blacklisting the likes of sendgrid, mailgun, mailchimp etc.
For what it is worth. I was always under the impression that most of
those companies that are using these networks known for 'harassing'
were just ignorant. I used to do business with the 'idiots' of
Tucows/opensrs, trying to explain to them that it is not really wise to
send password reset emails via the same mail servers that their 'cheap
clients' are using for spamming.

However I just got email of a company medialab.co using this mailgun
network. Turns out they had problems with getting blacklisted and that
is why they moved there. So I tend to change my position, that it is
quite legitimate to rate these networks as being bad by default. Maybe
most clients just move there because they are sending shit. And now they
can use the excuse that someone else caused the bad reputation.
Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.
>On Thursday, September 17, 2020, 12:44:52 PM GMT+2, Marc Roos <m.roos@f1-outsourcing.eu> wrote:
>For what it is worth. I was always under the impression that most of
>those companies that are using these networks known for 'harassing'
>were just ignorant. I used to do business with the 'idiots' of
>Tucows/opensrs, trying to explain to them that it is not really wise to
>send password reset emails via the same mail servers that their 'cheap
>clients' are using for spamming.

+1
We see quite often companies sending valid invoices via free sendgrid accounts....

--------Pedreter
Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.
sendgrid has seriously fallen from grace this year despite numerous
attempts to contact them and assist.

https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
also sheds light on the issue too.
Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.
> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
> also sheds light on the issue too.

<shrug>. SendGrid knows (or should know) that it has compromised accounts.
It could find out what some of them are for free by downloading Rob's list
of 25 or so compromised accounts. It could find out what some of the other
400 are for $15 each, and could find out what some of the major offenders
are for $400 each. Let's see, 400 compromised accounts times $400 is $16,000
dollars. SendGrid or Twilio can't afford a $16,000 cash outlay to find the
account names of the major compromised accounts? Their head of security
probably gets that much a month in salary and bonuses. It would be a trivial
expense.

So what could they do once they knew which accounts are compromised?
Are they helpless, and can only wring their hands and issue press releases
saying They Have A Plan?

No. They can SHUT THE DAMN ACCOUNTS DOWN. Issue refunds to the owners if
they feel generous. Tell the owners to open new accounts with 2FA.

But they won't do this, because they get their money from sending spam.

Loren
RE: blacklisting the likes of sendgrid, mailgun, mailchimp etc.
But now it is Sendgrid, tomorrow it is some other company; fact is we're
stuck with this trend of spammers outsourcing their spam, trying to mix
it with legitimate email.

Legitimate clients are not aware of this and use these companies because
of whatever ill advised reason. I am thinking about documenting this
behaviour on 'my' hosting pages so people can read and be aware of this.
I think if everyone does this, legitimate clients will stay away from
these businesses. And if they stay away from these businesses, it is for
'smaller' providers easier to manage (e.g. blanket-block the whole owned
range).

-----Original Message-----
To: users@spamassassin.apache.org
Subject: Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.

> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
> also sheds light on the issue too.

<shrug>. SendGrid knows (or should know) that it has compromised
accounts.
It could find out what some of them are for free by downloading Rob's
list of 25 or so compromised accounts. It could find out what some of
the other 400 are for $15 each, and could find out what some of the
major offenders are for $400 each. Let's see, 400 compromised accounts
times $400 is $16,000 dollars. SendGrid or Twilio can't afford a
$16,000 cash outlay to find the account names of the major compromised
accounts? Their head of security probably gets that much a month in
salary and bonuses. It would be a trivial expense.

So what could they do once they knew which accounts are compromised?
Are they helpless, and can only wring their hands and issue press
releases saying They Have A Plan?

No. They can SHUT THE DAMN ACCOUNTS DOWN. Issue refunds to the owners if
they feel generous. Tell the owners to open new accounts with 2FA.

But they won't do this, because they get their money from sending spam.

Loren
Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.
On 9/18/2020 6:38 AM, Loren Wilton wrote:
>> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
>>
>> also sheds light on the issue too.
>
> <shrug>. SendGrid knows (or should know) that it has compromised
> accounts. It could find out what some of them are for free by
> downloading Rob's list of 25 or so compromised accounts.


I strongly suspect that many of those accounts on our 2 Sendgrid lists
are just plain ol' spammers, NOT compromised. So some are compromised,
some are spammers. And the list has grown to 594 SendGrid IDs
(currently, as I type this) - much more than 25! Also, the list of
domains found at the end of the SMTP-FROM that we're also deeming as
spam or malicious has likewise grown to 87 domains.

SEE:
https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt

AND:
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl-rbldnsd.txt
(2nd one formatted for rbldnsd)

I'm seeing evidence/reports that Sendgrid is likely using this data to
greatly improve their system, and that this (maybe combined with their
other efforts?) is finally starting to improve things? So that is good
news. But I'm also shocked at how many hours go by where certain
egregious accounts on our Sendgrid DNSBLs STILL stay in circulation
while continuing to send spams, sometimes criminal phishing spams. But I
also understand that they have to be careful about overly trusting 3rd
party data, to ensure that they don't overreact to what might be an
occasional false positive. It shouldn't be too long before they figure
out that False Positives in those two Sendgrid lists are very very
rare... practically non-existent. They probably should at least PAUSE
campaigns pending further investigation. They should at least do that
much, imo.

(They MIGHT also be suffering from the increasingly common and flawed
view in the ESP industry - that not-illegal and CAN-SPAM-compliant mail
is always legit and not spam - mistakenly not understanding that spam
doesn't have to be illegal and malware, in order to be unsolicited and
undesired by the recipient (aka "spam"). Maybe them seeing those types
of accounts in our data is confusing them? I don't know - but much of
the ESP industry is in great need of a "reset" - and this data is a good
first step towards that!)

I was planning to spend much time this past week (1) adding this data to
my own customer's direct query and rsync feeds, and (2) improving the
instructions, including providing more specific instructions for adding
this free version to various MTAs - but all that time got put into
performance and effectiveness enhancements instead. Therefore, the data
has greatly improved in just the past few days. New data sources were
added into the mix - and many more of these spams that were
previously getting missed are now getting caught - and the time from
such a spam being first received - to that data getting into the list -
has improved from about 1/2 a minute, to just a few seconds!

-- Rob McEwen invaluement.com
Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.
On Thu, 17 Sep 2020, Kevin A. McGrail wrote:

> sendgrid has seriously fallen from grace this year despite numerous
> attempts to contact them and assist.
>
> https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
> also sheds light on the issue too.

There's also a RBL for compromised sendgrid user IDs. See the thread
starting at:

https://marc.info/?l=spamassassin-users&m=159803815425176&w=2


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
All I could think about was this bear is so close to me I can
see its teeth. I could have kissed it. I wished I had a gun.
-- Alyson Jones-Robinson
-----------------------------------------------------------------------
Tomorrow: Talk Like a Pirate day