Re: [mailop] Question of SPF record
On 02/06/2023 04:14 PM, Jarland Donnell via mailop wrote:
> Take this:
>
> v=spf1 a mx ip4:74.208.4.194 ~all
>
> Change it to this:
>
> v=spf1 include:_spf.perfora.net include:_spf.kundenserver.de ~all
>
> Done :)
>
> On 2023-02-05 18:13, H via mailop wrote:
>> I have a domain with multiple email addresses hosted by Ionos. I have found that outgoing emails can come from a range of Ionos email IPs.
>>
>> I have created a TXT record for my domain containing one IP4 address but outgoing emails seem to be sent from different IP4 addresses. As an example I now have:
>>
>> v=spf1 a mx ip4:74.208.4.194 ~all
>>
>> I know I can add at least one more ip4 address using the same format but I am not sure exactly what the Ionos email ip range might be so:
>>
>> - Is there a way of saying eg. ip4:72.20.8.*
>>
>> - Or should I delete the ip4 component and instead add:
>>
>> include:mydomain.tld (corrected of course)
>>
>> Suggestions appreciated!
>>
>> Thanks.
>>
>> ___
>> mailop mailing list
>> mailop@mailop.org
>> https://list.mailop.org/listinfo/mailop

Thank you for all suggestions. My Ionos mail server is located in the US so I entered the following SPF record:

"v=spf1 include:_spf-us.ionos.com ~all"

It now passes the SPF check mail-tester.com, next challenge will be to get DKIM configured which apparently is required before creating the DMARC record.
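
An added illustration of the two options asked about in this thread (not code from any poster, and not Ionos's real SPF data): a small offline SPF evaluator showing that a wildcard such as `ip4:192.0.2.*` is not valid syntax, that a range is written in CIDR form, and how `include:` delegates to a provider's record. The domains, the `TXT` table and every address range are constructed; only `ip4`, `ip6`, `include` and `all` are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# All names and ranges are made up (reserved documentation values).
TXT = {
    "single.example": "v=spf1 ip4:192.0.2.10 ~all",
    "wild.example": "v=spf1 ip4:192.0.2.* ~all",
    "cidr.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "incl.example": "v=spf1 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on terms that trigger DNS queries


class PermError(Exception):
    """The record cannot be interpreted; receivers report 'permerror'."""


def _evaluate(addr, domain, lookups):
    record = TXT.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                # Wildcards like 192.0.2.* land here: SPF has no such syntax.
                raise PermError(f"{name} needs an address or CIDR, got {arg!r}")
            if addr in network:
                return RESULT[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise PermError("too many DNS lookups")
            inner = _evaluate(addr, arg, lookups)
            if inner == "none":
                raise PermError(f"include target {arg!r} has no SPF record")
            if inner == "pass":  # only an inner pass makes the include match
                return RESULT[qualifier]
            # inner fail/softfail/neutral: no match, keep reading the outer record
        else:
            raise NotImplementedError(f"{name!r} is outside this example")
    return "neutral"


def check_host(ip, domain):
    """Return the SPF result for a connecting IP and a sender domain."""
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, [0])
    except PermError:
        return "permerror"
```

Note that the provider's own `-all` does not leak into the including domain: an address outside the provider ranges falls through to the outer `~all`.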
Re: [mailop] Hetzner
On 2023-02-07 14:00, Hans-Martin Mosner via mailop wrote:
> Another thing is that it should go absolutely without question that as the hoster will not divulge the identity of their customers to abuse reporters,

Okay, going to start a flame war with this

Huh? Anyone who wants to run an email server on the internet in this day and age, understands the need for transparency if they want their email accepted by others. If you can't find the responsible party to report things to, then expect that you will simply get blocked.

Hosting providers can easily have customers agree when signing up, to the need to be transparent if they want to run an email service, and there is a legitimate reason to make that information available, so this can get by GDPR if the customer KNOWS and AGREES that the information will be made available, how and for what purpose.

Spammers and malware operators hide behind obfuscation and GDPR policies of hosters, and those with long take down cycles.. I am tired of hearing 'we reported it to our reseller', and that's the end of it. If the reseller is supposed to be the responsible party, the reseller information should be public. That's what SWIP (and 'rwhois') is for.

You want to send email without revealing who you are, expect to get blocked, with NO notification. Hosting companies that hide behind privacy laws, in order to encourage customer sign-ups, are often called 'bullet proof' hosters.. (okay, maybe taking this rant too far).

If you want to send email, there has to be able to find the responsible party for the activity related to the server/domain/ip. You will hear me pounding the table about this at M3AAWG. And of course, law enforcement are also frustrated about this.

It's easy to do... IF your customer doesn't want to disclose for the intended purposes, fine.. but you should question why. And tell them they are on their own when it comes to being blocked.

And this applies to even the largest providers (Amazon, Gmail, etc)

Too many criminals are operating with impunity. And you look at the hosting companies with the least complaints, they embrace transparency by email operators.

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: [mailop] Hetzner
On 07.02.23 at 13:31, Ralph Seichter via mailop wrote:
> When a third party X complains that Hetzner customer Y is a spammer, I consider it only appropriate that Hetzner passes the complaint along and asks Y for a statement, and does not simply impose restrictions on Y based on X's say-so.

There's a lot that can be done between those two extremes.

One thing is that upon receiving complaints, a hoster should make sure that they actually know who the customer is, and that the customer isn't using shady and possibly fake identity, payment options, etc. A customer going out of their way to hide their true identity should be a red flag.

Another thing is that it should go absolutely without question that as the hoster will not divulge the identity of their customers to abuse reporters, they must also not divulge the identity of abuse reporters to their customers. Even hinting at the possibility that they might do that completely destroys the trust in them that I as an abuse reporter might have. This is why I am not reporting anything to Hetzner anymore but block single IPs immediately.

When I report abuse, I expect the hoster to first do some plausibility checks, including checks whether there are reports from other sources about the same customer. If there is good reason to assume that the customer is a victim himself, it would be appropriate to work with them to fix the issue, and in the meantime place some restrictions on their outgoing traffic to contain the damage. If there are reasonable indicators that the customer might be the originator of abuse, they need to be warned and put on a watchlist.

As an abuse reporter, I often have a more complete picture of the spammer's activity, for example I tend to be able to follow some of them from hoster to hoster by their choice of host and domain names, registrars, etc. When I suggest that a customer be disconnected due to spamming it is normally because they are very clearly the perpetrators, not victims. Otherwise I simply report and leave the judgement up to the hoster.

Cheers,
Hans-Martin
Re: [mailop] Hetzner
> what is your data that shows hetzner being worse than others in this field?

What is the point you are trying to make by trying to turn this into a race where it wasn't one previously? We are discussing Hetzner specifically, prompted by the original post from Lena, last I checked.

> hetzner has grown big and in absolute numbers it's clear that the number of abuse is big - but only relative numbers are fair to compare!

In addition to making the mistake of trying to make it a race, you are also mistaking a qualitative discussion for a quantitative one.

--
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
Re: [mailop] Hetzner
On 07/02/2023 16:08, Michael Peddemors via mailop wrote:
> Yes, the spammers are picking up on the Hetzner networks again..
> Maybe a priority abuse line is needed for those in the threat detection industry..

Maybe when people like Return Path stop sending in false abuse reports?

I've had two so far, for emails sent from the IP address over a year before Hetzner assigned it to me.

This claims a date in 2021 for an email over a year earlier in 2020:

> Source: Telenet
> Abuse-Type: complaint
> Feedback-Type: abuse
> User-Agent: ReturnPathFBL/2.0
> Arrival-Date: Sat, 16 Oct 2021 16:01:25 +
>
> Received: from elasmtp-galgo.atl.sa.earthlink.net ([*.*.*.*])
> by charles.telenet-ops.be with bizsmtp
> id *; Wed, 30 Sep 2020 05:53:49 +0200

This claims a date in 2022 for a different email over two years before in 2020:

> Source: Telenet
> Abuse-Type: complaint
> Feedback-Type: abuse
> User-Agent: ReturnPathFBL/2.0
> Arrival-Date: Fri, 07 Oct 2022 09:08:26 +
>
> Received: from lucien.telenet-ops.be (LHLO lucien.telenet-ops.be)
> (2a02:1800:120:4:0:0:f00:16) by zcsnocm106.telenet-ops.be with LMTP; Wed,
> 30 Sep 2020 14:44:41 +0200 (CEST)
> Received: from elasmtp-galgo.atl.sa.earthlink.net ([*.*.*.*])
> by lucien.telenet-ops.be with bizsmtp
> id *; Wed, 30 Sep 2020 14:44:41 +0200

RFC 5965: "Arrival-Date" indicates the date and time at which the original message was received by the Mail Transfer Agent (MTA) of the generating ADMD (Administrative Management Domain).

--
Simon Arlott
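
A sanity check of the kind this message implies, as an added example that is not from the original post: it parses an ARF feedback report, compares `Arrival-Date` with the date on the topmost `Received` header of the reported message, and flags reports whose event predates the current customer's IP assignment. The sample report, the hostnames, the two-day tolerance and the assignment date passed by the caller are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed ARF report (RFC 5965 layout); hosts, IPs and dates are made up.
SAMPLE = """\
From: fbl@isp.example
To: abuse@hoster.example
Subject: FW: complaint
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an abuse report.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Arrival-Date: Sat, 16 Oct 2021 16:01:25 +0000
Source-IP: 192.0.2.25

--b1
Content-Type: text/rfc822-headers

Received: from mta.sender.example ([192.0.2.25])
 by mx.isp.example with esmtp
 id abc123; Wed, 30 Sep 2020 05:53:49 +0200
From: someone@sender.example
Subject: hello

--b1--
"""


def _headers(part):
    """Return the header block carried by a report part as a Message."""
    payload = part.get_payload()
    return payload[0] if isinstance(payload, list) else message_from_string(payload)


def check_report(raw, assigned_since, max_gap=timedelta(days=2)):
    """Compare Arrival-Date with the original message's receipt time."""
    report = original = None
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            report = _headers(part)
        elif ctype in ("text/rfc822-headers", "message/rfc822"):
            original = _headers(part)
    hops = original.get_all("Received") if original is not None else None
    if report is None or report["Arrival-Date"] is None or not hops:
        raise ValueError("not a complete feedback report")
    arrival = parsedate_to_datetime(report["Arrival-Date"])
    # Topmost Received header: the hop at the reporting provider's own MTA.
    received = parsedate_to_datetime(hops[0].rsplit(";", 1)[1].strip())
    gap = arrival - received
    findings = []
    if abs(gap) > max_gap:
        findings.append("arrival-date-mismatch")
    if received < assigned_since:  # assigned_since must be timezone-aware
        findings.append("predates-assignment")
    return {"arrival": arrival, "received": received, "gap": gap,
            "findings": findings}
```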
Re: [mailop] Hetzner
Atro and everyone else blaming Hetzner for their abuse handling:

what is your data that shows hetzner being worse than others in this field?
does this data put in relation the size of the provider (number of IPs/servers/customers) ?

hetzner has grown big and in absolute numbers it's clear that the number of abuse is big - but only relative numbers are fair to compare!

--
Andreas

Atro Tossavainen via mailop wrote on 07.02.23 16:57:
>> Ever been on the receiving end of a retaliatory abuse complaint?
>
> Yup, that too.
>
>> As a Hetzner customer I expect some trust in the company I pay money to,
>
> As do I, as a Hetzner customer.
>
>> that they'll give me a chance to face my accuser and fix the problem if there is one, or give a response as to why I shouldn't have to if there isn't a problem.
>
> I, too, expect to be told what the nature of the problem is. Where the report comes from should be completely irrelevant. I frequently don't bother with complaints of abuse to Hetzner because I get back the autoreply that states I am expected to OK them forwarding it verbatim to the spammer. Most of the spammers I would complain about are not the hijacked systems but the dedicated ones.
>
>> There are two sides to every story, surprisingly companies aren't keen to just kick all of their customers out by third party demand, on demand.
>
> Not expecting shooting on sight, as already said. Some safety measures would be nice though, such as not outsourcing the ToSsing of spammers to the spammers themselves.
Re: [mailop] Hetzner
On 2/7/23 04:31, Ralph Seichter via mailop wrote:
> * Hetzner Blacklist via mailop:
>> I’m not seeing anything offensive or insulting in our response.
>
> Neither do I. The response simply describes what is happening. When a third party X complains that Hetzner customer Y is a spammer, I consider it only appropriate that Hetzner passes the complaint along and asks Y for a statement, and does not simply impose restrictions on Y based on X's say-so.

If within a short period of time third parties A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, and X complain that Hetzner customer Y is a spammer, then maybe at least a temporary block on destination port 25 outbound for customer Y would be a good idea while things are sorted out.

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
Re: [mailop] Hetzner
Yes, the spammers are picking up on the Hetzner networks again.. Maybe a priority abuse line is needed for those in the threat detection industry..

Of course, like all large hosting companies, the responsibility is on you for what leaves your networks. #itsnotthathard

The real players in the threat detection space have their hands full, and really don't have much incentive to supply abuse reports, it takes time and money.

Interesting question, how do you incentivize others to provide you timely information? But 20 day response times does de-incentivize others to help.

On 2023-02-07 06:39, Hetzner Blacklist via mailop wrote:
>> I am referring to the fact that the wording of the autoreply suggests that Hetzner is simply passing complaints verbatim to the spammers themselves and not dealing with it yourselves.
>
> If we were passing them on verbatim we wouldn’t have to manually process them. The whole point is not to simply refer to our abuse form, which many people dislike (including many on here), but instead to process individual email complaints ourselves. That needs to be done manually, since we need to check what the issue is, what information is provided, and figure out what we can pass on to our client. That takes time.
>
> As for the spammers comment, you know that the vast majority of spam leaving our network is from compromised servers. Most spam complaints we get are for legitimate clients. There are spammers who try to sign up with us, but those that get through and start spamming don't last very long.
>
> We deal with this by giving our client a chance to resolve the issue. If they don't, then we take action. Blocking servers for a single abuse complaint without first informing our client about a potential issue is not something that a reliable hosting partner would do.
>
>> And I think the bigger issue is one of resourcing. If Hetzner is now processing all abuse reports manually,
>
> Uff, that would be rough. Please note that individual email complaints does not mean all abuse reports. For the sake of completeness: we get lots of automated abuse complaints that are processed automatically. If we’re only talking spam, then think of the complaints from blacklists (like Spamhaus, SpamCop, SORBS, 0Spam, or EGP), FBLs (mostly from Validity and SPFBL), and companies (like Netcraft, clean-mx, and many more). These are dealt with in a timely manner, and a quick look at the blacklists that show data for entire networks/companies will show that we take spam seriously.

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Re: [mailop] Hetzner
> Ever been on the receiving end of a retaliatory abuse complaint?

Yup, that too.

> As a Hetzner customer I expect some trust in the company I pay money to,

As do I, as a Hetzner customer.

> that they'll give me a chance to face my accuser and fix the problem if there is one, or give a response as to why I shouldn't have to if there isn't a problem.

I, too, expect to be told what the nature of the problem is. Where the report comes from should be completely irrelevant. I frequently don't bother with complaints of abuse to Hetzner because I get back the autoreply that states I am expected to OK them forwarding it verbatim to the spammer. Most of the spammers I would complain about are not the hijacked systems but the dedicated ones.

> There are two sides to every story, surprisingly companies aren't keen to just kick all of their customers out by third party demand, on demand.

Not expecting shooting on sight, as already said. Some safety measures would be nice though, such as not outsourcing the ToSsing of spammers to the spammers themselves.

> On 2023-02-07 07:15, Atro Tossavainen via mailop wrote:
>>> Neither do I. The response simply describes what is happening. When a third party X complains that Hetzner customer Y is a spammer, I consider it only appropriate that Hetzner passes the complaint along and asks Y for a statement, and does not simply impose restrictions on Y based on X's say-so. Informing X of what the internal process entails does not look offensive, let alone insulting, to me.
>>
>> Have you ever been on the receiving end of retaliation from a spammer, Ralph?

--
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
Re: [mailop] Hetzner
Ever been on the receiving end of a retaliatory abuse complaint? As a Hetzner customer I expect some trust in the company I pay money to, that they'll give me a chance to face my accuser and fix the problem if there is one, or give a response as to why I shouldn't have to if there isn't a problem.

There are two sides to every story, surprisingly companies aren't keen to just kick all of their customers out by third party demand, on demand.

On 2023-02-07 07:15, Atro Tossavainen via mailop wrote:
>> Neither do I. The response simply describes what is happening. When a third party X complains that Hetzner customer Y is a spammer, I consider it only appropriate that Hetzner passes the complaint along and asks Y for a statement, and does not simply impose restrictions on Y based on X's say-so. Informing X of what the internal process entails does not look offensive, let alone insulting, to me.
>
> Have you ever been on the receiving end of retaliation from a spammer, Ralph?
Re: [mailop] Hetzner
> If we were passing them on verbatim we wouldn’t have to manually process them.

Suppose it is so, then.

> As for the spammers comment, you know that the vast majority of spam leaving our network is from compromised servers.

You would know that beyond any doubt. I don't have comprehensive stats, although I may have guesses.

> Most spam complaints we get are for legitimate clients. There are spammers who try to sign up with us, but those that get through and start spamming don't last very long.

OK. I'm curious about the Russian spam list spammer on 78.47.158.139 four days ago, as well as the dedicated 419 domain on 168.119.9.111 two weeks ago, if you are at liberty to discuss.

(As well as the Japanese credit card phishers everywhere. Subject: [実録]格安カードで騙された!)

> We deal with this by giving our client a chance to resolve the issue.

But you don't know the legitimate client from the illegitimate one before you do, which could mean you might be passing on information that the illegitimate one could then use for retaliating against the complainant.

> If they don't, then we take action. Blocking servers for a single abuse complaint without first informing our client about a potential issue is not something that a reliable hosting partner would do.

Not expecting you to shoot on sight, that's for sure.

Admittedly I also don't know how much information in the initial complaint you actually do forward to the customer. In the absence of reliable evidence to the contrary, I am expecting it to be "everything." (Which brings us back to square one: don't enable further abuse.) I'd love to be wrong on that.

> These are dealt with in a timely manner, and a quick look at the blacklists that show data for entire networks/companies will show that we take spam seriously.

Having only one live SBL is indeed an indication of mostly getting it right. Many others have dozens, hundreds.

--
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
Re: [mailop] Hetzner
> I am referring to the fact that the wording of the autoreply suggests that Hetzner is simply passing complaints verbatim to the spammers themselves and not dealing with it yourselves.

If we were passing them on verbatim we wouldn’t have to manually process them. The whole point is not to simply refer to our abuse form, which many people dislike (including many on here), but instead to process individual email complaints ourselves. That needs to be done manually, since we need to check what the issue is, what information is provided, and figure out what we can pass on to our client. That takes time.

As for the spammers comment, you know that the vast majority of spam leaving our network is from compromised servers. Most spam complaints we get are for legitimate clients. There are spammers who try to sign up with us, but those that get through and start spamming don't last very long.

We deal with this by giving our client a chance to resolve the issue. If they don't, then we take action. Blocking servers for a single abuse complaint without first informing our client about a potential issue is not something that a reliable hosting partner would do.

> And I think the bigger issue is one of resourcing. If Hetzner is now processing all abuse reports manually,

Uff, that would be rough. Please note that individual email complaints does not mean all abuse reports. For the sake of completeness: we get lots of automated abuse complaints that are processed automatically. If we’re only talking spam, then think of the complaints from blacklists (like Spamhaus, SpamCop, SORBS, 0Spam, or EGP), FBLs (mostly from Validity and SPFBL), and companies (like Netcraft, clean-mx, and many more). These are dealt with in a timely manner, and a quick look at the blacklists that show data for entire networks/companies will show that we take spam seriously.
Re: [mailop] Hetzner
On Tue, 7 Feb 2023 at 13:19, Atro Tossavainen via mailop wrote:
>> Neither do I. The response simply describes what is happening. When a third party X complains that Hetzner customer Y is a spammer, I consider it only appropriate that Hetzner passes the complaint along and asks Y for a statement, and does not simply impose restrictions on Y based on X's say-so. Informing X of what the internal process entails does not look offensive, let alone insulting, to me.
>
> Have you ever been on the receiving end of retaliation from a spammer, Ralph?

And I think the bigger issue is one of resourcing. If Hetzner is now processing all abuse reports manually, and it's taking upwards of a month to work through reports, it's likely that the abusive customer is long gone from their fraudulent use (or has rotated through that third party's compromised server/instance to another server/compromised customer account). That significantly diminishes the usefulness of reporting abuse, to the point where some operators may reasonably decide to start discarding traffic from Hetzner ranges.

Reports should not simply be passed along verbatim without any prior action taken to mitigate a violation, because that simply provides a near-realtime feedback loop to the malicious user.

What I would personally like to see at all large hosts is an automated-then-human system, which could automatically action either soft-suspension / egress block-and-notify to a customer, or priority flag to customer services, upon receipt of a validated abuse report. At that point the customer, if legitimate, would likely end up proactively contacting customer support. Any issue of compromised credentials, software vuln or TOS infringement can be dealt with promptly.

If an abuse report is itself malicious/abusive, and targeting an innocent user, a flag could be set after manual verification, so that future service suspension would not be automatic, but would still flag up to the abuse team to investigate. This would accommodate a scenario where it may appear like a mistake, but might actually be a more sophisticated attempt to hide TOS infringing usage.

This is not the work of a moment, and it's one thing to block diagram an automated abuse management system, but something like this is the only way I can see the abuse reporting and actioning process scaling for hosts as large as Hetzner. The alternative is staffing dozens of techs 24/7 to work through abuse reports.

A month to action an abuse report and inform a reporter is, with respect, not acceptable.
Re: [mailop] Hetzner
> Neither do I. The response simply describes what is happening. When a third party X complains that Hetzner customer Y is a spammer, I consider it only appropriate that Hetzner passes the complaint along and asks Y for a statement, and does not simply impose restrictions on Y based on X's say-so. Informing X of what the internal process entails does not look offensive, let alone insulting, to me.

Have you ever been on the receiving end of retaliation from a spammer, Ralph?

--
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
Re: [mailop] Hetzner
* Hetzner Blacklist via mailop:
> I’m not seeing anything offensive or insulting in our response.

Neither do I. The response simply describes what is happening. When a third party X complains that Hetzner customer Y is a spammer, I consider it only appropriate that Hetzner passes the complaint along and asks Y for a statement, and does not simply impose restrictions on Y based on X's say-so. Informing X of what the internal process entails does not look offensive, let alone insulting, to me.

-Ralph
Re: [mailop] Hetzner
Thanks Bastiaan for picking up the red courtesy phone so fast.

> I’m not seeing anything offensive or insulting in our response.

I am referring to the fact that the wording of the autoreply suggests that Hetzner is simply passing complaints verbatim to the spammers themselves and not dealing with it yourselves.

To me, that _is_ offensive and insulting, because as we all know, we (tinw) don't want the spammer to know about us, we don't want the spammer to remove just us, we want you to remove the spammers, and there is nothing the spammer themselves can accomplish to that end.

--
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
Re: [mailop] Hetzner
> 20 days (!) later I received a reply [AbuseID:BEA948:23]:

That’s too long of a delay, I agree. We’re currently in the middle of a restructuring in our abuse department, where a number of processes are also being updated. For example, we’re no longer immediately referring to our abuse form when we get individual email complaints, but instead our team is manually processing them. That manual processing obviously takes longer than abuse form submissions, which is why there are currently some delays. We’re still ironing out some kinks, and we should be back to responding in a timely fashion soon.

> Bastiaan is on this list. Is there anything you can do, Bastiaan, to make the offensive responses to abuse@ go away permanently and for the company to stop insulting complainants?

I’m not seeing anything offensive or insulting in our response. Having said that, I have been wanting to update that wording for a while, so I will get that ball rolling.

Regards
Bastiaan