Re: [mailop] Google Translate provide spammer and phishing reputation

2022-11-10 Thread John Levine via mailop
It appears that Andrew C Aitchison via mailop said:
>> Now you can click on the "List" link, see that it allows to browse the 
>> mailman website using google domain translate.goog
>
>First, I missed that Google was given a TLD (whois says back in 2015)

They have lots of TLDs.

ads android app boo cal channel chrome dad day dclk dev docs drive eat esq
fly foo gbiz gle gmail goog google guge hangout here how ing map meet meme
mov new nexus page phd play prod prof rsvp search soy youtube zip

Along with three non-ascii ones. Most are empty or nearly so.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Google Translate provide spammer and phishing reputation

2022-11-10 Thread Andrew C Aitchison via mailop

On Thu, 10 Nov 2022, MRob via mailop wrote:


> Recent I saw a link in a spam which wanted to phish credential:
>
> https://translate.google.com/translate?sl=auto=en=en=ipfs.io/ipfs//index.html?submit=@=webapp
>
> Google translate shows a live page the user can input data into so
> effectively google is hosting the payload for the spammer? (indirect over
> anon IPFS network)
>
> See for yourself:
>
> https://translate.google.com/translate?sl=auto=en=en=duckduckgo.com
>
> https://translate.google.com/translate?sl=auto=en=en=spammers.dontlike.us/mailman/listinfo/
>
> Now you can click on the "List" link, see that it allows to browse the
> mailman website using google domain translate.goog

First, I missed that Google was given a TLD (whois says back in 2015)

> So spammer and phisher can host website on sketchy server but freely use
> Google for best possible reputation for web hosting and for putting link into
> spam email and successfully avoid URIBL type checks.


Thanks for the heads-up.

(Some) browsers can do automatic translation; we can encourage users to
post the original URL and "down-repute" translate.google.com and .goog

Is it worth an article in Reddit or similar?

Does anyone have access to proofpoint urldefence.com and similar
to see what they do ?

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] Google Translate provide spammer and phishing reputation

2022-11-10 Thread Jarland Donnell via mailop
It's an interesting attack angle. Has anyone here seen any user fall for 
anything similar? I want to say no one would fall for that but 
experience tells me I should never underestimate what an end user will 
fall prey to.


On 2022-11-10 13:22, MRob via mailop wrote:

> Recent I saw a link in a spam which wanted to phish credential:
>
> https://translate.google.com/translate?sl=auto=en=en=ipfs.io/ipfs//index.html?submit=@=webapp
>
> Google translate shows a live page the user can input data into so
> effectively google is hosting the payload for the spammer? (indirect
> over anon IPFS network)
>
> See for yourself:
>
> https://translate.google.com/translate?sl=auto=en=en=duckduckgo.com
>
> https://translate.google.com/translate?sl=auto=en=en=spammers.dontlike.us/mailman/listinfo/
>
> Now you can click on the "List" link, see that it allows to browse the
> mailman website using google domain translate.goog
>
> So spammer and phisher can host website on sketchy server but freely
> use Google for best possible reputation for web hosting and for putting
> link into spam email and successfully avoid URIBL type checks.



[mailop] Google Translate provide spammer and phishing reputation

2022-11-10 Thread MRob via mailop

Recent I saw a link in a spam which wanted to phish credential:

https://translate.google.com/translate?sl=auto=en=en=ipfs.io/ipfs//index.html?submit=@=webapp

Google translate shows a live page the user can input data into so 
effectively google is hosting the payload for the spammer? (indirect 
over anon IPFS network)


See for yourself:

https://translate.google.com/translate?sl=auto=en=en=duckduckgo.com

https://translate.google.com/translate?sl=auto=en=en=spammers.dontlike.us/mailman/listinfo/

Now you can click on the "List" link, see that it allows to browse the 
mailman website using google domain translate.goog


So spammer and phisher can host website on sketchy server but freely use 
Google for best possible reputation for web hosting and for putting link 
into spam email and successfully avoid URIBL type checks.

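An added example, not part of the original post: one way a filter could recover the proxied host from the two link shapes described above (translate.google.com/translate and *.translate.goog) so that a URIBL lookup sees it. The `u` query parameter and the host-name encoding of *.translate.goog (`.` written as `-`, a literal `-` as `--`) are assumptions from observed behaviour, the function names are hypothetical, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

PROXY_SUFFIX = ".translate.goog"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def unwrap_translate(url):
    """Return the host being proxied, or None if url is not a translate link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "translate.google.com":
        # Assumption: the wrapped page is carried in the 'u' parameter.
        target = parse_qs(parts.query).get("u", [""])[0]
        if not target:
            return None
        if not SCHEME_RE.match(target):
            target = "http://" + target  # 'u' is often given without a scheme
        return (urlsplit(target).hostname or "").lower() or None
    if host.endswith(PROXY_SUFFIX):
        label = host[: -len(PROXY_SUFFIX)]
        # Assumption: '.' is encoded as '-', and a literal '-' as '--'.
        return label.replace("--", "\0").replace("-", ".").replace("\0", "-") or None
    return None

def hosts_to_check(body):
    """Hosts a URIBL lookup should see: each visible host plus any proxied one."""
    hosts = []
    for url in URL_RE.findall(body):
        visible = (urlsplit(url).hostname or "").lower()
        for h in (visible, unwrap_translate(url)):
            if h and h not in hosts:
                hosts.append(h)
    return hosts

# Constructed sample body; the hosts are placeholders, not taken from the thread.
SAMPLE_BODY = (
    "Verify here: https://translate.google.com/translate?sl=auto&tl=en&hl=en"
    "&u=phish.example.net/login/index.html\n"
    "Mirror: https://bad--host-example-org.translate.goog/mailman/listinfo/"
    "?_x_tr_sl=auto&_x_tr_tl=en\n"
    "Search: https://duckduckgo.com/\n"
)

if __name__ == "__main__":
    for h in hosts_to_check(SAMPLE_BODY):
        print(h)
```
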


Re: [mailop] [External] Re: Try to understand *.onmicrosoft.com

2022-11-10 Thread Bill Cole via mailop
On 2022-11-10 at 11:27:47 UTC-0500 (Thu, 10 Nov 2022 16:27:47 + (UTC))
L. Mark Stone via mailop 
is rumored to have said:

> FWIW I have the same setup as Bill re Admin onmicrosoft accounts.
>
> To go one step further, I actually do not want those admin accounts to have a 
> mailbox at all. It's not the money, it's that I don't want customers emailing 
> me at those addresses, let alone having to worry about spam/phishing 
> coming in to an Admin account.

And in my case it's a half-dozen accounts that only exist so that I can 
navigate the admin interfaces and click the right buttons. They just happen to 
have the form of an email address. I've already got enough actual mailboxes 
that I need to keep up with.



> Regards,
> Mark
> _
> L. Mark Stone, Founder
> North America's Leading Zimbra VAR/BSP/Training Partner
> For Companies With Mission-Critical Email Needs
>
> - Original Message -
> From: "Bill Cole via mailop" 
> To: "Gellner, Oliver via mailop" 
> Sent: Thursday, November 10, 2022 10:52:07 AM
> Subject: Re: [mailop] [External] Re:  Try to understand *.onmicrosoft.com
>
> On 2022-11-10 at 02:58:15 UTC-0500 (Thu, 10 Nov 2022 07:58:15 +)
> Gellner, Oliver via mailop 
> is rumored to have said:
>
>> On 2022-11-09 23:24, MRob via mailop wrote:
>>> Does anyones on this list getting legitimate nonspam mail from
>>> *@.onmicrosoft.com?
>>
>> Yes, in fact most of them are legitimate messages, so based on my
>> experience using onmicrosoft.com is not a good spam indicator. The
>> domain is used by senders who either do not bring their own domain to
>> Microsoft or fail to set their own domain as the default sender
>> address for some or all of their mailboxes or within some automated
>> processes and scripts.
>> For what it's worth we also receive emails from
>> @microsoft.onmicrosoft.com.
>
> Another datapoint: I do MS365 admin duty for multiple customers and *my*
> accounts for doing so are all authenticated as
> me@.onmicrosoft.com, but they have no mailboxes of their own
> and no licenses for any sort of end-user apps.
>
>
>
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] [External] Re: Try to understand *.onmicrosoft.com

2022-11-10 Thread Giovanni Bechis via mailop

On 11/9/22 23:23, MRob via mailop wrote:

> On 2022-11-09 13:54, Kevin A. McGrail via mailop wrote:
>
>> Just a note that it is not necessarily a free trial.  It's the
>> onboarding domain for M365.
>>
>> I would NOT agree that it reflects legitimate traffic and have rules
>> in the KAM ruleset for the onmicrosoft domains.  They are being
>> abused.
>
> Does anyones on this list getting legitimate nonspam mail from
> *@.onmicrosoft.com?


out-of-office notices sometimes are sent from the onmicrosoft.com domain even 
if the real domain is another.

  Giovanni





>> On 11/8/2022 7:01 PM, Suresh Ramasubramanian via mailop wrote:



>>> That is an office 365 free trial account. There is some massive abuse of these
>>> going on over a period of time. However there is also a ton of legitimate
>>> traffic.
>>>
>>> --srs
>>>
>>> *From:* mailop on behalf of MRob via mailop
>>> *Sent:* Wednesday, November 9, 2022 5:17:09 AM
>>> *To:* mailop@mailop.org
>>> *Subject:* [mailop] Try to understand *.onmicrosoft.com
>>>
>>> Is envelope sender user@.onmicrosoft.com normal in non-spam
>>> mail? Is it how all microsoft mail comes through? Or is it usually spam
>>> from badly configured domain? Should  part *always* match
>>> sender domain in FROM header?
>>>
>>> On the other hand, if mail come from microsoft server *not* through
>>> "onmicrosoft.com" is that negative sign?







[mailop] Anyone from Vade on list?

2022-11-10 Thread Josh Nason via mailop
Hi all - If anyone from Vade is on the list, can you email me directly? I'll 
also take a contact if someone has one.

Thanks!

Josh from Oracle Dyn


Re: [mailop] [External] Re: Try to understand *.onmicrosoft.com

2022-11-10 Thread L. Mark Stone via mailop
FWIW I have the same setup as Bill re Admin onmicrosoft accounts.

To go one step further, I actually do not want those admin accounts to have a 
mailbox at all. It's not the money, it's that I don't want customers emailing 
me at those addresses, let alone having to worry about spam/phishing 
coming in to an Admin account.

Regards, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Bill Cole via mailop" 
To: "Gellner, Oliver via mailop" 
Sent: Thursday, November 10, 2022 10:52:07 AM
Subject: Re: [mailop] [External] Re:  Try to understand *.onmicrosoft.com

On 2022-11-10 at 02:58:15 UTC-0500 (Thu, 10 Nov 2022 07:58:15 +)
Gellner, Oliver via mailop 
is rumored to have said:

> On 2022-11-09 23:24, MRob via mailop wrote:
>> Does anyones on this list getting legitimate nonspam mail from 
>> *@.onmicrosoft.com?
>
> Yes, in fact most of them are legitimate messages, so based on my 
> experience using onmicrosoft.com is not a good spam indicator. The 
> domain is used by senders who either do not bring their own domain to 
> Microsoft or fail to set their own domain as the default sender 
> address for some or all of their mailboxes or within some automated 
> processes and scripts.
> For what it's worth we also receive emails from 
> @microsoft.onmicrosoft.com.

Another datapoint: I do MS365 admin duty for multiple customers and *my* 
accounts for doing so are all authenticated as 
me@.onmicrosoft.com, but they have no mailboxes of their own 
and no licenses for any sort of end-user apps.



-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] [External] Re: Try to understand *.onmicrosoft.com

2022-11-10 Thread Dave Brockman via mailop

On 11/10/2022 10:52 AM, Bill Cole via mailop wrote:

> Another datapoint: I do MS365 admin duty for multiple customers and *my*
> accounts for doing so are all authenticated as
> me@.onmicrosoft.com, but they have no mailboxes of their own
> and no licenses for any sort of end-user apps.


That is your choice.  You could easily make your admin account username 
@company.com instead of @company.onmicrosoft.com, if you have 
company.com registered with the tenancy.  You don't have to license or 
assign a mailbox to do this.


With Gratitude,

Dave Brockman
Senior Network Engineer
Gig City Cloud, LLC



Re: [mailop] [External] Re: Try to understand *.onmicrosoft.com

2022-11-10 Thread Bill Cole via mailop

On 2022-11-10 at 02:58:15 UTC-0500 (Thu, 10 Nov 2022 07:58:15 +)
Gellner, Oliver via mailop 
is rumored to have said:


> On 2022-11-09 23:24, MRob via mailop wrote:
>> Does anyones on this list getting legitimate nonspam mail from
>> *@.onmicrosoft.com?
>
> Yes, in fact most of them are legitimate messages, so based on my
> experience using onmicrosoft.com is not a good spam indicator. The
> domain is used by senders who either do not bring their own domain to
> Microsoft or fail to set their own domain as the default sender
> address for some or all of their mailboxes or within some automated
> processes and scripts.
> For what it's worth we also receive emails from
> @microsoft.onmicrosoft.com.


Another datapoint: I do MS365 admin duty for multiple customers and *my* 
accounts for doing so are all authenticated as 
me@.onmicrosoft.com, but they have no mailboxes of their own 
and no licenses for any sort of end-user apps.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] Microsoft allows free-form spoofing?

2022-11-10 Thread Bill Cole via mailop

On 2022-11-09 at 17:21:16 UTC-0500 (Wed, 09 Nov 2022 22:21:16 +)
MRob via mailop 
is rumored to have said:


> On 2022-11-09 13:37, Bill Cole via mailop wrote:
>
>> On 2022-11-09 at 06:47:55 UTC-0500 (Wed, 09 Nov 2022 11:47:55 +)
>> MRob via mailop
>> is rumored to have said:
>>
>>> On 2022-11-09 08:40, Slavko via mailop wrote:
>>>
>>>> On 9 Nov at 0:34, MRob via mailop wrote:
>>>>> ... But if microsoft agree to DKIM-sign using envelope-from
>>>>> (**signature including the FROM header**) shouldnt that mean it is
>>>>> seeing the headers and can of course validate FROM header? For me
>>>>> that show extra proof microsoft allowing free-form unchecked
>>>>> spoofing
>>>>
>>>> DKIM doesn't validates any of signed header(s). It only digitally signs
>>>> them to receiver can verify that they wasn't modified on transport
>>>> (from signer to receiver). Nothing more, nothing less.
>>>
>>> Not questioning about DKIM. The point is microsoft has FROM header
>>> in its hand so it *can* easily do validation to the user account to
>>> disallow spoof.
>>
>> Not so much.
>>
>> If I send mail via an MS service and put in a (working) address in my
>> own domain in the From header. How is Microsoft supposed to "validate"
>> that?
>
> Easy, user register their addresses in their MS acct, MS only send
> with FROM in allowed list
>
>> What they'd need to do in that case is to have alternative address
>> registration and confirmation at a per-user granularity. Users hate
>> that.
>
> MS and you agree: users hate that so best decision is allow free-form
> spoofing :(


I guess my tone was unclear. I do not condone MS's lack of oversight of 
their customers' misbehavior, especially their not-really-customers 
using 'onmicrosoft' addresses. I just don't believe that there is the 
slightest chance of them changing it because it would add costs for both 
operations (a foreign address registry and scanning of messages to 
validate From headers) and for support (because: users hate it.) This is 
not something MS will ever fix, at least not in any way that they can't 
dress up as a positive feature and charge for. Because 'onmicrosoft' 
addresses are for trial accounts (and apparently for non-mailable admin 
accounts without Exchange mailboxes?) I would not expect MS to ever 
block header spoofing for them. It would be a cost with no benefit for 
MS.


Whether they *should* block it is not a useful conversation. They are 
not going to.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
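An added example, not part of any post in this thread: a receiver-side check of the situation discussed above, where a message is DKIM-signed for an onmicrosoft.com tenant while the From header names an unrelated domain. It compares domains only and does not verify the signature; alignment is approximated as "same domain or a subdomain of it" (real DMARC uses the organizational domain), the function names are hypothetical, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def dkim_domains(msg):
    """Signing domains (d= tags) of every DKIM-Signature header."""
    doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in str(sig).split(";"):
            name, _, value = tag.partition("=")
            if name.strip().lower() == "d":
                doms.append(re.sub(r"\s+", "", value).lower())
    return doms

def aligned(a, b):
    # Simplification: equal, or one a subdomain of the other (no PSL lookup).
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def alignment(raw):
    """Compare the From domain with the envelope sender and DKIM d= domains."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    sigs = dkim_domains(msg)
    return {
        "from": from_dom,
        "envelope": env_dom,
        "dkim": sigs,
        "spf_aligned": aligned(env_dom, from_dom),
        "dkim_aligned": any(aligned(d, from_dom) for d in sigs),
    }

# Constructed message: signed for a tenant domain, From names another domain.
SAMPLE = (
    "Return-Path: <user@tenant-example.onmicrosoft.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=tenant-example.onmicrosoft.com;\n"
    " s=selector1; h=From:Date:Subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Account Security <security@bank.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(alignment(SAMPLE))
```
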


Re: [mailop] [External] Re: Try to understand *.onmicrosoft.com

2022-11-10 Thread Gellner, Oliver via mailop
On 2022-11-09 23:24, MRob via mailop wrote:
> Does anyones on this list getting legitimate nonspam mail from 
> *@.onmicrosoft.com?

Yes, in fact most of them are legitimate messages, so based on my experience 
using onmicrosoft.com is not a good spam indicator. The domain is used by 
senders who either do not bring their own domain to Microsoft or fail to set 
their own domain as the default sender address for some or all of their 
mailboxes or within some automated processes and scripts.
For what it's worth we also receive emails from @microsoft.onmicrosoft.com.

--
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher
