Return-Path:
Received: from smtpout06.a1.net (HELO smtpout06.a1.net) (80.75.33.6)
...
From: "myGov-alert"
Anyone know the A1 People? They should restrict MAIL FROM to only
addresses on their email server? (IP sending this was on their own
networks as well)
Should be a reminder to everyon
On 2019-09-19 8:35 a.m., Al Iverson via mailop wrote:
Thus there are three categories of subscriber responses:
- Clicked on unsub link or "no" button. Stop mailing.
- Clicked on opt-in link or "yes" button. Continue mailing.
- Did nothing. Send one reminder mail asking them again to opt-in in
7-1
Seeing reports dated as of Aug 31, purportedly from our IP(s), however
the attachments show obviously that the source was not from our IP(s).
Headers look totally messed up, but for instance getting reports to us,
that originated from A2 Hosting through MailChannels.. back on Aug 31..
Yet the
lly we
can get to the bottom of this.
One of my colleagues will reach out to you off list.
Regards,
Adrian
On 24 Sep 2019, at 15:12, Michael Peddemors via mailop
wrote:
Seeing reports dated as of Aug 31, purportedly from our IP(s), however the
attachments show obviously that the source w
Hehe.. don't feel bad, we have even seen receipts for our Spam
Protection product(s) end up in their spam folders sometimes..
If it isn't because you are missing an SPF record for your domain, it is
likely content.. we can send the same message with a few lines stripped
and it will get through
On 2019-10-07 8:18 a.m., Paul Smith via mailop wrote:
On 07/10/2019 15:47, Graeme Fowler via mailop wrote:
Also you're on OVH, about which a quick look through the list's
archives will possibly prove instructive. It's reasonably likely (as
likely as not) that you're running on an IP in a neig
On 2019-10-07 8:43 a.m., Scott Techlist via mailop wrote:
I'm watching this thread with a lot of interest. I believe I saw where the OP
was referred here on the Postfix list where those guys expected the OP to get
some more technical help instead of get a better rep :)
Recently my server has
Either it is a 'bounce' attack, or extensive compromises across their
networks..
EHLO command received, args: li195-97.members.linode.com
MAIL command received, args: FROM:<> BODY=8BITMIME
Doesn't really bother us, nothing getting to in boxes, but pretty
extensive. You might want to be a litt
Speaking of Hetzner, any comments on the recent spate of widespread usage
of the amazon.com, 163.com, jobs.com on your networks?
Are these compromises, bad sign-ups, or some actual other usage patterns?
On 2019-10-21 6:51 a.m., Hetzner Blacklist via mailop wrote:
My job involves (trying to) m
On 2019-10-22 8:26 a.m., Hetzner Blacklist via mailop wrote:
Bad sign-ups, there's been an uptick of that in the past ~2 weeks.
We usually find and kick them out within a few hours, but if you see
anything showing up in your logs for more than 24 hours, you're very
welcome to contact me.
On 22
As long time readers of this list know, I like to once in a while share
what we are seeing happening in the world, from our Spam Auditor reports
and other data sets..
Have to start off by saying, we have seen a marked drop in spam leakage
from GMAIL over the last couple of weeks, and while it
Just thought I would pass on the nature of a spam outbreak we are seeing
from them... Please reach out off list..
--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.li
Quiet Holiday Monday.. Lest We Forget..
Compromise IoT devices:
But it seems that the Emotet guys went into full gear on a spam run this
weekend, unlikely to affect most people other than adding load to the
servers, or perform list washing.. but the big jump is noticeable.. this
one report met
On 2019-11-23 11:05 a.m., Tom Ivar Helbekkmo via mailop wrote:
"Rolf E. Sonneveld via mailop" writes:
What would be a good strategy for this customer to update his list of
contacts?
In the olden days, one would simply write a script, using expect(1) or
similar, to go through the addresses, c
Just in case you are wondering about a large increase in DUL sourced
spam overnight, (and of course, most systems probably stop the bulk of
it), it appears to be a Windows based bot, that is sending..
