Re: [mailop] [External] Does Google not accept bounce emails anymore?

2024-05-27 Thread Kevin A. McGrail via mailop

Good Question.

The RFC purist in me says, hell no. But my calmer, gentler, experienced 
mail inner child would say you should work to extend your edge so you 
decline the message during the SMTP conversation if at all possible.  
Backscatter, joe jobs, and bounces with payloads/spam have pretty much 
ruined bounce messages IMO.


Regards,

KAM

On 5/27/2024 7:04 PM, Jarland Donnell via mailop wrote:
421-4.7.26 Your email has been rate limited because it is 
unauthenticated. Gmail requires all senders to authenticate with 
either SPF or DKIM. Authentication results: DKIM = did not pass SPF [] 
with ip: [136.175.108.34] = did not pass For instructions on setting 
up authentication, go to 
https://support.google.com/mail/answer/81126#authentication 
5614622812f47-3d1b370fc69si2809030b6e.141 - gsmtp


Bounces coming from blank envelope senders are being held to SPF/DKIM 
authentication, which of course fails. Been seeing this a lot lately. 
Should we just not send bounce emails to Google anymore?

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] [External] Gmail has a thing about dots

2024-05-03 Thread Kevin A. McGrail via mailop

Whoops.  Missed that part :-)

On 5/2/2024 6:44 PM, John Levine wrote:

These dots aren't in the Gmail address.  They're in the return address in the 
message.


Re: [mailop] [External] Gmail has a thing about dots

2024-05-02 Thread Kevin A. McGrail via mailop
Gmail treats dots as non-existent.  So kevin.mcgr...@gmail.com and 
kevinmcgr...@gmail.com are the same account.


https://support.google.com/mail/answer/7436150?hl=en

HTH, KAM

On 5/2/2024 3:02 PM, John Levine via mailop wrote:

RAPTOR REMARK: Alert! Please be careful! This email is from an EXTERNAL sender. 
Be aware of impersonation and credential theft.

While debugging something else, I've been trying to send messages to myself
from the address a...@m.jl.ly.  RFC 5321 says two dots in a row need to be
quoted, and I have checked that my mail system does indeed put in the quotes
and it says

MAIL FROM:<"a..b"@m.jl.ly>

But Gmail still doesn't like it, with the error message suggesting that 
something at their end stripped the quotes too early.  Huh?

Outlook/Hotmail accepts it but puts it in the spam folder which I guess is OK.

R's,
John

Connected to 2607:f8b0:4004:0c17::::001a but sender was rejected.
Remote host said: 553-5.1.7 The sender address  is not a valid 
RFC 5321 address. For
553-5.1.7 more information, go to
553-5.1.7  https://support.google.com/a/answer/3221692 and review RFC 5321
553 5.1.7 specifications. e5-20020a0562141d0500b0069b3262b75fsi1739474qvd.226 - 
gsmtp

  ...

Return-Path: <"a..b"@m.jl.ly>
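
The quoting rule John Levine cites, and the failure he suspects, worked through as an added example (not code from the thread or from any mail system named in it). `accepts_after_early_unquote` is a hypothetical model of a receiver that removes the quotes before checking syntax; it does not describe how Gmail is implemented.

```python
import re

# RFC 5321 section 4.1.2: characters allowed in an unquoted Atom.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# Dot-string = Atom *("." Atom): no leading, trailing or consecutive dots.
DOT_STRING = re.compile(rf"{ATEXT}+(?:\.{ATEXT}+)*")


def needs_quoting(local_part: str) -> bool:
    """True when the local part cannot be sent as a bare Dot-string."""
    return DOT_STRING.fullmatch(local_part) is None


def to_wire(local_part: str) -> str:
    """Sender side: render a local part, quoting only when required."""
    if not needs_quoting(local_part):
        return local_part
    if any(not 32 <= ord(ch) <= 126 for ch in local_part):
        raise ValueError("a Quoted-string carries printable ASCII only")
    escaped = local_part.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def mail_from(local_part: str, domain: str) -> str:
    """Build the MAIL FROM command for the given mailbox."""
    return f"MAIL FROM:<{to_wire(local_part)}@{domain}>"


def from_wire(raw: str) -> str:
    """Receiver side: validate a wire-format local part and unquote it."""
    if not raw.startswith('"'):
        if needs_quoting(raw):
            raise ValueError(f"{raw!r} is not a valid Dot-string")
        return raw
    if len(raw) < 2 or not raw.endswith('"'):
        raise ValueError("unterminated Quoted-string")
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":  # quoted-pair: take the next character literally
            i += 1
            if i == len(body):
                raise ValueError("dangling backslash")
            ch = body[i]
        elif ch == '"':
            raise ValueError("unescaped quote inside Quoted-string")
        if not 32 <= ord(ch) <= 126:
            raise ValueError("non-printable character in local part")
        out.append(ch)
        i += 1
    return "".join(out)


def split_path(path: str):
    """Split '<local@domain>' at the last '@' (a domain never contains one)."""
    if not (path.startswith("<") and path.endswith(">")):
        raise ValueError("path must be enclosed in angle brackets")
    local, at, domain = path[1:-1].rpartition("@")
    if not at or not domain:
        raise ValueError("missing domain")
    return local, domain


def accepts(path: str) -> bool:
    """Validate the local part in its wire form, quotes still attached."""
    try:
        local, _domain = split_path(path)
        from_wire(local)
        return True
    except ValueError:
        return False


def accepts_after_early_unquote(path: str) -> bool:
    """Model of the suspected fault: quotes dropped, then a Dot-string check."""
    try:
        local, _domain = split_path(path)
    except ValueError:
        return False
    if len(local) >= 2 and local[0] == local[-1] == '"':
        local = local[1:-1]
    return not needs_quoting(local)
```

A receiver that validates the wire form accepts `<"a..b"@m.jl.ly>`; one that unquotes first sees `a..b`, which is not a valid Dot-string, and rejects the sender.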


Re: [mailop] [External] Re: Off-Topic - VMWare ESXI 7.0

2024-04-16 Thread Kevin A. McGrail via mailop
As the original poster, I wanted to say thanks.  Based on the dozen or 
so replies so far, I clearly struck a nerve.  I'm reading all the 
replies with great interest.


Regards,
KAM



[mailop] Off-Topic - VMWare ESXI 7.0

2024-04-15 Thread Kevin A. McGrail via mailop

Hi All,

We have four servers where we can't retrieve our free ESXi VMWare 
license after Broadcom shut things down and they are in evaluation mode 
for about 30 more days.


Does any one have any advice?  Is there a product we can buy?  Is there 
an alternative you've been switching over to using?  Anyone have a spare 
license we can use?


Regards,

KAM



Re: [mailop] [External] Re: random.onmicrosoft.com SPAM

2024-03-21 Thread Kevin A. McGrail via mailop

On 3/21/2024 5:48 AM, Gellner, Oliver via mailop wrote:

The topic about onmicrosoft.com has already been brought up multiple times on 
this list, the last time in January: 
https://list.mailop.org/private/mailop/2024-January/026871.html ff

To sum it up: .onmicrosoft.com is the default domain for
everyone who uses Exchange Online. There are various scenarios why
legitimate emails can use this default domain, although most of them
come down to some misconfiguration or missing settings.
If all emails which you receive from those domains are spam then I
suggest you block it, as is true for every other domain. However a
general assessment that all emails which use onmicrosoft.com would be
spam is wrong.


A very good summary.  We consider these provisioning domains not 
suitable for real mail as a failure to follow standard postmaster 
hygiene such as using IPs with rptrs.  The KAM Ruleset includes a rule 
called KAM_ONMICROSOFT that has a score of 5.0.  Not quite a poison pill 
but very close.


Regards,
KAM



[mailop] OT re Munging was Re: Extortion spam from OVH-hosted *.sbs domains

2024-01-31 Thread Kevin A. McGrail via mailop

Hi MailOp,

I thought I would send a note that emails about this topic with OVH and 
SBS domains have sometimes been going into spam because some emails 
mention URIs that are on blocklists.


At the Apache SpamAssassin project we typically discuss things with [] 
brackets or the word munge to avoid this issue.  For example, 
mx.h.orku*[.]*sbs mx.h.orku*munge*.sbs with the bolding added for extra 
emphasis.  This might help when people are discussing threat data.


Regards,
KAM


Re: [mailop] [External] seeking a spamtrap milter

2024-01-23 Thread Kevin A. McGrail via mailop

Hi folks,

I suspect this exists, but can't come up with the right search.

I have domains that should never receive mail. I'd like a milter that
looks for mail to those domains and feeds the IP of the sender to an
outside program.

Surely someone wrote this spamtrap software? Or does everyone just
parse the log?


Ever looked at MIMEDefang?  You can write your milter code in Perl.  
Only thing is I think you'll have to let the domains that should never 
receive email get email for your MTA so the milter "sees" the email.


Regards,

KAM
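
The log-parsing route mentioned in the question, as an added example rather than code from the thread. It assumes Postfix-style `smtpd` reject lines; the trap domains, the `NEVER_REPORT` networks and the log lines themselves are constructed.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical trap domains and networks that must never be reported
# (own relays, monitoring probes).
TRAP_DOMAINS = {"trap.example", "never-used.example"}
NEVER_REPORT = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("127.0.0.0/8")]

# Constructed log lines in Postfix smtpd reject format.
SAMPLE_LOG = """\
Jan 23 10:15:01 mx1 postfix/smtpd[2211]: connect from unknown[203.0.113.45]
Jan 23 10:15:02 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <bob@trap.example>: Relay access denied; from=<a@sender.example> to=<bob@trap.example> proto=ESMTP helo=<mail.sender.example>
Jan 23 10:15:09 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from host.example[198.51.100.7]: 550 5.1.1 <alice@real.example>: Recipient address rejected: User unknown; from=<b@other.example> to=<alice@real.example> proto=ESMTP helo=<host.example>
Jan 23 10:16:40 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <Info@Never-Used.example>: Relay access denied; from=<a@sender.example> to=<Info@Never-Used.example> proto=ESMTP helo=<mail.sender.example>
Jan 23 10:17:03 mx1 postfix/smtpd[2230]: NOQUEUE: reject: RCPT from unknown[2001:db8::25]: 554 5.7.1 <x@trap.example>: Relay access denied; from=<> to=<x@trap.example> proto=ESMTP helo=<v6.sender.example>
Jan 23 10:18:00 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from monitor.internal[10.0.0.5]: 554 5.7.1 <probe@trap.example>: Relay access denied; from=<mon@internal.example> to=<probe@trap.example> proto=ESMTP helo=<monitor.internal>
"""

# The client address comes from the connection, so it is the trustworthy
# field. The greedy ".*" anchors on the last " to=<" in the line, which is
# the one Postfix itself appended.
RCPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \S+ reject: RCPT from "
    r"[^\s\[]*\[(?P<ip>[^\]]+)\]: .* to=<(?P<rcpt>[^>]*)>"
)


def trap_hits(log_text, trap_domains=TRAP_DOMAINS):
    """Count rejected RCPT attempts to trap domains, keyed by client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        match = RCPT_RE.search(line)
        if match is None:
            continue
        domain = match.group("rcpt").rpartition("@")[2].lower()
        if domain not in trap_domains:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # malformed address field: never pass it on
        if any(ip in net for net in NEVER_REPORT):
            continue  # own infrastructure must not end up in the feed
        hits[str(ip)] += 1
    return hits


if __name__ == "__main__":
    for address, count in trap_hits(SAMPLE_LOG).most_common():
        print(address, count)
```

Because the rejection itself is logged, this route works even when the MTA never accepts mail for the trap domains, which is the constraint the reply raises for a milter.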


Re: [mailop] [External] Re: Microsoft CERT Report Response Marked As Spam

2023-11-09 Thread Kevin A. McGrail via mailop
I wouldn't agree with that.  Microsoft sending emails with invalid dates 
alone would put this under the threshold. -KAM


On 11/9/2023 1:41 PM, Jarland Donnell via mailop wrote:
A score of 5.8 on SpamAssassin rules is fairly low. It would be more 
advisable for you to consider adjusting your settings. SpamAssassin is 
designed in such a way that it will always trigger a variety of rules 
for every email, legit or otherwise. It shouldn't be too strange to 
see a legit email in the range of 3-5, and I'd say 5.8 isn't too far 
out from there. 



[mailop] gmail deliverability issue was mailop Digest, Vol 39, Issue 48

2023-10-26 Thread Kevin A. McGrail via mailop

Hi Mark,

I saw this and your test from the loopback. Everything looked good from 
ARC/DKIM/SPF/DMARC.  We've been seeing Google requiring DKIM 
authentication lately so we wanted to confirm that wasn't the issue.


Are you sending bulk emails? I noticed it's the BBB and they send a lot 
of messages people might mark as spam.


The error from Google says that their antispam system has marked it as 
spam.  Is there any content of note in your messages that are getting 
blocked?  Anything like links in a signature to URLs that might be in a 
blocklist?


One thought to get that escalated is to email a Google Workspace paying 
customer and have them make a support request about the issue.


Regards,

KAM


On 10/26/2023 4:07 PM, Mark Stanley via mailop wrote:


KAM - I sent a message as one of my users to that email address you supplied 
and listed below is the bounceback message we get:

More Info for Email Admins
Status code: 550 5.7.350

When Office 365 tried to send the message to the recipient (outside Office 
365), the recipient's email server (or email filtering service) suspected the 
sender's message is spam.

If the sender can't fix the problem by modifying their message, contact the 
recipient's email admin and ask them to add your domain name, or the sender's 
email address, to their list of allowed senders.

Although the sender may be able to alter the message contents to fix this 
issue, it's likely that only the recipient's email admin can fix this problem. 
Unfortunately, Office 365 Support is unlikely to be able to help fix these 
kinds of externally reported errors.

Original Message Details
Created Date:       10/26/2023 8:05:05 PM
Sender Address:     ba...@richmond.bbb.org
Recipient Address:  markwstanley2...@gmail.com
Subject:            testing again

Error Details
Error:  550 5.7.350 Remote server returned message detected as spam -> 550 
5.7.1 [104.47.57.168 12] Our system has detected that this message is;likely 
unsolicited mail. To reduce the amount of spam sent to Gmail,;this message has 
been blocked. Please visit; 
https://support.google.com/mail/?p=UnsolicitedMessageError for more;information. 
m14-20020a5d4a0e00b003296b69535csi124898wrq.495 - gsmtp
Message rejected by:  mx.google.com

Notification Details
Sent by:  BL3PR04MB8106.namprd04.prod.outlook.com

We experienced a brief respite from all this yesterday afternoon and all users 
could actively send to Google domains. As of about noon today, it started 
happening again.

Mark W. Stanley, Managed Services Engineer
Richweb, Inc.  /  mstan...@corp.richweb.com
O: 804-368-0421 X 120
richweb.com / hvens.com

-Original Message-
From: mailop  On Behalf Of mailop-requ...@mailop.org
Sent: Thursday, October 26, 2023 3:54 PM
To: mailop@mailop.org
Subject: [SUSPECTED SPAM] mailop Digest, Vol 39, Issue 48


Message: 1
Date: Thu, 26 Oct 2023 22:17:49 +0300
From: Atro Tossavainen 
To: mailop@mailop.org
Subject: Re: [mailop] Still Don't understand Google's relaying
systems.. Duplicate Return-Path, and other things..
Message-ID: <20231026191749.gq28...@dm7.infinitemho.fi>
Content-Type: text/plain; charset=iso-8859-1


They're a legit Google customer. What's there to marvel at?

https://developers.google.com/gmail/api/guides <- have a look.

--
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635) Tallinn, Estonia tel. 
+372-5883-4269, https://www.koliloks.eu/



Re: [mailop] [External] Need Help with Google Deliverability Issue

2023-10-26 Thread Kevin A. McGrail via mailop

Mark, was there a bounce message with any information?

Send a message to raptorloopb...@raptoremailsecurity.com and that will 
tell you what that spam scanner sees to check your SPF, DKIM, DMARC, etc.


Regards,
KAM

On 10/26/2023 3:13 PM, Mark Stanley via mailop wrote:




I have recently migrated one of our customers from Google to Office365 
and have been encountering deliverability issues when sending to 
Google-related domains. All other domains are perfectly fine and 
haven’t seen any issues. Listed below are the headers for a bounced 
email to a Gmail account:


ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;

ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=U1XPevLPW3kgepb4RRUmQy20bmFrzeFdm+z8xjlDhQo=;

ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 198.154.181.224) smtp.rcpttodomain=gmail.com smtp.mailfrom=richmond.bbb.org;
 dmarc=pass (p=none sp=none pct=100) action=none header.from=richmond.bbb.org;
 dkim=pass (signature was verified) header.d=richmond.bbb.org; dkim=pass
 (signature was verified) header.d=mail-dkim-us-west-2.prod.hydra.sophos.com;
 arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=richmond.bbb.org]
 dkim=[1,1,header.d=richmond.bbb.org]
 dmarc=[1,1,header.from=richmond.bbb.org])

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=richmond.bbb.org;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=U1XPevLPW3kgepb4RRUmQy20bmFrzeFdm+z8xjlDhQo=;

Received: from DM6PR07CA0095.namprd07.prod.outlook.com (2603:10b6:5:337::28)
 by CO6PR04MB8329.namprd04.prod.outlook.com (2603:10b6:303:134::10) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.22; Thu, 26 Oct
 2023 19:00:26 +

Received: from DS1PEPF0001708E.namprd03.prod.outlook.com
 (2603:10b6:5:337:cafe::30) by DM6PR07CA0095.outlook.office365.com
 (2603:10b6:5:337::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.19 via Frontend
 Transport; Thu, 26 Oct 2023 19:00:25 +

X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 198.154.181.224)
 smtp.mailfrom=richmond.bbb.org; dkim=pass (signature was verified)
 header.d=richmond.bbb.org;dmarc=pass action=none
 header.from=richmond.bbb.org;

Received-SPF: Pass (protection.outlook.com: domain of richmond.bbb.org
 designates 198.154.181.224 as permitted sender)
 receiver=protection.outlook.com; client-ip=198.154.181.224;
 helo=mfod-usw2.prod.hydra.sophos.com; pr=C

Received: from mfod-usw2.prod.hydra.sophos.com (198.154.181.224) by
 DS1PEPF0001708E.mail.protection.outlook.com (10.167.17.134) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6933.18 via Frontend Transport; Thu, 26 Oct 2023 19:00:25 +

Received: from ip-172-17-2-248.us-west-2.compute.internal
 (ip-172-17-2-248.us-west-2.compute.internal [127.0.0.1])
 by mfod-usw2.prod.hydra.sophos.com (Postfix) with ESMTP id 4SGZqr6KmBzdZMC
 for ; Thu, 26 Oct 2023 19:00:24 + (UTC)

X-Sophos-Product-Type: Mailflow

X-Sophos-Email-ID: 331699fdd3364172b148bf658ab8ad0a

Received: from NAM12-DM6-obe.outbound.protection.outlook.com
 (mail-dm6nam12lp2169.outbound.protection.outlook.com [104.47.59.169])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate 

Re: [mailop] [External] Re: United Airlines / mileageplus DNS/rDNS mismatch issue

2023-05-09 Thread Kevin A. McGrail via mailop

On 5/9/2023 4:17 PM, Gellner, Oliver via mailop wrote:

I’d be surprised if there are many members on this list whose systems do not 
penalize connections from IP addresses without a fully confirmed reverse DNS 
entry one way or the other. Maybe I‘m wrong, but then I‘d like to hear from 
them.


This has not proven to be a useful indicator of spam or ham and has a 
lot of FPs if you try to enforce it.  From anecdotally looking at the 
logs, it might be useful to bump it up a small amount in SA for when it 
does match but hardly anything when it doesn't.


-KAM



[mailop] [Off-Topic] Blog from KAM on Cybersecurity and Looking for Hecklers for my workshop at InboxExpo

2023-02-14 Thread Kevin A. McGrail via mailop

Hi Mailopers,

Thanks to Inbox Expo for publishing my 2 Secrets to Streamline 
Cybersecurity Projects. You can read it at 
https://inboxexpo.com/2-secrets-from-from-kam/ and no registration or 
silliness required!


I will also be presenting the keynote and a workshop for InboxExpo.com 
on February 27th. While the onsite venue is full, free virtual tickets 
are available thanks to Dotdigital. Register today at 
https://lnkd.in/gATaQaGX.


My Workshop will be a facilitated discussion on deliverability, SEO, 
Spam, Marketing, Branding, etc.


If you are interested in more content from me and want to learn more 
about CRM, Emails, Marketing, Email Security, and using Google Cloud & 
AI, I will be working with emailexpert.org to give free classes as part 
of the 2023 membership drive running now. Join today!



Regards,
KAM


Re: [mailop] [External] Re: Question of SPF record

2023-02-05 Thread Kevin A. McGrail via mailop
To add onto this, rarely will you want to divine the IP addresses of 
your service providers.  Contact them for their include record.  From 
searching the interweb, it seems these are likely what you want:


include:_spf.perfora.net include:_spf.kundenserver.de include:spf.mailjet.com


If you really want the IPs, here you go:

https://www.ionos.com/help/email/postmaster/ip-addresses-of-the-11-ionos-mail-servers/

Regards,

KAM

On 2/5/2023 8:21 PM, Scott Undercofler via mailop wrote:


Ionos has an spf include. Use it. Or just put all four ips in your record.

Sent from my iPhone


On Feb 5, 2023, at 5:43 PM, H via mailop  wrote:

I have a domain with multiple email addresses hosted by Ionos. I have found 
that outgoing emails can come from a range of Ionos email IPs.

I have created a TXT record for my domain containing one IP4 address but 
outgoing emails seem to be sent from different IP4 addresses. As an example I 
now have:

v=spf1 a mx ip4:74.208.4.194 ~all

I know I can add at least one more ip4 address using the same format but I am 
not sure exactly what the Ionos email ip range might be so:

- Is there a way of saying eg. ip4:72.20.8.*

- Or should I delete the ip4 component and instead add:

include:mydomain.tld (corrected of course)

Suggestions appreciated!

Thanks.

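
An added example, not part of the thread, that evaluates the record shapes discussed above and the null-sender case from the bounce thread at the top of this page. It models only the `ip4`, `include` and `all` mechanisms (not `a` or `mx`) against a constructed table of TXT records; every domain and address in it is a documentation placeholder, not IONOS or Google data.

```python
import ipaddress

# Constructed TXT records standing in for DNS. Every name and address is a
# documentation placeholder (RFC 2606 / RFC 5737), not any provider's data.
ZONE = {
    "single.example": "v=spf1 ip4:192.0.2.10 ~all",
    "wildcard.example": "v=spf1 ip4:192.0.2.* ~all",
    "cidr.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "include.example": "v=spf1 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 -all",
    "mta.bouncer.example": "v=spf1 ip4:203.0.113.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # loop guard for this sketch; RFC 7208 itself counts DNS lookups


class PermError(Exception):
    """The published record cannot be interpreted (RFC 7208 permerror)."""


def check(ip, domain, zone, depth=0):
    """Evaluate the SPF record of `domain` for client address `ip`."""
    if depth > MAX_DEPTH:
        raise PermError("too many nested includes")
    terms = zone.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            try:
                # A single address is a /32; a range needs CIDR notation.
                network = ipaddress.IPv4Network(arg, strict=False)
            except ValueError as exc:
                raise PermError(f"invalid ip4 argument {arg!r}") from exc
            if ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check(ip, arg, zone, depth + 1)
            if inner == "none":
                raise PermError(f"include target {arg!r} has no SPF record")
            if inner == "pass":  # any other inner result means "no match"
                return QUALIFIERS[qualifier]
        else:
            raise PermError(f"mechanism {name!r} is not modelled here")
    return "neutral"


def spf_domain(mail_from, helo):
    """Domain evaluated for the MAIL FROM identity.

    RFC 7208 section 2.4: with a null reverse-path (a bounce) the identity
    becomes postmaster@<HELO name>, so the HELO host's record is consulted.
    """
    if mail_from in ("", "<>"):
        return helo
    return mail_from.rpartition("@")[2]


def evaluate(client_ip, mail_from, helo, zone=ZONE):
    """Return the SPF result string for one SMTP transaction."""
    try:
        address = ipaddress.ip_address(client_ip)
        return check(address, spf_domain(mail_from, helo), zone)
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for domain in ("single", "wildcard", "cidr", "include"):
        sender = f"h@{domain}.example"
        print(domain, evaluate("192.0.2.77", sender, "mta.example"))
    print("bounce", evaluate("203.0.113.25", "", "mta.bouncer.example"))
```

A record listing one address softfails every other outbound host, the `*` form is a syntax error rather than a range, and both the CIDR and the `include:` form pass. The bounce case passes only because the HELO hostname publishes its own record.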


Re: [mailop] [External] Anyone from Spamhaus?

2023-01-23 Thread Kevin A. McGrail via mailop

Quick note from SH:

"Sorry for the delay, we have too many people out sick right now!

This was caused by a rule that we determined was not working as desired. 
It's been pulled. Please accept our apologies for the aggravation."


Regards,

KAM

On 1/19/2023 11:20 PM, Mark Fletcher via mailop wrote:



Hi All,

Over the past couple of days, the two servers that send email for 
groups.io, 66.175.222.12 and 66.175.222.108, have 
been listed on the Spamhaus CSS blacklist a couple times each. We're 
an email groups hosting service, like Google Groups. Nothing has 
changed on our end for quite a long time with those machines, and I 
don't believe they're compromised. Meanwhile, the email is backing up.


I've gone through the delisting process for the IPs. (I assume at some 
point that'll stop working). I've sent an inquiry to Spamhaus' contact 
form.


I'm scratching my head and feeling a bit dumb. Is there anyone here 
from Spamhaus that could give me some more information as to what's 
going on and how I can fix it?


Thanks,
Mark



Re: [mailop] [External] Re: verizon email-to-text gateway mail deferred evening and night

2023-01-07 Thread Kevin A. McGrail via mailop

On 1/6/2023 9:34 PM, John Levine via mailop wrote:

When you use someone else's free e-mail gateway, it shouldn't be
surprising that sometimes you only get what you paid for.

I would just point out that the gateway I use is part of my cell service 
so I don't consider it free but part of the service. A failure in that 
service is not something I take lightly and I open complaints with my 
cell provider.  Perhaps others with Verizon are in the same boat but 
haven't considered it that way. -KAM



Re: [mailop] [External] I received a scam letter from Paypal

2022-12-28 Thread Kevin A. McGrail via mailop
We've seen quite a few of these.  They are abusing PayPal's system, 
sending invoices, etc.  Agreed, it's a very good scam and leverages 
PayPal's real comms. -KAM


On 12/28/2022 1:14 PM, Cyril - ImprovMX via mailop wrote:
What I'm saying here, is what the hell? How can a scam come from 
PayPal like this?
This is a serious issue, and they need to fix this because I'm not 
sure my parents would catch the scam here, all seems legit!




Re: [mailop] [External] Re: RackSpace Security Issue

2022-12-05 Thread Kevin A. McGrail via mailop

Hear, hear!

On 12/5/2022 5:11 PM, William Kern via mailop wrote:
best wishes to the poor sysadmins at Rackspace who are not having a 
good weekend/week.



Re: [mailop] [External] Re: Try to understand *.onmicrosoft.com

2022-11-09 Thread Kevin A. McGrail via mailop
Just a note that it is not necessarily a free trial.  It's the 
onboarding domain for M365.


I would NOT agree that it reflects legitimate traffic and have rules in 
the KAM ruleset for the onmicrosoft domains.  They are being abused.


Regards,

KAM

On 11/8/2022 7:01 PM, Suresh Ramasubramanian via mailop wrote:



That is an office 365 free trial account. There is some massive abuse 
of these going on over a period of time. However there is also a ton 
of legitimate traffic.


--srs

*From:* mailop  on behalf of MRob via 
mailop 

*Sent:* Wednesday, November 9, 2022 5:17:09 AM
*To:* mailop@mailop.org 
*Subject:* [mailop] Try to understand *.onmicrosoft.com
Is envelope sender user@.onmicrosoft.com normal in non-spam
mail? Is it how all microsoft mail comes through? Or is it usually spam
from badly configured domain? Should  part *always* match
sender domain in FROM header?

On the other hand, if mail come from microsoft server *not* through
"onmicrosoft.com" is that negative sign?

Thank you.


Re: [mailop] [External] Google Workspace support? Off-list...

2022-08-17 Thread Kevin A. McGrail via mailop

This is a common question over at the Google Workspace community:

https://www.googlecloudcommunity.com/

Two recommendations:

See https://support.google.com/a/answer/33561?hl=en=1

And if it's enabled, and you are on the domain you might figure out the 
account from the directory: https://contacts.google.com/directory?hl=en


Regards,

KAM

On 8/17/2022 3:11 PM, Eric Tykwinski via mailop wrote:



I have a common customer that doesn’t know who the domain 
administrator is for their domain.


The domain curransisk.com and as of right now they are just trying to 
find the admin email or a way to contact support.


Sincerely,

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300


Re: [mailop] [External] Google Workspace Account Deliverability Issues

2022-07-25 Thread Kevin A. McGrail via mailop

On 7/25/2022 1:46 PM, Jenny Nespola via mailop wrote:
I was approached today by a potential client asking why one account in 
their Workspace is bulking, while none of the others are. Granted that 
one user could be generating complaints, but (from what was shared 
with me) it doesn't seem to be the case. In addition it seems that 
sporadically other accounts from the Workspace get bulked when this 
user mails from it, but others don't. At one point they could mail 
from their mobile just fine, but not from their desktop.


Some suggested the account or computer may be compromised. Is there a 
path to research this more thoroughly to help identify if the user is 
a spammer or if there is malware or other compromises they need to be 
reviewed? I suggested working with their Google contact, but they only 
have a contact for Google Domains. Would something as simple as a 
Google ticket suffice?


Hi Jenny,

First, have you confirmed they have SPF+DKIM+DMARC?  Start there as that 
will fix a lot of issues and Google has been putting email into spam if 
they don't have them especially DKIM of late.


Second, Do they have a Google partner for their account?  If not, that's 
my $dayjob at Dito (quick toot: we were just awarded Google Security 
Partner of the Year).


Finally, in my experience asking that question above to Google support 
will not be very useful.  YMMV.


Regards,
KAM



Re: [mailop] [External] Re: Did Google become stricter about RFC 5322?

2022-07-13 Thread Kevin A. McGrail via mailop

On 7/13/2022 11:18 AM, Miles Fidelman via mailop wrote:
It's been over a month now, since Google became hostile to email 
lists.  I'm still dealing with the aftermath. 

Do you mean their stricter requirements around SPF and DKIM?


Re: [mailop] [EXTERNAL] Re: Moving email server to new IP

2022-07-08 Thread Kevin A. McGrail via mailop

On 7/8/2022 11:23 AM, Russell Clemings via mailop wrote:
We use spamhaus zen, spamcop, and barracuda , along with spamassassin, 
but some still gets through.


Russell and others,

re: Spam getting through.  We've been publishing the KAM ruleset now for 
Apache SpamAssassin for going on 18 years and no charge. Take a look at 
https://mcgrail.com/template/kam.cf_channel and try it out.  It will 
likely increase the efficiency and the efficacy of your installation.


We also turned off our RBL in the ruleset because a major provider 
launched it on a few bazillion boxes and basically DDoSed us.  However, 
thanks to donated resources from Linode we are getting ready to open it 
back up again if you want to try our PCCC Wild RBL as well.  Also, no 
charge.  Just send me an email if you are interested.


Regards,

KAM



Re: [mailop] [External] Re: dmarcian Probe

2022-06-25 Thread Kevin A. McGrail via mailop
NOTE: I got one of these probes as well about 2 weeks ago and flagged it to 
watch. Thanks for posting about it. -KAM


On 6/25/2022 11:54 AM, L. Mark Stone via mailop wrote:


I'm a Dmarcian customer.  FWIW, emails from their domain I have received are 
all routed from Google/Gmail servers and IPs.  None of the tests they offer 
available to the public and to subscribers involve sending email to my 
knowledge.

To be fair, rua/ruf email addresses for my domains point to Dmarcian (I like 
their reporting dashboard and feel it is good value for money), so I can't 
comment on any email flows related to reporting.

Suggest contacting Dmarcian to confirm that they do/do not use Sendgrid if the 
headers look like the email originated with Google, but otherwise I would 
suspect it's just more Sendgrid cruft.

Hope that helps,
Mark
_
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Slavko via mailop" 
To: "mailop" 
Sent: Saturday, June 25, 2022 11:05:29 AM
Subject: [mailop] dmarcian Probe

Hi all,

today i got email with subject:

 dmarcian Probe: 8f472310-d2a3-4ba3-803c-4352e3026997

It was delivered from xvfrtbnw.outbound-mail.sendgrid.net with ZIP
attachment which looks as DMARC reports for my (nonexistent but served
by * in DNS) subdomain 8tVqwhagZ5GJ2PL9 and was delivered to my domain's
RUA email.

I do not use dmarcian at all, thus I am curious what this email means.

Please, is someone trying to register this random generated subdomain
on dmarcian? Or what?

thanks




Re: [mailop] [External] Re: FYI - Google/Gmail hard enforcing SPF presence

2022-04-19 Thread Kevin A. McGrail via mailop
While you are likely right about RFCs, general mail administrator 
hygiene like having rptr's, etc. is something we've all had to work on 
since the days of AOL being the 1000lb gorilla and enforcing postmaster 
guidelines.  RFCs typically codify real-world practices not drive them.


My argument is since you can't join Google's postmaster tools until you 
have SPF or DKIM, well that sort of answers it for you from Google's 
perspective:


https://support.google.com/mail/answer/9981691?hl=en

On 4/19/2022 3:27 PM, Jaroslaw Rafa via mailop wrote:

  If it doesn't, SPF check should be
ignored. There is no RFC that says you MUST have a SPF record.



Re: [mailop] [External] Re: FYI - Google/Gmail hard enforcing SPF presence

2022-04-19 Thread Kevin A. McGrail via mailop
I don't think this is accurate. It seemed to trigger right around the 
start of Russia's invasion of the Ukraine.  I don't think it's 
consistent or has the rhyme/reason you are trying to apply to it in your 
tests.  I would simply say if you have issues with delivery to Google, 
look at your SPF/DKIM/DMARC even if you weren't using them.


On 4/19/2022 12:34 PM, Steve Atkins via mailop wrote:

If you’re being blocked by Google, or “Google is requiring SPF to be accepted” or “I 
had to add DKIM to get mail accepted" then your sending infrastructure, history 
and mailstream reputation is worse than this test setup.



Re: [mailop] [External] FYI - Google/Gmail hard enforcing SPF presence

2022-04-19 Thread Kevin A. McGrail via mailop
Interesting note that we also saw this a few weeks ago too and had to 
add DKIM to get mail to work to domains that only had SPF.


On 4/19/2022 3:20 AM, Andre van Eyssen via mailop wrote:
A little testing shows that gmail appears to be rejecting all mail 
from domains with no SPF record. Having them create the SPF record 
returned their domains to deliverability in about an hour.



Re: [mailop] [External] Re: IP Reputation Services

2022-04-04 Thread Kevin A. McGrail via mailop

On 4/4/2022 11:59 AM, micah via mailop wrote:

More general information about the IADB is here:

https://www.isipp.com/for-isps/

FWIW - spamassassin checks the ISIPP by default since 3.10 and reduces
the score if your address is found there.

And I can vouch for Anne Mitchell and the ISIPP.  -KAM


Re: [mailop] [External] Info on deluxe.com

2022-02-27 Thread Kevin A. McGrail via mailop


I just received my first ever spam from |info.deluxe.com|, sent to a 
tagged address used exclusively for online banking. Does anyone have a 
contact at deluxe so that inquiries can be sent?


Lem: Any chance you use that account with an accounting software that 
has ToS that allow for the solicitation?


Regards,
KAM


Re: [mailop] [External] Re: Google DNS Quad 8 Outage tonight

2021-11-21 Thread Kevin A. McGrail via mailop

On 11/22/2021 12:25 AM, Luke Thompson via mailop wrote:
We tend to run Cloudflare quad-1 rather than Google's quad-8, though 
have hit instabilities with it, too.


This was odd because it was a server or two set up to use Google's 
servers by a lazy admin.  We have a full DNS infrastructure but thanks 
for the Quad 1 note.  Didn't know about that one!


Regards,

KAM



Re: [mailop] [External] Re: Google DNS Quad 8 Outage tonight

2021-11-21 Thread Kevin A. McGrail via mailop
Thanks for the feedback everyone.  We've definitely confirmed outages 
from multiple sources.


Regards,

KAM

On 11/20/2021 11:53 PM, Noel Butler via mailop wrote:
strange, lots of people from multiple networks reported google dns 
went MIA in Australia for an hour or two on 19th


poor souls, had to shake off the google fanboisms and revert to using 
ISPs DNS



On 21/11/2021 02:11, Al Iverson via mailop wrote:

I never thought to monitor for it but Twitter suggests yes, there was 
an outage, both on 11/19 and maybe back on 11/12 too.

Cheers,
Al Iverson

On Fri, Nov 19, 2021 at 8:52 PM Kevin A. McGrail via mailop wrote:

Anyone out there see any Quad 8 outages from about 20:25PM Eastern to
21:16PM Eastern?

Regards,

KAM


[mailop] Google DNS Quad 8 Outage tonight

2021-11-19 Thread Kevin A. McGrail via mailop
Anyone out there see any Quad 8 outages from about 20:25PM Eastern to 
21:16PM Eastern?


Regards,

KAM



Re: [mailop] [External] Re: Fighting spam

2021-10-15 Thread Kevin A. McGrail via mailop

On 10/15/2021 4:57 AM, Brent Clark via mailop wrote:

Are you using KAM rules?
I.e. http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf


Just a note that the much better way to use the rules is with the KAM 
Channel, see https://mcgrail.com/template/kam.cf_channel


Regards,
KAM



Re: [mailop] [External] Help with listing on Invaluement

2021-10-07 Thread Kevin A. McGrail via mailop

On 10/7/2021 11:54 AM, Lyle Lamb via mailop wrote:


Hello there,
Is there a rep on the list with Invaluement that can reach out to me 
off list about some domain listings we are seeing?



Lyle, I gave Rob a heads-up on your email.

Regards,
KAM


Re: [mailop] Feasibility of a private DNSBL

2021-10-06 Thread Kevin A. McGrail via mailop
Good idea.  RBLs are brilliant but when Vixie invented the idea and the 
Apache SpamAssassin team implemented it some 2 decades ago, I wrote 
something to the effect of what a (brilliant) hack. We need to replace 
this with something in a year.


Now, many many years later and several DDOSes against RBL operators like 
STORM network, the use of DNS for RBLs remains :-)


Regards,
KAM

On 10/6/2021 4:22 AM, Leandro Santiago via mailop wrote:

Thank you all who shared their knowledge.

We decided, on our solution, to go away from the DNSBL approach which 
has way too many caveats and are now experimenting with solutions on a 
higher level on the network stack.



[mailop] [OT] Dell EMC PowerSwitch N3248TE-ON anyone out there using them?

2021-10-05 Thread Kevin A. McGrail via mailop

Hi Mailop,

We're evaluating the Dell EMC PowerSwitch N3248TE-ON for a 10G network 
and having some issues with how you get updates, etc. for the device.  
We bought one as an open-box and wondering if anyone out here on MailOp 
has experience with them.


Regards,

KAM



Re: [mailop] [External] Re: Anyone here from SiteGround or .mailspamprotection.com?

2021-09-21 Thread Kevin A. McGrail via mailop
Just to be clear because I'm selfish and trying to fix the issue I'm 
having, is SiteGround using SMTP EXPN / VRFY commands when they try to 
deliver mail but failing if they don't work?  I do use the privacy 
option of goaway for Sendmail.


Regards,

KAM



[mailop] Anyone here from SiteGround or .mailspamprotection.com?

2021-09-19 Thread Kevin A. McGrail via mailop
Hello, working on a delivery error that to me looks like there might be 
DNS issues.  Very unusual.


Regards,

KAM



Re: [mailop] [External] Xfinity / Comcast / rsys5.com

2021-09-15 Thread Kevin A. McGrail via mailop

On 9/15/2021 2:55 AM, Daniele Nicolodi via mailop wrote:

I understand that industry best practice recommends to have
"unsubscribe" links in promotional bulk messages. Shouldn't these links
direct to some form that effectively allows to remove the recipient
address from the distribution list?

Xfinity spams (apparently through rsys5.com) with messages with
"unsubscribe" links that bring to a web form whose settings have no
effect on the reception of these promotional emails.

Is this kind of trick accepted?


For me, your email gives no evidence to really weigh in. Throwing a 
spample up on pastebin might help people give better insight.


However, flying blind, I *think* you are mixing up anti-spam issues with 
legal issues.


For example, unsubscribe and abuse links typically have to do more with 
laws like CAN-SPAM in the US, CASL in Canada, and things like block 
unsolicited commercial email.  They might have unsubscribe requirements 
and the CAN-SPAM law allows for 10 days to do the removal from a list. 
(https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business)


So, how long have you waited to say that the form had no effect?

One thing I like to espouse is that at my firm, with my ruleset, and in 
my work at the Apache SpamAssassin project, we use a litmus test by 
Chris Santerre where spam is about consent not content.  It is not about 
compliance with XYZ law in PDQ jurisdiction. I often use the example 
that if the Pope mailed me the cure to cancer but didn't have consent to 
email me, it is spam.  That's how much consent and not content drives 
our decisions.  Content, especially with consenting adults, is of Zero 
concern to me in spam filtering.


And as a capitalist, there is implicit consent like sending receipts 
AND I'm not judging if they use default opt-in or bury something [1] in 
their ToS allowing them to send you solicitations.   I might not like 
what they are doing but they have gotten the consent they need to email 
you legally.  [1] If it's a trick like using javascript or white on 
white text, that's not consent.


So the question I would ask you if you reported it as spam is the 
Xfinity related to Comcast's brand and if so, are you (or have you been) 
a Comcast customer, hence do you believe they might have consent to 
reach out to you through some reason?


Also, I would look at the email.  Sometimes it's rogue sales people who 
do things they shouldn't.  Depending on the company, the impact to 
legitimate mail and whether the company takes the spam complaint 
seriously would impact how we would handle the spam.  Do we notify 
Comcast, do we add domains to blocklists, do we publicly complain about 
the behavior, do we write a rule for it, etc.


HTH,

KAM



Re: [mailop] [External] Re: Recommendation for inbox provider?

2021-09-08 Thread Kevin A. McGrail via mailop
Agreed.  I thought Yen's statements about it were excellent: 
https://protonmail.com/blog/climate-activist-arrest/


On 9/8/2021 5:07 AM, Mary via mailop wrote:

I think protonmail's business model is about being secure and private within 
the bounds of Swiss law.

The case you mention, is about Interpol asking data about a user, which is 
normal and legal.



Re: [mailop] Off-topic re: hosting recommendation (contains a response pitching my firm) was Re: Recommendation for inbox provider?

2021-09-07 Thread Kevin A. McGrail via mailop
(Resending without the attachment per the Ops request but just email me 
if you are interested :-) )


I would love to throw my firm's hat in the ring.  For those who know 
PCCC, we are experts in open source work, cyber security, anti-spam and 
anti-phishing and have done so since 1998 including funding multiple PMC 
members for the Apache SpamAssassin Project and projects over at 
https://mcgrail.com/


In addition, we ALSO provide a product called cPanel Web Hosting + 
Raptor Email Security.  cPanel + Raptor is PCCC's premier web and email 
hosting powered by cPanel and Raptor Email Security.  cPanel provides an 
easy graphical interface and automation tools for end users to manage 
their sites and users.   PCCC combines this with deployment on hardened, 
managed servers with Raptor Email Security for a complete solution for 
hosting your email and websites.


Attached is a one pager we're working on now so it's rough but you can 
see more about Raptor at https://raptor.us/


Referrals ALWAYS appreciated and Happy to put our money where our mouth 
is with a free 2 month trial for anyone interested.  If you have a personal 
domain and want to test raptor for a year, no strings, hit me off-list.


Regards,
KAM

On 9/6/2021 7:21 PM, Faisal Misle via mailop wrote:
Apart from the buck a month web hosts, the only one that comes to mind 
is MXRoute (their main guy is often on this list)


I used to recommend Rackspace, but not too sure about the long term 
future of their email hosting division. /(Disclaimer: I worked there 
for three years)/



On Mon, Sep 6, 2021 at 5:47 PM, Anne P. Mitchell, Esq. via mailop 
<mailop@mailop.org> wrote:



All,

I know someone who is setting up a business domain, and needs an 
inbox host. Her registrar/webhost is GoDaddy and they are 
discontinuing their free hosted email, and referring people to paid 
Office365. It seems that all of the general info out there points to 
either 365 or Gmail. Surely there must be others out there? Anybody 
have one they recommend? Bonus if they help with authentication setup 
because she is ..um...tech challenged.


Thanks!

Anne

--
Anne P. Mitchell, Esq.
Author: Section 6 of the Federal Email Marketing Law (CAN-SPAM)
Board of Directors, Denver Internet Exchange
Chair Emeritus, Asilomar Microcomputer Workshop
Former Counsel: MAPS Anti-Spam Blacklist
Location: Boulder, Colorado


Re: [mailop] [External] Re: Microsoft Complaint Rate Increase

2021-09-02 Thread Kevin A. McGrail via mailop

Interesting.

We're seeing oddities with M365 with customers with connectors for our 
IPs getting S77719.  I'm still gathering information about to open a 
ticket but this just started today.



Regards,

KAM


On 9/2/2021 5:42 PM, yitzi--- via mailop wrote:
We've been seeing much higher levels of spam markings and SNDS was 
crazy the past couple days, more so than normal. So yes, I'd say we're 
also experiencing some unusual activity surrounding Microsoft reporting.


One of my colleagues mentioned back in mid-July that she suspected 
there could be some automatic spam markings, as some mailings were 
marked as spam within the first couple mins of being delivered - we 
previously chalked it up to an edge case, but since then the numbers 
seem to have climbed but we're thankfully not getting much in the way of 
blocks, so I suppose that's good. And I'm glad to see we're not the 
only ones noticing this issue.


*From:* mailop  on behalf of Leandro 
Manager via mailop 

*Sent:* Tuesday, August 24, 2021 00:48
*To:* Scot Berggren 
*Cc:* mailop@mailop.org 
*Subject:* Re: [mailop] Microsoft Complaint Rate Increase
Caution: This email is from an external sender. Please do not click 
links or open attachments unless you recognize the sender and know the 
content is safe. Forward suspicious emails to isitbad@.


Hi all

I have seen that when I empty the junk folder from my testing email 
account, most of the time I get an equal number of complaints like, 
automatically.


I don't know if this is the expected behavior or not but I think this 
could be a problem (or not?)


Regards
Leandro

On Mon, Aug 23, 2021 at 15:12, Scot Berggren via mailop 
<mailop@mailop.org> wrote:


All,

I'm trying to find out how widespread this is and if there's a
known cause. Over the past couple weeks we've seen an increase in
the total number of unique Microsoft complaints for several
senders, with some really large ones who previously had a 0.01%
rate jump to around 0.14% and it's remained consistently around
0.06% since.

Thanks,
Scot Berggren
Sr. Deliverability Strategist
scot.bergg...@sparkpost.com 


Re: [mailop] [External] Hotmail spam (again)

2021-08-16 Thread Kevin A. McGrail via mailop

Good morning,
Yes sorry. That's my point. You cannot filter MS junk by its headers 
(as far as I know)

No, but there are techniques in SpamAssassin for things such as 
transaction reputation and whether it's coming from a freemail 
provider.  This is not a new phenomenon in the anti-spam world that 
spammers are using freemail systems and it can be a good data point in 
analysis.


Perhaps you were just showing the IPs but I think you will find that 
hotmail/live/msn/outlook use all the same IPs but I could be wrong.  
They likely come under the "too big to block" so content and 
transaction analysis is what I use with Apache SpamAssassin.


I was hoping that maybe they used a separate address range for free 
Hotmail accounts. That would be helpful.


Your email was too much of a red herring IMO so you might re-ask that 
specific question.  Some notes from me on the topic:


Microsoft, at a minimum, has 4 domains under their freemail umbrella:  
hotmail.com, msn.com, live.com and outlook.com.


Checking a few days on one server and I see inbound freemail emails from 
IPs in 104.47.108 & 104.47.109 rarely and the bulk in 40.92.x.x.


Checking the logs for inbound on the same server for the same date range 
that isn't from the 4 freemail that advertises 
*.outbound.protection.outlook.com, shows at least some in 104.47. and 40.92/


And per 
https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide, 
40.92 is listed for *.mail.protection.outlook.com, so at least according 
to their documentation there is overlap and my logs appear to confirm 
it.  They are big ranges though so they might have it carved out but 
likely you have to ask Microsoft.


Regards,
KAM




Re: [mailop] [External] Hotmail spam (again)

2021-08-15 Thread Kevin A. McGrail via mailop

On 8/15/2021 8:05 AM, Markus E. via mailop wrote:

How do you guys combat Hotmail spam?


Markus, I did not see anything in the snippet that you posted that was 
of help to block the emails.  Perhaps you were just showing the IPs but 
I think you will find that hotmail/live/msn/outlook use all the same IPs 
but I could be wrong.  They likely come under the "too big to block" so 
content and transaction analysis is what I use with Apache SpamAssassin.


If you are using SA, take a look at adding the KAM Ruleset at 
mcgrail.com.  I can also let you into a beta program to use our Wild 
RBL.  That RBL got ddosed by a big provider adding it to their 
configuration but we are about to launch more mirrors and make it free 
again for everyone.  Ping me offlist and I'll get you access to it now 
if you want.


Regards,

KAM



[mailop] U.S. DoJ will elevate ransomware attacks to the same priority as terrorism

2021-06-04 Thread Kevin A. McGrail via mailop

I thought this news was very welcome today:

https://twitter.com/RichardEscobedo/status/1400529641065140225

“The U.S. Department of Justice is elevating investigations of 
ransomware attacks to a similar priority as terrorism in the wake of the 
Colonial Pipeline hack and mounting damage caused by cyber criminals, a 
senior department official told Reuters.”


Regards, KAM



Re: [mailop] [External] Huh?

2021-04-30 Thread Kevin A. McGrail via mailop

On 4/30/2021 10:50 AM, Chris Kolbenschlag via mailop wrote:
I got an email from a small receiver that they are blocking one of our 
/24s because of spam.  I looked up the email address they referenced 
and found the contact signed up on their website 2 years ago, has a 
41% open rate, a 17% click rate and has made thousands of dollars in 
purchases and now they block the /24.

Any idea the thought process here?


Chris, sounds like you have clear consent and need to complain to the 
small receiver with the evidence.  There is no judge or jury that can 
help if they are an island of their own.  You could always try reaching 
out to them especially by phone or LinkedIn too.  It shows you are 
real and not a spammer IMO.



Good luck.


Regards,

KAM



Re: [mailop] [External] Office 365 issues

2021-04-22 Thread Kevin A. McGrail via mailop
Thanks Frank.  We had just opened a ticket about this internally and 
thought it was something on our end.  Appreciate your heads-up and the 
mailop list!


Regards,
KAM

On 4/22/2021 11:02 AM, Frank Bulk via mailop wrote:


I presume most of you are aware of issues sending to domains hosted 
with Office 365.


I got my first hint around 8:50 am Central when I received an NDR 
sending email to two valid email addresses at the same company (they 
use Barracuda Networks for web filtering):


d193123a.ess.barracudanetworks.com

Remote Server returned '554 5.0.0 #5.0.0 smtp; 550 permanent failure for one or more recipients 
(:550  
5.1.1 The email account that you tried to reach does not exist. Please 
try 5...)>'


I emailed a third valid email address at that company from Gmail and 
it didn’t arrive.


Then our monitoring system alerted us that email was queuing up on our 
ISP email server to a certain Office 365 hosted domain … looking at 
our email server outbound queue, there were lots of


451 4.3.2 Temporary server error. Please try again later ATTR1 
[BN8NAM12FT065.eop-nam12.prod.protection.outlook.com])


type messages.

Based on our ISP email server logs, the first example was at 8:00 am 
Central.


Confirmed also here: https://downdetector.com/status/office-365/ 



Frank




Re: [mailop] [External] What's w/ .bl.score.senderscore.com?

2021-04-21 Thread Kevin A. McGrail via mailop

Andreas,

Senderscore is part of Validity which is now the product Everest.  They 
worked with us to update some rules on the SpamAssassin project.  I'll 
bcc some contacts there to see if they can relay/post some information 
about this!


Regards,

KAM

On 4/21/2021 10:30 AM, Andreas Schamanek via mailop wrote:


Did I miss something? Since days .bl.score.senderscore.com returns 
NXDOMAIN or SERVFAIL, and apparently I am not the only one affected.





Re: [mailop] [External] Reg. Virginmedia SMC Policy Violation bounce error

2021-03-17 Thread Kevin A. McGrail via mailop

On 3/17/2021 9:33 PM, Vaibhav via mailop wrote:

Hi,

We're an ESP sending emails on behalf of clients who are receiving the 
following bounce error from virgin media domains (blueyonder.co.uk, 
ntlworld.com, virginmedia.com) across multiple different 
domains and IPs:


SMTP Error : *421 4.2.0 MXIN618 Temporary SMC Policy Violation 
detected, retry later 
;id=MVLFlm4kdboSoMVLGlk2I5;sid=MVLFlm4kdboSo;mta=mx1.tb;dt=2021-03-17T13:32:03+01:00*

We have tried "sending later", as suggested in the error but no emails 
are being allowed through. Would someone please be able to help me 
with the cause of this error, and how we may resolve it moving 
forwards? I can't find any information on it online nor action I can 
take for it to be removed


It's their sender mail compliance or something like that.  Your systems 
are likely being blocked for sending spam / user complaints.  See 
https://netreport.virginmedia.com/netreport/ for more info but I don't 
know how to reach their postmaster.  They have a community forum linked 
there as well.


Have you looked at the postmaster hygiene of your customers?  Any of 
them using things like bought lists?  What's your ESP?


Regards,

KAM



[mailop] MailOp Postmaster - reason: 554 5.7.1 [C9] Missing reverse DNS for ...)

2021-03-02 Thread Kevin A. McGrail via mailop

Trying to reach a Qwest/CenturyLink/CenturyNet posthandler.

We have been seeing sporadic and inaccurate errors about missing reverse 
DNS for about a week with them.  I believe they have a problem somewhere 
on one of their networks/DNS servers.


Seeing errors like  (reason: 554 5.7.1 [C9] Missing reverse DNS for ...) 
and the IPs listed have reverse DNS.


Anyone on list can point me to a contact, please?

Regards,

KAM



Re: [mailop] [External] SURBL.org mirror broken

2021-02-23 Thread Kevin A. McGrail via mailop

Fixed.

Lyle


Thanks for raising the issue!


Re: [mailop] [External] SURBL.org mirror broken

2021-02-23 Thread Kevin A. McGrail via mailop


On 2/22/2021 6:41 PM, Lyle Giese via mailop wrote:
38.124.232.194 is answering correctly. .193 is still malfunctioning 
and b.surbl.org is showing 34.124.232.193 as one of the A records.



Thanks.  I bcc'd the email yesterday and will follow-up.


Re: [mailop] [External] SURBL.org mirror broken

2021-02-22 Thread Kevin A. McGrail via mailop
Lyle, that's the mirror my firm runs and we "fixed" a networking issue 
which likely broke this.


Can you query from 38.124.232.194?  I'll ask them to update b.surbl.org 
to include 38.124.232.194 instead of .193.


Thanks for raising the red flag on this.

Regards,
KAM

On 2/22/2021 4:48 PM, Lyle Giese via mailop wrote:
I found that one of their dns mirrors is broken.  38.124.232.193 is 
listed as one of 4 ip addresses for b.surbl.org.  It appears to not be 
functioning at this time.


dig @38.124.232.193 surbl-org-permanent-test-point.com.multi.surbl.org

Fails.

I went to the surbl.org website and their links to their mail lists 
claim no public mailing lists available, but that is what the website 
claims is their preferred communication method.  I don't need to hear 
from them directly, but this mirror appears to be broken and it either 
needs to be fixed or removed as an A record for b.surbl.org


Thanks,

Lyle Giese

LCR Computer Services, Inc.




Re: [mailop] [External] Re: Good Hosting Suggestions?

2021-02-19 Thread Kevin A. McGrail via mailop

On 2/19/2021 10:43 PM, John Levine via mailop wrote:

Once again, people sending you an abuse report are doing you a favor.
In my experience, If you can't figure out how to deal with
attachments, I doubt you can manage your network.


I have lost track of which provider we are discussing BUT I wanted to 
say that I agree with this very much.  I will use WHATEVER is reported 
to try and improve things.  The feedback loop is a key reason why the 
research I lead is so effective in the world and the time each person 
takes to send us that feedback is very appreciated!


And there are many definitions of "good" hosting, but PCCC.com provides 
cpanel hosting on secured, hardened, managed servers and includes 
RaptorEmailSecurity.com on top as a white-glove boutique hosting firm.  
Happy to discuss with anyone interested.


Regards,
KAM



Re: [mailop] [External] Re: Any Postmaster from ATT.NET?

2021-02-03 Thread Kevin A. McGrail via mailop

On 2/3/2021 10:06 AM, Rob McEwen via mailop wrote:

On 2/3/2021 8:57 AM, Kevin A. McGrail via mailop wrote:
Hello all, if anyone from AT&T is here, the @mms.att.net gateway to 
email is using an SPF record with ?ALL [ip4:166.216.152.0/24 ?all] 
and blocked by invaluement RBL.



Kevin,

It was 1 IP that had gotten listed at invaluement, /not/ a /24 or 
subnet. It just got listed yesterday, and there hadn't been a single 
delist request sent to us about this yet. We have just about all such 
ISP outbound ranges in our local WL already, but occasionally miss 
something. And even then, our false positive prevention filter is 
/usually/ excellent at otherwise preventing a listing, even when 
occasional egregious spam is sent from a normally-OK ip. I've delisted 
this IP and have taken further steps to prevent this from happening in 
the future. Hopefully, it will be apparent to others that you finding 
this important enough to mention on mailop, where these are rarely 
ever mentioned, illustrates the rarity of this situation. As 
mentioned, this is already delisted and WL'ed.


+1 I love and pay for Invaluement RBL.  I mentioned it on mailop so 
AT&T will fix the poor mail server hygiene. :-)


[mailop] Any Postmaster from ATT.NET?

2021-02-03 Thread Kevin A. McGrail via mailop
Hello all, if anyone from AT&T is here, the @mms.att.net gateway to 
email is using an SPF record with ?ALL [ip4:166.216.152.0/24  ?all] and 
blocked by invaluement RBL.


Regards,
KAM



Re: [mailop] [External] Sendgrid again...

2021-01-22 Thread Kevin A. McGrail via mailop

On 1/22/2021 9:08 AM, Hans-Martin Mosner via mailop wrote:

Well I'm not complaining about the spam from them - it's a steady flow, nothing 
new.

But it looks like they have filters on their abuse box now to reduce the amount 
of abuse reports:

Of course, that would be my next step in their shoes...


Re: [mailop] [External] Lashback UBL (unsubscore.com) not working?

2021-01-07 Thread Kevin A. McGrail via mailop


On 1/6/2021 10:19 AM, randy via mailop wrote:
A little late to the thread here, but I found it because I had the 
same question. I emailed lashback (bugs at lashback.com), and this was 
their reply:


"Greetings, the blacklist has been retired for the time being. These 
plans may change so please refer to the home page for upcoming details. "


So either keep watching and waiting, or more likely don't, because 
it'll probably never return.


Thanks Randy,

I'm a mirror for them and didn't know this!

Regards,

KAM



Re: [mailop] [External] Anyone from BlueHost on this list?

2020-12-22 Thread Kevin A. McGrail via mailop

On 12/22/2020 2:54 AM, Sidsel Jensen via mailop wrote:

Is this still a valid limit? I’d like to hear your thoughts about it.

IMO no. It hasn't been valid for years in the real-world.  See 
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7182 for more 
background when the Apache SpamAssassin team discussed it a few years back.

Regards,
KAM


Re: [mailop] [External] Anyone from BlueHost on this list?

2020-12-21 Thread Kevin A. McGrail via mailop

On 12/21/2020 1:56 PM, Eric Tykwinski via mailop wrote:


> Just a heads up:
>
> v=spf1 include:spf2.bluehost.com include:_spf.qualtrics.com 
> include:_spf.google.com include:_spf.salesforce.com 
> include:sparkpostmail.com include:spf.mailjet.com -all
>
> evaluating...
> Results - PermError SPF Permanent Error: Too many DNS lookups

Side-note: In general, the RFC for SPF is too strict on this.  SA raised 
the limit from 10 to 20 because otherwise you get all kinds of 
real-world failures.


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
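
How the "Too many DNS lookups" PermError in the message above arises, and what raising the limit from 10 to 20 changes, as an added example that is not code from the thread or from SpamAssassin. The top-level record is the one quoted above; its owner domain (`example.test`) and the contents of every included record are constructed assumptions so the count can run offline.

```python
"""Worst-case count of DNS-querying SPF terms (RFC 7208 section 4.6.4)."""

# Top-level record: quoted in the thread. Owner name and all included
# records: constructed placeholders, not the providers' real SPF data.
ZONE = {
    "example.test": (
        "v=spf1 include:spf2.bluehost.com include:_spf.qualtrics.com "
        "include:_spf.google.com include:_spf.salesforce.com "
        "include:sparkpostmail.com include:spf.mailjet.com -all"),
    "spf2.bluehost.com": "v=spf1 ip4:192.0.2.0/25 include:relay.example.test ~all",
    "relay.example.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_spf.qualtrics.com": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_spf.google.com": ("v=spf1 include:nb1.example.test "
                        "include:nb2.example.test include:nb3.example.test ~all"),
    "nb1.example.test": "v=spf1 ip4:198.51.100.128/26 ~all",
    "nb2.example.test": "v=spf1 ip4:198.51.100.192/26 ~all",
    "nb3.example.test": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.salesforce.com": "v=spf1 exists:%{i}._spf.example.test mx ~all",
    "sparkpostmail.com": "v=spf1 ip4:203.0.113.0/25 ~all",
    "spf.mailjet.com": "v=spf1 ip6:2001:db8:2::/48 ~all",
}

# Terms that cost one DNS query each; ip4, ip6 and all cost nothing.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


class SPFPermError(Exception):
    """Raised where an evaluator would return permerror."""


def parse_term(term):
    """Return (name, target) for one SPF term, dropping qualifier and CIDR."""
    term = term.lstrip("+-~?")
    head = term.split("=", 1)[0]
    if "=" in term and ":" not in head and "/" not in head:
        name, target = term.split("=", 1)          # modifier, e.g. redirect=
        return name.lower(), target
    name, _, target = term.partition(":")
    name = name.split("/", 1)[0]                   # "mx/24" -> "mx"
    target = target.split("/", 1)[0]
    return name.lower(), target or None


def count_lookups(domain, zone, limit=10, _state=None):
    """Count lookup-causing terms reachable from domain, raising at the limit.

    This is the worst case (no mechanism matches early), which is what SPF
    validators report. Include loops end here too, because every hop counts.
    """
    state = _state if _state is not None else {"count": 0}
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise SPFPermError(f"no SPF record found for {domain}")
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name in LOOKUP_MECHANISMS or name == "redirect":
            state["count"] += 1
            if state["count"] > limit:
                raise SPFPermError(
                    f"too many DNS lookups (limit {limit}) at {term!r} in {domain}")
        if name in ("include", "redirect"):
            count_lookups(target, zone, limit, state)
    return state["count"]


def check(domain, zone, limit=10):
    """Return ("ok", lookups) or ("permerror", reason)."""
    try:
        return "ok", count_lookups(domain, zone, limit)
    except SPFPermError as exc:
        return "permerror", str(exc)


if __name__ == "__main__":
    print(check("example.test", ZONE, limit=10))   # RFC limit
    print(check("example.test", ZONE, limit=20))   # limit mentioned in the reply
```

With this constructed data the six top-level includes expand to 12 lookups, so the record fails at the RFC limit and evaluates under a limit of 20.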


[mailop] [Off-Topic] Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Ser

2020-11-26 Thread Kevin A. McGrail via mailop

Morning all,
I wanted to share the news from 
https://mcgrail.com/newsmanager/news_article.cgi?template=news.template_id=11 
with you all.  We'll also have a mailing list up soon too.
Thanks to the sponsors and to Georgia Smith and Karsten Bräckelmann who 
worked hard on setting up the infrastructure for this.


Happy Thanksgiving,
KAM


 Announcing the Apache SpamAssassin Channel for the KAM Rule Set

Nov 26, 2020
Happy Thanksgiving,

The McGrail Foundation is proud to announce the immediate availability 
of the channel for the KAM rule set.


The rule set has been free and available to improve Apache SpamAssassin 
installations for going on 17 years now. It includes rules for common 
spam as well as contributed rules plus tweaks to help make things faster 
and more efficient with the stock rules without lowering the efficacy.


The KAM rule set is authored by Kevin A. McGrail with contributions from 
Joe Quinn, Karsten Bräckelmann, Bill Cole, and Giovanni Bechis. It is 
maintained by The McGrail Foundation.


The KAM channel is made possible with the support of hosting from Linode 
and help from PCCC & cPanel. More information about our sponsors can be 
found at our Sponsor's Page at 
https://mcgrail.com/template/sponsors


To enable the KAM rule set via an sa-update channel see the channel page at 
https://mcgrail.com/template/kam.cf_channel


Re: [mailop] [External] Fake fax spam from sendgrid

2020-10-20 Thread Kevin A. McGrail via mailop
On 10/19/2020 8:29 PM, John Levine via mailop wrote:
> I'm getting a steady stream of spam from Sendgrid purporting to be
> Efax messages, with what appears to be an XLS spreadsheet attached.
> The return addresses are all over the place but they all come through
> Sendgrid, e.g., 
John, Sendgrid has become a haven for malware/spammers/phishers since
Q1 this year.

Are you using spamassassin?  There is an ESP plugin and some items in
KAM.cf to combat the scourge.



Re: [mailop] [External] Lashback UBL (unsubscore.com) not working?

2020-10-13 Thread Kevin A. McGrail via mailop
They know about the issue and are working on a new server
infrastructure.  I've bcc'd them to see if there are new updates to share.

Regards,

KAM

On 10/13/2020 12:21 PM, Mark G Thomas via mailop wrote:
> Hi,
>
> On Thu, Sep 24, 2020 at 02:21:00PM -0400, Kevin A. McGrail via mailop wrote:
>> Just an update from lashback:
>>
>> We're in the midst of a total migration to the cloud. Things should be
>> back to normal soon.
> Our rsync connection attempts to rsync.unsubscore.com are still failing. The
> last successful was on 9/14/2020.
>
> I have no idea who to reach out to about it.
>
> Mark
>


Re: [mailop] [External] sendgrid.net

2020-09-25 Thread Kevin A. McGrail via mailop
On 9/25/2020 9:36 AM, Michael via mailop wrote:
> What's the consensus on sendgrid.net? I don't know anything about
> them, but I had the impression that they were a reputable company.
> Lately, I've noticed a lot of phishing emails coming from them. Does
> anyone just block them completely?
>
I've been very saddened.  Sendgrid was a reputable ESP that has fallen
from grace.  About 6-7 months ago, we started seeing pretty large
amounts of spam from them.  I've personally tried reaching out to Twilio
/ Sendgrid leadership to alert them to the issue.

The KAM.cf ruleset has rules that mark sendgrid higher due to the
proclivity for phishes.

Krebs has done an article on it:
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/

mailop, the SA mailing list and others have all discussed the issue for
months.

Invaluement released a plugin / list for this issue as well - See
https://www.invaluement.com/serviceproviderdnsbl/

Until Sendgrid acknowledges and works to resolve the issue, I must
recommend that they are avoided.

Regards,

KAM


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] [External] Lashback UBL (unsubscore.com) not working?

2020-09-24 Thread Kevin A. McGrail via mailop
Just an update from lashback:

We're in the midst of a total migration to the cloud. Things should be
back to normal soon.

Regards,

KAM




Re: [mailop] [External] Lashback UBL (unsubscore.com) not working?

2020-09-24 Thread Kevin A. McGrail via mailop
On 9/24/2020 12:22 PM, Robert L Mathews via mailop wrote:

> We use the Lashback UBL described at  as
> a (small part of) scoring incoming mail. The actual list domain name is
> "unsubscore.com".
>
> About 10 days ago I noticed that the timestamps on their rsyncable files
> stopped updating. I contacted them about this but got no response.
>
> Today the DNS for the "unsubscore.com" domain name appears to have
> stopped working, so attempts to download the files or use the live
> blacklist are failing:
>
>  $ dig 2.0.0.127.ubl.unsubscore.com
>  ...
>  status: SERVFAIL
>
> Are the Lashback / unsubscore.com folks on this list, or does anyone
> know if that list is dead?

I was looking at similar issues with DNS stopping on our rsync for them
since I'm a public mirror for Lashback.  I have reached out to them to
see if I can get some insight to share.

Regards,

KAM



Re: [mailop] [External] Re: How to do Outbound Relay from M365 previously O365

2020-09-18 Thread Kevin A. McGrail via mailop
On 9/18/2020 11:51 AM, Andrew C Aitchison via mailop wrote:
> As I say, I am not sure that any of this will directly help with your
> issue. 

As you say, not directly because I'm worried about outbound not
inbound.  However, this article [1] seems to back up the fact that they
turned off the capability in the past year.  I think they turned it off/
broke it for outbound as well but did not implement any mechanisms to
replace it.  Thank you!

[1]https://developer.microsoft.com/en-us/graph/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers/

Regards,
KAM




Re: [mailop] [External] Re: How to do Outbound Relay from M365 previously O365

2020-09-18 Thread Kevin A. McGrail via mailop
On 9/18/2020 10:18 AM, Ken O'Driscoll via mailop wrote:
> You need to set up mail flow connectors in Exchange Online.
> Authentication is certificate and/or IP based.
>
> I think this explains it fairly well: 
> https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail
>
Thanks, but for outbound FROM m365 to the internet through a smarthost,
this wouldn't suffice.  We couldn't accept Microsoft's Cert or all of
Microsoft's IPs for relay without significant risk of inevitable abuse.

I don't think I'm missing something on this but completely open to the
fact that I might be.

Regards,

KAM



[mailop] How to do Outbound Relay from M365 previously O365

2020-09-18 Thread Kevin A. McGrail via mailop
Hello Mailoppers,

I might have asked this before but I've been going round and round with
Microsoft tech support on SMTP basics.  Microsoft has, no joke, been
working on answering this question since June 30th.  It's been a very bad
shotgun approach of sending random knowledge bases, doing screenshares,
watching their interface crash, etc.

For years, we used to relay mail from m365 through our on-premise
Linux-based SMTP server using basic plain SMTP AUTH.  At some point,
they removed it but can't say when.  They really have no record it ever
worked other than the fact that we have the relay in place on some
accounts that back in June stopped working. 

Does anyone know what authentication methods might work with m365?  Ever
seen a KB or anything about it?  I am sad to say they are recommending
things like allowing all of their IP range to relay and the very nice
tech who is helping is just too junior to understand how bad an idea
that is.

Regards,

KAM




Re: [mailop] [External] antispamcloud.com (SpamExperts) forensics reports format

2020-09-09 Thread Kevin A. McGrail via mailop
On 9/9/2020 1:12 PM, Sébastien Riccio via mailop wrote:
> We are parsing dmarc reports using parsedmarc and the forensics
> reports coming from antispamcloud.com seems not to follow the
> recommended reporting format (AFRF) and therefore are considered invalid.
>
> Maybe is there anyone from SpamExperts in this list that could
> enlighten me about how we could request to receive the reports in a
> common format?
>

I've forwarded the email to Dreas with SpamExperts to see if he can
weigh in!

Regards,

KAM



Re: [mailop] [EXTERNAL] Seeing a 255.255.255.255 ip in received header from Microsoft

2020-09-02 Thread Kevin A. McGrail via mailop
Hi Michael,

On 9/2/2020 10:05 PM, Michael Wise via mailop wrote:

> That means it was local. Pay it no mind, unless you like blocking all traffic 
> that was entered via the UX.

Well, I noticed today that the stock SpamAssassin rules will mark it as an 
illegal IP in the Received header.

Can I suggest that MS use perhaps 127.0.0.255 or something that represents 
local better? I don't believe the 255 class A is IANA valid 
(https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml).

Regards,

KAM




[mailop] Seeing a 255.255.255.255 ip in received header from Microsoft

2020-09-02 Thread Kevin A. McGrail via mailop
Howdy Mailopers,


Anyone seen a received header like this before with the from on quad
255's from an email from hotmail?

Received: from 255.255.255.255 (255.255.255.255) by
MN2PR10CA0026.namprd10.prod.outlook.com (2603:10b6:208:120::39) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3326.20 via
Frontend Transport; Tue, 1 Sep 2020 12:39:43 +

Regards,

KAM


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
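
A check of how the client address in a Received header such as the one quoted above classifies, added here as an example and not taken from the thread or from SpamAssassin's rules. The first header is the thread's, excerpted up to the transport clause and re-folded; the other two headers and all `example.test` names are constructed for comparison.

```python
import ipaddress
import re

RAW_HEADERS = [
    # From the thread (date part omitted, folding whitespace restored).
    "Received: from 255.255.255.255 (255.255.255.255) by\n"
    " MN2PR10CA0026.namprd10.prod.outlook.com (2603:10b6:208:120::39) with\n"
    " Microsoft SMTP Server (version=TLS1_2,\n"
    " cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3326.20 via\n"
    " Frontend Transport",
    # Constructed: the loopback-style value suggested in the reply.
    "Received: from localhost (localhost [127.0.0.255]) by mx.example.test\n"
    " with ESMTP",
    # Constructed: an IPv6 literal in the common "[IPv6:...]" form.
    "Received: from mail.example.test (mail.example.test [IPv6:2001:db8::25])\n"
    " by mx.example.test with ESMTPS",
]

# "from <helo> (<rdns> [<ip>])" and the bare "(<ip>)" form seen in the thread.
FROM_CLAUSE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+"
    r"\((?:[^()\s]+\s+)?\[?(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]?\)",
    re.IGNORECASE,
)


def classify(ip_text):
    """Place an address literal into a coarse routing category."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if addr.is_loopback:
        return "loopback"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"
    if addr.is_reserved or addr.is_multicast or addr.is_unspecified:
        return "reserved"
    if not addr.is_global:
        return "special-purpose"      # RFC 1918, documentation ranges, etc.
    return "global"


def received_hops(raw_headers):
    """Return (helo, ip, category) for each Received header, in order."""
    hops = []
    for raw in raw_headers:
        unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)   # undo header folding
        match = FROM_CLAUSE.match(unfolded)
        if match is None:
            hops.append((None, None, "no-from-clause"))
            continue
        hops.append((match["helo"], match["ip"], classify(match["ip"])))
    return hops


def impossible_peers(hops):
    """Hops whose claimed client address can never be a real remote peer."""
    bad = {"limited-broadcast", "reserved", "unparseable"}
    return [hop for hop in hops if hop[2] in bad]


if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print(hop)
```

The quad-255 hop is the only one returned by `impossible_peers`, while the `127.0.0.255` form classifies as loopback.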


Re: [mailop] [External] Re: This is..Concerning: DatabaseUSA Wins Case Against The Spamhaus Project

2020-08-04 Thread Kevin A. McGrail via mailop
On 8/4/2020 12:24 PM, Rob Nagler via mailop wrote:
> It is actually more sinister than anybody realizes. I did some
> research into Charles "Charlie" Benn. 
>
> He is working on new technology  to
> get spam into the UK and the EU. He works undercover for a real estate
> company
>  (note
> that he doesn't appear 
> on their staff page).  I believe he's actually an Eastern European
> with bases in East London, ZA and Reading, UK. He falsely accepted
> service to undermine Spamhaus, which has been hunting him for years.

Oooh, the plot thickens!  I look forward to a Jason Bourne anti-spam movie.

Regards,

KAM



Re: [mailop] [External] Gmail IMAP xyzzy ?

2020-08-02 Thread Kevin A. McGrail via mailop
On 8/2/2020 6:43 PM, John Levine via mailop wrote:
> When I connect to Gmail's IMAP server, one of the capabilities it advertises 
> is "xyzzy".  Anyone know what that is?
>
> I know the etymology (same place as plugh) but what's it supposed to do?
>
> Signed,
> Wondering

John/Wondering,

Just an easter egg referencing Colossal Cave.  It will just respond OK
nothing happens.

Regards,

KAM




[mailop] Microsoft giving Server Busy errors for M365

2020-07-24 Thread Kevin A. McGrail via mailop
Microsoft's anti-spam seems to be misfiring again but for once it is on
the m365 paid customer.  Seeing deferred messages like dsn=4.0.0,
stat=Deferred: 451 4.7.500 Server busy. Please try again later from
[38.124.232.13]. (S77714)
[CO1NAM04FT003.eop-NAM04.prod.protection.outlook.com]

Anyone know how to open a ticket about this?  Working for m365
customer(s) to open support tickets but is there a place for ISPs to let
Microsoft know they have an issue?

Regards,

KAM




[mailop] Outbound from M365 to relay off our SMTP with SMTPAUTH

2020-07-18 Thread Kevin A. McGrail via mailop
Hi All,

I've got a long outstanding Anyone out there know what I'm missing in
trying to have M365 relay all outgoing mail through our on-premise SMTP
servers?

I've opened support tickets but they went to evolveip.net with no response.

Here's what I used to do:

  - Admin | Exchange -> Mail Flow | Connectors -> create new connector
  - from 365 to partner
  - use when email sent to these domains
  - list domain names
  - route email through smart hosts
  - set to smtp.pccc.com

Has that setting been moved?  Does it not work with SMTP AUTH anymore?

Happy to share more info.

Regards,

KAM



Re: [mailop] [External] Re: Microsoft Block list (S3150)

2020-06-29 Thread Kevin A. McGrail via mailop
The SNDS/JMRP program used to.  Anecdotally, the feedback loop
disappeared with the advent of GDPR and/or CCPA early this year.

Regards,
KAM

On 6/29/2020 7:16 AM, Laura Atkins via mailop wrote:
> On the advice of their lawyers Microsoft doesn’t share that
> information with senders. 
>
> laura 
>
>
>
>> On 29 Jun 2020, at 06:18, Esteban Fonseca via mailop
>> <mailop@mailop.org> wrote:
>>
>> Hello all,
>>
>> Has anyone ever had success getting feedback from Microsoft ? Stuff
>> like what caused the block, and when, things that may help you nail
>> down the issue ? We've got new IPs assigned by our ISP and they were
>> blocked since they were assigned to us, meaning that it was not us
>> (my company)  who caused the block, but they still say the IPs don't
>> qualify for mitigation.
>>
>> Thanks a lot,
>> Esteban.
>>
>>
>> On 27/06/2020 5:54 am, Tim Bray via mailop wrote:
>>>
>>> On 24/06/2020 23:03, Al Iverson via mailop wrote:
>>>> Yep, fill out this form: http://go.microsoft.com/fwlink/?LinkID=614866
>>>> Wait a few days for a reply.
>>>> First reply might just be a "we're routing your ticket" response.
>>>> Second reply might be useful, or it might be completely bonkers.
>>>> You might have to calmly state your case repeatedly.
>>>> They might say they see nothing wrong. Stick to your guns and show
>>>> them the data.
>>>> Eventually, after a number of replies, they'll say that the IP
>>>> qualifies for mitigation and that the block will be rescinded within
>>>> 48-72 hours.
>>>
>>>
>>> And this process does work.   Takes a few days and a few emails back
>>> and forwards.
>>>
>>> Our corporate email server IPv4 address got blocked at hotmail
>>> recently.   Nothing received from the junk mail reporting system.
>>>
>>> It is slightly frustrating, because I'd like to know what we did
>>> wrong.   I'd be the first to change something if we were.
>>>
>>> Maybe we did nothing wrong and just tripped a rate limit, filter or
>>> keyword or something.
>>>
>>> Tim Bray
>>>
>>>
>
> -- 
> Having an Email Crisis?  We can help! 800 823-9674 
>
> Laura Atkins
> Word to the Wise
> la...@wordtothewise.com 
> (650) 437-0741
>
> Email Delivery Blog: https://wordtothewise.com/blog
>
-- 
*Kevin A. McGrail*
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com 

https://www.linkedin.com/in/kmcgrail



Re: [mailop] [EXTERNAL] Re: Attention Michael Wise - need your assistance

2020-06-18 Thread Kevin A. McGrail via mailop

On 6/18/2020 7:11 AM, Stefano Bagnara via mailop wrote:
> On Thu, 18 Jun 2020 at 13:00, Abuse via mailop  wrote:
>> It is clear, but what must we do when the front door is closed too?
>> I used the Support Funnel but didn't get any responses, not even the first 
>> response from the robot giving me the SRX#.
> We use an outlook.com/hotmail.com email address to open requests to
> microsoft services as they often had issues delivering email to our
> own business domain.
> So if you didn't try yet, you may want to try this way.
>
> Of course this won't fix the issue with their funnel ignoring you
> after 2-4 templated replies, but maybe will fix your current issue.

+1, Great point, Stefano. I too have used this before and it helped a
lot to make sure comms were open to discuss the issue.

Regards,

KAM



Re: [mailop] [External] dcc down / dead?

2020-05-23 Thread Kevin A. McGrail via mailop
Vernon has emailed me that everything is renewed.  Can you confirm it
looks good now?



Re: [mailop] [External] dcc down / dead?

2020-05-23 Thread Kevin A. McGrail via mailop

> The DNS zone dcc-servers.net expired:
>
> Registrar Registration Expiration Date: 2020-05-22T17:54:35Z

Thanks.  I've emailed Vernon to let him know!

Regards,
KAM



Re: [mailop] [External] dcc down / dead?

2020-05-23 Thread Kevin A. McGrail via mailop
On 5/23/2020 7:23 AM, Stefan Bauer via mailop wrote:
>
> Hi,
>
>
> seems like the main DCC servers are down (dcc1-6.dcc-servers.net),
> also the website.
>
> Archive last mails are from end 19.
>
>
> Anybody knows more? Did i miss some announcement?
>

Stefan, hi, I run a DCC mirror and not aware of anything.  And
https://www.rhyolite.com/dcc/ is online for me.  Forwarded your email to
Vernon for more troubleshooting.

Regards,

KAM



Re: [mailop] [External] SNDS Down?

2020-05-07 Thread Kevin A. McGrail via mailop

On 5/7/2020 8:56 AM, Mike Hammett via mailop wrote:
> Is SNDS down? I'm unable to login. 
>
I just logged into it and it worked. 


Re: [mailop] [External] Re: SendGrid Abuse unresponsive

2020-05-05 Thread Kevin A. McGrail via mailop

On 5/5/2020 5:50 PM, Carl Byington via mailop wrote:
> On Tue, 2020-05-05 at 07:48 -0700, Michael Peddemors via mailop wrote:
> > This is a little too obvious, and while historically SendGrid ran a
> > tight ship, and got a little leeway from spam auditors.. it's getting
> > very bad, and going on for too long.. risking losing any preferential
> > treatment..
>
> It is bad enough that our local spamassassin rules add 5 points if the
> message is dkim signed by sendgrid.net.
>
We have rules for sendgrid as well in KAM.cf due to the prevalence for
abuse.  If you are using Apache SpamAssassin and the KAM.cf ruleset
(https://mcgrail.com/downloads/KAM.cf), I'd love to see spamples that
get through.

Regards,

KAM




[mailop] Mail.com Contact?

2020-04-30 Thread Kevin A. McGrail via mailop
Hi All,

Seeing a blacklist on one of our SMTP IPs with mail.com (which powers
email.com and gmx.de from our issues).

Can't find our IP on a blacklist and no response from the postmaster
contact sent to https://postmaster.mail.com/en/contact

Anyone here on list have a good contact or can figure out an RBL with
38.124.232.14 on it?  I know about backscatterer but don't consider them
very legit because they are pay for delist.

Best,

KAM





Re: [mailop] [External] Re: Google DMARC reports

2020-04-24 Thread Kevin A. McGrail via mailop
Just an update that we got a flurry of Google DMARC reports a few hours ago.

On 4/23/2020 12:59 PM, Brandon Long wrote:
> Thanks for the note, we're looking into it.
>
> Brandon
>
> On Thu, Apr 23, 2020 at 8:19 AM Kevin A. McGrail via mailop
> <mailop@mailop.org> wrote:
>
> +1 here.  I sent an oob note to a Googler who might help.
>
> Regards,
>
> KAM
>
> On 4/23/2020 10:55 AM, Ewald Kessler | Webpower via mailop wrote:
>> Seeing it too. Received the last one on Tuesday 11:41 AM (CET).
>> Don't see anything reported after April 21 in GPT either.
>>
>> Regards,
>> Ewald
>>
>> On Thu, 23 Apr 2020 at 15:39, Ken O'Driscoll via mailop
>> <mailop@mailop.org> wrote:
>>
>>
>> We haven't received a Google DMARC report for any domain
>> since Tuesday (21 Apr.), is anyone one else seeing this?
>>
>> Ken.
>>
>>
>>
>> -- 
>> Deliverability & Abuse Management, www.webpower-group.com
>> ewald.kess...@webpower.nl
>> t: +31 342 423 262
>> li: www.linkedin.com/in/ewaldkessler


Re: [mailop] [External] Re: Google DMARC reports

2020-04-23 Thread Kevin A. McGrail via mailop
+1 here.  I sent an oob note to a Googler who might help.

Regards,

KAM

On 4/23/2020 10:55 AM, Ewald Kessler | Webpower via mailop wrote:
> Seeing it too. Received the last one on Tuesday 11:41 AM (CET). Don't
> see anything reported after April 21 in GPT either.
>
> Regards,
> Ewald
>
> On Thu, 23 Apr 2020 at 15:39, Ken O'Driscoll via mailop
> <mailop@mailop.org> wrote:
>
>
> We haven't received a Google DMARC report for any domain since
> Tuesday (21 Apr.), is anyone one else seeing this?
>
> Ken.
>
>
>
> -- 
> Deliverability & Abuse Management, www.webpower-group.com
> ewald.kess...@webpower.nl 
> t: +31 342 423 262
> li: www.linkedin.com/in/ewaldkessler


Re: [mailop] [External] Re: Barracuda ESS is mass-accessing websites on my server, why?

2020-04-01 Thread Kevin A. McGrail via mailop
Just to loop around that Jay gets a gold star for being correct and
Barracuda has reached out to me.  I've sent this response below to them
and fingers crossed we'll work this out asap.  - KAM

1st, Thanks for reaching out.  This reply is NOT to shoot the
messenger.  In fact, hit me with an address and we'll send you a small
thank you.

2nd, Please consider this a formal complaint that needs to be handled
with expediency.  We're all in this to stop the bad actors and keep mail
flowing!

3rd, Your scanner DOSed our servers in February and today.  That
triggered our SOAR in February then leading to a number of tickets for
remediation with ESS users.  You can likely cross reference to
[redacted] as one of the cases.  We turned off the SOAR capabilities for
your IPs and identify the race condition again today.

4th, I can see that method as a good idea, however, your systems are
effectively DOSsing our servers. We don't have an unusual setup which
likely means you are abusing other systems too. I request that you
immediately disable this feature of ESS until you can find the race
condition.

5th, You are not using a proper user agent to reflect that the system is
a bot, it is hitting us with many concurrent requests, and you are not
adhering to the robots.txt which has a 20 second crawl rate.  See the
attached picture which is suitable for internal review but please don't
use it publicly as it contains sensitive data.

6th, Happy to share more logs but you'll notice they are all effectively
hitting the same home page.

7th, this is NOT the only site we've seen it with.  This just happens to
be a time when I saw the "attack" and fired up a few things to watch it.


On 4/1/2020 5:35 PM, Kevin A. McGrail wrote:
> On 4/1/2020 5:22 PM, Jay Hennigan via mailop wrote:
>> On 4/1/20 13:16, Kevin A. McGrail via mailop wrote:
>>> Anyone from Barracuda on the list or have a contact?
>>>
>>> I have a screenshot and logs showing a lot of concurrent accesses
>>> from 209.222.82.X which appears to be IPs for ess barracuda.  I'd
>>> normally call it a DOS attack.  Looks like robots gone bad but they
>>> aren't using a proper robot tag or honoring the robots.txt
>>> crawl-delay either:
>> Perhaps a URL on the server was included in some form of spam or
>> legitimate bulk mail and Barracuda is automatically checking it on
>> behalf of many recipients as part of their email filtering?
>>
>> Some spam filtering services follow links, Barracuda may be one of them.
> I completely agree with you Jay.  That seems like a likely scenario
> since this is also the inbound MX IPs for them so it's definitely their
> address, but if that is indeed the case, they should use a proper User
> Agent string reflecting it is a bot and it should honor robots.txt. 
> They've effectively DOSsed a server twice now doing this.
>
> Regards,
>
> KAM
>

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
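
One way to turn the three complaints in the message above (many near-simultaneous requests, no robots.txt fetch, a browser-style user agent) into a log check, added here as an example and not the tooling used in the thread. The log lines are constructed in the shape of the thread's excerpt with a shortened user agent; the 20 second crawl delay is the value stated above, and `ExampleBot` on 192.0.2.10 is an invented well-behaved crawler for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

MSIE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
BOT_UA = "ExampleBot/1.0 (+https://example.test/bot)"

# Constructed sample in combined log format plus one trailing quoted field.
LOG = [
    f'192.0.2.10 - - [01/Apr/2020:14:00:00 -0400] "GET /robots.txt HTTP/1.1" 200 64 "-" "{BOT_UA}" "c-1"',
    f'192.0.2.10 - - [01/Apr/2020:14:00:25 -0400] "GET / HTTP/1.1" 200 8899 "-" "{BOT_UA}" "c-2"',
    f'192.0.2.10 - - [01/Apr/2020:14:00:50 -0400] "GET /about HTTP/1.1" 200 5120 "-" "{BOT_UA}" "c-3"',
    f'209.222.82.235 - - [01/Apr/2020:14:45:08 -0400] "GET / HTTP/1.0" 200 11680 "-" "{MSIE_UA}" "c-4"',
    f'209.222.82.235 - - [01/Apr/2020:14:45:09 -0400] "GET / HTTP/1.0" 200 11680 "-" "{MSIE_UA}" "c-5"',
    f'209.222.82.230 - - [01/Apr/2020:14:45:16 -0400] "GET / HTTP/1.0" 200 8899 "-" "{MSIE_UA}" "c-6"',
    f'209.222.82.229 - - [01/Apr/2020:14:45:16 -0400] "GET / HTTP/1.0" 200 8899 "-" "{MSIE_UA}" "c-7"',
    f'209.222.82.228 - - [01/Apr/2020:14:45:17 -0400] "GET / HTTP/1.0" 200 8899 "-" "{MSIE_UA}" "c-8"',
]

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Heuristic: tokens a self-identifying crawler normally puts in its UA.
BOT_HINT = re.compile(r"bot|crawl|spider|scanner", re.IGNORECASE)


def audit(lines, crawl_delay=20, prefix=24):
    """Group requests by source network and report crawl-delay violations.

    Sources are grouped by /prefix because the requests in the thread were
    spread over several addresses of one network. A network is reported only
    if it breaks the crawl delay; the other two findings are added as context.
    """
    groups = defaultdict(lambda: {"times": [], "uas": set(), "robots": False})
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue                      # not an access-log record
        net = str(ip_network(f"{m['ip']}/{prefix}", strict=False))
        group = groups[net]
        group["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        group["uas"].add(m["ua"])
        if m["path"] == "/robots.txt":
            group["robots"] = True

    findings = {}
    for net, group in groups.items():
        times = sorted(group["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        too_fast = sum(1 for gap in gaps if gap < crawl_delay)
        if not too_fast:
            continue
        reasons = [f"{too_fast} of {len(times)} requests arrived less than "
                   f"{crawl_delay}s after the previous one"]
        if not group["robots"]:
            reasons.append("never fetched /robots.txt")
        if not any(BOT_HINT.search(ua) for ua in group["uas"]):
            reasons.append("user agent does not identify as a bot")
        findings[net] = reasons
    return findings


if __name__ == "__main__":
    for net, reasons in audit(LOG).items():
        print(net, reasons)
```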


Re: [mailop] [External] Re: Barracuda ESS is mass-accessing websites on my server, why?

2020-04-01 Thread Kevin A. McGrail via mailop
On 4/1/2020 5:22 PM, Jay Hennigan via mailop wrote:
> On 4/1/20 13:16, Kevin A. McGrail via mailop wrote:
>> Anyone from Barracuda on the list or have a contact?
>>
>> I have a screenshot and logs showing a lot of concurrent accesses
>> from 209.222.82.X which appears to be IPs for ess barracuda.  I'd
>> normally call it a DOS attack.  Looks like robots gone bad but they
>> aren't using a proper robot tag or honoring the robots.txt
>> crawl-delay either:
>
> Perhaps a URL on the server was included in some form of spam or
> legitimate bulk mail and Barracuda is automatically checking it on
> behalf of many recipients as part of their email filtering?
>
> Some spam filtering services follow links, Barracuda may be one of them.

I completely agree with you Jay.  That seems like a likely scenario
since this is also the inbound MX IPs for them so it's definitely their
address, but if that is indeed the case, they should use a proper User
Agent string reflecting it is a bot and it should honor robots.txt. 
They've effectively DOSsed a server twice now doing this.

Regards,

KAM




[mailop] Barracuda ESS is mass-accessing websites on my server, why?

2020-04-01 Thread Kevin A. McGrail via mailop
Anyone from Barracuda on the list or have a contact?

I have a screenshot and logs showing a lot of concurrent accesses from
209.222.82.X which appears to be IPs for ess barracuda.  I'd normally
call it a DOS attack.  Looks like robots gone bad but they aren't using
a proper robot tag or honoring the robots.txt crawl-delay either:

209.222.82.234 - - [01/Apr/2020:14:37:25 -0400] "GET / HTTP/1.0" 200 11771 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.234.236551585766180153"
209.222.82.235 - - [01/Apr/2020:14:43:30 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.235.236671585766183863"
209.222.82.229 - - [01/Apr/2020:14:45:00 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.229.23733158576618728"
209.222.82.232 - - [01/Apr/2020:14:45:01 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.232.23651158576618449"
209.222.82.235 - - [01/Apr/2020:14:45:08 -0400] "GET / HTTP/1.0" 200 11680 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.235.123711585766184763"
209.222.82.235 - - [01/Apr/2020:14:45:09 -0400] "GET / HTTP/1.0" 200 11680 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.235.123691585766185460"
209.222.82.235 - - [01/Apr/2020:14:45:15 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.235.123721585766186775"
209.222.82.230 - - [01/Apr/2020:14:45:16 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.230.237121585766186232"
209.222.82.229 - - [01/Apr/2020:14:45:16 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.229.236641585766185777"
209.222.82.228 - - [01/Apr/2020:14:45:17 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.228.23666158576618427"
209.222.82.228 - - [01/Apr/2020:14:45:17 -0400] "GET / HTTP/1.0" 200 11680 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.228.236531585766184100"
209.222.82.231 - - [01/Apr/2020:14:45:19 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.231.236571585766184178"
209.222.82.232 - - [01/Apr/2020:14:45:21 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.232.237341585766187267"
209.222.82.229 - - [01/Apr/2020:14:45:21 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.229.123701585766184123"
209.222.82.235 - - [01/Apr/2020:14:45:23 -0400] "GET / HTTP/1.0" 200 11680 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.235.237601585766188315"
209.222.82.231 - - [01/Apr/2020:14:45:23 -0400] "GET / HTTP/1.0" 200 8899 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.231.237591585766188286"
209.222.82.230 - - [01/Apr/2020:16:03:21 -0400] "GET / HTTP/1.0" 200 11771 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" "209.222.82.230.8481585771256694"

Regards,

KAM

-- 
*Kevin A. McGrail*
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com 

https://www.linkedin.com/in/kmcgrail
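One way to quantify the pattern reported in the message above, added here as an example that is not part of the original post: group access-log requests by source /24, find the peak request count inside a sliding time window, and note whether the client ever identified itself as a robot or fetched robots.txt. The 30-second window, the threshold of 5, the User-Agent heuristic and the sample lines (documentation address ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Combined log format; the extra trailing quoted field is ignored.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                  r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Heuristic (assumption): a declared crawler names itself or links an info page.
BOT_HINT = re.compile(r'bot|crawl|spider|https?://', re.I)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    try:
        net = ip_network(m['ip'] + '/24', strict=False)   # group sources by /24
    except ValueError:                                   # not an IP literal
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return net, ts, m['ip'], m['ua'], m['req']

def find_bursts(lines, window=timedelta(seconds=30), threshold=5):
    """Report each /24 whose peak request count inside `window` reaches `threshold`."""
    by_net = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_net[rec[0]].append(rec)
    report = {}
    for net, recs in by_net.items():
        recs.sort(key=lambda r: r[1])
        peak = start = 0
        for end in range(len(recs)):                     # sliding window over time
            while recs[end][1] - recs[start][1] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[str(net)] = {
                'peak': peak,
                'sources': len({r[2] for r in recs}),
                'declared_bot': any(BOT_HINT.search(r[3]) for r in recs),
                'fetched_robots': any('/robots.txt' in r[4] for r in recs),
            }
    return report

# Constructed sample lines (documentation address ranges, not the page's logs).
UA = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)'
def _line(ip, hms, ua=UA, path='/'):
    return (f'{ip} - - [01/Apr/2020:{hms} -0400] "GET {path} HTTP/1.0" '
            f'200 8899 "-" "{ua}" "{ip}.0"')
SAMPLE = [_line('203.0.113.229', '14:45:00'), _line('203.0.113.232', '14:45:01'),
          _line('203.0.113.235', '14:45:08'), _line('203.0.113.235', '14:45:09'),
          _line('203.0.113.230', '14:45:16'), _line('203.0.113.228', '14:45:17'),
          _line('203.0.113.230', '16:03:21'),
          _line('198.51.100.7', '14:45:02',
                'ExampleBot/1.0 (+http://example.test/bot)', '/robots.txt')]

if __name__ == '__main__':
    for net, info in find_bursts(SAMPLE).items():
        print(net, info)
```

A network that shows a high peak, several sources, no declared robot and no robots.txt fetch is a candidate for rate limiting at the web server or for a report to the network's operator.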


Re: [mailop] what is spam was Re: [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-27 Thread Kevin A. McGrail via mailop
On 3/27/2020 5:21 PM, Grant Taylor via mailop wrote:
> I believe that what the consent covers needs to be refined.
>
> Consent to receive transactional email is not implicit consent to
> receive non-transactional emails.

For non-transaction emails like adverts afterwards, I typically look in
detail at the T&C / legalese for the site.  I don't rate if they are
sneaky or opt-out versus opt-in, etc. just whether they have consent. 
If they do, and they have a working unsubscribe process, I won't list
them.  Many RBL operators act differently and that's why they can be so
prone to false positives. 

If anyone wants to discuss specific cases, I could walk through our
analysis process.

Regards,

KAM


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] what is spam was Re: [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-27 Thread Kevin A. McGrail via mailop
On 3/27/2020 11:43 AM, John Levine via mailop wrote:
> In article  
> you write:
>>
>> On 3/26/20 11:20 AM, John R Levine via mailop wrote:
>>> As I'm sure you're aware, we've seen way too much spam from people who 
>>> imagine that COVID is an excuse to reanimate zombie lists.
>> Is there any precedent on how fresh / recent the "established business 
>> relationship" must be to cover sending largely superfluous email?
> I don't think it's the kind of thing for which anyone could define a
> fixed rule beyond the obvious -- send people mail they want to get.

I think the problem is what do you consider evidence of spam to then
actually block that email?

I use the definition from Chris Santerre that *spam is about consent NOT
content.*

I do NOT care what your email contains.  That's not my business.  What
is my business is the consent to receive the email.

And I take the approach that there is implicit consent in
transactions.  For example, you buy something from XYZ big box store's
website.  There is a 100% implicit consent that you can receive emails
about that order such as a receipt and shipping status.

Now, if their checkout process has a sign up for their advertisements,
that's also consent to receive those ads.  I'd LIKE them to use opt-in
requirement with a verification process on the email but I have to
accept that many T&C say they can contact you and they make the sign-up
for advertisements a bit sneaky.  I also see where people have a
legal requirement to contact people.  For example, you buy something
from me and it's recalled, I have to notify you even if it's been 10
years. At the end of the day, though, that is consent and it's therefore
not spam.

This is the "test" I apply when analyzing spam, creating rules and
blacklisting things.  For me, I look to be VERY surgical and not
interrupt legit mail.

HTH,

KAM



Re: [mailop] [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-27 Thread Kevin A. McGrail via mailop
On 3/27/2020 6:25 AM, Paul Smith via mailop wrote:
>> If the original poster meant something different by ESP, I
>> misunderstood their terminology.
>>
> That's fine. It's worth clarifying terminology.

Hi All,

Great point about terminology.  I'm the CEO emeritus for Peregrine
Computer Consultants Corporation or PCCC. Just thought I would write a
little about my firm.  I love this list and keeping the email flowing!

Are we an ESP? Are we an ISP?  Since we are moving away from hosting
websites and focusing on email, I consider ourselves an ESP.  We run
what I call a boutique ISP.  We do this hosting for our research so we
can provide email security expertise to the world.  Since we provide
hosting and SaaS-based email security, for the purpose of this list, ESP
is the best. 

We are experts in anti-spam.  We are the authors of KAM.cf and I've been
involved with the SpamAssassin project since the nascent days coming up
on 2 decades.  We have 3 Apache SpamAssassin PMC members who work for
us.  We helped invent the concept of RBLs and we are public mirrors for
quite a few.  Oh and we are also involved with MIMEDefang which should
be undergoing a small Renaissance soon.

I welcome opportunities to help others and feel free to connect on LI:
https://www.linkedin.com/in/kmcgrail/

Regards,

KAM



Re: [mailop] [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-27 Thread Kevin A. McGrail via mailop
On 3/27/2020 4:32 AM, Laura Atkins wrote:
> All in all, I think you need to look a lot harder at what your free
> customers are sending to their “friends and family” and think harder
> about restricting their ability to cause problems for your paying
> customers.

Just a note, we don't have free customers (except for NPOs where we
donate our services).  It's the free services we are sending to that
seem to have the most issues.  For example, we'll see our JMRP / SNDS be
fine and mail flowing to paying o365 without issue but we'll have rate
limiting with hotmail/msn/live/outlook.

For us, it's really looking like the volume is through the roof being
the issue.  That's been the result of all the tickets so far.  All FPs,
all triggered by a rise in volume.  I wish they would use percentages
like JMRP does.  This really looks like AI going awry.

Regards,

KAM




Re: [mailop] [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-26 Thread Kevin A. McGrail via mailop
On 3/26/2020 1:09 PM, Jay Hennigan via mailop wrote:
> It's primarily fatigue on how XYZ place is dealing with the virus
> where the recipient hasn't heard from XYZ place in the better part of
> a decade.

We'll agree to disagree.  This isn't spam as there was consent and it's
transactional based.  Is it annoying, sure.  I don't suggest it but
there is a transactional relationship here.  It's not spam.

But I also don't think it's what's causing the issues we are seeing.  So
far, every situation has been looked at and agreed it was a FP.

> People sending politically charged email to friends and family
> typically don't use ESPs for that. 

We are an ESP that provides support for cPanel, o365, g suite, kerio,
sendmail, and exchange.  We have a wide variety of customers and mail
streams.  And one of the complaints was 109 false positives of a person
sending news articles to a group of friends. 

Anyway, stay safe!

regards,
KAM




Re: [mailop] [External] Re: Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-26 Thread Kevin A. McGrail via mailop

On 3/26/2020 12:37 PM, John Levine wrote:
> In article <62e55123-d1d0-f67b-9d03-191c8caaa...@pccc.com> you write:
>
>> We're a small ESP but respected and vigilant anti-spam community
>> members.  However, our mail volume is through the roof because of the
>> pandemic and we're seeing false positive issues with deliverability. 
> Do you know what your customers are sending?  If it's blasts of "hey
> person who visited our web site eight years ago, we're very concerned
> about COVID and we're washing our hands and here's a coupon", they're
> not false positives.

Hi John,

Messages of all types but not a single feedback loop complaint.  These
are definitely FPs as I disagree with your statement that a notice about
COVID-19 from someone who signed up to a list would be false positives. 
These are confirmed, opt-in customer / community lists.  Things like
Fire Department staff and Knights of Columbus member lists.

Most of what's causing issues seems to be politically charged emails
going to friends and family.  And fatigue on how XYZ place is dealing
with the virus.

But we are also seeing things like Board messages for First Responders
getting marked as spam which is insane.  People are just overwhelmed and
volumes are high so it's less a blocking issue and more a rate-limiting
issue.  I fear we are seeing a LOT of "I'll click the spam box to try
and clean up my mailbox" behavior.  Especially since most of the issues
we are seeing are with freemail providers.  I think a lot of AI is going
bonkers with just the surge in content.

Regards,

KAM




[mailop] Horrible week for email deliverability - Looking for help with RackSpace/Emailsrvr

2020-03-26 Thread Kevin A. McGrail via mailop
Hi All,

We're a small ESP but respected and vigilant anti-spam community
members.  However, our mail volume is through the roof because of the
pandemic and we're seeing false positive issues with deliverability. 

Currently having mail rate limited with emailsrvr.com.  Tried to report
an issue to emailsrvr per their process [1] but our email is declined [2].

I've asked the recipient to open a ticket but is anyone here from
rackspace because you A) have an issue on your FAQ and B) we'd like to
get our IP range 38.124.232.0/24 especially .8 through .14
remediated/whitelisted ASAP.

Regards,

KAM

[1]

https://postmaster.emailsrvr.com/faq

How can I resolve issues delivering to your system?

If you notice problems with your deliverability, check that you are not
on a blacklist. There is a collection of the blacklists used by our
system on the External Resources page.

You can check this by using a service such as the Spamhaus, Sorbs, or
Lashback Unsubscribe Blacklist.

Also check to make sure you are using proper authentication, such as:

# DMARC 
# DKIM 
# SPF 

You can send messages to postmas...@emailsrvr.com for further assistance.

[2]

We are sorry to have to inform you that your support request could not
be delivered. Emailed support requests must be sent from the email
address of a current account Administrator or Company Contact. We
apologize for any inconvenience.

To update your administrator email address, log into the control panel
at cp.rackspace.com, and perform the
following steps:

 1. Click the "My Account" link at the top of the page.
 2. In the "Administrators" section, click the "View Current Admins" link.
 3. Click your "Admin ID."
 4. Under "Additional Information," enter your email address in the
"Email" box.
 5. Click the "Save" button.

To update your company contact information, log into the control panel
at cp.rackspace.com, and perform the
following steps:

 1. Click the "My Account" link at the top of the page.
 2. In the "Company Information" section, click the "Manage Contacts" link.
 3. To add a new company contact, click the "Add Company Contact"
button. To edit a current contact, click the contact Name.
 4. Enter/modify the required fields.
 5. Click the "Save" button.

If you are unable to access the control panel, please contact your
Company Contact or Administrator for assistance.

Helpful Links:

  * Support: http://www.rackspace.com/knowledge_center/
  * Easy Client Setup Tool: https://emailhelp.rackspace.com/

We look forward to assisting you.

Rackspace Email and Apps Support



Re: [mailop] [External] Who runs the mailspike BL and why are they blocking Yahoo?

2020-03-19 Thread Kevin A. McGrail via mailop
On 3/19/2020 2:40 PM, John Levine via mailop wrote:
> One of my users reported that I was rejecting mail from Yahoo, and I found it
> was because at least one of Yahoo's outbound addresses 74.6.128.32 is listed
> at bl.mailspike.net.
>

I sent a heads-up to mailspike about this email.

Regards,

KAM




[mailop] Anyone from Barracuda to contact please?

2020-02-06 Thread Kevin A. McGrail via mailop
Have IPs showing clean from BRBL with tickets open from recipients aka
Barracuda customers.  Traceroutes show it gets far enough that it's
unclear if it is an AWS or barracuda issue but we can't get to port 25.

Looking for any guidance to find out what might be the issue to help
Barracuda support.

Regards,

KAM




Re: [mailop] [External] sendgrid sending spam claiming to be chase.com

2019-12-24 Thread Kevin A. McGrail via mailop

On 12/23/2019 10:42 PM, Carl Byington via mailop wrote:
> The spam was sent with a From: header of @email.chase.com.
> _dmarc.email.chase.com. has a txt record with p=reject, so it was
> rejected here. Sendgrid - you should be able to check that at your end,
> and just not send anything that violates the dmarc restriction published
> by the ostensible sender.

Carl,

We've been seeing the same over the past few weeks as a growing threat. 
They are abusing sendgrid and the SPF records and the envelope from to
mimic some big players.  If you use Apache SpamAssassin, I'm working on
rules with KAM.cf to combat this.  Email me off list and I'll take a
look at your spamples. 

If there is a sendgrid rep on the list, please contact me as well.

Regards,

KAM
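The sender-side check suggested in the quoted message, sketched as an added example that is not part of the original thread and not any provider's actual code: before relaying, look up the DMARC policy for the From: domain and refuse the message when neither the envelope domain nor any DKIM signing domain the relay will use aligns with it. The two-label organizational-domain shortcut, the choice to refuse on quarantine as well as reject, and all domains and records shown are assumptions.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if txt is not a DMARC record."""
    tags = {}
    for part in txt.split(';'):
        key, sep, value = part.partition('=')
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get('v') == 'DMARC1' and 'p' in tags else None

def org_domain(domain):
    # Assumption: the last two labels. Production code needs the Public Suffix List.
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed compares organizational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == 's' else org_domain(a) == org_domain(f)

def outbound_decision(from_domain, envelope_domain, dkim_domains, lookup_txt):
    """Sender-side check: (action, reason) for a message about to be relayed.

    envelope_domain and dkim_domains are the identities this relay will
    authenticate with; lookup_txt(name) returns the TXT strings at name.
    """
    record, inherited = None, False
    for name in dict.fromkeys((from_domain.lower(), org_domain(from_domain))):
        found = [r for r in map(parse_dmarc, lookup_txt('_dmarc.' + name)) if r]
        if found:
            record, inherited = found[0], name != from_domain.lower()
            break
    if record is None:
        return 'send', 'no DMARC record'
    spf_ok = aligned(envelope_domain, from_domain, record.get('aspf', 'r'))
    dkim_ok = any(aligned(d, from_domain, record.get('adkim', 'r'))
                  for d in dkim_domains)
    if spf_ok or dkim_ok:
        return 'send', 'aligned'
    # A record inherited from the organizational domain applies sp= to subdomains.
    policy = (record.get('sp') if inherited else None) or record['p']
    action = 'refuse' if policy.lower() in ('reject', 'quarantine') else 'send'
    return action, 'unaligned From, policy ' + policy.lower()

# Constructed zone data; every domain here is a placeholder.
ZONE = {
    '_dmarc.email.bank.example': ['v=DMARC1; p=reject; rua=mailto:d@bank.example'],
    '_dmarc.corp.example': ['v=DMARC1; p=none; sp=reject'],
}
def lookup(name):
    return ZONE.get(name, [])

if __name__ == '__main__':
    print(outbound_decision('email.bank.example', 'bounces.esp.example',
                            ['esp.example'], lookup))
```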

