> FWIW, after a log file review we are contemplating blocking 
> "azurewebsites.net" as well as "@onmicrosoft.com".

        Our logs are showing small quantities of SMTP traffic from 
"azurewebsites.net" that are usually being blocked due to SPF 
failures, and usually sending to weird, nonsensical non-existent eMail 
addresses where the local-part is a series of randomly-selected 
letters and digits, sometimes intermixed with names of birds, 
furniture, food, vehicles, colours, etc., all of which are recipient 
addresses that don't exist and have never existed.

        I'm assuming it's a source of eMail debris from broken systems.  I'm 
almost tempted to set up a honeypot to see whatever trash it's trying 
to spew out, but I'd rather do something more productive (like 
flossing my teeth).

> Curious if others are coming to the same conclusion?

        I'm currently leaning in a block-on-sight direction since I'm seeing 
zero legitimate eMail coming from hosts self-identifying as hosts in 
the "azurewebsites.net" domain name in the HELO and EHLO commands.

> Regards, 
> Mark 
> _________________________________________________________________ 
> L. Mark Stone, Founder 
> North America's Leading Zimbra VAR/BSP/Training Partner 
> For Companies With Mission-Critical Email Needs
> 
> ----- Original Message -----
> From: "Mark Alley via mailop" <mailop@mailop.org>
> To: "Andrew C Aitchison" <and...@aitchison.me.uk>
> Cc: "mailop" <mailop@mailop.org>
> Sent: Sunday, January 14, 2024 6:30:22 PM
> Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
> distribution lists?
>
> Ah, yep, thanks for catching that typo.
>
> On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:
>
> > On Sun, 14 Jan 2024, Mark Alley via mailop wrote:
> >
> > > This is anecdotal, but I think it illustrates even at a smaller scale the
> > > persistent problem Microsoft currently has with their tenancy.
> > >
> > > I did some quick perusal of the last month's data from our email logs, and
> > > out of a total of 22,473 external emails that contain a .onmicrosoft.com
> > > subdomain in the RFC5322.FROM field -- 22,086 were blocked because of various
> > > reasons:
> > >
> > > * 21,228 spam
> > > * 1 malware
> > > * 759 phishing
> > > * 5 impostor
> > > * 93 "hard" failed SPF without a DMARC record since onmicrosoft.com
> > > doesn't have one. (probably forwarded)
> > >
> > > 387 "clean" emails were delivered successfully initially, and 151 of those
> > > initial deliveries were then later retroactively classified as being spam or
> > > phishing.
> > >
> > > So even at this scale, we're left with a minutia of ~0.01%
> >
> > 236/22473 ~= 1%
> >
> > > "legitimate" emails, most of which are from misconfigured Exchange Online
> > > mailboxes or Office365 groups from various businesses.
> > >
> > > So, YMMV widely, but for most organizations, as John said, definitely not
> > > going to be missing /too /much. Most of what I see that's legitimate in our
> > > traffic would be 3 or 4 specific subdomain additions to a safelist from the
> > > hypothetical block rule, and that would be it.
> > >
> > > - Mark Alley
>
> 
> _______________________________________________ 
> mailop mailing list 
> mailop@mailop.org 
> https://list.mailop.org/listinfo/mailop 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
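The log review described in this thread, as an added example that is not part of any message above: per HELO zone, count SPF rejects, recipients that never existed, and accepted mail that actually reached a real mailbox, which is the only number that matters before a block-on-sight rule. The reject/accept line format, the hostnames and the recipient set are all constructed assumptions; a real run would read the MTA's own records instead.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed, Postfix-flavoured sample lines (not real log data): three
# connections claiming azurewebsites.net hosts in HELO, one from a partner.
SAMPLE_LOG = """\
reject: RCPT from h1.azurewebsites.net[203.0.113.10]: 550 5.7.23 SPF fail; from=<a@h1.azurewebsites.net> to=<k9x2heron@example.org> helo=<h1.azurewebsites.net>
reject: RCPT from h2.azurewebsites.net[203.0.113.11]: 550 5.1.1 User unknown; from=<b@h2.azurewebsites.net> to=<7qpsofa@example.org> helo=<h2.azurewebsites.net>
accept: RCPT from h2.azurewebsites.net[203.0.113.11]: from=<b@h2.azurewebsites.net> to=<x4blueorange@example.org> helo=<h2.azurewebsites.net>
accept: RCPT from mail.partner.example[198.51.100.5]: from=<bob@partner.example> to=<alice@example.org> helo=<mail.partner.example>
"""
# Mailboxes that exist locally (constructed); anything else never existed.
VALID_RECIPIENTS = {"alice@example.org"}

VERDICT_RE = re.compile(r"^(reject|accept):")
REASON_RE = re.compile(r"\b550 [\d.]+ ([^;]+);")
RCPT_RE = re.compile(r"to=<([^>]+)>")
HELO_RE = re.compile(r"helo=<([^>]+)>")
FIELDS = ("total", "spf_fail", "nonexistent_rcpt", "accepted", "accepted_to_real_mailbox")

def helo_zone(helo: str) -> str:
    """Collapse a HELO hostname to its parent zone (last two labels)."""
    return ".".join(helo.lower().rstrip(".").split(".")[-2:])

def summarise(log: str, valid: set[str]) -> dict[str, dict[str, int]]:
    """Per HELO zone: SPF rejects, bogus recipients, accepted messages,
    and accepted messages that reached a mailbox that really exists."""
    stats: dict[str, dict[str, int]] = defaultdict(lambda: dict.fromkeys(FIELDS, 0))
    for line in log.splitlines():
        v, r, h = VERDICT_RE.match(line), RCPT_RE.search(line), HELO_RE.search(line)
        if not (v and r and h):
            continue  # not an RCPT-stage line in this format; skip it
        s = stats[helo_zone(h.group(1))]
        reason_m = REASON_RE.search(line)
        reason = reason_m.group(1).lower() if reason_m else ""
        rcpt_exists = r.group(1).lower() in valid
        s["total"] += 1
        s["spf_fail"] += int(v.group(1) == "reject" and "spf" in reason)
        s["nonexistent_rcpt"] += int(not rcpt_exists)
        if v.group(1) == "accept":
            s["accepted"] += 1
            s["accepted_to_real_mailbox"] += int(rcpt_exists)
    return dict(stats)

def safe_to_block(stats: dict[str, dict[str, int]], zone: str) -> bool:
    """A HELO-zone block is low-risk only if nothing from that zone was ever
    accepted for a mailbox that actually exists; the rest is debris."""
    return stats.get(zone, dict.fromkeys(FIELDS, 0))["accepted_to_real_mailbox"] == 0
```

Run `summarise(SAMPLE_LOG, VALID_RECIPIENTS)` and pass the result to `safe_to_block` for each zone; a zone with any accepted mail to a real mailbox is a safelist candidate rather than a block.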
