Re: [swinog] Coop.ch geoblocking?

2021-06-23 Thread Jeroen Massar

On 2021-06-23 10:48, Franco wrote:
> On 22.06.21 08:58, Jeroen Massar wrote:
>> I suggest using a mailhost that has proper spam filtering, considering it is
>> trivial to identify that the sending host is not properly configured, why
>> bother accepting mail from it?
>
> That's not enough. In first place, the SWINOG contributors should be protected
> from being crawled.
> -> SWINOG homework


Won't fix a thing. Also as a public list, it is public.

As noted anybody can subscribe or archive the list.

As an example:
https://www.mail-archive.com/swinog@lists.swinog.ch/msg07408.html

Apparently 3 years old:
https://swinog.swinog.narkive.com

etc etc etc..

And a spammer can just simply also subscribe, next to the avenue of a 
hacked computer of one of the members who does not clean out their mailbox.


Greets,
 Jeroen

PS: I simply use my mail address everywhere publicly, as spam will come 
anyway from whatever source when the address is public somewhere; one 
just needs to filter and classify properly: good old SpamAssassin with a 
few RBLs and a bit of mimedefang and you are pretty good already (5 per day 
in my case); any other (mostly paid) resources will bring the spam amount 
close to 0 while being able to actually use your mail address.


Spam is the way of life and unfortunately there is always going to be 
some source where it will be coming from, as long as the spammers gain 
something from their spams... (that something I am still wondering 
about, but clearly they must gain something even if the percentages are 
super low).


Oh, and yes, to avoid From: spamming, do have proper DKIM/SPF/DMARC 
checks; they 'solve' the spamming issue quite a bit, with only a few 
mailing lists being problematic while forwarding.



___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] Coop.ch geoblocking?

2021-06-23 Thread Franco
Hey guys,

On 21.06.21 21:35, Serge Droz wrote:
> Hi all
> 
> It seems there is a SWINOG member who should clean his computer.
> 
> Happy hunting
> Serge

I don't think so. The root problem is the SWINOG mailman archive, which happens to 
be very open:

http://lists.swinog.ch/public/swinog/2021-June/thread.html
http://lists.swinog.ch/public/swinog/2021-June/007518.html

Even for a stupid crawler it is quite easy to collect your email address from 
there.

That's the reason why I don't like to post to this list: it automatically makes 
me a future victim of SWINOG-external SPAM. I once posted something to this list 
(must be 10 years ago). It took less than a week for the first SPAM mails to arrive.

In fact, anyone who ever posted to this list is subject to direct spam.

SWINOG should really re-think its list archive...

On 22.06.21 08:58, Jeroen Massar wrote:
> I suggest using a mailhost that has proper spam filtering, considering it is 
> trivial to identify
> that the sending host is not properly configured, why bother accepting mail 
> from it?

That's not enough. In first place, the SWINOG contributors should be protected 
from being crawled.
-> SWINOG homework

On 21.06.21 23:42, Jeroen Massar wrote:
> Full headers would be rather useful to determine the real origin of that 
> message...

Full ACK. Preferably in the correct order.

So for the sake of completeness, let's do the header dance:

> X-Authenticated-Sender: cloudserver2.webbossuk.com: in3d...@in3days.org
> X-Get-Message-Sender-Via: cloudserver2.webbossuk.com: authenticated_id: 
> in3d...@in3days.org
> Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
> [95.172.31.250]) (using TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384
> (256/256 bits)) (No client certificate requested) by
> mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
> ; Mon, 21 Jun 2021 18:11:47 + (UTC)
> Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
> cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
> ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; 
> Mon,
> 21 Jun 2021 17:57:10 +0100

Email coming from 136-35-59-161.googlefiber.net [136.35.59.161] sent through 
cloudserver2.webbossuk.com (esmtpsa -> authenticated) which happens to host 
in3days.org.

So most probably a hacked web hosting account.

However, this does not help much, since the root cause is the SWINOG mailman 
archive. You will get spam from all over the world.

Greetings, Franco




Re: [swinog] Coop.ch geoblocking?

2021-06-22 Thread Axel Beckert
Hi,

Jeroen Massar wrote on Tue, Jun 22, 2021 at 08:58:00AM +0200:
> That is a very odd ordering of headers:
> 
> > Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
> >  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
> >  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
> >  ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
> >  21 Jun 2021 17:57:10 +0100
> > Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
> >  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> >  (256/256 bits)) (No client certificate requested) by
> >  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
> >  ; Mon, 21 Jun 2021 18:11:47 + (UTC)
> 
> Those normally go the other way around (top one is the newest).

Unfortunately some broken wannabe mail servers reorder them. Most
prominent example is that groupware server named Microsoft Exchange
which claims to also be a mail server (but fails in many aspects).

> Nevertheless... there are two options for this kind of spam:
> 
>  - something subscribe(s|d) to the list and just spams directly
>  - something parses the mailman archives and spams directly

I suspect a third option and that one is what Serge wrote initially:

Someone who was already subscribed to the list for a while caught an
Emotet-like malware earlier this year on a client device which reads
this list's mail. That malware scraped the infected computer's mail
archive and forwarded/exfiltrated it to the malware operators. And now
that malware gang replies to these mails to persons in the mail
headers with faked real names from other persons also listed in these
headers.

And since this is about a mail from a mailing list, none of the IPs or
e-mail addresses in the headers of the mail forwarded by Serge need to
be related to the actually infected host or its owner. (With
non-mailing-list mails it's much easier to figure out the infected
host as it's usually a host of either the sender or one of its
recipients — unless BCC was used of course.)

> Nothing list-admins or members could do anything about.

Sure.

But Serge is nevertheless completely right when he writes:

> > > > It seems there is a SWINOG member who should clean his
> > > > computer.

Exactly: Someone subscribed to this list runs a computer which got
infected with an Emotet-like malware which scrapes local mail
archives, usually those of Microsoft Outlook.

Regards, Axel
-- 
/~\  Plain Text Ribbon Campaign   | Axel Beckert
\ /  Say No to HTML in E-Mail and News| a...@deuxchevaux.org  (Mail)
 X   See http://arc.pasp.de/  | a...@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)




Re: [swinog] Coop.ch geoblocking?

2021-06-22 Thread Jeroen Massar
TLDR: Spam outside of swinog list by participating in mailinglist...


That is a very odd ordering of headers:

> Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
>  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
>  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
>  ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
>  21 Jun 2021 17:57:10 +0100
> Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
>  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
>  (256/256 bits)) (No client certificate requested) by
>  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
>  ; Mon, 21 Jun 2021 18:11:47 + (UTC)

Those normally go the other way around (top one is the newest).

Nevertheless... there are two options for this kind of spam:

 - something subscribe(s|d) to the list and just spams directly
 - something parses the mailman archives and spams directly

Nothing list-admins or members could do anything about. Closing the archives is 
a silly option, closing subscriptions another silly one, why bother having a 
mailinglist in that case.
Noting that


I suggest using a mailhost that has proper spam filtering, considering it is 
trivial to identify that the sending host is not properly configured, why 
bother accepting mail from it? Then again, from the order of those headers, 
does not look like the receiver is properly configured either.

Greets,
 Jeroen

--


> On 20210622, at 08:40, Serge Droz  wrote:
> 
> Sure, here you go:
> 
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html; charset=utf-8
> References:
> <7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==@protonmail.internalid>
> X-Pm-Date: Mon, 21 Jun 2021 15:57:11 +
> X-Pm-External-Id: <6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown>
> X-Pm-Internal-Id:
> 7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==
> To: "Serge Droz" 
> Reply-To: "Roger" 
> From: "Roger" 
> Subject: Re: [swinog] Coop.ch geoblocking?
> X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
>  (256/256 bits)
> Delivered-To: s.d...@protonmail.ch
> X-Original-To: s.d...@protonmail.ch
> X-Antiabuse: Sender Address Domain - in3days.org
> X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-Antiabuse: Original Domain - protonmail.ch
> X-Antiabuse: Primary Hostname - cloudserver2.webbossuk.com
> X-Antiabuse: This header was added to track abuse, please include it with
>  any abuse report
> X-Authenticated-Sender: cloudserver2.webbossuk.com: in3d...@in3days.org
> Return-Path: 
> X-Get-Message-Sender-Via: cloudserver2.webbossuk.com: authenticated_id:
>  in3d...@in3days.org
> X-Pm-Content-Encryption: on-delivery
> Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>  d=in3days.org ; s=default;
>  h=MIME-Version:Message-ID:Subject:From:To:Date:Content-Type:
> 
> Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
> Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
> In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: 
> List-Post:List-Owner:List-Archive;
> bh=uAxy3zLHqvfXb2TMYjrhYr5Z2Iu5r3NwESS4F1OCQg8=;
> b=[signature value omitted];
> X-Pm-Spam: [opaque value omitted]
> X-Pm-Spamscore: 0
> X-Pm-Origin: external
> X-Pm-Spam-Action: dunno
> Message-Id: <6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown>
> Received: from [1
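The "header dance" Franco does by hand above, plus the reversed Received ordering Jeroen and Axel discuss, as an added example (not code from the swinog thread or any of its posters; function and field names are my own). It unfolds the Received and Authentication-Results headers, takes the hop with the oldest timestamp as the point where the mail entered the mail system, flags Exim's esmtpsa as authenticated submission, reports hops printed in the wrong order, and summarises the dkim/spf/dmarc verdicts. The sample headers are reconstructed from the ones Serge posted, with addresses left redacted as on the archive page and the "+0000" the archive mangled to a bare "+" put back.

```python
"""Walk a message's Received chain and Authentication-Results as the thread
does by hand. Added example, not the swinog thread's or its posters' code."""
import email
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample, rebuilt from the headers Serge posted. Addresses stay
# redacted as on the archive page; the "+0000" the archive mangled to a bare
# "+" is put back so the second timestamp parses.
SAMPLE_HEADERS = """\
Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
  ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
  21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  (256/256 bits)) (No client certificate requested) by
  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
  ; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Authentication-Results: mailin025.protonmail.ch; dkim=pass (2048-bit key)
  header.d=in3days.org header.i=@in3days.org header.b="pK1dKfuL"
Authentication-Results: mailin025.protonmail.ch; spf=none
  smtp.mailfrom=in3d...@in3days.org
Authentication-Results: mailin025.protonmail.ch; dmarc=none (p=none
  dis=none) header.from=in3days.org
"""

@dataclass
class Hop:
    src: str                  # what the receiving MTA saw connecting
    src_info: str             # parenthesised helo / reverse DNS / IP, if any
    by: str                   # the MTA that wrote this Received header
    proto: str                # esmtp / esmtps / esmtpsa / ...
    when: Optional[datetime]  # timestamp after the last ';'

# "from X (info) ... by Y ... with PROTO". Matching "by" before "with" keeps
# "with cipher ..." (which precedes "by") from being taken as the protocol.
HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?:\s+\((?P<src_info>[^)]*)\))?.*?"
                    r"\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)")
AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")

def parse_received(msg):
    """Hops in the order the message presents them (top header first)."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue
        when = None
        if ";" in flat:  # the date is everything after the last ';'
            try:
                when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append(Hop(m["src"], m["src_info"] or "", m["by"], m["proto"], when))
    return hops

def authenticated_submission(hop):
    """Exim and Postfix append 'a' to the protocol (esmtpa/esmtpsa) when the
    client used SMTP AUTH: Franco's "esmtpsa -> authenticated" hosting login."""
    return hop.proto.lower() in ("esmtpa", "esmtpsa")

def ordering_anomalies(hops):
    """Each MTA prepends its Received header, so a hop printed higher must not
    be older than the one below it. Returns the (upper, lower) pairs that are."""
    return [(up.by, low.by) for up, low in zip(hops, hops[1:])
            if up.when and low.when and up.when < low.when]

def injection_hop(hops):
    """Oldest-stamped hop: where the mail entered the mail system, whatever
    order the receiving server (or a reordering groupware) printed them in."""
    dated = [h for h in hops if h.when]
    return min(dated, key=lambda h: h.when) if dated else (hops[-1] if hops else None)

def auth_results(msg):
    """First dkim/spf/dmarc verdict per method from Authentication-Results."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(" ".join(value.split())):
            found.setdefault(method, result)
    return found

def analyse(raw):
    msg = email.message_from_string(raw)
    hops = parse_received(msg)
    origin = injection_hop(hops)
    return {
        "hops": len(hops),
        "reversed_order": ordering_anomalies(hops),
        "origin_ip": origin.src.strip("[]") if origin else None,
        "origin_relay": origin.by if origin else None,
        "authenticated_submission": bool(origin and authenticated_submission(origin)),
        "auth": auth_results(msg),  # dkim=pass here: the abused domain signed it
    }
```

On the sample, the oldest hop is the googlefiber address submitting with credentials to cloudserver2.webbossuk.com, the two Received headers come out reversed (the upper one is 74 minutes older than the lower one), and DKIM passes because the compromised account's own domain signed the mail, which is why Jeroen's DKIM/SPF/DMARC checks alone would not have stopped this one.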

Re: [swinog] Coop.ch geoblocking?

2021-06-22 Thread Serge Droz
Sure, here you go:

Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8
References:
<7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==@protonmail.internalid>
X-Pm-Date: Mon, 21 Jun 2021 15:57:11 +
X-Pm-External-Id: <6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown>
X-Pm-Internal-Id:
7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==
To: "Serge Droz" 
Reply-To: "Roger" 
From: "Roger" 
Subject: Re: [swinog] Coop.ch geoblocking?
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  (256/256 bits)
Delivered-To: s.d...@protonmail.ch
X-Original-To: s.d...@protonmail.ch
X-Antiabuse: Sender Address Domain - in3days.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Original Domain - protonmail.ch
X-Antiabuse: Primary Hostname - cloudserver2.webbossuk.com
X-Antiabuse: This header was added to track abuse, please include it with
  any abuse report
X-Authenticated-Sender: cloudserver2.webbossuk.com: in3d...@in3days.org
Return-Path: 
X-Get-Message-Sender-Via: cloudserver2.webbossuk.com: authenticated_id:
  in3d...@in3days.org
X-Pm-Content-Encryption: on-delivery
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
  d=in3days.org ; s=default;
  h=MIME-Version:Message-ID:Subject:From:To:Date:Content-Type:

Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: 
List-Post:List-Owner:List-Archive;
bh=uAxy3zLHqvfXb2TMYjrhYr5Z2Iu5r3NwESS4F1OCQg8=;
b=[signature value omitted];
X-Pm-Spam: [opaque value omitted]
X-Pm-Spamscore: 0
X-Pm-Origin: external
X-Pm-Spam-Action: dunno
Message-Id: <6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown>
Received: from [136.35.59.161] (port=45371 helo=in3days.org) by
  cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from
  ) id 1lvNEU-00069P-CD for s.d...@protonmail.ch; Mon,
  21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com
  [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  (256/256 bits)) (No client certificate requested) by
  mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for
  ; Mon, 21 Jun 2021 18:11:47 + (UTC)
Mime-Version: 1.0
Date: Mon, 21 Jun 2021 17:57:11 +0200
Authentication-Results: mailin025.protonmail.ch; dkim=pass (2048-bit key)
  header.d=in3days.org header.i=@in3days.org header.b="pK1dKfuL"
Authentication-Results: mailin025.protonmail.ch; spf=none
  smtp.mailfrom=in3d...@in3days.org
Authentication-Results: mailin025.protonmail.ch; dmarc=none (p=none
  dis=none) header.from=in3days.org
Authentication-Results: mailin025.protonmail.ch; dkim=pass (Good 2048 bit
  rsa-sha256 signature) header.d=in3days.org header.a=rsa-sha256



On 21.06.21 23:42, Jeroen Massar wrote:
> Full headers would be rather useful to determine the real origin of that 
> message...
>
> Greets,
>   Jeroen
>
>
>> On 20210621, at 21:35, Serge Droz  wrote:
>>
>> Hi all
>>
>> It seems there is a SWINOG member who should clean his computer.
>>
>> Happy hunting
>> Serge
>>
>>
>>
>>  Forwarded Message 
>> Subject: Re: [swinog] Coop.ch geoblocking?
>> Date:Mon, 21 Jun 2021 17:57:11 +0200
>> From:Roger 
>> Reply-To:Roger 
>> To:  Serge Droz 
>>
>>
>>
>> Good day!
>>
>> We mail document to you again. You can 

Re: [swinog] Coop.ch geoblocking?

2021-06-21 Thread Jeroen Massar
Full headers would be rather useful to determine the real origin of that 
message...

Greets,
 Jeroen


> On 20210621, at 21:35, Serge Droz  wrote:
> 
> Hi all
> 
> It seems there is a SWINOG member who should clean his computer.
> 
> Happy hunting
> Serge
> 
> 
> 
>  Forwarded Message ----
> Subject:  Re: [swinog] Coop.ch geoblocking?
> Date: Mon, 21 Jun 2021 17:57:11 +0200
> From: Roger 
> Reply-To: Roger 
> To:   Serge Droz 
> 
> 
> 
> Good day!
> 
> We mail document to you again. You can discover it at the link lower:
> 
> 
> annanigrodermatologia.it/mac-lesch/s_droz-80.zip
> 
> 
> 
> 
> 
>> Hi Roger > > I just think that this suppression of unwanted
>> opinions is > wrong. > I see it the same way. But that is not what
>> Coop is doing. > and from Coop's point of view I find it firstly useless
>> and secondly questionable > when one tries to reduce security problems
>> with regional restrictions > instead of eliminating them > No
>> idea why Coop does that, but it's their right, it is their website.
>> Regards Serge > .. so long ;) > > Roger > > > On 28.02.2021 19:37, Serge
>> Droz wrote: >> I think you misunderstand what free speech is. Free
>> speech means you >> cannot be punished for what you say, nothing
>> more. It does not guarantee >> you an audience, or a platform. >> An
>> explanation, although a bit US centric, is here: >>
>> https://www.aclu.org/other/what-censorship >> >> If blocking is a good
>> idea for security reasons is an entirely different >> question, and
>> has nothing whatsoever to do with free speech or >> censorship. >>
>>>> Best >> Serge >> >> >> >> -- >> Serge Droz >> Security Lead >>
>> Proton Technologies AG >> -- Serge Droz Security Lead Proton
>> Technologies AG
> 
> 
> 





Re: [swinog] Coop.ch geoblocking?

2021-03-04 Thread Ralph Krämer
all,

from what I saw within the last years, more and more companies use cloud-based 
proxy services (like e.g. McAfee Cloud proxies).
Since these proxies are sometimes misused to produce nonsense (do evil things) 
on the internet through these proxies, site admins block IPs belonging to that 
individual proxy - leaving the other IPs belonging to the local (country 
assigned) cluster's proxies alone, so some of the nodes work for certain sites and 
some not ...

- On 3 Mar 2021 at 22:04, Roger ro...@mgz.ch wrote:

> yeah .. blocking connections from a proxy, I step more and more into such
> crazy sites, mostly I close the session and forget about it
> 
> there are a lot of reasons to use a proxy, I think this is a similar
> paranoia-based behaviour as filtering ICMP echo or, worse, ICMP at all.
> I think it's just the idea to keep other admins busy with investigating why
> the users are not able to open the page, other explanation I don't have.
> I am sure they would even call telnet to www.blick.ch 80 evil
> and insecure :D, because Telnet is insecure, they read on PC Bild :D
> 
> Roger
> 
> On 03.03.2021 10:44, Benoît Panizzon wrote:
>> Follow up on this.
>>
>> They use this service:
>> https://www.brightcloud.com/tools/url-ip-lookup.php
>>
>> Which lists the affected IP in the 'high risk' category 'proxy'.
>>
>> I opened a case with them to find out the cause.
>>
>> They delisted 157.161.57.65 but not 157.161.57.70. Maybe I should
>> change the PTR of the latter one :-). That only was an exit for a very
>> short time (immediate abuse complaints).
>>
>> Also 'Tor' is a separate category. So if my experiments with Tor
>> triggered that issue, why didn't they list it as 'Tor', which they have
>> as a category?
>>
>> Another cause might be that I use a transparent proxy to cache some
>> content in my LAN. But that is only accessible from my LAN, but of
>> course this might inject HTTP headers indicating the proxy connection.
>>
>> Also L2TP and PPTP are accessible, so I can access my private IPv4 space
>> from outside. So did they scan for those services and flag it as
>> 'proxy'?
>>
>> I'm looking forward to their reply.
>>
> 
> 




Re: [swinog] Coop.ch geoblocking?

2021-03-03 Thread Roger
yeah .. blocking connections from a proxy, I step more and more into such 
crazy sites, mostly I close the session and forget about it


there are a lot of reasons to use a proxy, I think this is a similar 
paranoia-based behaviour as filtering ICMP echo or, worse, ICMP at all.
I think it's just the idea to keep other admins busy with investigating why 
the users are not able to open the page, other explanation I don't have.
I am sure they would even call telnet to www.blick.ch 80 evil 
and insecure :D, because Telnet is insecure, they read on PC Bild :D


Roger

On 03.03.2021 10:44, Benoît Panizzon wrote:
> Follow up on this.
>
> They use this service:
> https://www.brightcloud.com/tools/url-ip-lookup.php
>
> Which lists the affected IP in the 'high risk' category 'proxy'.
>
> I opened a case with them to find out the cause.
>
> They delisted 157.161.57.65 but not 157.161.57.70. Maybe I should
> change the PTR of the latter one :-). That only was an exit for a very
> short time (immediate abuse complaints).
>
> Also 'Tor' is a separate category. So if my experiments with Tor
> triggered that issue, why didn't they list it as 'Tor', which they have
> as a category?
>
> Another cause might be that I use a transparent proxy to cache some
> content in my LAN. But that is only accessible from my LAN, but of
> course this might inject HTTP headers indicating the proxy connection.
>
> Also L2TP and PPTP are accessible, so I can access my private IPv4 space
> from outside. So did they scan for those services and flag it as
> 'proxy'?
>
> I'm looking forward to their reply.






Re: [swinog] Coop.ch geoblocking?

2021-03-03 Thread Gert Doering
Hi,

On Wed, Mar 03, 2021 at 10:44:25AM +0100, Benoît Panizzon wrote:
> Also L2TP and PPTP is accessible, so I can access my private ipv4 space
> from outside. So did they scan for those services and flag it as
> 'proxy'?

Given that PPTP auth is roughly equivalent to "no access control", I'd 
strongly recommend against using that in 2021...

(https://www.heise.de/security/artikel/Der-Todesstoss-fuer-PPTP-1701365.html
- this was 2012)

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                Board: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14  Chairman of the supervisory board: A. Grundner-Culemann
D-80807 Muenchen           HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   VAT ID: DE813185279




Re: [swinog] Coop.ch geoblocking?

2021-03-03 Thread Benoît Panizzon
Follow up on this.

They use this service:
https://www.brightcloud.com/tools/url-ip-lookup.php

Which lists the affected IP in the 'high risk' category 'proxy'.

I opened a case with them to find out the cause.

They delisted 157.161.57.65 but not 157.161.57.70. Maybe I should
change the PTR of the latter one :-). That only was an exit for a very
short time (immediate abuse complaints).

Also 'Tor' is a separate category. So if my experiments with Tor
triggered that issue, why didn't they list it as 'Tor', which they have
as a category?

Another cause might be that I use a transparent proxy to cache some
content in my LAN. But that is only accessible from my LAN, but of
course this might inject HTTP headers indicating the proxy connection.

Also L2TP and PPTP are accessible, so I can access my private IPv4 space
from outside. So did they scan for those services and flag it as
'proxy'?

I'm looking forward to their reply.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G  -  Head of Commerce Customers
__

Zurlindenstrasse 29     Tel  +41 61 826 93 00
CH-4133 Pratteln        Fax  +41 61 826 93 01
Switzerland             Web  http://www.imp.ch
__




Re: [swinog] Coop.ch geoblocking?

2021-03-02 Thread Gregor Riepl
> 157.161.57.65 => blocked (main NAT ip)
> 157.161.57.66 => Ok (a static server ip not used anymore)
> 157.161.57.68 => Ok (a static client ip)
> 157.161.57.70 => blocked (alternate NAT ip seldom used)
> 157.161.5.199 => blocked (Gateway IP, not usually used as src, except
> local stuff on the Mtik like DNS)
> 
> Weird! Does anyone have insight into what geoIP database coop uses? Or if there
> are other criteria they use for blocking?

Perhaps they're using some outdated OS where the distributor never
bothered to update the geocoding libraries, even when they were
obsoleted upstream, such as [1] :)

Jokes aside, perhaps they also have some sort of blocking heuristic in
place that goes beyond plain country-based blocking. Did you do anything
from those IPs that could have gotten you onto some (unrelated) blocking
lists?



[1]
https://rpmfind.net/linux/RPM/centos/7.9.2009/x86_64/Packages/GeoIP-1.5.0-14.el7.x86_64.html





Re: [swinog] Coop.ch geoblocking?

2021-02-28 Thread Serge Droz
Censorship is a third party forbidding you access to some information.
Someone saying "I only want to grant access to my information/website to
some people" is at their discretion. That is, if some authority would
tell Coop to restrict access they would otherwise give, then it's
censorship.

Why would I even say this: Because if you muddle the meanings of
censorship you essentially are normalizing censorship. If everything is
censorship, then nothing is censorship.

Best
Serge


On 28/02/2021 14:52, roger mgz wrote:
>
> Question is why Geoblocking at all, it's a form of Censorship which
> should be condemned
>
> btw: Even Coop is calling for Globalisation ;)
>
> Just my 5 cents
>
>
> On 28.02.2021 at 12:33, Benoit Panizzon wrote:
>> Dear List
>>
>> Having issues accessing www.coop.ch
>>
>> "Aus Sicherheitsgründen ist ein Login aus Ihrem Land nicht erlaubt".
>>
>> And a hint that I shall not use a VPN or Proxy.
>>
>> No proxy or VPN in use, just IPv4 NAT, as confirmed by 'wieistmeineip'.
>> (www.coop.ch is not IPv6 yet)
>>
>> So I supposed a messed-up GeoIP database and changed my SNAT IP a couple
>> of times (all those IPs have been registered with country=CH @RIPE for
>> decades and I never had such issues)
>>
>> 157.161.57.65 => blocked (main NAT ip)
>> 157.161.57.66 => Ok (a static server ip not used anymore)
>> 157.161.57.68 => Ok (a static client ip)
>> 157.161.57.70 => blocked (alternate NAT ip seldom used)
>> 157.161.5.199 => blocked (Gateway IP, not usually used as src, except
>> local stuff on the Mtik like DNS)
>>
>> Weird! Does anyone have insight into what geoIP database coop uses? Or if there
>> are other criteria they use for blocking?
>>
>
>

--
Serge Droz
Security Lead
Proton Technologies AG





Re: [swinog] Coop.ch geoblocking?

2021-02-28 Thread Xaver Aerni
Hello,
Recently more local internet radios have had to activate geoblocking. You can 
check this too. There is the problem: the company audion-music.ch wants money 
for every transmission which is not in Switzerland. Normally in Switzerland 
the Suisa is responsible for this. When you must pay another company it will be 
a lot of money to pay. And you don't know if other companies will want money too...
Greetings Xaver

-Original Message-
From: swinog-boun...@lists.swinog.ch [mailto:swinog-boun...@lists.swinog.ch] On 
behalf of roger mgz
Sent: Sunday, 28 February 2021 14:53
To: swinog@lists.swinog.ch
Subject: Re: [swinog] Coop.ch geoblocking?

Question is why Geoblocking at all, it's a form of Censorship which should be 
condemned

btw: Even Coop is calling for Globalisation ;)

Just my 5 cents


On 28.02.2021 at 12:33, Benoit Panizzon wrote:
> Dear List
>
> Having issues accessing www.coop.ch
>
> "Aus Sicherheitsgründen ist ein Login aus Ihrem Land nicht erlaubt".
>
> And a hint that I shall not use a VPN or Proxy.
>
> No proxy or VPN in use, just IPv4 NAT, as confirmed by 'wieistmeineip'.
> (www.coop.ch is not IPv6 yet)
>
> So I supposed a messed-up GeoIP database and changed my SNAT IP a 
> couple of times (all those IPs have been registered with country=CH @RIPE 
> for decades and I never had such issues)
>
> 157.161.57.65 => blocked (main NAT ip)
> 157.161.57.66 => Ok (a static server ip not used anymore)
> 157.161.57.68 => Ok (a static client ip)
> 157.161.57.70 => blocked (alternate NAT ip seldom used)
> 157.161.5.199 => blocked (Gateway IP, not usually used as src, except 
> local stuff on the Mtik like DNS)
>
> Weird! Does anyone have insight into what geoIP database coop uses? Or if 
> there are other criteria they use for blocking?
>







Re: [swinog] Coop.ch geoblocking?

2021-02-28 Thread Xaver Aerni
Hello,

I think it could be a security problem.
Coop works with money and points in Switzerland. And in other countries 
you can't order products. But Coop and Migros clients have had attacks on their points 
(Profit and Cumulus) from other countries. I think the blocking is to make it a 
little safer. And Migros and Coop do not deliver things to other countries...
Greetings
Xaver

-Original Message-
From: swinog-boun...@lists.swinog.ch [mailto:swinog-boun...@lists.swinog.ch] On 
behalf of roger mgz
Sent: Sunday, 28 February 2021 14:53
To: swinog@lists.swinog.ch
Subject: Re: [swinog] Coop.ch geoblocking?

Question is why Geoblocking at all, it's a form of Censorship which should be 
condemned

btw: Even Coop is calling for Globalisation ;)

Just my 5 cents


On 28.02.2021 at 12:33, Benoit Panizzon wrote:
> Dear List
>
> Having issues accessing www.coop.ch
>
> "Aus Sicherheitsgründen ist ein Login aus Ihrem Land nicht erlaubt".
>
> And a hint that I shall not use a VPN or Proxy.
>
> No proxy or VPN in use, just IPv4 NAT, as confirmed by 'wieistmeineip'.
> (www.coop.ch is not IPv6 yet)
>
> So I supposed a messed-up GeoIP database and changed my SNAT IP a 
> couple of times (all those IPs have been registered with country=CH @RIPE 
> for decades and I never had such issues)
>
> 157.161.57.65 => blocked (main NAT ip)
> 157.161.57.66 => Ok (a static server ip not used anymore)
> 157.161.57.68 => Ok (a static client ip)
> 157.161.57.70 => blocked (alternate NAT ip seldom used)
> 157.161.5.199 => blocked (Gateway IP, not usually used as src, except 
> local stuff on the Mtik like DNS)
>
> Weird! Does anyone have insight into what geoIP database coop uses? Or if 
> there are other criteria they use for blocking?
>







Re: [swinog] Coop.ch geoblocking?

2021-02-28 Thread roger mgz
Question is why Geoblocking at all, it's a form of Censorship which 
should be condemned


btw: Even Coop is calling for Globalisation ;)

Just my 5 cents


On 28.02.2021 at 12:33, Benoit Panizzon wrote:
> Dear List
>
> Having issues accessing www.coop.ch
>
> "Aus Sicherheitsgründen ist ein Login aus Ihrem Land nicht erlaubt".
>
> And a hint that I shall not use a VPN or Proxy.
>
> No proxy or VPN in use, just IPv4 NAT, as confirmed by 'wieistmeineip'.
> (www.coop.ch is not IPv6 yet)
>
> So I supposed a messed-up GeoIP database and changed my SNAT IP a couple
> of times (all those IPs have been registered with country=CH @RIPE for
> decades and I never had such issues)
>
> 157.161.57.65 => blocked (main NAT ip)
> 157.161.57.66 => Ok (a static server ip not used anymore)
> 157.161.57.68 => Ok (a static client ip)
> 157.161.57.70 => blocked (alternate NAT ip seldom used)
> 157.161.5.199 => blocked (Gateway IP, not usually used as src, except
> local stuff on the Mtik like DNS)
>
> Weird! Does anyone have insight into what geoIP database coop uses? Or if there
> are other criteria they use for blocking?



