Re: [mailop] Strange Behavior from Microsoft IP Address

[Atro Tossavainen via mailop]

> To give you a bit of context, we operate as an ESP, facilitating our 
> customers in sending out newsletters.

If you want anybody to have an opinion on this stuff why don't you
identify yourself, the domain names and the IPs involved.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF

[Atro Tossavainen via mailop]

> The SPF of molgen.mpg.de has `~all` (soft fail):
> 
> $ dig txt molgen.mpg.de +short
> "v=spf1 ip4:141.14.0.0/16 ~all"

But this is irrelevant. The envelope-from of a forwarded message is
the original one - if you do not deliberately rewrite it - and in such
a case, the SPF that is evaluated at the forwarding destination should
be that of the original sender, nothing to do with yours.

As for DKIM, if the forwarded message did not contain a DKIM signature
to begin with, then your options would be

1) continuing to occasionally forward mail that is not DKIM signed at all

or

2) figuring out a way to sign what is essentially random email from
   random third parties using your reputation, which may not be what
   you wanted either.

> We do not want to set up DKIM due to the increased message size,

Now there's a straw man if I ever saw any. If you're worrying about
adding 5-15 lines to messages that frequently contain hundreds,
thousands of lines, you have the luxury of having problems that
nobody else has.

> and complexity of key handling. Is there an alternative?

You can do it. A man+dog shop (looking at the mirror) can do it, so
a university department with people on the IT payroll can do it.

(But you may still not want to sign mail sent by random folks on the
Internet with your domain.)

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] how does mailhash.josephlist.net work?

[Atro Tossavainen via mailop]

> What I found out is that the email content is searched for email
> addresses and if some hash of that email address matches, the email is
> rejected. It's the full email address. Only the domain part does not
> trigger the issue.

Yeah. To my knowledge, the idea of hash blocklists was first publicly
proposed in M3AAWG 41, October 2017.

https://msbl.org/ebl.html has the details.

Ever since, Spamhaus HBL has come up (to address not only email addresses
but also files and cryptocurrency wallets) and it seems that even more
people have taken up the mantle now.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [spamhaus] de-listing requests successful, but only for a couple of days.

[Atro Tossavainen via mailop]

On Fri, Mar 15, 2024 at 08:11:42AM +, Alexandre Dangreau via mailop wrote:
> Hello, 
> 
> In fact, if you need a /64 IPv6 range you probably use the wrong service. For 
> VPS and Public Cloud instances (PCI) the IPv6 range is shared with all the 
> VM, so each VM (VPS or PCI) have one single IPv4 (/32) and one single IPv6 
> (/128).
> 
> Only baremetal have a dedicated /64 IPv6 range. The support team could help 
> you to find a server corresponding to your needs.

Let me point out the obvious: that is a suicidal approach.

You're not exactly running out of /64's. There are altogether
18 446 744 073 709 551 616 of them in the address space, not all of
which are yours, of course, but even if you only have a /32 you
still have 4 billion, and it's safe to say you don't have 4 billion
customers. (I will go deeper into this at the end of this message.)

Spamhaus released their IPv6 policy already in 2011:

https://www.spamhaus.org/resource-hub/dnsbl/spamhaus-releases-ipv6-blocklists-strategy/

They refer to RFC 6177:

https://datatracker.ietf.org/doc/html/rfc6177

I am nobody, but I wholeheartedly wish for OVH to reconsider its
approach and to always assign at least a /64 to a customer, no
matter whether they're buying VPS or bare metal. (It should be
per customer, not per unit of hardware, as well.)

You have over 17 billion /64's in your four /32's. Restricting all
VPS customers to a single /64 is something that could only be caused
by a fundamental, should I say utter, misunderstanding of IPv6.

Once again, please reconsider.

$ whois -h whois.radb.net -- '-i origin AS16276' | grep route6: | grep /32 | 
sort -u
route6: 2001:41d0::/32
route6: 2402:1f00::/32
route6: 2604:2dc0::/32
route6: 2607:5300::/32

Best,
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Opinions on what qualifies as a "false positive" RBL listing that should be fixed?

[Atro Tossavainen via mailop]

> If the message is "your book is due in five days", it doesn't seem
> reasonable that legitimate addresses are going to belong to
> discontinued domains repurposed as spamtraps within that time
> period. Certainly not a lot of them.

We religiously observe the M3AAWG BCP for maintaining spamtraps and
condition all new recycled domains with a 12-month period of responding
with 550 5.1.1 No such user.

Doesn't stop them. Not talking about this specific sender; _anyone._

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] zen.spamhaus.org

[Atro Tossavainen via mailop]

> ... but that does mean trusting 8.8.8.8 with your private secret.

From Spamhaus documentation:

"access to public mirrors requires the use of a non-public, non-shared DNS 
resolver (therefore excluding services like Google Public DNS), while DQS can 
use any DNS channel"

https://docs.spamhaus.com/datasets/docs/source/70-access-methods/data-query-service/010-dqs-differences.html

Now if that was a problem and this private secret got out because of
a query that was just done through Google a few minutes ago, we'd
find out in no time at all because Spamhaus would shut this private
secret down. I also expect we wouldn't have been the first ones to
explore this "problem" if it was one.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] zen.spamhaus.org

[Atro Tossavainen via mailop]

> Otherwise you need to stop using Spamhaus -- even if you sign-up,
> perhaps because of the query volume, you still must query them
> directly not via a public resolver.

This is not true.

One of the main points of DQS is that the DNS service you use no
longer matters. They don't need to block the server - if you misused
the DQS (whatever the definition of misuse might be), they can simply
block *you* from accessing the data, not *all users of the same DNS
infrastructure*.

[atossava@x ~]$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53

> 2.0.0.127.zen.spamhaus.org
Server: 8.8.8.8
Address:8.8.8.8#53

** server can't find 2.0.0.127.zen.spamhaus.org: NXDOMAIN
> 2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Server: 8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Address: 127.0.0.2
Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Address: 127.0.0.10
Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Address: 127.0.0.4

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] zen.spamhaus.org

[Atro Tossavainen via mailop]

> Hmm. How do I check that?
> Running nslookup defaults to my local resolver instance.

If it happens silently at the ISP's end, you can't check it - except
indirectly. What are the return codes that you get from your Spamhaus
Zen queries?

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Admin contact for Protonmail

[Atro Tossavainen via mailop]

On Wed, Jan 31, 2024 at 02:03:33PM +, Tarun Singh via mailop wrote:
> Hello Folks, 
> 
> Is there anyone from Protonmail on this distro? Can you please reach out to 
> me offline?

Abuse and postmaster appear to work.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Spamhaus contact?

[Atro Tossavainen via mailop]

On Fri, Jan 19, 2024 at 03:31:19PM +0100, hg user wrote:
> Ok sorry not "most" but "some may"...
> 
> My checkpoint rep said that they get their reputation lists from other
> companies... is it wrong ?

It's possible that Check Point are just an aggregator and don't actually
have first-hand data. But I don't think of Check Point when somebody
says DNSBL, which may be my own failure :-D

As far as I've been able to tell, Spamhaus, SURBL, Abusix, SpamCop,
SORBS, UCEProtect, PSBL at least all have their own data, I would
even go so far as to guess "exclusively".

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Spamhaus contact?

[Atro Tossavainen via mailop]

> Since most RBLs exchange data,

Source?

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Spamhaus contact?

[Atro Tossavainen via mailop]

> > https://www.talosintelligence.com/reputation_center/lookup?search=66.175.222.108
> >
> Thanks for this; I wasn't familiar with Talos Intelligence. Do they publish
> a blocklist?

Paying users only. Paying users include the Finnish government's
internal outsourcing center (Valtori) and Telia (our largest telco).
Their error messages are shit, you don't even know where to look:

/var/log/old/maillog-20220410.gz

Apr  7 12:47:44 mail postfix/smtp[11896]: 52E23100EBBCA: 
to=, relay=mail.cm.telia.net[80.74.207.118]:25, 
delay=0.54, delays=0.09/0/0.14/0.31, dsn=5.0.0, status=bounced (host 
mail.cm.telia.net[80.74.207.118] said: 554 Your access to this mail system has 
been rejected due to poor reputation of a domain used in message transfer (in 
reply to end of DATA command))

It was only by accident that I was able to find out what it was, and
when I did, I also managed to find out that said "poor reputation"
involved Cisco having believed urlscan.io's misassessment that the
Roundcube webmail software on a server is indicative of...

...drum roll...

* PHISHING AGAINST THE GENERIC BRAND OF EMAIL *

which caused Cisco to list all Roundcube servers everywhere.

I shit you not.

This was soon two years ago, but you don't make a fuckup like that
when you're one of the largest companies in the business.

And their error messages continue to suck every bit as much AFAIK.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Spamhaus contact?

[Atro Tossavainen via mailop]

> We're an email groups service, like Google Groups. Based on evidence
> provided by Spamhaus, it appears that some groups that migrated from Yahoo
> Groups when Y! Groups shut down contained some Spamhaus spamtrap addresses.

That might be the explanation for why some of your customers' lists
contain addresses that ceased to exist before groups.io started to.
It does look rather suspicious when that happens.

> On Spamhaus' suggestion, I built a reverification system late last year and
> tested it on a small group of users. Yesterday, I kicked off a
> reverification to a much larger segment of users.

Looking forward to seeing this in our traps.

This is a third-party observation that has nothing to do with Spamhaus.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Sendgrid phish of the day

[Atro Tossavainen via mailop]

On Wed, Dec 13, 2023 at 05:53:13PM -0500, John R Levine via mailop wrote:
> Phishing their own customers.  I suppose in a karmic sense they
> deserve it.
> 
> (No, CAUCE is not a customer.)

Neither are the resources where Koli-Lõks OÜ spamtraps received the same. :-)


-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Docusign phishing campaign of the decade, brought to you by Microsoft?

[Atro Tossavainen via mailop]

On Tue, Dec 12, 2023 at 06:22:10PM -0600, Jarland Donnell via mailop wrote:
> Hey friends,
> 
> Do me a favor and search your logs for this domain:
> SIBBERTLLC.onmicrosoft.com

Three hits yesterday.

> One customer received 1,347 attempted deliveries from it so far.
> Another, 823. Still counting, and plenty more but with smaller
> numbers. Is there no one at Microsoft watching anything, because if
> this doesn't set off red flags, there are no red flags.

I think there isn't.

This campaign wasn't particularly voluminous towards our spamtraps, we
frequently get hundreds and thousands of any given campaign (such as
the "meet Ukrainian ladies" fake dating scams that are being sent from
throwaway Hotmail accounts all the time).

