[mailop] Google Postmaster Tools - Authentication accuracy or issue on my side?

2017-08-01 Thread Yves-Marie Le Pors Chauvel
Hi there,

For a few weeks now, I've been getting some results I don't really
understand with Google Postmaster Tools.

When I take a look at the Authentication page, my SPF and DKIM compliance
are always 100% but my DMARC compliance varies from day to day (from
5.9% to 77.3%) without my changing anything on my side.

If I check on Dmarcian, for Google reports, I have a compliance level of
100%...

Does anyone have any idea where this could come from?

Regards,

-- 
Yves-Marie LE PORS-CHAUVEL
Email Product Manager
*T: +33 2 23 45 57 99* (3043)
3 rue de Paris - Atalis 2 / Batiment D - 35 510 Cesson Sévigné
www.ccmbenchmark.com
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Google Postmaster Tools - Authentication accuracy or issue on my side?

2017-08-01 Thread Ken O'Driscoll
Hi Yves-Marie,

My guess, and it's just a guess, is that the discrepancy might be down to
the "alignment" of the SPF and DKIM records.

DMARC requires that the domain of the SPF approved email source in the
envelope header (return-path) matches the domain in the From address. It
also requires that DKIM selector domain matches that of the From address
domain.

However, in the absence of DMARC, SPF and DKIM are not bound to the From
address domain in any way. You can protect an email with SPF and DKIM using
any domain name(s) and it will still validate.

So, I suspect that Google Postmaster may be reporting correctly validating
SPF and DKIM authentication but also indicating that not all of that is
aligned, i.e. not compliant with your DMARC policy.

The easiest thing to do is look at the DMARC failure email reports and see
what they are saying.

Ken.

-- 
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com

Need to understand deliverability? Now there's a book:
www.wemonitoremail.com/book




[mailop] Anyone have contacts at Orange (France)?

2017-08-01 Thread Michael Peddemors
Significant increases in spam from them, but the reason our team wants a 
contact for them, is the strange case of missing received headers for 
mail processed via their systems that started a few months back..


eg..

Received: from smtp07.smtpout.orange.fr (HELO smtp.smtpout.orange.fr) (80.12.242.129)
    by  with (DHE-RSA-AES128-SHA encrypted) SMTP
    (47d57a92-7694-11e7-b574-001e67492cec); Tue, 01 Aug 2017 01:34:52 -0700
Received: from localhost ([10.162.66.161])
    by mwinf5d13 with ME
    id rkao1v0093UlTPu03kaoYi; Tue, 01 Aug 2017 10:34:48 +0200
X-ME-Helo: localhost
X-ME-Date: Tue, 01 Aug 2017 10:34:48 +0200
X-ME-IP: 10.162.66.161
Date: Tue, 1 Aug 2017 08:34:44 +
To: 
From: "M. SOLOMON 0615850055" 
Reply-To: il...@pourcreer.fr
Subject: =?utf-8?Q?au_bureau_ou_=C3=A0_domicile?=
Message-ID:
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

We would expect that the actual SMTP servers themselves should be 
inserting a received header.. and that we would see a FQDN for the 
'mwinf5d13' that received the email.. Hard to tell if this was a webmail 
processed email, or open relay from their networks..


If any one has a contact, (we tried postmaster already) I will forward 
it on to the team ..



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] Anyone have contacts at Orange (France)?

2017-08-01 Thread Alarig Le Lay
Hi,

(I’m not on Orange’s mail staff, just a customer of the ISP part; I’m
not crazy enough to use another mail server than my own ;)

On Tue 1 Aug 08:54:45 2017, Michael Peddemors wrote:
> We would expect that the actual SMTP servers themselves should be inserting
> a received header.. and that we would see a FQDN for the 'mwinf5d13' that
> received the email.. Hard to tell if this was a webmail processed email, or
> open relay from their networks..

If it could help you, this is what I get when I use their SMTP relay:
https://paste.swordarmor.fr/raw/p3sU

I don’t see any 1918 IP, so I guess that your mail comes from the
webmail.

> If any one has a contact, (we tried postmaster already) I will forward it on
> to the team ..

This address never worked for me.

-- 
alarig




Re: [mailop] Anyone have contacts at Orange (France)?

2017-08-01 Thread Michael Peddemors

Seems you have the same problem when using the outbound SMTP..

Return-Path: 
Delivered-To: ala...@swordarmor.fr
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129])
    (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
    (No client certificate requested)
    by togepi.gozmail.bzh (Postfix) with ESMTPS id 773F21A0070
    for ; Tue,  1 Aug 2017 19:07:46 +0200 (CEST)
Received: from airmure.swordarmor.fr ([86.229.168.245])
    by mwinf5d14 with ME
    id rt7m1v0035J0xQe03t7m42; Tue, 01 Aug 2017 19:07:46 +0200
X-ME-Helo: airmure.swordarmor.fr

=== Trying smtp.orange.fr:25...
=== Connected to smtp.orange.fr.
<-  220 mwinf5d14 ME ESMTP server ready

Doesn't seem that they give a proper FQDN even in their EHLO/HELO 
response, and/or the initial greeting.


So, hard to tell whether this server you are connecting to is the same 
as the outbound relay... (eg if you are actually connecting to 
smtp07 when sending) but I highly doubt it... since it probably goes out 
at least SOME form of filtering/balancing system.


And when you look at the host entries..

smtp.orange.fr has address 193.252.22.84
smtp.orange.fr has address 193.252.22.86

This confirms that, so they aren't following RFCs as far as properly 
inserting relay received headers..









--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
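
The two checks discussed in this thread (a `by` host that is not an FQDN, and an RFC 1918 source address on the first hop) can be run over a message's Received chain. This is an added example, not code from any poster; the sample headers, host names and addresses are constructed, using documentation ranges.

```python
import email
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
COMMENT_RE = re.compile(r"\([^()]*\)")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
CLAUSES = {"from", "by", "via", "with", "id", "for"}

BY_MISSING = "by-host missing"
BY_NOT_FQDN = "by-host is not an FQDN"
FROM_NOT_FQDN = "from-host is not an FQDN"
PRIVATE_SOURCE = "source address is RFC 1918 private"


def is_fqdn(host):
    """True when the name has at least two syntactically valid labels."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def is_rfc1918(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # e.g. an octet above 255
        return False
    return any(ip in net for net in RFC1918)


def parse_received(value):
    """Split one Received: value into from/by/with tokens and the source IP."""
    text = " ".join(value.split())      # undo header folding
    ip = IP_RE.search(text)             # the address sits inside a comment
    bare = text
    while True:                         # strip comments, including nested ones
        stripped = COMMENT_RE.sub(" ", bare)
        if stripped == bare:
            break
        bare = stripped

    def clause(keyword):
        m = re.search(r"\b%s\s+([^\s;]+)" % keyword, bare)
        # When the host is absent ("by  with ..."), do not read the next
        # clause keyword as if it were the host name.
        return m.group(1) if m and m.group(1).lower() not in CLAUSES else None

    return {"from": clause("from"), "by": clause("by"),
            "with": clause("with"), "ip": ip.group(1) if ip else None}


def audit_received(raw_message):
    """Return [(hop, by_host, findings)], hop 0 being the most recent relay."""
    msg = email.message_from_string(raw_message)
    report = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        f = parse_received(value)
        findings = []
        if f["by"] is None:
            findings.append(BY_MISSING)
        elif not is_fqdn(f["by"]):
            findings.append(BY_NOT_FQDN)
        if f["from"] and not is_fqdn(f["from"]):
            findings.append(FROM_NOT_FQDN)
        if f["ip"] and is_rfc1918(f["ip"]):
            findings.append(PRIVATE_SOURCE)
        report.append((hop, f["by"], findings))
    return report


# Constructed sample: first hop comes from a private address (internal origin).
WEBMAIL_LIKE = """\
Received: from out7.relay.example.net (HELO smtp.relay.example.net)
 (192.0.2.129)
 by mx.example.org with ESMTPS; Tue, 01 Aug 2017 01:34:52 -0700
Received: from localhost ([10.0.0.5])
 by front5d13 with ME
 id abc123; Tue, 01 Aug 2017 10:34:48 +0200
Subject: constructed sample

body
"""

# Constructed sample: first hop comes from a public client address.
SUBMISSION_LIKE = """\
Received: from smtp.relay.example.net (out7.relay.example.net [192.0.2.129])
 (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
 (No client certificate requested)
 by mx.example.org (Postfix) with ESMTPS id 773F21A0070;
 Tue,  1 Aug 2017 19:07:46 +0200 (CEST)
Received: from client.example.com ([198.51.100.245])
 by front5d14 with ME
 id xyz789; Tue, 01 Aug 2017 19:07:46 +0200
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in (("webmail-like", WEBMAIL_LIKE),
                      ("submission-like", SUBMISSION_LIKE)):
        for hop, by_host, findings in audit_received(raw):
            print(name, hop, by_host, findings or "ok")
```

A private source on the earliest hop only shows that the message entered from inside the relay operator's network; it does not by itself distinguish webmail from another internal system.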



Re: [mailop] Anyone have contacts at Orange (France)?

2017-08-01 Thread Anne P. Mitchell Esq.
Michael, please contact me directly, offlist. We have contacts at Orange.

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation Certification and Inbox Delivery Assistance
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Attorney at Law / Legislative Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Board of Directors, Asilomar Microcomputer Workshop
Member, Advisory Board, Cause for Awareness
Member, Board of Directors, Greenwood Wildlife Rehabilitation
Member, Elevations Credit Union Member Council
Former Chair, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose

Available for consultations by special arrangement.
amitch...@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell  | LinkedIn/in/annemitchell



Re: [mailop] Google Postmaster Tools - Authentication accuracy or issue on my side?

2017-08-01 Thread Benjamin BILLON via mailop
I see these disparities for domains that are used in MAIL FROM / envelope
header / return-path (for SPF), and that sometimes are used for DKIM
signing (so it's not 0%), but not always (so it's not 100%).

With no more detail about your settings, content and traffic it would be
hard to help, but adding an ruf= in your DMARC record will most probably
give you more insight.

Cheers,
-- 
Benjamin

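
How SPF and DKIM can each show 100% while DMARC does not, as discussed in the replies above, worked through as an added example (not code from any poster, Google or Dmarcian). DMARC (RFC 7489) passes a message only when a passing SPF or DKIM identifier is also aligned with the From domain. Assumptions: the traffic sample and all domains are constructed, and the organizational-domain lookup uses a tiny stand-in for the Public Suffix List.

```python
from collections import namedtuple

# Assumption: a production evaluator derives the organizational domain from
# the Public Suffix List; this small constructed set stands in for it.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# header_from: domain of the visible From: address
# mail_from:   envelope sender (Return-Path) domain that SPF checked
# spf:         SPF result for mail_from
# dkim:        list of (result, d= domain) pairs, one per signature
Message = namedtuple("Message", "header_from mail_from spf dkim")


def org_domain(domain):
    """Return the organizational (registrable) domain of a host name."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, mode="r"):
    """Alignment: 's' = exact match, 'r' = same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_pass(msg, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM passes AND that identifier is aligned."""
    spf_ok = msg.spf == "pass" and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_ok = any(result == "pass" and aligned(d, msg.header_from, adkim)
                  for result, d in msg.dkim)
    return spf_ok or dkim_ok


def compliance_rates(messages, aspf="r", adkim="r"):
    """Per-mechanism pass percentages over a batch of messages."""
    total = len(messages)
    counts = {
        "spf": sum(m.spf == "pass" for m in messages),
        "dkim": sum(any(r == "pass" for r, _ in m.dkim) for m in messages),
        "dmarc": sum(dmarc_pass(m, aspf, adkim) for m in messages),
    }
    return {name: 100.0 * n / total for name, n in counts.items()}


# Constructed traffic: every message passes SPF and DKIM for *some* domain,
# but two of them authenticate only as a third-party sending platform.
SAMPLE = [
    Message("news.example.com", "bounce.example.com", "pass",
            [("pass", "example.com")]),
    Message("example.com", "bounces.esp.example.net", "pass",
            [("pass", "esp.example.net")]),
    Message("example.com", "bounces.esp.example.net", "pass",
            [("pass", "esp.example.net"), ("pass", "example.com")]),
    Message("example.com", "bounces.esp.example.net", "pass",
            [("pass", "esp.example.net")]),
]

if __name__ == "__main__":
    print("relaxed:", compliance_rates(SAMPLE))
    print("strict: ", compliance_rates(SAMPLE, aspf="s", adkim="s"))
```

The day-to-day swing in a dashboard then follows the mix of mail streams: the share of messages sent through the unaligned path changes, while each stream's SPF and DKIM results stay at pass.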


Re: [mailop] Concurrent Messages and Proper Time to Keep a Connection Open

2017-08-01 Thread Michael Wise via mailop


It's nice, from time to time, to be able to Telnet to port 25 and type in the 
commands manually for testing.

I know, I should write some simple scripts. ☹


Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting 
Tool ?



-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Mark Milhollan
Sent: Monday, July 31, 2017 5:48 PM
To: mailop
Subject: Re: [mailop] Concurrent Messages and Proper Time to Keep a Connection Open

On Mon, 31 Jul 2017, Ryan Harris wrote:

>Naturally we don't want to cause unrest within the ecosphere by keeping
>connections open for too long.

Have you looked at the related RFCs?  (2821 and 1123 primarily but et
seq)

>>It would seem kind of pointless to keep a connection open for 10
>>minutes to save 2s of connection time, for example.
>
>Agreed, but when you are sending high volumes of email, optimizing the
>opening of a connection and reuse of a connection is worth us investigating.

Everyone varies, be prepared to adapt.

/mark



Re: [mailop] Concurrent Messages and Proper Time to Keep a Connection Open

2017-08-01 Thread Steve Atkins

> On Aug 1, 2017, at 12:03 PM, Michael Wise via mailop  
> wrote:
> 
>  
> It's nice, from time to time, to be able to Telnet to port 25 and type in the 
> commands manually for testing.
> I know, I should write some simple scripts. ☹

http://www.jetmore.org/john/code/swaks/ is what you want for that.

Cheers,
  Steve



Re: [mailop] Concurrent Messages and Proper Time to Keep a Connection Open

2017-08-01 Thread Jay Hennigan

On 7/31/17 4:21 PM, Ryan Harris via mailop wrote:

> Optimizing for connection reuse since the overhead of creating
> connections is actually high for us. So we want to send as many messages
> as we can over a single connection before closing it.

So do that. When you have no more messages to deliver, close the
connection.

> Naturally we don't want to cause unrest within the ecosphere by keeping
> connections open for too long.

When you don't have any more mail to send *at that time* close the
connection immediately after the final OK from receiving system. Leaving
it open just because you might have more mail later ties up resources on
the recipient's side with zero benefit to the recipient. If everyone did
this, it could turn into a form of DDoS.

> Agreed, but when you are sending high volumes of email, optimizing the
> opening of a connection and reuse of a connection is worth us investigating.

And when you're finished with the high volume, close the connection. If
you have more volume later, re-open it.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] Concurrent Messages and Proper Time to Keep a Connection Open

2017-08-01 Thread Michael Wise via mailop


Thanks!



I ❤ BASH on Ubuntu on Windows, BTW.

I do rather like to keep my hand in... At least from time to time.

The only thing that gives me fits is IMAP.


Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting 
Tool ?





[mailop] Gmail labeled as Spam based on content

2017-08-01 Thread Paul Witting
Anyone from Gmail here? Hopefully I'm not off topic.

CEO was complaining about mail not getting to clients (not mail campaigns, just 
day to day business). He sent a simple Subject: Test w/ Body Test (+ signature) 
to his personal Gmail account and Gmail flagged it as spam based on "content". 
I duplicated it sending from my own account to my own account (even included 
his signature) and it came through to my inbox, no issues. SPF and DMARC both 
passed on the original message. How is the message he sends getting flagged as 
spam while the identical message I send gets right through?

Thank you,

Paul



Re: [mailop] Gmail labeled as Spam based on content

2017-08-01 Thread Dave Warren
On Tue, Aug 1, 2017, at 13:48, Paul Witting wrote:
> Anyone from Gmail here? Hopefully I’m not off topic.
>
> CEO was complaining about mail not getting to clients (not mail campaigns, 
> just day to day business). He sent a simple Subject: Test w/ Body Test (+ 
> signature) to his personal Gmail account and Gmail flagged it as spam based 
> on “content”. I duplicated it sending from my own account to my own account 
> (even included his signature) and it came through to my inbox, no issues. . 
> SPF and DMARC both passed on the original message. How is the message he 
> sends getting flagged as spam while the identical message I send gets right 
> through.

Gmail is far from the only provider to take knowledge learned from individual 
user activity into account when spam filtering. Perhaps your CEO has a habit of 
using Gmail's spam handling features to deal with legitimate mail, or has 
otherwise flagged a lot of similar messages as spam in the past?

While Google doesn't talk about the details, it seems that open and click rates 
are likely a factor too, perhaps the CEO sends a lot of stuff to himself that 
is deleted unread, Google may have decided this mail is less valuable for this 
recipient.

You can override using filters if needed.




Re: [mailop] 1&1 / Mail.com Abuse Contact

2017-08-01 Thread Jaren Angerbauer
Thanks to everyone for the quick responses -- issue has been addressed.

--Jaren



On Mon, Jul 31, 2017 at 4:02 PM, Jaren Angerbauer  wrote:

> Hi,
>
> Not sure if anyone is here from 1&1 -- looking for someone within that
> organization that I can work with on an abuse issue.
>
> Thanks,
>
> --Jaren
>
>
>


Re: [mailop] Gmail labeled as Spam based on content

2017-08-01 Thread Laura Atkins

> On Aug 1, 2017, at 1:48 PM, Paul Witting  wrote:
> 
> Anyone from Gmail here? Hopefully I’m not off topic. 
>  
> CEO was complaining about mail not getting to clients (not mail campaigns, 
> just day to day business). He sent a simple Subject: Test w/ Body Test (+ 
> signature) to his personal Gmail account and Gmail flagged it as spam based 
> on “content”. I duplicated it sending from my own account to my own account 
> (even included his signature) and it came through to my inbox, no issues. . 
> SPF and DMARC both passed on the original message. How is the message he 
> sends getting flagged as spam while the identical message I send gets right 
> through. 

Gestalt filtering. https://wordtothewise.com/2017/06/filtering-by-gestalt/ 


In more modern filtering, particularly at Gmail, scoring is dynamic. There are 
still rules and they still assign scores. But the scores themselves can be 
modified by other scores in the process. It’s not a simple sum of scores so 
changing anything can change the overall status of a message.

Take two identical messages and two IP addresses one with an arbitrary 
reputation of 5 and another with an arbitrary reputation of 10. By the score 
and sum method, the final email reputation scores would be message+5 and 
message+10. With relative scoring, though, the IP reputations might turn out to 
be 2 and 13.

There’s also a big piece of individual filtering there - if you send from your 
account to your account with any sort of regularity, then that pattern will 
affect how mail from you, to you is delivered outside of whatever filtering 
there is. I’ve had to stop using my “main” gmail account for tests and go to a 
new one because Gmail figured out I regularly send from @wttw to @gmail and has 
prioritized that mail into the inbox. If I send to a different @gmail account, 
it goes to bulk. 

With the symptoms you describe, however, I’d look hard at the domain reputation.

laura 

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  








Re: [mailop] Gmail labeled as Spam based on content

2017-08-01 Thread Brett Schenker
Anyone have a good suggestion to research domain reputation? IP ratings are
easy, but domain seems to be much more difficult (there's one or two go tos
for me).



-- 
Brett Schenker
Man of Many Things, Including
5B Consulting - http://www.5bconsulting.com
Graphic Policy - http://www.graphicpolicy.com

Twitter - http://twitter.com/bhschenker
LinkedIn - http://www.linkedin.com/in/brettschenker


[mailop] Penetration testing phishing emails

2017-08-01 Thread David Harris
Hi,

We have a potential customer in the business of doing penetration testing, and 
they want to send penetration testing phishing emails authorized by a target 
company to that company's own employees.

If we allowed this in our network, I would require:

(1) Evidence to our satisfaction that this was authorized by the target company

(2) An X- header explaining what they are doing with a link to find more info

(3) Use of a from address at a domain name like 
“whatever-company-name-is-phishing.com” -- which would have a web-page 
explaining what they do

(4) The approval of our upstream's Abuse Desk.

I’m considering also requiring:

(5) Emails must be DKIM signed with a d= of the target company domain name.

For example:

From: f...@whatever-company-name-is-phishing.com
To: emplo...@example.com
DKIM-Signature: … d=example.com ….

Thoughts? Are there best practices for something like this?

Thanks,

David Harris




Re: [mailop] Gmail labeled as Spam based on content

2017-08-01 Thread Laura Atkins


> On Aug 1, 2017, at 2:26 PM, Brett Schenker  wrote:
> 
> Anyone have a good suggestion to research domain reputation? IP ratings are 
> easy, but domain seems to be much more difficult (there's one or two go tos 
> for me).

When I’m looking into domain reputation I look for answers to the following 
questions: 

* Where is this domain used? 
* What types of mail does it show up in?
* What does the website look like if I go to the bare URL?
* What does the whois record look like?
* What does the SPF record look like?
* Does this company have an affiliate program?
* Does this company have an easy to find signup link on their website?
* Is this domain listed on any of the domain based blocklists?

There are some other questions I ask and specifics that I look at, but I can’t 
share all my secrets publicly.

laura 


> 
> On Tue, Aug 1, 2017 at 5:09 PM, Laura Atkins  > wrote:
> 
>> On Aug 1, 2017, at 1:48 PM, Paul Witting > > wrote:
>> 
>> Anyone from Gmail here? Hopefully I’m not off topic. 
>>  
>> CEO was complaining about mail not getting to clients (not mail campaigns, 
>> just day to day business). He sent a simple Subject: Test w/ Body Test (+ 
>> signature) to his personal Gmail account and Gmail flagged it as spam based 
>> on “content”. I duplicated it sending from my own account to my own account 
>> (even included his signature) and it came through to my inbox, no issues. . 
>> SPF and DMARC both passed on the original message. How is the message he 
>> sends getting flagged as spam while the identical message I send gets right 
>> through. 
> 
> Gestalt filtering. https://wordtothewise.com/2017/06/filtering-by-gestalt/ 
> 
> 
> In more modern filtering, particularly at Gmail, scoring is dynamic. There 
> are still rules and they still assign scores. But the scores themselves can 
> be modified by other scores in the process. It’s not a simple sum of scores 
> so changing anything can change the overall status of a message.
> 
> Take two identical messages and two IP addresses one with an arbitrary 
> reputation of 5 and another with an arbitrary reputation of 10. By the score 
> and sum method, the final email reputation scores would be message+5 and 
> message+10. With relative scoring, though, the IP reputations might turn out 
> to be 2 and 13.
> 
> There’s also a big piece of individual filtering there - if you send from 
> your account to your account with any sort of regularity, then that pattern 
> will affect how mail from you, to you is delivered outside of whatever 
> filtering there is. I’ve had to stop using my “main” gmail account for tests 
> and go to a new one because Gmail figured out I regularly send from @wttw to 
> @gmail and has prioritized that mail into the inbox. If I send to a different 
> @gmail account, it goes to bulk. 
> 
> With the symptoms you describe, however, I’d look hard at the domain 
> reputation.
> 
> laura 
> 
> -- 
> Having an Email Crisis?  800 823-9674  
> 
> Laura Atkins
> Word to the Wise
> la...@wordtothewise.com 
> (650) 437-0741  
> 
> Email Delivery Blog: http://wordtothewise.com/blog 
>
> -- 
> Brett Schenker
> Man of Many Things, Including
> 5B Consulting - http://www.5bconsulting.com 
> Graphic Policy - http://www.graphicpolicy.com 
> 
> Twitter - http://twitter.com/bhschenker 
> LinkedIn - http://www.linkedin.com/in/brettschenker 
> 
-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  








Re: [mailop] Penetration testing phishing emails

2017-08-01 Thread Steve Atkins

> On Aug 1, 2017, at 2:37 PM, David Harris  wrote:
> 
> Hi,
> 
> We have a potential customer in the business of doing penetration testing, 
> and they want to send penetration testing phishing emails authorized by a 
> target company to that company's own employees.
> 
> If we allowed this in our network, I would require:
> 
> (1) Evidence to our satisfaction that this was authorized by the target 
> company

In writing, from an officer of the target company, that satisfies your lawyers.

> 
> (2) An X- header explaining what they are doing with a link to find more info

Reasonable. I might also require the contact information for someone inside
the target company - if the security people go into lockdown mode, why should
they trust what a malicious third-party is telling them?

> 
> (3) Use of a from address at a domain name like 
> “whatever-company-name-is-phishing.com” -- which would have a web-page 
> explaining what they do

That would make the phishing much less likely to succeed, which is counter to
the point of pen-testing.

> 
> (4) The approval of our upstream's Abuse Desk.

That'll be a fun conversation. :)

> 
> I’m considering also requiring:
> 
> (5) Emails must be DKIM signed with a d= of the target company domain name.

If this is a pen-test (as opposed to an employee training exercise) that's a bit like
requiring your pen-tester to use the root passwords you give them. I'd push back
against that, if the enterprise email filters are part of what I were testing.

> 
> For example:
> 
> From: f...@whatever-company-name-is-phishing.com
> To: emplo...@example.com
> DKIM-Signature: … d=example.com ….
> 
> Thoughts? Are there best practices for something like this?

None of this is going to do much to mitigate the reputation impact on the IP address
range it's sent from, unless you've also managed to negotiate a free pass from all the mail
filtering and reputation providers used across the company.

Best practice is probably to do it from somebody else's network space. I'd be wary about
whether this is what your potential client intends.

Cheers,
  Steve


Re: [mailop] Penetration testing phishing emails

2017-08-01 Thread Michael Peddemors
While some pen testing companies who do that want to make it as 
realistic as possible (phishing emails, eg in the same manner a villain 
would do) it depends on the target employees that they are trying to 
'phish' test..


Normal employees are not sophisticated, and the content alone is enough.

Unless the pen testing company was testing another security company, or 
very tech savvy targets, I would do the following:


* Add a TXT record clearly showing the purpose.
* Use a separate domain/sub-domain
* Have the PTR record from the sending server CLEARLY spell out.
-- PTR pentest.legitimatedomain.com
* Ensure that there is an ab...@phishdomain.com
* Have accurate SWIP/rwhois for the IP in question, with clear COMMENT 
section

* Have the whois record for the phishdomain clearly show legitimacy
* Have an associated website matching the phishdomain.

However, in general the latter is probably part of the pen test.  Simply 
going to the site, might actually be the exploit, or it might add to the 
legitimacy.


A tough one.. but I would really suggest that you get a legal disclaimer 
from the target company, with the ability to confirm that the target 
indeed registered the disclaimer.


But of course, the 'obvious' question, is why they are looking to use 
your network ;)  If they are a pen testing company without their own IP 
space, did they just set up shop?


Social Engineering can be used just as easily against you, as the 
targets.. Sounds like something a Kevin Mitnick might invent..









--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] Penetration testing phishing emails

2017-08-01 Thread David Harris
Hi Steve,

On Aug 1, 2017, at 4:57 PM, Steve Atkins  wrote:
>> (2) An X- header explaining what they are doing with a link to find more info
> 
> Reasonable. I might also require the contact information for someone inside
> the target company - if the security people go into lockdown mode, why should
> they trust what a malicious third-party is telling them?

Great idea!

>> (5) Emails must be DKIM signed with a d= of the target company domain name.
> 
> If this is a pen-test (as opposed to an employee training exercise) that's a bit like
> requiring your pen-tester to use the root passwords you give them. I'd push back
> against that, if the enterprise email filters are part of what I were testing.

The goal is to test the employees, not the spam filtering or anti-phishing 
software.

One thing I forgot to mention is that our customer would request that the 
target company whitelist the sending IP addresses in their spam filter, if 
possible. This is in everyone’s best interest so that the employees see the 
message and have the opportunity to be tested.

Thank you,

David Harris




[mailop] Anyone Else notice a significant reduction in spam leakage from Gmail over last couple of weeks?

2017-08-01 Thread Michael Peddemors

Be interesting to know if they made changes, but no matter what..

"Kudos and hats off.."

Now if we can only convince them to have tighter SPF records ;)

Return-Path: 

Received: from aton.hk (HELO mail.aton.hk) (58.64.196.210)

(Don't worry, still goes to spam folder but.. would make it easier for everyone 
else)

(And if email operators would bite the bullet and force envelopeFrom that are 
on their servers.. )

Next one we want to see improvement on... (Oh, don't want to pick on them 
Michael)


 
--

"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.




Re: [mailop] Anyone Else notice a significant reduction in spam leakage from Gmail over last couple of weeks?

2017-08-01 Thread Brandon Long via mailop
Tighter how?
spf_checker_util: output header:   softfail (google.com: domain of
transitioning ptp...@gmail.com does not designate 58.64.196.210 as
permitted sender) client-ip=58.64.196.210;

You want it to just fail?  That would be silly, we expect people to
forward email.

I'll pass on your compliments.

Brandon

On Tue, Aug 1, 2017 at 3:42 PM, Michael Peddemors
 wrote:
> Be interesting to know if they made changes, but no matter what..
>
> "Kudos and hats off.."
>
> Now if we can only convince them to have tighter SPF records ;)
>
> Return-Path: 
>
> Received: from aton.hk (HELO mail.aton.hk) (58.64.196.210)
>
> (Don't worry, still goes to spam folder but.. would make it easier for
> everyone else)
>
> (And if email operators would bite the bullet and force envelopeFrom that
> are on their servers.. )
>
> Next one we want to see improvement on... (Oh, don't want to pick on them
> Michael)


Re: [mailop] Anyone Else notice a significant reduction in spam leakage from Gmail over last couple of weeks?

2017-08-01 Thread Michael Peddemors
Aside from the evils of forwarding, and the methods that are available 
to do that without running afoul of SPF.. that is an argument for 
another day.  Every modern email client now supports checking multiple 
mailboxes don't they ;)


...

host -t TXT gmail.com
gmail.com descriptive text "v=spf1 redirect=_spf.google.com"

host -t TXT _spf.google.com
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com 
include:_netblocks2.google.com include:_netblocks3.google.com ~all"


host -t TXT _netblocks.google.com
_netblocks.google.com descriptive text "v=spf1 ip4:64.18.0.0/20 
ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 
ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 
ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 
ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"


host -t TXT _netblocks2.google.com
_netblocks2.google.com descriptive text "v=spf1 ip6:2001:4860:4000::/36 
ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 
ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"


host -t TXT _netblocks3.google.com
_netblocks3.google.com descriptive text "v=spf1 ip4:172.217.0.0/19 
ip4:108.177.96.0/19 ~all"


Okay, I admit it is clearer and cleaner than many operators.. but are 
they ALL outgoing mail systems that should have an envelope from of 
@gmail.com?


(I think gmail.com should be separate from google.com, IMHO)

I would expect that most of those IP(s) should be relaying out the 
appropriate gmail servers.. Most of that 74.125.0.0/16 doesn't even have 
PTR records, so I am sure they are not used for sending email..


But yes, the -all would be nicer... ;)

By being able to reject during the SMTP handshake, it would also help 
alert the sending server's admins to a problem with compromised accounts..


But yeah, might be living in a dream world.. for a little bit yet.

I will take the step in the right direction for today, and tip my hat..








--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
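
The softfail result quoted in this exchange, and what a change to -all would do to it, can be reproduced offline from the TXT records pasted in the message above. This is an added example, not code from any poster or from Google: a minimal SPF evaluator covering only the terms those records use (ip4, ip6, include, redirect, all). The test addresses other than 58.64.196.210 and the `hard_fail` variant are assumptions chosen for illustration.

```python
import ipaddress

# SPF TXT records as quoted in the thread (2017 snapshot), embedded so the
# example runs offline. Live DNS may differ.
RECORDS = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": (
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": (
        "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
        "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 "
        "ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 "
        "ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"),
    "_netblocks2.google.com": (
        "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
        "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
        "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"),
    "_netblocks3.google.com":
        "v=spf1 ip4:172.217.0.0/19 ip4:108.177.96.0/19 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate `ip` against `domain`'s SPF record (subset of RFC 7208)."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:      # crude loop guard (RFC 7208 limits lookups to 10)
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the nested check returns pass; a nested
            # softfail or fail means "no match here" and evaluation continues.
            sub = check_host(ip, arg, records, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # a, mx, ptr, exists, macros: out of scope
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                        # used only when no mechanism matched
        result = check_host(ip, redirect, records, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"


def hard_fail(records=RECORDS):
    """Hypothetical variant of the quoted records with '~all' changed to '-all'."""
    return {d: r.replace("~all", "-all") for d, r in records.items()}


def authorized_ipv4(domain, records=RECORDS):
    """Count IPv4 addresses that evaluate to pass (ranges assumed disjoint)."""
    total = 0
    for term in records[domain].split()[1:]:
        if term.startswith("ip4:"):
            total += ipaddress.ip_network(term[4:], strict=False).num_addresses
        for prefix in ("include:", "redirect="):
            if term.startswith(prefix):
                total += authorized_ipv4(term[len(prefix):], records)
    return total


if __name__ == "__main__":
    for ip in ("58.64.196.210", "209.85.220.41", "74.125.1.1"):
        print(ip, check_host(ip, "gmail.com"),
              check_host(ip, "gmail.com", hard_fail()))
    print("IPv4 addresses authorized:", authorized_ipv4("gmail.com"))
```

The IPv4 count puts a number on how broad the quoted records are, which is the point raised about ranges such as 74.125.0.0/16.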



Re: [mailop] Anyone Else notice a significant reduction in spam leakage from Gmail over last couple of weeks?

2017-08-01 Thread Brandon Long via mailop
So, yes, our records cover our entire IP space, which is way more
than we have servers for, and that is unfortunate.  I've had an open
bug for a couple of years to fix this, but the _netblocks thing is
used by things other than SPF, so it's complicated.

-all is just plain silly.

If you want to reject, DMARC will do that, but we haven't even moved
gmail.com to p=reject, because the false positive rate would be too
high.  Maybe when ARC is finalized and gets more traction.

And although I realize a lot of folks like to pin things on IP
reputations, to separate the world... there are a lot of GSuite
customers, more than we are likely to want to use separate IPs for,
which is why we go through the trouble of having dkim/spf so that
hopefully you can use authenticated domains for your reputation
systems instead.  Especially in terms of IPv6 usage.

Brandon

On Tue, Aug 1, 2017 at 5:05 PM, Michael Peddemors
 wrote:
> Aside from the evils of forwarding, and the methods that are available to
> do that without running afoul of SPF.. that is an argument for another day.
> Every modern email client now supports checking multiple mailboxes don't
> they ;)
>
> ...
>
> host -t TXT gmail.com
> gmail.com descriptive text "v=spf1 redirect=_spf.google.com"
>
> host -t TXT _spf.google.com
> _spf.google.com descriptive text "v=spf1 include:_netblocks.google.com
> include:_netblocks2.google.com include:_netblocks3.google.com ~all"
>
> host -t TXT _netblocks.google.com
> _netblocks.google.com descriptive text "v=spf1 ip4:64.18.0.0/20
> ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18
> ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20
> ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
>
> host -t TXT _netblocks2.google.com
> _netblocks2.google.com descriptive text "v=spf1 ip6:2001:4860:4000::/36
> ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36
> ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
>
> host -t TXT _netblocks3.google.com
> _netblocks3.google.com descriptive text "v=spf1 ip4:172.217.0.0/19
> ip4:108.177.96.0/19 ~all"
>
> Okay, I admit it is clearer and cleaner than many operators.. but are they
> ALL outgoing mail systems that should have an envelope from of @gmail.com?
>
> (I think gmail.com should be separate from google.com, IMHO)
>
> I would expect that most of those IP(s) should be relaying out the
> appropriate gmail servers.. Most of that 74.125.0.0/16 doesn't even have PTR
> records, so I am sure they are not used for sending email..
>
> But yes, the -all would be nicer... ;)
>
> By being able to reject during the SMTP handshake, it would also help alert
> the sending server's admins to a problem with compromised accounts..
>
> But yeah, might be living in a dream world.. for a little bit yet.
>
> I will take the step in the right direction for today, and tip my hat..
>
>
>
>
>
> On 17-08-01 04:37 PM, Brandon Long wrote:
>>
>> Tighter how?
>> spf_checker_util: output header:   softfail (google.com: domain of
>> transitioning ptp...@gmail.com does not designate 58.64.196.210 as
>> permitted sender) client-ip=58.64.196.210;
>>
>> You want it to just fail?  That would be silly, we expect people to
>> forward email.
>>
>> I'll pass on your compliments.
>>
>> Brandon
>>
>> On Tue, Aug 1, 2017 at 3:42 PM, Michael Peddemors
>>  wrote:
>>>
>>> Be interesting to know if they made changes, but no matter what..
>>>
>>> "Kudos and hats off.."
>>>
>>> Now if we can only convince them to have tighter SPF records ;)
>>>
>>> Return-Path: 
>>>
>>> Received: from aton.hk (HELO mail.aton.hk) (58.64.196.210)
>>>
>>> (Don't worry, still goes to spam folder but.. would make it easier for
>>> everyone else)
>>>
>>> (And if email operators would bite the bullet and force envelopeFrom that
>>> are on their servers.. )
>>>
>>> Next one we want to see improvement on... (Oh, don't want to pick on them
>>> Michael)

Re: [mailop] Penetration testing phishing emails

2017-08-01 Thread Michael Rathbun
On Tue, 1 Aug 2017 16:37:55 -0500, David Harris  wrote:

>Thoughts? Are there best practices for something like this?

I will note that, when Microsoft Global Security tried their own version of
this a few years back, intending to gauge the degree to which the employee
population would fall for phishing, they neglected to alert us, and discovered
that the spam analysts had shut down the entire project within about ten
minutes.  Had we known what they wanted to test, we would have looked on with
interest and provided some performance metrics for them.

mdr
-- 
There's a funny thing that happens when you know the correct
answer.  It throws you when you get a different answer that
is not wrong.-- Dr Bowman (Freefall)