MAIL FROM: @marketplace.amazon.in
Interestingly, no SPF records for "marketplace.amazon.in"
While it is a wonderful long weekend for our friends in the US, the rest
of us have probably been working, instead of shopping and often that
work is dealing with the increase in both spam and bulk marketing, and
often phishing hiding in both.. usually long weekends are favorite times
for the n
On 2019-12-02 3:59 p.m., John Levine via mailop wrote:
I warned a guy away from Hetzner and OVH if he wants to send mail so he
reasonably asked what VPS provider in Europe is better for sending mail.
Any suggestions?
Also, how different is it if at OVH and Hetzner if you use their outbound
mail
On 2019-12-02 4:53 p.m., Steve Holdoway via mailop wrote:
December 3, 2019 1:46 PM, "Luis E. Muñoz via mailop" wrote:
On 2 Dec 2019, at 15:59, John Levine via mailop wrote:
I warned a guy away from Hetzner and OVH if he wants to send mail so he
reasonably asked what VPS provider in Europe
Anyone know if there is any value in the X-HM-Spam-Status values?
It isn't a base64 string, so it must be a proprietary string, but
wondering if it actually has any value for receivers, to see if 163.com
has already flagged the outgoing message as likely spam..
Received: from m176116.mail.qiye
Thanks Al for posting this..
As a rule, everyone should be deprecating port 110/143 for
authentication and using the SSL/TLS versions..
Hopefully, this will help convince all other ISP's to at least do that.
-- Michael --
And of course, a quick pitch on email clients should consider
Hi All,
This is my last friendly post for 2019, as you know I like to
occasionally remark on the state of things and what we see as emerging
trends that our Spam Auditing team picks up..
For those who don't want to read the whole thing, this is my chance to
wish EVERYONE a very prosperous 20
Our team received an alert message, but that ended up in the spam
folder.. Out of curiosity had them look at it, originally assumed it was
the attached message that triggered it.. but ended up being the FBL
message itself.
The header from is :feedbackl...@rackspacefbl.senderscore.net", however
Our team is discussing this internally, and curious about others
position on addressing list washing services.. Some are better than
others of course, identifying themselves correctly..
But then there are those on Digital Ocean or AWS that use throwaway
domains, or no clear identifiers..
Whi
A new round of Digital Ocean badness appears to be starting up...
Thought it worth the heads up.. (Eg, SendGrid)
Of course, these are probably phishing attempts.. Fake Bounce mails..
Fake Pill Spammer, really spammy format..
Malformed headers etc..
But might affect your reputations.. ongoing as
Oh, and forgot to mention the payload..
https://storage.googleapis.com/rr-m/insta%20oth%20o.html
On 2020-01-16 8:32 a.m., Michael Peddemors via mailop wrote:
A new round of Digital Ocean badness appears to be starting up...
Thought it worth the heads up.. (Eg, SendGrid)
Of cours
On 2020-01-16 11:16 p.m., M. Omer GOLGELI via mailop wrote:
Guess that is exactly why I don't add a whitelist rule to Facebook mails
and let them rot in Quarantine boxes.
If they send to unverified, non-existing users without content, no
matter where it is from, they are spam.
Especially when a
On 2020-01-16 2:39 p.m., Frank Bulk via mailop wrote:
We and our customers occasionally get email from netoworksolutions.com as it
pertains to their services. I noticed that their domain name has two
different kinds of SPF errors -- anyone know anyone in their mail or DNS
operations that can eff
Too bad so many email client softwares have developed a bad reputation
for when they ask for 'Access to your contacts', doing far too much with
that information..
Even me, accidentally have posted a message to the mailing list, when
meant to send to an individual.
But it is helpful, whether
I often speak on this topic to ISP's, and I remind them, never argue
with your customer on what is spam, and what isn't spam..
Sure, block/mark the 99% that is pretty obvious and fits everyone's
definition of spam, but let your USERS decide on the fringe cases..
"If a message is in the spam fo
On 2020-01-23 3:26 p.m., Michael Wise via mailop wrote:
Or at the very least, hover over should show all the details.
And yeah, never take the Friendly From, 822 From, or 821 Mail From for
Granite.
Aloha,
Michael.
How long do I have to hover my finger over the screen before it shows
the
On 2020-01-27 10:04 a.m., John Levine via mailop wrote:
In article <20200127101751.ga2...@rafa.eu.org>,
Jaroslaw Rafa via mailop wrote:
If we are at this topic, I wonder since long time why none, literally none
publicly available Internet service where users' private data is stored and
needs to
And of course I TOTALLY forgot to discuss the implications of credential
phishing...
Um.. SendGrid..
Return-Path: @sendgrid.net>
Received: from xvfrqpfv.outbound-mail.sendgrid.net (HELO
xvfrqpfv.outbound-mail.sendgrid.net) (168.245.67.248)
From: "Mailbox"
Subject: Action Required: Important
On 2020-01-30 6:50 a.m., rps462 via mailop wrote:
"Please contact your Internet service provider since part of their
network is on our blocklist (S3140). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors."
I have an ISP based out of AWS that has been ge
Well, as usual the only thing you can say is that it is not usual.
Interestingly, a strong drop in the number of spam emails sent from
botnets on IoT devices, compromised routers, etc.
In general, it reflects a growing trend for spammers to move to
alternative methods.
This week, in a conti
UCE-PROTECT-2 and UCE-PROTECT-3 to be more precise..
It might be that you have bad 'neighbours'.
inetnum: 190.8.32/20
status: allocated
aut-num: N/A
owner: Trilogy Dominicana, S.A.
ownerid: DO-CEDO-LACNIC
responsible: Packet Core
address: 30 de marzo, 30, -
address:
Interestingly,
(And yes, it has been happening a long time)
We just engaged on this issue (and others) with senior members of their
abuse team.
First reported to Amazon on November 27th, but this is a great example
why we escalated to senior members responsible.
Aside from slow take down t
ption to
get a dedicated IP/PTR.
I know of some operators that already are being more aggressive, eg
denying SMTP traffic..
If it walks like duck, and talks like a duck..
On 2020-02-10 8:57 a.m., Michael Rathbun via mailop wrote:
On Sat, 8 Feb 2020 09:15:49 -0800, Michael Peddemors via m
On 2020-02-10 11:47 a.m., Jesse Thompson via mailop wrote:
On 2/7/20 6:31 PM, Brandon Long via mailop wrote:
On Fri, Feb 7, 2020 at 4:07 PM Philip Paeps via mailop
mailto:mailop@mailop.org>> wrote:
__
On 2020-02-07 15:51:22 (-0800), Philip Paeps wrote:
On 2020-02-07 14:32:
For the record, (just back from M3AAWG, what a great event) AUTH attacks
from Tor networks ARE a thing.
While it might seem that the number of attacks from Tor Nodes, vs
legitimate AUTH requests from people that like using Tor for everything
is really one sided..
(Don't get me wrong, even we
On 2020-02-25 3:12 a.m., Simon Lyall via mailop wrote:
Thank you for all the suggestions. I've put together a couple of pages:
https://www.mailop.org/faq/
https://www.mailop.org/best-practices/
as a start. What do people think needs to be added or changed?
Simon.
Mailop Admin Team.
Thanks
No, but that is a valuable list that can show the 'why' of real
fines/levies. Be nice if they included a few Canadian examples
https://www.theglobeandmail.com/business/article-crtc-levies-fines-against-two-companies-under-canadas-anti-spam-law/
https://crtc.gc.ca/eng/DNCL/dnclc_2019.htm
https
Hehe.. another one.. (You think it would be self obvious)
When you talk about transparency, the idea is that the domain in the PTR
should have a URL, where contact information related to abuse for/from
that domain can be found..
97.107.24.93x1 1.outbound1.email-aeg.com
97.107.24.95
host 192.158.224.5
5.224.158.192.in-addr.ARPA domain name pointer server.divebums.com
host -t TXT divebums.com
divebums.com descriptive text "v=spf1 ip4:192.158.224.5
ip4:174.36.50.170 ip4:192.110.160.37 +ip4:168.235.104.229
ip4:192.158.224.5 a mx -all"
NetRange: 192.158.224.0 - 192.158
But yes, in general... SendGrid is letting a lot more obvious spam slip
out..