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] dnsbl.spam.fail

[Atro Tossavainen via mailop]

> The residential address of the operator is a risk, because spamming is
> a criminal activity in most countries and spammers are sometimes
> organized like the mafia. They hate those lists and try to bring them
> down by all kinds of attacks. Not providing them more attack surface
> than necessary isn't a bad idea.

Domeneshop does not have a residential address.

They list their corporate physical address on their website.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] dnsbl.spam.fail

[Atro Tossavainen via mailop]

> Well, yeah, not really _impossible_, but I was referring to doing
> monitoring based on DNS lookups, as is normal for DNS BL.

Of course.

> Also, Domeneshop confirmed they operate spam.fail as internal list

OK. I tried tagging them on LinkedIn; it's an automatically generated
corporate page with no owner. I tried tagging Asgeir Kristofersson, a
person who reports currently working there; the tagging was automatically
removed.

> that they indeed have blacklisted Hetzner ranges because "lack of abuse
> handling":

Bastiaan van den Berg even participates here from time to time. Not
that mailing list participation equals anything with respect to
abuse handling.

> Their MX, their rules...

Indeed, but a little bit of transparency would go a long way.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] dnsbl.spam.fail

[Atro Tossavainen via mailop]

> Inability to do external DNS lookups makes it impossible to monitor
> for presence on their list.

https://spam.fail/search?ip=127.0.0.2

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Another very strange microsoft originated email??

[Atro Tossavainen via mailop]

On Thu, Dec 07, 2023 at 12:44:58PM -0800, Randolf Richardson, Postmaster via 
mailop wrote:
>   I'm not familiar with Hertzner, but APNIC's WHOIS indicates a 
> country code of ZZ for the sending IP address's netblock, which the 
> ISO lists as "Unknown or unspecified country."

The descr: reveals what you need to do.

> descr:  Transferred to the RIPE region on 2018-06-27T02:24:02Z.

$ whois -h whois.ripe.net that.ip.add.ress

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Another very strange microsoft originated email??

[Atro Tossavainen via mailop]

On Thu, Dec 07, 2023 at 12:29:37AM +, Suresh Ramasubramanian via mailop 
wrote:
> Free trial account on Microsoft 365 being relayed through Microsoft 365 
> outbounds by a Hetzner IP

As Suresh says.

I've got a copy too. Nothing unusual in it, it definitely came through
M365 infrastructure. From where it was injected to M365 is not that
important - it could have been anything as long as they were capable
of authenticating using the user accounts in that domain.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft's block list?

[Atro Tossavainen via mailop]

On Wed, Nov 22, 2023 at 04:25:36PM +0200, Otto J. Makela via mailop wrote:
> Can someone shed light on a Microsoft/Outlook block list? Our hobby server
> (on upcloud.com) seem to have been blocked for quite some time now.

I have no idea why, but given that upcloud.com spammed my company to
try to sell us their business, I'd be tempted to say that they have
a reputation. The "n" is way too small to claim that it would mean
anything, but maybe this unique data point could serve as that $.02
that you needed to move your VPS to another provider.

(I can provide a complete unredacted copy of the spam to you, you and I
 go back 40 years and I have no issues trusting you with spam evidence.)

> At this time, SPF and DKIM should be correct for our outgoing messages.
> Is there anything to be done, apart from switching to some mail sender
> company instead of ourselves attempting a direct connection?

A direct connection may be perfectly fine. Your server will always be
affected by your hosting provider's reputation. I wouldn't try with
DigitalOcean either.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] How to report abuse to cloudflare? Only via Web-Form?!? Phishing sites not against cloudflare policy!?!

[Atro Tossavainen via mailop]

If you want any real action from Cloudflare, you have to jump through the
hoop of filling in the web based abuse form. It sucks but only you can
decide whether it's worth your time and effort.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft Abuse Desk - we NEED to talk! (regarding 2a01:111:f403:2e1b::800 and other IP Addresses)

[Atro Tossavainen via mailop]

> 2a01:111:f403:2e1b::800 sent about 50 Spam Mails in October! Either to
> Spam-Taps or being reported by our customers.

50 in a month and you're worried? :-)

We get between 5000 to 9000 a day

yes, a day

from Microsoft outbounds to our spamtrap collection. About one thousand
of those are fake dating porn spam in Finnish. Among the rest, more of
the same in other languages. Plenty of 419, too.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Still Don't understand Google's relaying systems.. Duplicate Return-Path, and other things..

[Atro Tossavainen via mailop]

> They're a legit Google customer. What's there to marvel at?

https://developers.google.com/gmail/api/guides <- have a look.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Still Don't understand Google's relaying systems.. Duplicate Return-Path, and other things..

[Atro Tossavainen via mailop]

On Thu, Oct 26, 2023 at 10:07:30AM -0700, Michael Peddemors via mailop wrote:
> Not to be 'snide' Atro, but that part is pretty obvious..

You would have thought so - I would have thought so too. Which is
why I reacted that way to your asking about it.

> It was the technical details I was searching for, on HOW it is able
> to relay from those IPs.. please review the original post again.. I
> thought I was clear on that..

They're a legit Google customer. What's there to marvel at?

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Still Don't understand Google's relaying systems.. Duplicate Return-Path, and other things..

[Atro Tossavainen via mailop]

> Maybe Brandon can weigh in on or off list, but is there a a way for
> spammers to simply relay out Gmail servers if they are Google Cloud?

$ host -t txt sredplus.com
sredplus.com descriptive text 
"google-site-verification=gyoD4DWS9XSrAmz9s5Pc9OBLvvowksBJtB0Oi-DAlsQ"
sredplus.com descriptive text "v=spf1 mx include:_spf.google.com 
include:24145163.spf02.hubspotemail.net include:sendgrid.net -all"

$ host -t mx sredplus.com
sredplus.com mail is handled by 10 alt3.aspmx.l.google.com.
sredplus.com mail is handled by 5 alt2.aspmx.l.google.com.
sredplus.com mail is handled by 5 alt1.aspmx.l.google.com.
sredplus.com mail is handled by 1 aspmx.l.google.com.
sredplus.com mail is handled by 10 alt4.aspmx.l.google.com.

I guess those two tell you everything you need to know: their email
infrastructure is Google, they're just using it for cold email^W^W
spam in addition to their regular stuff. This is really commonplace
these days.


> 
> 
> -- 
> "Catch the Magic of Linux..."
> 
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> 
> 604-682-0300 Beautiful British Columbia, Canada
> 
> This email and any electronic data contained are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company.
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Amazon SES using SAME sender Domain for multiple customer?

[Atro Tossavainen via mailop]

> Does anyone know, why Amazon is not using their customer's domain as
> envelope sender?

It appears that customers can decide to do it.

> The Username part looks like a completely new random string on every
> email sent. Or is there a way to match one specific Amazon SES customer?

Parts of it may be same.

Our "n" is on the order of 100,000 for August 2023.

In roughly 16,000 of these, the envelope-sender matched the ERE

([0-9a-f]+-){6}000...@eu-west-1.amazonses.com

70% were somehow involved with amazonses.com (that Envelope-From or
another one at that domain).

30% had an envelope-from that did NOT involve amazonses.com or amazon.com.


-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Authentication Bounces by Gmail

[Atro Tossavainen via mailop]

> Might be convinced with this if it weren't for gmail being the source of
> ~40% of the spam we receive.

And that's after all of the botnets and so on have been blocked
through the use of DNSBLs, I suppose?

Mail subject lines seen in our test/dev spamtraps from Google outbounds
over the past two weeks:

For more details please reply
Buy STRONG SMTP Cyber Weapon
Come over to local moms home
common bedtime habit skyrockets dementia risk.
Milf Available for Free Hookups
Come to my place & bang me tonight!
Separated women looking for men
The Ultimate Cure for Urination Frequency at Night

The rate at which our production spamtraps get stuff from Google
outbounds is more or less 1% of all mail, all of the time. This iso
low tens of thousands of spam every day (yes, we're small, with only
low thousands of domain names feeding this). It's mostly fake
dating/hookup crap, with 419 a strong #2 contender and pharma #3.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Authentication Bounces by Gmail

[Atro Tossavainen via mailop]

> I'm sure I've had a long explanation on here in the past year, but the
> short answer is if the message is not DKIM valid and you're forwarding, you
> should rewrite
> the MAIL FROM to a domain you own that will SPF authn the message... and
> try not to forward spam.

That's not how forwarding works, Brandon.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] GMX/Mail.com contact?

[Atro Tossavainen via mailop]

On Fri, May 12, 2023 at 08:29:07PM +, Mike Hillyer via mailop wrote:
> Anyone have a contact? I have someone with an accountant.com address trying 
> to run a check scam on me.
> 
> Mike Hillyer

They're represented on this list and have picked up not too long ago.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] United Airlines / mileageplus DNS/rDNS mismatch issue

[Atro Tossavainen via mailop]

> I think we have to disagree here.  The PTR naming is set via
> SendGrid. It doesn't NEED to be the same as the A record. This is
> for those MTA's that do forward/reverse matching, which isn't always
> successful.
> 
> Yes, doing that for a IPv6 email address to satisfy Google, go ahead.
> 
> But nothing wrong with sending an email from a PTR with a name, that
> doens't have the FQDN forward/reverse matched.

RFC 1912 #2.1

It is 27 years old.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] New to mass mailings

[Atro Tossavainen via mailop]

> Understood. We plan to change the setup over the summer but until then we 
> have to work with what we have. When we change we will probably set up our 
> own postfix server for mail handling.

As far as I can tell it's about a two hour job to do the latter.

> I should have added that our future "mass mailings" would be around 1000 
> emails per week or every two weeks, iow, not too much.

What I said is not about your proposed activities but the fact that
you're planning to share the reputation of your sendouts with that of
any number of other Ionos customers.

> I did check the Ionos sending IP address on a couple of websites, including 
> mxtoolbox.com, and it is not listed.

Good for you. That may change at any time for reasons that have nothing
to do with you, and where the fix is also something you have no control
over. My €.02 is biting the bullet and deploying your own server PDQ.
It also makes it possible for you to do the DKIM signing you mentioned.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] New to mass mailings

[Atro Tossavainen via mailop]

> We are mailing from our own CRM system but using Ionos (1and1.com) as our 
> mail service.

You're setting yourselves up to fail by mailing out of a server shared
by thousands of other customers. The error messages you quote testify
to that. Don't do it.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Any Apple email team on the list? Interesting tidbit like to shed light on...

