Bit of a strange week this week, seems almost like the spammer groups
are taking turns. Emotet's new email templates, being sent from
compromised accounts has been increasing, with some of it sneaking
through current filtering methods, so the spam auditors have been busy
tweaking filtering rul
While there are unfortunately good email operators on the OVH network,
unfortunately our data shows a lot more abuse than good..
BTW, speaking of OVH, anyone know these guys?
167.114.98.1512 guesser8.wdemg4.com
167.114.98.2273 guesser1.wdemg.com
NetR
Hi Len,
We have been extremely busy over here, so I haven't had a chance to
circle back around, but for the record, volumes are still excessive, and
our team is detecting malicious, easily identifiable spam on a regular
basis..
Received: from o2.hv1nn.shared.sendgrid.net (HELO
o2.hv1nn.share
On 2020-08-11 9:39 a.m., Michael Peddemors via mailop wrote:
Hi Len,
DOH! Sorry about that Len.. and list..
--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit
Volume picking up, not decreasing..
149.72.37.171 x3 wrqvnrxb.outbound-mail.sendgrid.net
149.72.58.197 x6 wrqvpxcr.outbound-mail.sendgrid.net
149.72.64.32 x3 wrqvqhnh.outbound-email.sendgrid.net
149.72.73.203 x7 wrqvqwcb.outbound-mail.sendgrid.net
149.72.90.203 x1
company, you should be held responsible for what leaves your network.. IMHO
On 2020-08-12 2:16 p.m., Richard W via mailop wrote:
When I checked this morning there was like 662 different Sendgrid IPs
hit our traps in the previous 24 hours.
Richard
On 2020-08-12 2:47 p.m., Michael Peddem
Return-Path:
Received: from wrqvcdpk.outbound-mail.sendgrid.net (HELO
wrqvcdpk.outbound-mail.sendgrid.net) (149.72.205.49)
Subject: Your attention is urgently required.
From: Verizon
Too early yet.. (to enforce globally)
But start selectively forcing it for the bigger players known to support
this..
On 2020-08-26 9:50 a.m., Scott Mutter via mailop wrote:
How many mail operators out there are forcing outbound SMTP
communications to use TLS? Is this a common practice now
More and more companies are requiring transparency.
mail.mydomain.com
There SHOULD be a URL associated with the domain ('mydomain.com') in the
PTR.. And that URL should reflect the organization that is responsible
for activity related to that domain.. I will have to dig up that M3AAWG
Nest Pr
se*
MicrosoftCorporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?
-Original Message-
From: mailop On Behalf Of Michael Peddemors
via mailop
Sent: Wednesday, August 26, 2020 12:30 P
It's been a while since I did one of these, planning on having the team
members prepare these and start posting the bi-weekly updates.
This week, has seen an overall increase of spam from many sources, and
of course phishing attempts in general are a large part of it. Emotet
is leading the wa
Speaking of SendGrid.. (Again)
BTW, our guys policy, on detection of 'phishing' the IP is posted to
RBL's.. otherwise it is probably just scored a little higher..
But does anyone know these guys? Looks like they have bought or used a
bad mailing list, or they have a sign process being abused
Your iPhone should be connecting to port 587/465 and don't block
localhost.localdomain there.. clients should be able to send almost any
EHLO, just block localhost.localdomain on port 25. IMHO
On 2020-10-02 1:34 p.m., John Devine via mailop wrote:
I think IOS v14 changed to sending using that
Sounds like some script kiddies were busy targeting a couple of
reputation services with a DDOS attack overnight, ICMP and NTP
amplification attack..
On 2020-10-08 12:27 a.m., Hetzner Blacklist via mailop wrote:
Just a quick heads-up: the 0spam blacklist is down.
The website (0spam.org) can'
On 2020-10-14 3:18 p.m., Christian Huber via mailop wrote:
Hello,
it seems like microsoft/office/hotmail has blacklisted our complete ASN
(AS34549). I tried to get in touch with every opportunity they gave but no
reply for 48 hours. We haven't seen any mail abuse for weeks and I don't
get
Yeah, it's still happening, thankfully the volume is getting a lot
lower, but probably because they keep getting themselves listed, and
more and more filtering rules are targeting SendGrid phishing specifically..
I stopped getting numbers, when we started seeing less than 10 new IP(s)
in a day
By default we still distribute with a 10MG maximum size, but frankly
almost all of our customers have bumped it to the maximum we recommend,
which is 20MG. (the odd one even went to 30, but we don't recommend that)
Too bad this isn't escalated to a recommended standard.
How about we use this a
On 2020-10-30 7:25 a.m., Marcel Becker via mailop wrote:
On Fri, Oct 30, 2020 at 1:11 AM Atro Tossavainen via mailop
mailto:mailop@mailop.org>> wrote:
Why does Google bounce after accepting a message? At Google's scale,
the potential to become the world's biggest spammer simply through
It's been a while since I sent one of these out, and since one of the
senior threat researchers is off this week, on a well deserved break,
thought I would take a look at what the rest of the team is reporting..
* The amount of leakage from Gmail and o365 continues to climb, are they
getting b
Never heard of anyone doing that... It really wouldn't make sense
On 2020-11-13 6:31 a.m., Tonya Gordon via mailop wrote:
Good morning! Does anyone have any insight into the following question we
received from a customer?
“If we're using a wildcard SSL cert across multiple sending/bounce/trac
that are revealing in a TLS handshake, but that is a
different story..
On 2020-11-13 7:00 a.m., Ralf Hildebrandt via mailop wrote:
* Michael Peddemors via mailop :
Never heard of anyone doing that... It really wouldn't make sense
Hm, why not? After all, if somebody controls the certifi
Seems like Arcor.de is using a 3rd party for something, and it's email
functions are being abused..
Judging by the SPF record, it looks like they are intentionally using
this 3rd party service..
host -t TXT arcor.de
arcor.de descriptive text "v=spf1 include:spf.xion.oxcs.net
ip4:151.189.0.0
On 2020-11-26 9:08 a.m., Hans-Martin Mosner via mailop wrote:
Am 25.11.20 um 19:28 schrieb Michael Peddemors via mailop:
Seems like Arcor.de is using a 3rd party for something, and it's email
functions are being abused..
Judging by the SPF record, it looks like they are intentionally
I STRONGLY suggest that you either SWIP or create a 'rwhois' service for
that IP range, so it CLEARLY shows that the IP(s) are related to your
email services..
inetnum:145.253.0.0 - 145.254.255.255
netname:DE-ARCOR-2314
country:DE
org:ORG-MAT1-RIPE
admin
For us, we encourage SPF usage in DNS, simply because the 'big guys'
want it or penalize you...
As far as inbound, while SPF can be treated as a marker for various
forgeries, and also sometimes a specific spam vector, we usually ONLY
reject based on SPF if...
* The company's SPF is sane
*
I know, I know.. most already are looking at Azure sourced email with
suspicion, but kind of wanted to wait until others chimed in on this one..
Took a bit to actually find examples that made it through our filters,
even to sandbox addresses.. because the email's are so obvious..
Return-Path:
On 2020-12-14 11:48 a.m., Mary via mailop wrote:
Looking at 1st of December till today, every single spam that passed all
filters came from gmail.
I assume you are not yet blocking @trix... ;)
On 2020-12-14 2:45 p.m., Stuart Henderson via mailop wrote:
On 2020/12/15 00:28, Mary via mailop wrote:
Indeed, I am not blocking it for two reasons:
1) I was never sure why 50% of all gmail spam seem to originate from
trix.bounces.google.
2) The other 50% has regular gmail received headers.
Anyone else noticing an increase in o365 tenant back scatter?
Seeing a lot more vacation message(s) type 'rules' that are causing
'backscatter', with an empty MAIL FROM, and responding to NDR events..
We weren’t able to deliver your email to X because we don’t monitor
this mailbox.
Get
In general, outbound rate limiting is the most important, but as to
outbound scanning, it really depends on your size.
