Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Marco via mailop 
Am 10.11.2023 22:27 schrieb Jaroslaw Rafa via mailop:

> Dnia 10.11.2023 o godz. 21:09:31 Louis Laureys via mailop pisze:
> > You can probably tell from my wording how I feel about this. I get
> > the battery efficiency part. Not the part where ActiveSync has an
> > exception to it, and their own battery efficient IDLE alternative
> > is not accessible to most. Let alone the fact that has caused
> > basically all third party emails to just capture your credentials.  
> 
> I don't understand, why the push notifications cannot work
> independently of IMAP?

It would be possible, but that needs to be polled (SPI firewalls, NAT
etc. need at least hole-punching).
Companies like MS or Apple don't look for such a solution when the
users accept that they have their credentials.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Jaroslaw Rafa via mailop 
Dnia 10.11.2023 o godz. 21:09:31 Louis Laureys via mailop pisze:
> You can probably tell from my wording how I feel about this. I get the battery
> efficiency part. Not the part where ActiveSync has an exception to it, and 
> their
> own battery efficient IDLE alternative is not accessible to most. Let alone 
> the
> fact that has caused basically all third party emails to just capture your
> credentials.

I don't understand, why the push notifications cannot work independently of
IMAP? I mean, there is a mechanism to get push notifications from any website
via the browser, you just go to website and subscribe to these notifications
(at least you can on Android, I don't know if it's the same on iOS).

So in theory, there could be a very simple website on the mail provider's
server, where you log in with your credentials and then just subscribe to
push notifications. You can log out after that. Then whenever a mail message
comes in, that website sends you a push notification.

(Actually, I have a "poor man's" version of this implemented on my mail
server for some selected important emails - when one of these emails comes
in, a script on the server simply sends me a SMS notification using my phone
provider's email-to-SMS gateway).

And for the IMAP client, you fire it up only when you want to actually read
or send mail. It doesn't need to keep any idle connections.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Louis Laureys via mailop 
Yeah, on iOS if it has instant notifications, and it's not the built-in Mail app
or a first party app of your service, it has to have phoned home the
credentials. There isn't really any way around it, the only long living
connection they allow is their own notification system. For some reason they
also decided to allow it for Exchange ActiveSync, because enterprise I guess?

They also have some custom stuff that will make instant notifications work in
their standard email client, which also uses their notification system in the
background. It needs a certificate, and by the book you can only get one as a
large service provider with good contacts at apple, or if you have an old
version of OSX server (not sure if that works anymore). Cyrus has it for
example, but also notes Apple has only licensed Yahoo and Fastmail to use it:
https://www.cyrusimap.org/imap/concepts/features/event-notifications.html#imap-features-event-notifications-applepushservice

You can probably tell from my wording how I feel about this. I get the battery
efficiency part. Not the part where ActiveSync has an exception to it, and their
own battery efficient IDLE alternative is not accessible to most. Let alone the
fact that has caused basically all third party emails to just capture your
credentials. I don't blame the apps in this case, I blame Apple. In this case
it's just Microsoft reusing Outlook web, which was designed to only work with
their own backend and not with other IMAP implementations in mind. We can safely
blame the app in this case :)


Louis


Op vrijdag 10 november 2023 om 20:53, schreef Carsten Schiefner via mailop
:

> Interesting, Louis - ...
> 
> On 10.11.2023 20:30, Louis Laureys via mailop wrote:
> > The fact that it transfers all of your messages is new (to me), the > whole
> transferring of credentials has been the standard for almost all > mobile
> email clients as on ios you can't keep an imap connection open > for instant
> notifications. On android you can, but only after hunting > for all the
> battery saving settings and turning them off for the app. So > your
> credentials will be sent to the server, so it can use the > platforms'
> notification channel instead. I think I've ever seen an app > warn me that
> they will be storing my credentials in their cloud, but > they do.
> 
> ... I have not been aware of the fact that *ALL* apps actually might be doing
> this.
> 
> It was just recently that I looked for alternative iOS mail apps - and
> "phoning home" credentials got noted only for the Spark app.
> 
> Thanks & best,
> 
> -C.
> 
> > Op vrijdag 10 november 2023 om 16:54, schreef Carsten Schiefner via > mailop
> :
> > > Folks,
> > > sort of triggered by Benoit's recent and absolutely spot-hitting
> > rant about Microsoft's inability resp. unwillingness to
> > appropriately deal with spam complaints, I thought I should share
> > this article:
> > > Microsoft lays hands on login data: Beware of the new Outlook
> >
> https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html
> [https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html]
>  [https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html]>
> > > with you.
> > > Although it is not strictly related to email service providers'
> > operations, I wonder about the unintended resp. unwanted side
> > effects wrt. email operations it could have that you have to
> > involuntarily hand off your credentials to a third party.
> > > So, your account got hacked and you happen to use such an Outlook
> > version: where was the leak? On your end? Or on Microsoft's?
> > > Opinions?
> > > Best,
> > > -C.
> > ___
> > mailop mailing list
> > mailop@mailop.org [mailop@mailop.org]  [mailop@mailop.org]>
> > https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]
> >  [https://list.mailop.org/listinfo/mailop]>
> ___
> mailop mailing list
> mailop@mailop.org [mailop@mailop.org]
> https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Carsten Schiefner via mailop 

Interesting, Louis - ...

