Re: [mailop] Bounces at cox.net (AUP#CXSNDR)

2024-02-29 Thread Simplelists - Andy Beverley via mailop
Many thanks to Cox for a quick and effective response. This issue has 
now been resolved.


Andy


On 28/02/2024 14:04, Simplelists - Andy Beverley via mailop wrote:

> Hi all,
>
> Has anyone seen an uptick in bounces in the last day or so to cox.net?
> We're seeing many (but not all) emails bounce, showing what are
> described as SPF/DKIM failures (AUP#CXSNDR), but as far as we can tell
> the emails should authenticate correctly. IP range is 78.143.254.0/24.
>
> Is there anyone at Cox that can help?
>
> Thanks,
>
> Andy


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Bounces at cox.net (AUP#CXSNDR)

2024-02-28 Thread Jay Hennigan via mailop

On 2/28/24 06:04, Simplelists - Andy Beverley via mailop wrote:

> Hi all,
>
> Has anyone seen an uptick in bounces in the last day or so to cox.net?
> We're seeing many (but not all) emails bounce, showing what are
> described as SPF/DKIM failures (AUP#CXSNDR), but as far as we can tell
> the emails should authenticate correctly. IP range is 78.143.254.0/24.


Seen the same thing from a low-volume Mailman discussion list. Cox.com 
addresses all bounced with that code.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV



Re: [mailop] Bounces at cox.net (AUP#CXSNDR)

2024-02-28 Thread Scott Undercofler via mailop
Replying off list

> On Feb 28, 2024, at 7:04 AM, Simplelists - Andy Beverley via mailop 
>  wrote:
> 
> Hi all,
> 
> Has anyone seen an uptick in bounces in the last day or so to cox.net? We're 
> seeing many (but not all) emails bounce, showing what are described as 
> SPF/DKIM failures (AUP#CXSNDR), but as far as we can tell the emails should 
> authenticate correctly. IP range is 78.143.254.0/24.
> 
> Is there anyone at Cox that can help?
> 
> Thanks,
> 
> Andy


Re: [mailop] Bounces at cox.net (AUP#CXSNDR)

2024-02-28 Thread Michael Rathbun via mailop
On Wed, 28 Feb 2024 14:04:07 +, Simplelists - Andy Beverley via mailop
 wrote:

>Hi all,
>
>Has anyone seen an uptick in bounces in the last day or so to cox.net?

Looking at consolidated statistics for all our hosted senders, 1,034,662 new
messages in past 72 hours, 6,151 (0.52%) failed.

Looks like the problem may be on your end.

mdr
-- 
  Ad finem pugnabo.



[mailop] Bounces at cox.net (AUP#CXSNDR)

2024-02-28 Thread Simplelists - Andy Beverley via mailop

Hi all,

Has anyone seen an uptick in bounces in the last day or so to cox.net? 
We're seeing many (but not all) emails bounce, showing what are 
described as SPF/DKIM failures (AUP#CXSNDR), but as far as we can tell 
the emails should authenticate correctly. IP range is 78.143.254.0/24.


Is there anyone at Cox that can help?

Thanks,

Andy


Re: [mailop] Bounces

2023-11-16 Thread Carsten Schiefner via mailop
One could possibly argue in addition that sending the same email three times - 
where the tiny differences only come clear after close inspection - might not 
help lifting some initial hesitancy.

Even more so when in combination with the above, they are sent to a random set 
of list related addresses such as -request, -bounce and -owner. And when in one 
instance the list address is specified twice.

That leaves impressions with regard to the general tone of the always identical 
email text.

Best,

-C.

> On 16.11.2023 at 15:43, Michael via mailop wrote:
> 
> Always terrible when big ESP's simply say 'Remove Us' and think it will 
> happen because they are big, instead of 'asking' why you are being flagged, 
> and what can you do to improve your reputation..
> 
> Especially as a 'Financial Services' related business, the onus is on you to 
> ensure that you are at the top of your game, and have clear transparency..
> 
> And on this list, you better be willing to share exactly what email/domain/ip 
> is having the problem, if you want the community to help you out..
> 
>> On 11/16/23 03:46, Polath, Kiran via mailop wrote:
>> Hello Team,
>> We at Broadridge Financial Solutions sends millions of email as financial 
>> customer communication on behalf of our clients .We see our emails are 
>> frequently getting blocked by charter.net 
>> 
>>  & rr.com, this is impacting our reputation . Can you take it as high 
>> priority and remediate this as it is very important to our customers to have 
>> this resolved. please find the below reasons
>> 550 5.1.0 ...@ ... sender rejected. Please see 
>> https://www.spectrum.net/support/internet/{hash}-{hash} 
>> for more 
>> information. AUP#In-1310
>>
>> 2023-11-15 02:52:11 EST
>>
>> charter.net
>> 550 5.1.0 ...@ ... sender rejected. Please see 
>> https://www.spectrum.net/support/internet/{hash}-{hash} 
>> for more 
>> information. AUP#In-1310
>>
>> 2023-11-15 02:52:11 EST
>>
>> wi.rr.com
>> 550 5.1.0 ...@ ... sender rejected. Please see 
>> https://www.spectrum.net/support/internet/{hash}-{hash} 
>> for more 
>> information. AUP#In-1310
>>
>> 2023-11-15 02:52:11 EST
>>
>> charter.net
>> 550 5.1.0 ...@ ... sender rejected. Please see 
>> https://www.spectrum.net/support/internet/{hash}-{hash} 
>> for more 
>> information. AUP#In-1310
>>
>> 2023-11-15 02:52:10 EST
>>
>> wi.rr.com
>> 550 5.1.0 ...@ ... sender rejected. Please see 
>> https://www.spectrum.net/support/internet/{hash}-{hash} 
>> for more 
>> information. AUP#In-1310
>>
>> 2023-11-15 02:52:10 EST
>>
>> wi.rr.com
>> Regards,
>> *Kiran Kumar Polath*| ICS-Email Operations | Broadridge Financial Solutions 
>> (India) Private Limited
>> Adjacent to Cyber Towers, Hi-Tech City, Madhapur | Hyderabad 500081 
>> Telangana | India | m +91 8008297767| m +91 9154044691
>> 
>> broadridge.com __
>> This message and any attachments are intended only for the use of the 
>> addressee and may contain information that is privileged and confidential. 
>> If the reader of the message is not the intended recipient or an authorized 
>> representative of the intended recipient, you are hereby notified that any 
>> dissemination of this communication is strictly prohibited. If you have 
>> received this communication in error, please notify us immediately by e-mail 
>> and delete the message and any attachments from your system.
> 
> -- 
> "Catch the Magic of Linux..."
> 
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> 
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> 
> 604-682-0300 Beautiful British Columbia, Canada

Re: [mailop] Bounces

2023-11-16 Thread Michael via mailop
Always terrible when big ESP's simply say 'Remove Us' and think it will 
happen because they are big, instead of 'asking' why you are being 
flagged, and what can you do to improve your reputation..


Especially as a 'Financial Services' related business, the onus is on 
you to ensure that you are at the top of your game, and have clear 
transparency..


And on this list, you better be willing to share exactly what 
email/domain/ip is having the problem, if you want the community to help 
you out..


On 11/16/23 03:46, Polath, Kiran via mailop wrote:

> Hello Team,
>
> We at Broadridge Financial Solutions sends millions of email as
> financial customer communication on behalf of our clients. We see our
> emails are frequently getting blocked by charter.net & rr.com, this is
> impacting our reputation. Can you take it as high priority and
> remediate this as it is very important to our customers to have this
> resolved. Please find the below reasons
>
> 550 5.1.0 ...@ ... sender rejected. Please see
> https://www.spectrum.net/support/internet/{hash}-{hash} for more
> information. AUP#In-1310
> 2023-11-15 02:52:11 EST
> charter.net
>
> 550 5.1.0 ...@ ... sender rejected. Please see
> https://www.spectrum.net/support/internet/{hash}-{hash} for more
> information. AUP#In-1310
> 2023-11-15 02:52:11 EST
> wi.rr.com
>
> 550 5.1.0 ...@ ... sender rejected. Please see
> https://www.spectrum.net/support/internet/{hash}-{hash} for more
> information. AUP#In-1310
> 2023-11-15 02:52:11 EST
> charter.net
>
> 550 5.1.0 ...@ ... sender rejected. Please see
> https://www.spectrum.net/support/internet/{hash}-{hash} for more
> information. AUP#In-1310
> 2023-11-15 02:52:10 EST
> wi.rr.com
>
> 550 5.1.0 ...@ ... sender rejected. Please see
> https://www.spectrum.net/support/internet/{hash}-{hash} for more
> information. AUP#In-1310
> 2023-11-15 02:52:10 EST
> wi.rr.com
>
> Regards,
>
> *Kiran Kumar Polath*| ICS-Email Operations | Broadridge Financial
> Solutions (India) Private Limited
> Adjacent to Cyber Towers, Hi-Tech City, Madhapur | Hyderabad 500081
> Telangana | India | m +91 8008297767| m +91 9154044691
>
> broadridge.com __
>
> This message and any attachments are intended only for the use of the
> addressee and may contain information that is privileged and
> confidential. If the reader of the message is not the intended recipient
> or an authorized representative of the intended recipient, you are
> hereby notified that any dissemination of this communication is strictly
> prohibited. If you have received this communication in error, please
> notify us immediately by e-mail and delete the message and any
> attachments from your system.




--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada


[mailop] Bounces

2023-11-16 Thread Polath, Kiran via mailop

Hello Team,

We at Broadridge Financial Solutions sends millions of email as financial
customer communication on behalf of our clients. We see our emails are
frequently getting blocked by charter.net & rr.com, this is impacting our
reputation. Can you take it as high priority and remediate this as it is
very important to our customers to have this resolved. Please find the
below reasons

550 5.1.0 ...@... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:11 EST
charter.net

550 5.1.0 ...@... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:11 EST
wi.rr.com

550 5.1.0 ...@... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:11 EST
charter.net

550 5.1.0 ...@... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:10 EST
wi.rr.com

550 5.1.0 ...@... sender rejected. Please see https://www.spectrum.net/support/internet/{hash}-{hash} for more information. AUP#In-1310
2023-11-15 02:52:10 EST
wi.rr.com


Regards,
Kiran Kumar Polath | ICS-Email Operations | Broadridge Financial Solutions 
(India) Private Limited
Adjacent to Cyber Towers, Hi-Tech City, Madhapur | Hyderabad 500081 Telangana | 
India | m +91 8008297767| m +91 9154044691

broadridge.com




This message and any attachments are intended only for the use of the addressee 
and may contain information that is privileged and confidential. If the reader 
of the message is not the intended recipient or an authorized representative of 
the intended recipient, you are hereby notified that any dissemination of this 
communication is strictly prohibited. If you have received this communication 
in error, please notify us immediately by e-mail and delete the message and any 
attachments from your system.


[mailop] bounces on new hotmail.fr mx

2017-09-18 Thread Mathieu Bourdin
Hi,

We're starting to see bounces on Hotmail.fr that we think are linked to the new 
mx on this domain:

hotmail.fr  MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.fr  MX preference = 5, mail exchanger = mx3.hotmail.com
hotmail.fr  MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.fr  MX preference = 2, mail exchanger = hotmail-fr.olc.protection.outlook.com
hotmail.fr  MX preference = 5, mail exchanger = mx1.hotmail.com

the bounces 421 4.4.2 Message submission rate for this client has exceeded the 
configured limit are all coming from the new MX 
(hotmail-fr.olc.protection.outlook.com (104.47.9.33))
When mails are retried on the "usual" mx (mx1.hotmail.com) they are delivered 
fine (or may bounce but for other reasons).

Mathieu Bourdin.
NP6 Deliverability team

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Bounces from outbound.protection.outlook.com

2016-04-29 Thread Brielle Bruns

On 4/29/16 7:25 AM, Benoit Panizzon wrote:

>> I am seeing in my logs some bounces messages (empty sender) from
>> various outbound.protection.outlook.com servers. All those bounce
>> messages are directed towards one specific email address which is
>> probably used as an envelope field in a spam run.
>>
>> Now my question is: if it comes from outbound servers for outlook.com,
>> shouldn't the mails also pass through some kind of inbound servers at
>> outlook.com? If that's the case, how comes that those messages which
>> surely have a wrong DMARC, SPF and DKIM pass through the incoming
>> gateways?
>
> We have exactly the same problem. We sometimes observe that some of our
> customers get DOSed by large volumes of outbound.protection.outlook.com
> bounces.
>
> The 'Attacker' apparently is a botnet (aka many different ip
> addresses) that fakes the sender@our-domain and sends very small emails
> to various non existing recipients hosted on
> outbound.protection.outlook.com servers.



I had similar issues a few years ago with Cox.net.

Their mail servers were bounce flooding my mail servers due to a Joe 
Job.  Contacted them, and rather than fixing their mail servers so it 
wouldn't accept-then-bounce or blocking the source, they instead 
blacklisted my e-mail address.


Companies need to get their shit together and solve the source of 
problems, not band-aid random things and pretend like it's not going on 
in the first place.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: [mailop] Bounces from outbound.protection.outlook.com

2016-04-29 Thread Michael Wise

There are discussions internally on it as well.
It's a known issue.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Peddemors
Sent: Friday, April 29, 2016 7:27 AM
To: mailop@mailop.org
Subject: Re: [mailop] Bounces from outbound.protection.outlook.com

This has been going on for some time now, there was discussion on this list 
regarding the topic, we ended up putting a policy in our platforms just to deal 
with this issue. "Reject messages from senders forging bounce messages".



On 16-04-29 06:25 AM, Benoit Panizzon wrote:
> Hi Renaud
>
>> I am seeing in my logs some bounces messages (empty sender) from 
>> various outbound.protection.outlook.com servers. All those bounce 
>> messages are directed towards one specific email address which is 
>> probably used as an envelope field in a spam run.
>>
>> Now my question is: if it comes from outbound servers for 
>> outlook.com, shouldn't the mails also pass through some kind of 
>> inbound servers at outlook.com? If that's the case, how comes that 
>> those messages which surely have a wrong DMARC, SPF and DKIM pass 
>> through the incoming gateways?
>
> We have exactly the same problem. We sometimes observe that some of 
> our customers get DOSed by large volumes of 
> outbound.protection.outlook.com bounces.
>
> The 'Attacker' apparently is a botnet (aka many different ip
> addresses) that fakes the sender@our-domain and sends very small 
> emails to various non existing recipients hosted on 
> outbound.protection.outlook.com servers.
>
> Our domains are protected by SPF.
>
> In the first place, the outlook.com services should not accept emails 
> to non existent recipients and then send 'late' bounces to the fake 
> sender, resulting in some kind of amplificator attack.
>
> Secondly if the sender domain is protected by SPF with -all that 
> email should be rejected by Microsoft right away during SMTP handshake.
>
> None of both is done.
>
> I documented the case and how to reproduce.
>
> I did try to open a trouble ticket with the Microsoft Security. It was 
> impossible, because we, as an ISP do not use any outlook.com services.
> I did try to explain the microsoft security agent for long time, that 
> his handling of the issue was completely wrong and that it was not a 
> question what M$ product we use, but he did not want to connect me to 
> his supervisor as we are no M$ customer and therefore there is no way 
> to open an abuse/security trouble ticket. WTF!
>
> I contacted ab...@mircosoft.com several times about the issue, without 
> reply.
>
> I even went so far to notify the Heise Journal security team with the 
> hint that kind of an mail traffic amplificator attack was possible via 
> outlook.com, to try to increase the pressure on Microsoft to look into 
> the issue, but they unfortunately considered this not serious enough.
>
> We cannot block the IP Addresses of the 
> outbound.protection.outlook.com as this would also affect a lot of legitimate 
> email.
>
> So I have no solution here and don't know how I can make Microsoft 
> take my reports seriously.
>
> Kind regards
>
> -Benoît Panizzon-
>
>
>



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email a

Re: [mailop] Bounces from outbound.protection.outlook.com

2016-04-29 Thread Michael Peddemors
This has been going on for some time now, there was discussion on this 
list regarding the topic, we ended up putting a policy in our platforms 
just to deal with this issue. "Reject messages from senders forging 
bounce messages".




On 16-04-29 06:25 AM, Benoit Panizzon wrote:

> Hi Renaud
>
>> I am seeing in my logs some bounces messages (empty sender) from
>> various outbound.protection.outlook.com servers. All those bounce
>> messages are directed towards one specific email address which is
>> probably used as an envelope field in a spam run.
>>
>> Now my question is: if it comes from outbound servers for outlook.com,
>> shouldn't the mails also pass through some kind of inbound servers at
>> outlook.com? If that's the case, how comes that those messages which
>> surely have a wrong DMARC, SPF and DKIM pass through the incoming
>> gateways?
>
> We have exactly the same problem. We sometimes observe that some of our
> customers get DOSed by large volumes of outbound.protection.outlook.com
> bounces.
>
> The 'Attacker' apparently is a botnet (aka many different ip
> addresses) that fakes the sender@our-domain and sends very small emails
> to various non existing recipients hosted on
> outbound.protection.outlook.com servers.
>
> Our domains are protected by SPF.
>
> In the first place, the outlook.com services should not accept emails
> to non existent recipients and then send 'late' bounces to the fake
> sender, resulting in some kind of amplificator attack.
>
> Secondly if the sender domain is protected by SPF with -all that email
> should be rejected by Microsoft right away during SMTP handshake.
>
> None of both is done.
>
> I documented the case and how to reproduce.
>
> I did try to open a trouble ticket with the Microsoft Security. It was
> impossible, because we, as an ISP do not use any outlook.com services.
> I did try to explain the microsoft security agent for long time, that
> his handling of the issue was completely wrong and that it was not a
> question what M$ product we use, but he did not want to connect me to
> his supervisor as we are no M$ customer and therefore there is no way
> to open an abuse/security trouble ticket. WTF!
>
> I contacted ab...@mircosoft.com several times about the issue, without
> reply.
>
> I even went so far to notify the Heise Journal security team with the
> hint that kind of an mail traffic amplificator attack was possible via
> outlook.com, to try to increase the pressure on Microsoft to look into
> the issue, but they unfortunately considered this not serious enough.
>
> We cannot block the IP Addresses of the outbound.protection.outlook.com
> as this would also affect a lot of legitimate email.
>
> So I have no solution here and don't know how I can make Microsoft take
> my reports seriously.
>
> Kind regards
>
> -Benoît Panizzon-






--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] Bounces from outbound.protection.outlook.com

2016-04-29 Thread Renaud Allard via mailop
Hi Michael,

On 04/29/2016 04:22 PM, Michael Wise wrote:
> Protection.outlook.com is Office365, and *NOT* "HotMail".
> 
> If you have samples of the malicious NDRs, please send them to me, and
> I'll see if there's a way to squelch it.
> 

I never implied that protection.outlook.com is hotmail in any way.

I don't have samples of those NDRs as they are all sent to a non
existent mailbox. I can send you logs of when it happened. If you really
want the NDR messages themselves, I will have to create a mailbox in
which they can be stored.





Re: [mailop] Bounces from outbound.protection.outlook.com

2016-04-29 Thread Michael Wise

Heh.

Just to be clear, when I say, "HotMail", I'm implying the consumer offering 
known as, "Outlook.com". It's confusing as , and I really wish they had 
chosen another name, but alas.

Logs should suffice, but if there's any way to get a sample to know the shape 
of the attack when it hits us, even better.

Is it all to the same user on your system, or is there a structure to the 
unknown mailbox names?

Aloha,
Michael.
--
Sent from my Windows Phone

From: Renaud Allard<mailto:ren...@allard.it>
Sent: ‎4/‎29/‎2016 7:30 AM
To: Michael Wise<mailto:michael.w...@microsoft.com>; Benoit 
Panizzon<mailto:benoit.paniz...@imp.ch>; 
mailop@mailop.org<mailto:mailop@mailop.org>
Subject: Re: [mailop] Bounces from outbound.protection.outlook.com

Hi Michael,

On 04/29/2016 04:22 PM, Michael Wise wrote:
> Protection.outlook.com is Office365, and *NOT* "HotMail".
>
> If you have samples of the malicious NDRs, please send them to me, and
> I'll see if there's a way to squelch it.
>

I never implied that protection.outlook.com is hotmail in any way.

I don't have samples of those NDRs as they are all sent to a non
existent mailbox. I can send you logs of when it happened. If you really
want the NDR messages themselves, I will have to create a mailbox in
which they can be stored.



Re: [mailop] Bounces from outbound.protection.outlook.com

2016-04-29 Thread Benoit Panizzon
Hi Renaud

> I am seeing in my logs some bounces messages (empty sender) from
> various outbound.protection.outlook.com servers. All those bounce
> messages are directed towards one specific email address which is
> probably used as an envelope field in a spam run.
> 
> Now my question is: if it comes from outbound servers for outlook.com,
> shouldn't the mails also pass through some kind of inbound servers at
> outlook.com? If that's the case, how comes that those messages which
> surely have a wrong DMARC, SPF and DKIM pass through the incoming
> gateways?

We have exactly the same problem. We sometimes observe that some of our
customers get DOSed by large volumes of outbound.protection.outlook.com
bounces.

The 'Attacker' apparently is a botnet (aka many different ip
addresses) that fakes the sender@our-domain and sends very small emails
to various non existing recipients hosted on
outbound.protection.outlook.com servers.

Our domains are protected by SPF.

In the first place, the outlook.com services should not accept emails
to non existent recipients and then send 'late' bounces to the fake
sender, resulting in some kind of amplificator attack.

Secondly if the sender domain is protected by SPF with -all that email
should be rejected by Microsoft right away during SMTP handshake.

None of both is done.

I documented the case and how to reproduce.

I did try to open a trouble ticket with the Microsoft Security. It was
impossible, because we, as an ISP do not use any outlook.com services.
I did try to explain the microsoft security agent for long time, that
his handling of the issue was completely wrong and that it was not a
question what M$ product we use, but he did not want to connect me to
his supervisor as we are no M$ customer and therefore there is no way
to open an abuse/security trouble ticket. WTF!

I contacted ab...@mircosoft.com several times about the issue, without
reply.

I even went so far to notify the Heise Journal security team with the
hint that kind of an mail traffic amplificator attack was possible via
outlook.com, to try to increase the pressure on Microsoft to look into
the issue, but they unfortunately considered this not serious enough.

We cannot block the IP Addresses of the outbound.protection.outlook.com
as this would also affect a lot of legitimate email.

So I have no solution here and don't know how I can make Microsoft take
my reports seriously.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
__

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
__


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
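
Added example, not part of any post in this thread: a log summary that answers the questions raised above (which recipient the empty-sender bounces target, how many outbound.protection.outlook.com hosts deliver them, and whether that mailbox exists locally). The simplified Exim-style log layout, the sample lines, the addresses and the thresholds are all constructed assumptions.

```python
"""Summarise null-sender (bounce) arrivals per recipient from MTA log lines."""
import re
from collections import defaultdict

# Assumed, simplified Exim-style arrival line (not a full Exim log parser):
#   DATE TIME <= ENVELOPE-SENDER H=SENDING-HOST [IP] for RECIPIENT
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) <= (?P<sender>\S+) "
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] for (?P<rcpt>\S+)$"
)

RELAY_SUFFIX = "outbound.protection.outlook.com"

# Constructed sample input: host labels, IPs and addresses are made up.
SAMPLE_LOG = """\
2016-04-29 13:25:01 <= <> H=mail-aa0001.outbound.protection.outlook.com [192.0.2.11] for info@example.org
2016-04-29 13:25:03 <= <> H=mail-aa0002.outbound.protection.outlook.com [192.0.2.12] for info@example.org
2016-04-29 13:25:04 <= alice@tenant.example H=mail-aa0001.outbound.protection.outlook.com [192.0.2.11] for bob@example.org
2016-04-29 13:25:07 <= <> H=mail-bb0003.outbound.protection.outlook.com [192.0.2.13] for info@example.org
2016-04-29 13:25:09 <= <> H=mx.other.example [198.51.100.7] for bob@example.org
2016-04-29 13:25:10 <= <> H=mail-aa0002.outbound.protection.outlook.com [192.0.2.12] for info@example.org
2016-04-29 13:26:00 <= <> H=mail-aa0001.outbound.protection.outlook.com [192.0.2.11] for bob@example.org
2016-04-29 13:26:02 <= <> H=outbound.protection.outlook.com.bad.example [203.0.113.5] for info@example.org
"""


def host_in_domain(host, suffix):
    """True only if host is the suffix itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def summarise_bounces(lines, relay_suffix=RELAY_SUFFIX):
    """Count empty-sender arrivals from relay_suffix hosts, keyed by recipient."""
    stats = defaultdict(
        lambda: {"count": 0, "hosts": set(), "first": None, "last": None}
    )
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an arrival line in the assumed layout
        if m["sender"] != "<>":
            continue  # ordinary mail, not a bounce/NDR
        if not host_in_domain(m["host"], relay_suffix):
            continue  # bounce from some other system
        entry = stats[m["rcpt"].lower()]
        entry["count"] += 1
        entry["hosts"].add(m["host"].lower())
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(stats)


def flood_targets(stats, local_mailboxes, min_bounces=3, min_hosts=2):
    """Recipients hit by many bounces spread over several sending hosts.

    mailbox_exists is False when the address is not a known local mailbox,
    the situation described in the thread (bounces to a non-existent mailbox).
    """
    report = []
    for rcpt, entry in stats.items():
        if entry["count"] >= min_bounces and len(entry["hosts"]) >= min_hosts:
            report.append({
                "recipient": rcpt,
                "bounces": entry["count"],
                "hosts": len(entry["hosts"]),
                "mailbox_exists": rcpt in local_mailboxes,
            })
    return sorted(report, key=lambda r: -r["bounces"])


if __name__ == "__main__":
    summary = summarise_bounces(SAMPLE_LOG.splitlines())
    for row in flood_targets(summary, local_mailboxes={"bob@example.org"}):
        print(row)
```

The suffix check matches on a label boundary, so a host name that merely contains the relay domain as a prefix is not counted.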


[mailop] Bounces from outbound.protection.outlook.com

2016-04-29 Thread Renaud Allard via mailop
Hello,

I am seeing in my logs some bounces messages (empty sender) from various
outbound.protection.outlook.com servers. All those bounce messages are
directed towards one specific email address which is probably used as an
envelope field in a spam run.

Now my question is: if it comes from outbound servers for outlook.com,
shouldn't the mails also pass through some kind of inbound servers at
outlook.com? If that's the case, how comes that those messages which
surely have a wrong DMARC, SPF and DKIM pass through the incoming gateways?

I have attached a list of servers sending the bounces, in case it may
help. Feel free to contact me privately if you need more information.

Regards