Received: by filter1485p1las1.sendgrid.net with SMTP id
filter1485p1las1-8217-5E5BDA86-2
2020-03-01 15:53:42.040986297 + UTC m=+2053389.093756661
Received: from [23.83.134.244] (unknown [23.83.134.244])
It is a shame that even the IETF has fallen victim to the threats of
COVID-19, and had to cancel their in-person meetings in Vancouver, but
in the spirit, wanted to remind everyone that we can still help move
discussions around email security forward, without meeting in person.
On that note,
Seeing a larger than normal bot net, coming from Chinese IP(s), performs
an email sending check to a qq.com address.
Windows 7 Botnet by appearances.
A quick grep in your logs for any account trying to send to
165043...@qq.com will tell you if you are being targeted today.
Once compromised,
This should be a FAQ for the mailing list. For questions like this,
regarding an IP or email server, always provide the IP Address in the
initial report to the mailing list.
On 2020-03-18 7:00 a.m., Kotlikov, Anna via mailop wrote:
Hi all,
A client of mine has been consistently seeing spam
While you are at it, ask gmx if they can stop leaking obvious Mitre
attack emails, via their webmail(s) ;)
SanMar Order Confirmation for Order #759086
From: "Perla Orelia"
Curious, how many companies do a virus check in WebMail when uploading
an attachment?
On 2020-03-18 7:30 a.m., Udeme U
On 2020-03-18 3:18 p.m., Grant Taylor via mailop wrote:
On 3/18/20 3:10 PM, Miles Fidelman via mailop wrote:
Is that definitive that Comcast reported spam to senderscore? Or
is that supposition on your part.
I suspect that it was Comcast themselves. I don't think it's likely
that one of
Amazing times, streets are near empty in Vancouver, but that's a good
thing. It means we are working together. And while our offices are
virtually empty, work goes on..
One thing we see out of this, is of course an increase in mailings from
all companies, advising their customers of the situ
On 2020-03-24 9:35 a.m., micah anderson via mailop wrote:
Steve Freegard via mailop writes:
I included the partial SHA-1 to be compatible with automation and
tooling around the HaveIBeenPwned API - see
https://haveibeenpwned.com/API/v3#PwnedPasswords
I understand that desire, but I wish the
Once again, always best to include an ACTUAL IP address in your first
email, so it can be addressed in the most timely manner.
For the record, one thing is that we hear about mailchimp customers
saying that they have a 'dedicated' IP address, however they still have
the generic PTR records.. Y
Hi All,
A short form version of my weekly 'lay of the land' email, and might be
a little quiet the next two weeks
Early reports show a huge increase in compromised email account spam,
and from first appearances it looks like a well known control panel
(cPanel) was targeted for this one.. Unfo
Just so everyone is aware, bad guys operating on Amazon?
Recent new activity, all from EC2 space, forging gmail, msn,
marketwatch, legacy, and many other brands.. Wide Spread, hundreds of
IP(s)..
Unless of course they all moved to Amazon ;)
Nmap scan report for ec2-18-236-174-50.us-west-2.co
Understand your frustration, especially when the big guys don't SWIP (or
rwhois) very clearly...
NetRange: 172.253.0.0 - 172.253.255.255
CIDR: 172.253.0.0/16
NetName:GOOGLE
NetHandle: NET-172-253-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType:Direct A
About to go into another weekend, so a good time to post an update on
what our spam auditing team is seeing in the wild this week.
* SendGrid compromised accounts sending phishing
Seeing a lot more cases of this occurring again, mostly phishing attacks.
* Amazon forged domain spam.. seeing hun
I notice that you are using an AWS address..
NetRange: 52.0.0.0 - 52.31.255.255
CIDR: 52.0.0.0/11
NetName:AT-88-Z
NetHandle: NET-52-0-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType:Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-
Just arrived in the fbl mailbox..
This is a Mail.Ru Abuse Report for an email message received from domain
.com, IP 104.128.152.18, on Sat, 24 Mar 2018 06:00:01 +.
Version: 1
Original-Mail-From: Ðврора
Source: Mail.Ru
Abuse-Type: complaint
Subscription-Link: https://fbl.returnpath.
Just another update, on what our spam auditing team is seeing as trends
This week, notable activity that our teams are seeing...
* Amazon AWS abuse continues, pretty obvious spammers
You would think that when 500-1000 IP(s) are detected each day that
Amazon would worry about running out of
On 2020-04-30 3:07 p.m., Andrew C Aitchison wrote:
On Thu, 30 Apr 2020, Michael Peddemors via mailop wrote:
Just another update, on what our spam auditing team is seeing as trends
...
* o265 leakage
Have they lost a century ?
Naw, according to the recent US CERT notice, since people
Since on the topic of SendGrid..
Received: from dhl.com (unknown)
by geopod-ismtpd-2-1 (SG) with ESMTP
id yXjQUIVNTmWUp86G27YZTw
for ;
Tue, 05 May 2020 10:02:57.886 + (UTC)
From: DHL Express
Subject: Shipment Arrival Notice.
Date: Tue, 05 May 2020 10:02:57 +00
On 5/5/2020 9:48 AM, Michael Peddemors via mail
Not strictly email related..
Our networks are under a 'little' attack right now, not really a
traditional DDOS attacks, but pretty sure our spam auditing team has
riled up a group out of Russia..
However, mixed in with some known questionable networks over there...
80.82.65.253
87.251.74.44,
On 2020-05-07 10:19 a.m., Nick via mailop wrote:
On 2020-05-07 18:07 BST, John Levine via mailop wrote:
My users have lots of addresses and my mail system lets them use
whatever From: address they want.
Interesting. That seems liberal, and also risky isn't it? What's the
advantage that makes
Hi all,
Hoping to get out of the office early today, start of the long weekend,
but remember, that's when the 'bad guys' like working.. but wanted to
get an update out before I go...
This week, it has still been about the really bad problem over at
SendGrid/Twilio shared senders.. with
Still seeing the phishing attempts.. Only reason there is less, is some
of the older IP(s) still in blacklists ;)
Just kidding, but volume high enough to show that they don't have the
issue handled as of yet..
On 2020-05-19 12:48 p.m., Chris via mailop wrote:
I'm seeing a very significant dro
Glad to hear something is being done on it, but...
(Quickly checks the spam folder.. )
Still coming in.. Netflix Phish for instance.. Seems like they are now
just using the same method, but with slightly more obfuscated From
friendly names..
Always nice when the spammers add email addresses
Yeah, over the last 10 years we banged our head on how a universal
method would work, and yes.. all vulnerable to abuse..
In the end, if mailchimp actually DID use the sender's email in the MAIL
FROM, it might make it easier.. If they did have a way to see that this
was an invite..
You 'could
HOLD THE PHONE!!
Do we hear an ESP actually recommending that all their email gets sent to
a junk folder .. hehehe..
But again, the best way for an email to support what you are suggesting,
is if you are transparent in the MAIL FROM, so that 'Allow Sender I am
subscribed to' would actually wo
Yeah, and IMHO (don't hit me) that VERP should go the way of the Dodo..
If a domain owner wants to have MailChimp send bulk email for them, they
should add MailChimp to their SPF record.. and have their domain in the
MAIL FROM.. it helps improve delivery dates.. eg the ISP can safely
'whitelis
Wow! Open ended question, and also depends on the SPF record..
Some you WANT to block at the edge (aside from the whole email
forwarding thing) and some you may simply want to filter.
But by rejecting, that IS a notification .. hehehe..
However, for many individuals out there trying their bes
On 2020-06-04 12:08 p.m., Matthew Grove via mailop wrote:
Hi,
Just to clarify, Mailchimp does remove addresses from specific lists
when we receive a hard bounce. Atro is correct; we do not suppress hard
bounced addresses globally across all of our users for a number of
reasons. Each user's li
We also had a problem with them (One of our ISP email clusters) , a case
where we had two (2) PTR records, and two A Records, but either their
lookup, or their 3rd party tools weren't smart enough to check each
entry to find a A <<>> PTR match...
