Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-08 Thread Hans-Martin Mosner via mailop
On 08.07.21 at 18:14, Luke via mailop wrote:
> Just so the group is aware, our team is looking into the Zoom traffic. We 
> aren't sure what they are doing with that
> mail stream, but it doesn't look good.
>
> Both of the accounts reported by Michael have been suspended.
>
> Thanks, everyone.
>
> Luke
>
I have a hunch that some time ago (just before the increased spam via
SendGrid started) there might have been an unauthorized access to
SendGrid customer data which allowed hackers to brute-force hashed
passwords and use valid accounts to send spam and fraudulent/phishing
mails. The pattern is too strong to be reasonably explained with
singular security breaches at individual customers.

SendGrid, if this comes close to the truth (I can only guess), please be
open about it at least in communication to your customers. If possible,
enforce 2FA, watch for logins from unusual IP addresses, etc. Maybe a
complete password reset for all customers would be in order.

Repelling spam and fraud from completely bogus sources is a lot of work
for us mail admins already, but when it comes from presumably authentic
sources it becomes incredibly difficult and prone to false positives.

Here's a simple example: I have a mail sample in quarantine that comes
from "topbuildersolutions.net", apparently a SendGrid customer, using
your outgoing infrastructure (192.254.122.201), so it's not a simple
impersonation. It purports to be a payment reminder, with the usual
phishing drill of urgency by threatening account termination. With a
From: line of "SendGrid ", a SendGrid logo as embedded png, and the
closing line "The Billing Operations Team at SendGrid" it looks 100%
like phishing to me.

Is this from you actually?
If yes, why do you send out payment reminders using foreign domains?
If not, why do you let your customers send such mails through your
system?

Your reputation is going down the drain. You should definitely realize
that your reputation is your most valuable asset, and it's losing value
at an incredible rate.

Cheers,
Hans-Martin

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Old subject, awareness, given recent Microsoft disclosure.. blocking port 25 from dynamic/DUL networks

2021-07-08 Thread Steven Champeon via mailop
on Thu, Jul 08, 2021 at 02:28:13PM -0700, Michael Peddemors via mailop wrote:
> Ex. 1.186.104.104 x1  1.186.104.104.dvois.com

Even better still, dvois.com uses the same naming for dynamics and
statics. At least they only have the couple - though they also use
static.dvois.com right anchored PTR naming, they don't ALWAYS, so it's a
risk to just assume. I've dealt with Indian ISPs with hundreds, if not
thousands of naming "conventions". The old vsnl and bsnl were awful.

> Time to brush off M3AAWG best practices.. listing what ports do not
> need to be open on dynamic IP home style networks..

That's just it - you can't assume dynamic with dvois.com, and many more.
I have at least 136 patterns that I had to throw my hands up and call
"mixed" because they either lie, don't distinguish, or are so
incompetent they can't be bothered to not hand out statics with 'dyn'
token labels, and vice versa (e.g., rima-tde). Much of Brazil is simply
generic, stuff like 1-2-3-4.example.net.br. We tend to assume generic ==
dynamic, especially when they've got tiny allocations, but shrug.

Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
Internet security and antispam hostname intelligence: http://enemieslist.com/
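The "mixed" problem Steve describes above, as an added example (not code from the thread or from enemieslist): a small PTR-naming heuristic that separates dynamic, static and generic (IP-in-name) naming, and refuses to guess for providers known to reuse one scheme for both pools. The token lists, the `MIXED_PROVIDERS` set and the example.net hostnames are assumptions; only dvois.com comes from the thread.

```python
"""Heuristic classification of a sending host's PTR name for inbound
SMTP policy. Added example; token lists and the MIXED_PROVIDERS set are
assumptions, and all hostnames except dvois.com are constructed."""
import re

# Labels ISPs commonly use to advertise a pool type. Only hints: as the
# thread notes, some providers hand out statics under 'dyn' tokens.
DYNAMIC_TOKENS = {"dyn", "dynamic", "dhcp", "pool", "ppp", "dsl", "cable"}
STATIC_TOKENS = {"static", "fixed", "business", "biz"}

# Providers observed to use one naming scheme for dynamics and statics,
# so no token in their PTRs can be trusted (dvois.com is from the thread;
# treat the set itself as constructed).
MIXED_PROVIDERS = {"dvois.com"}


def ip_embedded(ip: str, ptr: str) -> bool:
    """True when all four octets appear in the PTR, forward or reversed,
    joined by '.' or '-' (1.186.104.104.dvois.com, 1-2-3-4.example.net.br)."""
    octets = ip.split(".")
    labels = re.split(r"[.-]", ptr.lower())
    for i in range(len(labels) - 3):
        if labels[i:i + 4] in (octets, octets[::-1]):
            return True
    return False


def classify_ptr(ip: str, ptr: str) -> str:
    """Return dynamic, static, generic, mixed or unknown for one PTR."""
    if not ptr:
        return "unknown"
    host = ptr.lower().rstrip(".")
    labels = host.split(".")
    # Right-anchored view: the last two labels name the provider (a
    # simplification for ccTLD-style suffixes such as .net.br); the labels
    # to the left are where pool tokens live.
    provider = ".".join(labels[-2:])
    tokens = set(re.split(r"[.-]", ".".join(labels[:-2])))
    dyn = bool(tokens & DYNAMIC_TOKENS)
    sta = bool(tokens & STATIC_TOKENS)
    if provider in MIXED_PROVIDERS or (dyn and sta):
        return "mixed"      # contradictory or known-untrustworthy naming
    if dyn:
        return "dynamic"
    if sta:
        return "static"
    if ip_embedded(ip, host):
        return "generic"    # IP-in-name with no token
    return "unknown"


def smtp_stance(cls: str) -> str:
    """Map a class to a policy. Generic is treated like dynamic, as the
    thread does; mixed and unknown get scored on other evidence instead."""
    return {"dynamic": "reject", "generic": "reject", "static": "accept",
            "mixed": "score", "unknown": "score"}[cls]


if __name__ == "__main__":
    for ip, ptr in [("1.186.104.104", "1.186.104.104.dvois.com"),
                    ("203.0.113.7", "203-0-113-7.example.net.br"),
                    ("198.51.100.9", "ppp-9.pool.example.net"),
                    ("198.51.100.9", "dyn-9.static.example.net")]:
        cls = classify_ptr(ip, ptr)
        print(f"{ip:15} {ptr:30} {cls:8} {smtp_stance(cls)}")
```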


[mailop] Old subject, awareness, given recent Microsoft disclosure.. blocking port 25 from dynamic/DUL networks

2021-07-08 Thread Michael Peddemors via mailop
It's been quite a few years, and for those of you on this list as long 
in the tooth as I am, you will remember the battles of the 90's and 
early 2000's between various RBL's and large telco/cable companies..


Those cable companies did very little about outbound abuse, so several 
of the RBL's in the day, controversially blocked the largest ISP's 
networks.. period..


This finally hit the big telco's in the pocket book enough, that they 
gave in and started blocking port 25 on egress from their dynamic IP 
ranges, and now most of the ISP's in North America still block port 25 
on egress.


However, the world is big.. and many other areas in the world are not 
doing this yet..


eg.. from today, just looking at compromised GPON routers, this one ISP 
is sending spam from the following.. (any one here have any sway with 
this company?)


Ex. 1.186.104.104   x1  1.186.104.104.dvois.com
(fuller list below)

Now, there are several countries really having a problem with this. 
Compromised routers, IoT devices.. and compromised old versions of 
Windows. And while most email operators already stop them one way or 
another, it is just a huge drain on resources. (Included samples from 
Brazil below as well)


It was bad enough when all they were doing was spamming, and it is so 
simple to block port 25 on egress from DUL/Dynamic networks, why is this 
practice not working its way to emerging markets??


We have brought it up with several CERT's, but little progress is being 
made on this front, and given the prevalence of older/cheaper IoT 
routers, and/or older versions of Windows, a lot more compromised 
devices in those regions.


And now, with the latest Microsoft disclosure, we can be sure millions 
more devices will be compromised..


Isn't it time we renewed this conversation with ISP's and Telco's around 
the world? Spambots are dangerous, precursor to much worse things.


But at least it is easy to stop.

Time to brush off M3AAWG best practices.. listing what ports do not need 
to be open on dynamic IP home style networks..


..



[mailop] M-365 classified as phishing a "good" domain

2021-07-08 Thread Alessio Cecchi via mailop

Hi,

I have a customer that was unable to deliver email to all Microsoft 365 
Exchange hosted domains.


The domain name classified as phishing by Microsoft antispam is 
enterprisesolutions DOT cc, and the messages are not marketing, just email 
sent by users with their email client through our SMTP. This is the only 
domain name that has problems delivering email from our SMTP.


Here is the log from Microsoft:

250 2.6.0 <013601d773fe$f05504b0$d0ff0e10$@enterprisesolutions DOT cc> 
[InternalId=59103044970866, 
Hostname=VI1PR08MB4317.eurprd08.prod.outlook.com] 10983 bytes in 0.130, 
82.459 KB/sec Queued mail for delivery


The recipients find the message in the quarantine with a warning about: 
"High confidence phishing".


How can I help my customer solve this issue? Can I open a ticket with 
Microsoft since I'm not a customer of theirs?


Thanks

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice



Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-08 Thread Luke via mailop
Just so the group is aware, our team is looking into the Zoom traffic. We
aren't sure what they are doing with that mail stream, but it doesn't look
good.

Both of the accounts reported by Michael have been suspended.

Thanks, everyone.

Luke

On Thu, Jul 8, 2021 at 8:48 AM Michael Peddemors via mailop <
mailop@mailop.org> wrote:

> On 2021-07-08 8:20 a.m., Carl Byington via mailop wrote:
> > On Thu, 2021-07-08 at 09:31 +0300, Atro Tossavainen via mailop wrote:
> >> That one is Zoom.us itself.
> >
> >> Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])
> >
> >> Received: from o12.ptr3622.sg.zoom.us (o12.ptr3622.sg.zoom.us
> >> [167.89.93.232])
> >
> > Yes, the mail arrives from systems with rdns of *.sg.zoom.us, but my
> > understanding is that the X-Entity-ID points to a sendgrid user. And the
> > headers include stuff like:
> >
> > Received: by filter1889p1las1.sendgrid.net with SMTP id
> > filter1889p1las1-10585-60DE6FD0-E
> >  2021-07-02 01:45:52.506187482 + UTC m=+23969.518969155
> > Received: from MjEwNzk4ODQ (unknown)
> >  by geopod-ismtpd-3-2 (SG) with HTTP id W8YVLKQPT6CK1S2NPi9CbA
> >
> > Which looks like the original submission was via a sendgrid web
> > interface. A reply-to address in .vn, and a subject line (google
> > translate from Vietnamese) of "Why real estate can make you rich?".
> >
> > Just more crap that sendgrid is leaking, this time sending their
> > outbound spam via zoom.us servers.
> >
>
>
> Yeah, it is almost always a compromise, but hard to believe Zoom would
> not have enabled two factor authentication, or similar restrictions on
> who can use their sendgrid servers, keep thinking that there is another
> back door that abusers are using at SendGrid..
>
> Be nice to hear from Zoom (if anyone knows a contact) on what they
> discover, since SendGrid hasn't been too transparent.
>
> --
> "Catch the Magic of Linux..."
> 
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> 
> 604-682-0300 Beautiful British Columbia, Canada
>
> This email and any electronic data contained are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company.


Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-08 Thread Michael Peddemors via mailop

On 2021-07-08 8:20 a.m., Carl Byington via mailop wrote:
> On Thu, 2021-07-08 at 09:31 +0300, Atro Tossavainen via mailop wrote:
> > That one is Zoom.us itself.
> >
> > Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])
> >
> > Received: from o12.ptr3622.sg.zoom.us (o12.ptr3622.sg.zoom.us
> > [167.89.93.232])
>
> Yes, the mail arrives from systems with rdns of *.sg.zoom.us, but my
> understanding is that the X-Entity-ID points to a sendgrid user. And the
> headers include stuff like:
>
> Received: by filter1889p1las1.sendgrid.net with SMTP id
> filter1889p1las1-10585-60DE6FD0-E
>  2021-07-02 01:45:52.506187482 + UTC m=+23969.518969155
> Received: from MjEwNzk4ODQ (unknown)
>  by geopod-ismtpd-3-2 (SG) with HTTP id W8YVLKQPT6CK1S2NPi9CbA
>
> Which looks like the original submission was via a sendgrid web
> interface. A reply-to address in .vn, and a subject line (google
> translate from Vietnamese) of "Why real estate can make you rich?".
>
> Just more crap that sendgrid is leaking, this time sending their
> outbound spam via zoom.us servers.

Yeah, it is almost always a compromise, but hard to believe Zoom would 
not have enabled two factor authentication, or similar restrictions on 
who can use their sendgrid servers, keep thinking that there is another 
back door that abusers are using at SendGrid..

Be nice to hear from Zoom (if anyone knows a contact) on what they 
discover, since SendGrid hasn't been too transparent.


--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-08 Thread Michael Peddemors via mailop

And another bad for SendGrid compromises/spammers..

149.72.34.12    (S)    19   wrqvnnhc.outbound-mail.sendgrid.net
149.72.34.115   (RS)    1   wrqvnntp.outbound-mail.sendgrid.net
149.72.34.116   (S)    16   wrqvnntq.outbound-mail.sendgrid.net
149.72.34.124   (S)    13   wrqvnntc.outbound-mail.sendgrid.net
149.72.37.206           1   wrqvnrcz.outbound-mail.sendgrid.net
149.72.37.207           1   wrqvnrcf.outbound-mail.sendgrid.net
149.72.37.212   (S)    18   wrqvnrdq.outbound-mail.sendgrid.net
149.72.128.32   (S,M)  15   wrqvvhnh.outbound-mail.sendgrid.net

You have to assume they don't care any more ;) Not that hard to stop, 
and it's been going on for 1 1/2 years..


Kind of hard to believe that they don't have the budget or skill to stop 
it..


Return-Path: 
From: App reviews 
Subject: How a friend of mine business got sued
Reply-To: austinookoyo...@gmail.com

Subject: Hello!
To: YOU 
From: "Mackenzie Scott Grant" 
Date: Wed, 07 Jul 2021 13:51:23 + (UTC)
Reply-To: msfoundati...@indamail.hu

Fake Grant Offers..

You get the drift.. which is why more and more operators are simply 
blacklisting SendGrid.. I know our team sure doesn't have the time or 
patience to keep reporting these..


On 2021-07-07 4:08 p.m., Carl Byington via mailop wrote:
> On Tue, 2021-07-06 at 23:59 +0300, Atro Tossavainen via mailop wrote:
> > X-Entity-ID: 7mxhBNMkQ9yfwz0A5+NG7Q==
> >
> >    Return-Path: 
>
> That one has been trying to send spam here for at least a month.



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-08 Thread Carl Byington via mailop

On Thu, 2021-07-08 at 09:31 +0300, Atro Tossavainen via mailop wrote:
> That one is Zoom.us itself.

> Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])

> Received: from o12.ptr3622.sg.zoom.us (o12.ptr3622.sg.zoom.us
> [167.89.93.232])

Yes, the mail arrives from systems with rdns of *.sg.zoom.us, but my
understanding is that the X-Entity-ID points to a sendgrid user. And the
headers include stuff like:

Received: by filter1889p1las1.sendgrid.net with SMTP id
filter1889p1las1-10585-60DE6FD0-E
2021-07-02 01:45:52.506187482 + UTC m=+23969.518969155
Received: from MjEwNzk4ODQ (unknown)
by geopod-ismtpd-3-2 (SG) with HTTP id W8YVLKQPT6CK1S2NPi9CbA

Which looks like the original submission was via a sendgrid web
interface. A reply-to address in .vn, and a subject line (google
translate from Vietnamese) of "Why real estate can make you rich?".

Just more crap that sendgrid is leaking, this time sending their
outbound spam via zoom.us servers.





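Carl's reading of the header chain, as an added detection example (not code from the thread): walk a message's Received headers, note the outer rDNS, check whether a sendgrid.net filter hop and an `(SG) with HTTP` submission hop sit behind it, and whether Reply-To points somewhere other than From. The sample message is constructed from the header lines quoted above; the From/To/Reply-To addresses and the X-Entity-ID value are placeholders.

```python
"""Flag messages whose outer rDNS is a customer-branded host (*.sg.zoom.us)
while the Received chain shows a SendGrid relay and web/HTTP submission.
Added example; the sample below is constructed from the quoted headers,
with placeholder addresses and a placeholder X-Entity-ID."""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])
 by mx.example.net (Postfix) with ESMTPS; Fri, 2 Jul 2021 01:45:53 +0000
Received: by filter1889p1las1.sendgrid.net with SMTP id
 filter1889p1las1-10585-60DE6FD0-E
 2021-07-02 01:45:52.506187482 +0000 UTC m=+23969.518969155
Received: from MjEwNzk4ODQ (unknown)
 by geopod-ismtpd-3-2 (SG) with HTTP id W8YVLKQPT6CK1S2NPi9CbA
X-Entity-ID: PLACEHOLDER-ENTITY-ID==
From: Webinar Team <noreply@zoom.us>
Reply-To: someone@example.vn
Subject: constructed sample
To: you@example.net

body
"""

# "from <helo> (<rdns> [<ip>])" as written by the receiving MTA.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")
# SendGrid's ingest hop announces HTTP (web UI / API) submission this way.
SG_HTTP = re.compile(r"by\s+\S+\s+\(SG\)\s+with\s+HTTP", re.I)


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Extract the facts the thread relies on from one raw message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []   # topmost = last hop
    outer = RECEIVED_FROM.search(received[0]) if received else None
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    return {
        "outer_rdns": outer.group(2).lower() if outer else "",
        "outer_ip": outer.group(3) if outer else "",
        "sendgrid_hop": any("sendgrid.net" in h.lower() for h in received),
        "http_submission": any(SG_HTTP.search(h) for h in received),
        "entity_id": msg.get("X-Entity-ID", ""),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }


def reasons(f: dict) -> list:
    """Why a filter might hold this message for review (empty = no flag)."""
    out = []
    if f["sendgrid_hop"] and not f["outer_rdns"].endswith("sendgrid.net"):
        out.append("SendGrid relay behind customer-branded rDNS")
    if f["http_submission"]:
        out.append("submitted through SendGrid's HTTP interface")
    if f["reply_to_mismatch"]:
        out.append("Reply-To domain differs from From domain")
    if out and f["entity_id"]:
        out.append("X-Entity-ID present: report/block per customer, not per IP")
    return out


if __name__ == "__main__":
    facts = analyze(SAMPLE)
    print(facts["outer_rdns"], facts["outer_ip"])
    for r in reasons(facts):
        print(" -", r)
```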


[mailop] polspam.pl contacts?

2021-07-08 Thread Thomas Walter via mailop
Hello guys,

does anyone know how to get in contact with the polspam.pl blacklist owners?

Their contact form does not work and the website footer lists an email
address, but asks to "not send any messages to this address".

Regards
Thomas Walter

-- 
Thomas Walter
Datenverarbeitungszentrale

FH Münster
University of Applied Sciences
Corrensstr. 25, Room B 112
48149 Münster

Tel: +49 251 83-64908
Fax: +49 251 83-64910

E-Mail: b...@fh-muenster.de
https://www.fh-muenster.de/dvz/





Re: [mailop] Contact for Zoom webinar spam sent via Sendgrid (ugh)

2021-07-08 Thread Atro Tossavainen via mailop
On Wed, Jul 07, 2021 at 04:08:42PM -0700, Carl Byington via mailop wrote:
> 
> On Tue, 2021-07-06 at 23:59 +0300, Atro Tossavainen via mailop wrote:
> > X-Entity-ID: 7mxhBNMkQ9yfwz0A5+NG7Q==
> 
> >   Return-Path:  
> That one has been trying to send spam here for at least a month.

That one is Zoom.us itself.

Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])

Received: from o12.ptr3622.sg.zoom.us (o12.ptr3622.sg.zoom.us [167.89.93.232])

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/


Re: [mailop] Cyren status regularly flapping back to Suspicious

2021-07-08 Thread Florian Effenberger via mailop

Hello,

Alessandro Vesely via mailop wrote on 07.07.21 at 13:27:
> So it's IPv4.  Talos[*] reports low email activity on it.  Do you send
> out DMARC reports and similar stuff?  I found that doing so increases my
> footprint and hence stabilizes reputation, albeit some point out that
> reports can be classified as spam...

Indeed, the activity on the various IPs of mine is not that high. It's a 
bit higher on some, but in any case I'm not one of the big players with 
a large mail volume. :-)


I don't send out DMARC reports (yet), but the quality of the traffic 
should be good, i.e. the bounce ratio rather low. All are individual 
mailboxes from the educational sector, no newsletters or the like.


Luckily, thanks to this list, a kind person from Cyren poked me directly 
(thanks so much!) and in parallel, the recipient was excluding these IPs 
from their Cyren checking, so my current case at hand seems solved for 
the moment.


I'm trying to understand if the Cyren behaviour is expected and the 
recipient is just wrongly blocking the yellow IPs, or if actually the 
flapping back is due to "spammy neighbours" and can be mitigated. I'll 
report back if I have more insight.


That being said - thanks indeed, I appreciate how helpful and 
cooperative this list has been to me so far, although I'm fairly new here!


Florian