FWIW, after a log file review we are contemplating blocking
"azurewebsites.net [1]" as well as "@onmicrosoft.com [2]".
Our logs are showing small quantities of SMTP traffic from
"azurewebsites.net [1]" that are usually being blocked due to SPF
failures, and usually sending to weird, nonsencial non-existent
eMail
addresses where the local-part is a series of randomly-selected
letters and digits, sometimes intermixed with names of birds,
furniture, food, vehicles, colours, etc., all of which are recipient
addresses that don't exist and have never existed.
I'm assuming it's a source of eMail debris from broken
systems. I'm
almost tempted to set up a honeypot to see whatever trash it's
trying
to spew out, but I'd rather do something more productive (like
flossing my teeth).
Curious if others are coming to the same conclusion?
I'm currently leaning in a block-on-sight direction since
I'm seeing
zero legitimate eMail coming from hosts self-identifying as hosts in
the "azurewebsites.net [1]" domain name in the HELO and EHLO
commands.
Regards,
Mark
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
----- Original Message -----
From: "Mark Alley via mailop" <mailop@mailop.org>
To: "Andrew C Aitchison" <and...@aitchison.me.uk>
Cc: "mailop" <mailop@mailop.org>
Sent: Sunday, January 14, 2024 6:30:22 PM
Subject: Re: [mailop] Anyone else noticing an increase in spam
from Office365 distribution lists?
Ah, yep, thanks for catching that typo.
On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:
On Sun, 14 Jan 2024, Mark Alley via mailop wrote:
BQ_BEGIN
This is anecdotal, but I think it illustrates even at a smaller
scale the persistent problem Microsoft currently has with their
tenancy.
I did some quick perusal of the last month's data from our email
logs, and out of a total of 22,473 external emails that contain a
.onmicrosoft.com [2] subdomain in the RFC5322.FROM field -- 22,086
were blocked because of various reasons:
* 21,228 spam
* 1 malware
* 759 phishing
* 5 impostor
* 93 "hard" failed SPF without a DMARC record since
onmicrosoft.com [2]
doesn't have one. (probably forwarded)
387 "clean" emails were delivered successfully initially, and 151
of those initial delivers were then later retroactively classified
as being spam or phishing.
So even at this scale, we're left with a minutia of ~0.01%
236/22473 ~= 1%
BQ_BEGIN
"legitimate" emails, most of which are from misconfigured Exchange
Online mailboxes or Office365 groups from various businesses.
So, YMMV widely, but for most organizations, as John said,
definitely not going to be missing /too /much. Most of what I see
that's legitimate in our traffic would be 3 or 4 specific subdomain
additions to a safelist from the hypothetical block rule, and that
would be it.
- Mark Alley
BQ_END
BQ_END
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