A smaller email system, might be able to depend strictly on outbound
rate limiters, but larger ones need outbound scanning as well, because
of piggyback spammers... the ones w
On 2020-12-17 12:27 a.m., Hans-Martin Mosner via mailop wrote:
Am 09.10.20 um 12:27 schrieb Hans-Martin Mosner via mailop:
Hello,
do others see spam waves from cloudapp.azure.com, too?
So, after 9 weeks, despite several abuse reports to the appropriate places,
this still continues (and not a
I don't know if they are giving up, finally realizing that generating
spam for IoT devices isn't getting through, but it seems that we are at
a 12 month low for that form of attack.
Don't get me wrong, still averaging 25% of all inbound traffic to SMTP
ports coming from DUL networks with no PT
On 2020-12-21 10:56 a.m., Eric Tykwinski via mailop wrote:
Just a heads up:
v=spf1 include:spf2.bluehost.com include:_spf.qualtrics.com
include:_spf.google.com include:_spf.salesforce.com
include:sparkpostmail.com include:spf.mailjet.com -all
evaluating...
Results - PermError SPF Permanent E
I should also comment further (and MW, were you kidding about sending
abuse reports from Azure space to cert@)?
Spam Auditing team has been tracking the Azure spammer bots for a while,
and you will notice that while they usually have the cloudapp ptr naming
convention at the time of delivery, t
On 2021-01-20 5:39 a.m., Vittorio Bertola via mailop wrote:
I could understand listing specific providers if they were clearly and openly
tolerant of spammers, but listing big chunks of the entire industry at once?
Personally, I think this is the year that you can expect to see more of
that,
On 2021-01-21 6:03 a.m., Jim Popovitch via mailop wrote:
It's never been about the $$, it's always been about
identifying the responsible party.
Which is why I am always surprised, that some providers choose NOT to
offer 'rwhois' that shows the responsible party, and when they started
using t
On 2021-01-21 6:01 a.m., Gregory Heytings via mailop wrote:
it is impossible for server providers to do this:
Umm.. it's not impossible, and it's not even that difficult..
It's a choice.. there are many service providers out there that do a
bang up job.. You'll have to explain why one service
Yes, someone should give them kudos for that, at least they made an
effort.. of course, someone occasionally gets around that.. saw last
week someone abusing their IP space, but in general reports from that
network are GREATLY reduced from historical levels.
-- Michael --
PS, the 'ha
On 2021-01-21 8:20 a.m., Gregory Heytings via mailop wrote:
One concrete example: AS16276 has 3583744 IPs. Out of these, 2327 sent
a spam in the last 7 days according to uceprotect. That might seem like
a high number, but it's only 0.05% of the address space of that AS.
Because of this all IP
One year anniversary of phishing from SendGrid/Twilio...
And the problem is SO easy to fix
On 2021-01-22 6:08 a.m., Hans-Martin Mosner via mailop wrote:
Well I'm not complaining about the spam from them - it's a steady flow, nothing
new.
But it looks like they have filters on their abuse bo
On 2021-01-23 7:38 a.m., Noel Butler via mailop wrote:
it might be old skool, where the new kids on the block want to use
clusterfs, but no, that's asking for trouble, and lots of media horror
stories about mail down for days at isps around the world justify
avoiding it, good ol NFS "just works"
NetRange: 66.151.16.0 - 66.151.23.255
CIDR: 66.151.16.0/21
NetName:PNAP-CHG-BLAST-RM-01
NetHandle: NET-66-151-16-0-1
Parent: PNAP-06-2001 (NET-66-150-0-0-1)
NetType:Reassigned
OriginAS:
Customer: Blastcomm (C00498966)
RegDate:2003-03-31
Up
This one was almost too funny, as in it's list of To addresses, almost
all the emails were related to addresses used to report malware.. looks
like an infosec member might have their email compromised, and took
advantage of their address books.. but when you see a recipient list
with 100's of r
ilar, but
the logistical challenges of preventing outbound spam without pissing
off customers is /far/ greater than the challenge of preventing inbound
spam without pissing off customers.
On Wed, Feb 3, 2021 at 11:49 AM Michael Peddemors via mailop
mailto:mailop@mailop.org>> wrote:
This
On 2021-02-04 12:56 p.m., Ned Freed via mailop wrote:
PITA, still not sure if its worth it.
It's wonderful when dealing with political campaigns. Use a different subaddress
for each, and you can tell who is buying/selling lists.
And if they don't support it, well, you didn't really to donate
On 2021-02-08 7:37 a.m., Alan Hodgson via mailop wrote:
Unfortunately getting mail accepted at MS or Google from a new VPS seems
to be nearly impossible. I would love to be proved wrong, though, by
those more knowledgeable.
Probably depends on the network reputation where the VPS is located.
B
Didn't take Google spammers long to figure out using + addressing to try
and get by spam filters.. or personal block lists..
Return-Path:
From: "Bitcoin Trader"
Judging by volume, I am sure that there are no sane rate limiters in
place..
I would think that any use of a + address, usually
On 2021-02-12 6:54 a.m., Damon via mailop wrote:
Len Shneyder is a great guy and part of the old guard. I trust he
hasn't moved to the darkside.
I am sure he is doing as much as he can but there isn't much help out
there for those of us responsible for keeping bad actors off our
systems.
RBLs: Y
+1, I for one have personally seen leakage from one of their servers,
albeit over a year ago.. No matter what your opinion of how UCE has a
fee for expedited removal, (it's their choice on how to monetize) there
is usually a reason someone gets listed.. compromises happen to the
best.. but you
On 2021-02-16 3:45 a.m., Vittorio Bertola via mailop wrote:
Il 14/02/2021 07:42 André Peters via mailop ha
scritto:
Hi,
Have you guys already read this?
https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html
I have seen the discussion and found it fits. Will you remove UCL fro
You know.. yes, the 'Too Big to Block' (TBTB) providers say they can't
effectively handle the abuse complaints, which of course I have a
problem respecting given the amount of revenue they have, they simply
don't want to allocate the funds.. and the few guys left to do the job,
they have to end
FYI, you might want to check your outbound spam filter ;)
X-Spam: Yes
One thing to note, and maybe should be something to actually take up
with RFC's, but wonder if flags like this should some how become trace
headers..
Eg, which system put that header into the header list..
Especially now
On 2021-02-16 4:26 p.m., Vsevolod Stakhov via mailop wrote:
On 16/02/2021 21:25, Michael Peddemors via mailop wrote:
FYI, you might want to check your outbound spam filter ;)
X-Spam: Yes
One thing to note, and maybe should be something to actually take up
with RFC's, but wonder if flags
I have an idea.. (No Pitching your own service)
We always post the bad things about bad hosting providers..
I mean of course, often the old adage is you get what you pay for..
But maybe it would be good to point out hosting companies that have a
GOOD reputation for hosting email servers, or hos
On 2021-02-19 11:00 a.m., Simon Arlott via mailop wrote:
On 19/02/2021 16:45, Michael Peddemors via mailop wrote:
For instance, have to shout out to the Linode guys for really improving
their reputation, over the last couple of years.. (still wish they
provided 'rwhois' entries, a
I think that gets off point..
Hosting Providers all provide 'different' services and limitations..
Other than the fact that their 'automated' systems are geared for ext4,
are they a 'good' hosting company?
I believe the criteria is meant to be things like..
* Good and Timely Support
* Mainta
+1, not only are they one of the most reported IP Spaces, but their
abuse teams are slow to respond, and they don't assist customers with
reputation problems. As well, they don't keep up their SWIP/rwhois very
well. And when a snowshoe spammer lights up, it is usually very high
volume that the
On 2021-02-25 8:59 a.m., Ignacio García via mailop wrote:
Thanks for your recommendation on Vultr. Any others you can also
recommend are also appreciated.
Personal recommendation? Always think transparency...
If the hosting company won't offer you SWIP or 'rwhois' for your IP(s),
you always r
My weekend thought isn't on spam this time ..
They don't wrap the DKIM, but they SURE wrap the X-YMail-OSG header, can
any one guess why they need THAT much data in the email header?
And of course anyone looking at how BIG DNS results are getting lately?