[Atro Tossavainen via mailop]

On Tue, May 02, 2023 at 10:11:46PM -0400, John Levine via mailop wrote:
> It appears that Michael Peddemors via mailop  said:
> >Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.2\))
> 
> I sent a message to myself from
> 
>  Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
> 
> There's no X-Universal anything. Wherever it came from, it's not the
> Mac mail progaram.

Our traps get a slow but steady drip of messages from Apple outbounds.

Last month, one tenth of a percent of those messages (which tells the
astute reader there's got to have been at least one thousand such
messages) contained the header X-Universally-Unique-Identifier.

Almost half of the messages we got were mail sent from anywhere else
_to_ an Apple account that has been configured to forward email to
an address that has never worked (before being made into a spamtrap),
though.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] emailage.com ?

[Atro Tossavainen via mailop]

On Mon, Apr 24, 2023 at 10:44:47AM +0200, Jasper Spaans via mailop wrote:
> Hello,
> 
> We're seeing quite some postfix PREGREET errors in incoming smtp
> traffic from hosts claiming to be emailage.com (by lexisnexis). Does
> anyone know whether this is just a dressed up list washing service,
> or would it be worthwhile for our customers if we start whitelisting
> them?

My $.02:

[root@mail ~]# grep emailage /etc/postfix/*
/etc/postfix/helo_access:emailage.com   REJECT Spam list cleaners are 
welcome to take a hike

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] delisting from Invaluement ivmURI

[Atro Tossavainen via mailop]

> One of our brand's domain has been listed on the Invaluement ivmURI RBL.

The operator is present here on Mailop. They should be waking up
soonish - I can't remember where they are but there's a chance they're
on the west coast and that would mean it's soon 5 am there.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] warming up IPs, Microsoft?

[Atro Tossavainen via mailop]

> I believe it, but the more relevant question is what fraction that is of the 
> total
> mail they send.  I see way more real mail than spam from them.

I can only speak to the mail we see. I am sure all of the entities
that are sending to our spamtraps mostly send good email. I simply
could not have any visibility to the rest.
 
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] warming up IPs, Microsoft?

[Atro Tossavainen via mailop]

> You have to validate each domain you use for sending, which is a
> modest pain, but that's one of the reasons their mail stream is
> pretty clean.

Do you mean AWS SES specifically? They're consistently #4 by volume
in our dataset (occasionally even #3, rarely #5), next only to
SendGrid, ExactTarget and Mailchimp.

In February we had close to 6000 separate domains sending from
AWS SES to our spamtraps.

The corresponding number is more than 15,500 for SendGrid, less than
5500 for ExactTarget, and close to 15,000 for Mailchimp (closer to
16,000 when you take into account the fact that the senders with
freemail From's are not one, but many).

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Intuit directly spaming

[Atro Tossavainen via mailop]

> > harder to give due suspision on sendgrid because they give full

It's actually kind of easy.

Is the IP announced by AS11377?

Yes? -> SendGrid.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Intuit directly spaming

[Atro Tossavainen via mailop]

> Interesting to me Atro said this is sendgrid. I saw sendgrid format
> sender address but headers do no show any sendgrid. So now its
> harder to give due suspision on sendgrid because they give full
> infrastructure to rent for other domain like intuit?

Yes.

Full headers (munged of course) and plaintext content

https://pastebin.com/88xXcVZh

This will remain up for a week.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Intuit directly spaming

[Atro Tossavainen via mailop]

On Mon, Feb 27, 2023 at 08:05:31PM +0100, Faisal Misle via mailop wrote:
> I wonder if its the similar MO as PayPal, where they use Quickbooks accounts 
> to send fake invoices... so it uses the legitimate QB stream

Right on the money, that is exactly what it is.


-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Hetzner

[Atro Tossavainen via mailop]

> what is your data that shows hetzner being worse than others in this field?

What is the point you are trying to make by trying to turn this into
a race where it wasn't one previously? We are discussing Hetzner
specifically, prompted by the original post from Lena, last I checked.

> hetzner has grown big and in absolute numbers it's clear that the
> number of abuse is big - but only relative numbers are fair to
> compare!

In addition to making the mistake of trying to make it a race, you are
also mistaking a qualitative discussion for a quantitative one.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Hetzner

[Atro Tossavainen via mailop]

> Ever been on the receiving end of a retaliatory abuse complaint?

Yup, that too.

> As a Hetzner customer I expect some trust in the company I pay money
> to,

As do I, as a Hetzner customer.

> that they'll give me a chance to face my accuser and fix the
> problem if there is one, or give a response as to why I shouldn't
> have to if there isn't a problem.

I, too, expect to be told what the nature of the problem is.

Where the report comes from should be completely irrelevant.

I frequently don't bother with complaints of abuse to Hetzner because
I get back the autoreply that states I am expected to OK them forwarding
it verbatim to the spammer. Most of the spammers I would complain about
are not the hijacked systems but the dedicated ones.

> There are two sides to every story, surprisingly companies aren't
> keen to just kick all of their customers out by third party demand,
> on demand.

Not expecting shooting on sight, as already said. Some safety measures
would be nice though, such as not outsourcing the ToSsing of spammers
to the spammers themselves.


> 
> On 2023-02-07 07:15, Atro Tossavainen via mailop wrote:
> >>Neither do I. The response simply describes what is happening. When a
> >>third party X complains that Hetzner customer Y is a spammer, I
> >>consider
> >>it only appropriate that Hetzner passes the complaint along and asks Y
> >>for a statement, and does not simply impose restrictions on Y based on
> >>X's say-so. Informing X of what the internal process entails does not
> >>look offensive, let alone insulting, to me.
> >
> >Have you ever been on the receiving end of retaliation from a
> >spammer, Ralph?
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Hetzner

[Atro Tossavainen via mailop]

> If we were passing them on verbatim we wouldn’t have to manually
> process them.

Suppose it is so, then.

> As for the spammers comment, you know that the vast majority of spam
> leaving our network is from compromised servers.

You would know that beyond any doubt. I don't have comprehensive
stats, although I may have guesses.

> Most spam complaints we get are for legitimate clients. There are
> spammers who try to sign up with us, but those that get through and
> start spamming don't last very long.

OK.

I'm curious about the Russian spam list spammer on 78.47.158.139 four
days ago, as well as the dedicated 419 domain on 168.119.9.111 two
weeks ago, if you are at liberty to discuss.

(As well as the Japanese credit card phishers everywhere.

 Subject: [実録]格安カードで騙された！

88.99.150.167
188.40.100.144
138.201.209.250
95.216.221.140
195.201.12.225
148.251.202.161
78.47.187.206
135.181.5.246
95.217.226.237
116.203.45.186
176.9.44.204
65.109.189.33
95.217.211.68
144.76.32.106
188.34.190.243 
)

> We deal with this by giving our client a chance to resolve the
> issue.

But you don't know the legitimate client from the illegitimate one
before you do, which could mean you might be passing on information
that the illegitimate one could then use for retaliating against the
complainant.

> If they don't, then we take action. Blocking servers for a
> single abuse complaint without first informing our client about a
> potential issue is not something that a reliable hosting partner
> would do.

Not expecting you to shoot on sight, that's for sure.

Admittedly I also don't know how much information in the initial
complaint you actually do forward to the customer. In the absence
of reliable evidence to the contrary, I am expecting it to be
"everything."

(Which brings us back to square one: don't enable further abuse.)

I'd love to be wrong on that.

> These are dealt with in a timely manner, and a quick look at the
> blacklists that show data for entire networks/companies will show
> that we take spam seriously.

Having only one live SBL is indeed an indication of mostly getting
it right. Many others have dozens, hundreds.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Hetzner

[Atro Tossavainen via mailop]

> Neither do I. The response simply describes what is happening. When a
> third party X complains that Hetzner customer Y is a spammer, I consider
> it only appropriate that Hetzner passes the complaint along and asks Y
> for a statement, and does not simply impose restrictions on Y based on
> X's say-so. Informing X of what the internal process entails does not
> look offensive, let alone insulting, to me.

Have you ever been on the receiving end of retaliation from a spammer, Ralph?

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Hetzner

[Atro Tossavainen via mailop]

Thanks Bastiaan for picking up the red courtesy phone so fast.

> I’m not seeing anything offensive or insulting in our response.

I am referring to the fact that the wording of the autoreply suggests
that Hetzner is simply passing complaints verbatim to the spammers
themselves and not dealing with it yourselves.

To me, that _is_ offensive and insulting, because as we all know, we
(tinw) don't want the spammer to know about us, we don't want the
spammer to remove just us, we want you to remove the spammers, and
there is nothing the spammer themselves can accomplish to that end.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Freenet.de Contact

[Atro Tossavainen via mailop]

> Thank you for this. I usually avoid role-based addresses when trying to reach 
> out to someone about email if only because I rarely if every receive any 
> response, but I wrote to that one today hoping for a response.

This is actually an interesting viewpoint.

Should others also do the same with respect to companies represented
here on Mailop? Especially if others have been told not to reach out
personally, but only to use role addresses?

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] Google spurning the City of Kuopio, Finland

[Atro Tossavainen via mailop]

Hello world,

It was reported in Finnish news today https://yle.fi/a/74-20014495 that
the city of Kuopio (#8 largest in the country) is unable to send email
to addresses served by Google and that this would be expected to last
for about two weeks.

According to the comments in the article, the reason for the problems
was a problem on the email server of the city which caused the domain
name kuopio.fi to end up on a block list at Google.

The news article links to a press release from the city itself. It says
that for about a week, the city has had problems sending email from
Microsoft environments to Google accounts.

I am not affiliated with the city of Kuopio or their ICT partner
Istekki myself, I'm just watching this as a curious onlooker.

Based on what I see in spamtraps, "sending email from Microsoft environments"
isn't happening. 100% of the (very small amount of) email genuinely sent
from the City of Kuopio is sent from a dedicated server managed by Istekki
which is not a Microsoft environment.

If there is anything that should be reported back to the City of Kuopio
or their ICT partners, I'm happy to act as the local conduit. :-D

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Is there a way to unsubscribe from Nextdoor emails?

[Atro Tossavainen via mailop]

Here's my €.02. The context for this is

http://mainsleaze.spambouncer.org/may-2021-in-spamtraps-esps/

(and similar posts on same site before, as well as my LinkedIn posts on
the same topic later)

Here's a data point to the current conversation.

