Re: [mailop] Protection Outlook..
> If you see this ...
>
> X-Forefront-Antispam-Report: SFV:SPM
> (Specifically, the "SFV:SPM")
>
> That means we thought it was spam

grep SFV:SPM spam/* | wc -l
56

Thank you Michael, that contribution to the community will be useful to us.

Bryan Bradsby
512.936.2248
Texas State Government Network
Network Security Operations Center
Department of Information Resources
___
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
Re: [mailop] Protection Outlook..
> On Sep 15, 2015, at 12:34 PM, Michael Wise wrote:
>
> About the only way to report it that won't get ignored (presupposing this
> didn't wind up in the mailbox of a HotMail, AOL, Yahoo, or similar service
> that we have an ARF-based Feedback Loop with) is via SpamCop.

Yes, this is what Hotmail told me a couple of years ago. Now if I could just get SpamCop to correctly detect some of the outlook.com headers…..

But that’s not your problem. All told, I get more spam from Google than MS.

—Chris
Re: [mailop] Protection Outlook..
I am not ab...@microsoft.com
I do not get those emails.
You will get *ZERO* satisfaction by complaining at them because their job is not to handle those kinds of complaints.
I do not have any control over what happens over there at all.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of l...@lena.kiev.ua
Sent: Monday, September 14, 2015 2:36 PM
To: mailop@mailop.org
Subject: Re: [mailop] Protection Outlook..

> From: Michael Wise
> The account has probably already been killed.

I doubt that. I quoted entire header and the one-line body, but:

==
Date: Fri, 4 Sep 2015 22:03:03 +0300
From: l...@lena.kiev.ua
To: ab...@microsoft.com
Subject: Spam complaint

Spam:

> Return-path: <>
> Received: from mail-sg2apc01hn0234.outbound.protection.outlook.com
...
> Subject: YOU HAVE BEEN ANNOUNCED AS ONE OF THE FUND BENEFICIARY!!!
...
> X-Originating-IP: [116.202.38.142]
...
> X-Forefront-Antispam-Report: SFV:SPM;...

==
From: Microsoft Online Safety
Subject: SRX1303257687ID - FW: Spam complaint
Date: Wed, 9 Sep 2015 20:47:10 +
...
Please forward a copy of the questionable message, including the full message headers...

==
Date: Wed, 9 Sep 2015 23:51:40 +0300
From: l...@lena.kiev.ua
To: Microsoft Online Safety
Subject: Re: SRX1303257687ID - FW: Spam complaint

> Please forward a copy of the questionable message, including the full
> message headers. Specifically, we need an unedited copy of the message
> that includes the X-originating IP.

I already quoted full message headers. I repeat:

Return-path: <>
...

==
From: Microsoft Online Safety
To:
Subject: RE: SRX1303257687ID - FW: Spam complaint
Date: Thu, 10 Sep 2015 21:45:15 +
...
Please forward a copy of the questionable message, including the full message headers...

==
Date: Fri, 11 Sep 2015 03:00:06 +0300
From: l...@lena.kiev.ua
To: Microsoft Online Safety
Subject: Re: SRX1303257687ID - FW: Spam complaint

Do you read? I already sent you the full message headers TWICE.

> Please forward a copy of the questionable message, including the full
> message headers. Specifically, we need an unedited copy of the message
> that includes the X-originating IP.

==
From: Microsoft Online Safety
To:
Subject: RE: SRX1303257687ID - FW: Spam complaint
Date: Fri, 11 Sep 2015 16:54:36 +

Hello

I can understand your frustration. Unfortunately we cannot take action on e-mail accounts that are not part of the Microsoft network...

==
Date: Fri, 11 Sep 2015 20:10:45 +0300
From: l...@lena.kiev.ua
To: Microsoft Online Safety
Subject: Re: SRX1303257687ID - FW: Spam complaint
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.4.2.3i

> I can understand your frustration. Unfortunately we cannot take action
> on e-mail accounts that are not part of the Microsoft network.

Read the header again, attentively this time. The spam came from:

Received: from mail-sg2apc01hn0234.outbound.protection.outlook.com ([104.47.125.234] helo=APC01-SG2-obe.outbound.protection.outlook.com)
 by lena.kiev.ua with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256)
 (Exim 4.86 (FreeBSD))
 id 1ZXwD5-000Id2-HP
 for l...@lena.kiev.ua; Fri, 04 Sep 2015 21:59:48 +0300

Is 104.47.125.234 part of the Microsoft network?
The spam had empty MAIL FROM (envelope-from, Return-Path), is it throwing you off?

==
Silence so far.
Re: [mailop] Protection Outlook..
About the only way to report it that won't get ignored (presupposing this didn't wind up in the mailbox of a HotMail, AOL, Yahoo, or similar service that we have an ARF-based Feedback Loop with) is via SpamCop.

Seriously, the days of one-off reports ... when you're handling billions of messages a day for hundreds of millions of mailboxes ... have ended. They ended some time ago. We have a system that filters out the largest trends in the 100's of thousands of sender submissions we get each day for triage, and we handle the top ~70% of them ... the ones that are one-off samples pretty much always get ignored because they're in error, or they are a small enough sample of the whole problem space that we are dealing with that they are almost always eclipsed by the larger issues.

It allows us to deal with the biggest issues fastest. One sample gets lost in the noise, as ... some would argue, it should be. As I said previously, chances are, these samples have already been dealt with by the time you see them.

I tried to act to forestall this long ago by advocating for a sort of Open Feedback Loop system, but my efforts were ignored.

Welcome to the desert of the real.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Rich Kulawiec
Sent: Tuesday, September 15, 2015 5:15 AM
To: mailop@mailop.org
Subject: Re: [mailop] Protection Outlook..

On Mon, Sep 14, 2015 at 12:00:01PM -0700, Michael Peddemors wrote:
> Monitoring from ISP's and Telco's has always shown a lot of leakage
> from the servers called..
>
> mail-pu1apc01hn0200.outbound.protection.outlook.com

I've seen a noticeable uptick in (obvious) spam from the following similarly-named servers in the last 60 days:
Re: [mailop] Protection Outlook..
Um, No.[tm]

I pointed out the header and value to safely write a rule for the traffic way down thread, and you've chosen to ignore my advice.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Carl Byington
Sent: Tuesday, September 15, 2015 8:36 AM
To: mailop@mailop.org
Subject: Re: [mailop] Protection Outlook..

On Tue, 2015-09-15 at 08:50 -0500, Chris Boyd wrote:
> You left off mail-bn1hn0247.outbound.protection.outlook.com

> Return-Path:
> Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1hn0247.outbound.protection.outlook.com [157.56.110.247])
> by pennzoil.gizmopartners.com (8.14.4/8.14.4) with ESMTP id
> t8FCEUw3031966
> (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=OK)
> for ; Tue, 15 Sep 2015 07:14:33 -0500
> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;

Does this /etc/mail/spamassassin/local.cf segment look correct?

# 2015-09-15 kill outbound.protection.outlook.com (opoc) leaking spam
header OPOC Authentication-Results =~ /spf=none.*smtp\.mailfrom=<>/
score OPOC 10.0
Re: [mailop] Protection Outlook..
On Tue, 2015-09-15 at 08:50 -0500, Chris Boyd wrote:
> You left off mail-bn1hn0247.outbound.protection.outlook.com

> Return-Path:
> Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1hn0247.outbound.protection.outlook.com [157.56.110.247])
> by pennzoil.gizmopartners.com (8.14.4/8.14.4) with ESMTP id
> t8FCEUw3031966
> (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=OK)
> for ; Tue, 15 Sep 2015 07:14:33 -0500
> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;

Does this /etc/mail/spamassassin/local.cf segment look correct?

# 2015-09-15 kill outbound.protection.outlook.com (opoc) leaking spam
header OPOC Authentication-Results =~ /spf=none.*smtp\.mailfrom=<>/
score OPOC 10.0
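Added example, not part of any message in this thread: the two filtering approaches discussed here, the Authentication-Results null-sender regex from the local.cf segment and the SFV:SPM verdict in X-Forefront-Antispam-Report, applied side by side to three constructed messages. The sample headers, the SFV:NSPM value on the non-spam samples, and every function name are assumptions made for the illustration.

```python
import re
from email import message_from_string

# Regex taken from the local.cf segment quoted in the thread (the OPOC rule).
NULL_SENDER_RE = re.compile(r"spf=none.*smtp\.mailfrom=<>")


def unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join((value or "").split())


def parse_antispam_report(value):
    """Split 'KEY:VALUE;KEY:VALUE;...' into a dict; keys are upper-cased."""
    fields = {}
    for item in unfold(value).split(";"):
        key, sep, val = item.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields


def classify(raw_message):
    """Evaluate both rules against one RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw_message)
    auth = " ".join(unfold(v) for v in msg.get_all("Authentication-Results", []))
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report"))
    return {
        "null_sender_rule": bool(NULL_SENDER_RE.search(auth)),
        "sfv_spm_rule": report.get("SFV") == "SPM",
        "scl": report.get("SCL"),
    }


# Constructed samples (not real traffic); addresses use documentation ranges.
SAMPLES = {
    "tagged_spam": (
        "Return-Path: <>\n"
        "Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;\n"
        "X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(6049001);DIR:OUT;\n"
        " SFP:1501;SCL:5;H:[192.0.2.10];SPF:None;LANG:en;\n"
        "Subject: Dear Beneficiary\n"
        "\n"
        "constructed body\n"
    ),
    # A null-sender message that is not spam, e.g. a delivery status notice.
    "legit_null_sender": (
        "Return-Path: <>\n"
        "Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;\n"
        "X-Forefront-Antispam-Report: SFV:NSPM;DIR:OUT;SCL:1;LANG:en;\n"
        "Subject: Undeliverable: quarterly report\n"
        "\n"
        "constructed body\n"
    ),
    "ordinary_mail": (
        "Return-Path: <alice@example.org>\n"
        "Authentication-Results: spf=pass (sender IP is 192.0.2.20)\n"
        " smtp.mailfrom=example.org;\n"
        "X-Forefront-Antispam-Report: SFV:NSPM;DIR:OUT;SCL:1;LANG:en;\n"
        "Subject: Meeting notes\n"
        "\n"
        "constructed body\n"
    ),
}


def compare(samples):
    """Return {sample name: rule verdicts} for every sample."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in compare(SAMPLES).items():
        print(f"{name:18} {verdict}")
```

The constructed null-sender notice is the case that separates the two rules: the regex fires on it, while the SFV:SPM check does not.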
Re: [mailop] Protection Outlook..
> On Sep 15, 2015, at 7:14 AM, Rich Kulawiec wrote:
>
> I've seen a noticeable uptick in (obvious) spam from the following
> similarly-named servers in the last 60 days:

You left off mail-bn1hn0247.outbound.protection.outlook.com

Return-Path:
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1hn0247.outbound.protection.outlook.com [157.56.110.247]) by pennzoil.gizmopartners.com (8.14.4/8.14.4) with ESMTP id t8FCEUw3031966 (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=OK) for ; Tue, 15 Sep 2015 07:14:33 -0500
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
Received: from [100.74.187.43] (101.59.64.219) by BLUPR18MB0258.namprd18.prod.outlook.com (10.162.236.149) with Microsoft SMTP Server (TLS) id 15.1.268.17; Tue, 15 Sep 2015 10:53:26 +
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Description: Mail message body
Subject: Dear Beneficiary, Kindly read this message and get back to me.
To: recipie...@pennzoil.gizmopartners.com
From: <>
Date: Tue, 15 Sep 2015 16:23:09 +0530
Reply-To:
X-Antivirus: avast! (VPS 150915-0, 09/15/2015), Outbound message
X-Antivirus-Status: Clean
X-Originating-IP: [101.59.64.219]
X-ClientProxiedBy: HKNPR06CA0035.apcprd06.prod.outlook.com (10.141.16.25) To BLUPR18MB0258.namprd18.prod.outlook.com (25.162.236.149)
Message-ID:
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR18MB0258;
X-Microsoft-Antispam-PRVS:
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(8121501046)(520075)(5005006)(520078)(3002001);SRVR:BLUPR18MB0258;BCL:0;PCL:0;RULEID:;SRVR:BLUPR18MB0258;
X-Forefront-PRVS: 070092A9D3
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(6049001)(6009001)(199003)(189002)(78352002)(229853001)(400145012)(86362001)(53256004)(19580405001)(50466002)(68736005)(110136002)(500797011)(400160011)(500563011)(25011)(74316001)(97736004)(400154011)(500196012)(189998001)(76576001)(77096005)(500183011)(77156002)(122386002)(109986003)(500473012)(81156007)(107886002)(62966003)(4013)(19580395003)(500192011)(33656002)(325944007)(105586002)(500186011)(66066001)(64706001)(43066003)(47776003)(42186005)(86152002)(50986999)(42382002)(101416001)(85782001)(106356001)(46552002)(53806999)(46102003)(54356999)(23756003)(87976001)(525674003);DIR:OUT;SFP:1501;SCL:5;SRVR:BLUPR18MB0258;H:[100.74.187.43];FPR:;SPF:None;PTR:InfoNoRecords;A:0;MX:0;LANG:en;
Received-SPF: None (protection.outlook.com: [100.74.187.43] does not designate permitted sender hosts)
Re: [mailop] Protection Outlook..
On Mon, Sep 14, 2015 at 12:00:01PM -0700, Michael Peddemors wrote:
> Monitoring from ISP's and Telco's has always shown a lot of leakage
> from the servers called..
>
> mail-pu1apc01hn0200.outbound.protection.outlook.com

I've seen a noticeable uptick in (obvious) spam from the following similarly-named servers in the last 60 days:

I haven't bothered reporting any of it because I'm not convinced that anyone there will actually do anything meaningful about it. But if there is someone there with the baseline professionalism to individually and completely investigate every single specimen (with an eye toward identifying root cause(s) and fixing same), I would be happy to package them all up and forward them along.

---rsk
Re: [mailop] Protection Outlook..
> From: Michael Wise
> The account has probably already been killed.

I doubt that. I quoted entire header and the one-line body, but:

==
Date: Fri, 4 Sep 2015 22:03:03 +0300
From: l...@lena.kiev.ua
To: ab...@microsoft.com
Subject: Spam complaint

Spam:

> Return-path: <>
> Received: from mail-sg2apc01hn0234.outbound.protection.outlook.com
...
> Subject: YOU HAVE BEEN ANNOUNCED AS ONE OF THE FUND BENEFICIARY!!!
...
> X-Originating-IP: [116.202.38.142]
...
> X-Forefront-Antispam-Report: SFV:SPM;...

==
From: Microsoft Online Safety
Subject: SRX1303257687ID - FW: Spam complaint
Date: Wed, 9 Sep 2015 20:47:10 +
...
Please forward a copy of the questionable message, including the full message headers...

==
Date: Wed, 9 Sep 2015 23:51:40 +0300
From: l...@lena.kiev.ua
To: Microsoft Online Safety
Subject: Re: SRX1303257687ID - FW: Spam complaint

> Please forward a copy of the questionable message, including the full
> message headers. Specifically, we need an unedited copy of the message
> that includes the X-originating IP.

I already quoted full message headers. I repeat:

Return-path: <>
...

==
From: Microsoft Online Safety
To:
Subject: RE: SRX1303257687ID - FW: Spam complaint
Date: Thu, 10 Sep 2015 21:45:15 +
...
Please forward a copy of the questionable message, including the full message headers...

==
Date: Fri, 11 Sep 2015 03:00:06 +0300
From: l...@lena.kiev.ua
To: Microsoft Online Safety
Subject: Re: SRX1303257687ID - FW: Spam complaint

Do you read? I already sent you the full message headers TWICE.

> Please forward a copy of the questionable message, including the full
> message headers. Specifically, we need an unedited copy of the message
> that includes the X-originating IP.

==
From: Microsoft Online Safety
To:
Subject: RE: SRX1303257687ID - FW: Spam complaint
Date: Fri, 11 Sep 2015 16:54:36 +

Hello

I can understand your frustration. Unfortunately we cannot take action on e-mail accounts that are not part of the Microsoft network...

==
Date: Fri, 11 Sep 2015 20:10:45 +0300
From: l...@lena.kiev.ua
To: Microsoft Online Safety
Subject: Re: SRX1303257687ID - FW: Spam complaint
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.4.2.3i

> I can understand your frustration. Unfortunately we cannot take action
> on e-mail accounts that are not part of the Microsoft network.

Read the header again, attentively this time. The spam came from:

Received: from mail-sg2apc01hn0234.outbound.protection.outlook.com ([104.47.125.234] helo=APC01-SG2-obe.outbound.protection.outlook.com)
 by lena.kiev.ua with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256)
 (Exim 4.86 (FreeBSD))
 id 1ZXwD5-000Id2-HP
 for l...@lena.kiev.ua; Fri, 04 Sep 2015 21:59:48 +0300

Is 104.47.125.234 part of the Microsoft network?
The spam had empty MAIL FROM (envelope-from, Return-Path), is it throwing you off?

==
Silence so far.
Re: [mailop] Protection Outlook..
As I said ... we are compelled.
And we're working on that for Hotmail as well, but it's not gonna happen, "Tomorrow".

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Noel Butler
Sent: Monday, September 14, 2015 3:16 PM
To: mailop@mailop.org
Subject: Re: [mailop] Protection Outlook..

On 15/09/2015 05:34, Michael Wise wrote:

>
> We are compelled to deliver it; talk to the senders who wander around
> wondering what the heck happened to a message that they handed off to
> a given mailhost and it was never delivered.
>

We've all been seeing that for over a decade with hotmail, we succeed in the send, and recipient never gets it :)
Re: [mailop] Protection Outlook..
On 15/09/2015 05:34, Michael Wise wrote:

> We are compelled to deliver it; talk to the senders who wander around wondering what the heck happened to a message that they handed off to a given mailhost and it was never delivered.

We've all been seeing that for over a decade with hotmail, we succeed in the send, and recipient never gets it :)
Re: [mailop] Protection Outlook..
On 15/09/2015 06:54, Franck Martin wrote:

> On Mon, Sep 14, 2015 at 12:00 PM, Michael Peddemors wrote:
>
>> Monitoring from ISP's and Telco's has always shown a lot of leakage from the
>> servers called..
>>
>> mail-pu1apc01hn0200.outbound.protection.outlook.com
>>
>> And over the last week, those numbers substantially increased..
>>
>> However, while caught by our filtering systems, you have to look at some
>> simple obvious issues..
>>
>> (Maybe someone can explain how this traffic is relayed, and why it is so
>> hard to stop at the source?)
>>
>> Return-Path: <>
>>
>> (We wrote a 'fake bounce' rule specifically for protection.outlook.com
>> servers)
>> Much of the spam shows up with no Return-Path, I am sure that can be
>> prevented, no?
>>
>> Delivered-To: mich...@linuxmagic.com
>> Received: (qmail 29387 invoked from network); 14 Sep 2015 17:13:15 -
>> Received: from mail-pu1apc01hn0200.outbound.protection.outlook.com (HELO
>> APC01-PU1-obe.outbound.protection.outlook.com) (104.47.126.200)
>> by be.cityemail.com with SMTP
>> (e1fa336e-5b03-11e5-8599-5bc0ef165c91); Mon, 14 Sep 2015 10:13:15 -0700
>> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
>>
>> ^ Could this be a clue? No Sender IP? No MailFrom?
>
> the HELO hostname does not have an SPF record:
> https://dmarcian.com/spf-survey/APC01-PU1-obe.outbound.protection.outlook.com
>
> cf http://trac.tools.ietf.org/html/rfc7208#section-10.1.3
>
>> Received: from [106.223.20.123] (106.223.20.123) by
>> SG2PR0201MB0984.apcprd02.prod.outlook.com (10.162.202.155) with Microsoft
>> SMTP Server (TLS) id 15.1.268.17; Mon, 14 Sep 2015 17:13:03 +
>> Content-Type: multipart/alternative; boundary="===0365285247=="
>> MIME-Version: 1.0
>> Subject: I Have An Urgent Matter To Discuss With You
>> To: recipie...@wizard.ca
>> From: v...@wizard.ca, hol...@wizard.ca, k...@wizard.ca
>>
>> None of the above exist of course.. actually sent to different addresses
>>
>> Date: Mon, 14 Sep 2015 22:42:56 +0530
>> Reply-To:
>>
>> ^ Isn't this suspicious?
>
> seems someone can get outlook.com to do some backscatter or inject a fake
> bounce and have it routed by outlook.com ?

It is becoming rather annoying :)
Re: [mailop] Protection Outlook..
On Mon, Sep 14, 2015 at 12:00 PM, Michael Peddemors wrote:

> Monitoring from ISP's and Telco's has always shown a lot of leakage from
> the servers called..
>
> mail-pu1apc01hn0200.outbound.protection.outlook.com
>
> And over the last week, those numbers substantially increased..
>
> However, while caught by our filtering systems, you have to look at some
> simple obvious issues..
>
> (Maybe someone can explain how this traffic is relayed, and why it is so
> hard to stop at the source?)
>
> Return-Path: <>
>
> (We wrote a 'fake bounce' rule specifically for
> protection.outlook.com servers)
> Much of the spam shows up with no Return-Path, I am sure that can be
> prevented, no?
>
> Delivered-To: mich...@linuxmagic.com
> Received: (qmail 29387 invoked from network); 14 Sep 2015 17:13:15 -
> Received: from mail-pu1apc01hn0200.outbound.protection.outlook.com (HELO
> APC01-PU1-obe.outbound.protection.outlook.com) (104.47.126.200)
> by be.cityemail.com with SMTP
> (e1fa336e-5b03-11e5-8599-5bc0ef165c91); Mon, 14 Sep 2015 10:13:15
> -0700
> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
>
> ^ Could this be a clue? No Sender IP? No MailFrom?
>

the HELO hostname does not have an SPF record:
https://dmarcian.com/spf-survey/APC01-PU1-obe.outbound.protection.outlook.com

cf http://trac.tools.ietf.org/html/rfc7208#section-10.1.3

>
> Received: from [106.223.20.123] (106.223.20.123) by
> SG2PR0201MB0984.apcprd02.prod.outlook.com (10.162.202.155) with Microsoft
> SMTP Server (TLS) id 15.1.268.17; Mon, 14 Sep 2015 17:13:03 +
> Content-Type: multipart/alternative; boundary="===0365285247=="
> MIME-Version: 1.0
> Subject: I Have An Urgent Matter To Discuss With You
> To: recipie...@wizard.ca
> From: v...@wizard.ca, hol...@wizard.ca, k...@wizard.ca
>
> None of the above exist of course.. actually sent to different
> addresses
>
> Date: Mon, 14 Sep 2015 22:42:56 +0530
> Reply-To:
>
> ^ Isn't this suspicious?
>
>

seems someone can get outlook.com to do some backscatter or inject a fake bounce and have it routed by outlook.com ?
Re: [mailop] Protection Outlook..
Heh. Would love to stop using the pipelined metaphor, but alas; I'm not in charge of the design, coding, or anything else... I just try to make sure that the spammy stuff is tagged as spam so y'all can look at it and decide for yourselves, easily. :)

There are many, many other types of messages with NUL sender that are not bounces.

We are compelled to deliver it; talk to the senders who wander around wondering what the heck happened to a message that they handed off to a given mailhost and it was never delivered. Much screaming if traffic you thought at the moment was spam, and you just drop it on the floor. Many people scream in your face if you get it wrong.

There's things that work at the single mailhost level, and there's things that work at the couple of redundant server level, and there's stuff that works when you have tens of thousands of servers being one service... and they all have very little to do with each other beyond a set of protocols they are all supposed to speak. Very little at all.

I wish it were otherwise, but it's not.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: Michael Peddemors [mailto:mich...@linuxmagic.com]
Sent: Monday, September 14, 2015 12:25 PM
To: Michael Wise ; mailop
Subject: Re: [mailop] Protection Outlook..

On 15-09-14 12:16 PM, Michael Wise wrote:
> If you see this ...
>
> X-Forefront-Antispam-Report: SFV:SPM
> (Specifically, the "SFV:SPM")
>
> That means we thought it was spam, but due to the pipelined nature of our
> service, rather than drop it on the floor as some do, we were compelled to
> deliver it. The traffic came in via a TLS connection from Bharti Airtel Ltd.
> In India. The account has probably already been killed.
>
> Aloha,
> Michael.
>

This of course doesn't address the original question of why allowing delivery of messages without the MAIL FROM: that aren't really bounces..

(Time to stop pipelining ;)

Thanks for the tip.. But it isn't helping anyone if you keep sending obvious spam out of your networks..

You aren't REALLY compelled to deliver it..

Hard to believe that the infrastructure can't reject known spam..

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: [mailop] Protection Outlook..
On 15-09-14 12:16 PM, Michael Wise wrote:
> If you see this ...
>
> X-Forefront-Antispam-Report: SFV:SPM
> (Specifically, the "SFV:SPM")
>
> That means we thought it was spam, but due to the pipelined nature of our service, rather than drop it on the floor as some do, we were compelled to deliver it. The traffic came in via a TLS connection from Bharti Airtel Ltd. In India. The account has probably already been killed.
>
> Aloha,
> Michael.

This of course doesn't address the original question of why allowing delivery of messages without the MAIL FROM: that aren't really bounces..

(Time to stop pipelining ;)

Thanks for the tip.. But it isn't helping anyone if you keep sending obvious spam out of your networks.. You aren't REALLY compelled to deliver it..

Hard to believe that the infrastructure can't reject known spam..

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
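The two header checks discussed in this thread (the `SFV:SPM` verdict in `X-Forefront-Antispam-Report`, and a null `Return-Path` on mail relayed by protection.outlook.com that is not a real bounce), as an added example that is not code from any poster. The function names, the constructed sample message and the "a genuine DSN is `multipart/report`" heuristic are assumptions of this example; it only tags messages, it does not reject them.

```python
import re
from email.parser import HeaderParser

# Constructed sample modelled on the headers quoted in the thread;
# host names and IPs are replaced with documentation values.
SAMPLE = """\
Return-Path: <>
Received: (qmail 29387 invoked from network); 14 Sep 2015 17:13:15 -0000
Received: from mail-example.outbound.protection.outlook.com
 (HELO EXAMPLE-obe.outbound.protection.outlook.com) (192.0.2.200)
 by mx.example.net with SMTP; Mon, 14 Sep 2015 10:13:15 -0700
Content-Type: multipart/alternative; boundary="b"
Subject: I Have An Urgent Matter To Discuss With You
X-Forefront-Antispam-Report:
 SFV:SPM;SFS:(10019020)(6009001);DIR:OUT;SFP:1501;SCL:5;
 SRVR:EXAMPLE;H:[198.51.100.23];FPR:;SPF:None;PTR:InfoNoRecords;LANG:en;

(body omitted)
"""

def parse_report(value):
    """Split 'KEY:value;KEY:value;...' into a dict, tolerating folded lines."""
    fields = {}
    for piece in (value or "").split(";"):
        key, sep, val = piece.strip().partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields

def triage(raw):
    """Return tagging signals for one raw message (headers are enough)."""
    msg = HeaderParser().parsestr(raw)
    report = parse_report(msg.get("X-Forefront-Antispam-Report"))
    scl = report.get("SCL", "")
    # First Received header naming a peer; assumed to be written by our own MTA.
    hops = [h.strip() for h in msg.get_all("Received", [])]
    peer = next((re.match(r"from\s+(\S+)", h) for h in hops
                 if h.startswith("from")), None)
    result = {
        "ms_spam_verdict": report.get("SFV") == "SPM",
        "scl": int(scl) if scl.isdigit() else None,
        "null_sender": (msg.get("Return-Path") or "").strip() == "<>",
        "via_outlook_protection": bool(peer) and peer.group(1).lower().endswith(
            ".outbound.protection.outlook.com"),
        # Assumption: a genuine DSN is multipart/report (RFC 3464).
        "looks_like_dsn": msg.get_content_type() == "multipart/report",
    }
    result["fake_bounce_candidate"] = (
        result["null_sender"] and result["via_outlook_protection"]
        and not result["looks_like_dsn"])
    return result
```

Because other null-sender messages that are not bounces exist, as noted in the thread, `fake_bounce_candidate` is best used as one scoring input rather than a standalone verdict.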
Re: [mailop] Protection Outlook..
If you see this ...

X-Forefront-Antispam-Report: SFV:SPM
(Specifically, the "SFV:SPM")

That means we thought it was spam, but due to the pipelined nature of our service, rather than drop it on the floor as some do, we were compelled to deliver it. The traffic came in via a TLS connection from Bharti Airtel Ltd. In India. The account has probably already been killed.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Peddemors
Sent: Monday, September 14, 2015 12:00 PM
To: mailop
Subject: [mailop] Protection Outlook..

Monitoring from ISP's and Telco's has always shown a lot of leakage from the servers called..

mail-pu1apc01hn0200.outbound.protection.outlook.com

And over the last week, those numbers substantially increased.. However, while caught by our filtering systems, you have to look at some simple obvious issues.. (Maybe someone can explain how this traffic is relayed, and why it is so hard to stop at the source?)

Return-Path: <>

(We wrote a 'fake bounce' rule specifically for protection.outlook.com servers)
Much of the spam shows up with no Return-Path, I am sure that can be prevented, no?

Delivered-To: mich...@linuxmagic.com
Received: (qmail 29387 invoked from network); 14 Sep 2015 17:13:15 -
Received: from mail-pu1apc01hn0200.outbound.protection.outlook.com (HELO APC01-PU1-obe.outbound.protection.outlook.com) (104.47.126.200) by be.cityemail.com with SMTP (e1fa336e-5b03-11e5-8599-5bc0ef165c91); Mon, 14 Sep 2015 10:13:15 -0700
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;

^ Could this be a clue? No Sender IP? No MailFrom?

Received: from [106.223.20.123] (106.223.20.123) by SG2PR0201MB0984.apcprd02.prod.outlook.com (10.162.202.155) with Microsoft SMTP Server (TLS) id 15.1.268.17; Mon, 14 Sep 2015 17:13:03 +
Content-Type: multipart/alternative; boundary="===0365285247=="
MIME-Version: 1.0
Subject: I Have An Urgent Matter To Discuss With You
To: recipie...@wizard.ca
From: v...@wizard.ca, hol...@wizard.ca, k...@wizard.ca

None of the above exist of course.. actually sent to different addresses

Date: Mon, 14 Sep 2015 22:42:56 +0530
Reply-To:

^ Isn't this suspicious?

X-Originating-IP: [106.223.20.123]
X-ClientProxiedBy: SIXPR04CA0018.apcprd04.prod.outlook.com (10.141.119.18) To SG2PR0201MB0984.apcprd02.prod.outlook.com (25.162.202.155)
Message-ID:
[mailop] Protection Outlook..
Monitoring from ISP's and Telco's has always shown a lot of leakage from the servers called..

mail-pu1apc01hn0200.outbound.protection.outlook.com

And over the last week, those numbers substantially increased.. However, while caught by our filtering systems, you have to look at some simple obvious issues.. (Maybe someone can explain how this traffic is relayed, and why it is so hard to stop at the source?)

Return-Path: <>

(We wrote a 'fake bounce' rule specifically for protection.outlook.com servers)
Much of the spam shows up with no Return-Path, I am sure that can be prevented, no?

Delivered-To: mich...@linuxmagic.com
Received: (qmail 29387 invoked from network); 14 Sep 2015 17:13:15 -
Received: from mail-pu1apc01hn0200.outbound.protection.outlook.com (HELO APC01-PU1-obe.outbound.protection.outlook.com) (104.47.126.200) by be.cityemail.com with SMTP (e1fa336e-5b03-11e5-8599-5bc0ef165c91); Mon, 14 Sep 2015 10:13:15 -0700
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;

^ Could this be a clue? No Sender IP? No MailFrom?

Received: from [106.223.20.123] (106.223.20.123) by SG2PR0201MB0984.apcprd02.prod.outlook.com (10.162.202.155) with Microsoft SMTP Server (TLS) id 15.1.268.17; Mon, 14 Sep 2015 17:13:03 +
Content-Type: multipart/alternative; boundary="===0365285247=="
MIME-Version: 1.0
Subject: I Have An Urgent Matter To Discuss With You
To: recipie...@wizard.ca
From: v...@wizard.ca, hol...@wizard.ca, k...@wizard.ca

None of the above exist of course.. actually sent to different addresses

Date: Mon, 14 Sep 2015 22:42:56 +0530
Reply-To:

^ Isn't this suspicious?

X-Originating-IP: [106.223.20.123]
X-ClientProxiedBy: SIXPR04CA0018.apcprd04.prod.outlook.com (10.141.119.18) To SG2PR0201MB0984.apcprd02.prod.outlook.com (25.162.202.155)
Message-ID:
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SG2PR0201MB0984;
X-Microsoft-Antispam-PRVS:
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5005006)(8121501046)(3002001);SRVR:SG2PR0201MB0984;BCL:0;PCL:0;RULEID:;SRVR:SG2PR0201MB0984;
X-Forefront-PRVS: 0699FCD394
X-Forefront-Antispam-Report:
 SFV:SPM;SFS:(10019020)(6009001)(6049001)(189002)(199003)(25011)(4013)(43066003)(189998001)(107886002)(84326002)(122386002)(33656002)(77156002)(62966003)(74316001)(325944007)(218543002)(500011)(46102003)(19580405001)(64706001)(19580395003)(53806999)(78352002)(42382002)(110136002)(66066001)(400145012)(500186011)(500196012)(101416001)(46552002)(76576001)(500563011)(500797011)(81956001)(50986999)(54356999)(512934002)(87976001)(500473012)(500183011)(106356001)(109986003)(105586002)(81156007)(400160011)(400154011)(97736004)(229853001)(68736005)(42186005)(77096005)(555904002)(83656004);DIR:OUT;SFP:1501;SCL:5;SRVR:SG2PR0201MB0984;H:[106.223.20.123];FPR:;SPF:None;PTR:InfoNoRecords;MX:0;A:0;LANG:en;
Received-SPF: None (protection.outlook.com: [106.223.20.123] does not designate permitted sender hosts)