[mailop] Phishing hosted by Cloudflare-ipfs.com / Abuse Handled by Sparkpostmail.com?

2024-05-13 Thread Benoit Panizzon via mailop
Hi all

Our customers increasingly get phishing emails targeting our email
platform accessible under the domain: Cloudflare-ipfs.com
(interplanetary file system, I guess that is their name for CNS).

I reported some of those to the cloudflare abuse desk.

To my surprise, after usually one or two days I get replies From:
"Cloudflare" about them blocking some of the
single URLs we report.

So is sparkpostmail.com linked to cloudflare?

Unfortunately the basic issue is not being addressed. The phishers
seem to be able to generate new URIs under cloudflare-ipfs.com much
faster than ab...@sparkpostmail.com is able to block them.

Even SpamAssassin now has a rule matching those:

URI_CLOUDFLAREIPFS References Interplanetary File System PtP
content via CloudFlare, likely phishing

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G   Leiter Commerce Kunden
__

Zurlindenstrasse 29   Tel  +41 61 826 93 00
CH-4133 Pratteln      Fax  +41 61 826 93 01
Schweiz               Web  http://www.imp.ch
__
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] how does mailhash.josephlist.net work?

2024-04-04 Thread Benoit Panizzon via mailop
> Yes, there are joe jobs.  No, there are not very many.

Yes, everyone can send emails containing targeted URI to known
spamtraps, which then will extract and feed those URI to URI Blacklists.

So I guess this works in a similar way, just for email addresses found
in emails.

Joe jobs are an issue, thankfully not too much of an issue.

Kind regards

-Benoît Panizzon-


[mailop] how does mailhash.josephlist.net work?

2024-04-02 Thread Benoit Panizzon via mailop
Hi List

I came across emails rejected by mailhash.josephlist.net:

reason: 550 5.7.1 block listed email address s...@example.com by 
mailhash.josephlist.net (c559b92e0e284312b26c88d4bb707d14)

What I found out is that the email content is searched for email
addresses and if some hash of that email address matches, the email is
rejected. It's the full email address. Only the domain part does not
trigger the issue.

The hash at the end of the error message looks like an MD5 hash. But
that hash does not match (tested lower and upper case) the email
address listed.

Also, if I send two emails containing the email address triggering the
block, I get two different hashes. So maybe the hash is not derived
from the email address?

Does anyone know how mailhash.josephlist.net operates and the reason
why they list hashes of email addresses found in email bodies?

Kind regards

-Benoît Panizzon-
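The post above asks how a list keyed on hashes of email addresses found in message bodies can work. The following is an added example, not from the post and not a description of how mailhash.josephlist.net actually operates: it shows the general technique of extracting addresses from a body, normalising them, hashing them and comparing against a list that publishes only hashes. The SHA-256 choice, the lower-casing normalisation, the regular expression and all sample data are assumptions constructed for this example; a real list may use a different digest and encoding, which is one reason a hash printed in a reject message need not equal the hash of the address you expect.

```python
import hashlib
import re

# Loose address matcher for scanning free text (constructed for this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalise(address):
    """Assumed normalisation: drop whitespace and angle brackets, lower-case."""
    return address.strip().strip("<>").lower()


def address_hash(address):
    """Hex SHA-256 of the normalised address (an assumed scheme)."""
    return hashlib.sha256(normalise(address).encode("utf-8")).hexdigest()


def extract_addresses(body):
    """Distinct, normalised address-looking tokens found in a message body."""
    return sorted({normalise(m) for m in EMAIL_RE.findall(body)})


def build_list(addresses):
    """A list publishes only hashes, so consulting it never reveals addresses."""
    return {address_hash(a) for a in addresses}


def find_listed(body, hashed_list):
    """Addresses in body whose hash is on the list; a non-empty result is
    the reject case. Only full addresses can match: a bare domain never
    hashes to a listed value, which matches the observation in the post."""
    return [a for a in extract_addresses(body) if address_hash(a) in hashed_list]


# Constructed data: one listed address and a body that mentions it.
LISTED = build_list(["scammer@example.net"])
SAMPLE_BODY = """Hello,
please contact Scammer@Example.net or info@example.org for details.
"""

if __name__ == "__main__":
    print(find_listed(SAMPLE_BODY, LISTED))
    print(find_listed("only the domain example.net appears here", LISTED))
```

Because the list holds digests rather than addresses, a receiver can consult it without learning which addresses are listed, while anyone who already knows an address can check whether it is on the list.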


[mailop] Anyone from sendinblue on this list?

2024-03-05 Thread Benoit Panizzon via mailop
Hi

If anyone from sendinblue is reading here.

We have a repeated issue of tracking URIs used by sendinblue getting used
in emails sent to our spamtraps/honeypot mimicking an open relay, causing
the sender IP (not from the network of sendinblue) and the 'spamvertized'
tracking domain to get blacklisted, so legitimate emails from
sendinblue are likely rejected as spam.

A sendinblue customer could not get sendinblue to investigate what causes
this. I have evidence of those spamtrap emails and would love to share
it with sendinblue techs to learn why spammers use email tracking
provided by them.

Kind regards

-Benoît Panizzon-


Re: [mailop] Office365: only accepts messages from people in its organization or on its allowed senders list

2024-02-20 Thread Benoit Panizzon via mailop
Hi

> As the list is restricted, that’s pretty poor business practice - “We expect 
> you to reply to this message, but you can’t, and here’s why!”

Yes, this is exactly what we get...

From: noreply@...
CC: ms-peering-updates@...
Subject: BGP Peering AS8075, Request to increase prefix filter

Please reply by klicking on reply-to-all when done of if you have
further questions.

Well, now anyone can guess who this Microsoft 'customer' is we cannot
reply to. This issue has persisted for about a year now.

Oh, of course I have tried peering@ or noc@ or email addresses found in
the RIPE/ARIN or PeeringDB database. Either no reply, or errors.

We get the emails to our peering@ email address (as published in the
PeeringDB) but we reply from our noc@ email address. That is why I
started wondering if that is the issue.

Kind regards

-Benoît Panizzon-


[mailop] Office365: only accepts messages from people in its organization or on its allowed senders list

2024-02-20 Thread Benoit Panizzon via mailop
Hi List

Maybe somebody could enlighten me as to what is going on.

We very often face the issue of Office365 business customers sending an
email to us and asking for a reply, but when we reply we get:

=== schnip ===
Your message to [RECIPIENT] couldn't be delivered.

The group [USERPART OF EMAIL] only accepts messages from people in its
organization or on its allowed senders list, and your email address
isn't on the list.
=== snap ===

I used to think this is a misconfiguration on the O365 customer side.

But now I start to wonder if this is some kind of anti-spam measure
which causes the recipient to receive emails ONLY from an email address
they previously sent an email to.

I have observed that those cases almost always happen when an email for
example is sent to our info@ email address, but then replied to from a
personal email address. So the address replying is not the one the O365
customer sent the email to.

Has anyone more insight in this?

Kind regards

-Benoît Panizzon-


Re: [mailop] Microsoft 365 IP addresses listed on Spamcop

2024-02-15 Thread Benoit Panizzon via mailop
Hi Christoph

> I am attempting to send mail from a M365 tenancy, however, we are seeing 
> issues with it being filtered due to the address appearing on bl.spamcop.net.
> "Decision Engine classified the mail item was rejected because of IP Block 
> (from outbound normal IP pools) -> 550 mail from 40.107.107.97 refused, see 
> http://www.spamcop.net - Your mail provider is blocked because is sending 
> SPAM."
> If there is anyone on-list from Microsoft, could you please take a look? It's 
> causing issues 

Please ask the affected M365 customer to escalate this issue to Microsoft
management. This is a well known issue. Unfortunately the customers
don't manage to get the issue addressed by the 'normal' Microsoft
support, which blames the operator of such a blacklist for
wrongfully listing their ranges, even if presented with masses of
evidence of the abuse originating from those IP addresses.

Therefore => Escalation to management! I hope they will hear if enough
of their paying customers start shouting at them.

Some IP addresses shared between M365 customers are the source of more
than 90% spam mails, most probably from phished or autogenerated
'outlook.com' accounts.

Kind regards

-Benoît Panizzon-


[mailop] Ping Microsoft / MSN

2024-01-22 Thread Benoit Panizzon via mailop
https://blacklist.imp.ch/entry.php?id=1.0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.2.1.e.2.3.0.4.f.1.1.1.0.1.0.a.2

no further comment needed...

Kind regards

-Benoît Panizzon-


Re: [mailop] How to report abuse to cloudflare? Only via Web-Form?!? Phishing sites not against cloudflare policy!?!

2023-11-16 Thread Benoit Panizzon via mailop
Hi Laura

> Cloudflare does not concern itself with abuse. It does not host any websites, 
> it only proxies back to the web host. They are not responsible for the 
> content and they are unable to disconnect customers. 

I am aware they do not host the content.

But they hide the IP address of their 'customer' and if that customer
does not have any contact details on their site, there is no way to
contact them. Especially if this is a malicious customer.

And yes, of course they are able to discontinue forwarding traffic to
their customer and thus prevent more phishing to happen.

> I can’t imagine anyone who has been paying attention to expect cloudflare to 
> take action against any abusive content. It’s not in their nature, and never 
> has been. They protect a whole lot worse than phishing sites and have doxxed 
> people who complain about abuse. 

At least, they just discontinued proxying traffic to the phishing site
and changed the DNS entries to reveal the IP of the 'real' hoster. So I
have sent a new complaint to the hoster and hope he will either urge
his customer, who is aware of the issue but ignoring it, to fix the
hacked site, or block them until they do so.

Kind regards

-Benoît Panizzon-


Re: [mailop] How to report abuse to cloudflare? Only via Web-Form?!? Phishing sites not against cloudflare policy!?!

2023-11-16 Thread Benoit Panizzon via mailop
Hi

> If you want any real action from Cloudflare, you have to jump through the
> hoop of filling in the web based abuse form. It sucks but only you can
> decide whether it's worth your time and effort.

Yes, but what I don't get is why, in their first reply, they confirm
opening a case but then never send any update that they are not
working on it until you ask about the status.

Kind regards

-Benoît Panizzon-


[mailop] How to report abuse to cloudflare? Only via Web-Form?!? Phishing sites not against cloudflare policy!?!

2023-11-15 Thread Benoit Panizzon via mailop
Hi out there

A website, most probably hacked WordPress, behind cloudflare, is hosting
a phishing site targeting our webmail users.

I reported this to the owner of the hacked website. I know he read my
messages and chose to ignore the issue.

So next step, report to cloudflare.

First reply from cloudflare:

=== snipp ===

Your report (#*) has been received. Note -- When responding please make 
sure to keep #16191668 in the subject line.

Thank you for your report.

=== snapp ===

Having received this reply I was sure this would be processed, but two
days later the site is still up, and we still get notified by customers
who receive phishing emails sending them to the phishing site.

So I asked cloudflare back about this case and got this reply:

=== snipp ===

Thank you for your report.

This address does not accept or process abuse reports. Please use the link 
below to submit your abuse report.

[...]

To ensure the prompt processing of your abuse report we request that you please 
submit your abuse report through Cloudflare's abuse reporting web form at: 
https://www.cloudflare.com/abuse/.

=== snapp ===

So they did not even bother to process or reply to my first report for
which they assigned a case ID?

Somehow this is not the first time I get a similar reply from
cloudflare stating that if the incident is not CP or DMCA related, then
it's not against their policy.

Their customer running phishing sites is not against their policy?!?

Kind regards

-Benoît Panizzon-


[mailop] Phishing Emails sent via mail-sgaapc01on20624.outbound.protection.outlook.com ([IPv6:2a01:111:f400:feab::624]:24545)

2023-09-26 Thread Benoit Panizzon via mailop
Hi List

With little hope that anyone @ Microsoft is reading this list: I have
attempted to contact Microsoft in many different ways to try to address
those issues.

Clearly a phishing email claiming to be from DPD, hitting one of our
spamtraps square in the face and causing immediate blacklisting of the
source IP.

Now of course, legitimate Microsoft Office365 customers are complaining
that we wrongfully blacklist 'their' IP address.

Does somebody know how this happens? Phished account? Hacked Exim
mailer instance? I thought without OAuth2 one could not relay emails via
SMTP to the email platform anymore. And Exim as a relay most probably
cannot do OAuth2, right? The last Received line points to the MAPI
protocol, which is not SMTP. So how was that sent?

Received: from mail-sgaapc01on20624.outbound.protection.outlook.com 
([IPv6:2a01:111:f400:feab::624]:24545) from 76444@siswa.* Auth:   by a 
Spamtrap on 2001:4060:dead:beef::** 25 pretending to be an open relay for 
ap@blacklist.*; Sun, 24 Sep 2023 19:18:35 +0200 (CEST)

Received: from TYZPR01MB5237.apcprd01.prod.exchangelabs.com 
(2603:1096:400:343::10) by TY2PR0101MB3630.apcprd01.prod.exchangelabs.com 
(2603:1096:404:8004::13) with Microsoft SMTP Server (version=TLS1_2, 
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.27; Sun, 24 Sep 
2023 06:47:22 +

Received: from SG2PR01MB3562.apcprd01.prod.exchangelabs.com (2603:1096:0:12::9) 
by TYZPR01MB5237.apcprd01.prod.exchangelabs.com (2603:1096:400:343::10) with 
Microsoft SMTP Server (version=TLS1_2, 
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.25; Sat, 23 Sep 
2023 18:41:07 +

Received: from SG2PR01MB3562.apcprd01.prod.exchangelabs.com 
([fe80::c2b5:77cc:f2b:c394]) by SG2PR01MB3562.apcprd01.prod.exchangelabs.com 
([fe80::c2b5:77cc:f2b:c394%3]) with mapi id 15.20.6813.027; Sat, 23 Sep 2023 
18:41:07 +

[...]

Date: Sat, 23 Sep 2023 18:40:57 +
To: ap@blacklist.*
From: =?UTF-8?B?RFBELUt1cmllcg==?= <76444@siswa.*>
Subject: Ihr Paket konnte nicht zugestellt werden.
Message-ID: 

Mailer: Exim 4.93
X-ClientProxiedBy: GVX0EPF13DC.SWEP280.PROD.OUTLOOK.COM 
(2603:10a6:144:1::c) To SG2PR01MB3562.apcprd01.prod.exchangelabs.com 
(2603:1096:0:12::9)

hr Paket konnte nicht zugestellt werden.
Grund: Falsche Adresse/Telefonnummer

>>Planen Sie die Lieferung erneut.<<

Wenn keine Maßnahmen ergriffen werden, wird das Paket innerhalb von 48 Stunden 
zum Versand zurückgeschickt.

@2023 DPD

Kind regards

-Benoît Panizzon-


[mailop] Amazon SES using SAME sender Domain for multiple customer?

2023-09-25 Thread Benoit Panizzon via mailop
Hi List...

There is a company which is sending a lot of misdirected/unwanted email
via Amazon SES and has failed to react to my attempts to contact them
by email and phone in the last 14 days or so to try to solve the issue.

Usually I then go ahead and block the envelope-sender domain. In this
case: 

@eu-west-1.amazonses.com

But as this domain bears no similarity to the header From username,
I had a quick look at our logs and realized this would most
probably cause a lot of collateral damage.

Does anyone know, why Amazon is not using their customer's domain as
envelope sender?

The Username part looks like a completely new random string on every
email sent. Or is there a way to match one specific Amazon SES customer?

Kind regards

-Benoît Panizzon-


[mailop] Anyone a contact @ virusfree.cz

2023-08-15 Thread Benoit Panizzon via mailop
Hi Gang

virusfree.cz is listing one of our mail servers.

I opened a support case with them almost two weeks ago to ask for a
delisting and reason/evidence for the listing.

They are praised for their good support:
https://www.virusfree.cz/en/customers-and-support

Unfortunately I don't get any reaction. Does anyone have a contact to
them or experience in how they handle such requests?

Kind regards

-Benoît Panizzon-


[mailop] Delivery Reports, requested by Microsoft 'Outlook' customer, reported as Spam by same Microsoft 'Outlook' customer?

2023-08-10 Thread Benoit Panizzon via mailop
Hi Team

I would be very happy if anyone at Microsoft could get
in touch with me; we probably get more than 90% false positives from
the Microsoft spam report robot.

Newest crazy addition!

exam...@outlook.com is sending an email indicating a request for a
delivery report.

Our server AFTER delivering the email, obliges:

From:(Mail Delivery System)
To: exam...@outlook.com
Successful Mail Delivery Report

This is the mail system at host idefix.imp.ch.

Your message was successfully delivered to the destination(s)
listed below. If the message was delivered to mailbox you will
receive no further notifications. Otherwise you may still receive
notifications of mail delivery errors from other systems.

   The mail system
=== snip ===

exam...@outlook.com is reporting this as spam. We get a complaint from
Microsoft asking us to suspend 'mailer daemon' for sending
unsolicited emails. Doh!

Microsoft, could you please just block customers like this one who
repeatedly abuse your spam complaint machinery?

Or build some simple rules to redirect 'dubious' spam reports to be
reviewed by a human before clogging the abuse desks of fellow ISPs with
such reports?

Dubious could be:

* from a 'mailer daemon'.
* containing other signs that it is some sort of bounce.
* Quoted text matching an email recently sent by your customer.

etc

I also wonder if you told your customers, conforming to GDPR, that you
are disclosing their mail content to the abuse desk of any ISP around
the world. We repeatedly get all sorts of emails reported as spam, which
I would consider to contain very sensitive information like salary
information etc.

Kind regards

-Benoît Panizzon-
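The post lists signs that make a spam complaint 'dubious': it comes from a mailer daemon, it carries other marks of a bounce, or it quotes text the complaining user recently sent. The following triage helper is an added example, not code from the post or from any complaint feed; it checks exactly those signs on a raw RFC 5322 message so that matching reports can be routed to a human before they reach an abuse desk. The `recent_snippets` parameter, the hostnames and both sample messages are constructed for this example.

```python
import email
import re
from email import policy

# Senders and subjects that usually mean "this is a bounce, not a mailing".
DAEMON_RE = re.compile(r"mailer-daemon|mail delivery system|postmaster", re.I)
BOUNCE_SUBJECT_RE = re.compile(
    r"delivery (status|report)|undeliverable|returned mail|delivery has failed", re.I)


def dubious_reasons(raw_message, recent_snippets=()):
    """Return the reasons a complaint about raw_message looks dubious.

    recent_snippets: text from mail the complaining user recently sent
    (assumed to be available to the complaint feed operator, who can see
    the user's sent folder, rather than to the receiving abuse desk)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if DAEMON_RE.search(str(msg.get("From", ""))):
        reasons.append("from a mailer daemon")
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", header="Content-Type") == "delivery-status"):
        reasons.append("is a DSN (multipart/report; report-type=delivery-status)")
    if BOUNCE_SUBJECT_RE.search(str(msg.get("Subject", ""))):
        reasons.append("bounce-like subject")
    auto = str(msg.get("Auto-Submitted", "")).strip().lower()
    if auto and auto != "no":
        reasons.append("Auto-Submitted: " + auto)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(s and s in text for s in recent_snippets):
        reasons.append("quotes a message the complainant recently sent")
    return reasons


def is_dubious(raw_message, recent_snippets=()):
    """True when the report should go to a human before an abuse desk."""
    return bool(dubious_reasons(raw_message, recent_snippets))


# Constructed sample: a successful-delivery DSN like the one quoted in the post.
SAMPLE_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@idefix.example>
To: example@outlook.example
Subject: Successful Mail Delivery Report
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host idefix.example.

Your message was successfully delivered to the destination(s)
listed below.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; idefix.example

Final-Recipient: rfc822; someone@example.org
Action: delivered
Status: 2.0.0

--B1--
"""

# Constructed sample: an ordinary message; a complaint about it is not dubious.
SAMPLE_PLAIN = """\
From: Shop Newsletter <news@shop.example>
To: example@outlook.example
Subject: Weekend sale
Content-Type: text/plain; charset=us-ascii

Buy now.
"""

if __name__ == "__main__":
    print(dubious_reasons(SAMPLE_DSN))
    print(dubious_reasons(SAMPLE_PLAIN))
```

The DSN sample trips four of the five checks at once; in practice any single hit is enough to justify holding the report for review rather than forwarding it automatically.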


[mailop] Solved Re: Office365 STARTTLS not working anymore?

2023-07-18 Thread Benoit Panizzon via mailop
Ok, my bad...

Missed the -crlf option because SMTP requires CRLF line endings.
STARTTLS works.

So the actual conclusion: outlook.office365.com

SMTP: Plain SSL on port 465 not accessible.
  STARTTLS on 587 (and 25) works!
IMAP: STARTTLS advertised but BROKEN on port 143 for 2 days.
  Plain SSL on port 993 works!

Kind regards

-Benoît Panizzon-


Re: [mailop] Office365 STARTTLS not working anymore?

2023-07-18 Thread Benoit Panizzon via mailop
Hi..

Weird... if somebody could point me to what I'm doing wrong...

Our Postfix:

Jul 18 08:04:53 asterix postfix/smtp[81902]: Untrusted TLS connection 
established to hotmail-com.olc.protection.outlook.com[104.47.51.33]:25: TLSv1.2 
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

is very capable of doing STARTTLS with Microsoft...

So trying again:

$ openssl s_client -starttls smtp -connect 
hotmail-com.olc.protection.outlook.com:25
[cert validation stuff]
250 SMTPUTF8
ehlo example.com
rset
quit

=> Nothing!

If I try any other MX that supports TLS, like our Postfix MX, I can have
a nice SMTP conversation using openssl s_client as above.

What am I missing? What is Claws-Mail missing?


Kind regards

-Benoît Panizzon-


[mailop] IMAP solved (port 993 ssl) but how to SMTPS? (Re: Office365 STARTTLS not working anymore?)

2023-07-18 Thread Benoit Panizzon via mailop
Hi again

IMAP Login thankfully works on imaps port 993 with plain SSL.

But now I get the same issue with SMTP.

Port 465, which traditionally is used for smtps via plain SSL, is
closed.

Port 587 advertises STARTTLS:

Trying 2603:1026:c0b:16::2...
Connected to outlook.office365.com.
Escape character is '^]'.
220 ZR0P278CA0005.outlook.office365.com Microsoft ESMTP MAIL Service ready at 
Tue, 18 Jul 2023 14:43:40 +
ehlo example.com
250-ZR0P278CA0005.outlook.office365.com Hello 
[2001:4060:1:4133:9afa:9bff:fe4a:aa55]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF

But same as on the IMAP port, after issuing STARTTLS no more
communication is possible.

Can be checked with openssl:

$ openssl s_client -starttls smtp -connect outlook.office365.com:587

Cert validation works, but then the server is silent and does not
accept any SMTP commands.

Same on port 25 btw, which is blocked by many ISPs. But wait, Hotmail
hopefully also uses TLS for emails from server to server. STARTTLS
should still be working there...

$ openssl s_client -starttls smtp -connect 
hotmail-com.olc.protection.outlook.com:25

Same issue; checking our mailserver logs to see if I find anything about
STARTTLS failing towards Hotmail etc.

Kind regards

-Benoît Panizzon-


Re: [mailop] Office365 STARTTLS not working anymore?

2023-07-18 Thread Benoit Panizzon via mailop
Hi Oliver

> As far as I know Microsoft never officially supported or advertised STARTTLS 
> for its mail submission services. Given that RFC8314 "Use of Transport Layer 
> Security for Email Submission and Access" basically deprecates STARTTLS in 
> favor of implicit TLS for submission services, I wouldn't expect that 
> STARTTLS is coming back if it's currently broken.
> Maybe Michael Wise can shed some more light on this.

They definitely advertise STARTTLS as a supported CAPABILITY, check
yourself:

$ telnet outlook.office365.com 143
Trying 2603:1026:c0b:1c::2...
Connected to outlook.office365.com.
Escape character is '^]'.
* OK The Microsoft Exchange IMAP4 service is ready. 
[WgBSADAAUAAyADcAOABDAEEAMAAwADIAOAAuAEMASABFAFAAMgA3ADgALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
. CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 LOGINDISABLED STARTTLS SASL-IR UIDPLUS ID UNSELECT 
CHILDREN IDLE NAMESPACE LITERAL+
. OK CAPABILITY completed.


Kind regards

-Benoît Panizzon-
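The STARTTLS thread above (the EHLO and CAPABILITY transcripts, the openssl s_client attempts, and the "Solved" post's finding that the missing -crlf option was the cause) boils down to one detail: SMTP and IMAP commands must end in CRLF, and the TLS handshake may only start after the server's positive reply to STARTTLS. The following is an added example, not code from the posts: the two parsers are exercised on the capability lines quoted in the thread, and the probe function performs the negotiation with CRLF-terminated commands for either protocol. The hostname probe.example, the documentation IPv6 address substituted into the transcript, and the function names are assumptions; the probe needs network access and is not part of the offline check.

```python
import socket
import ssl


def is_safe_line(line):
    """A command must not contain a line break, or it becomes two commands."""
    return "\r" not in line and "\n" not in line


def encode_line(line):
    """Terminate a command with CRLF as SMTP and IMAP require; a bare LF is
    what openssl s_client sends without -crlf, and some servers then never
    answer, which is exactly what the thread observed."""
    if not is_safe_line(line):
        raise ValueError("line breaks are not allowed inside a command")
    return (line + "\r\n").encode("ascii")


def parse_ehlo(reply):
    """Extensions advertised in a multi-line EHLO reply ('250-X' ... '250 X').
    The first line is the server greeting and is skipped."""
    exts = set()
    lines = [l.strip() for l in reply.replace("\r\n", "\n").split("\n") if l.strip()]
    for line in lines[1:]:
        if line.startswith("250") and len(line) > 4:
            exts.add(line[4:].split()[0].upper())
    return exts


def parse_imap_capability(reply):
    """Capabilities from an untagged '* CAPABILITY ...' response line."""
    for line in reply.replace("\r\n", "\n").split("\n"):
        if line.upper().startswith("* CAPABILITY "):
            return set(line.split()[2:])
    return set()


def starttls_probe(host, port, protocol, timeout=15):
    """Negotiate STARTTLS on a fresh connection and return the negotiated TLS
    version (e.g. 'TLSv1.3'). Raises if STARTTLS is not advertised, refused,
    or the server stops answering. Needs network access."""
    def readline(sock):
        buf = bytearray()
        while not buf.endswith(b"\n"):   # byte-wise, so no TLS bytes are swallowed
            chunk = sock.recv(1)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf.decode("utf-8", "replace").rstrip("\r\n")

    def read_reply(sock, done):
        lines = []
        while True:
            lines.append(readline(sock))
            if done(lines[-1]):
                return lines

    with socket.create_connection((host, port), timeout=timeout) as sock:
        if protocol == "smtp":
            read_reply(sock, lambda l: l.startswith("220 "))
            sock.sendall(encode_line("EHLO probe.example"))
            exts = parse_ehlo("\n".join(read_reply(sock, lambda l: l.startswith("250 "))))
            if "STARTTLS" not in exts:
                raise RuntimeError("STARTTLS not advertised")
            sock.sendall(encode_line("STARTTLS"))
            if not read_reply(sock, lambda l: l[3:4] != "-")[-1].startswith("220"):
                raise RuntimeError("server refused STARTTLS")
        elif protocol == "imap":
            read_reply(sock, lambda l: l.startswith("* OK"))
            sock.sendall(encode_line("a1 CAPABILITY"))
            caps = parse_imap_capability("\n".join(read_reply(sock, lambda l: l.startswith("a1 "))))
            if "STARTTLS" not in caps:
                raise RuntimeError("STARTTLS not advertised")
            sock.sendall(encode_line("a2 STARTTLS"))
            if not read_reply(sock, lambda l: l.startswith("a2 "))[-1].startswith("a2 OK"):
                raise RuntimeError("server refused STARTTLS")
        else:
            raise ValueError("protocol must be 'smtp' or 'imap'")
        ctx = ssl.create_default_context()   # verifies the certificate chain and hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


# EHLO reply quoted in the thread (port 587); client address replaced by 2001:db8::1.
EHLO_REPLY = """250-ZR0P278CA0005.outlook.office365.com Hello [2001:db8::1]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8"""

# CAPABILITY response quoted in the thread (port 143).
IMAP_CAPABILITY = ("* CAPABILITY IMAP4 IMAP4rev1 LOGINDISABLED STARTTLS SASL-IR "
                   "UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\n"
                   ". OK CAPABILITY completed.")
```

A typical live call is `starttls_probe("outlook.office365.com", 587, "smtp")` or the same with `143, "imap"`; for the implicit-TLS ports (465, 993) no STARTTLS step exists and `ssl.create_default_context().wrap_socket` is applied to the connection directly.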


[mailop] Office365 STARTTLS not working anymore?

2023-07-18 Thread Benoit Panizzon via mailop
Hi Team

For two days I've been unable to connect to an Office365 IMAP mailbox
with OAUTH2.

My client connects to port 143 and performs STARTTLS but is not getting
anything in reply.

Is there a known outage? Has Microsoft discontinued STARTTLS?

Kind regards

-Benoît Panizzon-


[mailop] SPF: Does include: a host without TXT entry invalidate the whole SPF entry?

2023-06-06 Thread Benoit Panizzon via mailop
Hi List

One more technical question after some discussion with one of our
customers.

Sender has SPF entry:

"v=spf1 ip4:10.1.2.0/25 include:_spf.example.com -all"

_spf.example.com either has no txt entry or just does not exist.

So from my point of view, the SPF entry is still valid as it has at
least one valid element which designates an IP range from which sending
is permitted.

My customer claims an invalid include: renders the whole entry invalid,
causing some service providers to classify such emails as spam.

Kind regards

-Benoît Panizzon-
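The question above can be answered by walking through RFC 7208's check_host() on the record quoted in the post. Two rules decide it: mechanisms are evaluated left to right and evaluation stops at the first match, and (section 5.2) an include: whose target domain has no SPF record yields "none" for the included check, which the including record turns into permerror. So mail from within 10.1.2.0/25 still gets pass because ip4: matches before include: is reached, while mail from any other address gets permerror instead of the intended fail. The following evaluator is an added example, not from the post and not a full SPF implementation: it supports only ip4, ip6, include and all, and raises on anything else. DNS is replaced by a constructed in-memory zone in which _spf.example.com is deliberately absent, as in the thread.

```python
import ipaddress

# Constructed DNS stub: domain -> SPF TXT record. _spf.example.com has no
# entry at all, mirroring the situation described in the post.
ZONE = {
    "sender.example": "v=spf1 ip4:10.1.2.0/25 include:_spf.example.com -all",
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.good.example -all",
    "_spf.good.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for domain, or None when there is none."""
    return ZONE.get(domain.lower())


def check_host(ip, domain, depth=0):
    """RFC 7208 check_host() for the mechanisms ip4, ip6, include and all."""
    if depth > 10:                       # RFC 7208 section 4.6.4 lookup limit
        return "permerror"
    record = lookup_spf(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                    # no (valid) SPF record for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # left to right, first match wins
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed network is a syntax error
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # Section 5.2: pass -> match; fail/softfail/neutral -> no match;
            # temperror -> temperror; permerror -> permerror; none -> permerror.
            inner = check_host(ip, arg, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "none":
                return "permerror"
            if inner in ("temperror", "permerror"):
                return inner
        else:
            raise NotImplementedError(f"mechanism {name!r} not supported by this example")
    return "neutral"                     # no mechanism matched and no 'all'


if __name__ == "__main__":
    for ip, domain in [("10.1.2.5", "sender.example"), ("203.0.113.9", "sender.example"),
                       ("198.51.100.7", "good.example"), ("203.0.113.9", "good.example")]:
        print(ip, domain, "->", check_host(ip, domain))
```

How a receiver treats permerror is its own policy choice (many score it rather than reject), which is why the effect of a dangling include: shows up as inconsistent handling rather than as a uniform rejection.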


[mailop] Microsoft Office365 not rejecting emails when instructed so by SPF recored?

2023-05-23 Thread Benoit Panizzon via mailop
Hi List

I'm surprised...

six-group.com is the biggest payment platform in Switzerland. Of course
they use SPF to protect their domain from being abused by phishers.

It looks like GV0CHE01FT013.mail.protection.outlook.com is happily
accepting phishing emails which, according to SPF, should get rejected.

six-group.com descriptive text "v=spf1 mx include:285283.spf01.hubspotemail.net 
include:spf.protection.outlook.com a:prodmail33a.sapsf.eu 
a:prodmail33b.sapsf.eu a:prodmail33c.sapsf.eu a:prodmail33d.sapsf.eu 
ip4:130.214.193.81 a:smtp.cetrel.lu -all"

https://www.spf-record.de/spf-lookup/six-group.com?ip=157.161.4.123

Connected to *.mail.protection.outlook.com.
Escape character is '^]'.
220 GV0CHE01FT013.mail.protection.outlook.com Microsoft ESMTP MAIL Service 
ready at Tue, 23 May 2023 13:30:12 +
ehlo example.com
250-GV0CHE01FT013.mail.protection.outlook.com Hello [157.161.4.123]
  # (yes, my actual IP)
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from:
250 2.1.0 Sender OK
rcpt to:
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
PhsihPhishPhish
.
250 2.6.0 
<1596b267-85c2-4695-80cb-4c354a335...@gv0che01ft013.eop-che01.prod.protection.outlook.com>
 [InternalId=139006616572402, Hostname=ZRAP278MB0141.CHEP278.PROD.OUTLOOK.COM] 
7400 bytes in 0.087, 82.746 KB/sec Queued mail for delivery

WTF!

Kind regards

-Benoît Panizzon-


[mailop] ab...@microsoft.com => Mailbox full

2023-04-20 Thread Benoit Panizzon via mailop
For heaven's sake Microsoft!

I'm trying to report the same spamming Office 365 customer again which
uses a shared IP address with some other Swiss companies that use
Office 365 and experience collateral damage...

That is NOT the reply I expect.

=== snipp ===

Delivery has failed to these recipients or groups:

ab...@microsoft.com
The recipient's mailbox is full and can't accept messages now. Please try 
resending your message later, or contact the recipient directly.

=== snapp ===

Yes please, how can I contact the microsoft abuse desk more directly?

Kind regards

-Benoît Panizzon-


[mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?

2023-03-30 Thread Benoit Panizzon via mailop
Hi all

Received: from mail-vi1eur04on0730.outbound.protection.outlook.com 
([IPv6:2a01:111:f400:fe0e::730]:47502) from new...@news-science-travel.com 
Auth:   by a Spamtrap on 2001:4060:dead:beef::1907:2 25 pretending to be an 
open relay for jodyyw...@blacklist.woody.ch; Mon, 27 Mar 2023 07:22:56 +0200 
(CEST)

jodyyw...@blacklist.woody.ch is a spamtrap. I can guarantee, that this
email address is not being used for any other purposes and has never
been subscribed to any newsletters or similar.

From the 'username' I rather suspect that this was generated and verified
'valid' by some script checking that my spamtrap accepts emails to this
destination.

Such a 'confirmed' spamtrap hit immediately causes the sending IP to
get listed in the SWINOG blacklist.
I also looked at the email content.
It is spam, sent via PHPMailer relaying its payload via Office365
submission servers.

Unfortunately, this massively affects other Office365 customers. But
they complain to us because we (operating the SWINOG blacklist) block
them; they don't complain to Microsoft for being the source of the
issue, and find it hard to address such issues with Microsoft.

What would be the best way to address such issues for Office365
customers?

Kind regards

-Benoît Panizzon-


Re: [mailop] Cyren

2023-02-13 Thread Benoit Panizzon via mailop
> This is a good hypothesis but so far I have not seen any absolute
> confirmation that they are "listing the world." I guess we will see...

I fear this is the case. I have contacted the ISP in question whose
ctasd instance was adding 6 SpamAssassin Points to every email sent by
their customer.

They immediately disabled the ctasd check.

Kind regards

-Benoît Panizzon-


Re: [mailop] Cyren

2023-02-13 Thread Benoit Panizzon via mailop
Hi All

I have started seeing a lot of emails sent via one Swiss ISP flagged as
spam by the SpamAssassin CTASD check, which according to Google is Cyren's
anti-spam service.

Have they started flagging all emails as spam to tell their customer to
stop using their service?

Kind regards

-Benoît Panizzon-


Re: [mailop] Office365 sometimes sending reply to email to originator 'submission' ip instead of where the MX points?

2023-01-16 Thread Benoit Panizzon via mailop
Hi Gang

Short update: Was 'human error' on our side. Submission Host was
wrongly advertised as one of the 'MX'.

Kind regards

-Benoît Panizzon-


Re: [mailop] Reject vs spam folders

2022-09-15 Thread Benoit Panizzon via mailop
Hi

> > First of all: I am fed up with telling people to look for missing emails in 
> > their spamfolders.
> >
> > If I have to check a spamfolder for false positives every day, I can just 
> > have them delivered to my inbox. The spamfolder does not have an advantage 
> > then.
> >
> > Your user's opinion on that will change as soon as someone missed a bid or 
> > contract, because it hid in the spam folder :).  

It looks like I missed the original email. Interesting topic; we
pondered it a lot a couple of years ago when designing our ISP mail
platform.

I fully agree and that is the reason why our ISP email platform has no
spamfolder.

Basic principle of our solution: An email shall never disappear from
the user's perspective.

An email delivered to the spamfolder, from the sender AND recipient
point of view, just disappears unnoticed until somebody is 'missing'
that email and actively looking for it. But then it might be too late
for an important email.

Furthermore, if you enable a per-domain (per-organisation) catch-all
spamfolder where an admin goes through those emails (which won't be
done) to find false positives sent to anyone in that organisation, that
is a big NO NO from the privacy point of view.

We offer customer those settings if spam is detected:

* Reject (during SMTP handshake)
* Tag Subject
* Accept

So if an email is deemed spam and is a positive, the recipient is not
going to miss it or get bothered by having to look at it in the
spamfolder and the sender (probably a botnet anyway) is not going to
bother.

If this is a false positive, the sender, using a proper MTA, will
receive an error message. The sender will know immediately this did not
work and take corrective actions.

And yes I can hear you shouting 'BUT!'

BUT if the email is tagged as spam in the subject, the recipient can
use that tag to filter them into a spamfolder with sieve or his mail
client => Customer Problem. Not caused by us as service provider.

BUT the sender will just ignore/delete the error message in case of a
false positive. => Again, sender problem, we did our best!

Kind regards

-Benoît Panizzon-


Re: [mailop] opendkim replacement

2022-07-04 Thread Benoit Panizzon via mailop
Hi

> If you are looking for something that integrates as a milter like opendkim,
> dkimpy-milter seems to do exactly that. With a bit of luck it could even
> integrate with your existing opendkim configuration.

I'll have a look at it.

> However, I am curious about what the issue is with opendkim. Indeed it
> didn't get any updates for a long time, but as far as I know it still
> operates fine. Unless it is about supporting different types of keys?

Configuration was not that easy. I miss a 'TrustedHost' setting per
Domain.

But what I faced most are crashes.

systemd: Restart=on-failure

mitigates the issue for now as we have 3 round robin DNS machines
running all the milters.

Kind regards

-Benoît Panizzon-


Re: [mailop] opendkim replacement

2022-07-04 Thread Benoit Panizzon via mailop
Hi

I would also be interested in finding a 'plug in' replacement for the
sometimes dodgy OpenDKIM milter.

> rspamd or WildDuck

rspamd is a full featured spamfilter. I only need the part that
validates and signs DKIM.

WildDuck is a fully featured mail platform.

I guess I have to stick with OpenDKIM :-)

Kind regards

-Benoît Panizzon-


Re: [mailop] Barracuda DKIM checker reports invalid signature

2022-06-13 Thread Benoit Panizzon via mailop
Hi Sebastien

> One common issue is Canonicalization. Try setting your to relaxed/relaxed and 
> it solves many issues. Many of these things "downconvert" the emails into 
> 7BITMIME and also munge certain whitespace characters, which can b0rk the 
> signatures.
> 
> So try setting to relaxed/relaxed and see what happens.

Thank you for that hint! Tested with an affected customer. Barracuda
now also accepts the signature we generate as valid.

Kind regards

-Benoît Panizzon-
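Why relaxed canonicalization survives the whitespace munging described in the reply above, as an added example that is not part of the thread: the block implements the RFC 6376 simple and relaxed header and body canonicalization in Python and compares the body hash (bh=) and the canonicalized signed headers of a message before and after an intermediary collapses whitespace. The message text, the h= header set and the munging are constructed for the illustration.

```python
import base64
import hashlib
import re

# Constructed sample (not from the thread): the message as the signing MTA
# saw it, CRLF line endings, headers and body separated by an empty line.
ORIGINAL = (
    "From: alice@example.net\r\n"
    "Subject:  Quarterly   report\r\n"
    "\r\n"
    "Hello Bob,\r\n"
    "Please  find the   figures attached.\r\n"
    "\r\n"
    "\r\n"
)

# The same message after an intermediary collapsed runs of whitespace and
# dropped the trailing empty lines (the munging the reply above describes).
MUNGED = (
    "From: alice@example.net\r\n"
    "Subject: Quarterly report\r\n"
    "\r\n"
    "Hello Bob,\r\n"
    "Please find the figures attached.\r\n"
)

# Header fields the hypothetical signature covers (its h= tag).
SIGNED_HEADERS = ["from", "subject"]


def split_message(msg):
    """Return ([(name, raw_value), ...], body) for a CRLF-terminated message."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def canon_body(body, canon):
    """RFC 6376 body canonicalization: 'simple' (3.4.3) or 'relaxed' (3.4.4)."""
    if canon == "relaxed":
        # collapse runs of WSP to one SP and drop WSP at the end of each line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
        body = "\r\n".join(lines)
    body = re.sub(r"(\r\n)+$", "", body)            # ignore trailing empty lines
    if body == "":
        return "\r\n" if canon == "simple" else ""
    return body + "\r\n"


def canon_headers(headers, canon, names):
    """Canonical form of the signed header fields in h= order (RFC 6376 3.4.1/3.4.2)."""
    out = []
    for wanted in names:
        for name, value in reversed(headers):       # DKIM takes the last instance
            if name.lower() != wanted:
                continue
            if canon == "relaxed":
                value = re.sub(r"\r\n[ \t]+", " ", value)     # unfold
                value = re.sub(r"[ \t]+", " ", value).strip(" ")
                out.append(f"{name.lower()}:{value}\r\n")
            else:
                out.append(f"{name}:{value}\r\n")   # simple: byte-for-byte
            break
    return "".join(out)


def body_hash(msg, canon):
    """The bh= value a signer computes for this message under `canon`."""
    _, body = split_message(msg)
    digest = hashlib.sha256(canon_body(body, canon).encode()).digest()
    return base64.b64encode(digest).decode()


def signature_survives(signed_msg, received_msg, canon):
    """True if everything a signature over signed_msg covers is unchanged in received_msg."""
    h_signed, _ = split_message(signed_msg)
    h_recv, _ = split_message(received_msg)
    same_body = body_hash(signed_msg, canon) == body_hash(received_msg, canon)
    same_head = (canon_headers(h_signed, canon, SIGNED_HEADERS)
                 == canon_headers(h_recv, canon, SIGNED_HEADERS))
    return same_body and same_head


if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        print(f"{canon}/{canon}: signature survives munging ->",
              signature_survives(ORIGINAL, MUNGED, canon))
```

Under simple/simple both the header and the body hash change, so the verifier at the receiving end sees a broken signature although the signer did nothing wrong; under relaxed/relaxed the canonical bytes are identical before and after the munging.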


[mailop] Barracuda DKIM checker reports 'invalid signature'

2022-06-13 Thread Benoit Panizzon via mailop
Hi Gang

Maybe I could ask for some help here...

We have a DKIM issue with recipients which use Anti-Spam Products from
Barracuda Networks.

All tests we could find, confirm that we configured Domainkey correctly
for the domain imp.ch and signatures are valid. Google is happy with
our signatures.

Still on recipients using Barracuda, our emails get tagged as 'spam'
because:

X-ASG-Block: DomainKeys (Invalid signature (imp.ch))

We asked a customer to open a case with Barracuda and all what they
returned was, that our signature is invalid, which we know, is not the
case.

Does anyone know, what could cause Barracuda to fail checking our
Domainkey signature? (this email should also be signed).

Kind regards

-Benoît Panizzon-


Re: [mailop] Spamhaus: Get more details about LISTING (Could a DMARC Report Address point to a spamtrap)?

2022-05-19 Thread Benoit Panizzon via mailop
Following up to this issue...

The 'comments' field while requesting a delisting is obviously not being
looked at by Spamhaus.

Opening a case via their contacts page worked smoothly and the cause
was found in a 'too aggressive rule' that has been fixed in the
meantime, but still no very clear statement, which email from our
system caused the listing.

Kind regards

-Benoît Panizzon-


[mailop] Spamhaus: Get more details about LISTING (Could a DMARC Report Address point to a spamtrap)?

2022-05-17 Thread Benoit Panizzon via mailop
Hopefully somebody from spamhaus is reading.

The 2nd day in a row, our main mail platform IP address is listed and
outlook.com blocks all emails.

Spamhaus only gives a timestamp +/- 5 minutes.

There are A LOT OF EMAILS passing our platform in 10 Minutes.

Yesterday I found a suspect. One customer had configured his exchange
server to relay 'bounces' via our platform. That was fixed.

Today I am looking through the logs again. No suspicious emails. But in
that timespan, we send out DMARC reports.

Could it be, that someone publishes a DMARC Report address which points
to a Spamhaus Spamtrap?

For the 2nd time I requested 'more details' from Spamhaus. Is there a
chance to get such information?

Kind regards

-Benoît Panizzon-


[mailop] Business Office 365 hosted Exchange IP Addresses shared between customers? Lateral damage on spam sending customer.

2022-03-29 Thread Benoit Panizzon via mailop
Hi List

One of the local electricity plants is sending invoices via hosted
Office 365 email services to its customers, many hosted on our email
platform. It's a larger Office 365 customer.

Many of those emails were rejected as spam. So they opened a case with
our abuse desk. I noticed their IP address was blacklisted for a
couple of days and managed to get an evidence of the email that caused
the listing.

It was definitely spam and it looks like it was sent by a different
Office 365 customer which shares the same Office 365 'outlook.com'
outbound IP address. It's not yet clear if this was due to one of their
accounts being phished or if they 'purchased' web-harvested spamtrap
addresses somewhere.

Can Office 365 customers request a static IP address from Microsoft to
avoid such issues, or is this something they have to live with?
Unfortunately they also seem not to get any support from Microsoft when
facing such an issue.

Kind regards

-Benoît Panizzon-


[mailop] Anyone from BT UK on this list?

2022-03-10 Thread Benoit Panizzon via mailop
Hi

Please contact me regarding BT 'Customer-Resolutionteam' directing to
open support cases via Community Support Site, but Email Verification
failing with:

RCPT from outbound-dkim.eu.khoros-mail.com[34.246.32.154]: 450 4.1.8 
: Sender address rejected: Domain not found; 
from= 

community-mail.bt.com descriptive text "v=spf1 ip4:46.19.168.0/22 
include:eu.khoros-mail.com -all"

I guess only a TXT entry, no MX, no A or  no CNAME is not good
enough!

Kind regards

-Benoît Panizzon-


Re: [mailop] So how do you actually manage to send mails to outlook/hotmail?

2021-07-12 Thread Benoit Panizzon via mailop
Hi Marcus

I had a similar issue some time ago.

Google uses some 'Domain Reputation' voodoo.

I used to operate an automated spam feedback loop from my spamtrap,
under a specific hostname in my domain. One only used for those reports.

Unfortunately, it looks like some 'abuse contact addresses' as reported
by RIPE or abusix.org which use Gmail flagged my reports as spam,
pulling down the reputation not only of that single host and IP
address, but of the whole 1st level domain it was attached to. And
because this was a privately used domain with a handful of email
traffic per day, those few emails never made enough traffic for Google
to improve the reputation.

Solution was:

* Stopped that Feedback Loop so that some rogue abuse contact flagging
  them as spam would not keep pulling down the reputation.
* Sent a couple of emails to some friends' Google email addresses and
  asked them specifically via another channel to flag those emails as
  non spam. This fixed the Google reputation of my domain in a week or
  so.

I guess there is not much more you can do. I attempted to contact the
google abuse desk to discuss the issue and persuade them of the
advantage to exempt ARF X-ARF and other messages types usually used to
send spam evidence or logfiles from their spam-checking and also maybe
detect if one of their email addresses is published as abuse contact @
RIPE or abusix.org and handle incoming emails accordingly.

But as always ab...@google.com is /dev/null

Kind regards

-Benoît Panizzon-


Re: [mailop] Technical Contact to paddle.com mail platform operator?

2021-07-06 Thread Benoit Panizzon via mailop
Hi

> 2021-06-29         mta214a-ord.mtasv.net [104.245.209.214]
> 2021-06-29         mta216a-ord.mtasv.net [104.245.209.216]
> 2020-11-25         mta200a-ord.mtasv.net [104.245.209.200]

Thank you. I can confirm, other customers (other domains on our
platform) are getting email from those IP Addresses.

So maybe Postmark put the domain of that recipient on an internal
blacklist?

We had such an issue with AWS SES some time ago, where one of our
wholesale ISP customer's email domain was put on a SES internal
'do not send' list because 'they got a lot of spam complaints' from
recipients in that domain. No AWS SES Customer could send emails to
this domain and didn't get any useful error message. It took months for
Amazon to look into that issue and solve it.

Kind regards

-Benoît Panizzon-


[mailop] DigitalOcean: Marketing Emails to abuse email address after contacting their abuse department?

2021-06-22 Thread Benoit Panizzon via mailop
Hi List

I guess some of you have also contacted DigitalOcean's abuse desk in the
past. We did so from our abuse desk email address.

I was quite surprised, to find our abuse desk email address subscribed
to DigitalOcean's:

* Educational Resources
* Events and Meetups
* User Research Surveys
* Webinars
* The Digital Ocean Newsletter

I guess their marketing people are just too overenthusiastic and just
subscribe every email address which somehow contacted them to most of
their marketing channels.
I am quite sure this fails GDPR, as reporting an abuse for sure does
not count as an agreement to receiving marketing emails.

Kind regards

-Benoît Panizzon-


[mailop] Zendesk being abused to distribute PDF malware

2021-05-25 Thread Benoit Panizzon via mailop
Hi List

I just tumbled over a new way those attackers have found to distribute
their PDF to avoid being blocked by spam filter and virus scanner (or
maybe just a coincidence?)

The attacker sends an email to a Zendesk support site, with the PDF
attachment and a huge list of recipients CC.

The Zendesk case tracker then replies to all CC addresses by sending a
link to the PDF now stored on the Zendesk platform.

Kind regards

-Benoît Panizzon-


[mailop] Registered @ Microsoft JMRP - blacklisted without feedback received

2021-05-11 Thread Benoit Panizzon via mailop
Dear List

One of our main smtp outbound ip addresses is blocked by microsoft.

host outlook-com.olc.protection.outlook.com[104.47.10.33] said: 550 5.7.1
Unfortunately, messages from [157.161.12.84] weren't sent. Please contact
your Internet service provider since part of their network is on our block
list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[DB5EUR03FT006.eop-EUR03.prod.protection.outlook.com] (in reply to MAIL
FROM command)

I checked our JMRP entries. This IP is listed as one of our
mailservers. The complaint rate is < 0.1% but it had 2 'trap' hits and
is in status red.

Our abuse desk email address is registered for the ARF feedback loop
for the ip range in question.

We usually get a lot of feedback loop emails, mostly false positives of
Microsoft users mixing up 'junk' with their trash folder or similar, or
moving all their old mail to 'junk' causing an avalanche of complaints
being sent. I opened several cases with Microsoft about this, but never
got any solution offered (as a sidenote rant).

But no, there were no complaints about: 157.161.12.84 received.

Does anyone know, how to get hold of the emails that caused this
blocking?

Kind regards

-Benoît Panizzon-


[mailop] Weird 'tempfail too many recipients' bug/incompatibility EXIM => Postfix?

2021-01-19 Thread Benoit Panizzon via mailop
Hi Gang

I wonder if anyone else has seen this kind of issue between EXIM
and Postfix.

Sender uses Exim, Version unknown
Recipient uses Postfix 3.1.0

Email is sent to a lot of recipients. Postfix is configured to only
accept a certain amount of recipients.

Surplus recipients get rejected by: 452 4.5.3

When it comes to the first recipient being tempfailed, in the postfix
logs, I see that recipient being rejected, but at the same time the
EXIM log show a 200 OK message for that same recipient.

Postfix of course does NOT deliver the email to that recipient it
tempfailed and EXIM never retries that recipient because it got a 200
OK.

I have not been able to sniff such a connection yet and I guess I will
have to reproduce the issue to see what really happens 'on the wire'

But I wonder if such a bug is known with either EXIM or Postfix.

Kind regards

-Benoît Panizzon-
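The per-recipient reply handling a sending MTA needs for the 452 4.5.3 case above, as an added example that is neither Exim nor Postfix code: a toy receiving server that accepts at most N RCPT TO per transaction and tempfails the rest, a hypothetical naive sender that ignores the per-recipient replies (to show the lost-recipient symptom), and a sender that records each RCPT reply and re-runs the transaction for the tempfailed ones. Server limit, addresses and message are constructed.

```python
from collections import deque


class RecipientLimitedServer:
    """Toy receiving MTA standing in for Postfix with a recipient limit: the
    first `limit` RCPT TO commands of a transaction get 250, later ones 452."""

    def __init__(self, limit):
        self.limit = limit
        self.delivered = []   # (recipient, message) pairs accepted at DATA
        self._rcpts = []

    def mail_from(self, sender):
        self._rcpts = []      # MAIL FROM starts a fresh transaction
        return "250 2.1.0 Ok"

    def rcpt_to(self, rcpt):
        if len(self._rcpts) >= self.limit:
            return "452 4.5.3 Error: too many recipients"
        self._rcpts.append(rcpt)
        return "250 2.1.5 Ok"

    def data(self, message):
        if not self._rcpts:
            return "554 5.5.1 Error: no valid recipients"
        self.delivered.extend((r, message) for r in self._rcpts)
        self._rcpts = []
        return "250 2.0.0 Ok: queued"


def naive_send(server, sender, recipients, message):
    """Hypothetical sender that never looks at the per-RCPT replies: it sends
    DATA once and believes every recipient was accepted. Returns the list of
    recipients it *thinks* were delivered."""
    server.mail_from(sender)
    for rcpt in recipients:
        server.rcpt_to(rcpt)       # reply ignored: this is the failure mode
    server.data(message)
    return list(recipients)


def careful_send(server, sender, recipients, message, max_rounds=10):
    """Sender that records the reply to each RCPT TO, sends DATA only for the
    accepted ones, and re-runs the transaction for those that got a 4xx.
    Returns dict recipient -> final reply string."""
    pending = deque(recipients)
    status = {}
    for _ in range(max_rounds):     # guard against a server that never accepts
        if not pending:
            break
        server.mail_from(sender)
        accepted, deferred = [], []
        for rcpt in pending:
            reply = server.rcpt_to(rcpt)
            status[rcpt] = reply
            if reply.startswith("250"):
                accepted.append(rcpt)
            elif reply.startswith("4"):
                deferred.append(rcpt)   # temporary: try again in a new transaction
            # 5xx replies stay in status as permanent failures, not retried
        if accepted:
            server.data(message)
        pending = deque(deferred)
    return status


def undelivered(server, claimed):
    """Recipients a sender claims delivered that the server never queued."""
    got = {r for r, _ in server.delivered}
    return [r for r in claimed if r not in got]


if __name__ == "__main__":
    # constructed recipients; the server accepts two per transaction
    rcpts = [f"user{i}@example.ch" for i in range(1, 6)]
    s1 = RecipientLimitedServer(2)
    print("naive sender lost:", undelivered(s1, naive_send(s1, "a@example.net", rcpts, "hi")))
    s2 = RecipientLimitedServer(2)
    st = careful_send(s2, "a@example.net", rcpts, "hi")
    print("careful sender lost:", undelivered(s2, list(st)), "queued:", len(s2.delivered))
```

The naive sender's own bookkeeping is exactly the log discrepancy described above: its record says every recipient got an OK while the server has queued only the first N.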


[mailop] Revisiting: outlook_hexstr...@outlook.com email addresses

2020-10-06 Thread Benoit Panizzon via mailop
Hi List

I already mentioned this issue some time ago, and now I am seeing this
more often again.

Sometimes the From: Header and envelope-from from Outlook.com customers
do NOT contain their email address but a strange hex string.

This is an authentic email from one of our customers.

So I wanted to check once more, if anyone else sees this issue and
might know the cause.

Example:

Subject:Festnetz-Telefon Verbindungen
X-MS-Traffictypediagnostic: VI1EUR04HT146:
X-MS-Has-Attach:
X-MS-Exchange-Transport-Forked: True
Content-Language:   de-CH
X-MS-Exchange-Organization-SCL: 0
X-MS-Tnef-Correlator:   
X-MS-Exchange-Crosstenant-ID:   84df9e7f-e9f6-40af-b435-

From:   " X" 

^ Replaced customer Realname by 

Thread-Index:   AQHWm712p1p8FZTrvUaHFiq8mGCsHA==
X-MS-Exchange-Antispam-Messagedata: 
2C0ekzREJlcdXHzHAui5qq0ZggocQcvyAOlAo4i6jR1ON0x30mhnn2Wmk/nJLCGWNItGt6RGeYvnqdHhPL8uO78ONUBheCh/nvPIG2SxM86BwwkrWpbT1NZzuqcIrsm7vZg+rq3b9pMoPypOOAmBIg==
X-MS-Exchange-Crosstenant-Authas:   Anonymous
Date:   Tue, 6 Oct 2020 09:01:01 +
X-Eopattributedmessage: 0
X-MS-Exchange-Crosstenant-Fromentityheader: Internet

Received:   from EUR04-VI1-obe.outbound.protection.outlook.com 
(mail-oln040092075071.outbound.protection.outlook.com [40.92.75.71]) (using 
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client 
certificate requested) by asterix.imp.ch (Postfix) with ESMTPS id BA549C571C 
for ; Tue, 6 Oct 2020 11:01:09 +0200 (CEST)
Received:   from VI1EUR04FT036.eop-eur04.prod.protection.outlook.com 
(2a01:111:e400:7e0e::42) by VI1EUR04HT146.eop-eur04.prod.protection.outlook.com 
(2a01:111:e400:7e0e::394) with Microsoft SMTP Server (version=TLS1_2, 
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.25; Tue, 6 Oct 2020 
09:01:01 +
Received:   from DBAP195MB1033.EURP195.PROD.OUTLOOK.COM 
(2a01:111:e400:7e0e::47) by VI1EUR04FT036.mail.protection.outlook.com 
(2a01:111:e400:7e0e::423) with Microsoft SMTP Server (version=TLS1_2, 
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.34 via Frontend 
Transport; Tue, 6 Oct 2020 09:01:01 +
Received:   from DBAP195MB1033.EURP195.PROD.OUTLOOK.COM 
([fe80::84d4:cadc:b5a:a661]) by DBAP195MB1033.EURP195.PROD.OUTLOOK.COM 
([fe80::84d4:cadc:b5a:a661%7]) with mapi id 15.20.3433.045; Tue, 6 Oct 2020 
09:01:01 +

X-MS-Exchange-Crosstenant-RMS-Persistedconsumerorg: 
----
X-MS-Exchange-Crosstenant-RMS-Persistedconsumerorg: 
----
Arc-Message-Signature:  i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
s=arcselector9901; 
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=sOQZZbCYpxeAe3oZFZJUS3yAg0XSLEdlBGD/lzza4JU=; 
b=JZEH4EyrK0UmlapGNqNnD+FET+69mmUgnNmi4M9E5ataPi9Z8RwF9f7S/xYeg5rmjOl/0pbCbMKM790p9kKXt+fir5RNitHqb0wbqMPDEDOS632r2uIsadPxUX8FJmsCxsX4G8+5dg8HP071XsWOoAHb9US810Vhr3hlo+0t92yWIGG/JfXI4k8Ys/XQjvP6ciWiYrX1nYsIlF+sljpga+E9FyZiZa7Ze0Si8Vc7+R1tmoKfhkpszy00vgpU8eTVwr0Lqv1xaocxjmrcNk82sKJbwkNEtzdMuuw3x3HsRPIzarEXvWG3gb17cZJlcFDulsBzN6RE8VZKc+Ul19KAoQ==
Message-ID: 

X-Incomingtopheadermarker:  
OriginalChecksum:987E4C7A0A57C499261D9A59884FEC8A43EC88967D5B62C7E8075E520036F452;UpperCasedChecksum:FDC8CCA546C6CFE18F2654627825320A983BD673DF04B3CDADD5341D4AF1E703;SizeAsReceived:6597;Count:41
Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; 
dkim=none; arc=none
Dmarc-Filter:   OpenDMARC Filter v1.3.1 asterix.imp.ch BA549C571C
MIME-Version:   1.0
X-Originatororg:outlook.com
X-Microsoft-Antispam:   BCL:0;
X-MS-Exchange-Crosstenant-Originalarrivaltime:  06 Oct 2020 09:01:01.4923 (UTC)
X-Microsoft-Antispam-Message-Info:  
3U4mmURNGzzC1t0Ornis4ZhsnpQ7QL3jRopt313FOtG/FMbMZOlQx4yCHaL6glH9+e0kVYszNR5TrSeDoA1V6Uzh2QUzLyjBzeomXnz8hZt2gRwOFDaW8Ekwl4ptaCtNbOrmCJ3mkw57Jmjry53pxexWP2u12luWy+X+oOGcGvFuUFRfdMy1A7vIKwNyrzCJyjBshOryE7VfftcH1LcZgvzXuD+L9tBhjB4i3czUq62YUk8JFBnH2KHQxfZhhBBJ
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; 
s=selector1; 
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=sOQZZbCYpxeAe3oZFZJUS3yAg0XSLEdlBGD/lzza4JU=; 
b=Inv2RzGVo7P+jY/B44V48Y4eZxgY5QTHaA+xdLG9Tu7uwn8xj+TE4XaX95oLk52XDh8Mza0HUhjJoRFVeO8mLRvSyIpwgsEsEgoBrfm8Ha1cYbKTkbNQuSAv3K18u9M4KGBSfp5aSovtCJkfem99K4T3GiK56S0A8LkjhtVu7rZ9W8rKY1JLhyyp+S806G+z/HY7VlkVjDJ1ebNoP3VnJww8RB/SIYuKSPoL2FeMxldiCeVCXF/dUQnqFTyPuZyqeCfvbXF6jLrsZn+O92h5OlWIv6IFO0PCzAb1sSsvkdKnijYqwseYjJeKsaw058LWAF6fDQytCcUB7FotzrmzrQ==
X-Greylist: Sender IP whitelisted by DNSRBL, not delayed by 
milter-greylist-4.5.11 (asterix.imp.ch [0.0.0.0]); Tue, 06 Oct 2020 11:01:10 
+0200 (CEST)
X-MS-Office365-Filtering-Correlation-ID:
16b0e999-96f4-47ef-702e-08d869d65956

X-Original-Envelope-Sender: outlook_3dddb25f0278f...@outlook.com
Thread-Topic:   Festnetz-Telefon Verbindungen
To: 

Re: [mailop] Any chance that Microsoft would tell its customer that the 'junk' folder creates complaints?

2020-09-24 Thread Benoit Panizzon via mailop
> Would that even change the customer behaviour? I doubt so.
> Maybe if they make it so user has to click 5 times through warnings 
> before it ends to the junk folder, while trash is only 1 click away. 
> But, if they do that, people would also probably stop reporting junk.

I am sure this would significantly lower the number of such
'false' complaints. Not completely eliminate them of course.

Kind regards

-Benoît Panizzon-


[mailop] Any chance that Microsoft would tell its customer that the 'junk' folder creates complaints?

2020-09-24 Thread Benoit Panizzon via mailop
Hi Gang

We had one more case of one of our customers sending commercial
newsletters resulting in us getting complaints from hotmail.com etc.
users.

We confronted our customer and requested a proof of opt-in for the
Microsoft recipients. Our customer ignored this.

So on the next occurrence, we blocked our customer's account and
reported back to the complaining hotmail.com customer that we had
blocked our customer's account for spamming.

Now the Microsoft customer contacted us, that he had indeed subscribed
to the newsletter of our customer and still wanted to receive it. So we
checked with the recipient WHY he kept reporting those emails as spam
and he told us, that after he reads newsletter he didn't want to keep,
he put them in the 'junk' folder as he considered them 'junk'. He was
NOT aware that this would cause a complaint NOR could he find any such
information.

Is there any chance such incidents could be avoided by Microsoft
showing a pop up or similar, that a complaint to the sending ISP is
being generated when moving an email to the 'junk' folder?

Or that Microsoft would CC his own customer in that complaint sent?

Kind regards

-Benoît Panizzon-


[mailop] firebasestorage.googleapis.com any legitimate uses?

2020-08-27 Thread Benoit Panizzon via mailop
Hi List

In the last couple of days we face an increasing amount of phishing
sites hosted @ firebasestorage.googleapis.com targeting our customers.

They get taken down rather quickly when added to phishtank.com, but
still they are valid for one or two days after reception, long enough
for stup** customers to send in their credentials.

*.googleapis.com is whitelisted so it won't get blacklisted by our RBL
blacklist.

Now I start to wonder, is this URI also being used in legitimate
emails, or is it uniquely used in phishing emails and similar?

I could manually add firebasestorage.googleapis.com to the blacklist
which would have precedence over the wildcard whitelist entry.

Kind regards

-Benoît Panizzon-


Re: [mailop] ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Benoit Panizzon via mailop
Hi Rob

This works like a charm, blocking a lot of: bounces+8465718 atm.

Thank you for your excellent plugin!

Kind regards

-Benoît Panizzon-


Re: [mailop] Just how does SendGrid fail this badly?

2020-08-20 Thread Benoit Panizzon via mailop
On Tue, 18 Aug 2020 11:01:19 -0700,
Luke via mailop wrote:

> In the Return-Path. "bounces+1234567" the number following bounces+ is the
> SendGrid account ID.

Return-Path: 

Does the c581 part also belong to the account id?

I might consider trying to extract this on my spamtrap and collect them
to see if there are accounts that keep sending phishing emails for long
times.

What I also wonder: How is a customer required to identify himself
@sendgrid before he can start sending emails?

Did they start providing 'testing' accounts which don't require any
kind of identification and which can be automatically mass created via
an API or similar?

(Yes, they just could go on a run an open smtp relay then :-) )

I know Mailchimp ran into a similar issue some time ago, but it looks
like they managed to solve that problem.

Kind regards

-Benoît Panizzon-
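Extracting and aggregating the SendGrid account ID from spamtrap hits, as the reply above considers doing; this is an added example, not the list member's spamtrap code. It parses constructed log lines, takes the digits directly after `bounces+` as the account ID (the remainder of the local part is assumed to be per-message and is ignored), and reports accounts that keep hitting the trap over a long period.

```python
import re
from datetime import datetime

# Constructed spamtrap hit log (not real data): ISO timestamp and the
# envelope sender (Return-Path) of each message that hit a trap address.
TRAP_LOG = """\
2020-06-03T08:12:41Z trap-hit from=<bounces+1234567-c581-user=example.ch@sendgrid.net>
2020-06-20T11:02:05Z trap-hit from=<bounces+1234567-9ab2-user=example.ch@sendgrid.net>
2020-07-14T16:45:09Z trap-hit from=<bounces+7654321-0001-bob=example.org@sendgrid.net>
2020-08-10T09:30:00Z trap-hit from=<bounces+1234567-77ff-carol=example.net@sendgrid.net>
2020-08-11T07:05:13Z trap-hit from=<noreply@example.com>
"""

LOG_RE = re.compile(r"^(\S+) trap-hit from=<([^>]*)>")
# Only the digits right after "bounces+" are the account ID (per the reply
# above); the "-c581-..." remainder is assumed to be per-message and skipped.
ACCOUNT_RE = re.compile(r"^bounces\+(\d+)(?:-|@)")


def sendgrid_account(return_path):
    """Account ID from a SendGrid-style Return-Path, or None for anything else."""
    m = ACCOUNT_RE.match(return_path)
    return m.group(1) if m else None


def parse_hits(log):
    """Yield (timestamp, account_id) for every trap hit with a SendGrid-style sender."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        account = sendgrid_account(m.group(2))
        if account is None:
            continue                      # not a SendGrid bounce address
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), account


def account_activity(log):
    """Per account: number of hits plus first and last time seen."""
    acc = {}
    for ts, account in parse_hits(log):
        entry = acc.setdefault(account, {"hits": 0, "first": ts, "last": ts})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return acc


def persistent_accounts(log, min_hits=2, min_days=30):
    """Accounts with at least min_hits trap hits spread over at least min_days,
    i.e. the long-running senders rather than one-off incidents."""
    result = []
    for account, e in account_activity(log).items():
        span_days = (e["last"] - e["first"]).days
        if e["hits"] >= min_hits and span_days >= min_days:
            result.append((account, e["hits"], span_days))
    return sorted(result, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for account, hits, days in persistent_accounts(TRAP_LOG):
        print(f"account {account}: {hits} trap hits over {days} days")
```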


Re: [mailop] New SendGrid IP(s) detected sending phishing last 24 hours..

2020-08-13 Thread Benoit Panizzon via mailop
Here's my contribution (Reversed IP)

Last 6 months for a single hit, possibly longer back if there are more
hits.
This is just the 'hits' by spamtrap or customer report database, not
the actual blacklisted ip addresses. Most of them did not get
blacklisted because of positive dnswl.org crosscheck.


With kind regards

-Benoît Panizzon-

[mailop] Delisting request from sendgrid customer about ip used in recent phishing campaign.

2020-08-11 Thread Benoit Panizzon via mailop
Hi List

o1678912x138.outbound-mail.sendgrid.net [167.89.12.138], an IP under the
control of sendgrid, was repeatedly involved in phishing and other spam
since June.

It ended up being blacklisted @ SWINOG.

Now a sendgrid customer complains to us that his emails are being
rejected because of this listing.

But that makes me wonder: Doesn't sendgrid deal with such issues, like
asking for delisting after blocking the sender itself, and re-uses
recently (last phish received on 14 July) 'abused' IP addresses for
other customers?

With kind regards

-Benoît Panizzon-


Re: [mailop] Outlook 2016: Excessive IMAP connections

2020-08-11 Thread Benoit Panizzon via mailop
Hi Tim

No, ICMP is not being blocked. At least not on the IMAP server side.

Yes, IPv6 is in use, but the affected customers mostly don't use IPv6 and
don't use mobile networks.

But since we increased to 50 connections per user+ip the complaints are
almost gone.
As I understand it, Outlook 2016 opens one connection per IMAP folder to
get instantly notified (was this via the IDLE command?) when something
changes in the folder.

So maybe a coincidence and many customers started exceeding the 20
folder limit?

With kind regards

-Benoît Panizzon-


[mailop] Outlook 2016: Excessive IMAP connections

2020-08-07 Thread Benoit Panizzon via mailop
Hi Gang

We use DoveCot as IMAP Server and have limited the number of
connections per IMAP account to 20 which looks to have been sufficient
in the past couple of years.

For about two weeks now we have been getting an increased number of users
complaining about IMAP connection problems and an (0x8...) error message
which Outlook 2016 throws at them.

When looking at the log, we see those users sometimes hit the 20 IMAP
connections limit. So we increased this limit to 50 connections per
user+ip and they still hit it.

This ONLY happens with customers using outlook 2016. Any other clients
never hit this issue.

So I wonder if Microsoft has rolled out some weird update for Outlook
2016 lately or if anyone could have a hint on what causes this issue
and how to solve it.

With kind regards

-Benoît Panizzon-


Re: [mailop] Digital Ocean Broken Bot attack, just in case it's you and not me..

2020-07-09 Thread Benoit Panizzon via mailop
> >Range,  192.241.227.0/24  
> 
> One connect each on Thu, Sat, Sun, and Mon.  Did EHLO after banner, then
> closed the connection.  

116 connections between 27 June and 1 July to my spamtrap / honeypot,
mostly sending "EHLO zg-0626-127" and then disconnecting.

With kind regards

-Benoît Panizzon-


Re: [mailop] Is Gmails DMARC check broken?

2020-06-03 Thread Benoit Panizzon via mailop
Hi Laura

> Why is Google applying a strict reject when the policy is p=none?

I think I mentioned that I reverted back to p=none quickly after I saw
such rejects. TTL is 300 :-)

-- 
-Benoît Panizzon-


Re: [mailop] Is Gmails DMARC check broken?

2020-06-03 Thread Benoit Panizzon via mailop
Hi Tim

> and I guess the domain in the HELO too?

The HELO contains the FQDN of the sending machine, which is
not the same as the domain of the envelope sender or From: header.

The HELO needing to match anything for DMARC or SPF would be quite new
to me.

-- 
-Benoît Panizzon-


[mailop] Is Gmails DMARC check broken?

2020-06-02 Thread Benoit Panizzon via mailop
Hi Gang

I'm in the process of deploying DMARC more widely and also testing DKIM
once again, also on our ISP email service domains.

So at the moment I'm only using DMARC with SPF. According to my
reading on how DMARC works, if no DKIM record is published, a passing
SPF record is sufficient for authentication.

But as soon as I set p=reject Gmail is rejecting all emails:

: host aspmx.l.google.com[2a00:1450:4013:c04::1a] said:
550-5.7.26 Unauthenticated email from imp.ch is not accepted due to
domain's 550-5.7.26 DMARC policy. Please contact the administrator of
imp.ch domain if 550-5.7.26 this was a legitimate mail. Please visit
550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about
the 550 5.7.26 DMARC initiative. i4si1617970edq.200 - gsmtp (in reply to
end of DATA command)

imp.ch descriptive text "v=spf1 ip6:2001:4060::/32 ip4:157.161.0.0/16 ip4:217.173.238.128/27 ip6:2a00:ec0:1::/64 -all"

_DMARC.imp.ch descriptive text "v=DMARC1; p=none; rua=mailto:dmarc-rep...@imp.ch; ruf=mailto:dmarc-rep...@imp.ch; aspf=s"
(reverted to p=none)

That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.

Any idea what is going wrong? Is Gmail's DMARC implementation broken
and REQUIRES DKIM, violating the RFC?

With kind regards

-Benoît Panizzon-


[mailop] Google: 'Low reputation of the sending domain'

2020-06-02 Thread Benoit Panizzon via mailop
Hi Gang

My personal mailserver has not been able to send any emails to gmail
accounts for several months. I was hoping this would solve itself
eventually. It did not.

There are no breaches or spam or anything sent from that server. I
would know as I am part of the AS6772 Abuse Desk. :-) Just the
dozen or so emails per day sent by my family members and myself.

Even emails to my own Gmail account, where my sending email address for
sure is a known past sender, are being blocked.

The Error:

   - Transcript of session follows -
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA  
<<< 550-5.7.1 [2001:4060:dead:beef::1  19] Our system has detected that this
<<< 550-5.7.1 message is likely suspicious due to the very low reputation of the
<<< 550-5.7.1 sending domain. To best protect our users from spam, the message has
<<< 550-5.7.1 been blocked. Please visit
<<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. ds3si1043668ejc.545 - gsmtp
554 5.0.0 Service unavailable

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.e.e.b.d.a.e.d.0.6.0.4.1.0.0.2.ip6.arpa domain name pointer magma.woody.ch.

magma.woody.ch has address 157.161.57.1
magma.woody.ch has IPv6 address 2001:4060:dead:beef::1

No DNS PTR issue I guess :-)

I have registered woody.ch and magma.woody.ch with Gmail Postmaster
Tools about one month ago, in the hope that eventually I would get some
hint to the cause.

'Spamrate', 'IP Reputation' and 'Domain Reputation' (all other items
too) still show 'there is no data available yet'.

Not listed in any blacklists @ MXToolbox.

An SPF record has existed for several years.

woody.ch descriptive text "v=spf1 ip4:157.161.57.0/27 ip6:2001:4060:dead::/48 -all"

Yesterday, after re-reading google email recommendations, I also added a
DMARC entry:

_dmarc.woody.ch descriptive text "v=DMARC1; p=reject; rua=mailto:paniz...@woody.ch; ruf=mailto:paniz...@woody.ch; aspf=s"

Still the problem persists as of a couple minutes ago.

DKIM is not a solution. I faced too many problems with mailinglists
and similar which did alter the header and broke DKIM signatures.

Has anyone a hint what could be the cause for this problem?

And yes, disabling IPv6 seems to solve the issue, but that is the wrong
way dealing with it :-)

With kind regards

-Benoît Panizzon-


Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)

2020-02-20 Thread Benoit Panizzon via mailop
Hi

Just a clarification on the issue, as we just got a 2nd similar
complaint from another Tor Exit node operator (obviously same attacker
being routed through another exit, guessing from the involved email
addresses).

The Spamtrap / HoneyPot in question not only listens to port 25 but also
listens on port 465 (smtps) and 587 (submission).

If an attacker is doing some dictionary attack on this to check for
valid passwords (every authentication attempt is accepted) or attempts
to relay spam mails (every relay attempt is answered with 200 OK), he
is being blacklisted and an ARF report is sent to the abuse contact of
the submitting IP range.

This is what causes those reports, not emails received on port 25.

But I guess just silently blacklisting Tor exit nodes and not sending
an ARF report to the ISP could be an option to solve that issue.

With kind regards

-Benoît Panizzon-


[mailop] Recipe vs fake From: header?

2020-02-18 Thread Benoit Panizzon via mailop
Hi List

Lately, our customers are getting an increased amount of phishing
emails, or emails containing malware with legit looking From: headers
from either banks, or even from our own customer support.

SPF would block the From email addresses if they were also used as
envelope sender. But the envelope sender, which is 'hidden' from the
customer's perspective, is different and does match SPF.

So we get complaints why we let such emails with faked From: header
through our content filter.

As we use MIMEDefang as filter, we can easily match From and envelope
sender and do something with it, like increasing spam score.

But:
* A lot of ESPs sending newsletters have different From and
envelope senders to manage bounces.
* Mailing lists use different From headers.
* SRS

So another thought was to append the String 'Possible fake sender' to
the From: Header string.
But also this would match an awful lot of legitimate newsletters and
possibly break DKIM signatures.

Has anyone come up with a clever recipe for this issue?

With kind regards

-Benoît Panizzon-
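As an added illustration (not code from this post or from the 2020-06-02 DMARC thread), a small DMARC evaluator showing what both threads turn on: without DKIM, a passing SPF satisfies DMARC only when the envelope-sender domain aligns with the From: domain (exactly, under aspf=s), and a From/envelope mismatch on its own is not a phishing signal, because legitimate ESP and mailing-list traffic looks exactly like that and relies on an aligned DKIM signature instead. All domains, addresses, IPs and policies are constructed sample values.

```python
"""DMARC alignment evaluation for the cases raised in the threads above.
Added example, not code from the list posts; every domain, address, IP and
policy below is a constructed sample value."""

from dataclasses import dataclass, field
from typing import Dict, List

# Stand-in for SPF lookups: envelope-sender domain -> IPs its SPF record authorises.
# (A real receiver evaluates the published SPF record; this keeps the example offline.)
SPF_TABLE: Dict[str, set] = {
    "imp.example": {"2001:db8:4060::139"},
    "mailop.example": {"192.0.2.10"},
    "bounce.esp.example": {"198.51.100.5"},
    "attacker.example": {"203.0.113.7"},
}

# Published DMARC records of the sample From: domains.  aspf=s (as in the
# 2020-06-02 post) demands strict SPF alignment; adkim defaults to relaxed.
DMARC_TABLE: Dict[str, Dict[str, str]] = {
    "imp.example": {"p": "reject", "aspf": "s", "adkim": "r"},
    "brand.example": {"p": "quarantine", "aspf": "r", "adkim": "r"},
    "bank.example": {"p": "reject", "aspf": "r", "adkim": "r"},
}


@dataclass
class Message:
    client_ip: str
    mail_from: str                      # RFC5321.MailFrom (envelope sender)
    header_from: str                    # RFC5322.From (what the user sees)
    dkim_domains: List[str] = field(default_factory=list)  # d= of VALID signatures


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (a real
    implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the
    same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def spf_pass(msg: Message) -> bool:
    return msg.client_ip in SPF_TABLE.get(domain_of(msg.mail_from), set())


def dmarc_result(msg: Message) -> str:
    """'pass', 'fail:<policy>' or 'none' when the From: domain publishes no record."""
    from_domain = domain_of(msg.header_from)
    record = DMARC_TABLE.get(from_domain)
    if record is None:
        return "none"
    # Path 1: SPF passes AND the envelope domain aligns with From:. No DKIM needed.
    if spf_pass(msg) and aligned(domain_of(msg.mail_from), from_domain, record["aspf"]):
        return "pass"
    # Path 2: a valid DKIM signature whose d= aligns with From:.
    if any(aligned(d, from_domain, record["adkim"]) for d in msg.dkim_domains):
        return "pass"
    return "fail:" + record["p"]


def sample_results() -> Dict[str, str]:
    """Constructed cases mapping to the situations discussed in the threads."""
    cases = {
        # Direct send: SPF passes and MailFrom == From:, so SPF alone is enough.
        "direct": Message("2001:db8:4060::139", "user@imp.example", "user@imp.example"),
        # The same mail relayed by a list that rewrites the envelope sender: SPF
        # passes for the list's domain, but that is not aligned with imp.example,
        # and without an aligned DKIM signature p=reject applies.
        "via_list": Message("192.0.2.10", "list-bounces@mailop.example", "user@imp.example"),
        # Newsletter: bounce domain differs from From:, DKIM d= provides alignment,
        # so the From/envelope mismatch is legitimate here.
        "esp_newsletter": Message("198.51.100.5", "b-123@bounce.esp.example",
                                  "news@brand.example", ["brand.example"]),
        # Spoofed From:, SPF passes only for the attacker's own envelope domain.
        "spoofed_from": Message("203.0.113.7", "x@attacker.example", "alerts@bank.example"),
        # From: domain without a DMARC record: receiver falls back to local policy.
        "no_policy": Message("203.0.113.7", "x@attacker.example", "info@nodmarc.example"),
    }
    return {name: dmarc_result(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, result in sample_results().items():
        print(f"{name:15s} {result}")
```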


[mailop] Opinions? Email Abuse over TOR Network? (spamtraps)

2020-02-17 Thread Benoit Panizzon via mailop
Dear List

We operate Spamtraps which feed the SWINOG Anti-Spam Blacklist.

A feedback loop is sent to the abuse-c of the IP address from which
email or attacks on spamtraps were detected.

Occasionally, spam or more often, log-in attempts and dictionary
attacks on the submission ports of the spamtraps are detected from TOR
exit nodes. So a feedback is sent to the abuse-c.

Now I got into discussion with the operator of several TOR exit
nodes. He claims that his ISP threatened to disconnect his TOR servers
because they were subject to a couple of abuse complaints from our
spamtraps.

He has no way to block the abusers on the TOR network without
completely blocking all ports involved in email abuse, which would
render sending email over TOR unusable if all TOR exit node
operators blocked those ports.

I told him to sort this out with his ISP and that his ISP would for
sure understand that he himself is not the origin of this abuse.

He told me that his ISP did not care what service he operates and for
them, only the count of complaints is the criteria to get disconnected.

So he suggests I use publicly available TOR exit node lists to block
them from accessing the spamtraps.

I understand his claim.

But I also see a benefit from our blacklists to list abused TOR exit
nodes.

So what are your opinions about this? How do other spamtrap / honeypot
operators deal with TOR exit nodes?

With kind regards

-Benoît Panizzon-


[mailop] Trendmicro Emails: "An email sent to you has been placed in quarantine by Hosted Email Security (HES)."

2020-01-16 Thread Benoit Panizzon via mailop
Hi Gang

I wonder if others have also started seeing such emails:

Source:

Received: from routemea20.hes.trendmicro.eu (routemea20.hes.trendmicro.eu [3.125.147.66])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by idefix.imp.ch (Postfix) with ESMTPS id A7510C008C
for <*HIDDEN*@imp.ch>; Wed, 15 Jan 2020 02:15:38 +0100 (CET)

Hosted on Amazon AWS. Of course they never react to inquiries.

But the PTR looks legit. So I assume they are indeed sent by Trendmicro.

Content:
-
From: 
To: 
Subject: Email quarantined
Date: Wed, 15 Jan 2020 00:51:57 + (UTC)

An email sent to you has been placed in quarantine by Hosted Email Security 
(HES).
-

Yes, this is all: no link, no hint what email we possibly could have
sent which could have caused this message. It's just 'out of the blue'.

Or do they 'backscatter' such a message for every single email they
receive?

Opened a Case with Trendmicro NOC about one week ago when this first
occurred. No reaction yet.

With kind regards

-Benoît Panizzon-


Re: [mailop] China Telecom

2019-12-23 Thread Benoit Panizzon via mailop
Hi

> Happy holidays all, 

Same to you!

> Curious, does anyone happen to have a contact or know of a proper escalation 
> route at China Telecom?  Seeing some wonkiness that I can't explain.  

Also very interested in this! Have been trying to get hold of a tech @
China Telecom for months, if not years.

With kind regards

-Benoît Panizzon-


[mailop] Benin, 197.234.221.180, AS37424, "For Jeny SAS Internet customers" Mylove@1

2019-11-28 Thread Benoit Panizzon via mailop
Hi Gang

Over the last months, I have observed many email mailbox abuses from the
"Jeny SAS" IP Range in Benin which used passwords probably obtained by
phishing attacks.

The interesting thing here is: If we block SMTP for the affected
mailbox, this usually solves the issue.

Our customer can then still log in, change his mailbox password and
thus unlock his mailbox.

Not so from this IP Range. The Attacker knows how to change the
password and changes it to "Mylove@1". So the only way is to force
change the customer's password so he has to request a new one via
customer support.

Any others with the same observation?

With kind regards

-Benoît Panizzon-


[mailop] How to get delisted @ senderscore.org?

2019-11-14 Thread Benoit Panizzon via mailop
Hi List

One IP address of our email platform got a '20' score @
senderscore.org because of emails to 'unknown recipients'.

This causes one of the major Swiss banks to put emails sent from our
customers via this IP into a quarantine folder.

So neither the sender nor the recipient notice there is a problem,
which is a bit of a serious issue, especially with business customers
needing to be in contact with their bank.

I created an account on senderscore.org and am trying to open a case to
ask for delisting. I stated that we are an ISP, but senderscore wants
to put me through a whole questionnaire targeted at email marketers
and I am still not sure that I will be able to open a case afterwards.
We are not an email marketing company.

Does anyone have a more direct contact to senderscore, or could tell me
how to open a case right away to find out with them why they listed a
single ip out of our mailserver ranges?

With kind regards

-Benoît Panizzon-


Re: [mailop] Avoiding bounces - custom spamfilter behind real-spamfilter that reject mails

2019-10-25 Thread Benoit Panizzon via mailop
> The customer, in that case, need to change from REJECT to DISCARD or 
> QUARANTINE. 

Yes, that would be an option. But from my experience, this leads to the
problem of 'disappearing' emails in case of false positives.

Usually no email admin looks into the quarantine, unless somebody
complains not receiving an email. Not ideal in case of urgent matter.

Also having a quarantine where an email admin could look into personal
emails could cause privacy issues.

Also, if a server replies with 200 OK, then the sender should be able to
expect the email to get delivered to the recipient.

With kind regards

-Benoît Panizzon-


Re: [mailop] Avoiding bounces - custom spamfilter behind real-spamfilter that reject mails

2019-10-24 Thread Benoit Panizzon via mailop
> On 24/10/2019 14:12, Benoit Panizzon via mailop wrote:
> > I also considered hacking together a small 'relay' MTA which would
> > receive the email but not reply OK to the final DATA command (RFC
> > states you can take up to 60 seconds to reply to the DATA command)  
> 
> 60 seconds? I thought the timeout there SHOULD be at least 10 minutes
> 
> https://tools.ietf.org/html/rfc5321#section-4.5.3.2.6

Yeah, sorry you're right of course. But still, if you wait that long,
you will find many submitters which disconnect and reconnect causing
email duplication.

Yes, I know 'SHOULD' not 'MUST'.

With kind regards

-Benoît Panizzon-


Re: [mailop] Avoiding bounces - custom spamfilter behind real-spamfilter that reject mails

2019-10-24 Thread Benoit Panizzon via mailop
Hi Stefan

> So the reject generates bounces at our spamfilters. Howto handle this?

Yes, I do know this issue, as we offer a similar service.

And I must admit, I have no real solution if you use some stock MTA
like postfix or sendmail which works on a store-and-forward basis.

I also considered hacking together a small 'relay' MTA which would
receive the email but not reply OK to the final DATA command (the RFC
states you can take up to 60 seconds to reply to the DATA command).

The relay MTA would perform virus / spamfiltering and then forward the
email to the destination MX.

When the Destination MX replies with OK to the DATA phase, and only
then, it would reply back, possibly forwarding the same OK messages it
received from upstream, to the sending side.

Pitfalls:

* 60 seconds according to the RFC, but not every MSA respects this. Our
  spamfilter sometimes takes a couple of seconds to scan the content after
  DATA. If it's too long, some MTAs start re-sending the email multiple times.

* You have to possibly hold many connections open.

With kind regards

-Benoît Panizzon-


[mailop] Anyone a direct contact to the Mailchimp abuse desk?

2019-10-22 Thread Benoit Panizzon via mailop
Hi All

I'm looking for a direct contact to the Mailchimp Abuse Desk, regarding
a case of a repeated spammer I opened in March this year.

Mailchimp told me they need some time to verify my evidence and
reconstruct how their customer acted.

I update that Mailchimp case on a monthly basis with the question whether
they have finally come to a conclusion. They don't react.

So if anyone from Mailchimp is reading this. Please contact me offlist.

With kind regards

-Benoît Panizzon-


Re: [mailop] Erroneous Hotmail spam/junk JMR email due to recipient error, where's the operator feedback loop?

2019-10-08 Thread Benoit Panizzon via mailop
Hi Chris

I have exactly the same issue.

I have found a hotmail user who made a rule to 'save' all emails from a
whole list of 'known friends' senders to the 'junk' folder, causing an
immediate spam complaint from Microsoft every time one of our customers
sends that hotmail user an email.

The hotmail user does not understand what she did wrong.

I had another hotmail user deleting multiple-year-old emails by moving
them all to the junk folder, causing us to receive several complaints
about emails sent by one customer that recipient was in contact with a
year or more ago.

Yet another one, reported a work report with full salary detail from
his employer, not aware that Microsoft would forward that sensitive data
to our abuse desk.

And also a nuisance are real spam emails which our users (possibly
after disabling spam filtering on their account with us) forward to
their hotmail account and then report as spam.

I have notified the Microsoft Abuse Desk about those often reoccurring
'false' complaints.
I have notified the sender of those complaints.

No reaction.

The solution would be easy:

1: Define a cut-off date. Don't send reports if a user moves an email
older than say 14 days to the spam folder.

2: If a user moves an email to the spam folder, throw a pop-up or
something similar at him and make him confirm he does want to report
that email as spam.

3: Try to make it more obvious in the documentation of that junk
folder that moving emails there will lead to a complaint to the
sender's ISP.

4: Better recognition of forwarded emails: If the origin IP Address of
the reported spam is in the same range as the MX for the original
recipient in the To: Header and the Received: header, and possibly SRS
signed From: header also all hint to a forwarding situation, please
consider the Received: of the forwarder to be trusted and report it to
the ISP of the Received: before that header.

So if anyone on that list has a better connection to Microsoft and
could hint them to those issues, that would be great.

I don't suggest Microsoft should stop reporting spam. It is a great
help. I would say about half of the reports we get are legit and help us
block phished accounts in a timely manner. But some attempts could be
done to lower the ratio of false positives.

With kind regards

-Benoît Panizzon-
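The receiving abuse desk's side of the heuristics this post asks for, as an added example (not code from the post or from Microsoft): a complaint triage that applies the 14-day cut-off from point 1 and, per point 4, treats a report whose last hop is our platform but whose To: header still names one of our own domains as forwarded mail, attributing it to the first older Received: hop that is not ours. The networks, domains and the constructed complaint bodies are sample values.

```python
"""Abuse-desk triage of an inbound spam complaint along the lines the post
proposes: drop reports about old mail (cut-off date) and, when our platform
only forwarded the message, attribute it to the hop before ours.
Added example, not code from the post or from Microsoft; networks, domains
and the sample complaint bodies are constructed."""

import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed stand-ins for the platform's own ranges and mail domains.
OUR_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
OUR_DOMAINS = {"isp.example"}
MAX_AGE = timedelta(days=14)          # point 1 of the post: cut-off date
NOW = datetime(2019, 10, 8, 12, 0, tzinfo=timezone.utc)   # constructed "today"

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_ours(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETWORKS)


def hop_ips(msg) -> list:
    """Connecting IP of each Received: header, newest hop first (header order).
    Headers without a bracketed IPv4 literal yield None."""
    ips = []
    for header in msg.get_all("Received", []):
        m = BRACKET_IP.search(header)
        ips.append(m.group(1) if m else None)
    return ips


def triage(raw_report: str, now: datetime) -> dict:
    """Decide what to do with the reported message contained in a complaint."""
    msg = message_from_string(raw_report)
    sent = parsedate_to_datetime(msg["Date"])
    if now - sent > MAX_AGE:
        return {"action": "ignore", "reason": "older than cut-off"}
    hops = hop_ips(msg)
    handed_off = hops[0] if hops else None     # hop the reporter received from
    if handed_off is None or not is_ours(handed_off):
        return {"action": "not-ours", "origin_ip": handed_off}
    # Point 4 of the post: the reporter got it from us, but the To: header still
    # names one of our own domains, so we only forwarded it.  Report to the
    # first older hop that is not ours instead of treating it as a phished account.
    to_domain = msg.get("To", "").rsplit("@", 1)[-1].strip("> ").lower()
    if to_domain in OUR_DOMAINS:
        upstream = next((ip for ip in hops[1:] if ip and not is_ours(ip)), None)
        if upstream:
            return {"action": "report-upstream", "origin_ip": upstream}
    return {"action": "investigate-account", "origin_ip": handed_off}


# Constructed complaint bodies (only the headers that matter are included).
FORWARDED = """\
Received: from mx1.isp.example ([198.51.100.20]) by mail.reporter.example
Received: from promo.spam-source.example ([203.0.113.9]) by mx1.isp.example
From: promo@spam-source.example
To: customer@isp.example
Date: Mon, 07 Oct 2019 10:00:00 +0000
Subject: constructed sample (forwarded by our customer to the reporter)

body
"""

SUBMITTED = """\
Received: from smtp.isp.example ([198.51.100.25]) by mail.reporter.example
Received: from client-dsl ([192.0.2.44]) by smtp.isp.example with ESMTPSA
From: customer@isp.example
To: friend@reporter.example
Date: Mon, 07 Oct 2019 10:00:00 +0000
Subject: constructed sample (sent by our customer via submission)

body
"""

STALE = SUBMITTED.replace("Date: Mon, 07 Oct 2019", "Date: Sat, 07 Sep 2019")


def sample_results() -> dict:
    """Run the three constructed complaints through triage at the fixed NOW."""
    return {name: triage(raw, NOW)
            for name, raw in (("forwarded", FORWARDED),
                              ("submitted", SUBMITTED),
                              ("stale", STALE))}


if __name__ == "__main__":
    for name, decision in sample_results().items():
        print(f"{name:10s} {decision}")
```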


Re: [mailop] Weird blocking by outlook.com (S3150)

2019-08-23 Thread Benoit Panizzon via mailop
Hi Laura

> In my experience, when the bounce message says "Please contact your Internet 
> service provider since part of their network is on our block list (S3150).” 
> That means that Microsoft is seeing problems across a wide range of IPs in a 
> space and they don’t have a clear picture of where the customer boundaries 
> are. You may find a better customer experience if you SWIP IPs to your 
> customers rather than just lumping them all into a single /16. 
> 
> Are these the IPs you’re using for forwarding? If so, how much filtering are 
> you doing before you forward them?

157.161.0.0/16 is a 'legacy', pre RIPE range which is exempt from the
RIPE requirement to register customer allocations.

So for privacy reasons we have decided not to register our customers
using these ranges @ RIPE. Anyway we mostly have business customers in
this range.

The whole of 157.161.0.0/16 is included in the SNDS monitoring. I don't
see any major problem there. We have a customer running an ESP service,
but also in his IP range the complaint rate is < 0.1%.

Out of this range, our email platform uses 157.161.12.0/23

It's a typical 'end user' platform for our end-user internet access
customers. Webmail, IMAP mailboxes. We also operate whitelabel email
services for other ISPs, each one with its own dedicated IP range.

We explicitly do not offer 'relaying services' to customers with own
mailserver. Our rate limiting thresholds would not make those
customers happy.

As we quite closely monitor those services, I am pretty confident we
have no major problem. Of course we get the occasional customer which
manages to get his credentials phished or stolen and the account then
abused. But usually it's a matter of minutes for some measures to
automatically block such an account, maximum 2 days if some human
intervention is needed until such an account is blocked.

And yes, I did open a case with the SNDS support team.

But usually when we hit a blacklist with one of those IP, we already
know why.

With kind regards

-Benoît Panizzon-


[mailop] Weird blocking by outlook.com (S3150)

2019-08-22 Thread Benoit Panizzon via mailop
Hi List

One of our mail platform IP has once more been hit by an outlook.com
blocking:

host outlook-com.olc.protection.outlook.com[104.47.4.33] said: 550 5.7.1
Unfortunately, messages from [157.161.12.116] weren't sent. Please contact
your Internet service provider since part of their network is on our block
list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[AM5EUR02FT063.eop-EUR02.prod.protection.outlook.com] (in reply to MAIL
FROM command)

According to MX-Toolbox that IP is not listed anywhere.

According to our report on:
https://sendersupport.olc.protection.outlook.com/snds/ipStatus.aspx

"All of the specified IPs have normal status."

On View Data there are occasional 'trap' hits for that IP and the
history shows < 0.1% but 9 red days.

We also had a spike with 2% trap hits, but that is not flagged as 'red
day'.

So somehow I don't quite understand what 'red day' means and what could
cause the IP to be blocklisted right now. I think we are doing a pretty
good job keeping our mailserver clean from phished accounts.

Anyone with more insight?

With kind regards

-Benoît Panizzon-


[mailop] Solved: Re: Amazon AWS SES (Simple Email Services) what could cause a domain to be blocked?

2019-08-22 Thread Benoit Panizzon via mailop
Hi Team

Just a follow up on that case, as from the feedback I got it looks
others are also affected by this problem.

I finally managed to get the attention of an Amazon SES Tech who agreed
to look into the issue and got an explanation of what most probably
happened.

Amazon SES does NOT block whole destination domains, but only single
email addresses which 'bounce'.

One single bounce causes the destination address to be put on a
'suppression list' for a day or so. The sender just sees a
non-descriptive delivery error but has no information on the exact cause
or exact reply of the rejecting email server.

If a destination bounces more than once, the timeout of that list is
massively increased, up to several months.

As mentioned, we observe a lot of spam from Amazon AWS IP Ranges and
feed our anti-spam blacklists from such emails.

So it might be that the mostly affected customer of Amazon SES shared
the IP with a spammer in the past and thus the sending IP address was
blacklisted for some time on our platform, which caused the bounces and
thus the affected destination email address of our customer being put
on that suppression list with an expiry date far in the future.

Anyway, according to Amazon SES the bounce events must have been so far
in the past, that Amazon cannot find them anymore in their logs.

In the last couple of days, the email address of our customer got
automatically expired from that suppression list and latest test
shows, the Amazon SES customer can again successfully send emails to
our customer.

What still is very unfortunate is how the Amazon SES Tech first replied
to the case opened by their customer and was blaming us to be the
'cause' of the problem and urging their customer to tell us to 'fix' the
'MX' problem without giving him or us any details about the origin of
the problem.

Kind regards

-Benoît Panizzon-


Re: [mailop] Hotmail: Moving Email to 'spam' folder generates ISP complaint?

2019-08-16 Thread Benoit Panizzon via mailop
Hi Mathieu

> I don't see that as a problem, I mean I completly understand the logic behind 
> that. If someone wants to organize their inbox they can create subfolders 
> easily, using the spam folder to "rearrange" your emails is just plain 
> stupid, especially as mails in the spam folder are deleted after 10 days.

Yes, this is exactly the 'feature' one of the customers described to
me. He moves read emails he does not want to keep to the 'spam' folder,
because they disappear after a couple of days.

So if he moved one by mistake, he can still find it and move it
back. Emails he does not care about get deleted automatically.

He was absolutely not aware, that emails moved there would generate a
complaint.

Kind regards

-Benoît Panizzon-


[mailop] Hotmail: Moving Email to 'spam' folder generates ISP complaint?

2019-08-16 Thread Benoit Panizzon via mailop
Hi List

A couple of days ago we found out that Microsoft offers a Feedback
Loop to receive complaints about spam incidents.

Perfect, one more source we can use to detect and block phished
customers' accounts or trojanized devices. So we enabled this.

That works well so far, but we also repeatedly get @hotmail.com
customers reporting very obviously non-spam mails.

I was now in contact with two customers, both were puzzled about those
spam reports we received and confirmed, they did not report those
emails as spam.

One customer is using Outlook for Android. Another one just plain
Outlook, to access his Hotmail account.

Both are moving read emails they don't want to keep to the 'spam' folder.

So I wonder, does the simple act of moving of an email to the hotmail
spam folder generate a spam complaint to the ISP? And possibly impact
the sender IP reputation?

No need to confirm 'yes this is spam I want it reported to the sender
ISP' ?

Kind regards

-Benoît Panizzon-


Re: [mailop] Amazon AWS SES (Simple Email Services) what could cause a domain to be blocked?

2019-08-13 Thread Benoit Panizzon via mailop
Hi Marc

> https://mxtoolbox.com/SuperTool.aspx?action=mx%3aleunet.ch=toolpage
> 
> Suggest you fix that and come back to them.

DMARC? It's not an error, it's not a requirement.

The AWS customer who notified the problem uses this email domain:

https://mxtoolbox.com/SuperTool.aspx?action=mx%3aedudip.com=toolpage

Also has no DMARC entry.

Or look at a well-known big email service operator: GMX:

https://mxtoolbox.com/SuperTool.aspx?action=mx%3agmx.net=toolpage

Also has no DMARC entry. And Edudip confirmed they can send email
from Amazon SES to GMX recipients.

So this was ruled out to be the cause.

> In addition, I would have your client add you or a member of your team as a 
> user in their AWS acct with the ability to add support issues on their acct.

Edudip.com is not our client. Our client is under the domain leunet.ch
and unable to receive emails sent via Amazon SES.

Edudip.com is not related to us. It was just an Amazon SES user who was
friendly enough to open a case for the issue with Amazon SES and got
the reply that we have to fix the issue with the MX or get in contact
ourselves with Amazon SES to solve the issue. The second part is where we
fail because of that stupid Amazon policy that you need an AWS account
to obtain any kind of support.

My attempt to open a 'user' account on Amazon (the one you can order
stuff) also didn't help much further as this account also has no way to
open an AWS case or access the existing case the Amazon SES customer
opened.

Kind regards

-Benoît Panizzon-


[mailop] Amazon AWS SES (Simple Email Services) what could cause a domain to be blocked?

2019-08-12 Thread Benoit Panizzon via mailop
Hi List

Amazon AWS SES Support drives me and their customer mad.

So I wonder if any other email operator had a similar issue and might
know what causes Amazon AWS SES Services to block email delivery to a
specific domain and how this can be solved.

We are an ISP and operate email services for various domains.

Email delivery to 'leunet.ch' is blocked on the Amazon SES Platform.

When an affected Amazon Customer opens a Case with Amazon to find out
the cause, they only get the reply: 'something is wrong with the
recipient domain MX, the operator of the recipient's MX has to fix
the issue'. But no further information about the exact problem. Not
even on request.

We, as the operator of that platform have no AWS account, therefore we
cannot open a case directly with AWS Tech support or even call them,
because their 'security policy' requires them to ask for an email
address linked to an AWS customer account.
Thus, we are as of now, unable to communicate with Amazon AWS Tech, to
find the cause of that blocking or on how to have our domain unblocked.

Has anyone else had a similar issue with Amazon SES and might know a
way to solve it?

Kind regards

-Benoît Panizzon-


[mailop] How to contact 'Silverpop' Abuse Desk?

2019-07-23 Thread Benoit Panizzon via mailop
Dear List

Silverpop is an email marketing platform accredited by CSA, therefore
whitelisted with some email platform operators.

They add such a header to emails sent via their platform:

X-CSA-Complaints: whitelist-complai...@eco.de

Well, one Silverpop customer keeps sending spam to one of our support
email addresses. I am pretty sure that sender has no proof of opt-in
and has probably web-harvested the recipient email address.

So I requested information about the source of our support email
address to the privacy contact address of the sender company. They play
silly games by keeping closing those cases unanswered. So I escalated to
eco.de who in turn tell me they forwarded the complaint to 'Silverpop'.
But again, nothing happens.

The sender IP used by silverpop belongs to a /16 from IBM. It looks
like IBM acquired silverpop:

https://www.ibm.com/digital-marketing/silverpop

On that page, the 'privacy' contact are generic contacts @ IBM.
Same about the ARIN Abuse Handle for the sending IP Address.

So I guess this is never being forwarded to the appropriate team
running 'silverpop'.

So is there anyone who could share a contact @ silverpop or who knows
how to report an abusive customer of them?

Kind regards

-Benoît Panizzon-


[mailop] How to identify source of email sent via Google?

2019-07-18 Thread Benoit Panizzon via mailop
Hi List

Operating the SWINOG Blacklist and Spamtraps, I notice quite some spam
originating from Google IPv6 ranges (yes, I am trying to catch up with
whitelisting them, which is not easy with their constant morphing).

Usually the Received: line parser skips a line indicating a whitelisted
source IP.

Unfortunately with emails sent over Gmail, there are no more IP source
before the Google IP Address, so I started wondering if there is any
other way to find an unique source in the Gmail Headers:

Like for example trying to base64 decode such strings:

X-Gm-Message-State: APjAAAULgJIbXPmiYeO34K1oPDHCszLRsTEIWu44mCUMhwcvNI2FSw2C
13E/GzFi+GzlVSKPy4cBzQaU513ns+TJSg1RReBoON3S

=> does not decode to human readable string. Or is this not base64?

X-Google-Smtp-Source: 
APXvYqxVPTn6xkps+03MiBFtpaU14OeJ20XxcX1Q6Tdg7/H8nOZpNx6gGMtNRggJ6WXmISfZ4L2aqtsCyvqjsMYyO+4=

=> does not decode to human readable string, but that header sounds very 
promising.

X-Received: by 2002:a54:4694:: with SMTP id k20mr20471032oic.136.1563371906203;
 Wed, 17 Jul 2019 06:58:26 -0700 (PDT)

IPv6 mapped IPv4 address from RFC 1918. What about the ID? Could that be
used to match and block the source?

Received: from 776393159873 named unknown by gmailapi.google.com with
 HTTPREST; Wed, 17 Jul 2019 06:58:24 -0700

Well, could 776393159873 be some kind of encoded source IP? Or just a
unique token for the origin IP which could be used to match spam from
this source?

Any help is welcome!

Kind regards

-Benoît Panizzon-
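
Added example (my code, not the poster's and not anything from Google): the one
thing in those headers that decodes deterministically is the 2002::/16 address
in X-Received. 2002::/16 is the 6to4 prefix (RFC 3056) and the 32 bits after
it are an embedded IPv4 address, so 2002:a54:4694:: carries 10.84.70.148, an
RFC 1918 address that identifies an internal hop and not the submitting
client. The X-Gm-Message-State and X-Google-Smtp-Source values look like base64,
but whether a payload is readable has to be checked rather than assumed; the
classifier below does that. Inputs are the header lines quoted in the post plus
a few constructed tokens.

```python
"""Decode what can be decoded in the Gmail headers quoted in the post:
the 6to4 address in X-Received, and a sanity check on the opaque tokens.
Added example; header lines are copied from the post, tokens in tests are
constructed."""
import base64
import binascii
import ipaddress
import re

SIXTOFOUR_RE = re.compile(r"2002:[0-9a-fA-F:]+")


def embedded_ipv4(text):
    """Find the first 6to4 (2002::/16) address in `text` and return
    (embedded_ipv4, is_rfc1918_or_otherwise_private); None if there is none."""
    m = SIXTOFOUR_RE.search(text)
    if not m:
        return None
    try:
        v6 = ipaddress.IPv6Address(m.group(0))
    except ValueError:
        return None
    v4 = v6.sixtofour  # None unless the address really is in 2002::/16
    if v4 is None:
        return None
    return str(v4), v4.is_private


def classify_token(token):
    """Classify an opaque header value as 'not-base64', 'base64-text' or
    'base64-binary'.  Folding whitespace from a wrapped header is removed
    first, so a two-line X-Gm-Message-State can be passed as-is."""
    compact = re.sub(r"\s+", "", token)
    try:
        payload = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return "base64-binary"
    printable = all(c.isprintable() or c in "\r\n\t" for c in text)
    return "base64-text" if printable else "base64-binary"


if __name__ == "__main__":
    # Header lines as quoted in the post.
    x_received = ("X-Received: by 2002:a54:4694:: with SMTP id "
                  "k20mr20471032oic.136.1563371906203;")
    gm_state = ("APjAAAULgJIbXPmiYeO34K1oPDHCszLRsTEIWu44mCUMhwcvNI2FSw2C\n"
                " 13E/GzFi+GzlVSKPy4cBzQaU513ns+TJSg1RReBoON3S")
    print("6to4 payload:", embedded_ipv4(x_received))  # ('10.84.70.148', True)
    print("X-Gm-Message-State is", classify_token(gm_state))
```

The practical conclusion is the one the post was circling: the 6to4 address is
a private address inside the sending infrastructure, so it is not a source you
can block on, and a token that is valid base64 but decodes to bytes that are not
text is an opaque identifier, not an encoded IP.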


Re: [mailop] Any URI whitelists out there?

2019-07-11 Thread Benoit Panizzon via mailop
> Have you taken a look at white.uribl.com:

Perfect, exactly what I was looking for.

Kind regards

-Benoît Panizzon-


[mailop] Any URI whitelists out there?

2019-07-11 Thread Benoit Panizzon via mailop
Hi Mailops!

We operate the SWINOG Blacklists and Spamtraps.

We fairly often find URI which make it onto the blacklist, which should
clearly be whitelisted. Like 'apple.com' just this week.

We do maintain a whitelist, but I start wondering, if there are
DNS based URI whitelists which we could query to prevent listing
domains which shouldn't get listed.

All Google did spit out on my searches were IP whitelists.

Kind regards

-Benoît Panizzon-


[mailop] SPF: What happens if includes specify different 'all' settings?

2019-06-27 Thread Benoit Panizzon via mailop
Hi List

Just wondering as I have come across this situation multiple times.

A domain includes SPF entries which have different 'all' settings.
Which one is valid?

I would have guessed, that an 'include' should never contain the
'all' statement to make it possible for the domain owner to define this.

But for example hosted exchange services often include:

spf-a.outlook.com descriptive text "v=spf1 ip4:157.56.232.0/21 
ip4:157.56.240.0/20 ip4:207.46.198.0/25 ip4:207.46.4.128/25 ip4:157.56.24.0/25 
ip4:157.55.157.128/25 ip4:157.55.61.0/24 ip4:157.55.49.0/25 ip4:65.55.174.0/25 
ip4:65.55.126.0/25 ip4:65.55.113.64/26 ip4:65.55.94.0/25 -all"

I am aware, specifying anything other than '-all' is pretty useless,
but shouldn't the choice remain with the domain owner?

Another company publishing such an SPF include for its customers:

_spf.synventis.com descriptive text "v=spf1 ip4:213.239.204.153 
ip4:78.46.40.142 ip4:78.46.101.176 ip4:5.9.28.36 ~all"

The customer in question specified '-all' in his TXT entry including
the above one.

So which one is valid in the end? Is the first one encountered while
parsing the line or the last one? How are includes processed? After
processing the 'main' entry, or recursively, therefore before?

Kind regards

-Benoît Panizzon-
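
As an added example (my code, not from the post and not from any SPF library),
here is a small SPF evaluator for just the ip4 / ip6 / include / all subset of
RFC 7208, run against a constructed in-memory DNS table. It shows the answer to
the question: terms are evaluated left to right, an include: is evaluated
recursively at the point where it appears, and per RFC 7208 section 5.2 the
included record's `all` only decides whether the include itself matches (it
matches only when the recursive result is "pass"). A -all or ~all inside the
include therefore never becomes the outer result. The domain names and
addresses below are invented for the example, not the real outlook.com or
synventis.com records.

```python
"""Minimal SPF evaluator (RFC 7208 subset: ip4, ip6, include, all) over a
constructed DNS table, to show how `all` inside an include: behaves.
Added example, not the poster's or any library's code."""
import ipaddress

# Constructed TXT records; domains and addresses are invented.
CONSTRUCTED_TXT = {
    "_spf.strictprovider.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.laxprovider.example": "v=spf1 ip4:198.51.100.7 ~all",
    # customer ends with -all but includes a provider that ends with ~all
    "customer-strict.example": "v=spf1 include:_spf.laxprovider.example -all",
    # customer ends with ~all but includes a provider that ends with -all
    "customer-lax.example": "v=spf1 include:_spf.strictprovider.example ~all",
    # customer with no `all` of its own
    "customer-none.example": "v=spf1 include:_spf.strictprovider.example",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=CONSTRUCTED_TXT, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') for `ip` claiming to send on behalf of `domain`."""
    if depth > 10:
        return "permerror"  # recursion guard (not the RFC's 10-lookup limit)
    record = dns.get(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qualifier]  # first `all` reached ends evaluation
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER[qualifier]
        elif name == "include":
            # RFC 7208 s5.2: the include matches only if the recursive check
            # returns "pass".  fail / softfail / neutral from the included
            # record mean "no match" and evaluation simply continues with the
            # next term, so the included record's `all` never leaks out.
            sub = check_host(ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIER[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # include of a domain without SPF is permerror
        else:
            return "permerror"  # a, mx, ptr, exists, redirect= not modelled here
    # Ran out of terms without a match and without an `all`: RFC 7208 s4.7
    return "neutral"


if __name__ == "__main__":
    for dom in ("customer-strict.example", "customer-lax.example", "customer-none.example"):
        print(dom, "203.0.113.5 ->", check_host("203.0.113.5", dom))
```

So for the customer who wrote '-all' behind an include that ends in '~all', a
sender listed nowhere gets 'fail' from his own record and the include's '~all'
is irrelevant. The surprise is the other direction: an include ending in '-all'
inside a record that ends in '~all' still yields softfail, because the include
just does not match. Not modelled above: the a/mx/ptr/exists mechanisms,
macros, redirect= and the limit of 10 DNS-querying terms.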


Re: [mailop] Any contact to Google to debug 'aspmx' troubles?

2019-05-28 Thread Benoit Panizzon via mailop
Hi Grant

> Why are messages, presumably from a human, outbound from RT/4 setting 
> the Precedence: header to bulk?

I suppose to silence auto-responders and prevent them from playing email
ping-pong. I know the good old 'vacation' tool does not reply when the
bulk header is present. And RT/4 itself also does not send the
'ticket created' confirmation email if a bulk header is present.

> I can see Auto-Submitted: Auto-Generated: , but not Precedence: bulk.
> 
> Do your outgoing messages have a references header?  Does it reference 
> the incoming message's Message-ID?

Yes, it references the Ticket ID:

References: 
(and other previous emails in the case)

Kind regards

-Benoît Panizzon-


[mailop] Any contact to Google to debug 'aspmx' troubles?

2019-05-27 Thread Benoit Panizzon via mailop
Hi all

I'm looking for a contact to Google (or anyone with insight on what
could cause the problem) to solve a specific issue we have with a
company using their ASP services.

Observed Problem:

I send them an email from the email client 'claws-mail'. This is
received perfectly.

But we use RT/4 as issue tracking system. If I reply to a case we have
open with them. They do not get my reply, despite our logs showing a
successful delivery to aspmx.l.google.com and no late bounces being
received. We did try different recipients in their domain, it's the
same for all of them. It looks a bit as if Google is silently
dropping everything with:

Precedence: bulk
or
X-Managed-BY: RT 4.2.12 (http://www.bestpractical.com/rt/)

Kind regards

-Benoît Panizzon-


Re: [mailop] Anyone on this List with Access to Amazon SES Maillogs?

2019-05-17 Thread Benoit Panizzon via mailop
> >nc: connect to rrmx.imp.ch. port 25 (tcp) failed: Network is unreachable
> >nc: connect to rrmx.imp.ch. port 25 (tcp) failed: Network is unreachable
> >nc: connect to rrmx.imp.ch. port 25 (tcp) failed: Network is unreachable
> >
> >So maybe AWS SES is trying to connect to the IPv6 address and cannot?  
> 
> I see the same thing, three AAAA records that point to servers that
> refuse port 25 connections.  That is a problem.
> 
> Either make the v6 servers work or get rid of the AAAA records.

Hi, this is very odd, could you send a traceroute to those IPv6
destinations? I can confirm the servers do NOT refuse IPv6 connections.
I suppose there is a transit problem from certain ISPs.

Kind regards

-Benoît Panizzon-


[mailop] Did CloudFlare change tolerant attitude against spamer?

2019-05-16 Thread Benoit Panizzon via mailop
Hi List

I have noticed that we didn't get any spamtrap hits advertising
cloudflare.com in the last couple months.

Before, spammers did love their anonymizing proxy service and their
policy which stated as long as it's not DMCA or CP related we won't
take down a customer's site.

It still states spam complaints not being valid abuse cases if I
read between the lines of:

https://www.cloudflare.com/abuse/

I wonder what made spammers stop using their services.

Kind regards

-Benoît Panizzon-


[mailop] Anyone on this List with Access to Amazon SES Maillogs?

2019-05-16 Thread Benoit Panizzon via mailop
Please contact me off-list

Short story:

A customer of Amazon SES is attempting to send emails to one of our
customers.

Our customer is not getting them, we don't see ANY trace of those
emails in our logs, they just seem to disappear in transit.

Re-Tested yesterday, exact times known.

Long-lasting cases have been opened @ Amazon, but the only problem,
according to Amazon's SES Support, is that the recipient MX is not
correct and we should fix that issue, without Amazon being able to tell
us what's incorrect (leunet.ch, do you see any problem?), or that
leunet.ch does not have a DKIM entry (cause disproved by Amazon's own
customer showing that he can perfectly send emails to recipients in
other domains which also do not have a DKIM entry).

Kind regards

-Benoît Panizzon-


[mailop] Mylove@1

2019-05-16 Thread Benoit Panizzon via mailop
Hi List

I wonder if others have also stumbled over the password "Mylove@1".

We use RoundCube as Webmail.

We have 'stupid' customers, who give away their email password by
answering to phishing emails or just simply are victims of trojans
stealing their credentials.

Subsequently those accounts get abused to send spam but our automatic
monitoring usually quickly detects them and disables SMTP Submission
resulting in a 5XX error indicating to the customer to change his
password.

We offer to change the password with a widely used
RoundCube 'Password' Plugin, which also unblocks SMTP.

And it looks like one spammer has specialized in automating this. He
spams until he is getting automatically blocked, then logs in to
RoundCube, resets the password and restarts spamming, usually taking
measures like only using one single IP and lowering the send rate to
such an amount as not to get detected by our system anymore.

I wonder if there are such highly sophisticated bots around that do
this all automatically, or if one spammer does love our email platform
so much, despite us still locking him out eventually by manually changing
the password of the affected account, so he cannot log in to RoundCube
anymore without knowing the set password. Our system also rate-limits
his sending speed, so I guess we would not be very lucrative for
him. But still we find one such abused account about twice a month.

Kind regards

-Benoît Panizzon-
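
Added example (my code, not the poster's and not a RoundCube plugin): detection
logic that correlates SMTP submission blocks with webmail password changes,
which is exactly the block -> reset -> resume pattern described above, plus a
deny-list check the password plugin could apply before it unblocks SMTP again,
so a compromised account cannot be reset to a password already seen on abused
accounts. The log format, hostnames and addresses are constructed; the
60-minute window and the 12-character minimum are assumed policy values.

```python
"""Spot the block -> password reset -> resume-spamming pattern by correlating
two constructed log sources, and refuse known-abused passwords at reset time.
Added example; log format and addresses are invented."""
from datetime import datetime, timedelta
import re

# Constructed log lines (hypothetical format: ISO timestamp, source, event,
# key=value pairs).  Accounts and IPs use documentation ranges.
SAMPLE_LOG = [
    "2019-05-15T10:02:11Z smtp-guard blocked account=alice@example.ch ip=203.0.113.9 reason=rate",
    "2019-05-15T10:14:40Z roundcube password-changed account=alice@example.ch ip=203.0.113.9",
    "2019-05-15T11:00:00Z smtp-guard blocked account=bob@example.ch ip=198.51.100.4 reason=rate",
    "2019-05-15T12:00:00Z smtp-guard blocked account=carol@example.ch ip=198.51.100.4 reason=rate",
    "2019-05-15T12:30:00Z roundcube password-changed account=carol@example.ch ip=192.0.2.77",
    "2019-05-15T12:31:00Z dovecot imap-login account=carol@example.ch ip=192.0.2.77",
    "2019-05-16T09:30:00Z roundcube password-changed account=bob@example.ch ip=192.0.2.77",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) (?P<kind>blocked|password-changed) "
    r"account=(?P<account>\S+) ip=(?P<ip>\S+)"
)


def parse_events(lines):
    """Keep only block and password-change events, oldest first."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated line (e.g. the imap-login above)
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "kind": m["kind"],
            "account": m["account"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_unblock_abuse(events, window=timedelta(minutes=60)):
    """Return {account: severity} for every password change that follows a
    submission block on the same account within `window` (assumed 60 min).
    The same client IP as the spam run makes it 'high', otherwise 'medium'."""
    last_block = {}
    findings = {}
    for e in events:
        if e["kind"] == "blocked":
            last_block[e["account"]] = e
        elif e["kind"] == "password-changed":
            blk = last_block.get(e["account"])
            if blk is not None and e["ts"] - blk["ts"] <= window:
                findings[e["account"]] = "high" if e["ip"] == blk["ip"] else "medium"
    return findings


# Passwords already seen on abused accounts.  The value is the one from the
# post; the list itself is something the operator maintains (assumption).
DENYLIST = {"mylove@1"}
MIN_LENGTH = 12  # assumed policy value


def password_allowed(candidate):
    """Check a password-plugin change request against the deny-list and the
    (assumed) minimum length before the plugin is allowed to unblock SMTP."""
    return candidate.lower() not in DENYLIST and len(candidate) >= MIN_LENGTH


if __name__ == "__main__":
    for account, severity in find_unblock_abuse(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: password reset shortly after a block ({severity}); keep SMTP blocked")
```

The point of the correlation is that a password change is not by itself a
signal of cleanup: a change minutes after an automatic block, from the same
client address that was just rate-limited, is the attacker unblocking himself,
and the sane response is to keep submission disabled until the change is
confirmed out of band.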


[mailop] Anyone with contact to: Digibyte Media B.V. Netherlands?

2019-05-13 Thread Benoit Panizzon via mailop
Hi List

Since a couple of weeks our customers (and some of our support
email addresses) get spam emails advertising erotica services hosted by
DigiByte Media B.V. in the Netherlands.

Blocking is not easy, as the sender IP, content of emails and
redirection service URI used keeps changing.

Their website is hosted @ Google and they do not take down indirectly
spamvertized websites, no matter how much evidence you provide.

So I have kept trying to reach DigiByte Media B.V. by email and phone,
but I never get a reply and only get to the phone announcement that I
should send them an email which would be answered within 8 working
hours.

Is anything else known about that company? Any way to reach them?

Kind regards

-Benoît Panizzon-


[mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)

2019-04-29 Thread Benoit Panizzon via mailop
Hi List

I wonder if DigitalOcean is running for some social media related
wake-up call.

I Twittered to @digitalocean about the lack of responsiveness from their
abuse desk.

They promptly replied via Twitter:

"We apologise for the trouble. Our security & operation team is already
looking into it."

As I still had a case open with them, I appended your nice list of
pgHammer IP Addresses.

This time, they replied promptly:

"As we are an unmanaged cloud hosting provider, we do not create,
administer, or have direct access to our customers' Droplets. This
means that we cannot make direct changes to any programs or websites
hosted there."

Well, I once more pointed out that all they need to do is pull the 'virtual'
plug on those servers which are the origin of abusive behavior. But I
fear they do not understand or do not want to understand as long as the
customer is paying the bill. McColo/2 ?

So anyone else wanting to moan via their social media channels? I
think their quick reaction shows, this bothers them.

Kind regards

-Benoît Panizzon-