[atossava@x ~]$ for i in 202?-??_ESP-blog/202*_esp_sendgrid*; do 
nextdoor=`fgrep -c .nextdoor.com $i`; total=`wc -l < $i`; month=`echo $i | cut 
-f1 -d_`; echo $month: `expr 1000 \* $nextdoor / $total` ‰ ; done

Output:

2021-01: 7 ‰
2021-02: 7 ‰
2021-03: 7 ‰
2021-04: 7 ‰
2021-05: 8 ‰
2021-06: 7 ‰
2021-07: 9 ‰
2021-08: 9 ‰
2021-09: 11 ‰
2021-10: 12 ‰
2021-11: 11 ‰
2021-12: 13 ‰
2022-01: 17 ‰
2022-02: 33 ‰
2022-03: 32 ‰
2022-04: 32 ‰
2022-05: 31 ‰
2022-06: 29 ‰
2022-07: 34 ‰
2022-08: 46 ‰
2022-09: 43 ‰
2022-10: 36 ‰
2022-11: 32 ‰

Another one is that they keep adding more trap addresses to hit, and
we've had control over these for years. Opt-in it is not.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Contact at Outlook?

[Atro Tossavainen via mailop]

On Wed, Nov 23, 2022 at 04:01:30PM -0600, Jarland Donnell via mailop wrote:
> Assuming that doesn't pan out, can you file an abuse complaint with
> their DNS provider? Sure can't hurt anything.

Oddly enough Microsoft's DNS provider is... Microsoft.

Microsoft has an employee participating on this list.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Google Gives Gmail Mass Email Services the Boot

[Atro Tossavainen via mailop]

On Fri, Nov 18, 2022 at 10:56:26AM -0700, Anne Mitchell via mailop wrote:
> It's about time, and to the extent that you were involved (if at all), 
> Brandon, *thank you*!
> 
> "Users of mass email services such as Gmass, Woodpecker, Lemlist and others 
> that have been using Gmail’s API to send bulk email that tricked recipients 
> into thinking that they were receiving personal one-to-one emails have been 
> put on notice today by Google: “Applications that use multiple accounts to 
> abuse Google policies, bypass Gmail account limitation, circumvent filters 
> and spam, or otherwise subvert restrictions are prohibited from accessing 
> Gmail API scopes.”"
> 
> https://www.isipp.com/blog/google-gives-gmail-mass-email-services-the-boot/

Much appreciated. Thanks to all who contributed to make this happen.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [Public] trouble delivering to cox.net

[Atro Tossavainen via mailop]

> I do see a not
> insignificant amount of mail to invalid recipients so you might want to
> check that you're understanding/processing bounces/deferrals properly.

Koli-Lõks OÜ spamtraps concur, seeing mail from USAA both to typotraps
as well as recycled domains. These are of course no longer undeliverable,
but a health check on the data ought to get rid of them just the same.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Threat Update.. Tales from the Trenches..

[Atro Tossavainen via mailop]

> >PS, don't know what o365 is doing, but a marked reduction in uncaught spam 
> >leaking from their networks..
> >
> Really? I'm seeing a constant stream of fake dating spam from apparently 
> compromised O365 accounts, with no end in sight.

I'm with Hans-Martin on this one.

> Many of them use link shorteners (mostly tinyurl.com), content text
> has so little variation that good old regex rules get all of them,
> so it seems to be just a single spamming operation. Targets are
> german, so that may be a reason you're not seeing those.

Targets are also Swedish and Finnish.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [E] abuse@ equivalent for yahoo dot com?

[Atro Tossavainen via mailop]

> You can use https://senders.yahooinc.com/contact

Email responses to email abuse. thank you, very much

Best regards, RFC 2142

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] SMTP noise from *.bouncer.cloud

[Atro Tossavainen via mailop]

> Fine. You're responsible for delivering mail submitted to you, and
> it is entirely reasonable to confirm that the entity you are
> accepting it from has provided a usable address. What Postfix then
> does to verify it is exactly what would be done if a message was
> simply accepted without verification.

Does not take into account the matter of spam with forged headers.

I didn't send that email, and you're "verifying" whether I did, doing
exactly the same as Radek's woodpecker-as-a-service. No different from
my perspective.

[root@mail ~]# grep -i sender /etc/postfix/helo_access*
/etc/postfix/helo_access:inpost.tmes.trendmicro.com REJECT Sender Address 
Verification is Abusive
/etc/postfix/helo_access.pcre:/\.mailspamprotection\.com/   REJECT Sender 
Address Verification is Abusive
/etc/postfix/helo_access.pcre:/\.pphosted\.com/ REJECT Sender Address 
Verification is Abusive

And that's just some of the big names doing it.

> This is a bit less clear, but I'd say that is fine because you have
> every reason to believe that you are acting on behalf of the address
> owner, not some 3rd party who may not have acquired the address
> legitimately.

This, too, can be co-opted by people who aren't your users.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] SMTP noise from *.bouncer.cloud

[Atro Tossavainen via mailop]

> Atro appears to object to this use. I disagree.

It's abusable. Your users might not be who you think they will be.

> Arguably this is less expensive than "double opt in", which is doing
> a similar thing.

Yes. It also returns a different category of result.

> One way around that might be for the
> final step be to send the applicant a copy of their completed form.
> If this bounces, then you ask them to correct the address.

Yup.

> Of course, if they give *someone-elses* email (whether by accident
> or deliberately) you have just mailed personal data to a third party

People will mistype their address. Some of the typos exist. I know
because I have access to some of those that do - we are in the
business of spamtrapping, some of our traps are typo domains, and
some of the stuff that comes in is... not bulk email.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] SMTP noise from *.bouncer.cloud

[Atro Tossavainen via mailop]

> Regarding the above, I have the following question:
> 
> What do you (and maybe other people on the list) think about such email
> verification method ("abusing RCPT TO") used as part of:
> 
> a) mail receiving process - I'm thinking here for example about the Postfix
> feature "reject_unverified_recipient" that checks sender's email using this
> method before accepting (or rejecting, if sender's email doesn't verify) the
> message (see http://www.postfix.org/ADDRESS_VERIFICATION_README.html ). Some
> other MTAs have similar features too, there are also milters that do this.

Yes, Sender Address Verification is abusive as well because it causes
the systems doing it to woodpecker on anybody whose addresses are forged
as senders in spam.

And so is Challenge/Response based spam filtering.

> b) website registration process - some time ago I was maintaining some
> website where people often mistyped their email addresses. Due to the
> nature of the website the typical "click on confirmation link that
> arrives via email" approach could not be used

List members will probably argue eloquently for why "could" is the
wrong word to use here. I don't mean there is anything wrong with
your grammar, your language is perfectly fine.

> anything except the registration form). So I included the code that did the
> email verification ("abusing RCPT TO") upon form submission, and in case of
> a verification failure, asked the user to correct the address.  

...potentially causing some users not to be able to fill in the form
at all if the receiving email system was aware of such attempts and
refused to serve them. ;)

> Do you think using this method of email verification in such cases
> is OK or not?

If it is, then it must be OK in all cases. This is, after all, the
intended use case for Radek's system as per his previous correspondence.

But I don't think it is.

In my opinion, whether you do it yourself or outsource it to a partner
cannot be a factor in whether it is abusive. Neither is the volume. The
main bit is that the creator of any such system has observed the fact
that EXPN and VRFY are no longer available, so they have decided to
circumvent this fact and impose themselves on the mail server owners
in ways they can't pre-emptively break without breaking all email.

The solution to that, then, is rejecting all connections from such
systems, either within SMTP or on the network level. But doing that
requires observing where it is coming from first.

Those blocks tend to be of a set-and-forget nature.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] SMTP noise from *.bouncer.cloud

[Atro Tossavainen via mailop]

Czesc, Radek,

> We assume that:
> - our customer (data controller) who requested us to verify the email address 
> got it in a legal way
> - our customer is obeying anti-spam policies.

So do all the ESPs. But their customers send mail, and the recipients
are able to act upon it, informing the ESP of problem clients and
sometimes even getting traction.

In the case of email verifiers, there is no message, and there is no
email recipient to do the same.

The only people who have any visibility to the efforts of woodpeckers
who abuse SMTP (EXPN and VRFY were disabled and even removed from mail
software for a reason) are grumpy mail server admins who have much less
time than your average spam recipient for this kind of behaviour.

"Email verification" abusing RCPT TO produces zero benefits in exchange
for nonzero resource use for the target system owners.

I had entered "bouncer.cloud" in my list of HELOs to reject offhand a
long time before this conversation. Don't worry, you're not alone; the
list of similar players is dozens of lines long, could probably be made
shorter by replacing most of the existing rules with entries in the
regex version of the same, and additionally, some of the HELO rejects
are redundant now that the networks involved have been entered into the
firewall drop list, entities who have been kind enough to register their
own networks such as Mailinblack or Kickbox are no longer able to make
any connections to our systems at all.

> Thank you again for the opportunity to be here - if you are already tired of 
> me - please let me know.

Having said all of the above, I truly welcome the fact that you have
shown up here to own up and explain what it is that you are doing and
where you are coming from with this. It may not make matters any
better from the perspective of whether anybody's inclined to accept
email verification attempts, but from my perspective, somebody who
shows up in a potentially hostile environment such as this deserves
some kudos just for doing it. We've discussed this offline before and
I wanted to say this in public too.

Pozdrawiam, A.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] State of the Union - Update due to activity..

[Atro Tossavainen via mailop]

On Tue, Aug 30, 2022 at 05:36:16PM -0500, Jarland Donnell via mailop wrote:
> That subdomain style, I've been eyeballing that trend for a while.
> This guy got super mad at me for identifying that trend on a network
> that hadn't yet started sending spam: 
> https://forum.directadmin.com/threads/rbl_dns_list-suggestion.64780/post-350740

LOL.

That network (212.192.216.0/22) was assigned by Serverion to "voldeta-mnt"
(Des Capital B.V., AS213035) on 2022-06-04T10:45:44Z.

This is what came up first for me when I googled that business name:

https://scamalytics.com/ip/isp/des-capital-b-v

The spam started a week later. It was a 419.

On July 1-2, there was a massive spam run that rivalled the monthly
output of some minor ESPs in the same recipient mailboxes. All your
basic kinds of garbage affiliate spam.

I get the impression plonking AS213035 in a router's null-route list
might amount to lossless compression. The list of networks that this
AS advertises is 67 lines long even after doing the CIDR math to show
it in its most compact form, and they're everywhere, AfriNIC, RIPE,
ARIN and APNIC ranges are all present in that list.

Best regards,
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] State of the Union - Update due to activity..

[Atro Tossavainen via mailop]

On Tue, Aug 30, 2022 at 01:11:20PM -0700, Michael Peddemors via mailop wrote:
> Hehehe...
> 
> No, I meant who are behind these..

https://emailable.com/abuse/

> Is AWS alright with this..

