On 9/18/2020 6:38 AM, Loren Wilton wrote:
>> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
>>
>> also sheds light on the issue too.
>
> <shrug>. SendGrid knows (or should know) that it has compromised
> accounts. It could find out what some of them are for free by
> downloading Rob's list of 25 or so compromised accounts.
I strongly suspect that many of those accounts on our 2 Sendgrid lists
are just plain ol' spammers, NOT compromised. So some are compromised,
some are spammers. And the list has grown to 594 SendGrid IDs
(currently, as I type this) - much more than 25! Also, the list of
domains found at the end of the SMTP-FROM that we're also deeming as
spam or malicious has likewise grown to 87 domains.
SEE:
https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
AND:
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl-rbldnsd.txt (2nd one formatted for rbldnsd)
I'm seeing evidence/reports that Sendgrid is likely using this data to
greatly improve their system, and that this (maybe combined with their
other efforts?) is finally starting to improve things? So that is good
news. But I'm also shocked at how many hours go by where certain
egregious accounts on our Sendgrid DNSBLs STILL stay in circulation
while continuing to send spams, sometimes criminal phishing spams. But I
also understand that they have to be careful about overly trusting 3rd
party data, to ensure that they don't overreact to what might be an
occasional false positive. It shouldn't be too long before they figure
out that False Positives in those two Sendgrid lists are very very
rare... practically non-existent. They probably should at least PAUSE
campaigns pending further investigation. They should at least do that
much, imo.
(They MIGHT also be suffering from the increasingly common and flawed
view in the ESP industry - that not-illegal and CAN-SPAM-compliant mail
is always legit and not spam - mistakenly not understanding that spam
doesn't have to be illegal and malware, in order to be unsolicited and
undesired by the recipient (aka "spam"). Maybe them seeing those types
of accounts in our data is confusing them? I don't know - but much of
the ESP industry is in great need of a "reset" - and this data is a good
first step towards that!)
I was planning to spend much time this past week (1) adding this data to
my own customer's direct query and rsync feeds, and (2) improving the
instructions, including providing more specific instructions for adding
this free version to various MTAs - but all that time got put into
performance and effectiveness enhancements instead. Therefore, the data
has greatly improved in just the past few days. New data sources were
added into the mix - and many more of these spams that were
previously getting missed are now getting caught - and the time from
such a spam being first received - to that data getting into the list -
has improved from about 1/2 a minute, to just a few seconds!
--
Rob McEwen
invaluement.com