Since exim_mainlog rolled over Saturday night, I see 332 successful incoming emails from onmicrosoft.com and 52 spam rejects. Based on the subject lines, all of the successes were spam. So I've added "blacklist from *.onmicrosoft.com" to spamassassin. I just hope people won't be too disappointed about missing out on their Dewalt Power Stations and their YETI 30-Oz. travel mugs.

On Mon, Jan 15, 2024 at 10:30 AM Randolf Richardson, Postmaster via mailop <mailop@mailop.org> wrote:

> FWIW, after a log file review we are contemplating blocking
> "azurewebsites.net" as well as "@onmicrosoft.com".
>
> Our logs are showing small quantities of SMTP traffic from
> "azurewebsites.net" that are usually being blocked due to SPF
> failures, and usually sending to weird, nonsensical non-existent eMail
> addresses where the local-part is a series of randomly-selected
> letters and digits, sometimes intermixed with names of birds,
> furniture, food, vehicles, colours, etc., all of which are recipient
> addresses that don't exist and have never existed.
>
> I'm assuming it's a source of eMail debris from broken systems. I'm
> almost tempted to set up a honeypot to see whatever trash it's trying
> to spew out, but I'd rather do something more productive (like
> flossing my teeth).
>
> > Curious if others are coming to the same conclusion?
>
> I'm currently leaning in a block-on-sight direction since I'm seeing
> zero legitimate eMail coming from hosts self-identifying as hosts in
> the "azurewebsites.net" domain name in the HELO and EHLO commands.
>
> > Regards,
> > Mark
> > _________________________________________________________________
> > L. Mark Stone, Founder
> > North America's Leading Zimbra VAR/BSP/Training Partner
> > For Companies With Mission-Critical Email Needs
> >
> > ----- Original Message -----
> > From: "Mark Alley via mailop" <mailop@mailop.org>
> > To: "Andrew C Aitchison" <and...@aitchison.me.uk>
> > Cc: "mailop" <mailop@mailop.org>
> > Sent: Sunday, January 14, 2024 6:30:22 PM
> > Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?
> >
> > Ah, yep, thanks for catching that typo.
> >
> > On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:
> > >
> > > On Sun, 14 Jan 2024, Mark Alley via mailop wrote:
> > >
> > > > This is anecdotal, but I think it illustrates even at a smaller
> > > > scale the persistent problem Microsoft currently has with their
> > > > tenancy.
> > > >
> > > > I did some quick perusal of the last month's data from our email
> > > > logs, and out of a total of 22,473 external emails that contain a
> > > > .onmicrosoft.com subdomain in the RFC5322.FROM field -- 22,086
> > > > were blocked because of various reasons:
> > > >
> > > > * 21,228 spam
> > > > * 1 malware
> > > > * 759 phishing
> > > > * 5 impostor
> > > > * 93 "hard" failed SPF without a DMARC record since
> > > >   onmicrosoft.com doesn't have one. (probably forwarded)
> > > >
> > > > 387 "clean" emails were delivered successfully initially, and 151
> > > > of those initial delivers were then later retroactively classified
> > > > as being spam or phishing.
> > > >
> > > > So even at this scale, we're left with a minutia of ~0.01%
> > >
> > > 236/22473 ~= 1%
> > >
> > > > "legitimate" emails, most of which are from misconfigured Exchange
> > > > Online mailboxes or Office365 groups from various businesses.
> > > >
> > > > So, YMMV widely, but for most organizations, as John said,
> > > > definitely not going to be missing /too/ much. Most of what I see
> > > > that's legitimate in our traffic would be 3 or 4 specific
> > > > subdomain additions to a safelist from the hypothetical block
> > > > rule, and that would be it.
> > > >
> > > > - Mark Alley
> >
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
>
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/

--
===============================================
Russell Clemings
<rclemi...@gmail.com <russ...@clemings.com>>
===============================================
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
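
An added example, not from the thread or any of its posters: a log tally of the kind described in the messages above, counting accepted and rejected mail per onmicrosoft.com tenant subdomain in Exim main-log style lines and listing block candidates after a safelist is applied. It matches on the envelope sender rather than the RFC5322.From header; the sample lines, hostnames and the names `tally` and `block_candidates` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Exim main-log style (not taken from the thread).
SAMPLE_LOG = """\
2024-01-14 03:12:45 1rOaaa-0001Ab-2C <= promo@tenant-a.onmicrosoft.com H=out.example.net [192.0.2.10] P=esmtps S=48211 T="Power Station" for user@example.org
2024-01-14 03:15:02 1rOaab-0001Ac-3D H=out.example.net [192.0.2.11] F=<deal@tenant-a.onmicrosoft.com> rejected after DATA: spam score too high
2024-01-14 04:01:19 1rOaac-0001Ad-4E <= it-group@partner-b.onmicrosoft.com H=out.example.net [192.0.2.12] P=esmtps S=9120 T="Maintenance window" for user@example.org
2024-01-14 04:30:00 H=out.example.net [192.0.2.13] F=<x1@tenant-c.onmicrosoft.com> rejected RCPT <q7finch@example.org>: no such user
2024-01-14 05:00:00 1rOaad-0001Ae-5F <= alice@example.com H=mx.example.com [192.0.2.14] P=esmtps S=2048 for user@example.org
2024-01-14 05:10:00 1rOaae-0001Af-6G <= win@TENANT-A.onmicrosoft.com H=out.example.net [192.0.2.15] P=esmtps S=51000 T="Travel mug" for user@example.org
"""

ACCEPT = re.compile(r" <= (\S+@\S+) ")              # message arrival line
REJECT = re.compile(r" F=<([^>]*)> .*\brejected\b")  # SMTP-time rejection line

def tally(lines, suffix=".onmicrosoft.com"):
    """Return {sender_domain: Counter(accepted, rejected)} for envelope senders under suffix."""
    stats = defaultdict(Counter)
    for line in lines:
        for kind, rx in (("accepted", ACCEPT), ("rejected", REJECT)):
            m = rx.search(line)
            if m:
                # Domains are case-insensitive, so normalise before counting.
                domain = m.group(1).rpartition("@")[2].lower()
                if domain.endswith(suffix):
                    stats[domain][kind] += 1
                break
    return stats

def block_candidates(stats, safelist=()):
    """Domains that got mail through and are not safelisted, busiest first."""
    hits = [(d, c["accepted"]) for d, c in stats.items()
            if c["accepted"] and d not in safelist]
    return sorted(hits, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    stats = tally(SAMPLE_LOG.splitlines())
    for d, c in sorted(stats.items()):
        print(f"{d:35} accepted={c['accepted']} rejected={c['rejected']}")
    # Hypothetical safelist entry for a tenant known to send legitimate mail.
    print(block_candidates(stats, safelist={"partner-b.onmicrosoft.com"}))
```

Reviewing the per-tenant output before adding a blanket rule shows which few subdomains would need safelist entries.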