Hi Tarun,

While your mitigation has reduced the amount of authentications I see, it's only a partial fix. So far today (since 00:00 UTC) I count:

111000 connections deferred before AUTH
554000 successful authentications
712 emails successfully sent

The amount of successful AUTH has been fairly consistent at ~1200-1400 per minute since around 2023-08-16 09:30 UTC

On 2023-08-18 00:53, Tarun Singh via mailop wrote:
Hello,

Thanks for reporting the issue. I can confirm that we are aware of the issue, 
and it is mitigated for now. There was a change in SMTP authentication flow 
which inadvertently caused excessive retries as a result. The mitigation was 
applied yesterday so you should see the traffic going down, if you are seeing 
otherwise, please let me know.

Apologies for any false alarms it may have caused on your end.

Please let me know if you have any questions.

Thanks
Tarun Singh

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Sebastian Nielsen via 
mailop
Sent: Monday, August 14, 2023 3:48 AM
To: 'Mailing List' <mailop@mailop.org>
Subject: [EXTERNAL] Re: [mailop] Abuse AUTH from Microsoft outlook IP space

My thought is that some features are only accessible for authenticated users, so it would 
want to authenticate and see what the server has to offer, before it decides "not 
fine" and quits.

Or it could be that it always connects and tries that the password is correct 
every time you open the Outlook Mobile client.
So it can inform if the password had been changed.

-----Original Message-----
From: Dan Malm via mailop <mailop@mailop.org>
Sent: 14 August 2023 11:51
To: mailop@mailop.org
Subject: Re: [mailop] Abuse AUTH from Microsoft outlook IP space

Could be mobile connections being proxied, yes. But if it was due to not liking 
the features (which I'm quite certain has not changed on our end) wouldn't it 
be more logical to quit after HELO/EHLO rather than AUTH?

On 2023-08-14 11:08, Sebastian Nielsen via mailop wrote:
Could it also be their outlook for mobile connections, where the connection 
fails for some other reason, like the server doesn't like the features supported?
It seems to use some sort of proxy, where outlook's server connects to the 
server in question instead of a direct connection from the phone to server.

-----Original Message-----
From: Dan Malm via mailop <mailop@mailop.org>
Sent: 14 August 2023 11:06
To: mailop@mailop.org; ab...@microsoft.com
Subject: [mailop] Abuse AUTH from Microsoft outlook IP space

Hi,

Since Friday I'm seeing a rather extreme amount of SMTP AUTH requests
from the same IPv6 IP space that outlook.com uses when sending emails
on behalf of customers that have added an "external" address to sync
and send from to their outlook account. The AUTH uses valid
credentials for the accounts but just hangs up after AUTH. The amount
of connections seems to increase daily.

For the last 24h I have ~11M AUTH requests but only ~5K mails actually
sent from the 2603:1026::/32 range. I also see some similar patterns
from the other ranges that seem to send outlook mail: 2603:1036::/32,
2603:1046::/32, 2603:1056::/32 but the bulk of it is from the 1026 one.

Anyone from MS listening that would like to comment?


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


--
BR/Mvh. Dan Malm, Systems Engineer, one.com
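
Added example, not part of the thread or any poster's code: one way to reproduce the kind of count discussed above, tallying successful AUTHs, deferrals and sent messages per source range and flagging ranges that authenticate without sending. The log format, event names, sample lines, function names and thresholds are all constructed assumptions; only the four /32 ranges come from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# IPv6 ranges named in the thread.
RANGES = [ipaddress.ip_network(n) for n in (
    "2603:1026::/32", "2603:1036::/32", "2603:1046::/32", "2603:1056::/32")]

# Constructed log format (an assumption, not any MTA's real format):
#   <timestamp> <event> ip=<client address>
LINE = re.compile(r"^\S+ (?P<event>auth_ok|deferred|sent) ip=(?P<ip>\S+)$")

SAMPLE_LOG = """\
2023-08-18T00:00:01Z auth_ok ip=2603:1026:c03::1
2023-08-18T00:00:02Z auth_ok ip=2603:1026:c03::2
2023-08-18T00:00:03Z deferred ip=2603:1026:c03::3
2023-08-18T00:00:04Z auth_ok ip=2603:1026:206::4
2023-08-18T00:00:05Z auth_ok ip=2603:1036:4::5
2023-08-18T00:00:05Z sent ip=2603:1036:4::5
2023-08-18T00:00:06Z auth_ok ip=2603:1036:4::6
2023-08-18T00:00:06Z sent ip=2603:1036:4::6
2023-08-18T00:00:07Z auth_ok ip=2603:1036:4::7
2023-08-18T00:00:08Z auth_ok ip=2001:db8::8
2023-08-18T00:00:09Z auth_ok ip=not-an-address
"""

def tally(lines):
    """Count events per watched range; skip unparsable and unrelated lines."""
    counts = defaultdict(lambda: {"auth_ok": 0, "deferred": 0, "sent": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        net = next((n for n in RANGES if addr in n), None)
        if net is not None:
            counts[str(net)][m["event"]] += 1
    return dict(counts)

def auth_without_send(counts, min_auth=3, max_sent_ratio=0.01):
    """Ranges with enough successful AUTHs but almost no mail sent."""
    return sorted(net for net, c in counts.items()
                  if c["auth_ok"] >= min_auth
                  and c["sent"] / c["auth_ok"] <= max_sent_ratio)
```

Call `auth_without_send(tally(open(path)))` on a real log after adapting `LINE` to the MTA's actual format.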