I suppose the answer is yes. Getting any kind of answer to any question
out of them is beyond difficult, so this may be simply by implication.

> Trouble is how to tell good email validators from bad ones..
> Even, what is a good validator vs a bad one..

The good email validators don't show up on your mail servers. They do
stuff on their own, based on DNS and other things that don't require
turning into a woodpecker.

> And how about transparency?  Technically, I don't see the reasoning
> why to do this, and if you need to do it, not be transparent about
> it..

Yes.

I didn't write this

https://www.spamhaus.org/news/article/722/on-the-dubious-merits-of-email-verification-services

and I have nothing to do with the folks who did, but it's hard to
disagree with anything in it.

> Now, if there was only some method to see if you really have
> permission to use an email address.. ;)

Interested in buying a bridge in southern NYC? ;-)

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] State of the Union - Update due to activity..

[Atro Tossavainen via mailop]

> In other news.. Any comments about these guys on AWS?
> 
> 3.217.146.99  1   mx25.herpderpderpderp.com
> 3.223.197.220 1   mx2.emailablev.com
> 3.226.89.155(RS)  2   va1.mx-check.com

Sure.

[root@mail ~]# egrep 'herpderp|emailablev|mx-check' 
/etc/postfix/helo_access.pcre 
/emailablev\.com/   REJECT Spam list cleaners are welcome to take a 
hike
/herpderpderpderp\.com/ REJECT Spam list cleaners are welcome to take a 
hike

[root@mail ~]# egrep 'herpderp|emailablev|mx-check' /etc/postfix/helo_access
mx-check.com   REJECT Spam list cleaners are welcome to take a hike

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] I understand less and less why I accept any mail at all from Sendgrid

[Atro Tossavainen via mailop]

On Wed, Aug 17, 2022 at 11:44:18AM -0700, Luke via mailop wrote:
> That account was terminated on the 14th. For what it is worth (and I know
> this is worth very little here), our system did prevent more than ~90% of
> their *attempted* mail from ever leaving our pipes. So I like to tell
> myself we prevented 9 million phish instead of telling myself we sent 1
> million phish. Kidding of course...
> 
> Thomas, if you're still seeing mail arrive *today* with those unsubscribe
> links, that would be incredibly strange. Would love to chat offline if
> that's actually what you're seeing. An account sending email 3 days after
> being terminated isn't really a thing that happens.

A thing that might have affected the sending is that Radix (the .store
registry) took the sending domain out on 2022-08-14 at 03:23:40 UTC.

At least you'd hope that non-existent domains couldn't be used as senders.

The spamtraps do concur with what you say though, that flood was on
the 12th and 13th, ending around 10 pm UTC on the 13th.

More recently, what's the deal with user accounts 28489652, 28470998,
28470691, 27864014 and especially 5965629?

> 
> Luke
> 
> On Wed, Aug 17, 2022 at 10:09 AM Thomas Ho via mailop 
> wrote:
> 
> > Funny how we're still seeing this exact same template spewing out of
> > Sendgrid for days.
> >
> > I guess (hope) they're busy working on tackling much more malicious spam
> > coming from their network.
> >
> > -Thomas
> >
> > On 8/13/22 15:46, John Levine via mailop wrote:
> > > This showed up today, send to the email of my father who died in 2019.
> > >
> > > Full copy available on request to anyone who has a plausible use for it.
> > > -- Forwarded message --
> > > Date: Sat, 13 Aug 2022 15:41:20
> > > From: support 
> > > Reply-To: g...@hansa-fx.com
> > > To: x@x.x
> > > Subject: IP address blacklisted(Child Pornography Act 1996 violated)
> > >
> > > Hello,
> > >
> > > We have found instances of child pornography accessed from your IP
> > > address. This is a punishable offence under The Child Pornography
> > > Prevention Act of 1996 . For now we are blacklisting your IP address
> > > and if there is any further action from Microsoft you will be informed
> > > via email.
> > >
> > > If this was not you and you suspect potential hack or id theft contact
> > > Microsoft Support Team at +1-808-460-7701
> > >
> > > Microsoft Support
> > > +1-808-460-7701
> > >
> > > support
> > >
> > > 16 Central, HCW , Tampa , FL
> > >
> > > Unsubscribe (
> > >
> > https://u28413401.ct.sendgrid.net/asm/unsubscribe/?user_id=2401=jGkM5n0umWt5giSnrpl6O4tFPc5wzKFsV94hjZBX8pQIheAKOas_zWNsEOncd-HbCkpbIvoVXgT8sU6DigWO_eN-7q_f3_YdzG22esQZaeYvwfRfC4RvAZR91smd6V5UOKs3K3YnTNLu7eqpmNs5MgibY69YuER5xZyCM1zKjcZ-8WdqDiZ09ZDW8MnPZwlCq4ExdET6b1FfymKFmn0M57AS6OrQ9Z41ntAYLbucVhznk0bqlHrqgYAhJmD8r32C-y6jAiILcbSJnjKcwbO4A2XlH2Xq_STVI0NZNEGJSk3rsNiS1BljdqcVvog_l47a_9QqpTTzdEtJxb76h7njtiNvZmy2GahPuC5VtdWCFL8sw8dhTZN792pmswmZV8Stx9YNphaZCY0Zz-Y-6B3oy7d_C-u0550ED8DjIh5dQKo05hHfkqQv-JzGA1cm2BIQcEaDOWBAXIFPQhsZtmN1NV352KGimJzF1zQBc869JXc0LNV6lWdxB9tHv9FPAxyyUvAI7GCYEprshgEYBXxNc5vwH5SsHnk5XXKpbVztKb-rF_CXEu4_sVDZt1dcMerLreg5jj1abowz0vzCxu91ljSE_625gU2Nfvwf_evzfEtaDdgklH90ndYyZNjTEUFL7B1TCJ3FIyVfY2tfVarBYX_aZRyujWy2HMNwhbJApYoFQ5KIVbl8odCtVRe5Ss6z720nEmO6S3yE8IgJXIPTCuYH_plCZ2es85QKi21w-gGWICt3gPZNDYpxq2V23Amf9DtI98NiQg93_f9tWLu3ncR_l7Xu-QyQ-NHpZGOZzJGJl6hZO0NKhBs2fS-DSZwbI8sy0pFprpTmbArND7x-CkuBHe5H1WW0FyHCHb1NLsK9SBn-aJMsk0xtAowOpzMGPsWj_AFn12Gj1MU2qh_
> > >
> > Zc4tlcFvAEIaXfZnGVU0Y8MqPIL7zCaF4I01Q1GxU7wziTkPwcMyeUT8qvfjbtJnQ9_zTMykNipOu1NmmemXBHGJml3neoZ75wscSo_2XSg1AKGk0ceEGUu-Xrj5FsTwd4i_Lvu6i2aPAKpRgkCrLZN7x_Cy7fsLksN8juSIi3m-GYcaCMsxtAjo9xI9ZewQel_kjR-Nl43qwegdl1Al5eZmDY0VY749OELIRduc-SUty-0Pmt4NZPKD7hqCkVV6X_qgRC2aKxJAlFKIU03FW1R6Iueoz4qstvxH32NPeLz2H_OoTdTI=
> >
> > > ) - Unsubscribe Preferences (
> > >
> > https://u28413401.ct.sendgrid.net/asm/?user_id=28413401=iw27W5ySrSfDVCRlPaXMu5zZMK6M9L26Fq8UYqOfdZhoMDAwdTAwMFT1ohToGkgPLNAwsvCWjLkjDNagBfBVNm4La20qWnyb349Ffm1yfrD4ctSwuskuNp7Uzh4IUp41Fz5FYgodIco5ievuqL7nDm63AdCvifURyfq07C4ck6IkGGV9omBlZ8ahQz-3tfQdDuXkkIDKsln-j8pQTiYAA5cnxyzRrdDZKAPFE-nAcd6eB4cSSmMY09NNRAhGs5YRCqXXGKB4rg8QCfDbyNXKbsVbIl5lf9NZ3QOD2WjZhkFDFX0rv2rLzw3FsHRqaNyT-YRCrW_0zWBcn4nYM2r8jngI78F3qjI8LsQOcjXBVa27_OUX4cPEoqAibJW0zJHhKOD20KWDGgE2k6TUiFpMPQ1eHg6A28fWkJsffmFbKXirplWlcEo7iw3oiiUcVpREbcdELBXZ8MiiKIPil6T7if1FH2oBhwKnbyzjiUxo3uIlxos0Yr-xV-3ZA_h5o4JifaCzIFwNYxzT3hqapJw6njG_wUCUfT9z8McN5CzkKNjQc4WxwiMuld1JJbyzB5tjNjAHAht1wirqjrrFBHoG
> > >
> > 

Re: [mailop] I understand less and less why I accept any mail at all from Sendgrid

[Atro Tossavainen via mailop]

On Sat, Aug 13, 2022 at 06:46:02PM -0400, John Levine via mailop wrote:
> This showed up today, send to the email of my father who died in 2019.
> 
> Full copy available on request to anyone who has a plausible use for it.

Got a few hundred.

SendGrid user ID 28413401. Sending IP 167.89.38.98 is on SpamCop, but
not on any other major blocklists that I could see, yet.

Radix (the registry for .store and a few other new TLDs) has been
alerted separately.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> Ideally, a SMTP return code should differentiate the reason for rejection.
> There should be a different code for non-existing user, technical problems
> (like mailbox full) or policy-based reject.

You know, they actually did think of that.

https://datatracker.ietf.org/doc/html/rfc5321#section-4.2.3

https://datatracker.ietf.org/doc/html/rfc3463#page-14

> Although I'm not sure if in the
> latter case it is possible to differentiate if the policy rejection is
> "general" (eg. related to sending IP) or for the particular sender's email
> address.

Doesn't look like it to me.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> Talking about anti-fraud, anti-spam at self-service ESP level, that's

What an excellent writeup. Thank you Simon for this!

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> I would love a way to give those addresses (in a hashed form) to ESPs saying 
> "Look, if somsone is sending to those, it's a bogus list and does not pass 
> muster, and you should reject the customer".
> 
> I'd love a way to put those addresses in the DNS as a similar flag.  "Do not 
> allow this address to be added to any mailing lists, promotional marketing, 
> or 

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> If we agree that IP addresses, email addresses and real names are all PII as 
> per GDPR, your example is comparable to Cloudflare.

The idea that IP addresses could be personal data has always blown my
mind, but the GDPR does classify it as such.

> The end-user browsing a website is sending PII (its IP address, along with 
> cookies and whatnot) to CF, which it then forwards to the proxied website. 
> The visitor that does not know how to block cookies on their browser, also 
> cannot know it is sending its PII to CF.
> 
> Does this turn CF into a data controller? If CF decides that the end user is 
> indeed a bot because of data gathered among various CF clients, does it 
> become a data controller?

IANAL, so I freely admit I'm just talking out of my ass here.

Cloudflare's own position https://www.cloudflare.com/gdpr/introduction/
is that they are a data processor.

The nuances of the situation are slightly different because in the case
of ESPs, they are dealing with personal data that their customer (the
actual brand or whatever) has deliberately made available to them for
the performance of the contracted service.

In the case of CF, their customers' "customers", aka website visitors,
don't necessarily have any prior relationship with the CF customer, and
probably did not deliberately supply an IP address to the CF customer
to be included in their record (say, along with name and email address)
even if there is a prior relationship and an existing customer file.

What does CF do with the collection of IP addresses that it inevitably
amasses as a side effect of providing the proxy service to its customers?

Does it store them and use them later for some purpose without being
ordered to do so by their own customers, or does it either just ditch
them after the connection is done, or at most pass it to the origin
server in the form of a True-Client-IP: header in the HTTP requests?

I don't have anything resembling an answer for you, just musings.

> Going back to the example of an ESP, does the hash of the email address 
> equate the email address as per GDPR?

At least from the MSBL EBL perspective (https://www.msbl.org/hashbls.html)
it looks as if hashes ought not to constitute personal data. Now I happen
to think that whoever is behind the EBL (and everybody who was in Toronto
knows it) is not a lawyer, but at the same time, they just might have
done their due diligence and have this checked by a competent lawyer.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

Hans-Martin Mosner wrote:

> Especially in the area of freemailer spam (and somewhat ESP spam, of course), 
> hashes of spammy mail senders could be used to share reputation among mailops 
> without handling actual e-mail addresses.

Er, I think you mean

https://msbl.org/ebl.html

which was presented to the public in M3AAWG 41, Toronto, October 2017.

Ever since, Spamhaus have also made their own take of the same idea.
It is the HBL. The HBL has a wider scope (in addition to email
addresses, it also considers file attachments and cryptocurrency
wallets), but availability is somewhat restricted whereas the use
of the MSBL EBL is free as in free beer.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> I got none of it, and nobody could figure out why for a while. It
> finally turned out that the ESP had added our entire domain name to
> some sort of global blocklist they have, solely based on my
> complaints that the ESP was letting their customers repeatedly send
> spam to our role addresses like support@, billing@, and info@. (The
> address the large company was trying to send to was not one of those
> addresses.)

BTDTGTTS. The people who were then on the other side of this incident
are probably among mailop readers.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

Lem said:

> I question your assertion that "bounces for X sender doesn’t mean that it 
> shouldn’t be mailed for Y sender".

Indeed if, say, an address doesn't exist, it doesn't exist whether the
sender is X or Y.

Also, if the mail platform rejects mail from the sender's IPs or domains,
it will probably do that for X and Y alike.

According to people who know better than I do, and any M3 member (which
would mean at least Laura and Lem) has had the chance to hear them out
in person, maintaining a suppression list that is above the level of a
single customer makes the ESP a _data controller_ in terms of the GDPR.

When they're doing stuff for their customers only, individually (as in,
data from customer X does not affect the proceedings for customer Y),
they are a _data processor_ and that's where they want to be.

Becoming a data controller entails needing a legitimate basis for
processing the personal data of the customer's customers, with whom
the ESP does not have any kind of a direct business relationship so
it's really very hard to justify. You can probably pull the notes on
"so, you want to be a data controller" from the past conference
proceedings from the members area.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> Many of the ESPs that we certify will require senders with certain types of 
> lists (size, industry, etc.) to reconfirm a percentage of their list upon 
> upload.  And make no mistake, good ESPs scan uploaded lists for the same 
> things as do list-washi...er..."list hygiene" services.

Anything you can do about list hygiene that doesn't involve being a
woodpecker on the mail servers of unrelated third parties is great.

Checking for addresses at domains that don't exist involves checking
DNS. I believe nobody's going to be bothered about a few DNS queries.

Checking for addresses that violate mailbox name syntax as per RFC5322
is another no-brainer that is just a data quality check and doesn't
go outside your platform at all.

Cheers,
-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> Sadly, there is at least one legitimate reasons to allow this:
> how else could a customer change ESP ?

There is that. But since the new ESP has no immediate way of knowing
anything about the legitimacy of the uploaded list, the problem remains.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

On Wed, Jul 20, 2022 at 12:41:53PM -0600, Brie via mailop wrote:
> So, hey, yeah, Sendgrid and Zoom...
> 
> It's still going on even though it was 'being looked into'.

It is. But I looked at the amount of .zoom.us stuff in all the SendGrid
output in our traps from January to June and the trend is almost
consistently downwards,

January 0.35%
February0.27%
March   0.23%
April   0.25%
May 0.19%
June0.11%

YMMV.

> Why do you not respect permanent errors when delivering?

I've been asking all the ESPs the same question for at least the seven
years that Koli-Lõks OÜ has existed.

Ever since a respected figure in the industry said that keeping a domain
without MX is not quite the same as having it responding 550 5.1.1 to
everything, we have been priming all new spamtrap domains by having them
respond 550 5.1.1 to everything for at least 12 months.

(I disagree with the idea that ESPs should not trust their own systems
when they get a NXDOMAIN response, but it's not a big deal for us to do
this if it helps. I am not quite convinced it does, based on the results.)

Technically, based on the idea that ESPs would actually act on
undeliverables the way you suggest, this should lead to our only being
able to catch botnet and other thoroughly illegitimate spam and hardly
any ESP content at all.

You would think so, wouldn't you. 

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Trouble sending mail to French providers

[Atro Tossavainen via mailop]

On Tue, Jul 12, 2022 at 11:59:22AM +, Frietschy, Carlo via mailop wrote:
> Since Friday around 12 o'clock we receive 5xx error messages from most major 
> French mail providers like Orange, SFR, Free, Laposte, Wanadoo, etc. with 
> messages like:
> 
> - Mail rejete. Mail rejected. OFR_506 [506]
> - 5.7.1 Service refuse. Veuillez essayer plus tard. service refused, please 
> try later. LPN007_510
> - spam detected

I bet you've run into Signal Spam somehow.

https://www.signal-spam.fr/

Amicalement, A.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Looking for contact at iphmx.com

[Atro Tossavainen via mailop]

Hey Sidsel, Bastiaan,

On Tue, Jun 28, 2022 at 01:09:45PM +0200, Hetzner Blacklist via mailop wrote:
> That error message means your IP has a poor email reputation on Cisco Talos:
> https://talosintelligence.com/reputation_center/

Cisco Talos has to be the most opaque reputation service I have come
across so far.

They also take the word of a third party (SecurityTrails, or whatever
their IP intelligence arm is called, in this case) as gospel. Or at
least took, some time ago.

The good folks at SecurityTrails figured out a few months ago that the
presence of the RoundCube webmail product counts as "phishing against
the generic brand of email" (I shit you not) and as a result, Cisco
proceeded to list all domains operating RoundCube as bad.

How do I know? I got hit, that's how. :-D

Took me a good deal of time to even figure out who were responsible
and how, and probably wouldn't have been possible without M3AAWG
contacts. Also, I found out that some parties trusting Cisco Talos
intelligence (such as Telia Finland or the government ICT centre of
Finland) are so far behind the requirements of their jobs you
wouldn't believe they had been hired by anyone.

> 
> Regards
> Bastiaan
> 
> Am 28.06.2022 um 12:09 schrieb Sidsel Jensen via mailop:
> >Hi
> >I'm trying to locate a contact to mx1.hc1932.iphmx.com - does anybody know 
> >who to reach out to? They don't respond through ab...@enom.com 
> >mailto:ab...@enom.com (which was the only address whois showed as everything 
> >else was heavily redacted)
> >I'm trying to solve a deliverability problem towards them:
> >host mx1.hc1932.iphmx.com[216.71.154.96] refused to talk to me: 
> >554-esa6.hc1932.iphmx.com 554 Your access to this mail system has been 
> >rejected due to the sending MTA's poor reputation. If you believe that this 
> >failure is in error, please contact the intended recipient via alternate 
> >means.
> >I guess mailop applies as "alternate means" ;-)
> >Kind Regards,
> >Sidsel Jensen
> >Architect of Deliverability and Abuse @ Open-Xchange

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] OVH contact required - 54.38.34.203 - vps-28239cc9.vps.ovh.net

[Atro Tossavainen via mailop]

Cher M CARON

> Sorry but I represent OVH email team (not abuse), I have no power and 
> visibility on stuff out our email offer perimeter.

This is understood.

> As I say in private, the abuse form https://www.ovh.com/abuse/#!/ permit to 
> report spam problems. It ensure to abuse team enough information to check and 
> block.

If a ticket system does not allow email input with similar outcomes
it has to be considered as broken.

I had one that did (Request Tracker v2.x) at a former workplace ever
since September 11, 2001 (but I disclaim responsibility for the follow-up
effects later that day), and I was late to the game when I installed it
then.

> Moreover you will receive a ticket number and a notification when it’s close.

This should be possible irrespective of whether tickets are opened by
webform, email, phoning in, or other channels I didn't even think to
mention yet.

> To be honest I follow the Dima case but not your case. If I start to handle 
> abuse cases out of normal process it will be the mess…

It is true. However, OVH appears to have somewhat of a systemic problem,
and any amount of Mailop'ers writing to you or to Romain does not solve
that. The normal process needs to be improved quite a bit.

Amicalement,
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Curious, any one seeing fake SpamCop reports over the weekend?

[Atro Tossavainen via mailop]

On Mon, Jun 13, 2022 at 08:10:23AM -0700, Michael Peddemors via mailop wrote:
> Real strange, fake abuse addresses..

Plenty of the same in the spamtraps.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Help with identifying invalid email domains

[Atro Tossavainen via mailop]

On Wed, May 25, 2022 at 03:00:19PM -0400, Omid Majdi via mailop wrote:
> Hey all,
> 
> I'm looking to see if anyone has compiled any lists of invalid email domains? 
> Examples of such would be typo domains and/or domains that accept all 
> local-part addresses such as gmai.com, gmail.co, googlemai.com, or 
> proton.com. If there's any resources someone could share for known invalid 
> domains that would be incredibly helpful.

You're looking to identify spamtraps.

