Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
On 3/31/23 21:05, Simon Arlott via mailop wrote:
> On 30/03/2023 16:48, Michael Peddemors via mailop wrote:
>> Now, if you could get EVERYONE to block them for a day, or find some
>> other way to hit their pocket books, maybe we could see some relief.
>
> Co-ordinate deferring all email from them for a 30 hour period (UTC
> 00:00 to UTC 32:00, so that it covers a full day in the US) on specific
> days of the week?
>
> By not blocking email you avoid causing too much collateral damage,
> Microsoft will just appear to be slow at delivery some of the time.
>
> That should have a visible impact on their outgoing mail queue, right?
> Too frequent retries might be a bit of a problem, but that'll affect
> them too.

I made this suggestion at a M3AAWG session last year, but people seemed to enjoy still having their jobs too much to jump on the idea... ;)

--
BR/Mvh. Dan Malm, Systems Engineer, one.com

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
On 30/03/2023 16:48, Michael Peddemors via mailop wrote:
> Now, if you could get EVERYONE to block them for a day, or find some
> other way to hit their pocket books, maybe we could see some relief.

Co-ordinate deferring all email from them for a 30 hour period (UTC 00:00 to UTC 32:00, so that it covers a full day in the US) on specific days of the week?

By not blocking email you avoid causing too much collateral damage, Microsoft will just appear to be slow at delivery some of the time.

That should have a visible impact on their outgoing mail queue, right? Too frequent retries might be a bit of a problem, but that'll affect them too.

--
Simon Arlott
Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
Hi

> My recommendation is to recognize that 1-bit binary blocklistings
> aren't granular enough to account for shared environments without
> causing false positives.

Agreed, the blacklist score adds to the SpamAssassin score. That is why not every email sent from that IP is rejected as spam but some are.

Result: Sender complains to recipient (who uses our anti-spam services) that some of his emails bounce and Microsoft not providing any help to address the issue. Recipient asks us to please solve the issue, caused by another Microsoft customer using that shared IP.

Even worse, I start suspecting that Microsoft uses regionally grouped shared IP addresses. Maybe somebody could confirm?

The spam received which caused the listing was from an organisation based in Geneva, Switzerland (and as I recall it's not the first time that organisation 'acquires email-address lists in good faith') and this (still under investigation) seemed to cause problems mainly for other Switzerland-based Office365 customers.

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e   A G  -  Head of Commerce Customers
Zurlindenstrasse 29     Tel +41 61 826 93 00
CH-4133 Pratteln        Fax +41 61 826 93 01
Switzerland             Web http://www.imp.ch
Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
> On 3/30/23 07:37, Benoit Panizzon via mailop wrote:
>
> > What would be the best way to address such issues for Office365
> > customers?

My recommendation is to recognize that 1-bit binary blocklistings aren't granular enough to account for shared environments without causing false positives. Some call that a feature, some call it a bug. That is probably why some reputation engines (Gmail) don't stop there and look at the domain and other markers, too. Even SpamAssassin helps me block some of that kind of stuff based on Spamhaus DBL listings and content matching.

--
Al Iverson / Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)
Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
On 3/30/23 18:36, Hans-Martin Mosner via mailop wrote:
> I try to tackle this by analyzing domains present in mail headers and
> rejecting mails accordingly. As you've experienced, talking the
> Office365 customers into leaving their crappy host isn't working, so I
> will have to accept that a significant part of the traffic from O365
> sources is legit, and blocking their IPs is not an option.

I'm not asking for these people to leave Office365, I just wish Microsoft would not take months to remove domains that were created just to send spam.

One of my issues here is French laws are requiring us to stay neutral. There is something equivalent in European regulations:

« REGULATION (EU) 2015/2120 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL » of 25 November 2015

Article 3 - Safeguarding of open internet access

[...]

Providers of internet access services shall not engage in traffic management measures going beyond those set out in the second subparagraph, and in particular shall not block, slow down, alter, restrict, interfere with, degrade or discriminate between specific content, applications or services, or specific categories thereof, except as necessary, and only for as long as necessary, in order to:

(a) comply with Union legislative acts, or national legislation that complies with Union law, to which the provider of internet access services is subject, or with measures that comply with Union law giving effect to such Union legislative acts or national legislation, including with orders by courts or public authorities vested with relevant powers;

(b) preserve the integrity and security of the network, of services provided via that network, and of the terminal equipment of end-users;

(c) prevent impending network congestion and mitigate the effects of exceptional or temporary network congestion, provided that equivalent categories of traffic are treated equally.

From what I understand, if I set rules on my reputation system to block servers whose traffic is abnormal, these rules must be applied to all those matching servers, not just to most of them but the biggest ones.

François
Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
On 3/30/23 07:37, Benoit Panizzon via mailop wrote:
> What would be the best way to address such issues for Office365
> customers?

Leave it in the DNSBL until Microsoft reaches out to you with a satisfactory explanation of what they have done to address their spam problem or your normal timeout, if any, whichever is shorter.

The purpose of DNSBLs is to allow their users to reject mail from known spam sources. You have identified a known spam source and properly listed it.

If you get complaints from users of SWINOG, refer them to the source of the spam, which would be Microsoft.

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
On 30.03.23 at 18:11, Francois Petillon via mailop wrote:
> On 3/30/23 16:37, Benoit Panizzon via mailop wrote:
>> Unfortunately, this massively affects other Office365 customers. But
>> they complain because we (operating the SWINOG blacklist) block them,
>> they don't complain to Microsoft for being the source of the issue
>> and find it hard to address such issues with Microsoft.
>>
>> What would be the best way to address such issues for Office365
>> customers?
>
> ...
>
> In other words, there are 15 spamming domains that generated 90% of
> the mail traffic on this IP and Microsoft does nothing while they have
> had the information for months.
>
> But I would also love to hear from anyone that had to deal with the
> subject.
>
> François

I try to tackle this by analyzing domains present in mail headers and rejecting mails accordingly. As you've experienced, talking the Office365 customers into leaving their crappy host isn't working, so I will have to accept that a significant part of the traffic from O365 sources is legit, and blocking their IPs is not an option.

Of course I would love to see the big providers keep the spam at bay on their egress, but I realize that this wish won't be granted unless there is massive financial incentive to do so. These are profit-oriented corporations after all, ethical behavior doesn't generate income in their market.

Cheers,
Hans-Martin
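[Added example, not part of the thread and not any poster's code: a sketch of the approach discussed in the messages above, where an IP blocklist hit only adds to a score and the domains found in the mail headers decide the outcome, so two senders behind the same listed shared IP get different verdicts. All IPs, domains, weights and the threshold are constructed assumptions.]

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All data below is constructed for illustration.
LISTED_IPS = {"2001:db8::730"}            # shared outbound IP with an IP-DNSBL hit
LISTED_DOMAINS = {"bulk-offers.example"}  # domain blocklist entry
IP_SCORE, DOMAIN_SCORE, REJECT_AT = 2.0, 5.0, 5.0  # assumed weights and threshold

def header_domains(msg):
    """Collect domains from From, Return-Path and DKIM-Signature d= tags."""
    found = set()
    for name in ("From", "Return-Path"):
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                found.add(addr.rsplit("@", 1)[1].lower())
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.add(m.group(1).lower())
    return found

def is_listed(domain):
    """True if the domain or any parent domain is on the domain list."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in LISTED_DOMAINS for i in range(len(labels)))

def verdict(raw_message, client_ip):
    """Return (action, score, listed_domains) for one message."""
    msg = message_from_string(raw_message)
    hits = sorted(d for d in header_domains(msg) if is_listed(d))
    score = (IP_SCORE if client_ip in LISTED_IPS else 0.0) + (DOMAIN_SCORE if hits else 0.0)
    return ("reject" if score >= REJECT_AT else "accept", score, hits)

LEGIT = ("From: Alice <alice@clinic.example>\n"
         "Return-Path: <alice@clinic.example>\n"
         "DKIM-Signature: v=1; a=rsa-sha256; d=clinic.example; s=selector1\n"
         "Subject: Appointment\n\nSee you on Monday.\n")
SPAM = ("From: Deals <news@mail.bulk-offers.example>\n"
        "Return-Path: <bounce@bulk-offers.example>\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=bulk-offers.example; s=k1\n"
        "Subject: Offer\n\nBuy now.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spam", SPAM)):
        print(label, verdict(raw, "2001:db8::730"))  # same shared IP for both
```

[The DKIM d= value is read without verifying the signature; a production filter would only trust it after DKIM validation.]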
Re: [mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
On 2023-03-30 07:37, Benoit Panizzon via mailop wrote:
> Hi all
>
> Received: from mail-vi1eur04on0730.outbound.protection.outlook.com ([IPv6:2a01:111:f400:fe0e::730]:47502)
>     from new...@news-science-travel.com Auth:
>     by a Spamtrap on 2001:4060:dead:beef::1907:2 25 pretending to be an open relay
>     for jodyyw...@blacklist.woody.ch; Mon, 27 Mar 2023 07:22:56 +0200 (CEST)
>
> jodyyw...@blacklist.woody.ch is a spamtrap. I can guarantee that this
> email address is not being used for any other purposes and has never
> been subscribed to any newsletters or similar. From the 'username' I
> more suspect that this was generated and verified 'valid' by some
> script checking my spamtrap to accept emails to this destination.
>
> Such a 'confirmed' spamtrap hit immediately causes the sending IP to
> get listed in the SWINOG blacklist.
>
> I also looked at the email content. It is spam, sent via PHPMailer
> relaying its payload via Office365 submission servers.
>
> Unfortunately, this massively affects other Office365 customers. But
> they complain because we (operating the SWINOG blacklist) block them,
> they don't complain to Microsoft for being the source of the issue
> and find it hard to address such issues with Microsoft.
>
> What would be the best way to address such issues for Office365
> customers?
>
> Kind regards
>
> -Benoît Panizzon-

I think everyone on the defense side shares your frustration, and I guess you can see why they are in the class of 'too big to block'.

Of course, they don't care if you block them, only your customers care. Which is WHY we have to resort to content filtering as the main line of defense for gmail/o365 spammers, and a few ESP's.

Now, if you could get EVERYONE to block them for a day, or find some other way to hit their pocket books, maybe we could see some relief.

Outbound security will never be a priority for them, despite their size. They do have a few good people there, but their hands are either tied, or they are too short staffed.

Sad to say, until maybe the FTC steps in and starts fining them, don't expect anything to change.

Worst thing, if WE (inbound filtering and threat detection) can identify it, it is SO much easier for them to catch it on egress.

It's costing the public millions of dollars in damages, from malware, phishing, and BEC Compromise..

But it is what it is. All we can do is pray that they implement their GPT technology and copilot on egress content filtering ;)

At least with honeypots like yours, you can improve on 'training'.

As others had said, unfortunately it is a bit of 'us against them', and we do have to work together as a community. Speaking up is the first step..

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
[mailop] How to address Microsoft if spaming Office365 customers cause collateral damage for other Office365 customers sharing the same IP?
Hi all

Received: from mail-vi1eur04on0730.outbound.protection.outlook.com ([IPv6:2a01:111:f400:fe0e::730]:47502)
    from new...@news-science-travel.com Auth:
    by a Spamtrap on 2001:4060:dead:beef::1907:2 25 pretending to be an open relay
    for jodyyw...@blacklist.woody.ch; Mon, 27 Mar 2023 07:22:56 +0200 (CEST)

jodyyw...@blacklist.woody.ch is a spamtrap. I can guarantee that this email address is not being used for any other purposes and has never been subscribed to any newsletters or similar. From the 'username' I more suspect that this was generated and verified 'valid' by some script checking my spamtrap to accept emails to this destination.

Such a 'confirmed' spamtrap hit immediately causes the sending IP to get listed in the SWINOG blacklist.

I also looked at the email content. It is spam, sent via PHPMailer relaying its payload via Office365 submission servers.

Unfortunately, this massively affects other Office365 customers. But they complain because we (operating the SWINOG blacklist) block them, they don't complain to Microsoft for being the source of the issue and find it hard to address such issues with Microsoft.

What would be the best way to address such issues for Office365 customers?

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G  -  Head of Commerce Customers
Zurlindenstrasse 29     Tel +41 61 826 93 00
CH-4133 Pratteln        Fax +41 61 826 93 01
Switzerland             Web http://www.imp.ch