> This message was correctly marked as spam.

This one was, but there are cases when they go to Primary tab. Sometimes they are moved to junk after delivery.
> The DKIM reputation is taking a hit due to the spamming, but that is an accurate assessment on our part, as it is being used for sending spam.

They wouldn't be used for that if you guys would simply reject mail from IPs with no rDNS, or those in SPF -all. Right now it's a huge hole.

> A quick glance at some IPs and the Networks from the SBL addresses you listed show very low reputation and lots of blocked messages.

I don't know how your filters work on the inside, but it could be a very good signal to detect attacks like this one.

> I assume the fact that dkim replay attack spam messages are winding up in the spam labels of our users isn't the actual issue that concerns you.

No, that is not the problem. The problem is accepting mail from extremely shady sources and counting that mail as legitimately sent on the victim domain's behalf.

Sender
Edgar Vaitkevičius, founder / CEO
ed...@sender.net

On Wed, Mar 2, 2022 at 9:08 PM Brandon Long <bl...@google.com> wrote:

> This message was correctly marked as spam.
>
> Generally speaking, it looks like our systems are correctly determining which of these is spam and which is not. The DKIM reputation is taking a hit due to the spamming, but that is an accurate assessment on our part, as it is being used for sending spam. The SPF reputation of the domain is doing better, as are the IP addresses you listed in the SPF record, perhaps that is visible to you on the postmaster page. A quick glance at some IPs and the Networks from the SBL addresses you listed show very low reputation and lots of blocked messages.
>
> I assume the fact that dkim replay attack spam messages are winding up in the spam labels of our users isn't the actual issue that concerns you.
>
> Brandon
>
> On Wed, Mar 2, 2022 at 10:38 AM Edgaras | SENDER via mailop <mailop@mailop.org> wrote:
>
>> > Add just the headers from a single abuse email here on the thread..
>> Here you go, latest victim (Wix) abused by azeddinebenlarbi...@gmail.com:
>>
>> Delivered-To: trappy.mctrapf...@gmail.com
>> Received: by 2002:ac9:5a7:0:0:0:0:0 with SMTP id 36csp448821ocw;
>>         Wed, 2 Mar 2022 09:00:00 -0800 (PST)
>> X-Google-Smtp-Source: ABdhPJyxgfRpUsqWbBr/re0QDp8Iuv7ucxtW/eurO7tWJljvtHlCTV1lhn/G7sQ8oaAejLhkikay
>> X-Received: by 2002:a17:906:2ac9:b0:6ce:dc0f:9139 with SMTP id m9-20020a1709062ac900b006cedc0f9139mr24070631eje.206.1646240400450;
>>         Wed, 02 Mar 2022 09:00:00 -0800 (PST)
>> ARC-Seal: i=2; a=rsa-sha256; t=1646240400; cv=pass;
>>         d=google.com; s=arc-20160816;
>>         b=l3yLyzfYcfCR9yaygSwMGchxrJnNoDvQiZ7ulrnSnSJDNm0Z6OzuvvxQRxFitXfKkC
>>         rv+M/at6NjqHvthAySYJHllze6pEFIgdYPLDbajCqIin8a09vhX6YsWdsGK8OMin/Zlr
>>         McvJ3AxyItbQ5vASGm2pROGaky8iG+isG1TIu1HtmVbGk75ihEllQDx8yxgKh7rsZ2Nb
>>         42quNIa1SZ50v3wgs5o6F07ZCWGc9xR6t7UGhAOscbrTYYUWzCcjXNG3s2zqwhAV0kuz
>>         +ML+Idfy5jUvcrNWiKA1eBnELSskInJoYdzHddUq8E9tf+609ECu58A2pdizVkGWu/Za
>>         fhKQ==
>> ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
>>         h=to:feedback-id:reply-to:subject:subject:message-id:message-id
>>          :mime-version:from:date:dkim-signature:dkim-signature;
>>         bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
>>         b=L2r7W1Ax8bOAZ/mPCFbyQiXSepDAqF4Z3BDl11dszqt3si4yReg9zYoIqc7wGFOXBV
>>         QuKBtFWs3FTE9fGqBFEwgaDiObCUWdVL08BMI7Uw9EZPL8ej3Mhk5oipUMi3gcSpDbgz
>>         uK6UChfO33wOx8uXoiDVZ8QmBoUEPiBvH/NLVYPHVdcVw9sIDS4/Rv/i+DCuAou2KQua
>>         emuPHs4W0SDrKRCYpOfYTilzse9RWiTgoCTjTL3whe/uZuWwYgeljZF682+Np+i7+OoZ
>>         YhyyHOijqWNwDR3dLPMXOpg7/u01xguZsjgTFoBMXYvPKWn3V/AXPoVjqC67CJ81vatf
>>         Jlhw==
>> ARC-Authentication-Results: i=2; mx.google.com;
>>        dkim=pass header.i=@test.ascendbywix.com header.s=s1 header.b=P9JGN5Pt;
>>        dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b="PzohlIQ/";
>>        arc=pass (i=1 spf=pass spfdomain=sg.test.ascendbywix.com dkim=pass dkdomain=test.ascendbywix.com dkim=pass dkdomain=sendgrid.info dmarc=pass fromdomain=test.ascendbywix.com);
>>        spf=fail (google.com: domain of bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com does not designate 81.7.6.53 as permitted sender) smtp.mailfrom="bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com";
>>        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=test.ascendbywix.com
>> Return-Path: <bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com>
>> Received: from takataka.gr ([81.7.6.53])
>>         by mx.google.com with ESMTP id r1-20020a1709061ba100b006d07f388e25si10294892ejg.908.2022.03.02.09.00.00
>>         for <trappy.mctrapf...@gmail.com>;
>>         Wed, 02 Mar 2022 09:00:00 -0800 (PST)
>> Received-SPF: fail (google.com: domain of bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com does not designate 81.7.6.53 as permitted sender) client-ip=81.7.6.53;
>> Authentication-Results: mx.google.com;
>>        dkim=pass header.i=@test.ascendbywix.com header.s=s1 header.b=P9JGN5Pt;
>>        dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b="PzohlIQ/";
>>        arc=pass (i=1 spf=pass spfdomain=sg.test.ascendbywix.com dkim=pass dkdomain=test.ascendbywix.com dkim=pass dkdomain=sendgrid.info dmarc=pass fromdomain=test.ascendbywix.com);
>>        spf=fail (google.com: domain of bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com does not designate 81.7.6.53 as permitted sender) smtp.mailfrom="bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com";
>>        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=test.ascendbywix.com
>> Received: by 2002:a4a:390e:0:0:0:0:0 with SMTP id m14csp2497925ooa;
>>         Tue, 1 Mar 2022 01:20:28 -0800 (PST)
>> X-Received: by 2002:a25:b3c7:0:b0:623:e9fe:e108 with SMTP id x7-20020a25b3c7000000b00623e9fee108mr24017231ybf.335.1646126428656;
>>         Tue, 01 Mar 2022 01:20:28 -0800 (PST)
>> ARC-Seal: i=1; a=rsa-sha256; t=1646126428; cv=none;
>>         d=google.com; s=arc-20160816;
>>         b=klrOQobiQW3z0we7NWks+cp02ocQHUJPSDgVAWXTvkjyJxD+ihHvo9ERutsIQzrG8K
>>         1zVjI45xZs4cE7O6cB6Ylech/BF0+6XA4LmbHa7P69SfszZ0BJvkHMbQIKGSQ2EgkuIj
>>         wsxPqXOGAEUfcv3loqu+yhHvfF/e1FB7yJgASvLFU36gkWSy/cz91O1eeGfFGrgKSP9V
>>         n8CBONOor1cpwVaFhRTEPQ0ByIJRx/10feTaguiwCpoovac0/uajp+wgV3kBu8yMQOsL
>>         yFDfTH30/w8Lmo9A3R7yExiXctr88AkYrMIXSg5S3JZlCLieLxEfSirEDH4Hchgiiwzs
>>         KU2A==
>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
>>         h=to:feedback-id:reply-to:subject:message-id:mime-version:from:date
>>          :dkim-signature:dkim-signature;
>>         bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
>>         b=e7JNdh6KCXyb8EhXXTQo9p1qZ9yFuguH3aBwGC+IaK009NPSfnv8r7NBCK8FiiOESN
>>         m14bKwy+o9XaLGAw3F7UO2TE9q74/sOgB2L1IdGZ7F+pKvKGlQVRoKGFl1cy5CTZ9QXX
>>         kL3YX3J97nd3eOLe2QgR55G19Cxqa/wcgdfaJjzDrN/9aTSAvhX/K8UkVyLmGF/wxSL+
>>         s6ZJchYDxaORmFRaUK79sN/oafqXYPH84/32Nc1IWHC9PL1ecItttkLij8SwUvDMjInv
>>         mtcY9WoZbTIBvgTNRaxeEZwfuLweaV9VUwub2RNNOwLfRezbW3z6aezBUUiMd2FR5wc3
>>         bJqA==
>> ARC-Authentication-Results: i=1; mx.google.com;
>>        dkim=pass header.i=@test.ascendbywix.com header.s=s1 header.b=P9JGN5Pt;
>>        dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b="PzohlIQ/";
>>        spf=pass (google.com: domain of bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com designates 167.89.28.151 as permitted sender) smtp.mailfrom="bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com";
>>        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=test.ascendbywix.com
>> Return-Path: <bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com>
>> Received: from o29.sg.ascendbywix.com (o29.sg.ascendbywix.com. [167.89.28.151])
>>         by mx.google.com with ESMTPS id h36-20020a81b664000000b002d13ff5f75bsi10543989ywk.53.2022.03.01.01.20.28
>>         for <azeddinebenlarbi...@gmail.com>
>>         (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
>>         Tue, 01 Mar 2022 01:20:28 -0800 (PST)
>> Received-SPF: pass (google.com: domain of bounces+3348031-0178-azeddinebenlarbi329=gmail....@sg.test.ascendbywix.com designates 167.89.28.151 as permitted sender) client-ip=167.89.28.151;
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=test.ascendbywix.com;
>>         h=content-type:from:mime-version:subject:reply-to:x-feedback-id:to; s=s1;
>>         bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
>>         b=P9JGN5PtXZbUGegZNFWrm7KJmx47g20Z8Ik7Og1sKYSNE+nWnEnfhUtHbbO9v4bb85xB
>>         ZcCAJJiVqZSABX+/YUzpVnvGvlcxP/4ZVlD/Vzdzk5sPdgAWg41fCbOolfXpVz3e+Mq50Q
>>         +em3llnjq+CliRMnmC4hSPRWlKLDfWKu8KPs38okaL7HK3WxxGpAO/6SC76aGOY/YxFSnV
>>         uxfdG8QEWX79tCpfI8pmUVZvv8MSTAOocAAcbbvenIeJE5PfPeBVjCreSqwogEO0OGguN2
>>         8V2akKKqvbMKRlaafPiZ8HBFaE1YkDSFGKkrmsFIoF8JNDOQC0RiIvzpB6KupVtw==
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.info;
>>         h=content-type:from:mime-version:subject:reply-to:x-feedback-id:to;
>>         s=smtpapi; bh=unij9luYZjytYq8AnlTGrziLaTBYROHjkIEkJHrCZEI=;
>>         b=PzohlIQ/O/Yd5uXr0V5xE/tfkG5TBjtSk4TSct0hwy6dCgV69aE8sYHkcUS4DPajzXNX
>>         hWJToy7b8T5/A4gy8ji+FqUOrIfqa+jFzUSU018/ujKqpllz8CCosZGve/CH+HsUZA+suC
>>         pCsvtJHoQAtJJDZoeBc28UibGfVFlHAzA=
>> Received: by filterdrecv-656998cfdd-dxhv8 with SMTP id filterdrecv-656998cfdd-dxhv8-1-621DE55C-B
>>         2022-03-01 09:20:28.239436093 +0000 UTC m=+13859590.117375723
>> Received: from MzM0ODAzMQ (unknown) by ismtpd0061p1las1.sendgrid.net (SG) with HTTP id nMh2xC0YSDuucmswZAyctA Tue, 01 Mar 2022 09:20:28.133 +0000 (UTC)
>> Content-Type: multipart/alternative; boundary=5652e9e37bf97e2f5afd29ae0726f708c4d7d8a6ca2b68e83d110805e607
>> Date: Tue, 01 Mar 2022 09:20:28 +0000 (UTC)
>> From: "🔞Suck_me💋" <no-re...@test.ascendbywix.com>
>> Mime-Version: 1.0
>> Message-ID: <tair7mckqcfthnsohjrktzdgpzrwo...@ismtpd0061p1las1.sendgrid.net>
>> Message-ID: <nmh2xc0ysduucmswzay...@ismtpd0061p1las1.sendgrid.net>
>> Subject: TRAPPY.MCTRAPFACE.....Jag är ledig för sex🔥Ikväll🔞Låt oss träffas och knulla..🔞---Ikväll💋***3127795457
>> Subject: se
>> Reply-To: "🔞Suck_me💋" <cont...@studiosyears.co.uk>
>> x-abuse-id: 4ceea4f1-8b3b-4aa3-b1e2-ac4327b529b9
>> Feedback-ID: 4ceea4f1-8b3b-4aa3-b1e2-ac4327b529b9:2295fca2-d8cd-445d-99b7-65050cd44b8e:wixshoutout
>> X-Feedback-ID: 3348031:SG
>> X-SG-EID: apC/pe/zbzDqnTT6zV9Wv1gEFqcnmG9YbKBQJEAVDcUgYP2u6TscjIHGdeOzzNKDpD2n7PUlpQzsLQFjZpSvEGF9cf1cv1gx0gn4QXMWEDLl+Q29zeCVlHp9jSG2xlNUkQz/KX4O3yiYOrYCD0qtNO491F2cmq2qsMSgSqqPwbXoiCNEegG8FoiwLeBMcbdCqTQZb/S/gk13BhEIHFfu9tng3n70tLqNwfsVF3aVWc7xsaOw0fFkfJ0GoDoZ876w7cyU5joVw0tikCjABXwRBA==
>> X-SG-ID: N2C25iY2uzGMFz6rgvQsb8raWjw0ZPf1VmjsCkspi/LP5qbstBs+tNXeqRqWNMElXL97lzut3o+IPcAkA9CcXv8yKhwJejT9wnW1jUPmsdJ8/FV6Ck4y3YBgP5saSmoKs3fV2XzcfEGH1Cn5CId7xqmdBEMoGjiDP1gV3OFd9cykfBHNuIrQZ5FJ/D3Z2BF1k4sgTxm4TgHAjfvC/pp5+AyVzKkROwJ599/XwPA+iZY/GypC2PdgTIrroJVGBMhW/QUtCsniD57PrmYBF9ZS1pjgg+6eORATab9qgV2pf0aW0xZCQpvd6FGGdhFwH314
>> To: azeddinebenlarbi...@gmail.com
>> X-Entity-ID: syRQ9ETube4F+FdaRpBU1w==
>>
>> Sender
>> Edgar Vaitkevičius, founder / CEO
>> ed...@sender.net
>>
>> On Wed, Mar 2, 2022 at 7:42 PM Michael Peddemors via mailop <mailop@mailop.org> wrote:
>>
>>> Add just the headers from a single abuse email here on the thread..
>>> sanitize as needed.. seems that they of course can only use part of the
>>> information as a forgery (eg SendGrid headers)
>>>
>>> I think this is an attack vector that was seen back even a few months
>>> ago, however that type of an attack quickly gets an IP on an RBL..
>>> normally.
>>>
>>> On 2022-03-02 9:12 a.m., Edgaras | SENDER via mailop wrote:
>>> > Hi Simon,
>>> >
>>> > > Which domains, IP addresses and DKIM signatures are you responsible for
>>> > > (or not) in the examples?
>>> > Our domain that is impacted: sendersrv.com
>>> > SPF: v=spf1 ip4:185.3.229.125 ip4:185.3.229.126 ip4:185.3.229.127 ip4:185.3.229.128/27 ip4:141.136.38.0/24 ip4:141.136.40.0/24 ip4:195.191.140.0/24 ip4:195.191.176.0/24 -all
>>> > IP addresses which we do not control and which are being used to send out spam are mentioned in my initial email:
>>> > 176.56.220.0/24
>>> > 176.56.221.0/24
>>> > 176.56.222.0/24
>>> > 103.110.248.0/24
>>> > ....
>>> >
>>> > I added other samples that we discovered just to show that the problem is not only affecting us.
>>> > Other abused domains are:
>>> > sendgrid.info, spam sent from 104.168.76.42 (no rDNS!)
>>> > getresponse-mail.com, from 119.235.249.182 (again no rDNS, SPF hard fails...)
>>> > sfr.fr, from 85.120.225.105 (SPF fails)
>>> > ...
>>> > BTW, I only redacted the spamtrap email address, all other headers are left as is.
>>> > To clarify further, I will walk through the case where an attacker abuses GetResponse (getresponse2.eml).
>>> > What happens here:
>>> > 1. Attacker creates an account at Getresponse using a throwaway spam site storagemodels.org.uk
>>> > 2. Sends a single email from Getresponse (using re...@storagemodels.org.uk) to himself (arsalanpir...@gmail.com is the attacker's Gmail address)
>>> > 3. The email is signed with getresponse-mail.com, a domain with a good reputation at Gmail.
>>> > 4. Attacker then proceeds to spam from 119.235.249.182, spam mails count against the reputation of getresponse-mail.com
>>> > 5. Mails are delivered to countless Gmail users.
>>> >
>>> > What's worrying is that even if the headers are oversigned, DMARC set to reject, it does nothing to stop this attack. There's literally nothing you can do as a sender to prevent your reputation from being trashed.
>>> >
>>> > Sender
>>> > Edgar Vaitkevičius, founder / CEO
>>> > ed...@sender.net
>>> >
>>> > On Wed, Mar 2, 2022 at 6:39 PM Simon Arlott via mailop <mailop@mailop.org> wrote:
>>> >
>>> >     On 02/03/2022 15:44, Edgaras | SENDER via mailop wrote:
>>> >     > Sorry for losing my nerve, but it is harming our reputation for a month now, tried all possible channels to report this, and the issue is being completely ignored.
>>> >
>>> >     These examples have the same problem that the original one in January did. They're just copies of emails without any explanation as to who you are and which domain's reputation is being impacted.
>>> >
>>> >     Which domains, IP addresses and DKIM signatures are you responsible for (or not) in the examples?
>>> >
>>> >     If you need to redact something then replace it with "example.com", "example.net", "example.org", etc. and state how each of them fits into this. Provide a copy of the SPF/DKIM records (where relevant) for any redacted domains (the immediate sending IP may not be in the SPF record but maybe an earlier one or Google is).
>>> >
>>> >     Which domain's reputation is being impacted?
>>> >
>>> >     Without that information it's very hard to identify exactly what is going on. You've stated previously that "first an attacker sent a test email from our platform" but these ones don't appear to originate from you.
>>> >
>>> >     --
>>> >     Simon Arlott
>>> >     _______________________________________________
>>> >     mailop mailing list
>>> >     mailop@mailop.org
>>> >     https://list.mailop.org/listinfo/mailop
>>> >
>>>
>>> --
>>> "Catch the Magic of Linux..."
>>> ------------------------------------------------------------------------
>>> Michael Peddemors, President/CEO LinuxMagic Inc.
>>> Visit us at http://www.linuxmagic.com @linuxmagic
>>> A Wizard IT Company - For More Info http://www.wizard.ca
>>> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
>>> ------------------------------------------------------------------------
>>> 604-682-0300 Beautiful British Columbia, Canada
>>>
>>> This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
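The Wix/SendGrid header dump in this thread shows what a replayed copy looks like at the receiving MX: the DKIM signatures still verify (dkim=pass), the delivering host 81.7.6.53 is not in the SPF record (spf=fail), DMARC passes on DKIM alignment alone, the signed To: still names the attacker's Gmail account rather than the spam trap in Delivered-To:, a second Subject: and Message-ID: sit above the signed ones (h= lists subject only once, and DKIM takes headers from the bottom up, so the prepended copy is the one the MUA shows while the signature stays valid), neither DKIM-Signature carries an x= expiry, and the two ARC-Seal timestamps are 113972 seconds (about 31.7 hours) apart. The following is an added example, not code from the mailop thread, Gmail, SendGrid or any sender named above; it scores a raw header block for exactly those signals. The REPLAYED sample, the example.* domains, the dummy b=/bh= values and the six-hour age threshold are all assumptions constructed for the example.

```python
# Added example, not code from the mailop thread, Gmail, SendGrid or any sender
# named above: score a raw inbound header block for the signals that separate a
# DKIM replay from the original delivery. REPLAYED is a constructed sample
# (example.* domains, dummy b=/bh=) shaped like the Wix/SendGrid headers above.
import re
from collections import Counter
from email import policy, utils
from email.parser import HeaderParser

MAX_AGE_SECONDS = 6 * 3600   # assumption: legitimate bulk mail arrives within hours of Date:
# RFC 5322 section 3.6: at most one of each of these per message.
UNIQUE_HEADERS = {"date", "from", "sender", "reply-to", "to", "cc",
                  "message-id", "in-reply-to", "references", "subject"}


def parse_tags(value):
    """DKIM/ARC tag=value list (RFC 6376 section 3.2) -> dict, folding removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def auth_results(value):
    """{method: result} for an Authentication-Results header (RFC 8601); comments
    are dropped first so 'arc=pass (i=1 spf=pass ...)' cannot mask this hop's spf=."""
    stripped = re.sub(r"\([^()]*\)", "", value)
    results = {}
    for m in re.finditer(r"\b(dkim|spf|dmarc|arc)=(\w+)", stripped):
        results.setdefault(m.group(1), m.group(2))
    return results


def replay_indicators(raw_headers):
    """Return the replay signals found in a raw header block (empty if none)."""
    msg = HeaderParser(policy=policy.compat32).parsestr(raw_headers, headersonly=True)
    findings = []
    # 1. Genuine signature, but the delivering IP is not the signer's.
    ar = msg.get_all("Authentication-Results") or []
    res = auth_results(ar[0]) if ar else {}
    if res.get("dkim") == "pass" and res.get("spf") == "fail":
        findings.append("dkim=pass with spf=fail on the last hop")
    # 2. Per signature: no x= expiry, and single-instance headers occurring more
    #    often than h= covers. DKIM signs headers bottom-up, so a Subject: the
    #    replayer prepends is what the MUA shows while the signature still verifies.
    counts = Counter(k.lower() for k in msg.keys())
    for sig in msg.get_all("DKIM-Signature") or []:
        tags = parse_tags(sig)
        signed = Counter(h.lower() for h in tags.get("h", "").split(":") if h)
        if "x" not in tags:
            findings.append(f"d={tags.get('d')}: no x= expiry, signature verifies indefinitely")
        for name, n in counts.items():
            if name in UNIQUE_HEADERS and n > 1:
                findings.append(f"{name}: {n} copies present, {signed.get(name, 0)} "
                                f"covered by the d={tags.get('d')} h= list")
    # 3. Envelope recipient absent from the signed To:/Cc:.
    visible = [a.lower() for _, a in utils.getaddresses((msg.get_all("To") or []) + (msg.get_all("Cc") or []))]
    for _, addr in utils.getaddresses(msg.get_all("Delivered-To") or []):
        if addr.lower() not in visible:
            findings.append(f"envelope recipient {addr.lower()} not in To/Cc ({', '.join(visible) or 'none'})")
    # 4. Top-most Received: is the last hop; its timestamp follows the final ';'.
    received = msg.get_all("Received") or []
    if msg["Date"] and received:
        arrived = utils.parsedate_to_datetime(received[0].rsplit(";", 1)[-1].strip())
        age = (arrived - utils.parsedate_to_datetime(msg["Date"])).total_seconds()
        if age > MAX_AGE_SECONDS:
            findings.append(f"message arrived {age / 3600:.1f} h after its Date: header")
    return findings


# Constructed sample: first delivered to attacker@example.com on 1 Mar, then
# re-sent from an unrelated relay to a spam trap on 2 Mar.
REPLAYED = """\
Delivered-To: trap@example.net
Received: from relay.example.org ([192.0.2.53]) by mx.example.net with ESMTP id abc123
        for <trap@example.net>; Wed, 02 Mar 2022 09:00:00 -0800 (PST)
Authentication-Results: mx.example.net;
       dkim=pass header.i=@esp-customer.example.com header.s=s1 header.b=AAAA;
       arc=pass (i=1 spf=pass spfdomain=sg.esp-customer.example.com dmarc=pass fromdomain=esp-customer.example.com);
       spf=fail (domain of bounces@sg.esp-customer.example.com does not designate 192.0.2.53 as permitted sender) smtp.mailfrom=bounces@sg.esp-customer.example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=esp-customer.example.com
Received: from o1.sg.esp.example.com ([198.51.100.151]) by mx.example.com with ESMTPS id def456
        for <attacker@example.com>; Tue, 01 Mar 2022 01:20:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-customer.example.com; s=s1;
        h=content-type:from:mime-version:subject:reply-to:to; bh=AAAA=; b=AAAA
Subject: TRAP.....subject prepended by the replayer
Message-ID: <replayer@esp.example.com>
Date: Tue, 01 Mar 2022 09:20:28 +0000 (UTC)
From: "Promo" <no-reply@esp-customer.example.com>
Message-ID: <original@esp.example.com>
Subject: original signed subject
To: attacker@example.com
"""

if __name__ == "__main__":
    print(*replay_indicators(REPLAYED), sep="\n")
```

Run against the constructed sample it reports all six signals; the 31.7 h age it derives from Date: versus the last Received: is the same gap the real headers show between the ARC-Seal t= values. None of the signals is conclusive on its own (dkim=pass with spf=fail is exactly what ordinary forwarding produces, and a Delivered-To: that differs from To: is normal for lists and aliases), so they belong in a scoring rule rather than a hard reject. On the sending side, an x= expiry and oversigning (listing subject and message-id twice in h=) would have made this particular copy fail verification once the replayer prepended its own Subject:, although, as Edgar points out, neither stops the replay of the message as originally signed.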