Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
Yeah, pretty much. :)

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:25 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 4:11 PM, Michael Wise wrote:
> That may or may not be a good metric, since if I just signed up for a legit 
> mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
> robot, I might be backlogged a few tens of seconds.

So, "Click here to subscribe", "Click here if you're a robot" 
white-on-white tiny font. Only count if 1 > 2.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop

[ lightbulb / ]

I've been thinking about this for a while, and just had a flash of brilliance 
(or madness, hard to tell at times...)

You know what might be a good solution?
Just occurred to me.

The mailing list software displays a clickable link that will send an email 
address with a cookie in the Subject to a special address hosted by the mailing 
list server.

But the trick is, the email *MUST* pass a sufficiently strict DMARC check.

So if the mailing list receives a piece of email *FROM* the sending domain, and 
it's DKIM signed, and it validates, and DMARC passes...
That would be a remarkably strong authentication that the recipient really did 
want the traffic.
It could even be stored for reference later.

And if it was not actually from the recipient, but someone on the same service, 
the true recipient has a piece of evidence of either a compromise, or malicious 
act by another user that would be grounds to TOS them.

Thoughts?

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: Michael Wise 
Sent: Wednesday, May 25, 2016 4:11 PM
To: 'Jay Hennigan' ; mailop@mailop.org
Subject: RE: [mailop] signup form abuse

That may or may not be a good metric, since if I just signed up for a legit 
mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
robot, I might be backlogged a few tens of seconds.

So the Venn Diagram circles just might overlap more than you would wish.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:03 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 8:36 AM, Vick Khera wrote:

> I did a spot check of a recent attack. The email address was 
> jabradb...@kanawhascales.com 
> and it got signed up to 12 lists during May 17 and 18. Amazingly, 
> whoever is on the other end of that address clicked to confirm every 
> one of those confirmation messages. All confirmation clicks appear to 
> come from a netblock owned by Barracuda Networks... Hmm...

Maybe Barracuda spam filtering is doing something like opening remote content 
to inspect it before forwarding it to the inbox.

What was the latency between when the confirmations were sent and when they 
were "clicked"?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
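One way to build the mailto-confirmation Michael sketches above, as an added example that is not part of the thread or of any list software: the signup page emits a mailto: link whose Subject carries an HMAC "cookie" bound to the typed address, the list and an expiry; the handler for the special mailbox trusts only the Authentication-Results header written by its own MX, requires dmarc=pass with the aligned header.from domain equal to the domain of the From address, and requires that the cookie was minted for exactly that From address. The secret key, the mailbox confirm@lists.example.org, the authserv-id mx.lists.example.org and the sample message are assumptions made for this example.

```python
import hashlib
import hmac
import re
import time
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import quote

# Assumed deployment values for this example; none of them come from the thread.
SECRET = b"replace-with-a-per-deployment-secret"  # HMAC key held only by the list server
CONFIRM_MAILBOX = "confirm@lists.example.org"     # the "special address" the link mails to
OUR_AUTHSERV_ID = "mx.lists.example.org"          # authserv-id our own MX writes into
                                                  # Authentication-Results (RFC 8601)

SUBJECT_RE = re.compile(r"confirm (\S+) (\d+) ([0-9a-f]{32})")


def make_token(address, list_name, expires):
    """Bind the Subject cookie to (address, list, expiry) so it is useless elsewhere."""
    data = f"{address.lower()}|{list_name}|{expires}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:32]


def confirm_link(address, list_name, ttl=86400, now=None):
    """The clickable mailto: link the signup page shows; the cookie rides in the Subject."""
    expires = int(now if now is not None else time.time()) + ttl
    subject = f"confirm {list_name} {expires} {make_token(address, list_name, expires)}"
    return f"mailto:{CONFIRM_MAILBOX}?subject={quote(subject)}"


def dmarc_verdict(msg):
    """(dmarc result, header.from domain) from an Authentication-Results header we wrote.

    Headers carrying a foreign authserv-id are ignored, and the MTA must strip any
    incoming header that claims ours, otherwise a sender could forge the verdict.
    """
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.split()[:1] != [OUR_AUTHSERV_ID]:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*dmarc=(\w+)(.*)", clause)
            if m:
                d = re.search(r"header\.from=([\w.-]+)", m.group(2))
                return m.group(1).lower(), (d.group(1).lower() if d else None)
    return None, None


def verify_confirmation(raw_message, now=None):
    """Does a message to the confirm mailbox prove the subscriber wants the list?"""
    now = now if now is not None else time.time()
    msg = message_from_string(raw_message)
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    if not m:
        return False, "no cookie in Subject"
    list_name, expires, token = m.group(1), int(m.group(2)), m.group(3)
    if expires < now:
        return False, "cookie expired"
    _, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    # The cookie was minted for the address typed into the form; the mail must come from it.
    if not hmac.compare_digest(token, make_token(address, list_name, expires)):
        return False, "cookie was not issued for this From address"
    result, aligned_domain = dmarc_verdict(msg)
    if result != "pass":
        return False, f"DMARC result is {result!r}, not pass"
    if aligned_domain != address.rsplit("@", 1)[-1]:
        return False, "DMARC-aligned domain does not match the From address"
    return True, f"subscribe {address} to {list_name}"


def sample_message(address, list_name, expires, auth_results):
    """Constructed test input, not real traffic: a mail as our MX would hand it over."""
    token = make_token(address, list_name, expires)
    return (
        f"Authentication-Results: {auth_results}\n"
        f"From: Someone <{address}>\n"
        f"To: {CONFIRM_MAILBOX}\n"
        f"Subject: confirm {list_name} {expires} {token}\n"
        "\n"
        "sent by clicking the link\n"
    )


if __name__ == "__main__":
    print(confirm_link("user@example.com", "announce", now=1464200000))
    ok_msg = sample_message("user@example.com", "announce", 1464290000,
                            f"{OUR_AUTHSERV_ID}; dkim=pass header.d=example.com; "
                            "dmarc=pass header.from=example.com")
    print(verify_confirmation(ok_msg, now=1464200000))
```

The trust boundary is the Authentication-Results header: the receiving MTA has to remove any such header that arrives already claiming our authserv-id, or the sender can forge the verdict. "Sufficiently strict" could additionally mean refusing domains whose DMARC record is p=none; that needs a DNS lookup the example leaves out. A cookie that checks out but arrives with a From address other than the one it was minted for is exactly the evidence Michael describes, so that branch is worth logging rather than silently dropping.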


Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
That may or may not be a good metric, since if I just signed up for a legit 
mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
robot, I might be backlogged a few tens of seconds.

So the Venn Diagram circles just might overlap more than you would wish.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:03 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 8:36 AM, Vick Khera wrote:

> I did a spot check of a recent attack. The email address was 
> jabradb...@kanawhascales.com 
> and it got signed up to 12 lists during May 17 and 18. Amazingly, 
> whoever is on the other end of that address clicked to confirm every 
> one of those confirmation messages. All confirmation clicks appear to 
> come from a netblock owned by Barracuda Networks... Hmm...

Maybe Barracuda spam filtering is doing something like opening remote content 
to inspect it before forwarding it to the inbox.

What was the latency between when the confirmations were sent and when they 
were "clicked"?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Laura Atkins

> On May 25, 2016, at 4:03 PM, Jay Hennigan  wrote:
> 
> On 5/25/16 8:36 AM, Vick Khera wrote:
> 
>> I did a spot check of a recent attack. The email address
>> was jabradb...@kanawhascales.com 
>> and it got signed up to 12 lists during May 17 and 18. Amazingly,
>> whoever is on the other end of that address clicked to confirm every one
>> of those confirmation messages. All confirmation clicks appear to come
>> from a netblock owned by Barracuda Networks... Hmm...
> 
> Maybe Barracuda spam filtering is doing something like opening remote content 
> to inspect it before forwarding it to the inbox.
> 
> What was the latency between when the confirmations were sent and when they 
> were "clicked"?

Barracuda is well known for following every link in an email, including 
confirmation links

laura

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  






___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop

Oh heck yeah.
And if nothing else, it's Rule Fodder.

Subject =~ /confirm [\da-f]{32}/
Body =~ /\bxx.yy.zz.\d+\b/
... you know the drill.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 3:49 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 7:59 AM, Vick Khera wrote:
>
> On Wed, May 25, 2016 at 10:45 AM, Matthew Black 
> > wrote:
>
> Are your customers using confirmed opt-in mailing lists? If not,
> they should not be running mailing lists.
>
>
> Yes, the only effect is to send a confirmation message, which is quite 
> generic and at most contains the customer's logo and name of the list, 
> to the victim.

Consider adding the origin IP and timestamp/timezone to the confirmation 
message. It can be useful to savvy folks and to your abuse department if people 
complain about fraudulent confirmation messages themselves, and might act as a 
mild deterrent if the bad guys know you're doing it.

--
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
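Jay's suggestion and Michael's rule fodder, put together as an added example (not code from the thread or from any ESP): the sender-side template writes the origin IP and a zoned timestamp into the confirmation body, and a receiver-side rule keys on the confirm token in the Subject plus that origin line, generalising the xx.yy.zz.\d+ match to any CIDR with the ipaddress module. The list address, the body wording, the 203.0.113.0/24 netblock and the sample message are constructed for the example and describe no real network.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.message import EmailMessage

# Rule shapes taken from the thread; everything else here is an assumption for the example.
CONFIRM_SUBJECT = re.compile(r"\bconfirm [0-9a-f]{32}\b", re.I)
# What the sender-side template below writes; the receiver-side rule keys on it.
ORIGIN_LINE = re.compile(
    r"Requested from IP (\d{1,3}(?:\.\d{1,3}){3}) on "
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"
)
# Constructed example netblock (documentation range), standing in for whatever
# your own abuse data names; it is not a claim about any real network.
SAMPLE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def build_confirmation(address, list_name, token, origin_ip, when):
    """Sender side: the COI confirmation with origin IP and zoned timestamp in the body."""
    msg = EmailMessage()
    msg["From"] = f"{list_name} list <{list_name}-request@lists.example.org>"  # hypothetical
    msg["To"] = address
    msg["Subject"] = f"{list_name}: confirm {token}"
    msg.set_content(
        f"Someone asked to subscribe {address} to the {list_name} list.\n"
        f"Requested from IP {origin_ip} on {when.isoformat(timespec='seconds')}.\n"
        "If that was not you, ignore this message; nothing is sent without\n"
        "confirmation.\n"
    )
    return msg.as_string()


def classify(raw, bad_nets):
    """Receiver side: flag confirmation mail whose signup came from a listed netblock.

    Returns (verdict, origin_ip). bad_nets may hold any CIDRs, so a /20 works as
    well as the /24 shape of the xx.yy.zz.\\d+ rule.
    """
    msg = message_from_string(raw)
    if not CONFIRM_SUBJECT.search(msg.get("Subject", "")):
        return "not-a-confirmation", None
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    m = ORIGIN_LINE.search(body)
    if not m:
        return "confirmation-without-origin", None
    ip = ipaddress.ip_address(m.group(1))
    if any(ip in net for net in bad_nets):
        return "confirmation-from-listed-netblock", str(ip)
    return "confirmation", str(ip)


def sample_message(origin_ip):
    """Constructed message for the demo, not real traffic."""
    when = datetime(2016, 5, 17, 14, 3, 22, tzinfo=timezone(timedelta(hours=-7)))
    return build_confirmation("victim@example.com", "announce",
                              "0123456789abcdef0123456789abcdef", origin_ip, when)


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.4"):
        print(classify(sample_message(ip), SAMPLE_NETS))
```

The receiver-side rule only works if senders agree on where the origin line lives, which is the "widely broadcast best practice" the thread notes is missing; until then the Subject token alone is the reliable half of the match, and the body regex has to be adapted per ESP.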


Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 8:36 AM, Vick Khera wrote:
> I did a spot check of a recent attack. The email address
> was jabradb...@kanawhascales.com
> and it got signed up to 12 lists during May 17 and 18. Amazingly,
> whoever is on the other end of that address clicked to confirm every one
> of those confirmation messages. All confirmation clicks appear to come
> from a netblock owned by Barracuda Networks... Hmm...

Maybe Barracuda spam filtering is doing something like opening remote 
content to inspect it before forwarding it to the inbox.

What was the latency between when the confirmations were sent and when 
they were "clicked"?


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 7:45 AM, Matthew Black wrote:
> Are your customers using confirmed opt-in mailing lists? If not, they
> should not be running mailing lists.

The monetary compensation of ESPs is directly proportional to the volume 
of promotional messages that they send. Let that sink in.


--
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 7:59 AM, Vick Khera wrote:
> On Wed, May 25, 2016 at 10:45 AM, Matthew Black wrote:
>> Are your customers using confirmed opt-in mailing lists? If not,
>> they should not be running mailing lists.
>
> Yes, the only effect is to send a confirmation message, which is quite
> generic and at most contains the customer's logo and name of the list,
> to the victim.

Consider adding the origin IP and timestamp/timezone to the confirmation 
message. It can be useful to savvy folks and to your abuse department if 
people complain about fraudulent confirmation messages themselves, and 
might act as a mild deterrent if the bad guys know you're doing it.


--
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
I've heard John Levine propose the "hidden link to catch scanning
robots" solution but I've never heard of an email system implementing
it. Similarly, senders have often suggested that spamtrap systems
shouldn't follow links. (Security systems, sure, but don't do that
with spamtrap addresses.) And today I heard it suggested that it would
be wiser to have COI have a second click (probably an HTTP POST-based
button) on the landing web page, to prevent security systems from
erroneously completing COI confirm steps. All good stuff, but it
doesn't sound as though any of it has been widely broadcasted as a
best practice or requirement.

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 4:55 PM, Michael Wise via mailop
 wrote:
> The classical response to that is a "Hidden" URL that, if "clicked" by the 
> scanning software, gives "Insight" into the fact that the recipient is doing 
> that, yes?
>
> Aloha,
> Michael.
> --
> Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
> Processed." | Got the Junk Mail Reporting Tool ?
>
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Erwin Harte
> Sent: Wednesday, May 25, 2016 2:48 PM
> To: Michelle Sullivan ; Vick Khera 
> Cc: mailop@mailop.org
> Subject: Re: [mailop] signup form abuse
>
> On 5/25/16 4:40 PM, Michelle Sullivan wrote:
>> Vick Khera wrote:
>>> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:
>>>
  I did a spot check of a recent attack. The email address was
  jabradb...@kanawhascales.com
   and it got signed up to 12
  lists during May 17 and 18. Amazingly, whoever is on the other
  end of that address clicked to confirm every one of those
  confirmation messages. All confirmation clicks appear to come
  from a netblock owned by Barracuda Networks... Hmm...
>>>  Which netblock was that?
>>>
>>>
>>> 64.235.144.0/20
>>>
>>> Specifically: 64.235.154.109,
>>> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105,
>>> 64.235.154.109
>>>
>>>
>> Single click through?  (as in everything in the URL?) - if so probably
>> automated mail scanning.
>>
> That's what I expect as well. Those addresses are all from ESS
> (https://www.barracuda.com/products/emailsecurityservice) which does
> 'intent' checking.
>
> --Erwin
>
> ===
>
>
> Considering Office 365?  Barracuda security and storage solutions can help. 
> Learn more about Barracuda solutions for Office 365 at 
> http://barracuda.com/office365.
>
> DISCLAIMER:
> This e-mail and any attachments to it contain confidential and proprietary 
> material of Barracuda, its affiliates or agents, and is solely for the use of 
> the intended recipient. Any review, use, disclosure, distribution or copying 
> of this transmittal is prohibited except by or on behalf of the intended 
> recipient. If you have received this transmittal in error, please notify the 
> sender and destroy this e-mail and any attachments and all copies, whether 
> electronic or printed.
>
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
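The two ideas Al lists, the hidden robot-catching link and a second, POST-based click on the landing page, in one added example that is not from the thread or from any list software. A GET on the confirmation URL only renders a page with a submit button; the subscription happens on the POST. The page also carries an invisible per-token canary link that no human clicks, so a client that fetches it is recorded as a scanner and its own later POST, if any, is not counted (Jay's "only count if 1 > 2"). The URL layout, the in-memory store and the documentation-range client addresses are assumptions.

```python
import html
import re
import secrets
import time

# Hypothetical URL layout for this example; not taken from any list software.
CONFIRM_PATH = re.compile(r"^/confirm/([0-9a-f]{32})$")
CANARY_PATH = re.compile(r"^/c/([0-9a-f]{32})/([0-9a-f]{16})$")


class ConfirmService:
    """COI confirm step that a link-following scanner cannot complete by accident."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # token -> record

    def issue(self, address):
        """Create a pending subscription and return the token for the e-mailed URL."""
        token = secrets.token_hex(16)
        self.pending[token] = {
            "address": address,
            "canary": secrets.token_hex(8),   # per token, so it cannot be learned and skipped
            "issued": self.now(),
            "scanners": set(),                # client IPs that fetched the canary
            "state": "pending",
        }
        return token

    def landing_page(self, token, rec):
        """Visible: one POST button. Invisible: the canary link for robots."""
        return (
            "<html><body>"
            f"<form method=\"POST\" action=\"/confirm/{token}\">"
            f"<p>Subscribe {html.escape(rec['address'])} to the list?</p>"
            "<button type=\"submit\" name=\"confirm\" value=\"yes\">"
            "Click here to subscribe</button></form>"
            f"<a href=\"/c/{token}/{rec['canary']}\" style=\"display:none\" "
            "rel=\"nofollow\" aria-hidden=\"true\">Click here if you're a robot</a>"
            "</body></html>"
        )

    def handle(self, method, path, client_ip):
        """Dispatch one request; returns (http_status, body)."""
        m = CANARY_PATH.match(path)
        if m and method == "GET":
            rec = self.pending.get(m.group(1))
            if rec and secrets.compare_digest(rec["canary"], m.group(2)):
                rec["scanners"].add(client_ip)
            return 204, ""          # tell the fetcher nothing
        m = CONFIRM_PATH.match(path)
        if not m:
            return 404, "not found"
        token = m.group(1)
        rec = self.pending.get(token)
        if rec is None:
            return 404, "unknown token"
        if method == "GET":
            return 200, self.landing_page(token, rec)   # never subscribes by itself
        if method != "POST":
            return 405, "method not allowed"
        if rec["state"] == "confirmed":
            return 200, "already confirmed"
        if client_ip in rec["scanners"]:
            rec["state"] = "scanner"     # same client took the robot link: ignore its click
            return 403, "automated confirmation ignored"
        rec["state"] = "confirmed"
        rec["confirmed_at"] = self.now()
        return 200, f"{rec['address']} subscribed"

    def state(self, token):
        return self.pending[token]["state"]


if __name__ == "__main__":
    svc = ConfirmService()
    t = svc.issue("user@example.com")
    print(svc.handle("GET", f"/confirm/{t}", "198.51.100.7")[0], svc.state(t))
    print(svc.handle("POST", f"/confirm/{t}", "198.51.100.7")[0], svc.state(t))
```

Keying the scanner set on a single client IP is the simplest choice; a scanning service that follows links from a pool, like the /20 Vick saw, is better handled by recording the netblock. The record keeps the issue and confirm timestamps as well, so the latency Jay asked about is available if you want it as an extra signal, with the overlap Michael points out kept in mind.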


Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread frnkblk
Finally had a chance to look at my logs … looking at error count over time (all 
U.S. Central) I see the following:

 

(columns: count, day of month, hour:ten-minute bucket)

Server 1:

  1 25 12:3
  1 25 12:4
  4 25 13:1
 22 25 13:2
 22 25 13:3
 24 25 13:4
 31 25 13:5
 18 25 14:0
  8 25 14:1
 16 25 14:2
  5 25 14:3
 19 25 14:4
 15 25 14:5
 18 25 15:0
  7 25 15:1
  6 25 15:2
  4 25 15:3
 11 25 15:4
  2 25 15:5
  8 25 16:0
  9 25 16:1
  6 25 16:2
  7 25 16:3
  9 25 16:4
  6 25 16:5
  4 25 17:0

Server 2:

  2 25 12:4
  1 25 13:0
 14 25 13:1
 10 25 13:2
 24 25 13:3
 20 25 13:4
 11 25 13:5
 11 25 14:0
 19 25 14:1
 11 25 14:2
  9 25 14:3
 12 25 14:4
 14 25 14:5
  7 25 15:0
  8 25 15:1
 16 25 15:2
  8 25 15:3
 17 25 15:4
 17 25 15:5
  7 25 16:0
 12 25 16:1
 12 25 16:2
 27 25 16:3
 13 25 16:4
 18 25 16:5
  4 25 17:0

 

So it’s off its peak, but not resolved.

 

Frank

 

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jaren Angerbauer
Sent: Wednesday, May 25, 2016 3:50 PM
To: Michael Wise 
Cc: mailop 
Subject: Re: [mailop] Connection failures to Hotmail domains

 

Thanks Mike.  If you can, any update you receive (and can disclose) would be 
greatly appreciated.




--Jaren

 

 

 

On Wed, May 25, 2016 at 2:29 PM, Michael Wise via mailop wrote:


Oh yeah, we're aware.
Hearing some reports that the issue may have been mitigated, but until I hear 
anything from Inside the House, can't really comment except to say ... PRI:0, 
being worked on as I type. But not by me, as I have no insight into the inner 
workings.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Al Iverson
Sent: Wednesday, May 25, 2016 1:19 PM
To: mailop
Subject: Re: [mailop] Connection failures to Hotmail domains

You're not alone. It's quite widespread. Multiple folks have talked to 
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims wrote:
> I'm seeing 90+% of our connection attempts to the MXes for
> 'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are
> either timing out (30s) or getting connection refused since ~11:00am
> PDT. Anyone else seeing this? I've tested from a few off-net points
> and am seeing the same. Mail is starting to pile up in our queues in
> quantity. Given the scale of what this appears to be I assume the team
> is already hard at work on it, but the lack of mention here concerns
> me, so sorry for the noise if this is too obvious for the list ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B:
> to=, relay=none, delay=120,
> delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to
> mx1.hotmail.com[65.54.188.110]:25: Connection timed out)
>
> 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to
> mx3.hotmail.com

Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte

On 5/25/16 4:40 PM, Michelle Sullivan wrote:
> Vick Khera wrote:
>> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:
>>>> I did a spot check of a recent attack. The email address was
>>>> jabradb...@kanawhascales.com and it got signed up to 12
>>>> lists during May 17 and 18. Amazingly, whoever is on the other
>>>> end of that address clicked to confirm every one of those
>>>> confirmation messages. All confirmation clicks appear to come
>>>> from a netblock owned by Barracuda Networks... Hmm...
>>> Which netblock was that?
>>
>> 64.235.144.0/20
>>
>> Specifically: 64.235.154.109,
>> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109
>
> Single click through?  (as in everything in the URL?) - if so probably
> automated mail scanning.

That's what I expect as well. Those addresses are all from ESS 
(https://www.barracuda.com/products/emailsecurityservice) which does 
'intent' checking.


--Erwin

===


Considering Office 365?  Barracuda security and storage solutions can help. 
Learn more about Barracuda solutions for Office 365 at 
http://barracuda.com/office365.

DISCLAIMER:
This e-mail and any attachments to it contain confidential and proprietary 
material of Barracuda, its affiliates or agents, and is solely for the use of 
the intended recipient. Any review, use, disclosure, distribution or copying of 
this transmittal is prohibited except by or on behalf of the intended 
recipient. If you have received this transmittal in error, please notify the 
sender and destroy this e-mail and any attachments and all copies, whether 
electronic or printed.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
When you say, “Confirmation Clicks”, do you mean on a link provided via email, 
or a confirmation button of a web form?

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
Sent: Wednesday, May 25, 2016 2:14 PM
To: Erwin Harte 
Cc: mailop@mailop.org
Subject: Re: [mailop] signup form abuse


On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:
>> I did a spot check of a recent attack. The email address was
>> jabradb...@kanawhascales.com and it got
>> signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other
>> end of that address clicked to confirm every one of those confirmation
>> messages. All confirmation clicks appear to come from a netblock owned by
>> Barracuda Networks... Hmm...
> Which netblock was that?

64.235.144.0/20

Specifically: 64.235.154.109, 64.235.153.2, 64.235.150.252, 64.235.153.10, 
64.235.154.105, 64.235.154.109
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Michelle Sullivan

Vick Khera wrote:
> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:
>>> I did a spot check of a recent attack. The email address was
>>> jabradb...@kanawhascales.com and it got signed up to 12
>>> lists during May 17 and 18. Amazingly, whoever is on the other
>>> end of that address clicked to confirm every one of those
>>> confirmation messages. All confirmation clicks appear to come
>>> from a netblock owned by Barracuda Networks... Hmm...
>> Which netblock was that?
>
> 64.235.144.0/20
>
> Specifically: 64.235.154.109,
> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109

Single click through?  (as in everything in the URL?) - if so probably 
automated mail scanning.


--
Michelle Sullivan
http://www.mhix.org/


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 3:02 PM, Erwin Harte  wrote:

> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got signed up to 12 lists during May
> 17 and 18. Amazingly, whoever is on the other end of that address clicked
> to confirm every one of those confirmation messages. All confirmation
> clicks appear to come from a netblock owned by Barracuda Networks... Hmm...
>
> Which netblock was that?
>

64.235.144.0/20

Specifically: 64.235.154.109,
64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Michael Wise via mailop

Oh yeah, we're aware.
Hearing some reports that the issue may have been mitigated, but until I hear 
anything from Inside the House, can't really comment except to say ... PRI:0, 
being worked on as I type. But not by me, as I have no insight into the inner 
workings.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Al Iverson
Sent: Wednesday, May 25, 2016 1:19 PM
To: mailop 
Subject: Re: [mailop] Connection failures to Hotmail domains

You're not alone. It's quite widespread. Multiple folks have talked to 
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims  wrote:
> I'm seeing 90+% of our connection attempts to the MXes for 
> 'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are 
> either timing out (30s) or getting connection refused since ~11:00am 
> PDT. Anyone else seeing this? I've tested from a few off-net points 
> and am seeing the same. Mail is starting to pile up in our queues in 
> quantity. Given the scale of what this appears to be I assume the team 
> is already hard at work on it, but the lack of mention here concerns 
> me, so sorry for the noise if this is too obvious for the list ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to
> mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B:
> to=, relay=none, delay=120, 
> delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to 
> mx1.hotmail.com[65.54.188.110]:25:
> Connection timed out)
>
> 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to
> mx3.hotmail.com[65.55.37.72]:25: Connection timed out
> 2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to
> mx4.hotmail.com[65.54.188.126]:25: Connection refused
> 2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to
> mx2.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to
> mx4.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00:
> to=, relay=none, delay=91, 
> delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to
> mx2.hotmail.com[65.55.33.119]:25: Connection refused)
>
> 2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to
> mx4.hotmail.com[65.55.37.88]:25: Connection timed out
> 2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to
> mx4.hotmail.com[65.55.37.120]:25: Connection refused
> 2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to
> mx1.hotmail.com[65.54.188.72]:25: Connection timed out
> 2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to
> mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to
> mx3.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D:
> to=, relay=none, delay=3265, 
> delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to 
> mx3.hotmail.com[207.46.8.199]:25:
> Connection timed out)
>
> Keenan
>
> Stargate Connections AS19171
>
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

___
mailop mailing list
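Frank's per-ten-minute error counts and Keenan's Postfix lines, turned into a small log-binning script as an added example that is not from the thread: it matches only the smtp client "connect to ... Connection timed out/refused" lines (the status=deferred summaries repeat the same error and are skipped so nothing is counted twice), keeps the hosts under the destination domain, and buckets by day and hour:tens-of-minutes, the same shape as the table above. The sample log is constructed to resemble the quoted lines, with a relay name of relay1 and one non-Hotmail line to exercise the filter.

```python
import re
from collections import Counter

# Matches the Postfix smtp client "connect to" failure lines quoted above.
# Deferral summary lines (queue id, status=deferred) mention the same error but
# are deliberately not matched, so each failed connection is counted once.
CONNECT_FAIL = re.compile(
    r"^\d{4}-\d{2}-(?P<day>\d{2})T(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}(?:\.\d+)?[+-]\d{2}:\d{2} "
    r"\S+ postfix/smtp\[\d+\]: connect to (?P<host>[\w.-]+)\[(?P<ip>[\d.]+)\]:25: "
    r"(?P<err>Connection timed out|Connection refused)$"
)

# Constructed sample, modelled on the lines quoted above (not Keenan's actual log).
SAMPLE_LOG = """\
2016-05-25T12:55:19.470647-07:00 relay1 postfix/smtp[6486]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
2016-05-25T12:55:49.513775-07:00 relay1 postfix/smtp[6486]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T12:56:49.585566-07:00 relay1 postfix/smtp[6486]: 3F2D5FFC9B: to=<someone@hotmail.com>, relay=none, delay=120, delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out)
2016-05-25T13:02:08.167728-07:00 relay1 postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.88]:25: Connection timed out
2016-05-25T13:02:38.208945-07:00 relay1 postfix/smtp[7967]: connect to mx1.hotmail.com[65.54.188.72]:25: Connection timed out
2016-05-25T13:04:01.000000-07:00 relay1 postfix/smtp[7970]: connect to mx.example.net[192.0.2.10]:25: Connection timed out
""".splitlines()


def bin_failures(lines, domain_suffix=".hotmail.com"):
    """Count connect failures per (day, hh:m) ten-minute bucket and error kind.

    The bucket key has the same shape as Frank's table: day of month and the
    hour plus the first digit of the minute.
    """
    counts = Counter()
    for line in lines:
        m = CONNECT_FAIL.match(line)
        if not m or not m.group("host").endswith(domain_suffix):
            continue
        bucket = (m.group("day"), f"{m.group('hh')}:{m.group('mm')[0]}")
        counts[(bucket, m.group("err"))] += 1
    return counts


def per_bucket(counts):
    """Collapse error kinds: {(day, hh:m): total}, the columns Frank posted."""
    totals = Counter()
    for (bucket, _err), n in counts.items():
        totals[bucket] += n
    return dict(totals)


def render(counts):
    """Lines of 'count day hh:m' in time order, like the table above."""
    totals = per_bucket(counts)
    return "\n".join(f"{n:3d} {day} {hm}" for (day, hm), n in sorted(totals.items()))


if __name__ == "__main__":
    c = bin_failures(SAMPLE_LOG)
    print(render(c))
    for (bucket, err), n in sorted(c.items()):
        print(bucket, err, n)
```

Keeping "timed out" and "refused" as separate keys is the one thing the script adds over the posted table: during an outage like this one the two usually come from different parts of the remote side (no SYN-ACK versus an explicit RST), and watching which of them drops first says more about recovery than the total.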

Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Steve Ratzlaff

On 5/25/2016 3:08 PM, Keenan Tims wrote:
> I'm seeing 90+% of our connection attempts to the MXes for
> 'hotmail.com' and other Hotmail domains (mx[1-4].hotmail.com) are
> either timing out (30s) or getting connection refused since ~11:00am
> PDT. Anyone else seeing this? I've tested from a few off-net points
> and am seeing the same. Mail is starting to pile up in our queues in
> quantity. Given the scale of what this appears to be I assume the team
> is already hard at work on it, but the lack of mention here concerns
> me, so sorry for the noise if this is too obvious for the list ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: to=, relay=none, delay=120, delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out)
>
> 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to mx3.hotmail.com[65.55.37.72]:25: Connection timed out
> 2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[65.54.188.126]:25: Connection refused
> 2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: to=, relay=none, delay=91, delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused)
>
> 2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.88]:25: Connection timed out
> 2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.120]:25: Connection refused
> 2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[65.54.188.72]:25: Connection timed out
> 2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D: to=, relay=none, delay=3265, delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out)
>
> Keenan
>
> Stargate Connections AS19171




We started seeing the same thing at ~ 1:40 p.m. Central time.  All 
connections to their MXs are timing out.


Steve




Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Jeremy Harris
On 25/05/16 21:08, Keenan Tims wrote:
> I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com'
> and other Hotmail domains (mx[1-4].hotmail.com) are either timing out
> (30s) or getting connection refused since ~11:00am PDT. Anyone else
> seeing this?

Yup.
-- 
Jeremy





Re: [mailop] Connection failures to Hotmail domains

2016-05-25 Thread Al Iverson
You're not alone. It's quite widespread. Multiple folks have talked to
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims wrote:
> I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com' and
> other Hotmail domains (mx[1-4].hotmail.com) are either timing out (30s) or
> getting connection refused since ~11:00am PDT. Anyone else seeing this? I've
> tested from a few off-net points and am seeing the same. Mail is starting to
> pile up in our queues in quantity. Given the scale of what this appears to
> be I assume the team is already hard at work on it, but the lack of mention
> here concerns me, so sorry for the noise if this is too obvious for the list
> ;-).
>
> Our primary outbound relays are within 64.253.128.0/19
>
> Here are a couple representative logs:
>
> 2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
> 2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[134.170.2.199]:25: Connection timed out
> 2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out
> 2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: to=, relay=none, delay=120, delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out)
>
> 2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to mx3.hotmail.com[65.55.37.72]:25: Connection timed out
> 2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[65.54.188.126]:25: Connection refused
> 2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
> 2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: to=, relay=none, delay=91, delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused)
>
> 2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.88]:25: Connection timed out
> 2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.120]:25: Connection refused
> 2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[65.54.188.72]:25: Connection timed out
> 2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
> 2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out
> 2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D: to=, relay=none, delay=3265, delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out)
>
> Keenan
>
> Stargate Connections AS19171
>
>


[mailop] Connection failures to Hotmail domains

2016-05-25 Thread Keenan Tims
I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com' 
and other Hotmail domains (mx[1-4].hotmail.com) are either timing out 
(30s) or getting connection refused since ~11:00am PDT. Anyone else 
seeing this? I've tested from a few off-net points and am seeing the 
same. Mail is starting to pile up in our queues in quantity. Given the 
scale of what this appears to be I assume the team is already hard at 
work on it, but the lack of mention here concerns me, so sorry for the 
noise if this is too obvious for the list ;-).


Our primary outbound relays are within 64.253.128.0/19

Here are a couple representative logs:

2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[134.170.2.199]:25: Connection timed out
2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out
2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: to=, relay=none, delay=120, delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out)

2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to mx3.hotmail.com[65.55.37.72]:25: Connection timed out
2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[65.54.188.126]:25: Connection refused
2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: to=, relay=none, delay=91, delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused)

2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.88]:25: Connection timed out
2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.120]:25: Connection refused
2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[65.54.188.72]:25: Connection timed out
2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D: to=, relay=none, delay=3265, delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out)


Keenan

Stargate Connections AS19171


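An added example, not part of Keenan's post or of Stargate's tooling: a small Python summariser run over the postfix/smtp lines above (re-joined one per line; the recipient after "to=" is empty because the archive redacted it). It separates the per-attempt "connect to ... timed out/refused" lines from the per-message "status=deferred" lines, aggregates failures per MX host and per destination domain, and turns the "90+% failing" observation into a threshold check that could page an operator. The parent-domain helper and the 0.9/10-attempt thresholds are assumptions for the example.

```python
"""Summarise postfix/smtp connect failures per MX host and destination domain.

Added example, not code from the thread. SAMPLE_LOG holds the lines Keenan
posted, re-joined one per line; the recipient after "to=" is empty because the
list archive redacted it.
"""
import re
from collections import Counter, defaultdict

# "... connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out"
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postfix/smtp\[(?P<pid>\d+)\]: "
    r"connect to (?P<mx>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<reason>.+)$"
)
# "... 7DA71FFC4D: to=, relay=none, delay=3265, delays=..., dsn=4.4.1, status=deferred (...)"
DELIVERY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
    r"to=(?P<to>[^,]*), relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[^,]+), dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
    r"(?: \((?P<detail>.*)\))?$"
)

SAMPLE_LOG = """\
2016-05-25T12:55:19.470647-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
2016-05-25T12:55:49.504155-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T12:55:49.513775-07:00 skaro postfix/smtp[6486]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T12:56:19.550093-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[134.170.2.199]:25: Connection timed out
2016-05-25T12:56:49.583216-07:00 skaro postfix/smtp[6486]: connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out
2016-05-25T12:56:49.585566-07:00 skaro postfix/smtp[6486]: 3F2D5FFC9B: to=, relay=none, delay=120, delays=0.17/0/120/0, dsn=4.4.1, status=deferred (connect to mx1.hotmail.com[65.54.188.110]:25: Connection timed out)
2016-05-25T12:59:32.971606-07:00 skaro postfix/smtp[5033]: connect to mx3.hotmail.com[65.55.37.72]:25: Connection timed out
2016-05-25T12:59:32.995152-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[65.54.188.126]:25: Connection refused
2016-05-25T13:00:03.033047-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:00:33.066589-07:00 skaro postfix/smtp[5033]: connect to mx4.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:00:33.076153-07:00 skaro postfix/smtp[5033]: connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused
2016-05-25T13:00:33.080762-07:00 skaro postfix/smtp[5033]: 25B4FFFC00: to=, relay=none, delay=91, delays=0.78/0/90/0, dsn=4.4.1, status=deferred (connect to mx2.hotmail.com[65.55.33.119]:25: Connection refused)
2016-05-25T13:02:08.167728-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.88]:25: Connection timed out
2016-05-25T13:02:08.177325-07:00 skaro postfix/smtp[7967]: connect to mx4.hotmail.com[65.55.37.120]:25: Connection refused
2016-05-25T13:02:38.208945-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[65.54.188.72]:25: Connection timed out
2016-05-25T13:03:08.242467-07:00 skaro postfix/smtp[7967]: connect to mx1.hotmail.com[207.46.8.167]:25: Connection timed out
2016-05-25T13:03:38.275974-07:00 skaro postfix/smtp[7967]: connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out
2016-05-25T13:03:38.278894-07:00 skaro postfix/smtp[7967]: 7DA71FFC4D: to=, relay=none, delay=3265, delays=3145/0/120/0, dsn=4.4.1, status=deferred (connect to mx3.hotmail.com[207.46.8.199]:25: Connection timed out)
"""


def parse(lines):
    """Yield ("connect", fields) or ("delivery", fields) per recognised line."""
    for line in lines:
        line = line.strip()
        m = CONNECT_RE.match(line)
        if m:
            yield "connect", m.groupdict()
            continue
        m = DELIVERY_RE.match(line)
        if m:
            yield "delivery", m.groupdict()


def parent_domain(hostname):
    """mx1.hotmail.com -> hotmail.com (one label stripped; fine for these MX names)."""
    return hostname.split(".", 1)[1] if "." in hostname else hostname


def summarize(lines):
    reasons = Counter()                # failure reason -> count
    per_mx = defaultdict(Counter)      # MX host -> reason -> count
    per_domain = defaultdict(Counter)  # domain -> {"failed": n, "sent": n}
    deferred = []                      # (queue id, dsn, delay in seconds, detail)
    for kind, rec in parse(lines):
        if kind == "connect":
            reasons[rec["reason"]] += 1
            per_mx[rec["mx"]][rec["reason"]] += 1
            per_domain[parent_domain(rec["mx"])]["failed"] += 1
        elif rec["status"] == "sent":  # relay looks like "mx1.hotmail.com[1.2.3.4]:25"
            per_domain[parent_domain(rec["relay"].split("[", 1)[0])]["sent"] += 1
        elif rec["status"] == "deferred":
            deferred.append((rec["qid"], rec["dsn"], float(rec["delay"]), rec["detail"]))
    return {"reasons": reasons, "per_mx": per_mx, "per_domain": per_domain, "deferred": deferred}


def failing_domains(summary, threshold=0.9, min_attempts=10):
    """Domains whose share of failed connects reaches the threshold: the alert
    that should fire long before a queued message reaches delay=3265."""
    out = {}
    for domain, c in summary["per_domain"].items():
        attempts = c["failed"] + c["sent"]
        if attempts >= min_attempts and c["failed"] / attempts >= threshold:
            out[domain] = round(c["failed"] / attempts, 3)
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for mx, c in sorted(s["per_mx"].items()):
        print(mx, dict(c))
    print("deferred:", len(s["deferred"]), "failing:", failing_domains(s))
```

On the sample, every one of the 15 connect attempts fails (11 timeouts, 4 refusals), spread over all four MX names and shared addresses such as 207.46.8.167 behind both mx1 and mx2, which is what points at the remote side rather than at one bad MX record; the three deferrals all carry dsn=4.4.1, so Postfix keeps retrying and the queue simply grows.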


Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte

On 5/25/16 10:36 AM, Vick Khera wrote:
> On Tue, May 24, 2016 at 2:18 PM, Michael Wise wrote:
>
>> Are these IP addresses on CBL?
>
> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17
> and 18. Amazingly, whoever is on the other end of that address clicked to
> confirm every one of those confirmation messages. All confirmation clicks
> appear to come from a netblock owned by Barracuda Networks... Hmm...

Which netblock was that?

--Erwin

===


Considering Office 365?  Barracuda security and storage solutions can help. 
Learn more about Barracuda solutions for Office 365 at 
http://barracuda.com/office365.

DISCLAIMER:
This e-mail and any attachments to it contain confidential and proprietary 
material of Barracuda, its affiliates or agents, and is solely for the use of 
the intended recipient. Any review, use, disclosure, distribution or copying of 
this transmittal is prohibited except by or on behalf of the intended 
recipient. If you have received this transmittal in error, please notify the 
sender and destroy this e-mail and any attachments and all copies, whether 
electronic or printed.



Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Tue, May 24, 2016 at 2:18 PM, Michael Wise wrote:

> Are these IP addresses on CBL?
>

I did a spot check of a recent attack. The email address was
jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17
and 18. Amazingly, whoever is on the other end of that address clicked to
confirm every one of those confirmation messages. All confirmation clicks
appear to come from a netblock owned by Barracuda Networks... Hmm...

Each signup request came from a different IP address. 5 were on CBL (as of
right now) and 7 were not. In case anyone is interested, I also checked
them against MinFraud from Maxmind. Of the 7 CBL did not detect, it said 5
of them were high risk of being fraudulent source. Between the two, only 2
would get through.

If anyone is interested, these are the IPs used for the signup form
submission:

 107.184.168.161 - CBL, MF
 67.208.149.17 - CBL, MF "low"
 116.212.155.5 -
 73.4.8.181 - MF
 76.74.237.61 - CBL, MF
 96.245.176.53 - MF
 50.196.42.201 - MF
 32.213.237.56 -
 50.192.254.21 - MF
 76.74.237.61 - CBL, MF
 74.196.162.37 - MF
 76.74.237.61 - CBL, MF

I am definitely going to start checking CBL and MinFraud for these forms.
Thanks for the tip.

> Are these addresses in a larger pool, like a Nigerian coffee shop?
>

Doesn't seem like it. I spot checked a couple and they look like ISPs in
the states.


> At some point, you should have a CAPTCHA, and also possibly a list of
> ranges of known bad actors.
>
>
>

We do have CAPTCHA available. I think it is time to start pushing it on the
customers a little harder...
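An added example, not Vick's code or his ESP's: Python that does the two checks his post describes, a DNSBL lookup on the submitting IP and a look at the recipient address across all hosted lists, and combines them into a per-signup decision. The IPs are the ones from his table; the signup events, the canned DNSBL answers (so it runs offline) and the 48-hour/3-list thresholds are constructed assumptions. The cross-list velocity check is the piece a single customer's rate limit cannot provide: each form saw one submission, but the ESP saw one address hit 12 lists from 10 different IPs in two days.

```python
"""Triage list-signup requests: DNSBL query name, an offline resolver stand-in,
and a cross-list velocity check on the recipient address.

Added example, not the ESP's code. The IP addresses are the ones Vick posted;
the signup events and the canned DNSBL answers are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Vick's table, in the order he listed it: (ip, sources that flagged it).
VICK_SIGNUPS = [
    ("107.184.168.161", {"CBL", "MF"}),
    ("67.208.149.17", {"CBL", "MF"}),   # MinFraud called this one "low"
    ("116.212.155.5", set()),
    ("73.4.8.181", {"MF"}),
    ("76.74.237.61", {"CBL", "MF"}),
    ("96.245.176.53", {"MF"}),
    ("50.196.42.201", {"MF"}),
    ("32.213.237.56", set()),
    ("50.192.254.21", {"MF"}),
    ("76.74.237.61", {"CBL", "MF"}),
    ("74.196.162.37", {"MF"}),
    ("76.74.237.61", {"CBL", "MF"}),
]
CBL_ZONE = "cbl.abuseat.org"  # the CBL's zone at the time of the thread


def dnsbl_query_name(ip, zone=CBL_ZONE):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def canned_resolver(listed_ips, zone=CBL_ZONE):
    """Offline stand-in for an A lookup: 127.0.0.2 for listed names, None for
    NXDOMAIN. A production deployment swaps in a real resolver here."""
    listed = {dnsbl_query_name(ip, zone) for ip in listed_ips}
    return lambda qname: "127.0.0.2" if qname in listed else None


def is_listed(ip, resolve, zone=CBL_ZONE):
    """Listed means an answer inside 127.0.0.0/8; anything else is treated as
    clean (some zones answer outside that range to signal a blocked client)."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def cross_list_velocity(events, window=timedelta(hours=48), max_lists=3):
    """Flag recipient addresses subscribed to more than max_lists distinct lists
    inside any window: the ESP-wide view a per-form rate limit never has."""
    by_email = defaultdict(list)
    for e in events:
        by_email[e["email"]].append(e)
    flagged = {}
    for email, evs in by_email.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            lists = {e["list"] for e in in_window}
            if len(lists) > max_lists:
                flagged[email] = {"lists": len(lists), "ips": len({e["ip"] for e in in_window})}
                break
    return flagged


def triage(event, resolve, flagged):
    """Listed source -> reject; recipient inside a list-bombing burst -> hold
    (no confirmation mail goes out); otherwise the normal confirmed opt-in."""
    if is_listed(event["ip"], resolve):
        return "reject"
    if event["email"] in flagged:
        return "hold"
    return "accept"


def make_events():
    """Constructed: one address pushed onto 12 lists from Vick's 12 IPs over two
    days, plus an ordinary reader joining two lists five days apart."""
    t0 = datetime(2016, 5, 17, 8, 0)
    events = [{"email": "victim@example.com", "list": f"list-{i:02d}", "ip": ip,
               "ts": t0 + timedelta(hours=3 * i)}
              for i, (ip, _) in enumerate(VICK_SIGNUPS)]
    events.append({"email": "reader@example.net", "list": "list-03", "ip": "192.0.2.10", "ts": t0})
    events.append({"email": "reader@example.net", "list": "list-07", "ip": "192.0.2.10",
                   "ts": t0 + timedelta(days=5)})
    return events


if __name__ == "__main__":
    resolve = canned_resolver({ip for ip, src in VICK_SIGNUPS if "CBL" in src})
    events = make_events()
    flagged = cross_list_velocity(events)
    for e in events:
        print(e["email"], e["ip"], triage(e, resolve, flagged))
```

Holding rather than rejecting a flagged recipient matters for the complaint Vick described: the damage is the confirmation message itself, so the fix is to stop sending it once the address is evidently being bombed, while still letting the DNSBL hit drop the obviously bad sources outright.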


Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
Matthew,

Which ESPs operate that way? (Hint: none. Most ESPs offer COI, few or
none require it.)

So since that's not happening...

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 9:45 AM, Matthew Black wrote:
> Are your customers using confirmed opt-in mailing lists? If not, they should
> not be running mailing lists.
>
>
>
> matthew
>
>
>
>
>
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
> Sent: Tuesday, May 24, 2016 10:18 AM
> To: mailop@mailop.org
> Subject: [mailop] signup form abuse
>
>
>
> As an ESP, we host mailing list signup forms for many customers. Of late, it
> appears they have been getting pounded on with fraudulent signups for real
> addresses. Sometimes the people confirm by clicking the confirmation link in
> the message and we are left scratching our heads as to why they would do
> that. Mostly they get ignored and sometimes they come back as spam
> complaints.
>
>
>
> One opinion I got regarding this was that people were using bots to sign up
> to newsletter lists other bot-driven email addresses at gmail, yahoo, etc.,
> to make those mailboxes look more real before they became "weaponized" for
> use in sending junk. That does not seem to be entirely what is happening
> here...
>
>
>
> Today we got a set of complaints for what appears to be a personal email
> address at a reasonably sized ISP. The complaint clearly identified the
> messages as a signup confirmation message and chastised us for not having
> the form protected by a CAPTCHA. Of course, they blocked some of our IPs for
> good measure :( They characterized it as a DDoS.
>
>
>
> What are the folks on this fine list doing about this kind of abuse? We do
> have ability to turn on CAPTCHA for our customers, but often they have
> nicely integrated the signup forms into their own web sites and making it
> work for those is pretty complicated. If I enabled CAPTCHA naively, the
> subscribers would have to click the submit form twice and then click the
> confirm on the email. The UX for that sucks, but such is the cost of
> allowing jerks on the internet...
>
>
>
> Rate limiting doesn't seem to be useful since the forms are being submitted
> at low rates and from a wide number of IP addresses.
>
>
>
> I look forward to hearing what others here are doing.
>
>


Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 10:45 AM, Matthew Black wrote:

> Are your customers using confirmed opt-in mailing lists? If not, they
> should not be running mailing lists.
>
>
Yes, the only effect is to send a confirmation message, which is quite
generic and at most contains the customer's logo and name of the list, to
the victim.


Re: [mailop] signup form abuse

2016-05-25 Thread Matthew Black
Are your customers using confirmed opt-in mailing lists? If not, they should 
not be running mailing lists.

matthew


From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
Sent: Tuesday, May 24, 2016 10:18 AM
To: mailop@mailop.org
Subject: [mailop] signup form abuse

As an ESP, we host mailing list signup forms for many customers. Of late, it 
appears they have been getting pounded on with fraudulent signups for real 
addresses. Sometimes the people confirm by clicking the confirmation link in 
the message and we are left scratching our heads as to why they would do that. 
Mostly they get ignored and sometimes they come back as spam complaints.

One opinion I got regarding this was that people were using bots to sign up to 
newsletter lists other bot-driven email addresses at gmail, yahoo, etc., to 
make those mailboxes look more real before they became "weaponized" for use in 
sending junk. That does not seem to be entirely what is happening here...

Today we got a set of complaints for what appears to be a personal email 
address at a reasonably sized ISP. The complaint clearly identified the 
messages as a signup confirmation message and chastised us for not having the 
form protected by a CAPTCHA. Of course, they blocked some of our IPs for good 
measure :( They characterized it as a DDoS.

What are the folks on this fine list doing about this kind of abuse? We do have 
ability to turn on CAPTCHA for our customers, but often they have nicely 
integrated the signup forms into their own web sites and making it work for 
those is pretty complicated. If I enabled CAPTCHA naively, the subscribers 
would have to click the submit form twice and then click the confirm on the 
email. The UX for that sucks, but such is the cost of allowing jerks on the 
internet...

Rate limiting doesn't seem to be useful since the forms are being submitted at 
low rates and from a wide number of IP addresses.

I look forward to hearing what others here are doing.


Re: [mailop] signup form abuse

2016-05-25 Thread Dave Warren

On 2016-05-24 15:30, Michael Wise via mailop wrote:
> If someone has a better idea how to keep mailing-list software like MailMan from
> being co-opted into such an attack, I would LOVE to hear it.


I think the obvious approach would be to move back to 
listname-subscr...@example.com requests, but require subscription 
requests to either have valid SPF, DKIM, or some matching of 
MX/rDNS/something to indicate it might be legitimate.


But of course this would require users to actually want to join lists 
enough to take action, and we can't have friction.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



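An added example of the mail-based variant Dave proposes, not from the thread or from any list manager: Python that honours a "listname-subscribe" request only when the receiving MTA's own Authentication-Results header records an SPF or DKIM pass aligned with the From domain. The three messages are constructed, "mx.lists.example" is the assumed authserv-id of our own MX, and the relaxed alignment check (equal domain or subdomain, no public-suffix list) is a simplification. The second message shows why the authserv-id must be checked: a sender can add an Authentication-Results header of their own, and only the one our MX wrote counts.

```python
"""Accept a mail-based subscribe request only on an aligned SPF/DKIM pass
recorded by our own MX.

Added example, not the thread's or any list manager's code. Messages are
constructed; "mx.lists.example" is the assumed authserv-id of our MX.
"""
import email
import re
from email.utils import parseaddr

# One method result in Authentication-Results, e.g. "dkim=pass header.d=example.org".
METHOD_RE = re.compile(r"(?P<method>spf|dkim|dmarc)=(?P<result>\w+)(?P<props>.*)", re.S)
PROP_RE = re.compile(r"(?P<name>[\w.]+)=(?P<value>\S+)")
OUR_AUTHSERV_ID = "mx.lists.example"


def parse_authres(value):
    """'id; spf=pass smtp.mailfrom=a@b; dkim=pass header.d=b' ->
    ('id', [{'method': 'spf', 'result': 'pass', 'smtp.mailfrom': 'a@b'}, ...])."""
    head, *parts = value.split(";")
    authserv_id = head.strip().split()[0] if head.strip() else ""
    results = []
    for part in parts:
        m = METHOD_RE.search(part)
        if not m:
            continue
        rec = {"method": m["method"], "result": m["result"].lower()}
        for p in PROP_RE.finditer(m["props"]):
            rec[p["name"]] = p["value"]
        results.append(rec)
    return authserv_id, results


def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def aligned(auth_domain, from_domain):
    """Relaxed alignment without a public-suffix list (assumption): equal, or
    one is a subdomain of the other."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f or f.endswith("." + a) or a.endswith("." + f))


def authenticated_from(msg, authserv_id=OUR_AUTHSERV_ID):
    """The From address if an Authentication-Results header written by OUR MX
    (never one the sender could have added) shows an aligned spf/dkim pass."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = domain_of(from_addr)
    for hdr in msg.get_all("Authentication-Results", []):
        server, results = parse_authres(hdr)
        if server != authserv_id:
            continue
        for rec in results:
            if rec["result"] != "pass":
                continue
            if rec["method"] == "spf":
                d = domain_of(rec.get("smtp.mailfrom", ""))
            elif rec["method"] == "dkim":
                d = rec.get("header.d", "")
            else:
                continue
            if aligned(d, from_domain):
                return from_addr
    return None


def handle_subscribe_request(raw, authserv_id=OUR_AUTHSERV_ID):
    """("subscribe", address) for an authenticated sender, else ("ignore", why).
    Ignoring sends nothing back, so a forged From cannot aim traffic at a victim."""
    msg = email.message_from_string(raw)
    addr = authenticated_from(msg, authserv_id)
    if addr is None:
        return "ignore", "no aligned spf/dkim pass recorded by " + authserv_id
    return "subscribe", addr


# Constructed messages. GOOD carries our MX's verdict; FORGED carries a pass under
# a foreign authserv-id while our MX recorded spf=fail/dkim=none; MISALIGNED has a
# genuine DKIM pass for a domain that is not the From domain.
GOOD = """\
Authentication-Results: mx.lists.example; spf=pass smtp.mailfrom=alice@example.org;
 dkim=pass header.d=example.org
From: Alice <alice@example.org>
To: announce-subscribe@lists.example
Subject: subscribe

"""
FORGED = """\
Authentication-Results: not-our-mx.invalid; spf=pass smtp.mailfrom=victim@example.org;
 dkim=pass header.d=example.org
Authentication-Results: mx.lists.example; spf=fail smtp.mailfrom=victim@example.org;
 dkim=none
From: victim@example.org
To: announce-subscribe@lists.example
Subject: subscribe

"""
MISALIGNED = """\
Authentication-Results: mx.lists.example; dkim=pass header.d=bulk-sender.invalid
From: victim@example.org
To: announce-subscribe@lists.example
Subject: subscribe

"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("FORGED", FORGED), ("MISALIGNED", MISALIGNED)):
        print(name, handle_subscribe_request(raw))
```

This still leaves the friction Dave mentions (the requester must send a message from a domain with working SPF or DKIM), but it moves the cost onto the party asking to be subscribed instead of onto whoever's address was typed into a form, which is exactly the asymmetry the web-form attack exploits.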


Re: [mailop] signup form abuse

2016-05-25 Thread Dave Warren

On 2016-05-24 15:17, Jay Hennigan wrote:
> On 5/24/16 12:26 PM, Michael Wise wrote:
>
>> We're still seeing cases where a malicious actor, typically in
>> Eastern Europe, will try and sign up a target email address for
>> thousands of lists all at once, flooding their mailbox with
>> confirmation traffic, perhaps to hide some other nefarious issues.
>
> I wonder what the point is. How does the bad guy monetize it, or is it
> a coordinated attack against a specific victim? What other nefarious
> issues? Making the address useless or burying some other mail in the
> midst of the junk would seem to be a possibility.
>
> If an attack against a specific victim, it would seem that unconfirmed
> marketing lists would be a more effective weapon than a bunch of
> random confirmation messages.


I could see this type of attack being useful when the bad actor desires 
to suppress a legitimate message. For example, if I were to spoof a 
message from the finance director to a subordinate to send corporate 
financial information out to a third party, I might want to disrupt the 
finance director's email temporarily to ensure that the subordinate's 
attempt to confirm the request is not seen.


I might do so again after compromising the corporate bank account so 
that wire transfer confirmations are not seen and acted upon in a timely 
fashion.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


