aws servers that don’t seem to have dkim verification

Consider this extract from an aws dmarc log we received.

<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>

Although the email came from the zoo and was signed, that is not my problem: dkim signing happens here in the zoo and everybody else is fine with it.

rfc ignorant email servers and software things

I am constantly reminded of bad email servers, since each report I get details the unclued and dumb who think email is easy.

Your email server may kind of work, but it does have to worry about non-email things too, as they can wreak havoc. Somebody had all the right things set up, but the sending server screwed up the header, so our spam bot decided not to deliver the email. I had no issues with that.

The dmarc report sent back might say we got it, but it never hit a human.

Commercial list software is also odd with dmarc: two ‘signed up marketing message’ lists also added the dmarc reporting address to their subscriber lists.

Quite how the dmarc address got on the list is something I’d love to know.

Since our virus bot is working, unlike those email lists, and knows a bad header, I was happy to accept its judgement that the message should not be seen by a human; dmarc is working correctly too.

So if you think your email is getting through and that it was 100% signed up for by humans, it may not be so; and if you wish to send email to the dmarc user, or reject dmarc mail because of the compressed attachment, well, that’s your choice.

You’re still an idiot.

shit at dmarc: belgacom.be

Since I like to name those awful at dmarc, and many of those already mentioned retain their status, I feel it necessary to add belgacom.be to that list.

Given that they use Microsoft software, it is no wonder gchq and the nsa hacked them, which made the newspapers until reporting on spies became a non-reportable thing.

I look forward to belgacom.be informing me that their dmarc inbox is ‘full’ once again. Oh yes:

fdmarc@proximus.com
#554-5.2.2 mailbox full 554 5.2.2 STOREDRV.Deliver.Exception:QuotaExceededException.MapiExceptionShutoffQuotaExceeded; Failed to process message due to a permanent exception with message Cannot open mailbox /o=BelgacomGroup/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=A04071/cn=Microsoft System Attendant. 16.55847:C2000000,

A feedback loop!


Governments and dmarc feedback loops [nsandi.com]


If you have never heard of nsandi, they are a government savings bank: interest is low and a lottery-like prize is offered, kind of like an old war bond, mostly an interest-free loan to the government.

Somebody here in the zoo registered with a zoo address, and as we have dmarc, as does nsandi, a curious feedback loop has started: it begins when they send an email, dmarc sends a report back, and then their phishing-report address sends another automated reply to our dmarc user, meaning another dmarc message from us; rinse and repeat.

Imagine you are not just us but google getting lots of these autoreplies; I bet they must consider this autoreply bot a sign of retardation at nsandi.

I guess one day it will stop, when I do a kernel upgrade and ‘forget’ to keep the dmarc import file, or block the reporting to them, or something else.

Ignoring the domain nsinvest.core.int seems to stop the feedback loop, which does make dmarc useless for them, but hey, some retarded public-schooled civil servant should not auto-reply to dmarc messages.

Oh well. Idle bots like to keep busy.  Nice to know they got the message!


dmarc retard for September is latinnewsmail.us

It is a bit early, since it is still September, but this is clearly an exceptional case which deserves this special award.

The domain latinnewsmail . us apparently sent something to the zoo (could have been spam); its mail handler did not like the standard opendmarc zip attachment and rejected it as:

eforward3.registrar-servers.com[162.255.118.61] said: 550 We do not accept
.zip attachments here. (in reply to end of DATA command)

So if you’re thinking of using registrar-servers.com, clearly you’re a retard. As to the domain, well, they also deserve to be associated with retards, since they set up the address aggregate@latinnewsmail.us to be forwarded there. The good news is that latinnewsmail . us won’t be getting any more dmarc email from the zoo, despite them requesting it.

I pass this on just to show that the clueless seem to have found dmarc, and what could possibly go wrong?

I like spotting idiots with dmarc.

atps and adsp records (featuring asl too) and dmarc reporting

Sisyphus is still a role model


Yes, I am doing dmarc today once again, exciting stuff this, and I have finally figured out opendmarc-reports, for which, in the zoo, atps is apparently needed.

These records are fun, and once you do one domain the others also need doing, e.g.:

  • example.com
  • example.net
  • etc

_adsp._domainkey.example.com IN TXT "dkim=all; atps=y; asl=example.net;"
YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01; d=example.net;"

The label YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ is the sha1 hash of example.net, base32 encoded. opendkim-atpszone can make this with:

opendkim-atpszone -h sha1 -u example.com -A example.net -vvv

For the rest of the dns lines above you are on your own; the tool only prints:

YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1; d=example.net"

Eagle-eyed readers will note that v=ATPS1; and v=atps01; differ, and that no adsp record is made.

The zoo has found that atps01 works and is unwilling to test the capital variant.
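Both halves of the atps dance above, generating the hashed label and the two records for an author domain and then checking them the way a verifier would, as an added example that is not from this post or from opendkim. It assumes a dictionary standing in for DNS and reproduces the record layout used in the zone lines above; the label it produces for example.net can be compared against the one in the zone.

```python
import base64
import hashlib

# A dict (owner name -> list of TXT strings) stands in for DNS throughout.
# That is an assumption of this example, not something opendkim does.


def atps_label(signer, algorithm="sha1"):
    """Hashed owner label for a signing domain (RFC 6541 section 4.2).

    The domain is lowercased, hashed, and the raw digest is base32 encoded
    with any '=' padding stripped; sha1 yields a 32 character label.
    """
    name = signer.strip().rstrip(".").lower().encode("ascii")
    digest = hashlib.new(algorithm, name).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def atps_records(author, signer, algorithm="sha1"):
    """Records the author domain publishes to delegate signing to `signer`.

    Layout mirrors the zone lines in the post; the version tag is the form
    that opendkim-atpszone printed above.
    """
    label = atps_label(signer, algorithm)
    return {
        f"_adsp._domainkey.{author}": [f"dkim=all; atps=y; asl={signer};"],
        f"{label}._atps.{author}": [f"v=ATPS1; d={signer};"],
    }


def _tags(txt):
    """Split 'k=v; k=v' into a lowercase dict, ignoring empty parts."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def verify_atps(author, signer, zone, algorithm="sha1"):
    """Verifier side: is `signer` authorised to DKIM-sign for `author`?

    First the author's ADSP record must opt in with atps=y, then the hashed
    label under the author's _atps subdomain must carry a d= tag naming the
    signer.  Both version spellings seen in the post (ATPS1 and atps01) are
    accepted so that either zone style validates.
    """
    adsp = [_tags(t) for t in zone.get(f"_adsp._domainkey.{author}", [])]
    if not any(t.get("atps") == "y" for t in adsp):
        return False
    owner = f"{atps_label(signer, algorithm)}._atps.{author}"
    wanted = signer.strip().rstrip(".").lower()
    for txt in zone.get(owner, []):
        tags = _tags(txt)
        if tags.get("v") in ("atps1", "atps01") and tags.get("d", "").rstrip(".") == wanted:
            return True
    return False


if __name__ == "__main__":
    zone = atps_records("example.com", "example.net")
    for owner, txts in zone.items():
        print(owner, "IN TXT", txts[0])
    print("example.net may sign for example.com:", verify_atps("example.com", "example.net", zone))
```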

The only reason I have this is for opendmarc-reports, which for some reason, if I do not have these records, gets me a dmarc rejection like:

postfix/smtp[*]: *:
status=bounced (host aspmx.l.google.com[74.125.71.26] 
said: 550-5.7.1 Unauthenticated email from example is not accepted 
due to 550-5.7.1 domain's DMARC policy. 
Please contact the administrator of 550-5.7.1 example domain if this 
was a legitimate mail.

That’s what brought me to this vague corner of dns and email.

The dmarc report i received back the next day was interesting.

<source_ip>munged .com</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.net</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>example.net</domain>
<result>pass</result>
<selector>mail2</selector>
</dkim>
<dkim>
<domain>example.net</domain>
<result>pass</result>
<selector>mailxx</selector>
</dkim>
<spf>
<domain>example.net</domain>
<result>pass</result>
</spf>
</auth_results>
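A small parser for aggregate reports like the one above and the aws extract at the top of the page, as an added example that is not from the post or from opendmarc. It embeds a constructed two-record report (not a real one) and separates the case where the receiver never ran a dkim check from the case where both selectors and spf passed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real report) modelled on the two extracts in the
# post: one row where the receiver recorded spf only, one where both dkim
# selectors and spf passed with alignment.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>reporter.example</org_name><report_id>1</report_id></report_metadata>
 <policy_published><domain>example.net</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>1</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.net</header_from></identifiers>
  <auth_results><spf><domain>example.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.20</source_ip><count>2</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.net</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.net</domain><result>pass</result><selector>mail2</selector></dkim>
   <dkim><domain>example.net</domain><result>pass</result><selector>mailxx</selector></dkim>
   <spf><domain>example.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>
"""


def parse_report(xml_text):
    """Flatten each <record> of an aggregate report into a dict."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),  # aligned dkim verdict
            "spf": evaluated.findtext("spf"),    # aligned spf verdict
            "header_from": rec.findtext("identifiers/header_from"),
            # selectors the receiver actually verified; empty when it ran none
            "dkim_checked": [d.findtext("selector") for d in rec.findall("auth_results/dkim")],
        })
    return rows


def classify(row):
    """Name what a row says about the sending host."""
    if row["dkim"] == "pass" and row["spf"] == "pass":
        return "fully aligned"
    if row["spf"] == "pass" and not row["dkim_checked"]:
        return "spf only, no dkim verification recorded"  # the aws case
    if row["spf"] == "pass":
        return "spf pass, dkim signature failed"
    if row["dkim"] == "pass":
        return "dkim only"
    return "unauthenticated"


def summarize(rows):
    """Message counts per classification, handy for a daily one-liner."""
    totals = {}
    for row in rows:
        key = classify(row)
        totals[key] = totals.get(key, 0) + row["count"]
    return totals
```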

So perhaps more evidence that atps is needed, when it is a dead duck compared to, say, spf.

Maybe the zoo’s way of doing things is weird to opendmarc-reports, which is good at keeping secrets on our live mail server; it is happy with adsp, and human email gets sent properly with aligned spf, dkim and dmarc. I will say no more.

So that fixes opendmarc-reporting.  Yay


opendmarc reporting and extended thoughts

I decided to install some very crappy software to get dmarc reporting working, and adapted a script from a blog to suit; it works: you import, report and expire the db.

This is a week-long-plus blog post, so I may contradict myself the longer I document stuff.

However, with stuff inbound to the database I got no email reports out, which I can assume is due either to an error on my part, to the policy of not bothering senders who are in strict compliance, or to the software being broken.

A brainwave I had on exploring this was that, as a low-traffic host (the zoo is not gmail), the email we do get is strictly controlled by rules, whereas gmail I guess might be lax on, say, spam, where we are not.

So most of the email dealt with needs no dmarc action.

I will run the import, report and expire once a day and see if dmarc reporting via opendmarc is worthwhile.

Later on, with reports being sent, I observed some issues…

Dmarc can be abused by marketing people, and it depends on who runs the report address they specified; take pure360.com.

(host x.GOOGLE.com[74.125.x.x] said:
450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 – gsmtp (in reply to RCPT TO command))
dmarcreporting@pure360.com


It is amusing to note that they also use gmail.

So dmarc might be mismanaged by some who should know better. Does this mean pure360.com dmarc should be ignored? What do you think?

Another retard with dmarc produced the humorous issue below. Please note this address was collected by dmarc and sent to by dmarc; it is not a typo by a human.

opendmarc-reports: sent report for email3.telegraph.co.uk 
to craig.millar@telegraph.co.uk (2.0.0 Ok: queued as 5F1F4BD6315)

<craig.millar@telegraph.co.uk>: host <host>.google.com[74.125.x.x] said:
550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient’s email address for typos

Plenty of other idiots exist.

(host eu-smtp-inbound-1.mimecast.com[91.220.42.241] said: 451 IP temporarily blacklisted – https://community.mimecast.com/docs/DOC-1369#451 (in reply to RCPT TO command))
dmarc@communicatorcorp.com

Not sure they want dmarc, although they request it.

(host eu-smtp-inbound-2.mimecast.com[91.220.42.241] said: 451 IP temporarily blacklisted – https://community.mimecast.com/docs/DOC-1369#451 (in reply to RCPT TO command))
rua@rac.co.uk

These appear to go through hours and hours later, that is, the dmarc report gets back (rac do send spam) and pisses off hosts when it arrives. Oh, to be a mind reader.

Yet another brainwave I had was that there is no way to block ‘phishing’ emails via opendmarc unless a strict policy is set up, unless you search headers for dmarc results, but that is down to the mta or spam filter, not opendmarc. There is an example below.

Routing loops could be a problem, à la: I send mail, they send mail, we mail back, etc. Have to see on that one. I guess you could turn off reporting, which kind of makes dmarc reporting an odd idea to start with.

In the real world i found out:

One bug I noticed: if you do not import messages into sql and then shut down opendmarc (say for a kernel upgrade), opendmarc deletes the text file. Not an end-of-the-world issue, but an occasional one.

Another bug I noticed in the 1.3.0 release (1.3.2 is in debian experimental) is that opendmarc-reports will still send email out even if you had a typo in the address or email set in the script (the zoo has four domains).

I noticed because our dkim signing did not initiate when it should have (my typo).

The sql data is stored, although it is not designed for humans to read; the xml reports, which it makes and which we also get from others as the zoo has dmarc, are more human readable.

Microsoft (microshit) are pretty crap at dmarc; their reports leave a lot to be desired due to \n issues.

They also bounce failures; this is pure microshit in action. I perceive this as a bit spammy. It took a little time to sanitize here.

Subject x has left you a private message
From No signature information staff@hotmail.com
To technical_dmarc@zoo
Date Thu 07:46 PM
This is an email abuse report for an email message received from IP 201.217.243.222 on Thu, 19 Jan 2017 11:xx:40 -0800.
The message below did not meet the sending domain’s authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.
Subject x has left you a private message
From Signature is not valid ! verified by VMessage
Sender notification+bingxia006@zoo
To REDACTED
Date Thu 04:44 PM
You have 1 new message

Typical crap from microsoft; it was spamcop-proof too.

Criminals also have odd dmarc setups; a good example is quantumaccountingservices . net, which is scammy* and at the time of writing returned:

Host not found, try again

So I guess you’re going to get a lot of domains to ignore.

A problem I have is with multiple-domain reporting (say mail.zoo, mail.zoo1, etc.). In the debian 1.3.0 version the first report run, for mail.zoo, has all the fun; the other opendmarc report scripts run but have nothing to report on. That might be a level of complexity that most people with one domain and one host never get to see or care about, and might be down to the shit sql server it uses.

My adsp and atps lines in dns needed some tweaking, since reporting uses port 25 and I use the other port for outbound mail, which for over a week I failed to comprehend, so this might be a postfix / amavis or some other issue I cannot resolve currently.

The zoo will not be sending reports until we figure out adsp, even though the sql import and expire work.

opendmarc-spam looks interesting, although it is a thought experiment needing a look at the source code to guess how it works.

That’s about it for opendmarc reporting. Tomorrow I will be delving into the science of mind reading**; after all, it appears to be a required skill with dmarc.

* The hint is in the name. ** I joke.

Dead letter abuse boxes (or an end to dmarc probers)

One day they just stopped, and since most of them are in China*, it has been boring on the dmarc front ever since.

However, since reporting abuse to China does not work except for ‘special’ people, it can be said that many Chinese isps colluded. Any American reading this should comprehend that China is not Russia.

Of other countries, Vietnam has one attempt and the US a couple, so either they are spoofing somebody without dmarc, which is something I would have done months ago, or the thing that controlled it is down, rather than looking an idiot with the once-a-day attempts like China did.

I still have the data and can firewall it in seconds; the dmarc records still exist and are permanent, and so I will now only report on the latest attempts and correlate them with previous behaviour.

Latterly I have also caught amazon (yes, the big retailer) making 24 attempts in one day via ec2, so maybe this year will be the year that the US wins the gold medal in dmarc probes over China, with quantity from single hosts.

I am sure you are all looking forward to these posts.  Exciting stuff

*both HK and mainland.

Exploring opendmarc in debian jessie

It uses horrible mysql for a database, so I just looked at the milter.

Spf needs an Authentication-Results (ar) header, so you need to read a man page, although that seems to be a bit buggy in debian stable; amavis does ar, though.

It lives on 127.0.0.1:8893, and it appears all those IT bloggers do not run opendmarc, so there are not many blogs with bad information, unlike for dkim, although to call some bloggers technical is perhaps stretching things, and many are just rehashing content that is not theirs, only for the advert views.

In debian the conf file is simple and examples can be found; however, while the software works, not all options work.

Using jessie defaults seems to want one host and one email server, so if, like the zoo, you have five mta’s hanging off one piece of hardware, you are going to need to do some work.

In an hour I got a working opendkim instance and plumbed it in, and on checking the plumbing I was able to get messages in and out as before, so I left it like that to see what happens in a week’s time.

Examples include auth and forensic reports. Here is one error line:

postfix/smtpd[17677]: warning: connect to Milter service inet:127.0.0.1:8893: Connection refused

I also notice that with Header_Type = AR you get no spf line appended to the email; that is an unrelated problem, probably with postfix-policyd-spf, that hinders opendmarc.

One site suggested you use the backports repo, a suggestion I did not take up, and some changes to postfix with extra headers (not ar).

I also created a history file and enabled it, and that stubbornly recorded nothing even with a restart.

I will take another look at opendmarc in the future, but it strikes me as not worth the bother inbound, and the mysql is off-putting. Could be wrong, but that was what a week’s worth of activity recorded.

Email was signed with dkim and was sent and received so our email server was working during the time with the new milter.

This might be a compile-it-yourself thing in Debian for all I know at this stage, or maybe I do not need it.

Chinese botnets in the mist

This is not a film about Rwanda and apes but a specific Chinese isp who pretends to be the zoo.

In this post I first noticed them, then caught up with them again here, and one more time I decided to update you all on Huashu media&Network Limited.

After all, this is fun, and most of this report is now generated by a computer, so these blog entries take very little time to create.


Another 61 since I last saw them. Impressive! Huashu media&Network Limited, keep up the good work.