> Add just the headers from a single abuse email here on the thread..
Here you go, latest victim (Wix) abused by azeddinebenlarbi...@gmail.com:

Delivered-To: trappy.mctrapf...@gmail.com
Received: by 2002:ac9:5a7:0:0:0:0:0 with SMTP id 36csp448821ocw;
        Wed, 2 Mar 2022 09:00:00 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyxgfRpUsqWbBr/re0QDp8Iuv7ucxtW/eurO7tWJljvtHlCTV1lhn/G7sQ8oaAejLhkikay
X-Received: by 2002:a17:906:2ac9:b0:6ce:dc0f:9139 with SMTP id
m9-20020a1709062ac900b006cedc0f9139mr24070631eje.206.1646240400450;
        Wed, 02 Mar 2022 09:00:00 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1646240400; cv=pass;
        d=google.com; s=arc-20160816;
        b=l3yLyzfYcfCR9yaygSwMGchxrJnNoDvQiZ7ulrnSnSJDNm0Z6OzuvvxQRxFitXfKkC
         rv+M/at6NjqHvthAySYJHllze6pEFIgdYPLDbajCqIin8a09vhX6YsWdsGK8OMin/Zlr
         McvJ3AxyItbQ5vASGm2pROGaky8iG+isG1TIu1HtmVbGk75ihEllQDx8yxgKh7rsZ2Nb
         42quNIa1SZ50v3wgs5o6F07ZCWGc9xR6t7UGhAOscbrTYYUWzCcjXNG3s2zqwhAV0kuz
         +ML+Idfy5jUvcrNWiKA1eBnELSskInJoYdzHddUq8E9tf+609ECu58A2pdizVkGWu/Za
         fhKQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
        s=arc-20160816;
        h=to:feedback-id:reply-to:subject:subject:message-id:message-id
         :mime-version:from:date:dkim-signature:dkim-signature;
        bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
        b=L2r7W1Ax8bOAZ/mPCFbyQiXSepDAqF4Z3BDl11dszqt3si4yReg9zYoIqc7wGFOXBV
         QuKBtFWs3FTE9fGqBFEwgaDiObCUWdVL08BMI7Uw9EZPL8ej3Mhk5oipUMi3gcSpDbgz
         uK6UChfO33wOx8uXoiDVZ8QmBoUEPiBvH/NLVYPHVdcVw9sIDS4/Rv/i+DCuAou2KQua
         emuPHs4W0SDrKRCYpOfYTilzse9RWiTgoCTjTL3whe/uZuWwYgeljZF682+Np+i7+OoZ
         YhyyHOijqWNwDR3dLPMXOpg7/u01xguZsjgTFoBMXYvPKWn3V/AXPoVjqC67CJ81vatf
         Jlhw==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@test.ascendbywix.com header.s=s1
header.b=P9JGN5Pt;
       dkim=pass header.i=@sendgrid.info header.s=smtpapi
header.b="PzohlIQ/";
       arc=pass (i=1 spf=pass spfdomain=sg.test.ascendbywix.com dkim=pass
dkdomain=test.ascendbywix.com dkim=pass dkdomain=sendgrid.info dmarc=pass
fromdomain=test.ascendbywix.com);
       spf=fail (google.com: domain of
bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com
does not designate 81.7.6.53 as permitted sender)
smtp.mailfrom="bounces+3348031-0178-azeddinebenlarbi329=
gmail....@sg.test.ascendbywix.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=
test.ascendbywix.com
Return-Path: <bounces+3348031-0178-azeddinebenlarbi329=
gmail....@sg.test.ascendbywix.com>
Received: from takataka.gr ([81.7.6.53])
        by mx.google.com with ESMTP id
r1-20020a1709061ba100b006d07f388e25si10294892ejg.908.2022.03.02.09.00.00
        for <trappy.mctrapf...@gmail.com>;
        Wed, 02 Mar 2022 09:00:00 -0800 (PST)
Received-SPF: fail (google.com: domain of
bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com
does not designate 81.7.6.53 as permitted sender) client-ip=81.7.6.53;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@test.ascendbywix.com header.s=s1
header.b=P9JGN5Pt;
       dkim=pass header.i=@sendgrid.info header.s=smtpapi
header.b="PzohlIQ/";
       arc=pass (i=1 spf=pass spfdomain=sg.test.ascendbywix.com dkim=pass
dkdomain=test.ascendbywix.com dkim=pass dkdomain=sendgrid.info dmarc=pass
fromdomain=test.ascendbywix.com);
       spf=fail (google.com: domain of
bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com
does not designate 81.7.6.53 as permitted sender)
smtp.mailfrom="bounces+3348031-0178-azeddinebenlarbi329=
gmail....@sg.test.ascendbywix.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=
test.ascendbywix.com
Received: by 2002:a4a:390e:0:0:0:0:0 with SMTP id m14csp2497925ooa;
        Tue, 1 Mar 2022 01:20:28 -0800 (PST)
X-Received: by 2002:a25:b3c7:0:b0:623:e9fe:e108 with SMTP id
x7-20020a25b3c7000000b00623e9fee108mr24017231ybf.335.1646126428656;
        Tue, 01 Mar 2022 01:20:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1646126428; cv=none;
        d=google.com; s=arc-20160816;
        b=klrOQobiQW3z0we7NWks+cp02ocQHUJPSDgVAWXTvkjyJxD+ihHvo9ERutsIQzrG8K
         1zVjI45xZs4cE7O6cB6Ylech/BF0+6XA4LmbHa7P69SfszZ0BJvkHMbQIKGSQ2EgkuIj
         wsxPqXOGAEUfcv3loqu+yhHvfF/e1FB7yJgASvLFU36gkWSy/cz91O1eeGfFGrgKSP9V
         n8CBONOor1cpwVaFhRTEPQ0ByIJRx/10feTaguiwCpoovac0/uajp+wgV3kBu8yMQOsL
         yFDfTH30/w8Lmo9A3R7yExiXctr88AkYrMIXSg5S3JZlCLieLxEfSirEDH4Hchgiiwzs
         KU2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
        s=arc-20160816;
        h=to:feedback-id:reply-to:subject:message-id:mime-version:from:date
         :dkim-signature:dkim-signature;
        bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
        b=e7JNdh6KCXyb8EhXXTQo9p1qZ9yFuguH3aBwGC+IaK009NPSfnv8r7NBCK8FiiOESN
         m14bKwy+o9XaLGAw3F7UO2TE9q74/sOgB2L1IdGZ7F+pKvKGlQVRoKGFl1cy5CTZ9QXX
         kL3YX3J97nd3eOLe2QgR55G19Cxqa/wcgdfaJjzDrN/9aTSAvhX/K8UkVyLmGF/wxSL+
         s6ZJchYDxaORmFRaUK79sN/oafqXYPH84/32Nc1IWHC9PL1ecItttkLij8SwUvDMjInv
         mtcY9WoZbTIBvgTNRaxeEZwfuLweaV9VUwub2RNNOwLfRezbW3z6aezBUUiMd2FR5wc3
         bJqA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@test.ascendbywix.com header.s=s1
header.b=P9JGN5Pt;
       dkim=pass header.i=@sendgrid.info header.s=smtpapi
header.b="PzohlIQ/";
       spf=pass (google.com: domain of
bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com
designates 167.89.28.151 as permitted sender)
smtp.mailfrom="bounces+3348031-0178-azeddinebenlarbi329=
gmail....@sg.test.ascendbywix.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=
test.ascendbywix.com
Return-Path: <bounces+3348031-0178-azeddinebenlarbi329=
gmail....@sg.test.ascendbywix.com>
Received: from o29.sg.ascendbywix.com (o29.sg.ascendbywix.com.
[167.89.28.151])
        by mx.google.com with ESMTPS id
h36-20020a81b664000000b002d13ff5f75bsi10543989ywk.53.2022.03.01.01.20.28
        for <azeddinebenlarbi...@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 01 Mar 2022 01:20:28 -0800 (PST)
Received-SPF: pass (google.com: domain of
bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com
designates 167.89.28.151 as permitted sender) client-ip=167.89.28.151;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=test.ascendbywix.com;
h=content-type:from:mime-version:subject:reply-to:x-feedback-id:to; s=s1;
bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
b=P9JGN5PtXZbUGegZNFWrm7KJmx47g20Z8Ik7Og1sKYSNE+nWnEnfhUtHbbO9v4bb85xB
ZcCAJJiVqZSABX+/YUzpVnvGvlcxP/4ZVlD/Vzdzk5sPdgAWg41fCbOolfXpVz3e+Mq50Q
+em3llnjq+CliRMnmC4hSPRWlKLDfWKu8KPs38okaL7HK3WxxGpAO/6SC76aGOY/YxFSnV
uxfdG8QEWX79tCpfI8pmUVZvv8MSTAOocAAcbbvenIeJE5PfPeBVjCreSqwogEO0OGguN2
8V2akKKqvbMKRlaafPiZ8HBFaE1YkDSFGKkrmsFIoF8JNDOQC0RiIvzpB6KupVtw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.info;
h=content-type:from:mime-version:subject:reply-to:x-feedback-id:to;
s=smtpapi; bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
b=PzohlIQ/O/Yd5uXr0V5xE/tfkG5TBjtSk4TSct0hwy6dCgV69aE8sYHkcUS4DPajzXNX
hWJToy7b8T5/A4gy8ji+FqUOrIfqa+jFzUSU018/ujKqpllz8CCosZGve/CH+HsUZA+suC
pCsvtJHoQAtJJDZoeBc28UibGfVFlHAzA=
Received: by filterdrecv-656998cfdd-dxhv8 with SMTP id
filterdrecv-656998cfdd-dxhv8-1-621DE55C-B
        2022-03-01 09:20:28.239436093 +0000 UTC m=+13859590.117375723
Received: from MzM0ODAzMQ (unknown) by ismtpd0061p1las1.sendgrid.net (SG)
with HTTP id nMh2xC0YSDuucmswZAyctA Tue, 01 Mar 2022 09:20:28.133 +0000
(UTC)
Content-Type: multipart/alternative;
boundary=5652e9e37bf97e2f5afd29ae0726f708c4d7d8a6ca2b68e83d110805e607
Date: Tue, 01 Mar 2022 09:20:28 +0000 (UTC)
From: "🔞Suck_me💋" <no-re...@test.ascendbywix.com>
Mime-Version: 1.0
Message-ID: <tair7mckqcfthnsohjrktzdgpzrwo...@ismtpd0061p1las1.sendgrid.net>
Message-ID: <nmh2xc0ysduucmswzay...@ismtpd0061p1las1.sendgrid.net>
Subject: TRAPPY.MCTRAPFACE.....Jag är ledig för sex🔥Ikväll🔞Låt oss
träffas och knulla..🔞---Ikväll💋***3127795457
Subject: se
Reply-To: "🔞Suck_me💋" <cont...@studiosyears.co.uk>
x-abuse-id: 4ceea4f1-8b3b-4aa3-b1e2-ac4327b529b9
Feedback-ID:
4ceea4f1-8b3b-4aa3-b1e2-ac4327b529b9:2295fca2-d8cd-445d-99b7-65050cd44b8e:wixshoutout
X-Feedback-ID: 3348031:SG
X-SG-EID:
apC/pe/zbzDqnTT6zV9Wv1gEFqcnmG9YbKBQJEAVDcUgYP2u6TscjIHGdeOzzNKDpD2n7PUlpQzsLQFjZpSvEGF9cf1cv1gx0gn4QXMWEDLl+Q29zeCVlHp9jSG2xlNUkQz/KX4O3yiYOrYCD0qtNO491F2cmq2qsMSgSqqPwbXoiCNEegG8FoiwLeBMcbdCqTQZb/S/gk13BhEIHFfu9tng3n70tLqNwfsVF3aVWc7xsaOw0fFkfJ0GoDoZ876w7cyU5joVw0tikCjABXwRBA==
X-SG-ID:
N2C25iY2uzGMFz6rgvQsb8raWjw0ZPf1VmjsCkspi/LP5qbstBs+tNXeqRqWNMElXL97lzut3o+IPcAkA9CcXv8yKhwJejT9wnW1jUPmsdJ8/FV6Ck4y3YBgP5saSmoKs3fV2XzcfEGH1Cn5CId7xqmdBEMoGjiDP1gV3OFd9cykfBHNuIrQZ5FJ/D3Z2BF1k4sgTxm4TgHAjfvC/pp5+AyVzKkROwJ599/XwPA+iZY/GypC2PdgTIrroJVGBMhW/QUtCsniD57PrmYBF9ZS1pjgg+6eORATab9qgV2pf0aW0xZCQpvd6FGGdhFwH314
To: azeddinebenlarbi...@gmail.com
X-Entity-ID: syRQ9ETube4F+FdaRpBU1w==


Sender | Edgar Vaitkevičius, founder / CEO
ed...@sender.net

On Wed, Mar 2, 2022 at 7:42 PM Michael Peddemors via mailop <
mailop@mailop.org> wrote:

> Add just the headers from a single abuse email here on the thread..
> sanitize as needed.. seems that they of course can only use part of the
> information as a forgery (eg SendGrid headers)
>
> I think this is an attack vector that was seen back even a few months
> ago, however that type of an attack quickly gets an IP on an RBL..
> normally.
>
> On 2022-03-02 9:12 a.m., Edgaras | SENDER via mailop wrote:
> > Hi Simon,
> >
> >  > Which domains, IP addresses and DKIM signatures are you responsible for
> >  > (or not) in the examples?
> > Our domain that is impacted: sendersrv.com
> > SPF: v=spf1 ip4:185.3.229.125 ip4:185.3.229.126 ip4:185.3.229.127
> > ip4:185.3.229.128/27 ip4:141.136.38.0/24 ip4:141.136.40.0/24
> > ip4:195.191.140.0/24 ip4:195.191.176.0/24 -all
> > IP addresses, which we do not control and which are being used to send out
> > spam are mentioned in my initial email:
> > 176.56.220.0/24
> > 176.56.221.0/24
> > 176.56.222.0/24
> > 103.110.248.0/24
> > ....
> >
> > I added other samples that we discovered just to show that the problem
> > is not only affecting us.
> > Other abused domains are:
> > sendgrid.info, spam sent from 104.168.76.42 (no rDNS!)
> > getresponse-mail.com, from 119.235.249.182 (again no rDNS, SPF hard fails...)
> > sfr.fr, from 85.120.225.105 (SPF fails)
> > ...
> > BTW, I only redacted the spamtrap email address, all other headers are
> > left as is.
> > To clarify further, I will walk through the case where an attacker
> > abuses GetResponse (getresponse2.eml).
> > What happens here:
> > 1. Attacker creates an account at Getresponse using a throwaway spam
> > site storagemodels.org.uk
> > 2. Sends a single email from Getresponse (using re...@storagemodels.org.uk)
> > to himself (arsalanpir...@gmail.com is the attacker's Gmail address)
> > 3. The email is signed with getresponse-mail.com, a domain with a good
> > reputation at Gmail.
> > 4. Attacker then proceeds to spam from 119.235.249.182, spam mails count
> > against the reputation of getresponse-mail.com
> > 5. Mails are delivered to countless Gmail users.
> >
> > What's worrying is that even if the headers are oversigned, DMARC set to
> > reject, it does nothing to stop this attack. There's literally nothing
> > you can do as a sender to prevent your reputation from being trashed.
> >
> >
> > Sender | Edgar Vaitkevičius, founder / CEO
> > ed...@sender.net
> >
> >
> >
> >
> > On Wed, Mar 2, 2022 at 6:39 PM Simon Arlott via mailop
> > <mailop@mailop.org> wrote:
> >
> >     On 02/03/2022 15:44, Edgaras | SENDER via mailop wrote:
> >      > Sorry for losing my nerve, but it is harming our reputation for a
> >     month
> >      > now, tried all possible channels to report this, and the issue is
> >     being
> >      > completely ignored.
> >
> >     These examples have the same problem that the original one in January
> >     did. They're just copies of emails without any explanation as to who
> >     you are and which domain's reputation is being impacted.
> >
> >     Which domains, IP addresses and DKIM signatures are you responsible for
> >     (or not) in the examples?
> >
> >     If you need to redact something then replace it with "example.com",
> >     "example.net", "example.org", etc. and state how each of them fits into
> >     this. Provide a copy of the SPF/DKIM records (where relevant) for any
> >     redacted domains (the immediate sending IP may not be in the SPF record
> >     but maybe an earlier one or Google is).
> >
> >     Which domain's reputation is being impacted?
> >
> >     Without that information it's very hard to identify exactly what is
> >     going on. You've stated previously that "first an attacker sent a test
> >     email from our platform" but these ones don't appear to originate from
> >     you.
> >
> >     --
> >     Simon Arlott
> >     _______________________________________________
> >     mailop mailing list
> >     mailop@mailop.org
> >     https://list.mailop.org/listinfo/mailop
> >
> >
>
>
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 Beautiful British Columbia, Canada
>
> This email and any electronic data contained are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company.
>
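Two of the replay symptoms visible in the quoted headers can be checked mechanically: a hop where DKIM passes while SPF fails, and a header (here Subject) that appears more times than the DKIM h= tag signs it, which is what an unsigned prepended copy looks like. This Python is an added example, not code from the thread; the header sample inside it is constructed, with placeholder domains and signature values.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted headers; every value is a placeholder.
SAMPLE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@esp.example header.s=s1 header.b=AAAA;
       spf=fail (domain of bounces@sg.esp.example does not designate
       192.0.2.10 as permitted sender) smtp.mailfrom="bounces@sg.esp.example";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=esp.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example;
 h=content-type:from:mime-version:subject:reply-to:to; s=s1; bh=BBBB; b=AAAA
Subject: spam subject prepended by the replayer, outside the signed set
Subject: se
From: no-reply@esp.example
"""

def unfold(raw):
    """Unfold RFC 5322 continuation lines; keep order and duplicate headers."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in " \t" and fields:  # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def signed_counts(dkim_value):
    """How many copies of each header name the DKIM h= tag covers."""
    m = re.search(r"\bh=([^;]+)", dkim_value)
    names = m.group(1).split(":") if m else []
    return Counter(n.strip().lower() for n in names)

def replay_findings(raw):
    """Flag the two replay symptoms visible in the quoted headers."""
    fields = unfold(raw)
    present = Counter(name for name, _ in fields)
    findings = []
    for name, value in fields:
        if name == "authentication-results":
            v = value.lower()
            if "dkim=pass" in v and "spf=fail" in v:
                findings.append("dkim=pass but spf=fail at this hop")
        elif name == "dkim-signature":
            for h, n in signed_counts(value).items():
                if present[h] > n:  # an extra, unsigned copy was prepended
                    findings.append(f"{h}: {present[h]} copies, {n} signed")
    return findings
```

Oversigning every header the ESP emits (listing it twice in h=) closes the prepended-Subject trick, but, as the thread notes, it does not stop a byte-identical replay of a message that was legitimately signed.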
