Re: [mailop] Connection failures to Hotmail domains

2016-05-26 Thread Michael Wise via mailop

Okay, the External Facing messaging is along the lines of:

Skinny: Issue resolved. ☺
“Yer Bug Is Fixed!”

Some references were made to Han Solo on the intercom when they were trying to 
rescue the Princess, but were removed.
Can’t really say more, but they tell me the Root Cause has been addressed, and 
stuff is in place to see that it doesn’t happen again.

Huge Thanks to all who raised the alarm.
The lack of an alarm here is also being looked into, as that issue should never 
have slipped thru the cracks, but it did.

“ Inconceivable!
“ You keep using that word…

Have a most excellent rest of the week, and a glorious Memorial Day Weekend for 
the USA folks.
… who are not On Call.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

From: frnk...@iname.com [mailto:frnk...@iname.com]
Sent: Wednesday, May 25, 2016 3:08 PM
To: 'Jaren Angerbauer'; Michael Wise
Cc: mailop
Subject: RE: [mailop] Connection failures to Hotmail domains

Finally had a chance to look at my logs … looking at error count over time (all 
U.S. Central) I see the following:

Server 1:
  1 25 12:3
  1 25 12:4
  4 25 13:1
 22 25 13:2
 22 25 13:3
 24 25 13:4
 31 25 13:5
 18 25 14:0
  8 25 14:1
 16 25 14:2
  5 25 14:3
 19 25 14:4
 15 25 14:5
 18 25 15:0
  7 25 15:1
  6 25 15:2
  4 25 15:3
 11 25 15:4
  2 25 15:5
  8 25 16:0
  9 25 16:1
  6 25 16:2
  7 25 16:3
  9 25 16:4
  6 25 16:5
  4 25 17:0

Server 2:
  2 25 12:4
  1 25 13:0
 14 25 13:1
 10 25 13:2
 24 25 13:3
 20 25 13:4
 11 25 13:5
 11 25 14:0
 19 25 14:1
 11 25 14:2
  9 25 14:3
 12 25 14:4
 14 25 14:5
  7 25 15:0
  8 25 15:1
 16 25 15:2
  8 25 15:3
 17 25 15:4
 17 25 15:5
  7 25 16:0
 12 25 16:1
 12 25 16:2
 27 25 16:3
 13 25 16:4
 18 25 16:5
  4 25 17:0

So it’s off its peak, but not resolved.

Frank

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jaren Angerbauer
Sent: Wednesday, May 25, 2016 3:50 PM
To: Michael Wise
Cc: mailop
Subject: Re: [mailop] Connection failures to Hotmail domains

Thanks Mike.  If you can, any update you receive (and can disclose) would be 
greatly appreciated.

--Jaren



On Wed, May 25, 2016 at 2:29 PM, Michael Wise via mailop wrote:

Oh yeah, we're aware.
Hearing some reports that the issue may have been mitigated, but until I hear 
anything from Inside the House, can't really comment except to say ... PRI:0, 
being worked on as I type. But not by me, as I have no insight into the inner 
workings.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Al Iverson
Sent: Wednesday, May 25, 2016 1:19 PM
To: mailop
Subject: Re: [mailop] Connection failures to Hotmail domains

You're not alone. It's quite widespread. Multiple folks have talked to 
Microsoft people about the issue, they are aware.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 3:08 PM, Keenan Tims wrote:
> I'm seeing 90+% of our connection attempts to the MXes for 'hotmail.com'
> and other Hotmail domains (mx[1-4].hotmail.com) are
> either timing out (30s) or getting connection refused since ~11:00am
> PDT. Anyone else seeing this? I've tested from a few off-net points
> and am seeing the same. Mail is starting to pile up in our queues in
> quantity. Given the scale of what this appears to be I assume the team
> is already hard at work on it, but the lack of mention here concerns
> me, so sorry for the noise if this is too obvious for the 

Re: [mailop] Excluding Message-ID from DKIM Signature

2016-05-26 Thread Joel Beckham
Thanks for the input!

Steve -- I've been on a couple calls with Securence and they're not willing
to stop the message-id modification. They did offer to tack on .invalid to
the FROM address to bypass our DMARC, but I'm not a big fan of that idea.
They said they're handling each p=reject on a case-by-case basis, so I'm
pretty sure it's breaking for a lot of their other customers. I'm not
really sure how to convince them DMARC is a real thing they need to deal
with.

Kurt -- From all the samples I've seen, message-id is the only thing
getting changed. I'll ask if I can provide you with their contact info and
follow up with you.



On Thu, May 26, 2016 at 3:36 PM, Kurt Andersen (b)  wrote:

> On Thu, May 26, 2016 at 1:25 PM, Joel Beckham  wrote:
>
>> Are there any negative consequences to consider before excluding
>> message-id from our signature?
>>
>> ...found that Securence / usinternet.com (A forwarder) gets a measurable
>> percentage of our mail and modifies the message-id in the process. This
>> breaks our DKIM signature and causes DMARC to fail at the destination.
>> Working directly with them, I've learned that they're unable to preserve
>> the signed message-id.
>
>
> This seems like an odd thing to change. Are you sure that there is nothing
> else that they are doing to your messages which will break the signature?
>
> Having worked on the DMARC interoperability catalog (for the IETF DMARC
> WG), I'd be interested in talking a bit more with Securence if you can
> provide contact info off-list so that I can find out if we have captured
> their issue(s) in the catalog.
>
> --Kurt Andersen
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Excluding Message-ID from DKIM Signature

2016-05-26 Thread Kurt Andersen (b)
On Thu, May 26, 2016 at 1:25 PM, Joel Beckham  wrote:

> Are there any negative consequences to consider before excluding
> message-id from our signature?
>
> ...found that Securence / usinternet.com (A forwarder) gets a measurable
> percentage of our mail and modifies the message-id in the process. This
> breaks our DKIM signature and causes DMARC to fail at the destination.
> Working directly with them, I've learned that they're unable to preserve
> the signed message-id.


This seems like an odd thing to change. Are you sure that there is nothing
else that they are doing to your messages which will break the signature?

Having worked on the DMARC interoperability catalog (for the IETF DMARC
WG), I'd be interested in talking a bit more with Securence if you can
provide contact info off-list so that I can find out if we have captured
their issue(s) in the catalog.

--Kurt Andersen


Re: [mailop] Excluding Message-ID from DKIM Signature

2016-05-26 Thread Steve Atkins

> On May 26, 2016, at 1:25 PM, Joel Beckham  wrote:
> 
> Are there any negative consequences to consider before excluding message-id 
> from our signature?
> 
> I'm working towards p=reject on bombbomb.com and found that Securence / 
> usinternet.com (A forwarder) gets a measurable percentage of our mail and 
> modifies the message-id in the process. This breaks our DKIM signature and 
> causes DMARC to fail at the destination. Working directly with them, I've 
> learned that they're unable to preserve the signed message-id.
> 
> RFC4871 says it "SHOULD be included", but not required. RFC6376 adds, which 
> is the part that has me concerned, that: 
> 
> Verifiers may treat unsigned header fields with extreme
> skepticism, including refusing to display them to the end user or
> even ignoring the signature if it does not cover certain header
> fields.

Probably not. It increases your vulnerability to simple replay attacks 
significantly, but they're not really a thing. DKIM validators are unlikely to 
care - that warning is more about things like the Subject, Date, and other 
user-visible fields, I think.

(In theory, if they change the message-id it is - by definition - no longer the 
same message and it shouldn't authenticate. But, eh.)

I might try reaching out to Securence too and see if they're prepared to fix 
their behaviour as it's probably breaking things for many of their users, not 
just your recipients.

Cheers,
  Steve
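
What leaving Message-ID out of the DKIM h= list changes, as an added example that is not part of the thread or any poster's code. The sample headers, the forwarder model and the function names are constructed, and the RSA step is omitted: the digest compared here is the input the signing key would cover.

```python
import hashlib
import re

# Constructed sample message headers (not taken from the thread).
ORIGINAL = [
    ("From", " Sender <news@example.com>"),
    ("To", " user@example.net"),
    ("Subject", " Monthly   update"),
    ("Date", " Thu, 26 May 2016 13:25:00 -0700"),
    ("Message-ID", " <abc123@mail.example.com>"),
]

def relaxed(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"

def signed_header_digest(headers, h_tag):
    """SHA-256 over the headers named in h=, i.e. the bytes the key signs.

    Real DKIM also hashes the DKIM-Signature header itself (with empty b=);
    it is identical on both sides here, so it is left out. Equal digests
    mean the same signature would still verify.
    """
    remaining = list(headers)
    data = ""
    for wanted in h_tag.split(":"):
        # Each h= entry consumes the bottom-most unused instance of that name.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.strip().lower():
                data += relaxed(*remaining.pop(i))
                break
    return hashlib.sha256(data.encode()).hexdigest()

def forwarder_rewrite(headers):
    """Model a forwarder that replaces Message-ID and touches nothing else."""
    return [(n, " <rewritten@forwarder.example>") if n == "Message-ID" else (n, v)
            for n, v in headers]

def survives_forwarding(h_tag):
    """True if the signed-header digest is unchanged after the rewrite."""
    forwarded = forwarder_rewrite(ORIGINAL)
    return signed_header_digest(ORIGINAL, h_tag) == signed_header_digest(forwarded, h_tag)

if __name__ == "__main__":
    for h in ("from:to:subject:date:message-id", "from:to:subject:date"):
        print(f"h={h:35} verifies after rewrite: {survives_forwarding(h)}")
```

With Message-ID dropped from h=, the signature survives the rewrite, and for the same reason it survives any other Message-ID value, which is the replay exposure mentioned in the reply above.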




[mailop] Anyone know if iPage is having issues...

2016-05-26 Thread Eric Tykwinski
We seem to be receiving disconnects and "451 Internal queueing error" when
trying to deliver to them today.

Seems a bit sporadic, so want to make sure it's not just our servers here.

 

Sincerely,

 

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300

 



Re: [mailop] signup form abuse

2016-05-26 Thread Alberto Miscia via mailop
This opens up for an interesting discussion.
We experienced the very same issue in the past for a few customers and
enabling a captcha was the only viable option.
The "bots" (don't really know actually) managed to complete a COI
process with several free accounts.

IP ranges were different, some on CBL, some not, but blocking a listed IP
in a COI process can be dangerous.
For the very same reason I'd rule out e-hawk and the like.
The vast majority of the addresses were listed on cleantalk.org

The hidden link in the confirmation email (an HTML comment would work
better than a "white-on-white tiny font" from a
deliverability perspective) in my opinion is the way to go.
Even if it can be very tricky to implement, we are seriously
considering it to prevent bot clicks across the board.

HTH

Alberto Miscia | MailUp | Head of Deliverability & Compliance


2016-05-26 15:05 GMT+02:00 Vick Khera :
>
> On Wed, May 25, 2016 at 6:04 PM, Al Iverson 
> wrote:
>>
>> I've heard John Levine propose the "hidden link to catch scanning
>> robots" solution but I've never heard of an email system implementing
>
>
> I'm running through my head how that would work, and makes for some very
> complicated state transition diagrams to go from "signup requested" to
> "confirmed". What if they scan in parallel and the timing works out they
> poked them in the opposite order, etc. I see a few new states and many
> transitions, and some timeout based events. Not pretty.
>
>>
>> it. Similarly, senders have often suggested that spamtrap systems
>> shouldn't follow links. (Security systems, sure, but don't do that
>> with spamtrap addresses.) And today I heard it suggested that it would
>> be wiser to have COI have a second click (probably an HTTP POST-based
>
>
> What if the confirmation email button itself was a POST form rather than
> just a GET to a page? Are scanning systems following POSTs too?
>
>>
>>
>> button) on the landing web page, to prevent security systems from
>> erroneously completing COI confirm steps. All good stuff, but it
>
>
> I don't think you're going to get much buy-in for requiring so many clicks
> to get activated. I know we already lose customers just for requiring COI.
> Making the COI be more work for the subscriber will just make people go
> elsewhere faster.
>
>>
>> doesn't sound as though any of it has been widely broadcasted as a
>> best practice or requirement.
>
>
>
>


Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
On Wed, May 25, 2016 at 6:04 PM, Al Iverson 
wrote:

> I've heard John Levine propose the "hidden link to catch scanning
> robots" solution but I've never heard of an email system implementing
>

I'm running through my head how that would work, and makes for some very
complicated state transition diagrams to go from "signup requested" to
"confirmed". What if they scan in parallel and the timing works out they
poked them in the opposite order, etc. I see a few new states and many
transitions, and some timeout based events. Not pretty.


> it. Similarly, senders have often suggested that spamtrap systems
> shouldn't follow links. (Security systems, sure, but don't do that
> with spamtrap addresses.) And today I heard it suggested that it would
> be wiser to have COI have a second click (probably an HTTP POST-based
>

What if the confirmation email button itself was a POST form rather than
just a GET to a page? Are scanning systems following POSTs too?


>
> button) on the landing web page, to prevent security systems from
> erroneously completing COI confirm steps. All good stuff, but it
>

I don't think you're going to get much buy-in for requiring so many clicks
to get activated. I know we already lose customers just for requiring COI.
Making the COI be more work for the subscriber will just make people go
elsewhere faster.


> doesn't sound as though any of it has been widely broadcasted as a
> best practice or requirement.
>
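
One way to model the hidden-link idea from this thread, covering the "opposite order" and timeout cases raised in the message above, as an added example that is not part of the original messages or any list member's system. The state names, the 600-second hold window and the replay helper are assumptions, and the event timelines in the comments are constructed.

```python
from dataclasses import dataclass
from typing import Optional

HOLD_SECONDS = 600  # assumed window in which a decoy fetch cancels a confirm

@dataclass
class Signup:
    """One pending confirmed-opt-in request, keyed by its mailed token."""
    state: str = "requested"            # requested -> held -> confirmed
    confirm_at: Optional[float] = None
    decoy_at: Optional[float] = None

    def on_confirm_link(self, now: float) -> str:
        """The visible confirmation link was fetched."""
        if self.state == "requested":
            # A decoy fetch shortly before this one means a scanner is
            # walking every URL in the mail: ignore the click.
            near = self.decoy_at is not None and now - self.decoy_at <= HOLD_SECONDS
            if not near:
                self.state, self.confirm_at = "held", now
        return self.state

    def on_decoy_link(self, now: float) -> str:
        """The hidden link, which no human reader sees, was fetched."""
        self.decoy_at = now
        if self.state == "held" and now - self.confirm_at <= HOLD_SECONDS:
            # Scanner hit the links in confirm-first order: undo the hold,
            # but leave the token usable for a later human click.
            self.state, self.confirm_at = "requested", None
        return self.state

    def on_timer(self, now: float) -> str:
        """Periodic sweep: promote holds that outlived the window untouched."""
        if self.state == "held" and now - self.confirm_at > HOLD_SECONDS:
            self.state = "confirmed"
        return self.state

def replay(events):
    """Apply constructed (seconds, kind) events in time order; return final state."""
    s = Signup()
    handlers = {"confirm": s.on_confirm_link, "decoy": s.on_decoy_link,
                "timer": s.on_timer}
    for t, kind in sorted(events):
        handlers[kind](t)
    return s.state

if __name__ == "__main__":
    print(replay([(10, "confirm"), (700, "timer")]))                 # human only
    print(replay([(10, "decoy"), (11, "confirm"), (700, "timer")]))  # scanner only
```

The cost of this design is that activation is delayed by the hold window, and a person who clicks within the window of a scanner's decoy fetch has to click again.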


Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
In the confirmation message, there is a link (which looks like a button) to
click to confirm you want to be on the list. That link is being followed
and the addresses activated. My working theory is that some mail filtering
software is fetching the URLs it sees.

On Wed, May 25, 2016 at 5:47 PM, Michael Wise 
wrote:

> When you say, “Confirmation Clicks”, do you mean on a link provided via
> email, or a confirmation button of a web form?
>
>
>
> Aloha,
>
> Michael.
>
> --
>
> *Michael J Wise* | Microsoft | Spam Analysis | "Your Spam Specimen Has
> Been Processed." | Got the Junk Mail Reporting Tool
>  ?
>
>
>
> *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Vick
> Khera
> *Sent:* Wednesday, May 25, 2016 2:14 PM
> *To:* Erwin Harte 
> *Cc:* mailop@mailop.org
> *Subject:* Re: [mailop] signup form abuse
>
>
>
>
>
> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte  wrote:
>
> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got signed up to 12 lists during May
> 17 and 18. Amazingly, whoever is on the other end of that address clicked
> to confirm every one of those confirmation messages. All confirmation
> clicks appear to come from a netblock owned by Barracuda Networks... Hmm...
>
> Which netblock was that?
>
>
> 64.235.144.0/20
> 
>
>
>
> Specifically: 64.235.154.109,
> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109
>