Re: [mailop] Phishing hosted by Cloudflare-ipfs.com / Abuse Handled by Sparkpostmail.com?

2024-05-13 Thread Michael Irvine via mailop
This is normally an issue when it comes to SaaS solutions offering a free trial 
that happens to allow outbound email sending. Scammers will use it as many tend 
to trust the source. This is true for many senders as I still get at least 1-3 
fake document shares a week on my personal Google account. 

Thanks,
 
Michael Irvine 

-Original Message-
From: mailop  On Behalf Of Benoit Panizzon via mailop
Sent: Monday, May 13, 2024 10:05
To: mailop@mailop.org
Subject: [mailop] Phishing hosted by Cloudflare-ipfs.com / Abuse Handled by 
Sparkpostmail.com?


Hi all

Our customers increasingly get phishing emails targeting our email platform 
accessible under the domain: Cloudflare-ipfs.com (interplanetary file system, I 
guess that is their name for CNS).

I reported some of those to the cloudflare abuse desk.

To my surprise, after usually 1 or two days I get replies From:
"Cloudflare"  about them blocking some of the single 
URLs we report.

So is sparkpostmail.com linked to cloudflare?

Unfortunately the basic issue is not being addressed. The phishers seem to be 
able to generate new URIs under cloudflare-ipfs.com much faster than 
ab...@sparkpostmail.com is able to block them.

Even SpamAssassin now has a rule matching those:

URI_CLOUDFLAREIPFS References Interplanetary File System PtP
content via CloudFlare, likely phishing

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G  -  Leiter Commerce Kunden
__

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Schweiz                Web  http://www.imp.ch
__
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Phishing hosted by Cloudflare-ipfs.com / Abuse Handled by Sparkpostmail.com?

2024-05-13 Thread Faisal Misle via mailop
I know Cloudflare uses Sparkpost's infra to send replies from their 
abuse desk system, which is likely what you're seeing.


Received: from mta-87-157.sparkpostmail.com ([192.174.87.157])
by safari.mxrouting.net with esmtps  (TLS1.2) tls 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(Exim 4.96-58-g4e9ed49f8)

(envelope-from)
id 1roj7P-0002sE-3D
Subject: [a765c4b07061f747] Cloudflare: Abuse report confirmation

On 5/13/24 5:04 PM, Benoit Panizzon via mailop wrote:

> Hi all
>
> Our customers increasingly get phishing emails targeting our email
> platform accessible under the domain: Cloudflare-ipfs.com
> (interplanetary file system, I guess that is their name for CNS).
>
> I reported some of those to the cloudflare abuse desk.
>
> To my surprise, after usually 1 or two days I get replies From:
> "Cloudflare"  about them blocking some of the
> single URLs we report.
>
> So is sparkpostmail.com linked to cloudflare?
>
> Unfortunately the basic issue is not being addressed. The phishers
> seem to be able to generate new URIs under cloudflare-ipfs.com much
> faster than ab...@sparkpostmail.com is able to block them.
>
> Even SpamAssassin now has a rule matching those:
>
> URI_CLOUDFLAREIPFS References Interplanetary File System PtP
>  content via CloudFlare, likely phishing
>
> Kind regards
>
> -Benoît Panizzon-


[mailop] Phishing hosted by Cloudflare-ipfs.com / Abuse Handled by Sparkpostmail.com?

2024-05-13 Thread Benoit Panizzon via mailop
Hi all

Our customers increasingly get phishing emails targeting our email
platform accessible under the domain: Cloudflare-ipfs.com
(interplanetary file system, I guess that is their name for CNS).

I reported some of those to the cloudflare abuse desk.

To my surprise, after usually 1 or two days I get replies From:
"Cloudflare"  about them blocking some of the
single URLs we report.

So is sparkpostmail.com linked to cloudflare?

Unfortunately the basic issue is not being addressed. The phishers
seem to be able to generate new URIs under cloudflare-ipfs.com much
faster than ab...@sparkpostmail.com is able to block them.

Even SpamAssassin now has a rule matching those:

URI_CLOUDFLAREIPFS References Interplanetary File System PtP
content via CloudFlare, likely phishing

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G  -  Leiter Commerce Kunden
__

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Schweiz                Web  http://www.imp.ch
__
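
The message above describes blocking single reported URLs while new ones keep appearing under the same gateway domain. The following Python sketch is an added illustration, not code from the thread and not SpamAssassin's rule: it compares an exact-URL blocklist with a host-level match on cloudflare-ipfs.com. The sample message, the EXAMPLECID values and all function names are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

GATEWAY = "cloudflare-ipfs.com"  # gateway domain named in the thread
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(raw_message):
    """Return every http(s) URL found in the text parts of a message."""
    urls = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(text))
    return urls

def on_gateway(url, gateway=GATEWAY):
    """True if the URL's host is the gateway domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host == gateway or host.endswith("." + gateway)

def classify(raw_message, blocked_urls):
    """Compare exact-URL blocking with host-level matching for one message."""
    urls = extract_urls(raw_message)
    return {
        "url_blocklist_hits": [u for u in urls if u in blocked_urls],
        "gateway_hits": [u for u in urls if on_gateway(u)],
    }

# Constructed sample: one gateway link with a content ID that was never
# reported, plus a look-alike host that must not be treated as the gateway.
SAMPLE = """\
From: "Webmail Support" <support@example.net>
To: user@example.org
Subject: Mailbox storage full
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p><a href="https://Cloudflare-IPFS.com/ipfs/EXAMPLECID2/login.html">Verify</a></p>
<p>Help: https://cloudflare-ipfs.com.example.net/help</p>
"""
# Constructed blocklist holding only a previously reported URL.
BLOCKED = {"https://cloudflare-ipfs.com/ipfs/EXAMPLECID1/login.html"}

if __name__ == "__main__":
    print(classify(SAMPLE, BLOCKED))
```

The exact-URL list misses the new link because only its path changed, while the host comparison still matches it and ignores the look-alike domain.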


Re: [mailop] Someone at Google (GSuite) with a clue?

2024-05-13 Thread Aaron C. de Bruyn via mailop
While it was a groups permission issue, the GSuite logs for GMail do *not*
show anything about a permission problem.  See attached photo (if the list
supports attached photos).

-A

On Mon, May 13, 2024 at 5:42 AM Faisal Misle via mailop 
wrote:

> Also worth noting that it was not rejected at the SMTP stage because the
> email address was valid. Google does not check for permissions to post to
> the Group until after it has accepted and processed the message, hence the
> delayed NDR. The Google rep also may not have had access to group details
> to check for permissions.
>
> Can't speak about the logs, it's been a while since I managed a Google
> Workspace deployment, but I would've guessed the logs would've shown the
> permission issue & bounce?
> On 5/11/24 2:56 AM, Aaron C. de Bruyn via mailop wrote:
>
> The sending email is a no-reply.
> Google accepts the message with a 2xx and then logs a bounce in gsuite
> with no info.
>
> Someone at Google replied off-list. Apparently it was a group permission
> issue, but the GSuite logs don't give a reason, just that it bounced.
>
> And their chat support couldn't figure it out in 3 hours of chatting.
>
> -A
>
> On Fri, May 10, 2024, 16:17 Graeme Fowler via mailop 
> wrote:
>
>> You said:
>> > then there's a bounce
>>
>> and then:
>>
>>>  GMail is accepting our messages, then silently junking them.
>>>
>>
>> So... Which of these is correct? They can't both be.
>>
>> Graeme


Re: [mailop] Sudden TSS04's From Yahoo/AOL Early This Morning

2024-05-13 Thread Michael E. Weisel via mailop
Thanks Mike and Faisal for the reply, I did open a ticket after I sent this 
message earlier and am waiting for a response.



Thanks,

Michael

Michael E. Weisel
CTO / Deliverability Lead
Gold Lasso
(301) 990-9857 Corporate
(240) 813-0174 Direct Dial


From: Mike Hillyer 
Date: Monday, May 13, 2024 at 10:15 AM
To: Michael Weisel 
Cc: "mailop@mailop.org" 
Subject: Re: [mailop] Sudden TSS04's From Yahoo/AOL Early This Morning

The possibility of it being an issue at Yahoo! is why you should open a ticket, 
it allows them to investigate whether they have a false positive.

Mike
Mike Hillyer
Co-Founder
443-472-7226

Let's Meet: https://cal.com/mike-kumomta/meet



On Mon, May 13, 2024 at 8:06 AM Michael E. Weisel via mailop 
<mailop@mailop.org> wrote:
Good morning Mailop friends.  One of our clients suddenly started seeing 
TSS04’s early this morning.  I haven’t opened a ticket yet in case this was an 
issue at Yahoo like happened a few months back.  Anyone else seeing similar 
issues this morning?   Nothing changed with their sending so not sure what may 
have triggered this.  If possible could someone reach out to me off list?



Thanks,

Michael

Michael E. Weisel
CTO / Deliverability Lead
Gold Lasso
(301) 990-9857 Corporate
(240) 813-0174 Direct Dial



Re: [mailop] Sudden TSS04's From Yahoo/AOL Early This Morning

2024-05-13 Thread Mike Hillyer via mailop
The possibility of it being an issue at Yahoo! is why you should open a
ticket, it allows them to investigate whether they have a false positive.

Mike

Mike Hillyer
Co-Founder
443-472-7226

Let's Meet: https://cal.com/mike-kumomta/meet



On Mon, May 13, 2024 at 8:06 AM Michael E. Weisel via mailop <
mailop@mailop.org> wrote:

> Good morning Mailop friends.  One of our clients suddenly started seeing
> TSS04’s early this morning.  I haven’t opened a ticket yet in case this was
> an issue at Yahoo like happened a few months back.  Anyone else seeing
> similar issues this morning?   Nothing changed with their sending so not
> sure what may have triggered this.  If possible could someone reach out to
> me off list?
>
> Thanks,
>
> Michael
>
> Michael E. Weisel
> CTO / Deliverability Lead
> Gold Lasso
> (301) 990-9857 Corporate
> (240) 813-0174 Direct Dial
>


Re: [mailop] Sudden TSS04's From Yahoo/AOL Early This Morning

2024-05-13 Thread Faisal Misle via mailop
I am of the opinion you should still submit a ticket - their team will 
have more information as to why it was flagged and if it was a false 
positive.


On 5/13/24 1:46 PM, Michael E. Weisel via mailop wrote:

> Good morning Mailop friends.  One of our clients suddenly started
> seeing TSS04’s early this morning.  I haven’t opened a ticket yet in
> case this was an issue at Yahoo like happened a few months back.
> Anyone else seeing similar issues this morning?   Nothing changed with
> their sending so not sure what may have triggered this.  If possible
> could someone reach out to me off list?
>
> Thanks,
>
> Michael
>
> Michael E. Weisel
> CTO / Deliverability Lead
> Gold Lasso
> (301) 990-9857 Corporate
> (240) 813-0174 Direct Dial




Re: [mailop] Someone at Google (GSuite) with a clue?

2024-05-13 Thread Faisal Misle via mailop
Also worth noting that it was not rejected at the SMTP stage because the 
email address was valid. Google does not check for permissions to post 
to the Group until after it has accepted and processed the message, 
hence the delayed NDR. The Google rep also may not have had access to 
group details to check for permissions.


Can't speak about the logs, it's been a while since I managed a Google 
Workspace deployment, but I would've guessed the logs would've shown the 
permission issue & bounce?


On 5/11/24 2:56 AM, Aaron C. de Bruyn via mailop wrote:

> The sending email is a no-reply.
> Google accepts the message with a 2xx and then logs a bounce in
> gsuite with no info.
>
> Someone at Google replied off-list. Apparently it was a group
> permission issue, but the GSuite logs don't give a reason, just that
> it bounced.
>
> And their chat support couldn't figure it out in 3 hours of chatting.
>
> -A
>
> On Fri, May 10, 2024, 16:17 Graeme Fowler via mailop wrote:
>
>> You said:
>> > then there's a bounce
>>
>> and then:
>>
>>>  GMail is accepting our messages, then silently junking them.
>>
>> So... Which of these is correct? They can't both be.
>>
>> Graeme


[mailop] Sudden TSS04's From Yahoo/AOL Early This Morning

2024-05-13 Thread Michael E. Weisel via mailop
Good morning Mailop friends.  One of our clients suddenly started seeing 
TSS04’s early this morning.  I haven’t opened a ticket yet in case this was an 
issue at Yahoo like happened a few months back.  Anyone else seeing similar 
issues this morning?   Nothing changed with their sending so not sure what may 
have triggered this.  If possible could someone reach out to me off list?



Thanks,

Michael

Michael E. Weisel
CTO / Deliverability Lead
Gold Lasso
(301) 990-9857 Corporate
(240) 813-0174 Direct Dial



[mailop] Breaking DKIM and BIMI in 2024 (with 16y old CVE-2008-0166)

2024-05-13 Thread Lukas Tribus via mailop
Hey list,

it looks like CVE-2008-0166 affected DKIM keys are still out there:

https://16years.secvuln.info/


lukas