Hi,

>> Another email from a whitelisted mailchimp address that contains malware.
>>
>> https://pastebin.com/ay83iWjC
>>
>> It's also not tagged when not whitelisted, and I hoped someone had
>> some ideas on what further can be done to block it.
>>
>> Complicating things, it's in Italian.
>>
>> I've reported it to MailChimp and also removed mailchimp (mcdlv.net
>> and rsgsv.net) from the local whitelist.
>>
>
> How did Mailchimp respond to your abuse report? If they quickly handled it,
> then I see no need to remove them from the local whitelist. They have a
> serious interest to keep their reputation intact so they should handle this
> rogue customer of theirs quickly.
>
> IMHO, there is more benefit from the whitelist entry versus all of the FPs
> you will get with it removed. I wouldn't say this for all senders but there
> are a few major senders like Mailchimp, Sendgrid, Constantcontact, Mailgun,
> etc. that I would leave in since they quickly handle abuse reports.
The problem is that it went to a distribution list of at least 80 people,
including senior execs. It remains that this message was spam and should
have been tagged with default SA rules but was not :-( It certainly
represents a significant amount of email.

This time MailChimp said they were investigating. Previously they had said
that it required only the original recipient of the message to file the
report.

My bayes is trained such that most marketing emails are bayes99.

I've also now removed mcsv.net from the whitelist and see it resulted in 70
messages from mcsv.net being caught today, all of which were from marketing@
or news@ or similar accounts from sites like news@firma.agency.

I'm also concerned about the SPF record for mcsv.net:

mail89.sea31.mcsv.net. 14742 IN TXT "v=spf1 ip4:148.105.11.89 include:spf.mandrillapp.com ?all"

?all ??? Really?

 * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
 *      [mail37.sea31.mcsv.net TXT:v=spf1] [ip4:148.105.11.37 include:spf.mandrillapp.com] [?all]

It looks like their rsgsv.net server also has an "i dunno, just accept" SPF
entry:

   0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
        [mail40.atl51.rsgsv.net TXT:v=spf1] [ip4:205.201.135.40 include:spf.mandrillapp.com] [?all]

How can mailchimp have such a lax SPF record?
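The "?all" concern raised in the message above, as an added example that is not part of the thread or of anyone's SpamAssassin configuration: a small Python checker that parses an SPF TXT record the way an evaluator does and reports what a sending host that matches none of the listed mechanisms would receive. That is the qualifier on "all" (neutral for "?all", the case the JMQ_SPF_NEUTRAL_ALL askdns rule in the thread is flagging), a redirect= hand-off, or neutral when the record simply ends (RFC 7208 section 4.7). It is run offline over the two records quoted above plus a constructed stricter record for contrast; the function names are mine, and unlike the askdns rule it does no DNS lookups and does not expand include: terms.

```python
import re

# Qualifier prefix -> result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# One SPF term: optional qualifier, name, then ":" or "/" (mechanism argument)
# or "=" (modifier value such as redirect= / exp=).
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:([:/=])(.*))?$", re.IGNORECASE)


def parse_spf(record):
    """Split an SPF TXT record into term dicts, raising on malformed input."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError("unparseable SPF term: %r" % tok)
        qual, name, sep, arg = m.groups()
        if sep == "=":
            # Modifier (name=value); modifiers never carry a qualifier.
            terms.append({"modifier": True, "name": name.lower(), "arg": arg,
                          "qualifier": None, "result": None})
        else:
            q = qual or "+"  # an unqualified mechanism means "+" (pass)
            terms.append({"modifier": False, "name": name.lower(), "arg": arg,
                          "qualifier": q, "result": QUALIFIERS[q]})
    return terms


def default_result(record):
    """Result for a sending host that matches none of the listed mechanisms.

    Terms are evaluated left to right, so the first "all" decides. A redirect=
    modifier only applies when no "all" mechanism is present anywhere in the
    record (RFC 7208 section 6.1). With neither, the result is "neutral"
    (section 4.7). include: terms are not expanded here, so a host listed in
    an included domain would match earlier and never reach this default.
    """
    terms = parse_spf(record)
    for t in terms:
        if not t["modifier"] and t["name"] == "all":
            return t["result"]
    for t in terms:
        if t["modifier"] and t["name"] == "redirect":
            return "redirect:" + (t["arg"] or "")
    return "neutral"


def is_lax(record):
    """True when unlisted (possibly forged) senders get neutral or pass, i.e.
    the domain gives receivers no fail/softfail signal to act on."""
    return default_result(record) in ("neutral", "pass")


def check_records(records):
    """Map host -> (default result, lax flag) for a dict of host: TXT value."""
    return {host: (default_result(rec), is_lax(rec)) for host, rec in records.items()}


# The two records quoted in the message above (values as posted there).
MCSV_RECORD = "v=spf1 ip4:148.105.11.89 include:spf.mandrillapp.com ?all"
RSGSV_RECORD = "v=spf1 ip4:205.201.135.40 include:spf.mandrillapp.com ?all"
# Constructed record (not from the thread) showing the strict "-all" case.
STRICT_RECORD = "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"

if __name__ == "__main__":
    sample = {"mail89.sea31.mcsv.net": MCSV_RECORD,
              "mail40.atl51.rsgsv.net": RSGSV_RECORD,
              "mail.example.net (constructed)": STRICT_RECORD}
    for host, (result, lax) in check_records(sample).items():
        flag = "  <-- lax: unlisted hosts are not failed" if lax else ""
        print("%-32s unlisted senders -> %s%s" % (host, result, flag))
```

Only the "all" qualifier and redirect= are interpreted; a record can still be effectively open through a permissive include: chain, which is why a production check (like the askdns rule quoted above, or a full SPF library) has to resolve DNS rather than read the top-level record alone.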