On 10.11.2023 20:30, Louis Laureys via mailop wrote:
The fact that it transfers all of your messages is new (to me), the 
whole transferring of credentials has been the standard for almost all 
mobile email clients as on ios you can't keep an imap connection open 
for instant notifications. On android you can, but only after hunting 
for all the battery saving settings and turning them off for the app. So 
your credentials will be sent to the server, so it can use the 
platforms' notification channel instead. I think I've ever seen an app 
warn me that they will be storing my credentials in their cloud, but 
they do.


... I have not been aware of the fact that *ALL* apps actually might be 
doing this.


It was just recently that I looked for alternative iOS mail apps - and 
"phoning home" credentials got noted only for the Spark app.


Thanks & best,

-C.

Op vrijdag 10 november 2023 om 16:54, schreef Carsten Schiefner via 
mailop :


Folks,

sort of triggered by Benoit's recent and absolutely spot-hitting
rant about Microsoft's inability resp. unwillingness to
appropriately deal with spam complaints, I thought I should share
this article:

Microsoft lays hands on login data: Beware of the new Outlook

https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html
 


with you.

Although it is not strictly related to email service providers'
operations, I wonder about the unintended resp. unwanted side
effects wrt. email operations it could have that you have to
involuntarily hand off your credentials to a third party.

So, your account got hacked and you happen to use such an Outlook
version: where was the leak? On your end? Or on Microsoft's?

Opinions?

Best,

-C.
___
mailop mailing list
mailop@mailop.org 
https://list.mailop.org/listinfo/mailop


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Louis Laureys via mailop 
The fact that it transfers all of your messages is new (to me), the whole
transferring of credentials has been the standard for almost all mobile email
clients as on ios you can't keep an imap connection open for instant
notifications. On android you can, but only after hunting for all the battery
saving settings and turning them off for the app. So your credentials will be
sent to the server, so it can use the platforms' notification channel instead. I
think I've ever seen an app warn me that they will be storing my credentials in
their cloud, but they do.


Op vrijdag 10 november 2023 om 16:54, schreef Carsten Schiefner via mailop
:

> Folks,
> 
> sort of triggered by Benoit's recent and absolutely spot-hitting rant about
> Microsoft's inability resp. unwillingness to appropriately deal with spam
> complaints, I thought I should share this article:
> 
> Microsoft lays hands on login data: Beware of the new Outlook
> https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html
> [https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html]
> 
> with you.
> 
> Although it is not strictly related to email service providers' operations, I
> wonder about the unintended resp. unwanted side effects wrt. email operations
> it could have that you have to involuntarily hand off your credentials to a
> third party.
> 
> So, your account got hacked and you happen to use such an Outlook version:
> where was the leak? On your end? Or on Microsoft's?
> 
> Opinions?
> 
> Best,
> 
> -C.
> ___
> mailop mailing list
> mailop@mailop.org [mailop@mailop.org]
> https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Marco Moock via mailop 
Am 10.11.2023 um 17:08:33 Uhr schrieb Andrew C Aitchison via mailop:

> Is this new Microsoft version significantly different ?

It is because it isn't that clear like the "import" feature of gmail
for the user.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Carsten Schiefner via mailop 

Hi Andrea & all -

On 10.11.2023 18:08, Andrew C Aitchison via mailop wrote:

Microsoft lays hands on login data: Beware of the new Outlook
https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html
with you.

   ...  ...
So, your account got hacked and you happen to use such an Outlook 
version: where was the leak? On your end? Or on Microsoft's?


Opinions?


How much of this is new ?


It was to me at least - I have not yet been aware of this:


For over a decade you have had the option of downloading
your other email accounts into Gmail (via IMAP I think)
do that you could work on them in one place.
I believe it was reasonably obvious that this gave Gmail
your password etc. and whilst I told my users not to do it
(especially as this was also their local desktop login)
I don't think anybody panicked.


Gmail "feature".


Is this new Microsoft version significantly different ?


In the light of the above: probably not.

I have read that Spark, an email app for iOS, does a similar trick with 
IMAP credentials.


Then again, this is probably just a small issue as any third party email 
app for iOS is a niche product as the vast majority of users will use 
Apple's iOS Mail app as this comes on-board as the default.


Now, with Outlook... Oh, wait: what again comes as an on-board default 
on any MS Windows installation?


Best,

-C.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Andrew C Aitchison via mailop 

On Fri, 10 Nov 2023, Carsten Schiefner via mailop wrote:


Folks,

sort of triggered by Benoit's recent and absolutely 
spot-hitting rant about Microsoft's inability resp. 
unwillingness to appropriately deal with spam complaints, I 
thought I should share this article:


Microsoft lays hands on login data: Beware of the new 
Outlook

https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html
with you.

