Re: [mailop] DMARC processing

2023-12-19 Thread Jesse Thompson via mailop
On Tue, Dec 19, 2023, at 7:20 PM, Tara Natanson via mailop wrote: > On Tue, Dec 19, 2023 at 3:29 PM Eduardo Diaz Comellas via mailop > wrote: >> Hi all, >> >> Thanks all for the suggestions. I will give a try to some of them to >> see if they are a good fit for our usage case. >> >> We handle

Re: [mailop] scam prevention

2020-12-08 Thread Jesse Thompson via mailop
On 12/8/20 11:26 AM, mailop@mailop.org wrote: > But if it did happen - be ready for the chorus of... "But it used to show the > person's name, why did it change?  Can you change it back?" That's what I assumed too. However, the complaints are extremely low for us (we do employ a nuanced approach

Re: [mailop] scam prevention

2020-12-08 Thread Jesse Thompson via mailop
On 12/8/20 10:41 AM, mailop@mailop.org wrote: > On 12/8/20 5:13 AM, Tim Bray via mailop wrote: > I *REALLY* dislike the idea.  I think it is fundamentally flawed, in a mostly > non-technical way. ... > This one of the reasons why I hate the idea of not showing the full email > address in email c

Re: [mailop] Effeciveness (or not) of SPF

2020-12-08 Thread Jesse Thompson via mailop
On 12/8/20 1:02 AM, Hans-Martin Mosner via mailop wrote: > Am 07.12.20 um 23:51 schrieb Thomas Walter via mailop: >> >> I fully agree, but gmail is a bad example, because they actually support >> importing remote mailboxes with pop3 which does not require forwarding. >> We never tried that, but it

Re: [mailop] O365 contact (or suggestions)

2020-11-06 Thread Jesse Thompson via mailop
It's more about Azure AD, so getting the case routed to that team is probably best. Typically, you need premier support to get decent engagement from Microsoft. I'm not sure what kind of process they have to prove tenant ownership in that situation, but I imagine it's a manual sort of verifica

Re: [mailop] sendgrid.net

2020-10-05 Thread Jesse Thompson via mailop
On 10/5/20 6:02 PM, Eric Tykwinski via mailop wrote: > I’m not sure about SendGrid per se, but Twilio is mainly an API provider, so > full OAUTH, private keys, et al, as I’m a customer of their SMS, phone > service, et al. > As far as I know SendGrid is the same, but not saying that hacked websi

Re: [mailop] sendgrid.net

2020-10-05 Thread Jesse Thompson via mailop
On 9/25/20 11:26 AM, Jay Hennigan via mailop wrote: > Even before the phishing became overwhelming they were a significant source > of spam, primarily "targeted" via purchased lists. For at least the past six > months the phishing has been overwhelming. While they claim to be working on > the pr

Re: [mailop] [External] Re: How to do Outbound Relay from M365 previously O365

2020-09-18 Thread Jesse Thompson via mailop
On 9/18/20 9:49 AM, Kevin A. McGrail via mailop wrote: > On 9/18/2020 10:18 AM, Ken O'Driscoll via mailop wrote: >> You need to set up mail flow connectors in Exchange Online. Authentication >> is certificate and/or IP based. >> >> I think this explains it fairly well:  >> https://docs.microsoft.c

Re: [mailop] Just how does SendGrid fail this badly?

2020-08-20 Thread Jesse Thompson via mailop
Most ESPs allow forging of arbitrary domains (usually requiring just an email loop verification *to* any address in the domain).  It's good for business.  Their customers don't understand SPF/DKIM/DMARC, in their defense.   Plus, it's technically a misdeployment for any domain to publish DMARC i

Re: [mailop] Microsoft Outlook "Modern Authentication"?

2020-06-18 Thread Jesse Thompson via mailop
On 6/17/20 11:15 PM, Dave Warren via mailop wrote: > A bit late, sorry. > > On Tue, Jun 2, 2020, at 04:55, Ken O'Driscoll via mailop wrote: >> On Thu, 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote: >>> Does anyone know if there is any alternative to Outlook to access >>> >>> Exchang

Re: [mailop] Sendgrid and phishing

2020-06-17 Thread Jesse Thompson via mailop
On 6/17/20 1:50 PM, Robert L Mathews via mailop wrote: > Several months ago I suggested (among other things) that SendGrid block > "From" headers matching prominent domain names until the messages have > been manually reviewed. The fact that "don't let random customers send > mail saying it's from

Re: [mailop] Abusix Potentially Compromised Account Report

2020-05-20 Thread Jesse Thompson via mailop
On 5/19/20 5:51 AM, Thomas Walter via mailop wrote: > On 19.05.20 12:01, Jaroslaw Rafa via mailop wrote: >> A shared account by itself is a security loophole. > Why is that? You can perfectly share an account with IMAP4 Access > Control Lists. > > The issue is not the shared account, the issue is

Re: [mailop] Abusix Potentially Compromised Account Report

2020-05-18 Thread Jesse Thompson via mailop
Finally got one! I expect these reports to be largely a lagging indicator of 3rd party password dumps, reflecting a certain subset of credential stuffing scenarios. I don't think anyone in our organization is comparing all available breached password hashes to local hashes, so it's nice to s

Re: [mailop] mailbox auth for system integration

2020-02-10 Thread Jesse Thompson via mailop
On 2/10/20 2:24 PM, Brandon Long wrote: On Mon, Feb 10, 2020 at 11:56 AM Jesse Thompson via mailop <mailop@mailop.org> wrote: On 2/7/20 6:31 PM, Brandon Long via mailop wrote: > > > On Fri, Feb 7, 2020 at 4:07 PM Philip Paeps via mailop

Re: [mailop] mailbox auth for system integration

2020-02-10 Thread Jesse Thompson via mailop
ot more hoops", but I think that for the remaining system integration use cases I'll need to shop around for a smaller mailbox provider that is willing to commit to supporting basic auth (along with necessary security controls to mitigate against credential abuse) for the medium te

[mailop] mailbox auth for system integration

2020-02-07 Thread Jesse Thompson via mailop
Microsoft O365 and Google G Suite are both retiring basic authentication for client access to mailboxes. As a result, ALL clients will need to support OAuth on a very short timeline. End-user MUAs aside, I'm worried about systems that rely on a mailbox for integration (RT, and the like). I su

Re: [mailop] [FEEDBACK] Approach to dealing with List Washing services, industry feedback..

2020-01-16 Thread Jesse Thompson via mailop
On 1/6/20 2:04 PM, John Johnstone via mailop wrote: > It is interesting how quiet it is on this topic. IMO, that's because it falls into the "I know it when I see it, but I can't realistically prevent it" category. Legitimate marketers (for example, some people within my own institution) have a

Re: [mailop] IMAP clients that support OAUTH

2019-09-24 Thread Jesse Thompson via mailop
Looks like Office 365 is about to implement it https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Improving-Security-Together/bc-p/870818#M27214 Jesse From: mailop on behalf of Jesse Thompson via mailop Sent: Saturday, August 24, 2019 11:37 PM

Re: [mailop] seeking Samsung contact

2019-09-04 Thread Jesse Thompson via mailop
Somewhat related: we had a similar problem with Gmail's "send mail as" autoconfig for our SMTP MSA. The wrong info wasn't coming from our SRV records, our autoconfig service, our autodiscover service, and it wasn't using mail. or any other well-known. IIRC Google front-line support claimed t

Re: [mailop] IMAP clients that support OAUTH

2019-08-24 Thread Jesse Thompson via mailop
hink someone wrote a sasl module for it, but I didn't pursue that one Brandon On Sat, Aug 24, 2019, 6:59 PM Jesse Thompson via mailop <mailop@mailop.org> wrote: Is the list of IMAP clients that support OAUTH here https://en.m.wikipedia.org/wiki/Compari

[mailop] IMAP clients that support OAUTH

2019-08-24 Thread Jesse Thompson via mailop
Is the list of IMAP clients that support OAUTH here https://en.m.wikipedia.org/wiki/Comparison_of_email_clients up to date?

Re: [mailop] Block spam at smtp time, but then still forward to users spam box

2019-05-23 Thread Jesse Thompson via mailop
After much internal debate (about a year ago) we started rejecting high rated spam for a variety of motivations, and we do not also deliver to the recipient like your colleague proposes. We make one-off exceptions, and the only general exception is if the message is sent from a list, since we d

Re: [mailop] Mailing list with From header munging... and Outlook

2019-03-16 Thread Jesse Thompson via mailop
ith From header munging... and Outlook To: Brandon Long, Jesse Thompson Cc: mailop@mailop.org On Fri 15/Mar/2019 23:46:13 +0100 Brandon Long via mailop wrote: > On Fri, Mar 15, 2019 at 2:54 PM Jesse Thompson via mailop wrote: >> >> As it stands now, these "conditional" is

Re: [mailop] Mailing list with From header munging... and Outlook

2019-03-15 Thread Jesse Thompson via mailop
On 3/13/2019 10:53 PM, Paul Gear via mailop wrote: > On 12/3/19 11:48 pm, Jesse Thompson via mailop wrote: >> On 3/12/2019 1:50 AM, Benjamin BILLON wrote: >>> So, the question is rather why Jesse and Michael's messages contain a >>> Reply-To: header, and not your

Re: [mailop] Mailing list with From header munging... and Outlook

2019-03-12 Thread Jesse Thompson via mailop
d > > Aloha, > > Michael. > > -- > > *Michael J Wise* > MicrosoftCorporation| Spam Analysis > > "Your Spam Specimen Has Been Processed." > > Got the Junk Mail Reporting Tool > <http://www.microsoft.com/en-us/download/details.aspx?id=18275

Re: [mailop] Mailing list with From header munging... and Outlook

2019-03-12 Thread Jesse Thompson via mailop
On 3/12/2019 3:36 AM, Alessandro Vesely wrote: > On Tue 12/Mar/2019 02:43:38 +0100 Neil Jenkins wrote: >> On Tue, 12 Mar 2019, at 09:26, Jesse Thompson via mailop wrote: >>> When someone reply-alls to a munged message it only composes a message to >>> the >>>

Re: [mailop] Mailing list with From header munging... and Outlook

2019-03-12 Thread Jesse Thompson via mailop
On 3/12/2019 1:50 AM, Benjamin BILLON wrote: > So, the question is rather why Jesse and Michael's messages contain a > Reply-To: header, and not yours. > > (What will my contain? Surprise surprise! Using Outlook) Well, splio.com publishes p=none, so this list isn't munging it, as expected. Thi

[mailop] Mailing list with From header munging... and Outlook

2019-03-11 Thread Jesse Thompson via mailop
Hi all, We're making a push to get mailing lists to implement header munging because of gov domains adopting DMARC p=reject. Does anyone know what's up with Outlook (Office 365 Pro Plus) when "Reply All" is used? When someone reply-alls to a munged message it only composes a message to the Re

Re: [mailop] Microsoft SPF failing our email internally against their own servers

2018-11-08 Thread Jesse Thompson via mailop
Microsoft is rewriting the MAIL FROM to the primary address of the mailbox for forwarded mail, which allows SPF to pass (and also works with hybrid outbound routing, assuming your outbound MTAs are listed in SPF for all of your domains). But they don't rewrite the From header, so that breaks DM

Re: [mailop] Microsoft SPF failing our email internally against their own servers

2018-11-08 Thread Jesse Thompson via mailop
I would bet it has to do with the way you set up your inbound and outbound connectors in your Exchange Online tenant. You should not need to include EOP in your SPF (although IIRC there is no way to set up hybrid routing for OOFs) We had some tenant-tenant routing issues in 2015 due to the way

Re: [mailop] Business justification for DNSSEC?

2018-10-18 Thread Jesse Thompson via mailop
On 10/16/18 7:08 AM, Patrick Ben Koetter wrote: > * Brotman, Alexander : >> OPENPGPKEY and SMIME/A also use DNSSEC, if you're interested in those >> protections for your users. > > Though either, OPENPGPKEY and SMIMEA, have seen wide adoption yet. And > although we wrote smilla

[mailop] Business justification for DNSSEC?

2018-10-15 Thread Jesse Thompson via mailop
Opportunistic DANE TLS 2) Require TLS Option 3) Inter-domain SMTP with TLSA - MX lookup checks, SMTP server checks Technologies that are explicitly working around the lack of DNSSEC: 4) MTA-STS 5) STARTTLS Everywhere Thanks, Jesse Thompson University of Wisconsin-Madison

Re: [mailop] DMARC p=quarantine pct=0

2018-04-16 Thread Jesse Thompson
On 4/9/2018 8:50 PM, Philip Paeps wrote: On 2018-04-09 11:09:37 (-0500), Jesse Thompson wrote: The amount of DMARC data for a large decentralized university is daunting, so my approach is to compartmentalize issues that can be addressed. Thank you for collecting and analysing this data

Re: [mailop] DMARC p=quarantine pct=0

2018-04-09 Thread Jesse Thompson
On 4/9/2018 1:19 PM, Aaron Richton wrote: On Mon, 9 Apr 2018, Jesse Thompson wrote: 2) When people start seeing headers rewritten we can use that as an attention mechanism to make people aware of email authentication as a concept, and convince people to tackle the other indirect mail flow

Re: [mailop] DMARC p=quarantine pct=0

2018-04-09 Thread Jesse Thompson
of other servers accepting your legitimate email might depend on setting up DMARC to clean out the garbage... Brandon On Fri, Apr 6, 2018 at 10:48 AM Jesse Thompson <jesse.thomp...@wisc.edu> wrote: Well, that's the crux of the issue.  If I make this change and

Re: [mailop] DMARC p=quarantine pct=0

2018-04-06 Thread Jesse Thompson
s than correct.  In this case, it'll just mean that mail that doesn't pass will more likely be marked as spam, so it's probably mostly safe if you've gotten most of your sources covered.  And let me know, I can hassle them again if it's broken again. Brandon

Re: [mailop] DMARC p=quarantine pct=0

2018-04-06 Thread Jesse Thompson
er Google Groups. On Thu, Apr 5, 2018 at 7:00 PM, Jesse Thompson <jesse.thomp...@wisc.edu> wrote: Does anyone know of any negative side effects of setting a DMARC policy: p=quarantine pct=0 ? Is it equivalent to: p=none ? I'm curious because I want to tr

[mailop] DMARC p=quarantine pct=0

2018-04-05 Thread Jesse Thompson
Does anyone know of any negative side effects of setting a DMARC policy: p=quarantine pct=0 ? Is it equivalent to: p=none ? I'm curious because I want to trigger Google Groups (and maybe others list forwarders?) to rewrite the From in a DMARC compliant fashion *prior* to changing the domain's

Re: [mailop] Microsoft IPs automatically unsubscribing recipients?

2018-02-27 Thread Jesse Thompson
On 2/27/2018 4:34 PM, Aaron Richton wrote: On Tue, 27 Feb 2018, Jesse Thompson wrote: Then, I guess, why not POST (or GET) the unsubscribe link anyway?  If the user indicated a desire for a facilitated unsubscribe, why not try? The major issue in this situation is that the users *didn&#

Re: [mailop] Microsoft IPs automatically unsubscribing recipients?

2018-02-27 Thread Jesse Thompson
On 2/23/2018 3:25 PM, Grant Taylor via mailop wrote: On 02/23/2018 12:28 PM, David Carriger wrote: Can you tell if the URL accesses are GETs or POSTs? Do you action on your one-click-unsubscribe based on GETs?  -  I thought one-click-unsubscribe was purposefully supposed to require POSTs to av

Re: [mailop] Salesforce - ensuring DMARC passes and aligned

2018-01-31 Thread Jesse Thompson
. If you're a Salesforce client, you should ultimately reach out to Salesforce support to ask them to advise as to what's doable within the specifics of your setup. Cheers, Al Iverson On Mon, Jan 29, 2018 at 3:21 PM, Jesse Thompson wrote: Does anyone know if you can set up Salesforc

[mailop] Salesforce - ensuring DMARC passes and aligned

2018-01-29 Thread Jesse Thompson
Does anyone know if you can set up Salesforce to use only a subdomain for DMARC compliance? Their docs seem to indicate that there isn't a way to control the use of domains used in the From header. I don't think that the Sender ID approach in their documentation is ideal, and the Email Relay

Re: [mailop] SPF/DMARC and subdomains

2017-09-07 Thread Jesse Thompson
What about the idea of extending DMARC to allow a domain owner to publish a policy that says "All email using my domain in the SMTP Mail From must be aligned to the From: header domain." DMARC already has the subdomain policy capability, and alignment could be achieved using DKIM or SPF for le

Re: [mailop] Gmail's postmaster tools

2015-07-14 Thread Jesse Thompson
On 7/9/2015 7:12 PM, Brandon Long wrote: Unfortunately, it re-uses the webmaster tools domain ownership stuff, so Interesting side effect: as soon as you verify ownership, Google immediately sends any active webmaster alerts for your domain to you. An identical alert about a suspected hacked

Re: [mailop] Gmail's postmaster tools

2015-07-14 Thread Jesse Thompson
On 7/13/2015 8:13 PM, John R Levine wrote: Google's record doesn't affect SPF. Look at section 4.5 of RFC 7208, and you'll see that SPF takes all of the records returned for the TXT lookup, and only picks the one that starts with v=spf1. Other records are ignored and don't count toward the look

Re: [mailop] Gmail's postmaster tools

2015-07-13 Thread Jesse Thompson
Can the TXT record be removed after Google's verification? On 7/10/2015 1:08 PM, Franck Martin wrote: I suggest all using the CNAME capability to avoid to overload the TXT record at the root, which will create some issues with your SPF. Suddenly the TXT query does not fit in a single DNS packet.