Re: [mailop] Sendgrid and phishing

2020-06-18 Thread Jay Hennigan via mailop

On 6/18/20 07:52, Michael Peddemors via mailop wrote:

> From: "Netflix" 
>
> How is that not already a check on egress after a couple of months.. Do
> you REALLY think you are going to have a customer who named themselves
> that using your service?
>
> Inquiring minds want to know...

Follow the money.

Sendgrid is in the business of sending email. They are getting paid to 
do this. Despite their appearance here and on other lists, and despite 
their repeated claims that they're trying to put a stop to it, reality 
says otherwise.


Ask yourselves, has any other ESP exhibited this behavior, and if so has 
it ever gone on for this long?




--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Sendgrid and phishing

2020-06-18 Thread Michael Peddemors via mailop

On 2020-06-17 11:31 p.m., Benoît Panizzon via mailop wrote:

> Hi
>
> Anybody else seeing increased phishing through sendgrid?  They look
> fairly convincing.
>
> I suspect the IP Ranges of Sendgrid are bound for a global blacklisting
> if they keep ignoring abusive behaviour of their customers.

We have an automated system that catches these now of course, but yeah.. 
The "Netflix" one is getting pretty old..


Len, maybe you can help us understand the inner workings over there.. No 
one likes to play 'whack-a-mole', but how is it that the friendly name 
in the From as, eg..


From: "Netflix" 

How is that not already a check on egress after a couple of months.. Do 
you REALLY think you are going to have a customer who named themselves 
that using your service?


Inquiring minds want to know...


(Quick spot check on the spam folder umm.. yep.. 8 new phishing 
emails detected from SendGrid)


Return-Path: 

Received: from wrqvbwxx.outbound-mail.sendgrid.net (HELO 
wrqvbwxx.outbound-mail.sendgrid.net) (149.72.185.170)


Subject: Maintaintance Requested
From: BARE_TARGET_DOMAIN 

Obvious Phishing, this time email phishing..

Judging by how many hits that triggered in the automated reports, it ran 
for a while..


Actually, seems like they even changed up midstream, when they didn't 
get blocked, and used a different email template from the same account.


Timestamps show they had been running at LEAST 8 hours, with at least 
THREE different phishing campaigns




--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Len Shneyder via mailop
Something is a little off with the auto-responder. We tested it last week
and it was working; just ran a test now and nothing yet, so we'll dig into
that. In the meantime we are receiving anything you send to
ab...@sendgrid.com

Len Shneyder
VP Industry Relations
EMAIL l...@twilio.com
TWITTER @LenShneyder 


On Wed, Jun 17, 2020 at 2:30 PM Faisal Misle  wrote:

> I’ve had mixed luck... sometimes it auto replies, sometimes it doesn’t.
>
> I sometimes wonder if their Proofpoint gateway is quarantining them - or
> if they added a bypass rule for their abuse mailbox (as it should be)
>
> Best,
> Faisal
>
> PGP Key: C8FD029B
> 
>
>
> On Wed, Jun 17, 2020 at 4:17 PM, Tim Bray via mailop wrote:
>
>> On 17/06/2020 16:01, Len Shneyder via mailop wrote:
>>
>>> Hi All,
>>>
>>> Appreciate the discussion. As was mentioned in another forum we are aware
>>> of the problem—the entire team is engaged in deploying a comprehensive fix
>>> that will prevent a wave like this in the future. Just to be perfectly
>>> clear, there is no leak of credentials as one post suggests. In the meantime
>>> if you want to send example/headers to ab...@sendgrid.com they are
>>> being reviewed, you can CC me too. We will play some whackamole as we look
>>> to implement a more thorough solution. Again, thank you all for your
>>> vigilance and feel free to ping me.
>>
>> Thanks for confirming the correct abuse address. It doesn't auto reply
>> or anything so was a bit worried I'm sending stuff and nobody checking.
>>
>> Fortunately some of the links are blocked by google safe browsing, which I
>> guess limits the damage.
>>
>> --
>> Tim Bray
>> Huddersfield, GB
>> t...@kooky.org
>


Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Faisal Misle via mailop
I’ve had mixed luck... sometimes it auto replies, sometimes it doesn’t.

I sometimes wonder if their Proofpoint gateway is quarantining them - or if 
they added a bypass rule for their abuse mailbox (as it should be)

Best,
Faisal

PGP Key: [C8FD029B](https://pgp.faisal.ec/)

On Wed, Jun 17, 2020 at 4:17 PM, Tim Bray via mailop  wrote:

> On 17/06/2020 16:01, Len Shneyder via mailop wrote:
>
>> Hi All,
>>
>> Appreciate the discussion. As was mentioned in another forum we are aware of 
>> the problem—the entire team is engaged in deploying a comprehensive fix that 
>> will prevent a wave like this in the future. Just to be perfectly clear, 
>> there is no leak of credentials as one post suggests. In the meantime if 
>> you want to send example/headers to ab...@sendgrid.com they are being 
>> reviewed, you can CC me too. We will play some whackamole as we look to 
>> implement a more thorough solution. Again, thank you all for your vigilance 
>> and feel free to ping me.
>
> Thanks for confirming the correct abuse address. It doesn't auto reply or 
> anything so was a bit worried I'm sending stuff and nobody checking.
>
> Fortunately some of the links are blocked by google safe browsing, which I 
> guess limits the damage.
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org


Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Jesse Thompson via mailop
On 6/17/20 1:50 PM, Robert L Mathews via mailop wrote:
> Several months ago I suggested (among other things) that SendGrid block
> "From" headers matching prominent domain names until the messages have
> been manually reviewed. The fact that "don't let random customers send
> mail saying it's from @microsoft.com" hasn't been implemented in that
> time frame is disappointing.

More to the point: why should *any* ESP send "From" *any* domain without having 
explicit DMARC-aligned authorization via SPF or DKIM?  At the very least, an 
ESP shouldn't allow their customers to use domains that have a published DMARC 
policy that would result in quarantine or reject for the ESP's mail. 

I know the answer is that small businesses commonly use freemail providers, and 
they still want to send marketing as their brand, and if the ESP takes a hard 
line on authorization their prospective customer might choose to do business 
with a competing ESP... 

But maybe those freemail domains should be the exception to the rule. 

We also saw a round of phishing sent from SendGrid that was "spoofing" some 
arbitrary .com domain.  And I mean to say "spoofing" lightly, since I'm fairly 
confident that SendGrid (as would any responsible ESP) did verify their 
customer's ability to receive mail at an address within that domain, so either:

1) a mailbox was compromised and used to authorize SendGrid to use the domain
2) a SendGrid customer account was compromised and the attacker was 
piggybacking on a prior authorization.  

If the former: all the more reason to have a slightly higher bar for ESPs 
achieving domain authorization.  
If the latter: much tougher challenge.

Jesse



Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Len Shneyder via mailop
Yep, that's strange. It should kick off an autoresponder. I'll look into
that.

If you have fresh headers you can share with me I'd appreciate it.

Thank you very much!

-L


Len Shneyder
VP Industry Relations
EMAIL l...@twilio.com
TWITTER @LenShneyder 


On Wed, Jun 17, 2020 at 2:17 PM Tim Bray wrote:

> On 17/06/2020 16:01, Len Shneyder via mailop wrote:
>
>> Hi All,
>>
>> Appreciate the discussion. As was mentioned in another forum we are aware
>> of the problem—the entire team is engaged in deploying a comprehensive fix
>> that will prevent a wave like this in the future. Just to be perfectly
>> clear, there is no leak of credentials as one post suggests. In the meantime
>> if you want to send example/headers to ab...@sendgrid.com they are
>> being reviewed, you can CC me too. We will play some whackamole as we look
>> to implement a more thorough solution. Again, thank you all for your
>> vigilance and feel free to ping me.
>
> Thanks for confirming the correct abuse address. It doesn't auto reply
> or anything so was a bit worried I'm sending stuff and nobody checking.
>
> Fortunately some of the links are blocked by google safe browsing, which I
> guess limits the damage.
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org
>


Re: [mailop] SendGrid and Phishing

2020-06-17 Thread Tim Bray via mailop

On 17/06/2020 16:01, Len Shneyder via mailop wrote:

> Hi All,
>
> Appreciate the discussion. As was mentioned in another forum we are
> aware of the problem—the entire team is engaged in deploying a
> comprehensive fix that will prevent a wave like this in the future.
> Just to be perfectly clear, there is no leak of credentials as one
> post suggests. In the meantime if you want to send example/headers to
> ab...@sendgrid.com they are being
> reviewed, you can CC me too. We will play some whackamole as we look
> to implement a more thorough solution. Again, thank you all for your
> vigilance and feel free to ping me.

Thanks for confirming the correct abuse address.   It doesn't auto reply 
or anything so was a bit worried I'm sending stuff and nobody checking.


Fortunately some of the links are blocked by google safe browsing, which 
I guess limits the damage.




--
Tim Bray
Huddersfield, GB
t...@kooky.org



Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Robert L Mathews via mailop
On 6/17/20 10:22 AM, Carl Byington via mailop wrote:

> In the last 24 hours:

Yeah, I see phishing attempts that we rejected for DMARC failures like:

 Received: from microsoft.com (unknown)
  by ismtpd0004p1lon1.sendgrid.net (SG) with ESMTP id PP-Z30gTRGS8qMv1NXRDhA
  for ; Tue, 16 Jun 2020 06:55:20.140 + (UTC)
 From: 
 Date: Tue, 16 Jun 2020 06:55:20 + (UTC)
 Subject: Service Update  : info,

I mean, come on.

Several months ago I suggested (among other things) that SendGrid block
"From" headers matching prominent domain names until the messages have
been manually reviewed. The fact that "don't let random customers send
mail saying it's from @microsoft.com" hasn't been implemented in that
time frame is disappointing.

-- 
Robert L Mathews, Tiger Technologies
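One way to implement the egress check that Michael Peddemors (the "Netflix" friendly name), Jesse Thompson (DMARC-aligned authorization) and Robert Mathews (prominent From domains) each describe, as an added example that is not SendGrid's code or anything posted in this thread. The DMARC records, the customer's authenticated domains and the brand list are constructed stand-ins, and the lookup reads a table instead of DNS.

```python
"""Egress check on the From header of a customer's outbound message.
Added example, not SendGrid's code; DNS is replaced by a constructed table
of DMARC records so the script runs offline."""
import re
from email.utils import parseaddr

# Constructed stand-in for the TXT record published at _dmarc.<domain>.
DMARC_RECORDS = {
    "microsoft.com": "v=DMARC1; p=reject; pct=100",
    "netflix.com": "v=DMARC1; p=reject",
    "gmail.com": "v=DMARC1; p=none; sp=quarantine",
    "example-shop.test": "v=DMARC1; p=quarantine",
}
# Domains this customer account has completed domain authentication for
# (assumed: the ESP DKIM-signs with d= that domain, giving DMARC alignment).
AUTHENTICATED_DOMAINS = {"example-shop.test"}
# Brand words an unrelated customer should never put in a display name.
PROTECTED_BRANDS = {"netflix", "paypal", "amazon", "microsoft"}


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if unpublished."""
    record = DMARC_RECORDS.get(domain.lower())
    if not record:
        return None
    match = re.search(r"(?:^|;)\s*p=([a-z]+)", record, re.IGNORECASE)
    return match.group(1).lower() if match else None


def check_from(from_header):
    """Return (verdict, reason); verdict is one of accept, hold, reject."""
    display_name, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return "reject", "From header has no parseable address"
    aligned = domain in AUTHENTICATED_DOMAINS
    # At minimum, never send From a domain whose DMARC policy would quarantine
    # or reject the ESP's mail while the customer is not aligned with it.
    policy = dmarc_policy(domain)
    if not aligned and policy in ("quarantine", "reject"):
        return "reject", "%s publishes p=%s and the customer is not aligned" % (domain, policy)
    # A protected brand in the display name ("Netflix" <x@unrelated.test>) is
    # held for manual review unless the customer owns that brand's own domain.
    words = set(re.findall(r"[a-z]+", display_name.lower()))
    hits = sorted(b for b in words & PROTECTED_BRANDS if not (aligned and b in domain))
    if hits:
        return "hold", "display name uses protected brand(s): " + ", ".join(hits)
    if aligned:
        return "accept", "DMARC-aligned: customer authenticated " + domain
    return "accept", "no DMARC policy conflict for " + domain


if __name__ == "__main__":
    for header in ('"Netflix" <no-reply@account-update.test>',
                   '"Microsoft Support" <alert@microsoft.com>',
                   "Example Shop <news@example-shop.test>"):
        print(header, "->", check_from(header))
```

A freemail sender with p=none passes the policy gate, which is the exception Jesse mentions; the display-name hold still applies to it.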



Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Carl Byington via mailop
On Wed, 2020-06-17 at 08:55 -0500, Michael Rathbun via mailop wrote:
> Pointing out to users reporting these that blocking Sendgrid entirely
> (the temptation arises) would take out the SG traffic that is highly
> desired (at least 70%).

Two months ago we started treating mail arriving with a DKIM signature
from sendgrid.net as a moderated mailing list, with a few exceptions for
known senders. The resulting mail volume is low enough, combined with
the high value phishing targets, that we can do manual moderation. In
the last 24 hours:

2 recipients Failure Account Verification Message***Secure Immediately**
4 recipients Remove Your Criminal Convictions
1 recipient  Up To $2,000,000 In Capital
4 recipients Immediate Email Update
4 recipients Account Verification
1 recipient  Important Email Verification
1 recipient  Important Security Notice
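The moderation rule described above (hold everything DKIM-signed by sendgrid.net, except known senders), as an added example in Python that is not Carl's configuration or any SendGrid code. The allowlist and the sample messages are constructed, and the DKIM-Signature header is parsed only for its d= tag, not verified.

```python
"""Inbound moderation rule: hold every message DKIM-signed by sendgrid.net
for manual review unless the sender is a known-good address. Added example,
not the poster's configuration; signatures are parsed for their d= tag only."""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

ALLOWLIST = {"billing@example-shop.test"}  # constructed known-good senders
MODERATED_SIGNER = "sendgrid.net"


def dkim_signing_domains(msg):
    """Return the lowercased d= tag of every DKIM-Signature header."""
    domains = set()
    for sig in msg.get_all("DKIM-Signature", []):
        # Header values may be folded; drop line breaks before splitting tags.
        for tag in sig.replace("\r", "").replace("\n", "").split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "d":
                domains.add(value.strip().lower())
    return domains


def classify(raw_message):
    """Return 'moderate' or 'deliver' for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if MODERATED_SIGNER in dkim_signing_domains(msg) and sender.lower() not in ALLOWLIST:
        return "moderate"
    return "deliver"


def moderation_queue(raw_messages):
    """Tally held messages by Subject, like the 24-hour list in the post."""
    held = Counter()
    for raw in raw_messages:
        if classify(raw) == "moderate":
            held[message_from_string(raw).get("Subject", "").strip()] += 1
    return held


def phish(subject):
    """Constructed brand-impersonating message relayed under the shared key."""
    return ("From: Netflix <no-reply@account-update.test>\n"
            "DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=smtpapi;\n"
            "\tbh=c29tZWJvZHk=; b=c2lnbmF0dXJl\n"
            "Subject: %s\n\nPlease act now.\n" % subject)


SAMPLES = [  # constructed: allowlisted shop, three phishes, own-domain mail
    "From: Example Shop <billing@example-shop.test>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=sendgrid.net; s=smtpapi;\n"
    "\tbh=c29tZWJvZHk=; b=c2lnbmF0dXJl\nSubject: Your receipt\n\nThanks.\n",
    phish("Account Verification"), phish("Account Verification"),
    phish("Important Security Notice"),
    "From: Alice <alice@example.org>\nDKIM-Signature: v=1; d=example.org;"
    " s=sel1; bh=YQ==; b=Yg==\nSubject: Lunch?\n\nNoon?\n",
]
```

Running `moderation_queue(SAMPLES)` yields the per-subject counts of held mail, the same shape as the list in the post.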



Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Alan Hodgson via mailop
On Wed, 2020-06-17 at 08:55 -0500, Michael Rathbun via mailop wrote:
> On Wed, 17 Jun 2020 14:00:35 +0100, Tim Bray via mailop wrote:
> > Anybody else seeing increased phishing through sendgrid?  They look fairly
> > convincing.
> 
> General spam (several per week) and phishing, especially some very nicely
> done "Reconfirm you Netflix payment method" at several per day.
> Pointing out to users reporting these that blocking Sendgrid entirely
> (the temptation arises) would take out the SG traffic that is highly desired
> (at least 70%).

Yeah. Tempting though. I got a dozen phishes literally From: 
supp...@amazon.com from them a few weeks ago.

Just zero attempt to authenticate senders it seems.


Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Michael Rathbun via mailop
On Wed, 17 Jun 2020 14:00:35 +0100, Tim Bray via mailop 
wrote:

> Anybody else seeing increased phishing through sendgrid?  They look
> fairly convincing.

General spam (several per week) and phishing, especially some very nicely done
"Reconfirm you Netflix payment method" at several per day.

Pointing out to users reporting these that blocking Sendgrid entirely (the
temptation arises) would take out the SG traffic that is highly desired (at
least 70%).

mdr
-- 
   "There will be more spam."
  -- Paul Vixie




Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Michael Peddemors via mailop
Going on two months since first reported, and last weekend there were really 
high counts of new SendGrid IP(s) sending obvious phishing..




On 2020-06-17 6:26 a.m., Faisal Misle via mailop wrote:

> I’ve been seeing it too... Mailgun, PayPal, etc
>
> A SG rep replied to a SDLU thread yesterday about the same issue
>
> “We are working to get a handle on this on a few fronts. These senders in
> this thread have been banned. I don't have insight into the compliance
> side, but it is being worked on."
>
> Best,
> Faisal
>
> PGP Key: C8FD029B
>
> On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop wrote:
>
>> Hi,
>>
>> Anybody else seeing increased phishing through sendgrid?  They look
>> fairly convincing.
>>
>> A few paypals, and a few amazons.
>>
>> I thought sendgrid were ok?  Has somebody leaked a big pile of
>> sendgrid usernames and passwords or something?
>>
>> --
>> Tim Bray
>> Huddersfield, GB
>> t...@kooky.org





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Olivier Depuydt via mailop
Hello.

I received the phishing email from the fake Paypal Support, from Sendgrid's
platform on May the 29th, on a personal email address.
I have forwarded it to Paypal's phishing support on June the 1st.
So, this issue has been going on for weeks if you still see emails like that.

Best regards,

Olivier
Deliverability Engineer at Cheetah Digital

On Wed, 17 Jun 2020 at 15:32, Faisal Misle via mailop wrote:

> I’ve been seeing it too... Mailgun, PayPal, etc
>
> A SG rep replied to a SDLU thread yesterday about the same issue
>
> “We are working to get a handle on this on a few fronts. These senders in
> this thread have been banned. I don't have insight into the compliance
> side, but it is being worked on."
>
> Best,
> Faisal
>
> PGP Key: C8FD029B 
>
>
> On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop wrote:
>
>> Hi,
>>
>> Anybody else seeing increased phishing through sendgrid?  They look
>> fairly convincing.
>>
>> A few paypals, and a few amazons.
>>
>> I thought sendgrid were ok?  Has somebody leaked a big pile of
>> sendgrid usernames and passwords or something?
>>
>> --
>> Tim Bray
>> Huddersfield, GB
>> t...@kooky.org
>


-- 

Olivier Depuydt

Site Reliability Engineer




Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Faisal Misle via mailop
I’ve been seeing it too... Mailgun, PayPal, etc

A SG rep replied to a SDLU thread yesterday about the same issue

“We are working to get a handle on this on a few fronts. These senders in
this thread have been banned. I don't have insight into the compliance
side, but it is being worked on."

Best,
Faisal

PGP Key: [C8FD029B](https://pgp.faisal.ec/)

On Wed, Jun 17, 2020 at 8:00 AM, Tim Bray via mailop  wrote:

> Hi,
>
> Anybody else seeing increased phishing through sendgrid? They look
> fairly convincing.
>
> A few paypals, and a few amazons.
>
> I thought sendgrid were ok? Has somebody leaked a big pile of
> sendgrid usernames and passwords or something?
>
> --
> Tim Bray
> Huddersfield, GB
> t...@kooky.org
>