Re: [mailop] Recent increase in GMail 421-4.7.28 responses

2023-10-02 Thread Brandon Long via mailop
I've raised a bug to take a look; this looks like a too-broad DKIM replay
rule.

Brandon

On Mon, Oct 2, 2023 at 1:35 AM Stephen Frost via mailop wrote:

> Greetings,
>
> For about the past month we (PostgreSQL.Org mailing lists) have seen a
> large increase in the number of 421-4.7.28 "Our system has detected an
> unusual rate of unsolicited mail originating from your IP address."
> responses when attempting to deliver to gmail.com addresses.  This is
> creating a painful backlog of queued email for us, not to mention
> gmail.com users having email from our lists delayed for hours and days
> in some cases, something we've not had issue with for years prior to
> this.
>
> We are delivering from:
>
> malur.postgresql.org has address 217.196.149.56
> malur.postgresql.org has IPv6 address 2a02:16a8:dc51::56
>
> Which is listed in https://www.dnswl.org/ as high trust, our mailing
> list software specifically avoids DKIM corruption, we provide
> List-Unsubscribe (along with other List-* headers), and all subscribers
> have to go through a process of creating a postgresql.org account (with
> email address verification as part of that process) before they can
> subscribe to any of our lists.  We've also been delivering a similar
> amount of email to gmail.com addresses for many years without this
> issue.
>
> We have seen some emails coming through which fail DKIM due to
> over-signing of the List-* headers or incorrect DKIM configurations.
> We've reached out to those individuals to work on correcting their DKIM
> configurations and have implemented code changes to catch and moderate
> and bounce back email that either fails DKIM or would fail it when
> posted to our lists.  We're also working on removing email addresses
> that have been bouncing back to us due to 'over quota' responses from
> gmail for a long time (even though the 4xx codes would have one believe
> that this is a situation which will eventually correct itself... we've
> seen many cases where it doesn't for months...).  Based on our review of
> GMail's documentation, however, these actions do not seem very likely to
> actually change things.  We've also reviewed what GMail publishes
> regarding reported spam from our IP and it's literally 0%.
>
> Since implementing the changes described above a few days ago, very few
> emails that fail DKIM have passed through our lists, the one exception
> being a few Twitter emails going to closed lists with very few people on
> them.  Ultimately, we feel fairly comfortable saying that whatever
> changed a month ago certainly didn't seem to be due to these few DKIM
> failing emails.
>
> We're investigating other changes such as possibly spinning up a
> separate dedicated server to deal with email destined for gmail.com (or
> perhaps we'd move everything *else* to the new system/IP) but this is
> certainly far from ideal when we have historically had a very smooth
> running and fast system prior to this past month.
>
> Thanks!
>
> Stephen
> PostgreSQL.Org Sysadmin team
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Christof Meerwald via mailop
On Mon, Oct 02, 2023 at 04:40:51PM +0200, Frank Heydlauf via mailop wrote:
> Hi Christof, folx,
> 
> On Sun, Oct 01, 2023 at 07:51:04PM +0200, Christof Meerwald via mailop wrote:
> > On Sat, Sep 30, 2023 at 10:45:41PM +0200, Christof Meerwald wrote:
> > > On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop wrote:
> ...
> > > having any inside knowledge) is that it heavily depends on your
> > > configuration and only a tiny percentage of servers will be affected
> > > (this includes CVE-2023-42115).
> > 
> > see https://www.mail-archive.com/exim-users@lists.exim.org/msg00526.html
> 
> I find the specification of "EXTERNAL auth" to be rather vague. 
> At least for people who don't work on the exim code all the time.
> 
> Is that what is meant?
> 
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_external_authenticator.html

Yes


Christof

-- 

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Frank Heydlauf via mailop
Hi Christof, folx,

On Sun, Oct 01, 2023 at 07:51:04PM +0200, Christof Meerwald via mailop wrote:
> On Sat, Sep 30, 2023 at 10:45:41PM +0200, Christof Meerwald wrote:
> > On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop wrote:
...
> > having any inside knowledge) is that it heavily depends on your
> > configuration and only a tiny percentage of servers will be affected
> > (this includes CVE-2023-42115).
> 
> see https://www.mail-archive.com/exim-users@lists.exim.org/msg00526.html


I find the specification of "EXTERNAL auth" to be rather vague. 
At least for people who don't work on the exim code all the time.

Is that what is meant?

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_external_authenticator.html


Greets
Frank


Re: [mailop] Recent increase in GMail 421-4.7.28 responses

2023-10-02 Thread Christine Borgia via mailop
>>421-4.7.28 "Our system has detected an
>>unusual rate of unsolicited mail originating from your IP address."

Despite this error saying "IP address", I have found it to be
domain-specific. Can you narrow the issue down to specific domains or do
you just use your main domain for everything?

On Mon, Oct 2, 2023 at 4:36 AM Stephen Frost via mailop wrote:

> Greetings,
>
> For about the past month we (PostgreSQL.Org mailing lists) have seen a
> large increase in the number of 421-4.7.28 "Our system has detected an
> unusual rate of unsolicited mail originating from your IP address."
> responses when attempting to deliver to gmail.com addresses.  This is
> creating a painful backlog of queued email for us, not to mention
> gmail.com users having email from our lists delayed for hours and days
> in some cases, something we've not had issue with for years prior to
> this.
>
> We are delivering from:
>
> malur.postgresql.org has address 217.196.149.56
> malur.postgresql.org has IPv6 address 2a02:16a8:dc51::56
>
> Which is listed in https://www.dnswl.org/ as high trust, our mailing
> list software specifically avoids DKIM corruption, we provide
> List-Unsubscribe (along with other List-* headers), and all subscribers
> have to go through a process of creating a postgresql.org account (with
> email address verification as part of that process) before they can
> subscribe to any of our lists.  We've also been delivering a similar
> amount of email to gmail.com addresses for many years without this
> issue.
>
> We have seen some emails coming through which fail DKIM due to
> over-signing of the List-* headers or incorrect DKIM configurations.
> We've reached out to those individuals to work on correcting their DKIM
> configurations and have implemented code changes to catch and moderate
> and bounce back email that either fails DKIM or would fail it when
> posted to our lists.  We're also working on removing email addresses
> that have been bouncing back to us due to 'over quota' responses from
> gmail for a long time (even though the 4xx codes would have one believe
> that this is a situation which will eventually correct itself... we've
> seen many cases where it doesn't for months...).  Based on our review of
> GMail's documentation, however, these actions do not seem very likely to
> actually change things.  We've also reviewed what GMail publishes
> regarding reported spam from our IP and it's literally 0%.
>
> Since implementing the changes described above a few days ago, very few
> emails that fail DKIM have passed through our lists, the one exception
> being a few Twitter emails going to closed lists with very few people on
> them.  Ultimately, we feel fairly comfortable saying that whatever
> changed a month ago certainly didn't seem to be due to these few DKIM
> failing emails.
>
> We're investigating other changes such as possibly spinning up a
> separate dedicated server to deal with email destined for gmail.com (or
> perhaps we'd move everything *else* to the new system/IP) but this is
> certainly far from ideal when we have historically had a very smooth
> running and fast system prior to this past month.
>
> Thanks!
>
> Stephen
> PostgreSQL.Org Sysadmin team


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Christof Meerwald via mailop
On Sat, Sep 30, 2023 at 10:45:41PM +0200, Christof Meerwald wrote:
> On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop wrote:
> > On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:
> > > I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> > > right, can they?
> > > 
> > > https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> > 
> > https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1
> > 
> > gives a more plausible stat.
> 
> The question is how many of those exim servers are actually vulnerable.
> 
> My understanding (after looking a bit into these issues, but not
> having any inside knowledge) is that it heavily depends on your
> configuration and only a tiny percentage of servers will be affected
> (this includes CVE-2023-42115).

see https://www.mail-archive.com/exim-users@lists.exim.org/msg00526.html


Christof

-- 

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Christof Meerwald via mailop
On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop wrote:
> On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:
> > I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> > right, can they?
> > 
> > https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> 
> https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1
> 
> gives a more plausible stat.

The question is how many of those exim servers are actually vulnerable.

My understanding (after looking a bit into these issues, but not
having any inside knowledge) is that it heavily depends on your
configuration and only a tiny percentage of servers will be affected
(this includes CVE-2023-42115).


Christof

-- 

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org


Re: [mailop] Noticeable increase of spam emanating from Colocrossing?

2023-10-02 Thread Benny Pedersen via mailop
Jarosław Rafa via mailop wrote on 2023-10-02 11:38:

> Nobody takes UCEProtect seriously. Actually, it takes only a few
> spamming IPs in a wide IP range to get listed there. Many ISPs that are
> absolutely OK are listed in UCEProtect level 3.

Just use the dnswl and abusic welcome-list before the block-list; it should not
produce any rejects for welcome-listed IPs.

Order in the MTA stage matters.



Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Heiko Schlittermann via mailop
John Levine via mailop (Sat 30 Sep 2023 21:14:31 CEST):
> There seems to be significant disagreement about how serious these
> bugs are and whether they're really in Exim. The fact that the zeroday
> people didn't notice that libspf2 is a separate package makes it
> easy to believe that they're not all Exim bugs.

Indeed, there is one issue that looks like it should be filed against
libspf2. A PR is there, but I'm unsure if and how distros will integrate
this. Exim uses libspf2 as a shared lib, and relies on the version
installed locally.

https://github.com/shevek/libspf2/pull/44

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -



Re: [mailop] Noticeable increase of spam emanating from Colocrossing?

2023-10-02 Thread Jarosław Rafa via mailop
On Mon, 02.10.2023 at 11:23 +0200, user Marco M. via
mailop wrote:
> On 02.10.2023 at 06:54:51, Hans-Martin Mosner via mailop wrote:
> 
> > does anybody else see a noticeable increase of spam from Colocrossing
> > hosted IPs? I don't have hard data but my gut feeling is that the
> > number of attempts has increased by a significant amount during the
> > last few weeks.
> 
> http://www.uceprotect.net/de/l3charts.php
> 
> Listed in Level 3, so many, many spamming IPs are here.

Nobody takes UCEProtect seriously. Actually, it takes only a few
spamming IPs in a wide IP range to get listed there. Many ISPs that are
absolutely OK are listed in UCEProtect level 3.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."



Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread John Levine via mailop
It appears that Simon Arlott via mailop said:
>On 30/09/2023 08:50, Andrew C Aitchison via mailop wrote:
>> I see that there is an Exim release candidate out on test at the moment
>>https://lists.exim.org/lurker/message/20230926.174111.cb403675.en.html
>> but know nothing about whether it fixes any of these vulnerabilities.
>
>It doesn't fix the vulnerabilities. 

This says "Fixes are available in a protected repository and are ready to be
applied by the distribution maintainers."

https://seclists.org/oss-sec/2023/q3/254

There seems to be significant disagreement about how serious these
bugs are and whether they're really in Exim. The fact that the zeroday
people didn't notice that libspf2 is a separate package makes it
easy to believe that they're not all Exim bugs.

R's,
John


Re: [mailop] Noticeable increase of spam emanating from Colocrossing?

2023-10-02 Thread Marco M. via mailop
On 02.10.2023 at 06:54:51, Hans-Martin Mosner via mailop wrote:

> does anybody else see a noticeable increase of spam from Colocrossing
> hosted IPs? I don't have hard data but my gut feeling is that the
> number of attempts has increased by a significant amount during the
> last few weeks.

http://www.uceprotect.net/de/l3charts.php

Listed in Level 3, so many, many spamming IPs are here.


Re: [mailop] Recent increase in GMail 421-4.7.28 responses

2023-10-02 Thread Marco M. via mailop
On 30.09.2023 at 13:17:44, Stephen Frost via mailop wrote:

> "Our system has detected an unusual rate of unsolicited mail
> originating from your IP address."

Did anybody send spam via your lists?
Maybe also SEO in normal-looking messages.


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Eduardo Diaz Comellas via mailop
We use exim extensively. It is a software piece we learned to tune and 
love :)


It has a relatively good security history and allows a lot of 
customization.


Best regards

On 30/9/23 6:58, Jay R. Ashworth via mailop wrote:

> I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> right, can they?
>
> https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
>
> Hat tip: Lauren @ Privacy
>
> Cheers,
> -- jra


--

Eduardo Diaz Comellas ed...@ultreia.es
Ultreia Comunicaciones, S.L.  --- Tlf: 986243324

LEGAL NOTICE-LOPD To view the data protection policy, see
https://ultreia.es/aviso-legal/
ENVIRONMENT Before printing this email, consider whether it is necessary. The
environment is everyone's responsibility.


[mailop] Recent increase in GMail 421-4.7.28 responses

2023-10-02 Thread Stephen Frost via mailop
Greetings,

For about the past month we (PostgreSQL.Org mailing lists) have seen a
large increase in the number of 421-4.7.28 "Our system has detected an
unusual rate of unsolicited mail originating from your IP address."
responses when attempting to deliver to gmail.com addresses.  This is
creating a painful backlog of queued email for us, not to mention
gmail.com users having email from our lists delayed for hours and days
in some cases, something we've not had issue with for years prior to
this.

We are delivering from:

malur.postgresql.org has address 217.196.149.56
malur.postgresql.org has IPv6 address 2a02:16a8:dc51::56

Which is listed in https://www.dnswl.org/ as high trust, our mailing
list software specifically avoids DKIM corruption, we provide
List-Unsubscribe (along with other List-* headers), and all subscribers
have to go through a process of creating a postgresql.org account (with
email address verification as part of that process) before they can
subscribe to any of our lists.  We've also been delivering a similar
amount of email to gmail.com addresses for many years without this
issue.

We have seen some emails coming through which fail DKIM due to
over-signing of the List-* headers or incorrect DKIM configurations.
We've reached out to those individuals to work on correcting their DKIM
configurations and have implemented code changes to catch and moderate
and bounce back email that either fails DKIM or would fail it when
posted to our lists.  We're also working on removing email addresses
that have been bouncing back to us due to 'over quota' responses from
gmail for a long time (even though the 4xx codes would have one believe
that this is a situation which will eventually correct itself... we've
seen many cases where it doesn't for months...).  Based on our review of
GMail's documentation, however, these actions do not seem very likely to
actually change things.  We've also reviewed what GMail publishes
regarding reported spam from our IP and it's literally 0%.

Since implementing the changes described above a few days ago, very few
emails that fail DKIM have passed through our lists, the one exception
being a few Twitter emails going to closed lists with very few people on
them.  Ultimately, we feel fairly comfortable saying that whatever
changed a month ago certainly didn't seem to be due to these few DKIM
failing emails.

We're investigating other changes such as possibly spinning up a
separate dedicated server to deal with email destined for gmail.com (or
perhaps we'd move everything *else* to the new system/IP) but this is
certainly far from ideal when we have historically had a very smooth
running and fast system prior to this past month.

Thanks!

Stephen
PostgreSQL.Org Sysadmin team

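The "would fail DKIM when posted to our lists" check the PostgreSQL team describes above can be approximated by inspecting the h= tag of each DKIM-Signature: a signer that lists a List-* header name more often than the message carries it has signed that header's absence, so the list manager adding one invalidates the signature. The following is an added example, not the PostgreSQL.Org list code; it assumes the list prepends the header names in LIST_HEADERS (only List-Unsubscribe is named in the post) and it does no cryptographic verification, only header inspection.

```python
import email
from email import policy
from collections import Counter

# Headers the list software is assumed to add. List-Unsubscribe is the one the
# post names; the rest are assumptions for this example. They are also assumed
# to be prepended, which is how MTAs and most list managers add header fields.
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help",
                "List-Subscribe", "List-Archive")


def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into {tag: value}, discarding folding
    whitespace, which RFC 6376 permits inside tag values."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(value.split())
    return tags


def signed_header_counts(sig_value):
    """Count how often each header name is listed in the h= tag. A name
    listed more times than the message carries it is 'oversigned': the
    signer has signed its absence, so a copy added later breaks the signature."""
    h_tag = parse_dkim_tags(sig_value).get("h", "")
    return Counter(name.lower() for name in h_tag.split(":") if name)


def list_headers_that_would_break(raw_message, added=LIST_HEADERS):
    """Return the headers from `added` whose prepending would invalidate at
    least one DKIM signature on the message. Pure header inspection: no key
    lookup and no cryptographic verification is done here."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    present = Counter(name.lower() for name in msg.keys())
    breaking = set()
    for sig in msg.get_all("DKIM-Signature", []):
        signed = signed_header_counts(sig)
        for header in added:
            # More slots in h= than instances in the message means at least
            # one slot is bound to the empty string; a new copy would fill it.
            if signed[header.lower()] > present[header.lower()]:
                breaking.add(header)
    return sorted(breaking)


# Constructed sample message (not real mail); bh= and b= are placeholders.
OVERSIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; c=relaxed/relaxed;
 h=From:To:Subject:Date:Message-ID:List-Unsubscribe:List-Id;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Alice <alice@example.org>
To: some-list@example.net
Subject: constructed test message
Date: Mon, 02 Oct 2023 10:00:00 +0000
Message-ID: <one@example.org>

body
"""
# Same message, but from a signer that does not sign the List-* headers at all.
PLAIN = OVERSIGNED.replace(":List-Unsubscribe:List-Id", "")

if __name__ == "__main__":
    print(list_headers_that_would_break(OVERSIGNED))  # ['List-Id', 'List-Unsubscribe']
    print(list_headers_that_would_break(PLAIN))       # []
```

A message flagged here can be held for moderation or bounced before it reaches the list, which is the gate the post describes; a message that passes still needs a real DKIM verification, since a bad key or a modified body fails for reasons this check cannot see.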


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Bill Cole via mailop
On 2023-09-30 at 03:36:02 UTC-0400 (Sat, 30 Sep 2023 08:36:02 +0100 (BST))
Andrew C Aitchison via mailop is rumored to have said:

> On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:
>
> > I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> > right, can they?
> >
> > https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
>
> https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1
>
> gives a more plausible stat.

The discrepancy is almost certainly an artifact of Exim being used so
widely in cPanel.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[mailop] Noticeable increase of spam emanating from Colocrossing?

2023-10-02 Thread Hans-Martin Mosner via mailop

Hi,

does anybody else see a noticeable increase of spam from Colocrossing hosted IPs? I don't have hard data but my gut
feeling is that the number of attempts has increased by a significant amount during the last few weeks.


Cheers,
Hans-Martin


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Carsten Schiefner via mailop

On 30.09.2023 10:35, Carsten Schiefner via mailop wrote:

> [...]
>
> But would you happen to have any more details wrt. the withholding and
> the 50%?

[Link to https://seclists.org/oss-sec/2023/q3/254]

Thanks, Simon & Andrew!