"Hmm...[tm]"
Making inquiries. Aloha, Michael. -- Michael J Wise Microsoft Corporation| Spam Analysis "Your Spam Specimen Has Been Processed." Got the Junk Mail Reporting Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ? -----Original Message----- From: Andrew Beverley <a...@simplelists.com> Sent: Wednesday, August 8, 2018 3:55 PM To: Michael Wise <michael.w...@microsoft.com> Cc: mailop@mailop.org Subject: Re: [mailop] Unsubscription requests from O365 Thanks for the quick reply Michael, > Does the URL include the user identifier as part of the domain or path? No, it's in the query string, e.g. https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.simplelists.com%2Fconfirm.php%3Fu%3DQzwKTj9iXcEWOT1I5MQObv4l7aPma9tN&data=02%7C01%7CMichael.Wise%40microsoft.com%7C7bbb4374adfa43bdee9708d5fd81cf97%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636693656336439282&sdata=%2BlJKT00gN7bqsgTUyhU0QO2CCR2HAXLneSNFNFEz%2FW8%3D&reserved=0 > This is our SONAR system testing if the URL is malicious. But surely it shouldn't be doing POST requests to test the URL? It's only the last 24 hours or so that this has suddenly become a problem - it was okay before that. > Or, you could just block the IP ranges that you see this behavior > coming from, as I recall they’re all in a /24 or thereabouts. Thanks, that's a good option - I guess genuine requests will be from a different IP range. It looks like a bit more than a /24 but not much more (about 40.107.194.0 - 40.107.248.99 or so). Thanks, Andy
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop