Sorry... I think it might actually be a problem this end. There are
some additional parameters that can be added to the URL which means it
doesn't require a POST request. I'm not sure how, but the scanner
appears to be adding these. I can't see the parameters in a list email
anywhere, so I'm not sure where it's getting them from, but that's our
problem not yours. Sorry for the noise.

Andy



On Wed, 8 Aug 2018 22:57:37 +0000
Michael Wise <michael.w...@microsoft.com> wrote:

> 
> 
> "Hmm...[tm]"
> 
> 
> 
> Making inquiries.
> 
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Got the Junk Mail Reporting 
> Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?
> 
> 
> 
> -----Original Message-----
> From: Andrew Beverley <a...@simplelists.com>
> Sent: Wednesday, August 8, 2018 3:55 PM
> To: Michael Wise <michael.w...@microsoft.com>
> Cc: mailop@mailop.org
> Subject: Re: [mailop] Unsubscription requests from O365
> 
> 
> 
> Thanks for the quick reply Michael,
> 
> 
> 
> > Does the URL include the user identifier as part of the domain or path?
> 
> 
> 
> No, it's in the query string, e.g.
> 
> 
> 
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.simplelists.com%2Fconfirm.php%3Fu%3DQzwKTj9iXcEWOT1I5MQObv4l7aPma9tN&data=02%7C01%7CMichael.Wise%40microsoft.com%7C7bbb4374adfa43bdee9708d5fd81cf97%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636693656336439282&sdata=%2BlJKT00gN7bqsgTUyhU0QO2CCR2HAXLneSNFNFEz%2FW8%3D&reserved=0
> 
> 
> 
> > This is our SONAR system testing if the URL is malicious.
> 
> 
> 
> But surely it shouldn't be doing POST requests to test the URL? It's only the 
> last 24 hours or so that this has suddenly become a problem - it was okay 
> before that.
> 
> 
> 
> > Or, you could just block the IP ranges that you see this behavior
> > coming from, as I recall they’re all in a /24 or thereabouts.
> 
> 
> 
> Thanks, that's a good option - I guess genuine requests will be from a 
> different IP range. It looks like a bit more than a /24 but not much more 
> (about 40.107.194.0 - 40.107.248.99 or so).
> 
> 
> 
> Thanks,
> 
> 
> 
> Andy


-- 
Andrew Beverley <a...@simplelists.com>

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
