Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-07 Thread Marc Bradshaw via mailop
Hi Todd,

We are seeing the same thing at Fastmail. We are putting various mitigations in 
place and some of our domains' reputation has recovered but are still having 
issues with the domain reputation of a number of our domains.
Does the group have any experience/advice in how to expedite the recovery of 
domain reputations?

On Wed, 6 Apr 2022, at 6:04 AM, Todd Herr via mailop wrote:
> 
> On Tue, Apr 5, 2022 at 6:35 AM Cyril - ImprovMX via mailop 
>  wrote:
>> 
>> After a discussion with OVH about this potential issue, I discovered that 
>> the problem was worse than that. By comparing all the emails from 
>> Spamcop.net reports, I discovered that they were from a few emails, but 
>> then, they had new headers added on top. This included a new "To", "Subject" 
>> and "Date" header. An email sent 4 days ago was sent again, with an updated 
>> date. The initial "Subject" was basic things like "hello" and the new 
>> Subject added at the top was more spammy (the typical horny stuff).
>> 
>> Clearly, someone used the reputation of ImprovMX.com to deliver emails by 
>> forging them before delivery.
>> 
> 
> What you're describing sounds exactly like a DKIM replay attack.
> 
> Socketlabs, among others, have some ideas on how to mitigate such things. 
> Perhaps you might find those ideas useful - 
> https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/
> 
> -- 
> 
> 
> *Todd Herr* | Technical Director, Standards and Ecosystem
> *e:* todd.h...@valimail.com
> *m:* 703.220.4153
> 
> This email and all data transmitted with it contains confidential and/or 
> proprietary information intended solely for the use of individual(s) 
> authorized to receive it. If you are not an intended and authorized recipient 
> you are hereby notified of any use, disclosure, copying or distribution of 
> the information included in this transmission is prohibited and may be 
> unlawful. Please immediately notify the sender by replying to this email and 
> then delete it from your system.
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
> 

--

  Marc Bradshaw - Deliverability/Abuse at Fastmail
  m...@fastmailteam.com | @marcbradshaw 

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-06 Thread Cyril - ImprovMX via mailop
Thank you everyone for your response.

I don't mind the false positives, it's part of the game and shows that it's
not perfect. But not having a way to interact with it and not having a way
to reach out, explain the situation and know more about what is
happening/what will happen is a pita.

We sometimes get our emails listed at Sorbs, and no matter what, they
always respond, and even in time. I believe that email is one of the last
remaining protocols that was built in the beginning to be open and
impartial, and many big players are trying to rig the game in their favor.
Running an MTA today requires a lot of knowledge and ideally a big team
with investment to support all the tricks. It shouldn't be the case.

@Todd, thank you for that link! It seems that it was exactly the issue we
were facing. I'll seek to implement ways to mitigate these in the future
(but already, banning the free domains helped a lot)

On Wed, 6 Apr 2022 at 08:40, Todd Herr via mailop wrote:

>
> On Tue, Apr 5, 2022 at 6:35 AM Cyril - ImprovMX via mailop <
> mailop@mailop.org> wrote:
>
>>
>> After a discussion with OVH about this potential issue, I discovered that
>> the problem was worse than that. By comparing all the emails from
>> Spamcop.net reports, I discovered that they were from a few emails, but
>> then, they had new headers added on top. This included a new "To",
>> "Subject" and "Date" header. An email sent 4 days ago was sent again, with
>> an updated date. The initial "Subject" was basic things like "hello" and
>> the new Subject added at the top was more spammy (the typical horny stuff).
>>
>> Clearly, someone used the reputation of ImprovMX.com to deliver emails by
>> forging them before delivery.
>>
>>
> What you're describing sounds exactly like a DKIM replay attack.
>
> Socketlabs, among others, have some ideas on how to mitigate such things.
> Perhaps you might find those ideas useful -
> https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/
>


Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-06 Thread Todd Herr via mailop
On Tue, Apr 5, 2022 at 6:35 AM Cyril - ImprovMX via mailop <
mailop@mailop.org> wrote:

>
> After a discussion with OVH about this potential issue, I discovered that
> the problem was worse than that. By comparing all the emails from
> Spamcop.net reports, I discovered that they were from a few emails, but
> then, they had new headers added on top. This included a new "To",
> "Subject" and "Date" header. An email sent 4 days ago was sent again, with
> an updated date. The initial "Subject" was basic things like "hello" and
> the new Subject added at the top was more spammy (the typical horny stuff).
>
> Clearly, someone used the reputation of ImprovMX.com to deliver emails by
> forging them before delivery.
>
>
What you're describing sounds exactly like a DKIM replay attack.

Socketlabs, among others, have some ideas on how to mitigate such things.
Perhaps you might find those ideas useful -
https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/

-- 

*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* todd.h...@valimail.com
*m:* 703.220.4153

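
An added example, not part of the original thread or any poster's code: a Python check for the pattern described in this message, where new To, Subject and Date headers sit above an older DKIM signature that still covers the original ones. The sample message, its domains and the 48-hour threshold are constructed assumptions, and the code inspects header layout only; it does not verify the signature.

```python
import email
from email.utils import parsedate_to_datetime

SINGLETONS = ("from", "to", "subject", "date")  # RFC 5322: at most one each

# Constructed sample: an old signed message with To/Subject/Date stacked on top.
SAMPLE = b"""\
To: recipient@example.net
Subject: constructed bulk subject
Date: Tue, 05 Apr 2022 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=forwarder.example; s=sel; t=1648807200;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: sender@forwarder.example
To: alias@example.org
Subject: hello
Date: Fri, 01 Apr 2022 10:00:00 +0000

hello
"""

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): "".join(v.split()) for k, v in pairs}

def replay_indicators(raw, max_age_hours=48):
    """Return header-layout findings that are consistent with a replayed message."""
    msg = email.message_from_bytes(raw)  # compat32 policy keeps duplicate headers
    findings = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        for name in SINGLETONS:
            present = len(msg.get_all(name, []))
            # DKIM covers instances bottom-up, one per mention in h=, so any
            # surplus instance at the top of the message is outside the signature.
            if present > max(signed.count(name), 1):
                findings.append(f"unsigned extra {name} header")
        dates = msg.get_all("Date", [])
        if "t" in tags and dates:
            shown = parsedate_to_datetime(dates[0]).timestamp()  # top-most Date
            if shown - int(tags["t"]) > max_age_hours * 3600:
                findings.append("displayed Date much later than signing time")
    return findings
```

A signer that lists each of these header names one extra time in `h=` (oversigning, RFC 6376 section 5.4) makes any header added later invalidate the signature at the receiver.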


Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-05 Thread Michael Rathbun via mailop
On Tue, 5 Apr 2022 16:39:16 +, ml+mailop--- via mailop 
wrote:

>BTW: AFAIK "don't be evil" is not Google's motto anymore.

Geek tradition requires inserting "FSVO 'Evil'".

mdr
-- 
One thing you discover after opening a can of worms is that 
each worm is carrying another can.
-- Shebardigan



Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-05 Thread Paul Vixie via mailop



Anne Mitchell via mailop wrote on 2022-04-05 09:13:

...

> Amen.  Good thing their motto is "don't be evil", can you imagine what they'd
> be doing otherwise?

@k8emo made me laugh out loud one day when she said, "unlike google,
there never was a time when uber wasn't evil." yikes!


--
P Vixie



Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-05 Thread ml+mailop--- via mailop
On Tue, Apr 05, 2022, Paul Vixie via mailop wrote:

> google e-mail addresses were signing up en masse for mailman lists here, and
> the resulting confirmation e-mail from mailman was seen by google as spam.
> i've since turned off confirmation e-mail, and i've added SPF checking to

"confirmation e-mail": that would be the mail "please confirm that
you want to subscribe to this list"?
If you turned it off, does that mean anyone can subscribe addresses
of all domains which do not use SPF?

And all of that because Google has $#%!^! spam filtering -- way too
many false positives.

BTW: AFAIK "don't be evil" is not Google's motto anymore.

-- 
Don't Cc: me, use only the list for replies.


Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-05 Thread Anne Mitchell via mailop


> at MAPS we got sued a lot, but we always answered requests for removal from 
> the RBL. 

Which is one of the reasons that to this day MAPS is seen as the most ethical 
of RBLs (not to mention the first ;-)) ever.  Even by some spammers. ;-)

> what google is doing is an active harm which discredits the whole field of 
> distributed reputation. there should never be deliberate operational impact 
> without transparency and accountability.

Amen.  Good thing their motto is "don't be evil", can you imagine what they'd 
be doing otherwise?

Anne (former in-house counsel for MAPS, one of the positions of which I am most 
proud, we did good work there!)

--
Anne P. Mitchell, Attorney at Law
CEO ISIPP SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop



Re: [mailop] Our experience on Gmail blacklisting our IPs range

2022-04-05 Thread Paul Vixie via mailop



Cyril - ImprovMX via mailop wrote on 2022-04-05 03:28:

> Hi everyone!
>
> Two weeks ago, we had two ranges of IP blocked by GMail and since they
> are a black box, we were in the dark about what would happen with the ban.

...

> Clearly, someone used the reputation of ImprovMX.com to deliver emails
> by forging them before delivery.

when this happened to my primary outbound IP, it turned out to be that
google e-mail addresses were signing up en masse for mailman lists here,
and the resulting confirmation e-mail from mailman was seen by google as
spam. i've since turned off confirmation e-mail, and i've added SPF
checking to the inbound e-mail path.

...

> After around a week, we restarted the IP and they were accepted by
> Gmail! We haven't received any responses from the form we submitted, nor
> from anywhere else.

when this happened to me, it went on for months. i hired an outbound
e-mail delivery service and taught postfix how to route mail to google's
MX servers through that service. this was fraught with pain, and so i
eventually renumbered my primary outbound server to a different IP in
the same /24. problem "solved".

...

> My key takeaway here in case your IPs are banned by Gmail is:
>
>   * First - and most importantly - find and stop the root cause of the
>     problem
>   * If you can, stop sending with these IPs (after fixing the issue,
>     otherwise you'll get your other IP listed too!)
>   * Reach out to Gmail via
>     https://support.google.com/mail/contact/bulk_send_new
>   * Try restarting your IP from time to time.

tyvm, i wish i had had this guidance available when this happened to me.

...

> I hope this will help some of you. Being blocked by Gmail is hard, and
> facing a black box makes it even harder. You don't know where to look,
> you don't know what to do, you don't know who to reach out to.

at MAPS we got sued a lot, but we always answered requests for removal
from the RBL. what google is doing is an active harm which discredits
the whole field of distributed reputation. there should never be
deliberate operational impact without transparency and accountability.

> ... but the general feeling was clearly that Gmail is not on this world.
>
> May your IPs stay out of DNSBLs.

yes, and yes.

--
P Vixie