When contacted, they responded by saying that '
etting that 554 error?
Cheers,
Al Iverson
On Tue, Jun 9, 2020 at 9:49 AM Michael Peddemors via mailop
wrote:
We also had a problem with them (One of our ISP email clusters) , a case
where we had two (2) PTR records, and two A Records, but either their
lookup, or their 3rd party tools weren'
Hehehe.. testing from a Digital Ocean IP might NOT be the best ..
But anyone getting a sense from the reports so far that this might be
GEO IP restrictions at the edge?
Maybe they are using GEO IP blocking UNLESS on an internal whitelist?
Usually only see that on IPv6 ports, but maybe that is what
Working example..
telnet mx01.t-online.de 25
Trying 194.25.134.72...
Connected to mx01.t-online.de.
Escape character is '^]'.
220-mailin82.aul.t-online.de T-Online ESMTP receiver fssmtpd2025 ready.
220 T-Online ESMTP receiver ready.
QUIT
221-2.0.0 mailin82.aul.t-online.de closing.
221 2.0.0 Closi
You are always best to frame the question to the list members, as 'what
am i possibly doing wrong', than just asking for a removal.
When all else fails, could it be your provider?
This 'appears' to be what the error message is saying..
(BTW, the guy from Microsoft who lurks on here will be quic
I have missed a couple of weeks, but since I was here.. took a look
quickly at what the Spam Auditors are reporting this week...
* Uptick in Send Grid phishing attacks
(They STILL don't have a handle on this? COVID budget cuts?)
* Spammers back to old tricks on lax hosting providers
(See Sni
Going on two months since first reported, and last weekend was really
high counts of new Send Grid IP(s) sending obvious phishing..
On 2020-06-17 6:26 a.m., Faisal Misle via mailop wrote:
I’ve been seeing it too... Mailgun, PayPal, etc
A SG rep replied to a SDLU thread yesterday about the sa
A significant activity alert was detected over night.
IDC Frontier Inc. 164.46.0.0 - 164.46.255.255
It appears that maybe someone removed port 25 blocking on egress?
Or changed some filtering mechanism?
Any comments?
Return-Path:
Received: (qmail 12711 invoked from network); 17 Jun 2020 13:21
eve Freegard
Senior Product Owner
Abusix Intelligence
On 17/06/2020 15:28, Michael Peddemors via mailop wrote:
A significant activity alert was detected over night.
IDC Frontier Inc. 164.46.0.0 - 164.46.255.255
It appears that maybe someone removed port 25 blocking on egress?
Or changed some filterin
On 2020-06-17 11:31 p.m., Benoît Panizzon via mailop wrote:
Hi
Anybody else seeing increased phishing through sendgrid? They look
fairly convincing.
I suspect the IP Ranges of Sendgrid are bound for a global blacklisting
if they keep ignoring abusive behaviour of their customers.
We have
On 2020-06-18 4:37 a.m., Benoît Panizzon via mailop wrote:
Allow your customers to set an additional PTR.
AFAIK only one PTR per RR is allowed, even if most DNS allow to set
multiple ones.
And when you say 'only one PTR per RR' is "allowed", could you explain
that further? "allowed" by whom
On 2020-06-18 3:57 a.m., Andreas Bueggeln - NOC - Profihost AG via
mailop wrote:
- the ptr to the server ip has to resolve to the customer domain and
vice versa
But they need to do a more sophisticated PTR <<>> A record matching, to
handle multiple PTR records..
- the mails are not allowed
On 2020-06-18 9:43 a.m., Jaroslaw Rafa via mailop wrote:
On 18.06.2020 at 08:55:35, Michael Peddemors via mailop wrote:
- the web pages of the domain must have a correct imprint
This is one that people forget about, and I agree with.. And I wish
I could find the old MAAWG
On 2020-06-18 11:14 p.m., Benoît Panizzon via mailop wrote:
Hi Michael
And when you say 'only one PTR per RR' is "allowed", could you
explain that further? "allowed" by whom, or what policy.
I recall we ran into some problems with systems that attempt to match A
and PTR records and only consi
On 2020-06-19 7:59 a.m., Leo Gaspard via mailop wrote:
Hello all,
We handle an email forwarder. Recently, we have been having more and
more issues with people reporting forwarded emails as spam, that end up
(probably) deteriorating the reputation of our email servers.
Since every email client
Well, will post an update later when the Spam Auditors have finished..
But the weekend was the biggest doozy in a long time..
And while we all happily picked on Amazon (they still have problems) it
seems this weekend all the big cloud providers had spammers working
overtime..
Just a quick po
Seeing a recent rash of fake job application spam coming from your
servers..
Can't remember which #malware engine uses this pattern off the top of my
head, but the email template contains an .xls password protected, with
the '1234'
X-TOI-EXPURGATEID: 150726::1592860321-8954-87EE5AE6/19/6
Just a friendly point out..
Return-Path:
Received: from v118-27-72-15.thcj.static.cnode.io (HELO amazon.co.jp)
(118.27.72.15)
From: Amazon
If you see a similar combination, you might just want to block it in the
SMTP layer..
We added it (amazon.co.jp) to our known sender forgery list(s),
"v=DMARC1; p=quarantine; pct=100;
rua=mailto:dmarc-repo...@bounces.amazon.com;
ruf=mailto:dmarc-repo...@bounces.amazon.com"
On Tue, Jun 30, 2020 at 12:25 PM Michael Peddemors via mailop
mai
One thing not mentioned so far in this thread, is data collection..
While many D'oh providers claim NOT to log or track, simply by using
HTTPS opens up the door to exposing personal browsing habits..
It is very easy to simply 'extend' any HTTPS request, to include other
information in the req
Very High volume SMTP Auth type attacks, but either a broken bot, or an
attempt at Denial of Service..
Range, 192.241.227.0/24
Naming Convention: zg-0626-70.stretchoid.com
It's a 'fast talker' attack, sending EHLO before waiting for the CONNECT
string..
Just in case anyone else is encounter
Gmail finally locking down on spamming from Gsuite?
Will wonders never cease...
;)
(Hey, actually the spam folder DOES seem to have less the last few days)
On 2020-07-09 2:57 p.m., Nathan She via mailop wrote:
Hey everyone,
A client of ours is seeing their sales reps and account managers lock
This morning's reports show that while the SendGrid problem is still
ongoing, seems like MailGun is starting to see abuse problems as well.
Interestingly, we also see that they have decided to start using some
Amazon IP space for this as well, unfortunate that they don't have an
SWIP for those
Hey Yahoo,
You still haven't addressed line wrapping your DKIM lines..
While 540 characters in a header probably won't break most systems, it
would be more internet friendly to wrap them at a more reasonable
amount, makes it a lot easier for those who want to copy/paste/print
headers from you
While most of these are probably already stopped, via various RBL's and
rulesets common to most spam protection, it is worth posting..
Seeing the infection spike again, but strangely all from Chinese IP Ranges.
Note, for the one provider, it is especially a bad overnight jump.
*.adsl-pool.jlcc
On 2020-07-21 9:15 a.m., Bill Cole via mailop wrote:
On 19 Jul 2020, at 22:38, Chris via mailop wrote:
It is particularly bizarre that it infests one ISP like this. I'm
wondering if someone managed to force the infection to do IP
reallocations frequently to IP-hop. Cutwail normally has thous
This thread pops up every couple months.
We have found that the FIRST thing you need to do is put a sane SPF
record in place for IPv4 traffic.. This has resolved the issue for most
of the cases we have seen for clients.
On 2020-07-24 7:44 a.m., Al Iverson via mailop wrote:
This is all good
Hi All,
Going into another weekend, and there is a lot of activity out there.
* Amazon EC2 spam on the increase again
* SendGrid Abuse still ongoing
* Similar patterns emerging in other ESP's
* Increase in VPS activation for malware Spam
* Cutwail increases on Chinese IP Space
* Emotet activates