Seems everyone wants to add a verifica
On 2021-03-12 4:58 a.m., Hans-Martin Mosner via mailop wrote:
Am 12.03.21 um 11:53 schrieb Arne Allisat via mailop:
* Ensure that the following email headers included in your message are
syntactically correct: Date, From, Sender, To.
From: User
Subject: Re: topic
To: =?UTF-8?Q?Recipien
Never get enough chance to look at logs anymore but this one jumped out
while checking something out..
89.248.169.12 -> 587 GeoIP = [GB] PTR = security.criminalip.com
hehehe.. wonder if we should help them fix their broken bot..
inetnum:89.248.169.0 - 89.248.169.255
netname:NE
s' are white hats..
On 2021-03-17 11:47 p.m., Peter Nicolai Mathias Hansteen wrote:
17. mar. 2021 kl. 23:46 skrev Michael Peddemors via mailop :
Never get enough chance to look at logs anymore but this one jumped out while
checking something out..
89.248.169.12 -> 587 GeoIP = [
Want to talk to someone off list, as we see a surge in inbound traffic
that isn't completing correct.. After the EHLO it is timing out..
Something maybe broke on their end?
(Note: this is after the second EHLO, after TLS negotiation completes)
Again, you would save everyone time if you actually posted the ranges
you are having trouble with..
On 2021-04-12 2:35 p.m., Zachary Sverdrup via mailop wrote:
Hi All,
We are running into an issue where two of our IP ranges are being
randomly(we believe) listed at Proofpoint for the last 3-4 w
Well, in better news, I get my vaccine shot tomorrow ;)
Haven't posted one of these in a while, but last couple of weeks has
spam auditors very busy..
* Huge amounts of reports from Azure IP(s), Hit and Run
(If you are seeing the same, and frustrated, reach out, we can post one
days report,
On 2021-04-27 8:31 a.m., Rob McEwen via mailop wrote:
On 4/27/2021 11:00 AM, Michael Peddemors via mailop wrote:
New Google Groups style spam outbreak..
Many of them (or all of them?) are doing the following:
(1) sent from legit Google mail servers
(2) the spammer's "payload U
On 2021-04-27 8:32 a.m., Hans-Martin Mosner via mailop wrote:
Am 27.04.21 um 17:00 schrieb Michael Peddemors via mailop:
Well, in better news, I get my vaccine shot tomorrow ;)
Great!
Haven't posted one of these in a while, but last couple of weeks has spam
auditors very busy..
*
tp://go.microsoft.com/fwlink/?LinkID=614866> ?
-Original Message-----
From: mailop On Behalf Of Michael Peddemors
via mailop
Sent: Tuesday, April 27, 2021 9:12 AM
To: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] [INFORMATION] What's happening in the
world of spam/email abuse u
Maybe if you do, you can send them a friendly nod..
Seems someone has decided to use their backscatter for sending spam
messages..
From: Mail Delivery System
Subject: Undelivered Mail Returned to Sender
This is the mail system at host pmgd06.wadax.ne.jp.
I'm sorry to have to inform you tha
Replied off-list
On 2021-05-20 9:05 a.m., Anne P. Mitchell, Esq. via mailop wrote:
All,
We've been contacted by Anthony Mitchell, representing Inboxsys.com - they are
brand new in the deliverability space, and yet they claim to have relationships
with all of the ISPs and ESPs; however I can f
With apache, you can use modsecurity quite easily, and you can block all
azure (and other cloud providers ranges) from certain services like
wordpress, or contact forms etc.. (you can even do dns based checks or
rbldnsd) ..
Unless desktop in the cloud becomes more prevalent, you should make su
Some you can check via PTR naming conventions, and others you can do an
ASN lookup.
don't have the URL's handy, but welcome to reach out off list.
On 2021-06-04 4:08 p.m., Scott Mutter via mailop wrote:
On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop
mailto:mailop@mai
Start by including the IP(s) you are discussing ;)
Compromised accounts are indeed the bane of the responsible
administrator, and as you can see.. the rate limiting systems ARE
essential, you are unlikely to suffer a reputation issue, if only a few
escape (unless they have REALLY bad content,
And another bad for SendGrid compromises/spammers..
149.72.34.12(S) 19 wrqvnnhc.outbound-mail.sendgrid.net
149.72.34.115(RS) 1 wrqvnntp.outbound-mail.sendgrid.net
149.72.34.116(S) 16 wrqvnntq.outbound-mail.sendgrid.net
149.72.34.124(S)
On 2021-07-08 8:20 a.m., Carl Byington via mailop wrote:
On Thu, 2021-07-08 at 09:31 +0300, Atro Tossavainen via mailop wrote:
That one is Zoom.us itself.
Received: from o5.sg.zoom.us (o5.sg.zoom.us [149.72.199.144])
Received: from o12.ptr3622.sg.zoom.us (o12.ptr3622.sg.zoom.us
[167.89.93
It's been quite a few years, and for those of you on this list as long
in the tooth as I am, you will remember the battles of the 90's and
early 2000's between various RBL's and large telco/cable companies..
Those cable companies did very little about outbound abuse, so several
of the RBL's in
I am sure we have all seen these guys..
Jul 14 09:28:07 be msd[39322]: EHLO command received, args:
smtpout441.sonicleads..io
Jul 14 09:28:07 be msd[39322]: MAIL command received, args:
FROM:
Jul 14 09:28:07 be msd[39322]: RCPT command received (47.74.71.30),
args: TO:
Seems they have moved
Just make it simple, set your DNS servers to be your upstream provider..
You pay them money, use their services if you don't want to run your own
DNS server..
PS, don't even THINK of using DoH ;)
BTW, everyone keeps talking about 1.1.1.1 and 8.8.8.8, but consider that..
'https://download.dnsc
This particular botnet, (and you can tell this strain by the password
list attempted, and the number of attempts from each IP) appears to come
from at least two(2) actors, one which is a windows malware on older
windows machines, and the other uses the gpon/router compromised botnets.
Interesti
What do you suggest Laura,
Time for a 'block gmail for a day'?
See if we can get their attention?
Side note, this one bothered me..
Return-Path:
(Covid Naysayer spammer, didn't bother to see if attachments had malware
links)
Seems they put in 499 recipients, all in the 'To' field, all to
Years and years ago, we built one.. and pulled it.. It was just helping
the spammers ;)
But seriously, if you are sending billions of emails out, I think you can ..
* Afford a commercial product
* Afford to contribute to an open source product
Even thought of throwing some money at a couple o
You do realize that kind of response probably won't make any friends..
Should SendGrid not simply block obvious malware, no matter who the
client? And 4 weeks is far too long to allow malware to travel around the
internet.. this is getting to be a standard approach that won't endear
you, or hel
208.80.201.171 x1 vx1.email-protect.gosecure.net
208.80.201.172 x1
208.80.201.173 x5
208.80.201.174 x3
208.80.202.5 x21 smtp.email-protect.gosecure.net
208.80.202.7 x29 smtp.email-protect.gosecure.net
208.80.203.5 x30 smtp.email-protect.gosecure.net
Of course you are talking about these.. (yeah, it's a pandemic over
there) and no use reporting them..
Received: from mail0.crzcompany.com (HELO mail0.crzcompany.com)
(159.65.131.137)
From: E-mail Server
Subject: Password Expiry
(Several variations, all similar, and mail0 or rdns0 is a comm
ccounts, like Linode
does. A major change by linode, which cleaned their IP space quite fast. I
still get the occasional wordpress scan, but those are minor...
On Tue, 10 Aug 2021 07:19:15 -0700 Michael Peddemors via mailop
wrote:
Of course you are talking about these.. (yeah, it's a pandem
lose money :)
Toni.
On Tue, Aug 10, 2021 at 5:01 PM Michael Peddemors via mailop
mailto:mailop@mailop.org>> wrote:
Yeah, OVH is up there, and while they generally have a poor abuse team,
(with maybe one or two notable exceptions) and they do nothing to be
pro-active in prev
Noticed a larger than normal amount of authentication attacks, launched
from systems that appear to be 'StreamHub' systems..
The AUTH attacks are reminiscent of other compromised GPON equipment
attacks, but this looks new(er) or at least the volume jumped greatly.
Standard password spraying a
Not that specific pattern ;)
But definitely, AWS waters getting dirtier and dirtier..
There are several email validator services, AUTH attackers, and
dictionary attacks coming from the IP space, they quickly get added to
RBL's since there isn't much use reporting them, if there is no
motivati
82.165.159.12 x5 mout-xforward.gmx.net
82.165.159.13 x7 mout-xforward.gmx.net
82.165.159.14 x5 mout-xforward..gmx.net
82.165.159.2 x66 mout-xforward.web.de
82.165.159.3 x62 mout-xforward.web.de
82.165.159.34 x68 mout-xforward.web.de
82.165.159.35 x56
om/?0b5071a4b2cb089d#HYSAYYMSheQbYiXCZHMfjaVoqRM7naZiXKPkAK2UHju6
On 2021-08-26 14:36, Michael Peddemors via mailop wrote:
82.165.159.12 x5 mout-xforward.gmx.net
82.165.159.13 x7 mout-xforward.gmx.net
82.165.159.14 x5 mout-xforward..gmx.net
82.165.159.2 x66 mout-xforward.web.de
Yes, it is unfortunate.. especially given the amount of money they
promised to spend on security. And while we do have to recognize the
sheer size and scope of Gmail, we should also have higher expectations
from them given their size.
While 'filtering' does work at the receiving MTA, there is
There are lots of companies that do email hosting, but you mentioned
she is 'tech challenged'. In this case, they should NOT be looking for
a large hosting company.
She should find a local hosting provider, someone that she can pick up
the phone and call, but of course you get what you pay f
mailop wrote:
I've got that whole AS46573 on my internal RBL. Just a complete trash
network. You can blindfold yourself and throw a dart at any of their
/24s and every single one looks like this:
https://bgp.he.net/net/23.247.86.0/24#_dns
On 2021-09-07 15:37, Michael Peddemors via mailop
Seems to be trying to send some kind of backlog.. (flood of reports)
Not only are the messages NOT SPAM, but we don't even host the domains
in question any more ;) But again, something is wrong with the way they
do business.. Dec 2019? Really?
This is a OpenSRS Abuse Report for an email mess
Shameless plug..
Need a replacement data set?
https://www.intra2net.com/en/support/antispam/index.php_sort=accuracy_order=desc.html
SpamRats!
On 2021-09-09 7:51 a.m., Brielle via mailop wrote:
On 9/9/21 1:30 AM, Jarland Donnell via mailop wrote:
Domains taken from the envelope senders of a
Seems that for last couple of days, a LOT of reports of suspicious
attachment email coming from the RackSpace servers..
Would like to help them work this out, and confirm it is a threat that
they aren't noticing..
108.166.43.100 x1 smtp100.ord1c.emailsrvr.com
108.166.43.103 x1 smt
The problem with SMTP callbacks, is there is no way for a server to
confirm if this is an SMTP callback, or a malicious script attempting to
harvest email addresses.
And looking at our logs, there are a LOT more connections from email
validator services, list washing services, and malicious us
Use RATS-AUTH to block auth attacks, from known dedicated IP(s) ;)
Block AUTH from Amazon/Gcloud/Azure by default
Consider transparent 2FA like CLIENTID
Fail2Ban is a stop gap mentioned often on the list.. but be careful, as
it might block a large CGNAT range.
Country authentication controls
On 2021-09-21 12:09 p.m., Mark Milhollan via mailop wrote:
Block AUTH from Amazon/Gcloud/Azure by default
Would you include other clouds, like Alibaba, Oracle, OVH, Rackspace,
etc., perhaps especially those that are "too easy" for spammers and
miscreants to get a machine going on? I can unde
More good points..
.. for the record, compromises via SMTP are easier to identify, the
scary ones are IMAP authentication ones, as the hacker can log in simply
once every week, and search your inbox for personal information,
password reset links, services that you use, credit card information,