Don't expect much help from this audience :-D

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] To Sendinblue, Mailjet, SES, ActiveCampaign, and every other

[Atro Tossavainen via mailop]

> Don't just remove the addresses from customers' lists, but remove
> the customers, as they are obviously using addresses without
> consent,

You will probably find that just about every ESP operates a single
opt-in regime.

> which would be against your AUP (you do have an AUP that
> requires confirmed opt-in, do you?).

They probably don't.

I'd also hazard a guess that 100% of the unwanted email Jarland is
receiving at the moment is coming from entities generally unrelated
to the matter who are being used as hapless conduits for the abuse
by whoever goes around forge-subscribing these addresses.

I am not particularly interested in defending the practice of using
single opt-in for mailing list subscription. I am simply stating that
this is likely to be the case and that your assumption that the T
of ESPs would generally require COI is unrealistically optimistic.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] is caniuseapurchasedemaillist.com down?

[Atro Tossavainen via mailop]

On Wed, Apr 27, 2022 at 11:00:46AM -0500, Al Iverson via mailop wrote:
> Try https://www.shouldiuseapurchasedemaillist.com

Excellent job Al. Thanks on behalf of everyone.

> 
> (I tried to keep it brand free, not trying to sell anything there,
> other than best practices.)
> 
> Cheers,
> Al
> 
> On Wed, Apr 27, 2022 at 10:58 AM Anne Mitchell via mailop
>  wrote:
> >
> > > i need this page from time to time.
> > >
> > > caniuseapurchasedemaillist.com
> >
> > I know it's not as succinct as caniuseapurchasedemaillist.com ;~), but 
> > until that site is back up feel free to use:
> >
> > https://www.isipp.com/blog/can-i-use-this-list/
> >
> > Anne
> >
> > ---
> > Outsource your email deliverability headaches to us, and get to the inbox, 
> > guaranteed!
> > www.GetToTheInbox.com
> >
> > Anne P. Mitchell,  Esq.
> > CEO Get to the Inbox by SuretyMail
> > Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing 
> > law)
> > Author: The Email Deliverability Handbook
> > Board of Directors, Denver Internet Exchange
> > Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
> > Prof. Emeritus, Lincoln Law School
> > Chair Emeritus, Asilomar Microcomputer Workshop
> > Counsel Emeritus, MAPS: Mail Abuse Prevention System (now the anti-spam 
> > division of TrendMicro)
> >
> >
> >
> > ___
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> 
> 
> 
> -- 
> Al Iverson / Deliverability blogging at www.spamresource.com
> Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
> DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] is caniuseapurchasedemaillist.com down?

[Atro Tossavainen via mailop]

On Wed, Apr 27, 2022 at 04:15:20PM +0200, Simon Luger via mailop wrote:
> Hi
> 
> i need this page from time to time. 
> 
> caniuseapurchasedemaillist.com

I love it too. Looks like MailChimp may have forgotten to pay the rent
on the Digital Ocean droplet.

In the meantime, for the Finnish reader,

http://www.voinkokayttaaostettujasahkopostilistoja.com/

Thanks Pekka.

> 
> 
> 
> Simon Luger
> 
> sendeffect - mehr erreichen
>  --
> 
> WEBanizer AG
> Schulgasse 5
> 84359 Simbach am Inn
> Telefon: +49 (0) 8571 - 97 39 690
> 
> Handelsregister: Amtsgericht Landshut HRB 5177 | Ust. ID.: DE 2068 62 070 
> WEBanizer AG
> 
> Vorstand: Ottmar Neuburger
> Aufsichtsrat: Tobias Neuburger 
> 
> https://www.sendeffect.de
> https://www.webanizer.de
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] The final death of Mailjet

[Atro Tossavainen via mailop]

On Mon, Apr 25, 2022 at 03:18:30PM -0500, Jarland Donnell via mailop wrote:
> I'd like to encourage other mail providers to begin holding Mailjet
> accountable for the spam they send. Today, in reaction to receiving
> 1 abuse complaint per spam email sent from their platform, they
> finally had enough of hearing about it:
> 
> Reported error:   550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient
> cont...@mailjet.com not found by SMTP address lookup

I most recently submitted a complaint on Feb 23. It was received at
Google at that time.

[root@mail ~]# zgrep abuse@mailjet /var/log/old/maillog-20220227.gz
Feb 23 23:39:24 mail postfix/smtp[25643]: 114E710052430: 
to=, relay=aspmx.l.google.com[64.233.165.26]:25, delay=2.1, 
delays=0.11/0.02/0.42/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK  1645652364 
z5si683247ljz.173 - gsmtp)

I would suspect that this is a case of botched Google to Microsoft
migration rather than immediate proof of malicious intent.

It is also noteworthy that Mailjet is not an independent operation,
has not been for almost a year.

https://www.mailgun.com/blog/company/mailgun-acquires-european-competitor-mailjet/

Consequently, writing to abuse@ the new owners might be a thing.

I've taken the liberty of pointing this out within the club.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Russian crypto phish campaign via sendgrid to stolen Robinhood account

[Atro Tossavainen via mailop]

On Sun, Apr 24, 2022 at 11:02:42PM -0400, John R Levine via mailop wrote:
> I've gotten several copies of this phish sent to an address stolen
> from a closed Robinhood brokerage account.  It's sent from Sendgrid,
> with a link to a web host at AWS that does a couple of web redirects
> to a web server at 176.113.115.238 in St Petersburg.  The web site
> purports to be Metamask, which is a crypto wallet.  I suppose people
> wth Robinhood accounts would be good targets.
> 
> Anyone else seeing this?

Yes, the Koli-Lõks spamtraps have the same. Not in great quantities,
but some trickled in both yesterday and today.

> 
> Copy of the spam here:  http://spample.iecc.com/rvj/23695345
> 
> R's,
> John

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] SendGrid, what happens when you don't address the root problem (Indeed Phishing)

[Atro Tossavainen via mailop]

> You think we would be done with SendGrid conversations two years ago..

No such thing.

> And two hours later, a phishing attempt from a SendGrid IP hit the
> spam folder...
> 
> Return-Path: 
> Received: from wrqvndzq.outbound-mail.sendgrid.net (HELO
> wrqvndzq.outbound-mail.sendgrid.net) (149.72.45.228)

Confirmed, seen here too.

> From: Verify 2FA <2...@indeed-verify.com>
> Subject: Indeed for Employers - Your Account Required 2FA Verification.
> Reply-To: 2...@indeed-verify.com

X-Entity-ID: Z9o86N06AN6V9pUxLwsPGQ==

(even though "26471268" should be more than enough)

> One more reason to flag all of SendGrid shared servers as spam?

They're definitely the biggest ESP in our spamtraps, have been
for more than a year solid.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Exact Target (Pardot) unsubscribe link is insecure..

[Atro Tossavainen via mailop]

On Wed, Apr 13, 2022 at 10:21:18AM -0700, Michael Peddemors via mailop wrote:
> Return-Path: 
> 
> 
> Click on the unsubscribe link, and it goes to an insecure pardot page.

Envelope-senders are not links, though.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Bogon? 81.70.92.213

[Atro Tossavainen via mailop]

On Mon, Mar 21, 2022 at 07:35:59AM +0100, Hans-Martin Mosner via mailop wrote:
> Hi folks,
> 
> in a trustworthy Received: line of a spam I found the source IP
> 81.70.92.213. Strangely, this IP is pingable, and traceroute finds a
> way, but neither the IP whois nor the BGP looking glass show to whom
> it belongs. Not being really knowledgeable about the global routing
> mechanisms, this somehow looks like a bogon to me.
> 
> Did anyone else see IPs in that vicinity and has a better explanation?

The Koli-Lõks OÜ spamtraps have a couple of spams every day from this
range. It's enough to verify that they exist, but this level of messaging
in our low four figures of domain names receiving the stuff is otherwise
utterly insignificant. It's a Tencent cloud range.

$ whois -h whois.cymru.com 81.70.92.213
[Querying whois.cymru.com]
[whois.cymru.com]
AS  | IP   | AS Name
45090   | 81.70.92.213 | TENCENT-NET-AP Shenzhen Tencent Computer Systems 
Company Limited, CN

% [whois.apnic.net]
% Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html

% Information related to '81.68.0.0 - 81.71.255.255'

% Abuse contact for '81.68.0.0 - 81.71.255.255' is 'qcloud_net_d...@tencent.com'

inetnum:81.68.0.0 - 81.71.255.255
netname:TENCENT-CN
descr:  Tencent Cloud Computing (Beijing) Co., Ltd
descr:  Floor 6, Yinke Building, 38 Haidian St, Haidian District
country:CN

https://en.wikipedia.org/wiki/Tencent

Best regards,
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Anyone here from emailsrvr.com? - Getting throttled from new IP range

[Atro Tossavainen via mailop]

On Sun, Mar 20, 2022 at 06:49:33PM +, Graeme Slogrove via mailop wrote:
> Hi,
> 
> If anyone from emailsrvr.com is on this list, please contact me. A new IP 
> range is being limited.

That is Rackspace isn't it?


-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Anyone heard of this network? Looks like a spear phishing operation?

[Atro Tossavainen via mailop]

> RIPE says it's IPXO Limited, at a mail drop in suburban London, a phone
> number in Lithuania, and a tech contact at an address in Paris with
> no hint that he works there.  Sounds totally legit to me.

IPXO Ltd (London) is Heficed (Lithuania). According to their home page,
they are a "Fully Automated IP Address Lease & Monetization Marketplace".

Gustavas is here because I pinged their CEO Vincentas Grinius whom I
have met several times at M3AAWG, which means there's a chance John L
might have, too. Now we may think whatever we do about their business,
but at least the guys are here, owning up, and having a chat with us.

Cheers
-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Musings on Mail Service Operators

[Atro Tossavainen via mailop]

> Email - as we know it - should have been dead years ago.  But instead we
> keep adding band-aid after band-aid after band-aid to the system.

It's not that people haven't tried. And not all of them have been
wholly unequipped to do so, either. You are of course aware of Professor
Dan J. Bernstein's Internet Mail 2000, for example.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Anyone from Sendgrid or Twilio on this list?

[Atro Tossavainen via mailop]

> I’ve gotten the header from the successful test that our customer sent to his 
> Yahoo account, but the IP Addresses gathered there didn’t appear in any of 
> our servers logs either.

Are they not either of the two you mentioned?

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

[Atro Tossavainen via mailop]

> Yep, I know you, Sendgrid, told me that you'd be working on it with
> Zoom.  And, as expected, nothing ever happened and they still keep
> coming.

About 0.3% of the spams that Koli-Lõks spamtraps got from SendGrid
in December 2021 matched .zoom.us.

