Re: [mailop] What is the story with QQ.COM?

2019-06-03 Thread Carl Byington via mailop

On Sun, 2019-06-02 at 20:12 +, Benjamin BILLON via mailop wrote:
> If those emails seem to be sent from botnets, I believe they're not
> sent from QQ.com. They have a SPF -all policy, a p=none DMARC policy,
> and I can't check if they have DKIM but it's quite possible.

We get a little legit email from qq.com, but it is all DKIM signed. We
don't directly check dmarc policy records, but the milter(1) here has
the ability to essentially enforce a dmarc-like requirement. The end
result is that we reject any mail claiming to be from qq.com that is not
signed by qq.com, essentially changing their p=none to p=reject.

(1) https://www.five-ten-sg.com/dnsbl/

We can (manually) compensate for errors in dmarc records. For example,
booking.com has a p=reject, but we see mail "From:.*@booking.com" dkim
signed by sg.booking.com. Strict dmarc would reject that. We enforce a
requirement that mail from booking.com be signed by either booking.com
or sg.booking.com. There are other domains with similar errors.





___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
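
The per-domain signer requirement described in the message above (qq.com mail must be DKIM-signed by qq.com; booking.com mail by booking.com or sg.booking.com), as an added sketch that is not part of the original post and not the milter's own code or configuration. It assumes DKIM has already been verified locally and recorded in an Authentication-Results header; the authserv-id `mx.example.net`, the table name and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed local policy: From: domain -> DKIM d= domains accepted for it.
REQUIRED_SIGNERS = {
    "qq.com": {"qq.com"},
    "booking.com": {"booking.com", "sg.booking.com"},
}
AUTHSERV_ID = "mx.example.net"  # assumed id stamped by our own DKIM verifier
_DKIM_PASS = re.compile(r"\bdkim=pass\b[^;]*?\bheader\.d=([a-z0-9.-]+)", re.I)

def passing_dkim_domains(msg):
    """Return d= domains with dkim=pass in Authentication-Results we added."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue  # not ours: a sender can put anything in this header
        domains.update(d.lower().rstrip(".") for d in _DKIM_PASS.findall(results))
    return domains

def verdict(raw_message):
    """Return 'accept' or 'reject' under the per-domain signer requirement."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return "reject"  # RFC 5322 allows exactly one From: header
    from_domain = parseaddr(from_headers[0])[1].rpartition("@")[2].lower()
    allowed = REQUIRED_SIGNERS.get(from_domain)
    if allowed is None:
        return "accept"  # no local requirement for this domain
    return "accept" if passing_dkim_domains(msg) & allowed else "reject"

def sample(from_addr, auth_results=None):
    """Build a constructed test message (not real traffic)."""
    headers = [f"From: {from_addr}", "Subject: test"]
    if auth_results:
        headers.insert(0, f"Authentication-Results: {auth_results}")
    return "\n".join(headers) + "\n\nbody\n"

if __name__ == "__main__":
    ours = AUTHSERV_ID
    print(verdict(sample("123456789@qq.com")))
    print(verdict(sample("123456789@qq.com", f"{ours}; dkim=pass header.d=qq.com")))
    print(verdict(sample("noreply@booking.com", f"{ours}; dkim=pass header.d=sg.booking.com")))
```

A deployment also has to strip inbound Authentication-Results headers that carry its own authserv-id before adding its own, as RFC 8601 requires, or the check above can be satisfied by a forged header.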


Re: [mailop] What is the story with QQ.COM?

2019-06-03 Thread Andrew Beverley via mailop
On Sat, 1 Jun 2019 03:17:32 -0700 Brian Kantor via mailop wrote:
> For the past several months, one of the mailboxes on one of my
> servers has been getting messages, mostly in Chinese character sets
> that I can't decipher, short little messages from various senders
> with FROM addresses like 123456...@qq.com.  At least a thousand a
> day, sometimes as many as 2500 or more in one 24-hour period.

We've had this problem too. We've ended up blocking @qq.com email
addresses entirely, and haven't had any complaints (and we do have at
least one customer in China).

Andy



Re: [mailop] What is the story with QQ.COM?

2019-06-03 Thread Benjamin BILLON via mailop
If those emails seem to be sent from botnets, I believe they're not sent from 
QQ.com.
They have a SPF -all policy, a p=none DMARC policy, and I can't check if they 
have DKIM but it's quite possible.

So isn't it just a case of usual spoofing? Like it could have been many other 
things than @qq.com, and the guy just picked that one? 
(not to mention that 123456789@ looks obviously fake anyway)

--
Benjamin

-Original Message-
From: mailop  On Behalf Of Thomas Walter via mailop
Sent: samedi 1 juin 2019 12:58
To: mailop@mailop.org
Subject: Re: [mailop] What is the story with QQ.COM?

Hey Brian,

On 01.06.19 12:17, Brian Kantor via mailop wrote:
> For the past several months, one of the mailboxes on one of my servers 
> has been getting messages, mostly in Chinese character sets that I 
> can't decipher, short little messages from various senders with FROM 
> addresses like 123456...@qq.com.  At least a thousand a day, sometimes 
> as many as 2500 or more in one 24-hour period.

"Tencent QQ, also known as QQ, is an instant messaging software service 
developed by the Chinese tech giant Tencent."

In China people prefer digits over letters. To a native English-speaker, 
remembering a long string of digits might seem harder than memorizing a word - 
but that’s if you understand the word. So for many Chinese, numbers are easier 
to remember than Latin characters...

Sometimes these are also homophones - similar sounding. Like 1688.com is 
pronounced “yow-leeyoh-ba-ba” - alibaba.com.

I'd guess someone is abusing the system - perhaps similar to all the Skype 
requests people get / got a while ago?

Regards,
Thomas Walter

--
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/



Re: [mailop] What is the story with QQ.COM?

2019-06-01 Thread Michael Rathbun via mailop
On Sat, 1 Jun 2019 03:17:32 -0700, Brian Kantor via mailop wrote:

>Has anyone else seen this or had it happen to their mailboxes?

We get about three successful deliveries per week that fit this description.
They all come from CBL-listed boxes, almost entirely in .cn.

We would probably see several hundred per day, but it looks like most of the
IPs lead off with an instant-death spamtrap, which takes them out of
circulation for a day (first offence) or longer.  They are rather aggressive
in their reconnection attempts.

mdr
-- 
   "There will be more spam."
  -- Paul Vixie




Re: [mailop] What is the story with QQ.COM?

2019-06-01 Thread Thomas Walter via mailop
Hey Brian,

On 01.06.19 12:17, Brian Kantor via mailop wrote:
> For the past several months, one of the mailboxes on one of my
> servers has been getting messages, mostly in Chinese character sets
> that I can't decipher, short little messages from various senders
> with FROM addresses like 123456...@qq.com.  At least a thousand a
> day, sometimes as many as 2500 or more in one 24-hour period.

"Tencent QQ, also known as QQ, is an instant messaging software service
developed by the Chinese tech giant Tencent."

In China people prefer digits over letters. To a native English-speaker,
remembering a long string of digits might seem harder than memorizing a
word - but that’s if you understand the word. So for many Chinese,
numbers are easier to remember than Latin characters...

Sometimes these are also homophones - similar sounding. Like 1688.com is
pronounced “yow-leeyoh-ba-ba” - alibaba.com.

I'd guess someone is abusing the system - perhaps similar to all the
Skype requests people get / got a while ago?

Regards,
Thomas Walter

-- 
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/
