Hi Mark,

Not sure if it is related but I’ve seen a bunch of spam and phish SPF 
authenticated as wisconsin.bbb.org at a personal Gmail account. That particular 
subdomain has an SPF include for a domain which looks to be controlled by a 
spam group - vocus-bounce[.]com. Maybe reputation is bleeding across the 
subdomains? 

Regards,
Brian

> On Oct 26, 2023, at 4:37 PM, Mark Stanley via mailop <mailop@mailop.org> 
> wrote:
> 
> Kevin - I believe they do send some bulk emails, that was one of our thoughts 
> yesterday.
> 
> What was strange was that they were able to send to Google for about 4 hours 
> yesterday afternoon and then it started happening again. There was brief 
> respite where I thought I resolved the issue. All other domains work 
> perfectly fine - no bounce backs, no error messages, nothing.
> 
> I have also tested without the signatures and the messages are still being 
> rejected. Sending blank messages or messages with just simple text strings 
> still get rejected.
> 
> I have another customer who uses Google Workspace, where I could potentially 
> take out a ticket on their behalf to have Richmond.bbb.org struck from the 
> spam list.
> 
> Mark W. Stanley, Managed Services Engineer
> Richweb, Inc.  /  mstan...@corp.richweb.com
> O: 804-368-0421 X 120
> richweb.com / hvens.com
> 
> -----Original Message-----
> From: Kevin A. McGrail <kevin.mcgrail-mai...@pccc.com>
> Sent: Thursday, October 26, 2023 4:27 PM
> To: mailop@mailop.org; Mark Stanley <mstan...@corp.richweb.com>
> Subject: gmail deliverability issue was mailop Digest, Vol 39, Issue 48
> 
> Hi Mark,
> 
> I saw this and your test from the loopback. Everything looked good from 
> ARC/DKIM/SPF/DMARC.  We've been seeing Google requiring DKIM authentication 
> lately so we wanted to confirm that wasn't the issue.
> 
> Are you sending bulk emails? I noticed it's the BBB and they send a lot of 
> messages people might mark as spam.
> 
> The error from Google says that their antispam system has marked it as spam.  
> Is there any content of note in your messages that are getting blocked?  
> Anything like links in a signature to URLs that might be in a blocklist?
> 
> One thought to get that escalated is to email a Google Workspace paying 
> customer and have them make a support request about the issue.
> 
> Regards,
> 
> KAM
> 
> 
> On 10/26/2023 4:07 PM, Mark Stanley via mailop wrote:
>> KAM - I sent a message as one of my users to that email address you supplied 
>> and listed below is the bounceback message we get:
>> 
>> More Info for Email Admins
>> Status code: 550 5.7.350
>> 
>> When Office 365 tried to send the message to the recipient (outside Office 
>> 365), the recipient's email server (or email filtering service) suspected 
>> the sender's message is spam.
>> 
>> If the sender can't fix the problem by modifying their message, contact the 
>> recipient's email admin and ask them to add your domain name, or the 
>> sender's email address, to their list of allowed senders.
>> 
>> Although the sender may be able to alter the message contents to fix this 
>> issue, it's likely that only the recipient's email admin can fix this 
>> problem. Unfortunately, Office 365 Support is unlikely to be able to help 
>> fix these kinds of externally reported errors.
>> 
>> Original Message Details
>> Created Date: 10/26/2023 8:05:05 PM
>> Sender Address:       ba...@richmond.bbb.org
>> Recipient Address:    markwstanley2...@gmail.com
>> Subject:      testing again
>> 
>> Error Details
>> Error:        550 5.7.350 Remote server returned message detected as spam -> 
>> 550 5.7.1 [104.47.57.168 12] Our system has detected that this message 
>> is;likely unsolicited mail. To reduce the amount of spam sent to Gmail,;this 
>> message has been blocked. Please visit; 
>> https://support.google.com/mail/?p=UnsolicitedMessageError for 
>> more;information. m14-20020a5d4a0e000000b003296b69535csi124898wrq.495 - gsmtp
>> Message rejected by:  mx.google.com
>> 
>> Notification Details
>> Sent by:      BL3PR04MB8106.namprd04.prod.outlook.com
>> 
>> We experienced a brief respite from all this yesterday afternoon and all 
>> users could actively send to Google domains. As of about noon today, it 
>> started happening again.
>> 
>> Mark W. Stanley, Managed Services Engineer Richweb, Inc.  /
>> mstan...@corp.richweb.com
>> O: 804-368-0421 X 120
>> richweb.com / hvens.com
>> 
>> -----Original Message-----
>> From: mailop <mailop-boun...@mailop.org> On Behalf Of
>> mailop-requ...@mailop.org
>> Sent: Thursday, October 26, 2023 3:54 PM
>> To: mailop@mailop.org
>> Subject: [SUSPECTED SPAM] mailop Digest, Vol 39, Issue 48
>> 
>> Today's Topics:
>> 
>>    1. Re: Still Don't understand Google's relaying systems..
>>       Duplicate Return-Path, and other things.. (Atro Tossavainen)
>>    2. Re: [External] Need Help with Google Deliverability Issue
>>       (Kevin A. McGrail)
>> 
>> 
>> ----------------------------------------------------------------------
>> 
>> Message: 1
>> Date: Thu, 26 Oct 2023 22:17:49 +0300
>> From: Atro Tossavainen <mail...@atrotossavainen.fi>
>> To: mailop@mailop.org
>> Subject: Re: [mailop] Still Don't understand Google's relaying
>>      systems.. Duplicate Return-Path, and other things..
>> Message-ID: <20231026191749.gq28...@dm7.infinitemho.fi>
>> Content-Type: text/plain; charset=iso-8859-1
>> 
>>> They're a legit Google customer. What's there to marvel at?
>> https://developers.google.com/gmail/api/guides <- have a look.
>> 
>> --
>> Atro Tossavainen, Founder, Partner
>> Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635) Tallinn, Estonia
>> tel. +372-5883-4269, https://www.koliloks.eu/
>> 
>> 
>> ------------------------------
>> 
>> Message: 2
>> Date: Thu, 26 Oct 2023 15:43:53 -0400
>> From: "Kevin A. McGrail" <kevin.mcgrail-mai...@pccc.com>
>> To: mailop@mailop.org
>> Subject: Re: [mailop] [External] Need Help with Google Deliverability
>>      Issue
>> Message-ID: <726fd9fa-da01-4d35-b711-25bbd218a...@pccc.com>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>> 
>> Mark, was there a bounce message with any information?
>> 
>> Send a message to raptorloopb...@raptoremailsecurity.com and that will
>> tell you what that spam scanner sees to check your SPF, DKIM, DMARC, etc.
>> 
>> Regards,
>> KAM
>> 
>> On 10/26/2023 3:13 PM, Mark Stanley via mailop wrote:
>>> I have recently migrated one of our customers from Google to
>>> Office365 and have been encountering deliverability issues when
>>> sending to Google-related domains. All other domains are perfectly
>>> fine and haven’t seen any issues. Listed below are the headers for a
>>> bounced email to a Gmail account:
>>> 
>>> ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com;
>>> cv=pass;
>>> 
>>> ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
>>> d=microsoft.com;
>>> 
>>> s=arcselector9901;
>>> 
>>> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchang
>>> e-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-
>>> 0:X-MS-Exchange-AntiSpam-MessageData-1;
>>> 
>>> bh=U1XPevLPW3kgepb4RRUmQy20bmFrzeFdm+z8xjlDhQo=;
>>> 
>>> ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender
>>> ip is
>>> 
>>> 198.154.181.224) smtp.rcpttodomain=gmail.com
>>> smtp.mailfrom=richmond.bbb.org;
>>> 
>>> dmarc=pass (p=none sp=none pct=100) action=none
>>> header.from=richmond.bbb.org;
>>> 
>>> dkim=pass (signature was verified) header.d=richmond.bbb.org;
>>> dkim=pass
>>> 
>>> (signature was verified)
>>> header.d=mail-dkim-us-west-2.prod.hydra.sophos.com;
>>> 
>>> arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=richmond.bbb.org]
>>> 
>>> dkim=[1,1,header.d=richmond.bbb.org]
>>> 
>>> dmarc=[1,1,header.from=richmond.bbb.org])
>>> 
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>> d=richmond.bbb.org;
>>> 
>>> s=selector1;
>>> 
>>> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchang
>>> e-SenderADCheck;
>>> 
>>> bh=U1XPevLPW3kgepb4RRUmQy20bmFrzeFdm+z8xjlDhQo=;
>>> 
>>> Received: from DM6PR07CA0095.namprd07.prod.outlook.com
>>> (2603:10b6:5:337::28)
>>> 
>>> by CO6PR04MB8329.namprd04.prod.outlook.com (2603:10b6:303:134::10)
>>> with
>>> 
>>> Microsoft SMTP Server (version=TLS1_2,
>>> 
>>> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.22; Thu,
>>> 26 Oct
>>> 
>>> 2023 19:00:26 +0000
>>> 
>>> Received: from DS1PEPF0001708E.namprd03.prod.outlook.com
>>> 
>>> (2603:10b6:5:337:cafe::30) by DM6PR07CA0095.outlook.office365.com
>>> 
>>> (2603:10b6:5:337::28) with Microsoft SMTP Server (version=TLS1_2,
>>> 
>>> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.19 via
>>> Frontend
>>> 
>>> Transport; Thu, 26 Oct 2023 19:00:25 +0000
>>> 
>>> X-MS-Exchange-Authentication-Results: spf=pass (sender IP is
>>> 198.154.181.224)
>>> 
>>> smtp.mailfrom=richmond.bbb.org; dkim=pass (signature was verified)
>>> 
>>> header.d=richmond.bbb.org;dmarc=pass action=none
>>> 
>>> header.from=richmond.bbb.org;
>>> 
>>> Received-SPF: Pass (protection.outlook.com: domain of
>>> richmond.bbb.org
>>> 
>>> designates 198.154.181.224 as permitted sender)
>>> 
>>> receiver=protection.outlook.com; client-ip=198.154.181.224;
>>> 
>>> helo=mfod-usw2.prod.hydra.sophos.com; pr=C
>>> 
>>> Received: from mfod-usw2.prod.hydra.sophos.com (198.154.181.224) by
>>> 
>>> DS1PEPF0001708E.mail.protection.outlook.com (10.167.17.134) with
>>> Microsoft
>>> 
>>> SMTP Server (version=TLS1_2,
>>> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
>>> 
>>> 15.20.6933.18 via Frontend Transport; Thu, 26 Oct 2023 19:00:25 +0000
>>> 
>>> Received: from ip-172-17-2-248.us-west-2.compute.internal
>>> (ip-172-17-2-248.us-west-2.compute.internal [127.0.0.1])
>>> 
>>>     by mfod-usw2.prod.hydra.sophos.com (Postfix) with ESMTP id
>>> 4SGZqr6KmBzdZMC
>>> 
>>>        for <markwstanley2...@gmail.com>; Thu, 26 Oct 2023 19:00:24
>>> +0000 (UTC)
>>> 
>>> X-Sophos-Product-Type: Mailflow
>>> 
>>> X-Sophos-Email-ID: 331699fdd3364172b148bf658ab8ad0a
>>> 
>>> Received: from NAM12-DM6-obe.outbound.protection.outlook.com
>>> 
>>> (mail-dm6nam12lp2169.outbound.protection.outlook.com [104.47.59.169])
>>> 
>>> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
>>> bits))
>>> 
>>> (No client certificate requested)
>>> 
>>> by mf-outbound-usu-west-2.prod.hydra.sophos.com (Postfix) with ESMTPS
>>> id
>>> 
>>> 4SGZqq1wzhzRhQn
>>> 
>>> for <markwstanley2...@gmail.com>; Thu, 26 Oct 2023 19:00:23 +0000
>>> (UTC)
>>> 
>>> ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com;
>>> cv=none;
>>> 
>>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
>>> d=microsoft.com;
>>> 
>>>  s=arcselector9901;
>>> 
>>> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchang
>>> e-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-
>>> 0:X-MS-Exchange-AntiSpam-MessageData-1;
>>> 
>>> bh=U1XPevLPW3kgepb4RRUmQy20bmFrzeFdm+z8xjlDhQo=;
>>> 
>>> ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
>>> 
>>> smtp.mailfrom=richmond.bbb.org; dmarc=pass action=none
>>> 
>>> header.from=richmond.bbb.org; dkim=pass header.d=richmond.bbb.org;
>>> arc=none
>>> 
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>> d=richmond.bbb.org;
>>> 
>>> s=selector1;
>>> 
>>> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchang
>>> e-SenderADCheck;
>>> 
>>> bh=U1XPevLPW3kgepb4RRUmQy20bmFrzeFdm+z8xjlDhQo=;
>>> 
>>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>>> t=1698346819;
>>> 
>>>  s=v1; d=mail-dkim-us-west-2.prod.hydra.sophos.com;
>>> 
>>> h=Content-Type:Date:Subject:To:From;
>>> 
>>> bh=U1XPevLPW3kgepb4RRUmQy20bmFrzeFdm+z8xjlDhQo=;
>>> 
>>> Received: from BY5PR04MB6706.namprd04.prod.outlook.com
>>> (2603:10b6:a03:22e::24)
>>> 
>>> by MN2PR04MB7134.namprd04.prod.outlook.com (2603:10b6:208:1e3::24)
>>> 
>>> with Microsoft SMTP Server (version=TLS1_2,
>>> 
>>> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.19; Thu,
>>> 26 Oct
>>> 
>>> 2023 19:00:20 +0000
>>> 
>>> Received: from BY5PR04MB6706.namprd04.prod.outlook.com
>>> 
>>> ([fe80::4324:9275:a4f7:113c]) by
>>> BY5PR04MB6706.namprd04.prod.outlook.com
>>> 
>>> ([fe80::4324:9275:a4f7:113c%3]) with mapi id 15.20.6933.019; Thu, 26
>>> Oct 2023
>>> 
>>> 19:00:19 +0000
>>> 
>>> Any insight into this is greatly appreciated. We have been getting bounce
>>> backs for several days now, but experienced a brief period where
>>> Google domains were able to be reached.
>>> 
>>> *Mark W. Stanley, Managed Services Engineer*
>>> 
>>> Richweb, Inc.  / mstan...@corp.richweb.com
>>> 
>>> O: 804-368-0421 X 120
>>> 
>>> richweb.com / hvens.com
>>> 
>>> 
>>> _______________________________________________
>>> mailop mailing list
>>> mailop@mailop.org
>>> https://list.mailop.org/listinfo/mailop
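
The reply at the top of this thread points at an SPF `include:` on one subdomain that lets another domain's hosts authenticate as that subdomain. The following is an added example, not part of the thread or of any poster's tooling: it walks include chains over constructed records and reports which outside domains each subdomain authorizes. Every domain, network and the trusted list are placeholder assumptions, not the real bbb.org data.

```python
import ipaddress

# Constructed SPF TXT records; every name and network is a placeholder.
ZONE = {
    "branch-a.example.org": "v=spf1 include:spf.mailhost.example.net "
                            "include:bounce.thirdparty.example -all",
    "branch-b.example.org": "v=spf1 include:spf.mailhost.example.net -all",
    "spf.mailhost.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "bounce.thirdparty.example": "v=spf1 ip4:203.0.113.0/24 "
                                 "include:pool.thirdparty.example ~all",
    "pool.thirdparty.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
TRUSTED_ORGS = {"example.org", "example.net"}  # assumed vetted by the admin


def org_domain(name):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def walk(domain, zone, chain=(), seen=None):
    """Yield (chain, term) for each SPF term, following include: recursively."""
    seen = set() if seen is None else seen
    if domain in seen:  # guard against include loops
        return
    seen.add(domain)
    chain = chain + (domain,)
    for term in zone.get(domain, "").split()[1:]:
        term = term.lstrip("+")
        yield chain, term
        if term.startswith("include:"):
            yield from walk(term[8:], zone, chain, seen)


def audit(domain, zone=ZONE, trusted=TRUSTED_ORGS):
    """Report networks, untrusted include paths and include lookups for a domain."""
    nets, untrusted, lookups = [], [], 0
    for chain, term in walk(domain, zone):
        if term.startswith("include:"):
            lookups += 1  # only include: is counted here; a, mx, exists also cost lookups
            if org_domain(term[8:]) not in trusted:
                untrusted.append(" -> ".join(chain + (term[8:],)))
        elif term.startswith(("ip4:", "ip6:")):
            nets.append((ipaddress.ip_network(term[4:], strict=False), chain[-1]))
    return {"networks": nets, "untrusted": untrusted, "lookups": lookups}


def authorized_via(domain, ip, zone=ZONE):
    """Return the record whose network authorizes ip for domain, or None."""
    addr = ipaddress.ip_address(ip)
    for net, owner in audit(domain, zone)["networks"]:
        if addr in net:
            return owner
    return None
```

Against live DNS the same walk would read TXT records through a resolver; the constructed `ZONE` map keeps the example offline.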
