I'm seeing in today's logs plenty of blocking of hosts ending with 
".onmicrosoft.com" but also plenty of SMTP connections not being 
blocked.

        Those MS-Miscreants seem to have moved on from mixing names of farm 
animals and car brands to names that seem like they could be for 
professional firms like "jlrlawcorp.onmicrosoft.com" ... and none of 
the names like that - but in the form of "jlrlawcpro.com" - are even 
registered, so they might just be figments of some spammer's 
imagination, or made up by an algorithm (AI would be overkill, but 
someone's probably wasting resources on that too).

        So far, the spot checks I've done include quite a bit of legitimate 
eMail -- some from schools, health/medical service providers, various 
government agencies, and a smattering of different businesses that 
are providing professional services and which I don't believe are 
using spam to do marketing.

        The common thing I'm noticing with all of these senders is that 
they're sending from their own domain names, even though the 
HELO/EHLO string ends with .onmicrosoft.com.

        The blacklists seem to be blocking mostly the ones that send 
directly from @<something-strange>.onmicrosoft.com addresses, which 
should make filtering easy if we can confirm for certain that no 
legitimate eMail has these as the sender -- that is, not in the 
"Return-Path:" header and not in the "From:" header.

> I see in today's logs that Spamhaus is now blocking (for us) hundreds of 
> these onmicrosoft.com subdomains.
> 
> Regards, 
> Mark 
> _________________________________________________________________ 
> L. Mark Stone, Founder 
> North America's Leading Zimbra VAR/BSP/Training Partner 
> For Companies With Mission-Critical Email Needs
> 
> ----- Original Message -----
> From: "Hans-Martin Mosner via mailop" <mailop@mailop.org>
> To: "mailop" <mailop@mailop.org>
> Sent: Thursday, January 18, 2024 5:13:30 PM
> Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
> distribution lists?
> 
> On 17.01.24 at 15:35, Hans-Martin Mosner via mailop wrote: 
> 
> 
> 
> On 17.01.24 at 15:20, Paul Menzel via mailop wrote: 
> 
> With this in mind, did somebody compile a block list yet? Or should I just 
> create a whitelist? 
> 
> 
> 
> A block list does not make sense, as new domains are added continuously. It's 
> just too simple. 
> 
> 
> Maybe it's still a possible approach, I've noticed a number of domains which 
> were used multiple times yesterday and today, so that could be a start. 
> 
> Cheers, 
> Hans-Martin 
> 
> 
> _______________________________________________ 
> mailop mailing list 
> mailop@mailop.org 
> https://list.mailop.org/listinfo/mailop 
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
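
The split described in the message above (a HELO/EHLO string ending in .onmicrosoft.com versus a "Return-Path:" or "From:" address at an onmicrosoft.com subdomain), as an added example that is not part of the original post. The function names and sample messages are constructed for illustration, and the HELO string is assumed to be taken from the receiving MTA's log.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

SUFFIX = ".onmicrosoft.com"

def is_tenant_name(name):
    """True only for names under onmicrosoft.com (label-boundary suffix match)."""
    return (name or "").lower().rstrip(".").endswith(SUFFIX)

def sender_domain(header_value):
    """Domain part of an address header, or '' when there is none (e.g. '<>')."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2] if "@" in addr else ""

def classify(helo, raw_message):
    """Return (category, headers whose address is under onmicrosoft.com)."""
    msg = message_from_string(raw_message)
    hits = [h for h in ("Return-Path", "From")
            if is_tenant_name(sender_domain(msg.get(h)))]
    if hits:
        return "sender-onmicrosoft", hits
    return ("helo-only" if is_tenant_name(helo) else "unrelated"), []

# Constructed sample data: (HELO string, raw headers); no real senders.
SAMPLES = [
    ("exampleschool.onmicrosoft.com",
     "Return-Path: <office@school.example>\nFrom: Office <office@school.example>\n\nhi"),
    ("tenant-b.onmicrosoft.com",
     "Return-Path: <info@tenant-b.onmicrosoft.com>\nFrom: info@tenant-b.onmicrosoft.com\n\nhi"),
    ("tenant-c.onmicrosoft.com",
     "Return-Path: <bounce@firm.example>\nFrom: Sales <sales@tenant-c.onmicrosoft.com>\n\nhi"),
    ("mx.other.example",
     "Return-Path: <>\nFrom: a@notonmicrosoft.com\n\nhi"),
]

def tally(samples):
    """Count messages per category across a set of (helo, raw_message) samples."""
    return Counter(classify(helo, raw)[0] for helo, raw in samples)

if __name__ == "__main__":
    for helo, raw in SAMPLES:
        print(helo, classify(helo, raw))
    print(dict(tally(SAMPLES)))
```

Run over a day's accepted mail, the "sender-onmicrosoft" bucket is the set to spot-check before turning the rule into a reject.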

