Re: [mailop] UCEPROTECT L2 fact

2023-05-22 Thread Andreas Ziegler via mailop
uceprotect is (or was?) quite common around german municipalities and 
other government agencies.


maybe some appliance they are/were using included this list by default?

Regards
Andreas


Slavko via mailop wrote on 14.05.23 12:47:

Hi,

i read multiple times, from multiple sources about UCEPROTECT
BL, how it is suspicious, etc...

Recently i got notification from ShadowServer, that i am on
blacklist, in particular on UCEPROTECT-L2 BL, which AFAIK
blocks whole networks as announced by ASN. Thus i was curious,
what happens around me.

Today UCEPROTECT reports 32 incidents for /22 net. We can
discuss if 32 is enough for blocking whole network block or
not, but OK -- 32 incidents is over their policy... But all these
32 incidents were generated by 1 (one) IP! In other words,
one IP is enough for UCEPROTECT to block whole /22 network.

Now i really can know how wrong is this BL (and no, i never
used it, i even removed it from my check script)...

I am not very interested in that list, nor in how bad that RBL
is, but i am curious: is someone (bigger than personal) using
it? Or do you know someone who is using it? What is/can be
the reason to use it?

thanks



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Hetzner

2023-02-07 Thread Andreas Ziegler via mailop

Atro and everyone else blaming Hetzner for their abuse handling:

what is your data that shows hetzner being worse than others in this field?
does this data put in relation the size of the provider (number of 
IPs/servers/customers) ?


hetzner has grown big and in absolute numbers it's clear that the number 
of abuse is big - but only relative numbers are fair to compare!


-- Andreas


Atro Tossavainen via mailop wrote on 07.02.23 16:57:

Ever been on the receiving end of a retaliatory abuse complaint?


Yup, that too.


As a Hetzner customer I expect some trust in the company I pay money
to,


As do I, as a Hetzner customer.


that they'll give me a chance to face my accuser and fix the
problem if there is one, or give a response as to why I shouldn't
have to if there isn't a problem.


I, too, expect to be told what the nature of the problem is.

Where the report comes from should be completely irrelevant.

I frequently don't bother with complaints of abuse to Hetzner because
I get back the autoreply that states I am expected to OK them forwarding
it verbatim to the spammer. Most of the spammers I would complain about
are not the hijacked systems but the dedicated ones.


There are two sides to every story, surprisingly companies aren't
keen to just kick all of their customers out by third party demand,
on demand.


Not expecting shooting on sight, as already said. Some safety measures
would be nice though, such as not outsourcing the ToSsing of spammers
to the spammers themselves.





Re: [mailop] Any reason to NOT block the entire .cam domain?

2022-05-27 Thread Andreas Ziegler via mailop
Sorry, but this strategy looks more like some hobbyist hosting the 
server for himself and his friends.


Some of the TLDs you simply block are used by people i know for 
legitimate purposes, let alone by all the people i don't know.


Scoring messages by the TLD, ok, i do that, too - but an immediate block 
is really crazy for most of them.


Andreas


Sebastian Nielsen via mailop wrote on 27.05.22 20:06:

I block a lot of these pieces of shit domains, including .cam:

   deny
     message = 5.7.1 Banned TLD in MAIL FROM
     sender_domains = ^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|casa|christmas|click|club|college|computer|country|cricket|date|design|download|exposed|email|fail|faith|fit|fun|gdn|global|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)\$

And also in acl_data:

   deny
     message = 5.7.1 Banned TLD in MIME From
     condition = ${if match {$h_from:}{^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|casa|cars|christmas|click|club|college|computer|country|cricket|date|design|download|exposed|email|fail|faith|fit|fun|gdn|global|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)>\$}{yes}{no}}


There you have 2 nice blocklists to use in EXIM.

-----Original Message-----
From: Anne Mitchell via mailop 
Sent: 27 May 2022 20:03
To: Hans-Martin Mosner via mailop 
Subject: [mailop] Any reason to NOT block the entire .cam domain?

We've started getting a fair amount of spam from .cam domains; in fact they all look the 
same, using the same HTML template with the same body format, but from different .cam 
domain for different 'businesses', so I suspect that one operation is selling "email 
marketing" packages to clients and setting it up for them, especially as they all 
are sending through their own domains, and, let's face it, these sorts of spammers 
usually don't know how to set up their own MX, etc.. rather than spamming through Google 
or Outlook.

They are all coming from:

77.73.131.0/24
185.221.66.0/24

they share:

mnt-routes: ashitt
mnt-domains:ashitt
mnt-by: ashitt

A few sample domains are:

stretchch.cam
inogenosx.cam
securetho.cam
livingcois.cam

I have a body of about 20 now (I'm sure I deleted many more) that are all clearly set up 
by the same entity, for/from different "businesses" using their own domains, so 
it's clearly a spam factory (they are almost certainly including a mailing list with the 
setup). Full samples available upon request.

Anyways, can anyone think of a single reason to *not* block all of .cam?

Or, hey, to not get these IPs listed? ;-)

P.S.  Aaah, a TLD that can be, in quick-glance, mistaken for .com; good 
thinking!

Anne

--
Anne P. Mitchell, Attorney at Law
CEO ISIPP SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus: Mail Abuse Prevention System (MAPS) (now the anti-spam arm of TrendMicro)

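
The two Exim rules quoted in the message above can be checked offline before deployment. The following Python sketch is an added example, not code from any poster in the thread; it uses an abbreviated subset of the posted TLD list and constructed sample inputs (only stretchch.cam appears in the thread) to show which names the pattern catches, including the reach of the `xn--.*` alternative.

```python
import re

# Abbreviated subset of the alternation posted above (assumption: the full
# list behaves the same way; only the members exercised below are kept).
TLDS = "berlin|cam|email|london|us|xn--.*"

# After Exim string expansion "\\." is "\." and "\$" is "$". The inline "(?i)"
# becomes re.IGNORECASE because Python rejects flags placed after "^".
SENDER_RE = re.compile(r"^.*\.(" + TLDS + r")$", re.IGNORECASE)
FROM_RE = re.compile(r"^.*\.(" + TLDS + r")>$", re.IGNORECASE)


def sender_domain_blocked(domain):
    """Mirror the sender_domains test on the envelope sender's domain."""
    return SENDER_RE.search(domain) is not None


def mime_from_blocked(header_value):
    """Mirror the match on $h_from: (Exim trims surrounding white space)."""
    return FROM_RE.search(header_value.strip()) is not None


# Constructed sample inputs; only stretchch.cam appears in the thread.
SAMPLE_DOMAINS = [
    "stretchch.cam",            # reported spam source
    "EXAMPLE.CAM",              # case-insensitive match
    "example.camp",             # different TLD, "$" anchor prevents a match
    "rathaus.example.berlin",   # city TLD on the list
    "example.us",               # country-code TLD on the list
    "mail.xn--mnchen-3ya.de",   # IDN label under .de, caught by "xn--.*"
    "xn--mnchen-3ya.de",        # same label with no dot in front of it
    "example.com",
]

SAMPLE_FROM = [
    '"Offers" <news@stretchch.cam>',
    "news@stretchch.cam",       # bare addr-spec: rule expects a closing ">"
    "<info@mail.xn--mnchen-3ya.de>",
]


def audit():
    """Return (envelope verdicts, header verdicts) for the samples."""
    envelope = {d: sender_domain_blocked(d) for d in SAMPLE_DOMAINS}
    header = {h: mime_from_blocked(h) for h in SAMPLE_FROM}
    return envelope, header


if __name__ == "__main__":
    for table in audit():
        for value, blocked in table.items():
            print(f"{'DENY ' if blocked else 'allow'}  {value}")
```

The `mail.xn--mnchen-3ya.de` result shows that the `xn--.*` alternative is not limited to the TLD position: it matches any name that has a punycode label after a dot, whatever the TLD.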


Re: [mailop] Any Proofpoint contact on list?

2018-11-26 Thread Andreas Ziegler
Hello,

add me to the list of people searching for a proofpoint contact...

we filled out their delisting form three times over the last two months
and got no reply whatsoever. the IP stays listed ofc...

Regards

Andreas

Vytis Marčiulionis wrote on 26.11.18 at 13:20:
> Hello, 
> 
> We have an ongoing issue with Proofpoint where emails bounce due to "IP
> address is listed" error but when we check the provided link it says
> that IP address is fine. I have tried filling in contact forms, sending
> mails to different default addresses and one contact I've got from
> M3AAWG meeting in Lisbon. Nothing helped, even the sales agent, with
> whom we were discussing to try their solution for service providers,
> disappeared somewhere. 
> 
> If anyone from Proofpoint is here, please contact me off-list. We would
> like to understand what that error means and how we could resolve it
> completely. 
> -- 
> Best regards,
> 
> Vytis Marčiulionis
> Email Deliverability Manager
> Mailerlite.com
> vy...@mailerlite.com 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
> 



Re: [mailop] IPs blacklisted with Microsoft

2017-11-02 Thread Andreas Ziegler
Hi Michael,

we also have a similar case ( SRX1402507373ID )

We acted like you suggested many times, the subnet also doesn't show any
problems in SNDS and there were no JMRP mails.

nevertheless, the robot didn't mitigate the issue and our manual
response didn't trigger any action from "your" side yet - it's almost 7
days now.

we deliver the mail via a relay in a totally different subnet at the
moment and there's no issue with that relay's IP - it's just working.
so i really can't see what the problem might be with our customer's mails.

Regards

Andreas


Michael Wise via mailop wrote on 20.09.2017 at 00:30:
> Standard response is to start by opening a ticket … using this link.
> 
> The first response will be from a robot confirming that the ticket has
> been opened, and then within 24 hours (typically much less), the robot
> will respond with the details of the Mitigation applied (“If any…”).
> 
> If the results are not to your satisfaction, reply to that 2nd email
> and … State Your Case.
> 



Re: [mailop] Mails to microsoft

2017-02-09 Thread Andreas Ziegler


John Levine wrote on 09.02.2017 at 05:30:
> If you want your mail delivered, you have to filter out the spam, even
> if it's forwarded.

sure - i didn't say i don't do that.
maybe i should simply set stricter rules for forwards than for local
mailboxes...



Re: [mailop] Microsoft Junk Mail Reporting Program

2016-07-27 Thread Andreas Ziegler
Hi Michael,

thanks for your thoughts on this.

But you said nothing about the issue with non-bulk messages that are
marked as spam... THAT is the real problem in my opinion - or are your
algorithms really good enough to filter that out, so it won't affect an
IP's/Domain's reputation?

Maybe a comment on why the UI guys don't make it more clear to the user,
what a click on the junk/spam button will lead to?

Regards

Andreas


On 27.07.2016 at 21:45, Michael Wise via mailop wrote:
> 
> My top of mind suggestions on what might be a good idea to avoid trouble 
> (getting your traffic auto-Junked, or your IPs blocked) might include the 
> following, for what it's worth:
> 
> If you get a sample from any FBL, for a given recipient, you should make sure 
> that you can figure out who it is, probably best to use a token in the body 
> of the message, and ... you should fire off an email to that customer asking 
> them if they wish to continue receiving mailings, with a "Yes" button (and 
> some automatic logic to detect some AI that clicks all buttons), and only if 
> they do in fact click, "Yes" do you continue to send traffic.
> 
> If they go more than a week without opening an email, switch them to monthly.
> If they go more than a month without opening, send them a, "Do you want to 
> continue?" email and wait.
> And if traffic to a recipient ever bounces (except for 400 or 500 refusal 
> codes that do NOT implicate IP reputation), queue up a, "Do you want to 
> continue?" email, but hold it for ... at least a day? And suspend all other 
> deliveries to that recipient.
> 
> Y'all might want to save up all the 4xx and 5xx codes, and sort 'em and look 
> over them manually at the end of day, just to be sure something hasn't gone 
> pear-shaped. I suspect the really big senders do it in Real Time. As a matter 
> of fact, I know they do.
> 
> ...
> 
> Some of the above is officially, "Hard".
> But it would be, IMHO, Best List Management Practices.
> 
> Aloha,
> Michael.
> 



Re: [mailop] I trust my candor is appreciated...?

2016-06-09 Thread Andreas Ziegler
I very much appreciate you, Michael, taking part in the discussions on
this list and giving us some hints on what the issues are.

Microsoft could (unfortunately) easily ignore every inquiry from small
mail providers and it won't affect them, so... thanks for not ignoring ;-)

My hint to german law wasn't meant to offend anyone and of course this
doesn't apply for every other country - i just wanted to provide
information on the local situation.

The intention of this part of the law is to ensure people can trust
communication providers like snail mail and e-mail.

Of course, some exceptions (like discarding viruses) are allowed,
although many still inform the recipient that a mail has been discarded
or quarantined because of a detected virus.

Andreas


On 09.06.2016 at 15:44, Michael Wise via mailop wrote:
> 
> These are hard issues to discuss, and I hope the view I present of how
> certain issues are viewed from behind the trenches of a large scale mail
> service are useful.
> 
> Sometimes, what scales and what doesn't are not obvious. But the comment
> on German law in particular is interesting, and ... Will not go un-noticed.
> 
> I am not a fan of Silent Drop, and continue to push for some other
> infrastructure and user friendly solution, but so far... It's a hard
> sell for many reasons.
> 
> Aloha,
> Michael.
> -- 
> Sent from my Windows Phone
> 
> 



Re: [mailop] Microsoft/Hotmail discards mails

2016-06-08 Thread Andreas Ziegler
Hi,

thanks for your fast and detailed reply!

i will follow your suggestion regarding tackling the system by marking a
sender as safe, so it might reconsider its decisions.

as a side note: at least here in germany, discarding mail without any
notification of the sender or recipient is called suppression and is
illegal (§206 StGB).

Best Regards

Andreas


-------- Original Message --------
Subject: Re: [mailop] Microsoft/Hotmail discards mails
From: Michael Wise <michael.w...@microsoft.com>
To: Andreas Ziegler <m...@andreas-ziegler.de>, mailop@mailop.org
<mailop@mailop.org>
Date: 9.6.2016, 04:08:39

> 
> At the request of the customer-base, traffic that is classified as 
> sufficiently spammy (by various "Black Box" algorithms that I have no 
> knowledge of the inner workings...) is deleted even after a successful 
> delivery.
> 
> At one point, Hotmail tried to turn off the delete action for sufficiently 
> spammy, and just delivered it into Junk; Customers complained. Loudly. So 
> whether the system is correctly classifying your traffic or not, I cannot 
> say. But the behavior is not unexpected in certain scenarios. Which one of 
> them applies to you, I cannot say. Even if I wanted to! But I really have no 
> idea, and no way to find out.
> 
> This "Delete" action is a well-known mitigation that is not unique to Hotmail.
> 
> About the only way around it would be to login to your test account, and safe 
> sender the sending email address.
> Among other things, that will force the system to reconsider the verdict that 
> it has assigned to the IP and the traffic coming from it.
> 
> It's possible that the IPs have a left-over bad reputation from a previous 
> sender, but that's difficult to tell.
> 
> Good luck.
> 
> Aloha,
> Michael.
> 



[mailop] Microsoft/Hotmail discards mails

2016-06-08 Thread Andreas Ziegler
Hi,

a user of my server complained, that some of his mails don't reach mail
accounts from hotmail/live/outlook etc. that complaint is nothing new,
the problem exists for months now.

the user's mails are dkim signed, the domain has DKIM and SPF TXT DNS
records, since yesterday there is also a DMARC record.

i investigated further, set up test accounts on both ends and indeed,
they are accepting the mail with 250 but it doesn't appear in the inbox
or even junk folder.

According to SNDS, the IP has "normal status" and no events are logged.
i reached out to them through their form two times and got the same
answer twice, that the IP doesn't qualify for mitigation.

the thing is, i can't figure out
a) why they discard the mails
b) why they don't reject them, that would be much better

we're a low volume sender, so i investigated the logs manually and can't
find any outgoing spam.

all of the user's recipients do really want to get these mails and are
very upset that they don't receive them.
and even if they didn't want to, they could tell via mail or even in
person, as all of them are at the same university (and are friends).

perhaps someone has an additional idea, another form or contact address
or what can i try to solve this?

ticket numbers: SRX1342522740ID / SRX1342663522ID.

Regards

Andreas
