On 2022-01-11 12:32 p.m., Mark G Thomas via mailop wrote:
> Hi,
>
> On Tue, Jan 11, 2022 at 11:21:47AM -0800, Michael Peddemors via mailop wrote:
>> On 2022-01-11 11:04 a.m., Mark G Thomas via mailop wrote:
>>> Here's an example from one ticket, however I'm more looking for whether
>>> there is anything I can do to facilitate improving this overall, than
>>> starting to try to intervene about (many!) specific tickets and IPs. I
>>> would be happy to help with more details off-list, if so requested. I
>>> also could relay suggestions or procedural instructions to our support
>>> group.
>>>
>>>     redac...@enlogic.gr: host enlogic-gr.mail.protection.outlook.com[104.47.17.74]
>>>     said: 550 5.7.511 Access denied, banned sender[172.104.233.127]. To request
>>>     removal from this list please forward this message to
>>>     del...@messaging.microsoft.com. For more information please go to
>>>     http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
>>>     [DB8EUR05FT065.eop-eur05.prod.protection.outlook.com] (in reply to RCPT TO command)
>>>
>>> Mark
>>
>> No comments on Linode spamming, but looking at this, have to comment.
>>
>> host enlogic.gr
>> enlogic.gr has address 172.105.85.167
>> enlogic.gr mail is handled by 0 enlogic-gr.mail.protection.outlook.com
>>
>> host 172.104.233.127
>> 127.233.104.172.in-addr.arpa domain name pointer extmail.enlogic.gr
>>
>> If Microsoft thinks that the email server for that domain is their
>> infrastructure, why would they accept any email from outside MS with
>> that domain, if it isn't authenticated?
>>
>> The rejection message looks pretty clear.. banned sender.
>>
>> What is the address in the MAIL FROM, it looks like @enlogic.gr?
>
> In this specific case, the sender was reported to be an address @kentia.gr.
>
> host kentia.gr
> kentia.gr has address 31.22.115.154
> kentia.gr mail is handled by 10 mx1.mydomain.ro.
> kentia.gr mail is handled by 20 mx2.mydomain.ro.
> kentia.gr mail is handled by 5 obd0bh.static.otenet.gr.
>
> host -t TXT kentia.gr
> kentia.gr descriptive text "v=spf1 a mx ip4:62.38.3.0/24 ip4:62.38.240.10 ip4:195.46.27.139/29 ip4:172.104.233.127 a:outgoing.holservices.gr -all"
>
>> I don't think you would get a response quickly from MS, if they
>> think they are authoritative for the email domain.  Anyone can put up
>> a PTR record or MAIL FROM forging a domain on their networks.  I get
>> ...
>
> Got it. I can look at other cases, which may have other issues. This was
> an example I snagged, but I'm sure there are other different scenarios.
>
> Something changed and now we have this flood of tickets, many from
> people who have been e-mailing successfully to MS recipients for a long
> time, until a few weeks ago when something changed.
>
> Is there anything I can do to help our support people in handling this?
>
> Mark


You 'could' simply send an email from the command line to a MS address, using one of your own domains (with of course a wide SPF record) to see if this is an IP based reputation issue, or a domain based reputation issue.

You 'could' subscribe to something like 'HetrixTools' to see when IP(s) on your network get listed on RBLs.

You 'could' put in a network alert in your egress routers to report when too high a rate of SYN packets is generated from an IP address in your networks destined to certain ports.

You 'could' start offering 'rwhois' automation, e.g. when a person gets an IP address on your networks, the ownership is updated in your 'rwhois' server.

You 'could' do a random walk on your networks for suspicious PTR records.

(See where I am heading? Stopping the threats first reduces support calls.)

But the thing I was pointing out, and this goes for anyone on the list: if you want to shout out for help, make sure you provide the list members with as much detail as possible.

Let's try to get the full information of one (1) case, to confirm that there isn't something obvious that could be causing issues.

And pick an easier case where the MX and SPF records are a little simpler and sane, where you see the problem.

However, in December there WAS a smaller outbreak from Linode IP(s), I seem to recall.. maybe that might have triggered something..



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
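The thread turns on one question an abuse desk can answer for itself before opening a ticket: is the rejected sending IP actually authorised by the MAIL FROM domain's SPF record? The following is an added example, not code from the thread or from any list member. It is a small SPF evaluator (the ip4/ip6/a/mx/include/all mechanisms and the redirect modifier, a subset of RFC 7208) that runs against a constructed, in-memory DNS table. The kentia.gr A, MX and TXT answers in that table are the ones quoted above; the A records for the MX hosts and for outgoing.holservices.gr are not on the page and are placeholders from the RFC 5737 documentation range so the script works offline. It goes slightly beyond the record on the page by also handling include: and redirect=, so it can be pointed at simpler records of the kind Michael suggests picking for a test case.

```python
import ipaddress

# Constructed offline DNS table so the example runs without network access.
# kentia.gr A/MX/TXT values are the ones quoted in the thread; the A records
# for the MX hosts and outgoing.holservices.gr are NOT on the page and are
# placeholders from the RFC 5737 documentation range.
DNS = {
    "kentia.gr": {
        "A": ["31.22.115.154"],
        "MX": [(5, "obd0bh.static.otenet.gr"),
               (10, "mx1.mydomain.ro"),
               (20, "mx2.mydomain.ro")],
        "TXT": ["v=spf1 a mx ip4:62.38.3.0/24 ip4:62.38.240.10 "
                "ip4:195.46.27.139/29 ip4:172.104.233.127 "
                "a:outgoing.holservices.gr -all"],
    },
    "enlogic.gr": {"A": ["172.105.85.167"],              # no TXT: SPF "none"
                   "MX": [(0, "enlogic-gr.mail.protection.outlook.com")]},
    "obd0bh.static.otenet.gr": {"A": ["192.0.2.10"]},   # placeholder
    "mx1.mydomain.ro": {"A": ["192.0.2.11"]},           # placeholder
    "mx2.mydomain.ro": {"A": ["192.0.2.12"]},           # placeholder
    "outgoing.holservices.gr": {"A": ["192.0.2.20"]},   # placeholder
}

# SPF qualifier -> result name (RFC 7208 section 4.6.2)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query; unknown names answer with []."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    recs = [t for t in lookup(domain, "TXT")
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a sender IP and MAIL FROM domain.

    Returns (result, term): result is pass/fail/softfail/neutral/none/permerror,
    term is the record term that decided it (None if nothing matched).
    """
    if depth > 10:                      # include/redirect recursion guard
        return "permerror", None
    record = spf_record(domain)
    if record is None:
        return "none", None
    addr = ipaddress.ip_address(ip)
    redirect = None
    for original in record.split()[1:]:
        if "=" in original:             # modifier, e.g. redirect=example.org
            name, _, value = original.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        term, qualifier = original, "+"
        if term[0] in RESULT:           # explicit qualifier such as -all
            qualifier, term = term[0], term[1:]
        result = RESULT[qualifier]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain          # "a" and "mx" default to the domain itself
        if mech == "all":
            return result, original
        if mech in ("ip4", "ip6"):
            try:                        # a v4 address never matches a v6 network
                if addr in ipaddress.ip_network(arg, strict=False):
                    return result, original
            except ValueError:
                return "permerror", original
        elif mech == "a":
            if str(addr) in lookup(target, "A"):
                return result, original
        elif mech == "mx":
            if any(str(addr) in lookup(host, "A")
                   for _, host in lookup(target, "MX")):
                return result, original
        elif mech == "include":
            if check_host(ip, arg, depth + 1)[0] == "pass":
                return result, original
        else:                           # exists, ptr, ... not implemented here
            return "permerror", original
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral", None              # record exhausted without an "all"


if __name__ == "__main__":
    # The banned sender IP from the bounce, and the Outlook MX that rejected it.
    for sender_ip in ("172.104.233.127", "104.47.17.74"):
        print(sender_ip, "kentia.gr", check_host(sender_ip, "kentia.gr"))
```

Run against the record quoted in the thread, 172.104.233.127 returns pass on the literal ip4 term, which is what makes the 550 5.7.511 look like an IP reputation decision rather than an authentication failure; swapping the constructed table for real lookups (for instance with dnspython) turns this into the one-case, full-detail check Michael asks for.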