  ...  ...
So, your account got hacked and you happen to use such an 
Outlook version: where was the leak? On your end? Or on 
Microsoft's?


Opinions?


How much of this is new ?

For over a decade you have had the option of downloading
your other email accounts into Gmail (via IMAP I think)
do that you could work on them in one place.
I believe it was reasonably obvious that this gave Gmail
your password etc. and whilst I told my users not to do it
(especially as this was also their local desktop login)
I don't think anybody panicked.

Is this new Microsoft version significantly different ?

The big question is, will Outlook use (X)OAuth2 or
OAuth to access these external (to MS) accounts,
as they ask Thunderbird, alpine, mutt and fetchmail
to do to access Microsoft-hosted mailboxes ?

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Francois Petillon via mailop 

On 11/10/23 16:54, Carsten Schiefner via mailop wrote:
sort of triggered by Benoit's recent and absolutely spot-hitting rant about 
Microsoft's inability resp. unwillingness to appropriately deal with spam 
complaints, I thought I should share this article:

Microsoft lays hands on login data: Beware of the new Outlook
https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html


I think we have noticed that at least in February (due to accounts blocked as 
they were considered to be compromised). Last April, I have sent an email about 
this subject to two "contacts" I have at Microsoft but I had no answer.


Although it is not strictly related to email service providers' operations, I 
wonder about the unintended resp. unwanted side effects wrt. email operations it 
could have that you have to involuntarily hand off your credentials to a third 
party.


What we have seen here is Microsoft IPs connecting to mailboxes using IMAP. 
These connections seemed to be uncorrelated from real users connections (graphs 
looked mostly flat) and Microsoft did not really care about credentials 
validity. At one point, one of their IPs was flagged as fraudulent (?) and we 
started to block accounts. This started a snowball effect (authentications on 
blocked accounts were failing, so reputation of their IPs was decreasing and 
more accounts were blocked).


François
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Marco M. via mailop 
Am 10.11.2023 um 16:54:00 Uhr schrieb Carsten Schiefner via mailop:

> So, your account got hacked and you happen to use such an Outlook 
> version: where was the leak? On your end? Or on Microsoft's?

I really don't know how people who are working in IT security can
use software form such a company.
I my opinion, it is a completely no-no what MS does and did in the last
years.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] Microsoft lays hands on login data: Beware of the new Outlook

2023-11-10 Thread Carsten Schiefner via mailop 

Folks,

sort of triggered by Benoit's recent and absolutely spot-hitting rant 
about Microsoft's inability resp. unwillingness to appropriately deal 
with spam complaints, I thought I should share this article:


Microsoft lays hands on login data: Beware of the new Outlook
https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html

with you.

Although it is not strictly related to email service providers' 
operations, I wonder about the unintended resp. unwanted side effects 
wrt. email operations it could have that you have to involuntarily hand 
off your credentials to a third party.


So, your account got hacked and you happen to use such an Outlook 
version: where was the leak? On your end? Or on Microsoft's?


Opinions?

Best,

-C.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] Microsoft Abuse Desk - we NEED to talk! (regarding 2a01:111:f403:2e1b::800 and other IP Addresses)

2023-11-10 Thread Benoît Panizzon via mailop 
Dear Microsoft Abuse Desk

(PS: Mailop list, feel free to forward this to your personal contacts @
microsoft).

Since months, I am trying to contact Microsoft regarding the increasing
number of spam incidents we observe and how Microsoft handles them.

The various Microsoft email addresses I was in contact with and from
which I know they are active and being read, never bother to reply.

The Situation has been escalated to the Microsoft Technical-Sales Team
Switzerland. I learned, they know about the issue, but face the same
problem, they feel like being a foreign company within Microsoft,
having many customer pressing them about similar issues, but not
being able to reach anyone internally who would take care of those
issues. Microsoft is apparently only interested in selling services,
not in maintaining them.

2a01:111:f403:2e1b::800 sent about 50 Spam Mails in October! Either to
Spam-Taps or being reported by our customers.

Yes, I have evidences in a database. I can show them. There is no doubt
this are real spam mails, not false positives. Either phished Microsoft
Accounts or Microsoft customers deliberately sending spam.

So yes, this IP is blacklisted in the SWINOG Anti-Spam Blacklist, which
we operate and which some ISP use as part to classify if emails are spam
or not.

And of course, this causes some legitimate email being classified as
spam and being rejected.

The Microsoft customer whose email are affected by this are told to
contact Microsoft Customer Service. I send them the link to the
evidence emails we got in our database, showing this is spam, fully
disclosed with sender and recipients!

So why is Microsoft still:

* Not solving the issue!
* Refuse to communicate with us!
* Telling their customer about us maliciously disrupting their
  legitimate email service.

I would be very glad to get hold of anyone at Microsoft, who could look
at the current issue and try to explain to me, how they are handling
this.

-- 
Mit freundlichen Grüssen

-Benoît Panizzon- @ HomeOffice und normal erreichbar
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop