Wtf, just got a wave of mails from various ticket systems that they got my request (never heard of any of them). All delivered via google MXes 🙄

#MailAdmin

Seems my spam reports are upsetting a spammer who tries to subscribe me to weird mailing lists and swinger groups. LOL. Good thing is that EU regulations require a double opt-in so I just ignore the "please confirm" mails.

#SysAdminLife #MailAdmin #ThanksEU

Hot take: e-mail forwarding is always rubbish. No matter whether with or without SRS, DKIM or the like.
The mail server that forwards the mails only gets itself into trouble.


#mailadmin #postmaster

A few months ago it was sendgrid as mail service (and also cloudflare for the phishing sites). Sendgrid has promptly reacted to every report I sent them and I now rarely see them in my log files.

#SelfHost #MailAdmin @homelab

Observation: Google is currently the biggest spreader of phishing mails, Cloudflare hides/hosts the phishing sites these mails link to. That's been the simple truth on my mailserver for a few weeks. And yes, I manually report every single one of them to no visible avail.

#SelfHost #MailAdmin #Phishing @homelab

My mailserver is very German. When your mailserver tries to send a message, it does a reverse lookup on the IP address. If that doesn't deliver a valid hostname, you're out. But we are not done yet. If it gets a valid hostname, it does an A (IPv4) or AAAA (IPv6) lookup on that hostname. And if it doesn't deliver back the same IP address, you are still out. It is fascinating to observe how often that uncovers that even big names get their DNS wrong. Hello, Spamcop ;)

#ItsAlwaysDNS #MailAdmin
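
The check this post describes (forward-confirmed reverse DNS), as an added example that is not the poster's own configuration or code. The hostname syntax rule, the function names and the sample records (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket

# Assumption: "valid hostname" means at least two dot-separated LDH labels.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    name = name.rstrip(".")
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_forward(name):
    """A and AAAA lookup via the system resolver; returns address strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (accepted, detail) for the IP address of a connecting client."""
    client = ipaddress.ip_address(ip)
    names = [n for n in ptr(ip) if valid_hostname(n)]
    if not names:
        return False, "no valid PTR hostname"
    for name in names:
        for addr in forward(name):
            try:
                # Compare parsed addresses so IPv6 spelling variants match.
                if ipaddress.ip_address(addr) == client:
                    return True, name.rstrip(".").lower()
            except ValueError:
                continue  # e.g. a scoped link-local address string
    return False, "forward lookup does not return client IP"

# Constructed sample records (documentation ranges) so the check runs offline.
PTR = {"192.0.2.10": ["mx1.example.org."], "198.51.100.7": ["mail.example.net"],
       "2001:db8::25": ["mx6.example.org"], "203.0.113.9": ["localhost"]}
FWD = {"mx1.example.org.": ["192.0.2.10"], "mail.example.net": ["198.51.100.99"],
       "mx6.example.org": ["2001:0db8:0:0:0:0:0:25"]}
sample_ptr = lambda ip: PTR.get(ip, [])
sample_forward = lambda name: FWD.get(name, [])
```

Calling `fcrdns(ip)` without the sample resolvers performs the same check against live DNS through the system resolver.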

Because a few people asked how I block the IP ranges from hostgnome:

- Mailserver detects IP address trying to deliver spam: 91.237.124.193
- Via `whois` I find the corresponding AS: 201579 (picture 1)
- Then I find all IP ranges associated with this AS (picture 2)
- Then I go through the ranges and add them to my firewall.

Rinse, repeat.

#SelfHost #MailAdmin @homelab

Hostgnome uses a simple tactic. They rent/buy IPv4 address pools, send spam via all allocated addresses in that space for a few days and then get rid of the pool, replacing it with a fresh one. So it makes sense to have a cronjob that checks their ASes and immediately block all pools on the firewall.

#SelfHost #MailAdmin @homelab

Noticeable trend on my mailserver: Spam that comes via IPv6 is 90% from Google servers and the rest is Amazon or Microsoft servers. So far no other senders of IPv6 spam. 95% of spam attempts are still IPv4 from various Chinese, US, Pacific country sources. The most annoying spam sender stays hostgnome from UK. (All of these attempts are blocked by my mail server, so never make it past the initial HELO part).

#SelfHost #MailAdmin @homelab

A noticeable uptick in phishing mail coming from Google's mail servers. Trying to report them has turned out to be fruitless. If anyone knows where to best send reports so that the Google geniuses take a look and action, please do tell me!

#SelfHost #MailAdmin