Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Benoît Panizzon via mailop
Hi

> Anybody else seeing increased phishing through sendgrid?  They look 
> fairly convincing.
> 
> A few paypals, and a few amazons.

Add Netflix
Add Joe-Jobs

> I thought sendgrid were ok?    Has somebody leaked a big pile of 
> sendgrid usernames and passwords or something?

Yes, I contacted their abuse desk on the Netflix case - No reaction.
Redirection Service to the phishing site on their platform was still
active after a couple of days (didn't re-check recently).

Also contacted them with a GDPR Request because of the joe-job so they
would need to reveal their customer. No reaction after about one month
now.

So I attempted to contact their legal department. Their website redirects
to Twilio (yes, they seem to have purchased sendgrid).

And indeed, I also have a long lasting case open with the legal team of
twilio regarding one of their customers using a swisscom mobile phone
number to send SMS spam for what looks like a loan fraud scheme.
Swisscom only has the information that Twilio is their
'Reselling' customer and doesn't know the end-customer behind Twilio.

Swiss telecommunication laws require them to identify the customer
sending those SMS: But also here: No reaction from their legal team and
ofcom has no way to put a fine on them, because they are not a
registered telco in Switzerland.

I suspect the IP Ranges of Sendgrid are bound for a global blacklisting
if they keep ignoring abusive behaviour of their customers.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
ImproWare AG - Head of Commerce Customers

Zurlindenstrasse 29   Tel  +41 61 826 93 00
CH-4133 Pratteln      Fax  +41 61 826 93 01
Schweiz               Web  http://www.imp.ch

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-17 Thread Dave Warren via mailop
A bit late, sorry. 

On Tue, Jun 2, 2020, at 04:55, Ken O'Driscoll via mailop wrote:
> On Thu, 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
>> Does anyone know if there is any alternative to Outlook to access
>> 
>> Exchange Online mailboxes that require modern authentication?
> 
> Take a look at Davmail, it's basically a proxy that sits in-between your 
> existing "legacy" MUA and O365. It handles all of the MFA and talks EWA then 
> presents standards based IMAP, SMTP, CalDAV and CardDAV protocol interfaces 
> for your MTA to use.
> 
> I don't know if it will work for your specific environment but it works for 
> most people that want to continue to use Thunderbird etc. with Exchange.
> 

Thunderbird beta (78.0b2) supports M365’s OAuth2 natively, no external 
shim required.

The setup is a little weird: you need to set up the account, go to the advanced 
settings (so that it creates the account despite not working), and switch the 
authentication to OAuth2 for both IMAP and SMTP; then it just works.


Re: [mailop] SPF strict / DMARC interaction / "big" provider behavior...

2020-06-17 Thread Carl Byington via mailop

On Wed, 2020-06-17 at 16:45 -0400, Bill Cole via mailop wrote:
> This problem is part of why DMARC was developed. Very few people are
> adequately confident of their understanding of DMARC and of its
> reliability to make it the root cause of mail rejections that they do
> not intend.

Someone in the US State Department is apparently very confident, but
mistaken.

dig _dmarc.state.gov txt +short
"v=DMARC1; p=reject; rua=mailto:dmarcrepor...@state.gov,
mailto:repo...@dmarc.cyber.dhs.gov";

Yet they send mail out via Mailchimp, with a From: header of

From: =?utf-8?Q?The=20Office=20of=20Foreign=20Missions?=
(which decodes to "The Office of Foreign Missions")

and only a single DKIM signature from d=mailchimpapp.net.




Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Len Shneyder via mailop
Something is a little off with the auto-responder; we tested it last week
and it was working, but I just ran a test now and nothing yet, so we'll dig into
that. In the meantime we are receiving anything you send to
ab...@sendgrid.com

Len Shneyder
VP Industry Relations
EMAIL l...@twilio.com
TWITTER @LenShneyder 


On Wed, Jun 17, 2020 at 2:30 PM Faisal Misle  wrote:

> I’ve had mixed luck... sometimes it auto replies, sometimes it doesn’t.
>
> I sometimes wonder if their Proofpoint gateway is quarantining them - or
> if they added a bypass rule for their abuse mailbox (as it should be)
>
> Best,
> Faisal
>
> PGP Key: C8FD029B
> 
>
>
> On Wed, Jun 17, 2020 at 4:17 PM, Tim Bray via mailop 
> wrote:
>
> On 17/06/2020 16:01, Len Shneyder via mailop wrote:
>
> Hi All,
>
> Appreciate the discussion. As was mentioned in another forum we are aware
> of the problem—the entire team is engaged in deploying a comprehensive fix
> that will prevent a wave like this in the future. Just to be perfectly
> clear, there is no leak of credentials as one post suggests. In the mean
> time if you want to send example/headers to ab...@sendgrid.com they are
> being reviewed, you can CC me too. We will play some whackamole as we look
> to implement a more thorough solution. Again, thank you all for your
> vigilance and feel free to ping me.
>
>
>
> Thanks for confirming the correct abuse address.   It doesn't auto reply
> or anything so was a bit worried I'm sending stuff and nobody checking.
>
> Fortunately some of the links are blocked by google safe browsing, which I
> guess limits the damage.
>
>
>
> --
> Tim Bray
> Huddersfield, gb...@kooky.org
>
>
>
>


Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Faisal Misle via mailop
I’ve had mixed luck... sometimes it auto replies, sometimes it doesn’t.

I sometimes wonder if their Proofpoint gateway is quarantining them - or if 
they added a bypass rule for their abuse mailbox (as it should be)

Best,
Faisal

PGP Key: [C8FD029B](https://pgp.faisal.ec/)

On Wed, Jun 17, 2020 at 4:17 PM, Tim Bray via mailop  wrote:

> On 17/06/2020 16:01, Len Shneyder via mailop wrote:
>
>> Hi All,
>>
>> Appreciate the discussion. As was mentioned in another forum we are aware of 
>> the problem—the entire team is engaged in deploying a comprehensive fix that 
>> will prevent a wave like this in the future. Just to be perfectly clear, 
>> there is no leak of credentials as one post suggests. In the mean time if 
>> you want to send example/headers to ab...@sendgrid.com they are being 
>> reviewed, you can CC me too. We will play some whackamole as we look to 
>> implement a more thorough solution. Again, thank you all for your vigilance 
>> and feel free to ping me.
>
> Thanks for confirming the correct abuse address. It doesn't auto reply or 
> anything so was a bit worried I'm sending stuff and nobody checking.
>
> Fortunately some of the links are blocked by google safe browsing, which I 
> guess limits the damage.
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org


Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Jesse Thompson via mailop
On 6/17/20 1:50 PM, Robert L Mathews via mailop wrote:
> Several months ago I suggested (among other things) that SendGrid block
> "From" headers matching prominent domain names until the messages have
> been manually reviewed. The fact that "don't let random customers send
> mail saying it's from @microsoft.com" hasn't been implemented in that
> time frame is disappointing.

More to the point: why should *any* ESP send "From" *any* domain without having 
explicit DMARC aligned authorization via SPF or DKIM?  At the very least, an 
ESP shouldn't allow their customers to use domains that have a published DMARC 
policy that would result in quarantine or reject for the ESP's mail. 

I know the answer is that small businesses commonly use freemail providers, and 
they still want to send marketing as their brand, and if the ESP takes a hard 
line on authorization their prospective customer might choose to do business 
with a competing ESP... 

But maybe those freemail domains should be the exception to the rule. 

We also saw a round of phishing sent from SendGrid that was "spoofing" some 
arbitrary .com domain.  And I mean to say "spoofing" lightly, since I'm fairly 
confident that SendGrid (as would any responsible ESP) did verify their 
customer's ability to receive mail at an address within that domain, so either:

1) a mailbox was compromised and used to authorize SendGrid to use the domain
2) a SendGrid customer account was compromised and the attacker was 
piggybacking on a prior authorization.  

If the former: all the more reason to have a slightly higher bar for ESPs 
achieving domain authorization.  
If the latter: much tougher challenge.

Jesse

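An added example (not SendGrid's or any ESP's code) of the pre-send authorization gate this post argues for, with Robert L Mathews' "hold prominent brands for manual review" idea from his earlier mail folded in. The DNS answers and .example domains are constructed, and the lookup generalizes slightly beyond the post by following RFC 7489 discovery (exact record first, then the organizational domain's record with sp= for subdomains).

```python
from typing import Optional, Tuple

# Added example, not SendGrid's or any ESP's code: before a customer may put a domain in
# From:, look up the domain's published DMARC policy and refuse domains whose policy would
# quarantine or reject mail the customer has not set up aligned SPF/DKIM for.
# DNS answers are constructed inline; .example names are stand-ins.

DMARC_TXT = {  # constructed stand-ins for TXT lookups at _dmarc.<domain>
    "_dmarc.bigbrand.example": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.smallbiz.example": "v=DMARC1; p=none",
}
PROMINENT = {"microsoft.com", "paypal.com", "amazon.com", "netflix.com"}  # brands named in the thread


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def published_policy(from_domain: str) -> Optional[str]:
    """Policy DMARC validators will apply to From: from_domain; None if no record exists."""
    record = DMARC_TXT.get(f"_dmarc.{from_domain}")
    subdomain = False
    if record is None and org_domain(from_domain) != from_domain:
        record = DMARC_TXT.get(f"_dmarc.{org_domain(from_domain)}")
        subdomain = True
    if record is None:
        return None
    # 'v=DMARC1; p=reject; sp=quarantine' -> {'v': 'DMARC1', 'p': 'reject', 'sp': 'quarantine'}
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    if subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


def may_send_as(from_domain: str, aligned_dkim: bool, aligned_spf: bool,
                strict: bool = False) -> Tuple[str, str]:
    """Decide whether the ESP should let a customer send From: from_domain.

    aligned_dkim / aligned_spf: the customer has delegated a DKIM key for the domain or
    included the ESP in the domain's SPF, so DMARC passes with alignment.
    strict=True requires alignment for every domain (the post's opening question);
    strict=False only refuses domains whose policy would quarantine/reject the mail
    (the post's "at the very least").
    Returns (decision, reason) with decision in {"allow", "deny", "review"}.
    """
    domain = from_domain.lower().rstrip(".")
    if org_domain(domain) in PROMINENT:
        return "review", "prominent brand: hold until manually reviewed"
    if aligned_dkim or aligned_spf:
        return "allow", "DMARC-aligned authentication configured"
    policy = published_policy(domain)
    if policy in ("quarantine", "reject"):
        return "deny", f"unaligned mail fails DMARC and the domain publishes {policy}"
    if strict:
        return "deny", "no aligned SPF/DKIM; explicit authorization required"
    return "allow", f"DMARC policy {policy or 'absent'}: unaligned mail is accepted downstream"


def gate_decisions() -> dict:
    """Run the gate over constructed onboarding requests; returns name -> decision."""
    cases = {
        "bigbrand, no auth": ("bigbrand.example", False, False, False),
        "news.bigbrand, no auth": ("news.bigbrand.example", False, False, False),
        "bigbrand, DKIM delegated": ("bigbrand.example", True, False, False),
        "smallbiz, no auth": ("smallbiz.example", False, False, False),
        "smallbiz, no auth, strict": ("smallbiz.example", False, False, True),
        "microsoft.com, DKIM claimed": ("microsoft.com", True, False, False),
        "no DMARC record, no auth": ("nodmarc.example", False, False, False),
    }
    return {name: may_send_as(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, decision in gate_decisions().items():
        print(f"{name:28s} -> {decision}")
```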


Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Len Shneyder via mailop
Yep, that's strange. It should kick off an autoresponder. I'll look into
that.

If you have fresh headers you can share with me I'd appreciate it.

Thank you very much!

-L


Len Shneyder
VP Industry Relations
EMAIL l...@twilio.com
TWITTER @LenShneyder 


On Wed, Jun 17, 2020 at 2:17 PM Tim Bray  wrote:

> On 17/06/2020 16:01, Len Shneyder via mailop wrote:
>
> Hi All,
>
> Appreciate the discussion. As was mentioned in another forum we are aware
> of the problem—the entire team is engaged in deploying a comprehensive fix
> that will prevent a wave like this in the future. Just to be perfectly
> clear, there is no leak of credentials as one post suggests. In the mean
> time if you want to send example/headers to ab...@sendgrid.com they are
> being reviewed, you can CC me too. We will play some whackamole as we look
> to implement a more thorough solution. Again, thank you all for your
> vigilance and feel free to ping me.
>
>
>
> Thanks for confirming the correct abuse address.   It doesn't auto reply
> or anything so was a bit worried I'm sending stuff and nobody checking.
>
> Fortunately some of the links are blocked by google safe browsing, which I
> guess limits the damage.
>
>
>
> --
> Tim Bray
> Huddersfield, gb...@kooky.org
>
>


Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Tim Bray via mailop

On 17/06/2020 16:01, Len Shneyder via mailop wrote:

> Hi All,
>
> Appreciate the discussion. As was mentioned in another forum we are 
> aware of the problem—the entire team is engaged in deploying a 
> comprehensive fix that will prevent a wave like this in the future. 
> Just to be perfectly clear, there is no leak of credentials as one 
> post suggests. In the mean time if you want to send example/headers to 
> ab...@sendgrid.com they are being 
> reviewed, you can CC me too. We will play some whackamole as we look 
> to implement a more thorough solution. Again, thank you all for your 
> vigilance and feel free to ping me.

Thanks for confirming the correct abuse address.   It doesn't auto reply 
or anything so was a bit worried I'm sending stuff and nobody checking.


Fortunately some of the links are blocked by google safe browsing, which 
I guess limits the damage.




--
Tim Bray
Huddersfield, GB
t...@kooky.org



Re: [mailop] SPF strict / DMARC interaction / "big" provider behavior...

2020-06-17 Thread Bill Cole via mailop

On 17 Jun 2020, at 15:15, vom513 via mailop wrote:

> My understanding for the longest time is that an SPF policy of 
> “-all” is a strong statement and should be honored as such.


A lot of people believed that a long time ago. However, those of us 
running systems that handle a substantial quantity of non-bulk B2B email 
quickly learned that Sturgeon's Law applies to the set of all email and 
DNS admins, and therefore "-all" defaults in SPF records are often an 
expression of ignorance rather than one of hostility to transparent 
forwarding or a description of reality.


This problem is part of why DMARC was developed. Very few people are 
adequately confident of their understanding of DMARC and of its 
reliability to make it the root cause of mail rejections that they do 
not intend.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)



Re: [mailop] SPF strict / DMARC interaction / "big" provider behavior...

2020-06-17 Thread John Levine via mailop
In article <2e5fef36-789f-61c2-41d6-dba139fc8...@heeg.de> you write:
>I'm pretty wary of SPF, especially since it just breaks mail forwarding which 
>some of our users like to do to
>consolidate all mail in one mailbox. I know they should not do this, ...

People have been forwarding mail about as long as there has been
electronic mail. The fact that SPF can't describe forwarded mail is a
failure of SPF, not of mail. One of the reasons that DMARC allows
either SPF or DKIM validation is that DKIM isn't affected by
forwarding (at least not by normal forwarding.)

What's really strange is that the guy who invented SPF ran pobox.com
which is a mail forwarding service.  I never understood what he was thinking.

-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] Cryptic Earthlink rejection message

2020-06-17 Thread Scott Undercofler via mailop
I'll reply off list. 

 

From: mailop  on behalf of Russell Clemings via 
mailop 
Reply-To: Russell Clemings 
Date: Wednesday, June 17, 2020 at 1:44 PM
To: mailop 
Subject: [mailop] Cryptic Earthlink rejection message

 

host mx03.oxsus-vadesecure.net [147.135.97.26]
SMTP error from remote mail server after end of data:
550 5.7.1 Message rejected - OXSUS0001_507 

 

Anyone know what this means? (Besides the obvious.) Googling "OXSUS0001_507" 
yields nothing. It's coming from mail sent to Earthlink.net and related 
domains: jps.net, mindspring.com, netcom.com so far. Just 

 

 



Re: [mailop] Cryptic Earthlink rejection message

2020-06-17 Thread Al Iverson via mailop
I am not familiar with the error message, but you might want to submit
your sending IP address here: https://abuse.vadesecure.com/ and see
whether that results in you getting any sort of useful reply.

Cheers,
Al Iverson

On Wed, Jun 17, 2020 at 2:40 PM Russell Clemings via mailop
 wrote:
>
> host mx03.oxsus-vadesecure.net [147.135.97.26]
> SMTP error from remote mail server after end of data:
> 550 5.7.1 Message rejected - OXSUS0001_507
>
> Anyone know what this means? (Besides the obvious.) Googling "OXSUS0001_507" 
> yields nothing. It's coming from mail sent to Earthlink.net and related 
> domains: jps.net, mindspring.com, netcom.com so far. Just
>
>



-- 
Al Iverson // Wombatmail // Chicago
Song a day! https://www.wombatmail.com
Deliverability! https://spamresource.com
And DNS Tools too! https://xnnd.com



Re: [mailop] SPF strict / DMARC interaction / "big" provider behavior...

2020-06-17 Thread Hans-Martin Mosner via mailop
Am 17.06.20 um 21:15 schrieb vom513 via mailop:
> I know the ultimate answer is “do what makes sense for me” - but I’d love 
> some feedback from folks here on what they consider best practice etc.  Also 
> please help me with my understanding of SPF / DMARC interactions (especially 
> with regard to what the big providers are doing) if I’m out of line.

I'm pretty wary of SPF, especially since it just breaks mail forwarding which 
some of our users like to do to consolidate all mail in one mailbox. I know they 
should not do this, but attempts at enlightening them are pretty futile, and I 
don't want them to point their fingers at us about missed e-mails.

At the moment, I do some DKIM checks (since that works mostly ok even in the 
presence of forwarding) and some very strict analysis of sender domains. A 
remarkable amount of spam is sent from domains which can be recognized as not 
trustworthy, for example because the domains are registered with anonymizing 
services and hosted at providers who don't give a f*ing f.

I may look at SPF (especially in combination with DMARC) at a later time to 
detect some more unwanted mail but currently most of the remaining spam (as far 
as I can see) is the stuff being sent via cracked regular mail accounts. Body 
filtering is basically the only thing that helps against that (and of course, 
blocking mails from notoriously insecure providers from which legit mail is very 
unlikely.)

Cheers,
Hans-Martin





[mailop] Cryptic Earthlink rejection message

2020-06-17 Thread Russell Clemings via mailop
host mx03.oxsus-vadesecure.net [147.135.97.26]
SMTP error from remote mail server after end of data:
550 5.7.1 Message rejected - OXSUS0001_507

Anyone know what this means? (Besides the obvious.) Googling
"OXSUS0001_507" yields nothing. It's coming from mail sent to Earthlink.net
and related domains: jps.net, mindspring.com, netcom.com so far. Just


Re: [mailop] SPF strict / DMARC interaction / "big" provider behavior...

2020-06-17 Thread John Levine via mailop
In article <3e229a32-88db-4fdb-b67a-c68d0b65e...@gmail.com> you write:
>SPF.  Insofar as I reject at the “front door” (SMTP connection) if SPF fails 
>(example is a domain using
>“-all”).  I would imagine this is pretty vanilla so far compared to other 
>folks.

To be blunt, it is among hobby mail servers. It isn't among people who
actually want to provide mail service.

For most of us, the only time we take "-all" seriously is if it's the
only thing in the SPF record, to state that a domain sends no mail at
all.  Other than that, treat it the same as ~all or ?all because as
you have found a lot of people publish -all because it's "more secure"
but have no clue what they're doing.

R's,
John



[mailop] SPF strict / DMARC interaction / "big" provider behavior...

2020-06-17 Thread vom513 via mailop
Hello all,

Apologies in advance if this is off-topic for this list.  I hope it doesn’t 
stir too much of a hornet nest :)

I run my own personal mail server, Linux, usual open source bits…  One of my 
many layers/checks for inbound is SPF.  Insofar as I reject at the “front door” 
(SMTP connection) if SPF fails (example is a domain using “-all”).  I would 
imagine this is pretty vanilla so far compared to other folks.

One of my kids got a part time job, and part of their onboarding HR stuff came 
to their address on my server.  It was rejected.  The sending domain has a 
“-all” and this message was from an outsourced HR “partner” that apparently was 
sending from a machine not in the SPF record anywhere…

When they asked them to send to their @gmail.com - it came right through (but 
details did show SPF fail).  I should also note the from domain has a DMARC 
policy of none.

I’ve tested this a little bit, sending to my gmail / yahoo accounts.  It seems 
like the behavior I see from some of the big guys (gmail and yahoo for this 
purpose) is:

strict SPF (-all) + DMARC none       == accept
strict SPF (-all) + no DMARC record  == accept
strict SPF (-all) + DMARC reject     == reject

I managed to pretty much replicate this behavior on my server by having my SPF 
check just add the header (but not reject).  I then let OpenDMARC do its thing 
(its thing being reject if need be).

However this doesn’t sit well with me.  I’ve put my policy back to dropping SPF 
hard fails at the front door.  I think the case above that bothers me the most 
is the “strict SPF (-all) + no DMARC record == accept” one.  I was very 
surprised these got through.

In fairness, the test messages I sent above pretty much all went to the 
providers “SPAM” folder.  But I’m still bothered that they are accepting hard 
SPF fails.  My understanding for the longest time is that an SPF policy of 
“-all” is a strong statement and should be honored as such.  If the sending org 
can’t keep their servers and message sources straight and up to date - that’s 
their problem (well my problem too ultimately because I’m going to reject their 
mails from unauthorized sources).  Taking this a step further, I feel like if 
the “big guys” accept these messages anyway, they have set a (bad) precedent 
and said in a manner of speaking “what's the point of having SPF, we will accept 
it anyway…”.

I know the ultimate answer is “do what makes sense for me” - but I’d love some 
feedback from folks here on what they consider best practice etc.  Also please 
help me with my understanding of SPF / DMARC interactions (especially with 
regard to what the big providers are doing) if I’m out of line.

Thanks.


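As an added illustration (not code from any poster's server), here is the receiver-side disposition logic the thread converges on: the gmail/yahoo matrix observed above, John Levine's rule in this thread that "-all" is only honored literally when "v=spf1 -all" is the whole record, and relaxed DMARC alignment. DNS records are supplied inline and are constructed, except the state.gov p=reject that Carl Byington quotes; the .example domains are stand-ins.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not code from any poster's mail server. It implements the receiver-side
# disposition this thread describes: (a) the gmail/yahoo behaviour observed above for an
# SPF "-all" hard fail with p=none or no DMARC record, (b) John Levine's rule that "-all"
# is only honored literally when the whole record is "v=spf1 -all", and (c) relaxed DMARC
# alignment. DNS records are given inline; all are constructed except the state.gov
# p=reject quoted by Carl Byington.


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC TXT record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment, simplified to the last two labels
    (a real validator consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def spf_declares_no_mail(spf_record: Optional[str]) -> bool:
    """True only for the record that says the domain sends no mail at all."""
    return spf_record is not None and " ".join(spf_record.lower().split()) == "v=spf1 -all"


@dataclass
class Message:
    from_domain: str              # domain of the RFC 5322 From: header
    spf_result: str               # "pass", "fail", "softfail" or "none" for MAIL FROM
    spf_domain: str               # the MAIL FROM (envelope) domain that was checked
    dkim_pass_domains: list = field(default_factory=list)  # d= of verified signatures


def disposition(msg: Message, spf_record: Optional[str], dmarc_record: Optional[str]) -> str:
    """'accept', 'quarantine' or 'reject'. spf_record is the TXT record of msg.spf_domain,
    dmarc_record the TXT record at _dmarc.<From domain> (None when absent)."""
    # (b) a domain whose entire SPF record is "v=spf1 -all" sends no mail: reject outright.
    if msg.spf_result == "fail" and spf_declares_no_mail(spf_record):
        return "reject"
    # (c) relaxed alignment: an authenticated identifier shares the From org domain.
    from_org = org_domain(msg.from_domain)
    spf_aligned = msg.spf_result == "pass" and org_domain(msg.spf_domain) == from_org
    dkim_aligned = any(org_domain(d) == from_org for d in msg.dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return "accept"  # DMARC pass
    policy = parse_tags(dmarc_record).get("p", "none") if dmarc_record else None
    if policy in ("reject", "quarantine"):
        return policy  # the domain owner asked for this outcome
    # (a) p=none or no record: an SPF "-all" failure alone is treated like "~all",
    # the accept-but-maybe-spam-folder behaviour vom513 saw at gmail and yahoo.
    return "accept"


# Scenarios drawn from the thread; .example domains and SPF records are constructed.
HR_SPF = "v=spf1 ip4:192.0.2.0/24 -all"   # the outsourced HR partner's host is not listed
HR_MSG = Message("hr-partner.example", "fail", "hr-partner.example")

SCENARIOS = {
    "strict SPF + DMARC none": (HR_MSG, HR_SPF, "v=DMARC1; p=none"),
    "strict SPF + no DMARC record": (HR_MSG, HR_SPF, None),
    "strict SPF + DMARC reject": (HR_MSG, HR_SPF, "v=DMARC1; p=reject"),
    # state.gov mail via Mailchimp, signed only with d=mailchimpapp.net (Carl Byington)
    "state.gov via Mailchimp": (
        Message("state.gov", "pass", "bounce.mcsv.example", ["mailchimpapp.net"]),
        "v=spf1 ip4:198.51.100.0/24 -all", "v=DMARC1; p=reject"),
    # From: microsoft.com injected at sendgrid.net (Robert L Mathews' headers);
    # the DMARC record here is constructed, not a live lookup
    "microsoft.com via SendGrid": (
        Message("microsoft.com", "pass", "em.sendgrid.example", ["sendgrid.net"]),
        "v=spf1 ip4:203.0.113.0/24 -all", "v=DMARC1; p=reject"),
    # a domain that says it sends no mail at all (John Levine's one literal "-all")
    "no-mail domain, SPF fail": (
        Message("parked.example", "fail", "parked.example"), "v=spf1 -all", None),
}


def evaluate_all() -> dict:
    """Returns scenario name -> disposition."""
    return {name: disposition(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:30s} -> {result}")
```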


Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Robert L Mathews via mailop
On 6/17/20 10:22 AM, Carl Byington via mailop wrote:

> In the last 24 hours:

Yeah, I see phishing attempts that we rejected for DMARC failures like:

 Received: from microsoft.com (unknown)
  by ismtpd0004p1lon1.sendgrid.net (SG) with ESMTP id PP-Z30gTRGS8qMv1NXRDhA
  for ; Tue, 16 Jun 2020 06:55:20.140 + (UTC)
 From: 
 Date: Tue, 16 Jun 2020 06:55:20 + (UTC)
 Subject: Service Update  : info,

I mean, come on.

Several months ago I suggested (among other things) that SendGrid block
"From" headers matching prominent domain names until the messages have
been manually reviewed. The fact that "don't let random customers send
mail saying it's from @microsoft.com" hasn't been implemented in that
time frame is disappointing.

-- 
Robert L Mathews, Tiger Technologies



Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Carl Byington via mailop

On Wed, 2020-06-17 at 08:55 -0500, Michael Rathbun via mailop wrote:
> Pointing out to users reporting these that blocking Sendgrid entirely
> (the temptation arises) would take out the SG traffic that is highly
> desired (at least 70%).

Two months ago we started treating mail arriving with a DKIM signature
from sendgrid.net as a moderated mailing list, with a few exceptions for
known senders. The resulting mail volume is low enough, combined with
the high value phishing targets, that we can do manual moderation. In
the last 24 hours:

2 recipients Failure Account Verification Message***Secure Immediately**
4 recipients Remove Your Criminal Convictions
1 recipient  Up To $2,000,000 In Capital
4 recipients Immediate Email Update
4 recipients Account Verification
1 recipient  Important Email Verification
1 recipient  Important Security Notice




Re: [mailop] [NOTICE] Significant Uptick in Traffic from a Japanese Network

2020-06-17 Thread Michael Peddemors via mailop
Possibly .. (massive breach) and for the record, an uptick from other 
Japanese providers as well..


On 2020-06-17 7:51 a.m., Steve Freegard via mailop wrote:
> I've just checked our traps and we also saw a big spike in traffic from 
> this range but has been tapering off throughout the day.
>
> Based on all the samples that I've looked at, they're all showing 
> authenticated SMTP along with some other tell-tale signs, so maybe 
> they've had a massive breach of their authentication database? Lots of 
> stuff passing SPF on domains that are not new etc.
>
> Looking back over the last month, we've always seen low amounts of 
> traffic from this range, but never in these volumes, so I don't think 
> there's been port 25 blocking on them.   They all have Dr. Web 
> signatures in the headers stating that they're spam though
>
> Kind regards,
> Steve.
>
> --
> Steve Freegard
> Senior Product Owner
> Abusix Intelligence
>
> On 17/06/2020 15:28, Michael Peddemors via mailop wrote:
>> A significant activity alert was detected over night.
>>
>> IDC Frontier Inc. 164.46.0.0 - 164.46.255.255
>>
>> It appears that maybe someone removed port 25 blocking on egress?
>> Or changed some filtering mechanism?
>>
>> Any comments?
>>
>> Return-Path: 
>> Received: (qmail 12711 invoked from network); 17 Jun 2020 13:21:44 -
>> Received: from rose-cat-dbc8debf20c95d71.znlc.jp (HELO 
>> rose-cat-dbc8debf20c95d71.znlc.jp) (164.46.42.85)
>> Received: from [127.0.0.1] (unknown [91.221.136.41])
>>     by rose-cat-dbc8debf20c95d71.znlc.jp (Postfix) with ESMTPSA id 5EE757946D;
>>     Wed, 17 Jun 2020 21:41:39 +0900 (JST)
>> MIME-Version: 1.0
>> To: 
>> Cc: <5 ADDRESSES REDACTED>
>> From: nishih...@nsag.jp
>> Subject: [SPAM] Confiscated pets were often bought back
>> Date: Wed, 17 Jun 2020 08:41:41 -0400
>> Importance: normal
>> X-Priority: 3
>> Content-Type: multipart/alternative;
>>  boundary="_CF470615-86E4-6252-1D23-048F92C770EF_"
>> Message-ID: 
>> X-AntiVirus: Checked by Dr.Web [MailD version: 11.1]
>> X-DrWeb-SpamReason: 
>> X-DrWeb-SpamScore: 300
>> X-DrWeb-SpamState: yes



Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Alan Hodgson via mailop
On Wed, 2020-06-17 at 08:55 -0500, Michael Rathbun via mailop wrote:
> On Wed, 17 Jun 2020 14:00:35 +0100, Tim Bray via mailop wrote:
> > Anybody else seeing increased phishing through sendgrid?  They look fairly
> > convincing.
> 
> General spam (several per week) and phishing, especially some very nicely
> done "Reconfirm you Netflix payment method" at several per day.
> Pointing out to users reporting these that blocking Sendgrid entirely
> (the temptation arises) would take out the SG traffic that is highly desired
> (at least 70%).

Yeah. Tempting though. I got a dozen phishes literally From: 
supp...@amazon.com from them a few weeks ago.

Just zero attempt to authenticate senders it seems.


[mailop] SendGrid and Phishing

2020-06-17 Thread Len Shneyder via mailop
Hi All,

Appreciate the discussion. As was mentioned in another forum we are aware
of the problem—the entire team is engaged in deploying a comprehensive fix
that will prevent a wave like this in the future. Just to be perfectly
clear, there is no leak of credentials as one post suggests. In the mean
time if you want to send example/headers to ab...@sendgrid.com they are
being reviewed, you can CC me too. We will play some whackamole as we look
to implement a more thorough solution. Again, thank you all for your
vigilance and feel free to ping me.

All best,
-L

--

Message: 1
Date: Wed, 17 Jun 2020 14:00:35 +0100
From: Tim Bray 
To: mailop 
Subject: [mailop] Sendgrid and phishing
Message-ID: <1f6aca35-94ef-70a0-bd75-49a5d632d...@kooky.org>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi,

Anybody else seeing increased phishing through sendgrid?  They look
fairly convincing.

A few paypals, and a few amazons.

I thought sendgrid were ok?  Has somebody leaked a big pile of
sendgrid usernames and passwords or something?


--
Tim Bray
Huddersfield, GB
t...@kooky.org




--

Message: 2
Date: Wed, 17 Jun 2020 13:26:52 +
From: Faisal Misle 
To: mailop 
Subject: Re: [mailop] Sendgrid and phishing
Message-ID:



Content-Type: text/plain; charset="utf-8"

I’ve been seeing it too... Mailgun, PayPal, etc

A SG rep replied to a SDLU thread yesterday about the same issue

“We are working to get a handle on this on a few fronts. These senders in
this thread have been banned. I don't have insight into the compliance
side, but it is being worked on."

Best,
Faisal

PGP Key: [C8FD029B](https://pgp.faisal.ec/)

On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop 
wrote:

> Hi,
>
> Anybody else seeing increased phishing through sendgrid? They look
> fairly convincing.
>
> A few paypals, and a few amazons.
>
> I thought sendgrid were ok? Has somebody leaked a big pile of
> sendgrid usernames and passwords or something?
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

--

Message: 3
Date: Wed, 17 Jun 2020 15:42:21 +0200
From: Olivier Depuydt 
To: Faisal Misle 
Cc: mailop 
Subject: Re: [mailop] Sendgrid and phishing
Message-ID:

Content-Type: text/plain; charset="utf-8"

Hello.

I received the phishing email from the fake Paypal Support, from Sendgrid's
platform on May the 29th, on a personal email address.
I have forwarded it to Paypal's phishing support on June the 1st.
So, this issue has been going on for weeks if you still see emails like that.

Best regards,

Olivier
Deliverability Engineer at Cheetah Digital

On Wed, 17 Jun 2020 at 15:32, Faisal Misle via mailop wrote:

> I’ve been seeing it too... Mailgun, PayPal, etc
>
> A SG rep replied to a SDLU thread yesterday about the same issue
>
> “We are working to get a handle on this on a few fronts. These senders in
> this thread have been banned. I don't have insight into the compliance
> side, but it is being worked on."
>
> Best,
> Faisal
>
> PGP Key: C8FD029B <https://pgp.faisal.ec/>
>
>
> On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop 
> wrote:
>
> Hi,
>
> Anybody else seeing increased phishing through sendgrid?  They look
> fairly convincing.
>
> A few paypals, and a few amazons.
>
> I thought sendgrid were ok? Has somebody leaked a big pile of
> sendgrid usernames and passwords or something?
>
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org
>
>

Re: [mailop] [NOTICE] Significant Uptick in Traffic from a Japanese Network

2020-06-17 Thread Steve Freegard via mailop
I've just checked our traps and we also saw a big spike in traffic from
this range, but it has been tapering off throughout the day.


Based on all the samples that I've looked at, they're all showing 
authenticated SMTP along with some other tell-tale signs, so maybe 
they've had a massive breach of their authentication database? Lots of 
stuff passing SPF on domains that are not new etc.


Looking back over the last month, we've always seen low amounts of
traffic from this range, but never in these volumes, so I don't think
there's been port 25 blocking on them. They all have Dr. Web
signatures in the headers stating that they're spam though.


Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence


On 17/06/2020 15:28, Michael Peddemors via mailop wrote:

A significant activity alert was detected over night.

IDC Frontier Inc. 164.46.0.0 - 164.46.255.255

It appears that maybe someone removed port 25 blocking on egress?
Or changed some filtering mechanism?

Any comments?

Return-Path: 
Received: (qmail 12711 invoked from network); 17 Jun 2020 13:21:44 -
Received: from rose-cat-dbc8debf20c95d71.znlc.jp (HELO 
rose-cat-dbc8debf20c95d71.znlc.jp) (164.46.42.85)

Received: from [127.0.0.1] (unknown [91.221.136.41])
    by rose-cat-dbc8debf20c95d71.znlc.jp (Postfix) with ESMTPSA id 
5EE757946D;

    Wed, 17 Jun 2020 21:41:39 +0900 (JST)
MIME-Version: 1.0
To: 
Cc: <5 ADDRESSES REDACTED>
From: nishih...@nsag.jp
Subject: [SPAM] Confiscated pets were often bought back
Date: Wed, 17 Jun 2020 08:41:41 -0400
Importance: normal
X-Priority: 3
Content-Type: multipart/alternative;
 boundary="_CF470615-86E4-6252-1D23-048F92C770EF_"
Message-ID: 
X-AntiVirus: Checked by Dr.Web [MailD version: 11.1]
X-DrWeb-SpamReason: 
gggruggvucftvghtrhhoucdtuddrgeduhedrudejuddgudduvdcutefuodetggdotefrucfrrhhofhhilhgvmecufffthgfgueenuceurghilhhouhhtmecufedttdenucetughnkfguqdfovggushdqufetqddtudculdeftddtmdenucfjughrpeggvffhufffkgfrtgfksegrtderredttdenucfhrhhomhepnhhishhhihhhrghrrgesnhhsrghgrdhjph

X-DrWeb-SpamScore: 300
X-DrWeb-SpamState: yes


164.46.32.233  13  white-zebra-56a888f1951dc192.znlc.jp
164.46.33.95    1  blue-wolf-310c1f34e583c5e2.znlc.jp
164.46.33.182   3  zebra-blue-c7f73f7001f353c5.znlc.jp
164.46.33.209   1  sheep-white-d03040f6330f1986.znlc.jp
164.46.34.160   9  apricot-tiger-ef00d82025808ee0.znlc.jp
164.46.34.200   2  sheep-scarlet-343451edc87acbd7.znlc.jp
164.46.35.13    1  yellow-koala-cfd23d2fec4c8061.znlc.jp
164.46.35.38    9  scarlet-koala-452c0ddeab4cde12.znlc.jp
164.46.35.204  12  green-bear-7148ee712672665a.znlc.jp
164.46.42.85   15  rose-cat-dbc8debf20c95d71.znlc.jp
164.46.43.115   7  elephant-orange-8769238751ce63f7.znlc.jp
164.46.45.101  13  ivory-zebra-409f9b960cb1d313.znlc.jp
164.46.46.72    1  tiger-scarlet-0180ad76ab056691.znlc.jp
164.46.46.196   3  deer-green-18bc5b651b1dad10.znlc.jp
164.46.46.243   1  deer-red-da3124e99a81aecb.znlc.jp
164.46.47.172   7  koala-rose-ff60c16e7c028500.znlc.jp
164.46.49.104   2  green-elephant-4b7a10399bc889ef.znlc.jp
164.46.50.39    2  green-dog-ae7b45201ebbcd11.znlc.jp
164.46.52.123   2  ivory-elephant-4d6d0c5d359e5662.znlc.jp
164.46.53.45    7  rose-sheep-acd6ad1771e7b1b0.znlc.jp
164.46.54.44    3  yellow-tiger-891fc59f7635c238.znlc.jp
164.46.55.218   4  ivory-dog-d98550534ab80a2e.znlc.jp
164.46.56.27    2  rose-goat-de8b3426c807ba0f.znlc.jp
164.46.56.179   1  orange-panda-2890dabde3fa538b.znlc.jp
164.46.57.213   3  yellow-cat-c710bd4f90792994.znlc.jp
164.46.57.231   9  scarlet-rabbit-63d7047fdb3bba28.znlc.jp
164.46.58.94    9  goat-ivory-cd576fb07fb35d47.znlc.jp
164.46.59.32    2  green-cat-5f5d40a8acf4c8bd.znlc.jp
164.46.59.200  10  ivory-wolf-c07cdc7cd700daad.znlc.jp
164.46.59.217  11  sheep-orange-2f225b39d818a816.znlc.jp
164.46.60.69    1  camel-scarlet-b67f247d60a127ca.znlc.jp
164.46.60.148   1  rose-wolf-5100c5ab6e5414f1.znlc.jp
164.46.60.214   2  zebra-blue-f64889d1802e54c8.znlc.jp
164.46.60.228   1  rose-horse-00885ded827f47e5.znlc.jp
164.46.61.117  10  giraffe-rose-48f7a4e4ab9123cc.znlc.jp
164.46.61.164   1  blue-dog-fa049ffe1535daa5.znlc.jp
164.46.62.101   8  apricot-wolf-916b45a2b7e97957.znlc.jp
164.46.62.106   1  dog-rose-a44ab3c34a525ceb.znlc.jp
164.46.63.56    2  apricot-koala-af12e69b2c41d01d.znlc.jp
164.46.64.108   2  camel-or
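One way to turn the observations in this thread into a repeatable triage check, as an added Python example that is not code from any poster here: it parses a message constructed from the headers quoted above, records each signal worth a second look (an authenticated ESMTPSA session whose client IP lies outside the relay operator's own range, a HELO that claims the loopback address, the Dr.Web verdict headers), and sums the counts of the per-host listing per /24 so the busiest parts of the range stand out. The sample message, the placeholder sender address, the truncated listing and the choice of 164.46.0.0/16 as the relay operator's "expected" network are all constructed or assumed for this example; reading the loopback HELO as a tell-tale sign is my own addition, not something the post states.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Constructed sample built from the headers quoted in the thread above.
# The redacted addresses are replaced with a placeholder; the body is a stub.
SAMPLE = """\
Received: from rose-cat-dbc8debf20c95d71.znlc.jp
    (HELO rose-cat-dbc8debf20c95d71.znlc.jp) (164.46.42.85)
Received: from [127.0.0.1] (unknown [91.221.136.41])
    by rose-cat-dbc8debf20c95d71.znlc.jp (Postfix) with ESMTPSA id 5EE757946D;
    Wed, 17 Jun 2020 21:41:39 +0900 (JST)
From: sender@example.invalid
Subject: [SPAM] Confiscated pets were often bought back
X-AntiVirus: Checked by Dr.Web [MailD version: 11.1]
X-DrWeb-SpamScore: 300
X-DrWeb-SpamState: yes

(body omitted)
"""

# First lines of the per-host listing from the post, as "ip count hostname".
LISTING = """\
164.46.32.233 13 white-zebra-56a888f1951dc192.znlc.jp
164.46.33.95   1 blue-wolf-310c1f34e583c5e2.znlc.jp
164.46.33.182  3 zebra-blue-c7f73f7001f353c5.znlc.jp
164.46.33.209  1 sheep-white-d03040f6330f1986.znlc.jp
164.46.34.160  9 apricot-tiger-ef00d82025808ee0.znlc.jp
164.46.34.200  2 sheep-scarlet-343451edc87acbd7.znlc.jp
164.46.35.13   1 yellow-koala-cfd23d2fec4c8061.znlc.jp
164.46.35.38   9 scarlet-koala-452c0ddeab4cde12.znlc.jp
164.46.35.204 12 green-bear-7148ee712672665a.znlc.jp
164.46.42.85  15 rose-cat-dbc8debf20c95d71.znlc.jp
"""

# Assumption: the relay operator's own range, taken from the post. An
# authenticated session whose client sits outside it is recorded as a signal.
RELAY_NETS = [ipaddress.ip_network("164.46.0.0/16")]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
POSTFIX_ORIGIN = re.compile(r"\([^()\[\]]*\[" + IPV4 + r"\]\)")  # "(rdns [ip])"
QMAIL_ORIGIN = re.compile(r"\(" + IPV4 + r"\)")                 # "(ip)"
HELO_NAME = re.compile(r"^from\s+(\S+)")
BY_HOST = re.compile(r"\bby\s+(\S+)")
WITH_PROTO = re.compile(r"\bwith\s+(\S+)")
AUTHENTICATED = {"ESMTPA", "ESMTPSA"}  # RFC 3848 keywords for authenticated sessions
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def received_hops(raw):
    """Received header values, most recent first, with header folding collapsed."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]


def signals(raw, relay_nets):
    """Collect (tag, detail) triage signals from one message; no verdict is made here."""
    found = []
    for hop in received_hops(raw):
        helo = HELO_NAME.match(hop)
        by = BY_HOST.search(hop)
        proto = WITH_PROTO.search(hop)
        origin = POSTFIX_ORIGIN.search(hop) or QMAIL_ORIGIN.search(hop)
        relay = by.group(1) if by else "?"
        # The client introduced itself as the relay's own loopback address.
        if helo and helo.group(1).strip("[]").lower() in LOOPBACK:
            found.append(("helo-loopback", f"{relay} accepted HELO {helo.group(1)}"))
        # Authenticated submission from a client outside the operator's range.
        if origin and proto and proto.group(1).upper() in AUTHENTICATED:
            ip = ipaddress.ip_address(origin.group(1))
            if ip.is_global and not any(ip in net for net in relay_nets):
                found.append(("auth-external", f"{proto.group(1)} via {relay} from {ip}"))
    msg = message_from_string(raw)
    if (msg.get("X-DrWeb-SpamState") or "").strip().lower() == "yes":
        found.append(("drweb-spam", f"score {(msg.get('X-DrWeb-SpamScore') or '?').strip()}"))
    return found


def per_prefix(listing, prefix=24):
    """Sum the per-host counts of an 'ip count hostname' listing per /prefix."""
    totals = Counter()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        net = ipaddress.ip_network(f"{parts[0]}/{prefix}", strict=False)
        totals[str(net)] += int(parts[1])
    return totals


if __name__ == "__main__":
    for tag, detail in signals(SAMPLE, RELAY_NETS):
        print(f"{tag:15} {detail}")
    for net, count in sorted(per_prefix(LISTING).items()):
        print(f"{net:20} {count}")
```

The signals are deliberately kept separate from any blocking decision: an authenticated session from a roaming client is normal on its own, which is why the relay's range is a parameter, and the /24 totals are there to show where in the range the volume sits before anyone considers a broader listing.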

[mailop] [NOTICE] Significant Uptick in Traffic from a Japanese Network

2020-06-17 Thread Michael Peddemors via mailop

A significant activity alert was detected over night.

IDC Frontier Inc. 164.46.0.0 - 164.46.255.255

It appears that maybe someone removed port 25 blocking on egress?
Or changed some filtering mechanism?

Any comments?

Return-Path: 
Received: (qmail 12711 invoked from network); 17 Jun 2020 13:21:44 -
Received: from rose-cat-dbc8debf20c95d71.znlc.jp (HELO 
rose-cat-dbc8debf20c95d71.znlc.jp) (164.46.42.85)

Received: from [127.0.0.1] (unknown [91.221.136.41])
by rose-cat-dbc8debf20c95d71.znlc.jp (Postfix) with ESMTPSA id 
5EE757946D;

Wed, 17 Jun 2020 21:41:39 +0900 (JST)
MIME-Version: 1.0
To: 
Cc: <5 ADDRESSES REDACTED>
From: nishih...@nsag.jp
Subject: [SPAM] Confiscated pets were often bought back
Date: Wed, 17 Jun 2020 08:41:41 -0400
Importance: normal
X-Priority: 3
Content-Type: multipart/alternative;
 boundary="_CF470615-86E4-6252-1D23-048F92C770EF_"
Message-ID: 
X-AntiVirus: Checked by Dr.Web [MailD version: 11.1]
X-DrWeb-SpamReason: 
gggruggvucftvghtrhhoucdtuddrgeduhedrudejuddgudduvdcutefuodetggdotefrucfrrhhofhhilhgvmecufffthgfgueenuceurghilhhouhhtmecufedttdenucetughnkfguqdfovggushdqufetqddtudculdeftddtmdenucfjughrpeggvffhufffkgfrtgfksegrtderredttdenucfhrhhomhepnhhishhhihhhrghrrgesnhhsrghgrdhjph

X-DrWeb-SpamScore: 300
X-DrWeb-SpamState: yes


164.46.32.233  13  white-zebra-56a888f1951dc192.znlc.jp
164.46.33.95    1  blue-wolf-310c1f34e583c5e2.znlc.jp
164.46.33.182   3  zebra-blue-c7f73f7001f353c5.znlc.jp
164.46.33.209   1  sheep-white-d03040f6330f1986.znlc.jp
164.46.34.160   9  apricot-tiger-ef00d82025808ee0.znlc.jp
164.46.34.200   2  sheep-scarlet-343451edc87acbd7.znlc.jp
164.46.35.13    1  yellow-koala-cfd23d2fec4c8061.znlc.jp
164.46.35.38    9  scarlet-koala-452c0ddeab4cde12.znlc.jp
164.46.35.204  12  green-bear-7148ee712672665a.znlc.jp
164.46.42.85   15  rose-cat-dbc8debf20c95d71.znlc.jp
164.46.43.115   7  elephant-orange-8769238751ce63f7.znlc.jp
164.46.45.101  13  ivory-zebra-409f9b960cb1d313.znlc.jp
164.46.46.72    1  tiger-scarlet-0180ad76ab056691.znlc.jp
164.46.46.196   3  deer-green-18bc5b651b1dad10.znlc.jp
164.46.46.243   1  deer-red-da3124e99a81aecb.znlc.jp
164.46.47.172   7  koala-rose-ff60c16e7c028500.znlc.jp
164.46.49.104   2  green-elephant-4b7a10399bc889ef.znlc.jp
164.46.50.39    2  green-dog-ae7b45201ebbcd11.znlc.jp
164.46.52.123   2  ivory-elephant-4d6d0c5d359e5662.znlc.jp
164.46.53.45    7  rose-sheep-acd6ad1771e7b1b0.znlc.jp
164.46.54.44    3  yellow-tiger-891fc59f7635c238.znlc.jp
164.46.55.218   4  ivory-dog-d98550534ab80a2e.znlc.jp
164.46.56.27    2  rose-goat-de8b3426c807ba0f.znlc.jp
164.46.56.179   1  orange-panda-2890dabde3fa538b.znlc.jp
164.46.57.213   3  yellow-cat-c710bd4f90792994.znlc.jp
164.46.57.231   9  scarlet-rabbit-63d7047fdb3bba28.znlc.jp
164.46.58.94    9  goat-ivory-cd576fb07fb35d47.znlc.jp
164.46.59.32    2  green-cat-5f5d40a8acf4c8bd.znlc.jp
164.46.59.200  10  ivory-wolf-c07cdc7cd700daad.znlc.jp
164.46.59.217  11  sheep-orange-2f225b39d818a816.znlc.jp
164.46.60.69    1  camel-scarlet-b67f247d60a127ca.znlc.jp
164.46.60.148   1  rose-wolf-5100c5ab6e5414f1.znlc.jp
164.46.60.214   2  zebra-blue-f64889d1802e54c8.znlc.jp
164.46.60.228   1  rose-horse-00885ded827f47e5.znlc.jp
164.46.61.117  10  giraffe-rose-48f7a4e4ab9123cc.znlc.jp
164.46.61.164   1  blue-dog-fa049ffe1535daa5.znlc.jp
164.46.62.101   8  apricot-wolf-916b45a2b7e97957.znlc.jp
164.46.62.106   1  dog-rose-a44ab3c34a525ceb.znlc.jp
164.46.63.56    2  apricot-koala-af12e69b2c41d01d.znlc.jp
164.46.64.108   2  camel-orange-0a05e4b506d9a00c.znlc.jp
164.46.64.200   1  green-bear-bc06e66521246c06.znlc.jp
164.46.66.119   2  leopard-apricot-a7712c8884d716d2.znlc.jp
164.46.68.227   2  panda-blue-6e480e796aa215e4.znlc.jp
164.46.69.76    5  white-deer-d47a98d38c544778.znlc.jp
164.46.73.42    8  panda-rose-7d0afe00853a983a.znlc.jp
164.46.73.191   3  apricot-wolf-afac3421b85a403f.znlc.jp
164.46.75.247   6  wolf-rose-982dd35ee8dabfd2.znlc.jp
164.46.76.7     2  elephant-white-64bd468829dfda35.znlc.jp
164.46.78.117   4  scarlet-bear-9f3917493c6175cb.znlc.jp
164.46.89.20

Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Michael Rathbun via mailop
On Wed, 17 Jun 2020 14:00:35 +0100, Tim Bray via mailop 
wrote:

>Anybody else seeing increase phishing through sendgrid?  They look 
>fairly convincing.

General spam (several per week) and phishing, especially some very nicely done
"Reconfirm you Netflix payment method" at several per day.

Pointing out to users reporting these that blocking Sendgrid entirely (the
temptation arises) would take out the SG traffic that is highly desired (at
least 70%).

mdr
-- 
   "There will be more spam."
  -- Paul Vixie


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Michael Peddemors via mailop
Going on two months since first reported, and last weekend saw really
high counts of new SendGrid IP(s) sending obvious phishing.




On 2020-06-17 6:26 a.m., Faisal Misle via mailop wrote:

I’ve been seeing it too... Mailgun, PayPal, etc

A SG rep replied to a SDLU thread yesterday about the same issue

“We are working to get a handle on this on a few fronts. These senders in
this thread have been banned. I don't have insight into the compliance
side, but it is being worked on."

Best,
Faisal

PGP Key: C8FD029B 


On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop wrote:

Hi,

Anybody else seeing increased phishing through sendgrid?  They look
fairly convincing.

A few paypals, and a few amazons.

I thought sendgrid were ok? Has somebody leaked a big pile of
sendgrid usernames and passwords or something?


--
Tim Bray
Huddersfield, GB
t...@kooky.org











--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada




Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Olivier Depuydt via mailop
Hello.

I received the phishing email from the fake Paypal Support, from Sendgrid's
platform on May the 29th, on a personal email address.
I have forwarded it to Paypal's phishing support on June the 1st.
So, this issue has been going on for weeks if you still see emails like that.

Best regards,

Olivier
Deliverability Engineer at Cheetah Digital

On Wed, 17 Jun 2020 at 15:32, Faisal Misle via mailop wrote:

> I’ve been seeing it too... Mailgun, PayPal, etc
>
> A SG rep replied to a SDLU thread yesterday about the same issue
>
> “We are working to get a handle on this on a few fronts. These senders in
> this thread have been banned. I don't have insight into the compliance
> side, but it is being worked on."
>
> Best,
> Faisal
>
> PGP Key: C8FD029B 
>
>
> On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop 
> wrote:
>
> Hi,
>
> Anybody else seeing increased phishing through sendgrid?  They look
> fairly convincing.
>
> A few paypals, and a few amazons.
>
> I thought sendgrid were ok? Has somebody leaked a big pile of
> sendgrid usernames and passwords or something?
>
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org
>
>
>


-- 

Olivier Depuydt

Site Reliability Engineer


Web | Blog | LinkedIn | Twitter | Facebook



Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Faisal Misle via mailop
I’ve been seeing it too... Mailgun, PayPal, etc

A SG rep replied to a SDLU thread yesterday about the same issue

“We are working to get a handle on this on a few fronts. These senders in
this thread have been banned. I don't have insight into the compliance
side, but it is being worked on."

Best,
Faisal

PGP Key: [C8FD029B](https://pgp.faisal.ec/)

On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop  wrote:

> Hi,
>
> Anybody else seeing increased phishing through sendgrid? They look
> fairly convincing.
>
> A few paypals, and a few amazons.
>
> I thought sendgrid were ok? Has somebody leaked a big pile of
> sendgrid usernames and passwords or something?
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org
>


[mailop] Sendgrid and phishing

2020-06-17 Thread Tim Bray via mailop

Hi,

Anybody else seeing increased phishing through sendgrid?  They look
fairly convincing.

A few paypals, and a few amazons.

I thought sendgrid were ok? Has somebody leaked a big pile of
sendgrid usernames and passwords or something?



--
Tim Bray
Huddersfield, GB
t...@kooky.org

