On 1 Dec 2016, at 18:40, Matt Vernhout wrote:

Our DMARC reports from work are showing a significant spike in spoofing as well:

104.47.36.206 (mail-sn1nam02hn0206.outbound.protection.outlook.com)

MAIL FROM domain 4444444444444.onmicrosoft.com does not match the from
domain
DKIM Issue: message does not contain a DKIM signature
Mail From Domain: 4444444444444.onmicrosoft.com
From: Indigo Platinum MasterCard <marketing@redacted>
Subject: Pre-Qualify for the Indigo Platinum MasterCard

Count is running at 204 IPs sending this same message...

Also seeing a ton from this Mail From Domain: workexact.onmicrosoft.com

FWIW, systems I help run reject the overwhelming majority of mail with envelope senders or DKIM signatures of *.onmicrosoft.com domains, largely because of that spamsign. In 1-3 years (varying by site) no customer has ever reported an FP that was caught by that rule, despite the fact that these are customers who don't shrug off FPs and have come to expect fastidious support. A tiny number of messages containing *.onmicrosoft.com in headers do get delivered, but every one of them has been deleted or moved into an "uncaught spam" IMAP folder that gets swept into the Bayesian filters. Some years ago Terry Zink of MS made a blog post revealing some useful information about how MS segregates outbound mail, and between that, flow analysis, and the unpleasant experience of being tasked with the O365 Admin role for one customer (ugh) to fill in some details, it became clear that *.onmicrosoft.com was extremely unlikely to appear in anything worth keeping.

Also: the 'h' in that MS hostname is a tag for their "high risk" outbound pool. Basically all spam and backscatter.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
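
The rule described in the reply above, sketched as an added example; it is not code from the post or from the systems it mentions. The function names, the reason labels and the PTR pattern (inferred from the one hostname quoted in the thread) are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string

BLOCKED_SUFFIX = ".onmicrosoft.com"   # matches tenant subdomains only
# Assumption: the label shape "mail-<site>hn<digits>" is inferred from the single
# hostname quoted in the thread; the 'h' marks the "high risk" outbound pool.
HIGH_RISK_PTR = re.compile(
    r"^mail-[a-z0-9]+hn\d+\.outbound\.protection\.outlook\.com\.?$", re.I)

def in_blocked_zone(domain):
    """True for foo.onmicrosoft.com, false for look-alikes such as notonmicrosoft.com."""
    return domain.strip().rstrip(".").lower().endswith(BLOCKED_SUFFIX)

def envelope_domain(mail_from):
    """Domain part of the SMTP MAIL FROM path; empty for the null sender <>."""
    return mail_from.strip().strip("<>").rpartition("@")[2]

def dkim_domains(raw_headers):
    """Collect the d= tag of every DKIM-Signature header, folded or not."""
    found = []
    for value in message_from_string(raw_headers).get_all("DKIM-Signature", []):
        for tag in re.sub(r"\s+", "", value).split(";"):   # unfold, then split tags
            name, _, val = tag.partition("=")
            if name == "d" and val:
                found.append(val.lower())
    return found

def evaluate(mail_from, raw_headers, ptr_name=""):
    """Return the reasons a message trips the rule; an empty list means no hit."""
    reasons = []
    if in_blocked_zone(envelope_domain(mail_from)):
        reasons.append("envelope-sender")
    if any(in_blocked_zone(d) for d in dkim_domains(raw_headers)):
        reasons.append("dkim-d")
    if HIGH_RISK_PTR.match(ptr_name):
        reasons.append("high-risk-pool")
    return reasons

if __name__ == "__main__":
    # Constructed sample: a folded DKIM-Signature signed by a tenant domain.
    sample = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
              " d=tenant.onmicrosoft.com; s=selector1; bh=AAAA=; b=BBBB=\n"
              "From: Sender <sender@example.org>\n\nbody\n")
    print(evaluate("<sender@example.org>", sample))
    print(evaluate("<bounce@4444444444444.onmicrosoft.com>", "From: a@example.org\n\n",
                   "mail-sn1nam02hn0206.outbound.protection.outlook.com"))
```

Whether a hit means reject, quarantine or a score adjustment is a local policy decision; the function only reports which of the three signals fired.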
