Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

2020-09-18 Thread John Hardin

On Thu, 17 Sep 2020, Kevin A. McGrail wrote:


> sendgrid has seriously fallen from grace this year despite numerous
> attempts to contact them and assist.
>
> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
> also sheds light on the issue too.


There's also an RBL for compromised sendgrid user IDs. See the thread 
starting at:


https://marc.info/?l=spamassassin-users=159803815425176=2


--
 John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  All I could think about was this bear is so close to me I can
  see its teeth. I could have kissed it. I wished I had a gun.
 -- Alyson Jones-Robinson
---
 Tomorrow: Talk Like a Pirate day


Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

2020-09-18 Thread Rob McEwen

On 9/18/2020 6:38 AM, Loren Wilton wrote:
> > https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
> > also sheds light on the issue too.
>
> . SendGrid knows (or should know) that it has compromised 
> accounts. It could find out what some of them are for free by 
> downloading Rob's list of 25 or so compromised accounts.



I strongly suspect that many of those accounts on our 2 Sendgrid lists 
are just plain ol' spammers, NOT compromised. So some are compromised, 
some are spammers. And the list has grown to 594 SendGrid IDs 
(currently, as I type this) - much more than 25! Also, the list of 
domains found at the end of the SMTP-FROM that we're also deeming as 
spam or malicious has likewise grown to 87 domains.


SEE:
https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt

AND:
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl-rbldnsd.txt
(2nd one formatted for rbldnsd)

I'm seeing evidence/reports that Sendgrid is likely using this data to 
greatly improve their system, and that this (maybe combined with their 
other efforts?) is finally starting to improve things? So that is good 
news. But I'm also shocked at how many hours go by where certain 
egregious accounts on our Sendgrid DNSBLs STILL stay in circulation 
while continuing to send spams, sometimes criminal phishing spams. But I 
also understand that they have to be careful about overly trusting 3rd 
party data, to ensure that they don't overreact to what might be an 
occasional false positive. It shouldn't be too long before they figure 
out that False Positives in those two Sendgrid lists are very very 
rare... practically non-existent. They probably should at least PAUSE 
campaigns pending further investigation. They should at least do that 
much, imo.


(They MIGHT also be suffering from the increasingly common and flawed 
view in the ESP industry - that not-illegal and CAN-SPAM-compliant mail 
is always legit and not spam - mistakenly not understanding that spam 
doesn't have to be illegal and malware, in order to be unsolicited and 
undesired by the recipient (aka "spam"). Maybe them seeing those types 
of accounts in our data is confusing them? I don't know - but much of 
the ESP industry is in great need of a "reset" - and this data is a good 
first step towards that!)


I was planning to spend much time this past week (1) adding this data to 
my own customer's direct query and rsync feeds, and (2) improving the 
instructions, including providing more specific instructions for adding 
this free version to various MTAs - but all that time got put into 
performance and effectiveness enhancements instead. Therefore, the data 
has greatly improved in just the past few days. New data sources were 
added into the mix - and many others of these spams that were 
previously getting missed, are now getting caught - and the time from 
such a spam being first received - to that data getting into the list - 
has improved from about 1/2 a minute, to just a few seconds!


-- Rob McEwen invaluement.com
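As an added illustration of how a receiving site might consume the two lists Rob describes (SendGrid account IDs, and the domain found at the end of the SMTP-FROM), here is a small Python checker. It is example code written for this page, not invaluement's own tooling, and it makes two assumptions that the thread does not spell out: that the downloaded list files hold one entry per line with `#` comments, and that SendGrid envelope senders take the form `bounces+<account id>-<hex>-<local part>=<domain>@sendgrid.net`, from which both the account ID and the sender's domain can be recovered. The list contents and addresses below are constructed samples, not real listings.

```python
"""Match SendGrid envelope senders against local copies of a SendGrid-ID
list and an envelope-from-domain list (added example, not invaluement code)."""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Constructed sample data standing in for the downloaded list files.
# Assumption: one entry per line, '#' starts a comment; the real file
# layout is not described in the thread.
SAMPLE_ID_LIST = """\
# sendgrid account IDs (constructed sample, not real listings)
1234567
7654321
"""

SAMPLE_DOMAIN_LIST = """\
# envelope-from domains (constructed sample, not real listings)
spammy.example
"""

# Assumption: SendGrid bounce addresses look like
#   bounces+<account id>-<hex>-<local part>=<sender domain>@sendgrid.net
# so the account ID and the domain "at the end of the SMTP-FROM" can both be
# pulled out of the Return-Path / MAIL FROM value.
SENDGRID_BOUNCE_RE = re.compile(
    r"^bounces\+(?P<sgid>\d+)-[0-9a-f]+-(?P<user>[^=@]+)=(?P<domain>[^@]+)"
    r"@sendgrid\.net$",
    re.IGNORECASE,
)


class SenderInfo(NamedTuple):
    sgid: str    # numeric SendGrid account ID
    domain: str  # domain of the actual sender, lower-cased


def load_list(text: str) -> frozenset[str]:
    """Parse a list file into a set of lower-cased entries, ignoring comments."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return frozenset(entries)


def parse_envelope_from(addr: str) -> Optional[SenderInfo]:
    """Extract account ID and sender domain from a SendGrid envelope sender.

    Returns None for anything that is not a SendGrid bounce address, so mail
    from other senders is left alone rather than guessed at."""
    m = SENDGRID_BOUNCE_RE.match(addr.strip().strip("<>"))
    if m is None:
        return None
    return SenderInfo(m["sgid"], m["domain"].lower())


def classify(addr: str, bad_ids: frozenset[str],
             bad_domains: frozenset[str]) -> list[str]:
    """Return the list hits for an envelope sender (empty list = no hit).

    An ID hit catches the whole SendGrid account; a domain hit catches the
    client behind it even if they move to a fresh account ID."""
    info = parse_envelope_from(addr)
    if info is None:
        return []
    hits = []
    if info.sgid in bad_ids:
        hits.append(f"sendgrid-id:{info.sgid}")
    if info.domain in bad_domains:
        hits.append(f"envelope-from-domain:{info.domain}")
    return hits


if __name__ == "__main__":
    ids = load_list(SAMPLE_ID_LIST)
    domains = load_list(SAMPLE_DOMAIN_LIST)
    for rp in (
        "<bounces+1234567-0a1b2c-news=spammy.example@sendgrid.net>",
        "bounces+9999999-ffee-hello=clean.example@sendgrid.net",
        "bounces+7654321-0a1b-hello=clean.example@sendgrid.net",
        "someone@mailgun.example",
    ):
        print(rp, "->", classify(rp, ids, domains) or "no hit")
```

The two lists are deliberately checked independently: Rob's point is that the envelope-from domain list keeps catching a sender after their account ID changes, while the ID list catches every domain a compromised or abusive account sends for. In a real deployment the sets would be reloaded from the downloaded files on a schedule rather than embedded as above.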



RE: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

2020-09-18 Thread Marc Roos
 
But now it is Sendgrid, tomorrow it is some other company; fact is we're 
stuck with this trend of spammers outsourcing their spam, trying to mix 
it with legitimate email. 

Legitimate clients are not aware of this and use these companies because 
of whatever ill-advised reason. I am thinking about documenting this 
behaviour on 'my' hosting pages so people can read and be aware of this. 
I think if everyone does this, legitimate clients will stay away from 
these businesses. And if they stay away from these businesses, it is for 
'smaller' providers easier to manage (e.g. blanket block the whole owned 
range).





-Original Message-
To: users@spamassassin.apache.org
Subject: Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
> also sheds light on the issue too.

. SendGrid knows (or should know) that it has compromised 
accounts. 
It could find out what some of them are for free by downloading Rob's 
list of 25 or so compromised accounts. It could find out what some of 
the other 400 are for $15 each, and could find out what some of the 
major offenders are for $400 each. Let's see, 400 compromised accounts 
times $400 is $16,000 dollars. SendGrid or Twilio can't afford a 
$16,000 cash outlay to find the account names of the major compromised 
accounts? Their head of security probably gets that much a month in 
salary and bonuses. It would be a trivial expense.

So what could they do once they knew which accounts are compromised?
Are they helpless, and can only wring their hands and issue press 
releases saying They Have A Plan?

No. They can SHUT THE DAMN ACCOUNTS DOWN. Issue refunds to the owners if 
they feel generous. Tell the owners to open new accounts with 2FA.

But they won't do this, because they get their money from sending spam.

Loren





Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

2020-09-18 Thread Loren Wilton

https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
also sheds light on the issue too.


. SendGrid knows (or should know) that it has compromised accounts. 
It could find out what some of them are for free by downloading Rob's list 
of 25 or so compromised accounts. It could find out what some of the other 
400 are for $15 each, and could find out what some of the major offenders 
are for $400 each. Let's see, 400 compromised accounts times $400 is $16,000 
dollars. SendGrid or Twilio can't afford a $16,000 cash outlay to find the 
account names of the major compromised accounts? Their head of security 
probably gets that much a month in salary and bonuses. It would be a trivial 
expense.


So what could they do once they knew which accounts are compromised?
Are they helpless, and can only wring their hands and issue press releases 
saying They Have A Plan?


No. They can SHUT THE DAMN ACCOUNTS DOWN. Issue refunds to the owners if 
they feel generous. Tell the owners to open new accounts with 2FA.


But they won't do this, because they get their money from sending spam.

   Loren