Re: [mailop] Strange mail delivery from microsoft
Am 19.06.23 um 06:36 schrieb Klaus Ethgen via mailop: I have some update.. Greylisting was not the problem I had/have with microsoft. Your original mail sounded a little different. However, upon re-reading it is possible that you activated greylisting in response to the previous perceived attacks (this might be a foreign language subtleties issue, we both don't have english as our primary language). Due to ongoing attacks (especially also from big clouds like microsoft) I have a limit of 10 connections per IP and hour. That seems not enough for microsoft to deliver 1 or 2 mails per days relyable. Ok, so you're doing something that you didn't mention before. 10 connections per IP and hour is a bad idea if you want to receive mail. What a shity provider! I'm inclined to repeat what I said before: If your setup breaks mail consistently, it's likely your setup that's to blame. Others seem to be able to receive Outlook mail just fine. Microsoft didn't ask you to implement an arbitrary connection rate limit, blaming them for your inability to receive mails from their customers isn't really appropriate. There are enough actual faults Microsoft can be blamed for :-) Cheers, Hans-Martin ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Strange mail delivery from microsoft
I have some update.. Greylisting was not the problem I had/have with microsoft. Due to ongoing attacks (especially also from big clouds like microsoft) I have a limit of 10 connections per IP and hour. That seems not enough for microsoft to deliver 1 or 2 mails per days relyable. What a shity provider! Gruß Klaus -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16Klaus Ethgen Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C signature.asc Description: PGP signature ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Strange mail delivery from microsoft
On 2023-06-18 at 17:53 +0100, Klaus Ethgen wrote: > Hi, > > I have tighten my firewall a bit and seen many attacks from Microsoft > (40.92.0.0/16). They contact once from a IP and then never again. If I > greylist them, the will try to deliver from a different address which > gets greylisted again and so on. hotmail.com claims it delivers email from the whole 40.92.0.0/15: > spf.protection.outlook.com. 600 IN TXT "v=spf1 ip4:40.92.0.0/15... which seems completely overkill (maybe they want to keep the ability to serve a customer per ip?), specially since they also use many other ranges (full list below) but if they used that address space for anything other than their own email hosts they would be giving a free spf pass for those, so anything from there must be coming from their "official" MTAs. In which case, I don't think it makes much sense to graylist them. Regards $ spfwalk hotmail.com | sort -n 2a01:111:f400::/48 2a01:111:f403::/49 2a01:111:f403:8000::/50 2a01:111:f403:c000::/51 2a01:111:f403:f000::/52 40.107.0.0/16 40.92.0.0/15 52.100.0.0/14 65.54.121.120/29 65.54.190.0/24 65.54.241.0/24 65.54.51.64/26 65.54.61.64/26 65.55.111.0/24 65.55.113.64/26 65.55.116.0/25 65.55.126.0/25 65.55.174.0/25 65.55.178.128/27 65.55.234.192/26 65.55.238.129/26 65.55.238.129/26 65.55.33.64/28 65.55.34.0/24 65.55.52.224/27 65.55.78.128/25 65.55.81.48/28 65.55.90.0/24 65.55.94.0/25 70.37.151.128/25 94.245.112.0/27 94.245.112.10/31 104.47.0.0/17 111.221.112.0/21 111.221.23.128/25 111.221.26.0/27 111.221.66.0/25 111.221.69.128/25 157.55.0.192/26 157.55.11.0/25 157.55.1.128/26 157.55.157.128/25 157.55.2.0/25 157.55.225.0/25 157.55.49.0/25 157.55.61.0/24 157.55.9.128/25 157.56.232.0/21 157.56.240.0/20 157.56.24.0/25 157.56.248.0/21 207.46.116.128/29 207.46.117.0/24 207.46.132.128/27 207.46.198.0/25 207.46.200.0/27 207.46.4.128/25 207.46.50.192/26 207.46.50.224 207.46.58.128/25 207.68.169.173/30 207.68.176.0/26 207.68.176.96/27 213.199.161.128/27 213.199.177.0/26 ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and subdomains
It appears that Andrew C Aitchison via mailop said: >> FWIW, future development provides for walking down the DNS tree. >> So a DMARC verifier would lookup _domainkey.foo.bar.example.com and >> _domainkey.bar.example.com before reaching _domainkey.example.com. > >Are we talking about _dmarc...example.com or _domainkey...example.com ? DMARC >Is this future development published for comment ? Of course it is. See the DMARC WG's drafts. >Is this a way of allowing residential broadband and cloud providers to >distinguish their clients and not have to control what said clients do ? No. R's, John ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Strange mail delivery from microsoft
Dnia 18.06.2023 o godz. 19:30:26 Hans-Martin Mosner via mailop pisze: > > Greylisting is something that only makes sense when dealing with > very braindead ratware on hijacked home network connections. That's exactly what greylisting is supposed to do. That "very braindead ratware" once (when greylisting was invented) accounted for huge percentage of spam. Now *maybe* it's not the case anymore, so *maybe* greylisting is not so important. I deliberately say "maybe" - I'm not sure... As for OP's original question, just exclude the IP range of these Microsoft servers (or domain, if they have a common rDNS domain) from greylisting. Most greylisting software should be able to do that. It needs to be done with various other services that retry from different IP as well. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Strange mail delivery from microsoft
Klaus Ethgen via mailop skrev den 2023-06-18 18:53: I have tighten my firewall a bit and seen many attacks from Microsoft (40.92.0.0/16). They contact once from a IP and then never again. If I greylist them, the will try to deliver from a different address which gets greylisted again and so on. use greylist /32 for ipv4, and /64 for ipv6, with microsoft there is no ipv6 senders maybe change greylist time to one single hour aswell, so urls is listed at accept time Could you please tell me how to handle that broken mail delivery? It triggers all, my mailserver attack filter as well as greylisting. change greylist to /32 for ipv4, i cant think of a better way to help microsoft servers :) Unfortunately I have some contacts on hotmail. Otherwise I would not care about. not news for me ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] Strange mail delivery from microsoft
Am 18.06.23 um 18:53 schrieb Klaus Ethgen via mailop: Hi, I have tighten my firewall a bit and seen many attacks from Microsoft (40.92.0.0/16). Attacks or mail delivery attempts? They contact once from a IP and then never again. If I greylist them, the will try to deliver from a different address which gets greylisted again and so on. How do you reject them? Using a 4xx temp error? Or some other mechanism, such as closing the connection prematurely? If you do it in the firewall, it might do something else than a normal greylisting mailserver would. Microsoft's outgoing mailservers might try to distinguish between greylisting hosts and unreachable hosts, preferring to retry from a completely different IP when hosts are unreachable, under the assumption that it might be a routing issue. Could you please tell me how to handle that broken mail delivery? It triggers all, my mailserver attack filter as well as greylisting. If it consistently breaks valid mail, it's probably your side that's broken :-) Greylisting is something that only makes sense when dealing with very braindead ratware on hijacked home network connections. Any real outgoing MX, whether operated by legitimate organizations or by spammers, will retry and thus defeat the intent of greylisting. I would just drop greylisting from the list of effective anti-spam measures. Cheers, Hans-Martin ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
[mailop] Strange mail delivery from microsoft
Hi, I have tighten my firewall a bit and seen many attacks from Microsoft (40.92.0.0/16). They contact once from a IP and then never again. If I greylist them, the will try to deliver from a different address which gets greylisted again and so on. Could you please tell me how to handle that broken mail delivery? It triggers all, my mailserver attack filter as well as greylisting. Unfortunately I have some contacts on hotmail. Otherwise I would not care about. Regards Klaus -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16Klaus Ethgen Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C signature.asc Description: PGP signature ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and subdomains
On Sun, 18 Jun 2023, Alessandro Vesely via mailop wrote: On Fri 16/Jun/2023 22:41:39 +0200 Gellner, Oliver via mailop wrote: On 16.06.2023 at 16:13 Jaroslaw Rafa via mailop wrote: [...] So at least one (and important one, given the size of this mail service) implementation of DMARC does not use the PSL. eu.org is located in the private domain section of Mozillas public suffix list. Apparently Google does not treat those private domains as public suffixes (at least not all of them) or uses a different public suffix list. The DMARC specification does not mandate that you have to use Mozillas PSL and pick up every self-appointed entry from there. FWIW, future development provides for walking down the DNS tree. So a DMARC verifier would lookup _domainkey.foo.bar.example.com and _domainkey.bar.example.com before reaching _domainkey.example.com. Are we talking about _dmarc...example.com or _domainkey...example.com ? Is this future development published for comment ? Is this a way of allowing residential broadband and cloud providers to distinguish their clients and not have to control what said clients do ? Eu.org would have to publish a "psd=y" tag to say it is a public suffix domain. Psd domains can specify policies. Their current record specifies a pct=, which won't be supported by the upcoming standard. So the future development will break compatibility with the current standard ? I hope the future development requires a new value for the "v" tag. "v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org; Thanks, -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and subdomains
On Fri 16/Jun/2023 22:41:39 +0200 Gellner, Oliver via mailop wrote: On 16.06.2023 at 16:13 Jaroslaw Rafa via mailop wrote: [...] So at least one (and important one, given the size of this mail service) implementation of DMARC does not use the PSL. eu.org is located in the private domain section of Mozillas public suffix list. Apparently Google does not treat those private domains as public suffixes (at least not all of them) or uses a different public suffix list. The DMARC specification does not mandate that you have to use Mozillas PSL and pick up every self-appointed entry from there. FWIW, future development provides for walking down the DNS tree. So a DMARC verifier would lookup _domainkey.foo.bar.example.com and _domainkey.bar.example.com before reaching _domainkey.example.com. Eu.org would have to publish a "psd=y" tag to say it is a public suffix domain. Psd domains can specify policies. Their current record specifies a pct=, which won't be supported by the upcoming standard. "v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org; Best Ale -- ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop