> Executables should be blocked in order to minimize the attack surface
> but most of the droppers are embedded in office documents or pdf files.
> They rely on features of these file formats that are quite rarely
> used in legit documents: process execution, filesystem access,
> internet access, e
This code for Exim blocks compromised accounts automatically:
https://github.com/Exim/exim/wiki/BlockCracking
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
> From: Benoit Panizzon
> we mainly get the usual problems with customers who hand out their
> email credentials in reply to phishing emails or get trojans that steal
> them from their computers.
>
> To mitigate those problems we have implemented those mechanisms:
> * If count(IP) in delta time >
> From: Brandon Long
> Messages are delivered or bounced with zero exceptions
Can messages be bounced after being accepted by Gmail (DSN/NDR)?
If yes then why not reject during SMTP session instead?
> From: Eric Tykwinski
> This is where I wish there was some standardization of bounce messages.
> If email server operators could receive reports of X number of bounces
> reliably it may cut down on the number of compromised accounts considerably,
> by scripting some sort of shutdown of the accoun
> From: chris
> We are simply trying to
> design our systems so that when something happens like a customers account
> getting compromised that once we can stop the cause that we can get the
> customers mail flowing again and they aren't stuck waiting hours and days
> for each RBL to remove the li
> From: Michael Wise
> The account has probably already been killed.
I doubt that. I quoted entire header and the one-line body, but:
==
Date: Fri, 4 Sep 2015 22:03:03 +0300
From: l...@lena.kiev.ua
To: ab...@microsoft.com
Subject:
> From: "John Levine"
> RFC 5782 says that a live DNSxL does list 127.0.0.2 to show that it's
> alive, and does not list 127.0.0.1 to show that it's not wildcarded.
> We published that in 2010 but it was in draft form for quite a while
> before that. For IPv6 BLs, you list :::127.0.0.2 and do
> > 'HELO [65.55.234.213]' or 'EHLO [65.55.234.213]' .. perfectly legal but
> > something malware and bots do as well..
>
> While HELOing like this that might be perfectly "legal", this is
> something which is probably going to be blocked as well by many/most
> servers.
I selectively greylist in
> I'm curious if someone can explain why a few sites
> have a "local_policy" that overrides our DMARC settings.
Perhaps because DMARC breaks discussion mailing lists
like this one.
> From: Aleksandr Miroslav
> I have one domain that I use for my wife's family. Let's call it
> family.example.org. I have 6 lists on family.example.org. The largest of
> these have 7 people on it, the rest are about 3-4 people.
>
> The 7 member list is the main one we use to keep in touch with m
> From: Brandon Long
> To whitelist abuse@domain, you would need to:
> This won't disable our blatant spam blocking at SMTP time, however. And
> there is no way to disable the antivirus blocking either (I see some folks
> who complain about that as well).
I think that by default addresses abuse
> Another issue in that is the choice to send mail over IPv6. This has
> well-known risks of running into more draconian filtering than sticking
> with IPv4, and the operators of the mailing lists system have clearly
> NOT considered those risks or their mitigation.
> Mailing list managers should
> I don't know where
> to buy the brand of LSD that they did at UC Berkeley when they wrote this,
> in order to make m4 make sense.
They chose incomprehensible m4 in order to coerce you to buy support from them.
> From: Cyril - ImprovMX
> It turns out that one of their links in the email is broken into multiple
> lines (following the RFC on that)
Solution: don't follow the RFC on that, don't break into multiple lines.
If you use Exim then in transports
driver = smtp
.ifdef _OPT_TRANSPORT_SMTP_MESSAGE_LI
> You will still run into a fair number of systems that still see % as
> an attempt to do source routing and reject the message.
Including default Exim config:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_default_configuration_file.html
denydomains = !+local_domains
> From: Slavko
I'm curious: do you get many legitimate connections to tls_on_connect port 465
(instead of STARTTLS 587)?
Do you tell your users how to use 587, 465 or both?
Two examples:
co.uk
bk.ru
Looks similar, right? But there are multiple domains under .co.uk
belonging to multiple different corporations, like under .com
bk.ru belongs to single corporation (it owns also mail.ru).
If a mailbox provider wants to spam-filter by domain, they have to use
a list of su
Russian government blocked ProtonMail and SmartMail -
not only web-interfaces, but port 25 too.
[root@lena ~]# telnet mail.protonmail.ch 25
Trying 185.70.40.103...
telnet: connect to address 185.70.40.103: Connection refused
I'm moving my VPS outside Russia.
Talks about fake bomb threats
> Either links to existing material or specific stuff written for pages
> on would be welcome.
Blocking of compromised mail accounts (for Exim):
https://github.com/Exim/exim/wiki/BlockCracking
> I have searched a few emails, but fail to see why they would be a
> target. Maybe only a few of them are the real targets, with other
> addresses being added in order to conceal those?
I suspect that the bot is spamming random web-forms
like various bots try to spam my guestbook with ads with li
According to Юлия П. in Abuse Team Mail.ru,
they'll not change their new unannounced policy:
messages from mailing lists (at groups.io) from authors @yandex.ru
are rejected by mail.ru though DMARC for yandex.ru is p=none.
Thus, mail.ru became unusable for all people who participate
in discussion m
> My guess is that the solution is to have your mailing list software
> (groups.io) use the mailing list address in the 5322.From
> (like how this list works)
No, I'll tell list members to ditch mail.ru
and use Gmail or @yandex.ru instead (with more reasonable policies).
Unless the mail.ru admin
> From: Alessio Cecchi
> we are an email hosting provider, and as you know many users use weak
> passwords, or have a trojan on their PC that stole their password, which
> is used to send spam or do some kinds of fraud.
>
> We already have a "script" that checks, from log files, the country o
> From: Jaroslaw Rafa
> "low reputation of the sending domain"
I'm afraid that it'll be the same for any free domain name
(because of abuse by spammers). Unfair, yes.
But possibly content of your emails causes Gmail users to click "Spam"
more often than caused by average user stupidity.
Or you
> From: Marcel Becker
> We only send FBL/CFL reports if the user actually hits the "Report as Spam"
> button in our apps.
In the past yahoo sent FBL when the user deletes a message from Spam folder,
including "delete everything". Maybe even when messages expire.
I'd not be surprised if this beh
> From: "Sebastian Nielsen"
> for example *.xyz is a big spam hole... Don't know why spammers love
> that TLD, but 99.99 % from that TLD is spam. Would want to see *.xyz
> eradicated from the whole internet...
I communicated with 6 honest people with email addresses *.xyz
> The good folks at SecurityTrails figured out a few months ago that the
> presence of the RoundCube webmail product counts as "phishing against
> the generic brand of email" (I shit you not)
By default RoundCube doesn't include originating-IP into headers
of outgoing emails. Default means vast ma
Kai Siering wrote on [mailop]:
> how about starting internal discussions within that community
> to include a default rejection of any mail from @t-online.de
> in Exim's default configuration?
> As nearly no-one who is deploying Exim
> (or Postfix, Sendmail for that matter)
> will be able to *sen
> T-Online clearly states in their terms and conditions that they will
> block servers who perform sender verification towards them.
Then a different check:
deny condition = ${if or{\
{eqi{$sender_address_domain}{t-online.de}}\
.ifdef _HAVE_LOOKUP_DNSDB
{forany{${lookup dnsdb{>: defer_nev
m<1 die in_peace else wreck havoc
>
> ?
I don't know why, but Exim's ${readsocket works without the "quit":
[root@lena ~]# time exim -be '${readsocket{inet:mx00.t-online.de:25}{}{2s}}!'
220-mailin78.mgt.mul.t-online.de T-Online ESMTP receiver fssmtpd ready.
22
> Just ban *.top, *.xyz, *.club, *.shop, *.buzz, *.work
>
> Ban it in both rDNS, MFROM and Mime From.
I communicated with 6 honest people with email addresses *.xyz
I emailed abuse()hetzner.com:
=
Your user at 136.243.150.82 hosts malware to exploit vulnerability in
mail (SMTP) servers. In the log of my Exim:
2023-01-17 00:33:40 +0200 SMTP call from newcloud.thevinylspectrum.com (x)
[104.200.146.132] dropped: too many syntax or protocol errors (last co
> > > They have SPF, but no DKIM (NXDOMAIN for the _domainkey.bsi.de)
> > > Or did I miss something?
> >
> > The DKIM keys would be at ._domainkey.bsi.de
>
> Yes, but as long as the parent of *any* selector does not exist, there
> is a very good chance that no selector exists.
>
> If the q
> If the DNS name xxx._domainkey.example.com exists, then
> _domainkey.example.com exists too.
dig 3._domainkey.lena.kiev.ua txt
3._domainkey.lena.kiev.ua. 66633 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb...
dig _domainkey.lena.kiev.ua txt
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5741
> That (sub)domain is not DNSSEC signed, thus it will work with
> (many) recursive resolvers for some time. DNSSEC mandates
> NoDATA for empty non terminals, thus there can be problem
> once it becomes signed (and SW and/or admin will not be
> upgraded).
Okay, I created a TXT record for the parent
> From: "Gellner, Oliver"
> when I grep Microsoft DMARC reports for temperror, there are hundreds of
> hits. Nevertheless I don't see why you should change your policy because
> one recipient is unable to reliably operate a DNS client.
> dm-jobs.com
> dmglobal4
> temperro
> From: "L. Mark Stone"
> FWIW, for a while now we have been outright blocking all email from any
> subdomain of onmicrosoft.com
> If anyone has an example of how what we are doing would lead to a false
> positive, I would be grateful to know please.
One of my 3500 customers uses email address
> only 24 hours after setting it up on a brand new
> ip address at port 587 I am already getting sasl auth brute force
> attempts from about 15 different servers.
Did they all try to send a message or closed or dropped the connection
after your software accepted the password?
I'd be curious to l
Hi Mark,
> We're seeing instances of emails being rejected by Microsoft with DKIM
> errors, and I have no idea why. It's happening to maybe 1% of the email we
> send to Microsoft properties (outlook.com, hotmail.com, live.com, etc).
> For a given list message, if it
> fails for one Microsoft reci