It's large enough to be noticeable, but nothing compared to the largest
single SendGrid customer in the same traps - a Taiwanese newspaper whose
emissions amounted to more than 10% of the SendGrid total over the same
time range.

The Zoom stuff is hitting both typo addresses as well as recycled ones.

> Because, lets be honest here, based on what others are reporting, it
> looks like that I'd have an easier time trying to broker world peace
> AND cure cancer than it would be to get you guys to deal with abuse
> from your network.

In our traps, SendGrid continues to be #1 of the ESPs, but only by a
smallish margin against #2, Salesforce Marketing Cloud. Mailchimp,
at #3, is way below. Our data comes from a relatively small data set
of about two thousand domain names receiving mail, but even so, it's
large enough to get *something* from more than 250 ESPs every month,
and that's just the ones we've managed to identify so far.

> But, frankly, if you (Sendgrid) or them (Zoom) ain't going to do
> jack shit, then don't fucking tell me you are "working on it".

The basic problem is allowing an ESP customer to import a list that
existed before the customer became a customer of this ESP. I can't
think of an ESP that would not allow that.

Another basic problem is allowing the addition of new addresses without
COI. I can't think of an ESP that would require strict COI.

I'd be happy to be set straight on both counts.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)

[Atro Tossavainen via mailop]

On Wed, Dec 22, 2021 at 09:57:54AM -0700, Anne P. Mitchell, Esq. via mailop 
wrote:
> P.S.  These two notes from Jonathan Mayer are appended to the 
> https://privacystudy.cs.princeton.edu/ site;  the newest is from yesterday.
> 
> Note from Jonathan Mayer, the Principal Investigator (Saturday, December 18 @ 
> 11:30pm)

He also tweeted about it.

https://twitter.com/jonathanmayer/status/1472427321047101442

The audience has of course let him have a piece of their mind.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] spamhaus blocking Linode IPv6 (2a01: 7e01)

[Atro Tossavainen via mailop]

> Would it be possible for the two sides (blocklists and a cloud/hosting 
> providers) to come together and have some kind of automated notification?

Objection, requires an interest in collaboration from hosting providers.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)

[Atro Tossavainen via mailop]

> Sure. Linode could decide to stop operating a public nuisance and
> police their sewer more effectively. Historically, Spamhaus has a
> long record of delisting network operators who reform their
> abuse-handling.

This isn't even about that. This is only about Linode cramming more
than one customer into a /64 against best current practice, pure and
simple.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)

[Atro Tossavainen via mailop]

On Thu, Nov 25, 2021 at 04:22:05PM +0200, Mary via mailop wrote:
> 
> But that is not a real solution is it?

It is because it's the right thing to do in the first place.

> Maybe linode and spamhaus can come up with a better solution between them?

I would not expect any changes on the policy of the latter.

> 
> 
> 
> On Thu, 25 Nov 2021 13:48:27 + Riccardo Alfieri via mailop 
>  wrote:
> 
> > Hi Mary,
> > 
> > please see: 
> > https://www.linode.com/community/questions/266/ipv6-64-blocks-on-linode
> > 
> > Linode can assign you a /64 that will probably solve your problems.
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)

[Atro Tossavainen via mailop]

On Thu, Nov 25, 2021 at 03:07:02PM +0200, Mary via mailop wrote:
> 
> I think Linode does not follow the /64 rule and assigns thousands of 
> customers within the 2a01:7e01::/64 block. They user a bunch of blocks, 
> depending on their data centre.
> 
> I think by default each client is assigned a single /128 IPv6 address per 
> server.

See

https://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement

> :(

Indeed. That would seem like a very counterproductive approach from Linode.

> 
> 
> On Thu, 25 Nov 2021 05:57:03 -0600 Jarland Donnell via mailop 
>  wrote:
> 
> > Blacklists tend to target a whole /64 at once for IPv6 and this is 
> > standard behavior. I just looked at my two Linode VMs and both have one 
> > IPv6 from the same /64. It's possible that Linode is assigning a /64 per 
> > customer and that no one else is in the same /64 as you. This is a 
> > reasonable expectation, and while arguing over v6 implementation will 
> > probably continue for the rest of my lifetime, this is an expected 
> > standard. Here's a little fun thing people like to use as a quick 
> > reference on that note: https://slash64.net/
> > 
> > This would suggest that Spamhaus is not blocking all of Linode's IPv6, 
> > but instead just you, a single customer with a single /64. This would be 
> > for the reasons that they note, and would need to be resolved prior to 
> > requesting delisting. If you're certain that the listing has nothing to 
> > do with you, then you'll want to ask Linode support if there could be 
> > anyone else on that /64. If they say yes, stop sending mail over IPv6 
> > from Linode right away, because blacklists will target a /64 at once and 
> > Linode's implementation will be proven at that moment to be bad. I don't 
> > think that'll be the case though.
> > 
> > On 2021-11-25 05:15, Mary via mailop wrote:
> > > I first noticed that all outgoing emails that are using IPv6
> > > addresses, are being rejected by anyone using zen.spamhaus.org
> > > 
> > > I then tried a bunch of my addresses and they all tested as listed in
> > > https://check.spamhaus.org/
> > > 
> > > Please see attached screenshot.
> > > 
> > > 
> > > 
> > > On Thu, 25 Nov 2021 12:52:18 +0200 Atro Tossavainen via mailop
> > >  wrote:
> > >   
> > >> On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote:  
> > >> > Hello everyone,
> > >> >
> > >> > I noticed today that spamhaus.org is blocking large net blocks of IPv6 
> > >> > (2a01:7e01) owned by Linode. Pretty much all my clients hosted at 
> > >> > Linode are being blocked en mass (for IPv6 only).  
> > >> 
> > >> https://www.spamhaus.org/sbl/listings/linode.com contains nothing on
> > >> IPv6. What exactly are you seeing?
> > >>   
> > >> > Is there a way to inform spamhaus about this rather aggressive 
> > >> > blocking and get things sorted?
> > >> >
> > >> > Thank you.
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > ___
> > >> > mailop mailing list
> > >> > mailop@mailop.org
> > >> > https://list.mailop.org/listinfo/mailop  
> > >> 
> > >> --
> > >> Atro Tossavainen, Chairman of the Board
> > >> Infinite Mho Oy, Helsinki, Finland
> > >> tel. +358-44-5000 600, http://www.infinitemho.fi/
> > >> ___
> > >> mailop mailing list
> > >> mailop@mailop.org
> > >> https://list.mailop.org/listinfo/mailop  
> > > 
> > > ___
> > > mailop mailing list
> > > mailop@mailop.org
> > > https://list.mailop.org/listinfo/mailop  
> > ___
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] spamhaus blocking Linode IPv6 (2a01:7e01)

[Atro Tossavainen via mailop]

On Thu, Nov 25, 2021 at 12:33:54PM +0200, Mary via mailop wrote:
> Hello everyone,
> 
> I noticed today that spamhaus.org is blocking large net blocks of IPv6 
> (2a01:7e01) owned by Linode. Pretty much all my clients hosted at Linode are 
> being blocked en mass (for IPv6 only).

https://www.spamhaus.org/sbl/listings/linode.com contains nothing on
IPv6. What exactly are you seeing?

> Is there a way to inform spamhaus about this rather aggressive blocking and 
> get things sorted?
> 
> Thank you.
> 
> 
> 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Reporting/detecting google groups spam

[Atro Tossavainen via mailop]

On Sun, Oct 17, 2021 at 01:04:53PM -0700, Dan Mahoney (Gushi) via mailop wrote:
> All,
> 
> For years now I've been the target of a number of resumes from
> UAE-based google-groups.

Have a look at these two things.

  https://www.spamhaus.org/rokso/spammer/SPM1559/syedsmarketing

  
https://www.spamhaus.org/rokso/evidence/ROK13034/syedsmarketing/10-2021-group-uae

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] google at spamhaus

[Atro Tossavainen via mailop]

> If this was an intentional listing by SpamHaus, I applaud them doing
> a 'shot over the bow'..

XBL listings should be all automated? https://www.spamhaus.org/xbl/

However, there is the fact that

https://www.spamhaus.org/sbl/listings/google.com

has, at the moment, 342 intentional (manually created) listings.

> There should no longer be a 'too big to
> block' get out of jail free card.

On the other hand, any larger reputation service listing the outbound
mail servers of Gmail, O365 or Yahoo would be a recipe for disaster.

> 
> Even our threat mitigation teams are now working on Gmail specific
> rulesets, and more 'rejection' instead of 'filtering' especially
> with the obvious bad junk.. but they aren't very far from where
> other RBL's will start joining policies and actions that demand
> accountability.
> 
> 
> 
> On 2021-08-31 4:36 a.m., Laura Atkins via mailop wrote:
> >Google is a huge source of spam, particularly B2B spam. There’s an
> >entire industry built of companies selling plugins and other
> >services that allow you to spam through your G Suite account. Yes,
> >Google blocks outbound (for 24 hours) if one user sends more than
> >1000(?) messages a day. But the businesses just run multiple G
> >Suite accounts. In “good” news, a lot of this mail is thrown away
> >or dropped on the floor by filters, but companies tell me that
> >it’s hugely profitable, so much so that they’d rather buy another
> >set of domains / G suite account than give up the spam.
> >
> >laura
> >
> >
> >
> >>On 31 Aug 2021, at 11:04, Tim Bray via mailop  >>> wrote:
> >>
> >>Hi all,
> >>
> >>I noticed that a google IPv6 address was recently listed in spamhaus XBL.
> >>
> >>2607:f8b0:4864:20::82c at  2021-08-30 19:27:45 UTC
> >>
> >>I just thought this a bit unusual and worth a mention.  Probably
> >>the first time I've seen spamhaus block a genuine sender (to me)
> >>
> 
> 
> 
> -- 
> "Catch the Magic of Linux..."
> 
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> 
> 604-682-0300 Beautiful British Columbia, Canada
> 
> This email and any electronic data contained are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company.
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So uh... Zoom/Sendgrid... How's that webinar spam investigation coming?

[Atro Tossavainen via mailop]

On Wed, Aug 04, 2021 at 11:16:15AM -0600, Brielle via mailop wrote:
> Like the title asks?
> 
> Still seeing it daily in my logs hitting the system filters...  Same
> source accounts, same general bodies with no unsubscribes, sent
> through Zoom's accounts at Sendgrid...

Confirmed, vehemently.

> I don't mean to be impatient and all, but it has been a while...

I am not holding my breath. If I wasn't in the business of deliberately
collecting spam... AS11377, you know what I mean...

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop