Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-20 Thread Alberto Abrao via mailop


On 2024-01-14 15:28, Alexander Huynh via mailop wrote:
> From a spam point of view, signing up for a domain is a barrier of 
> entry which some may consider too much trouble.
> 
> This may play into why there's a larger distribution of unwanted mail 
> on the freely-provided `*.onmicrosoft.com` subdomains.



It may be useful to add that I administer a MS365 tenant, having 
migrated to it recently at $DAYJOB. I don't consider myself particularly 
skilled, so consider this a very "low-hanging-fruit" assessment.



These are the situations where you'll need the onmicrosoft moniker:

1) Brand new tenant, as others have mentioned. It starts with 
account@.onmicrosoft.com. You're supposed to set up your 
domain and take it from there.
2) Forward e-mail from on-premise to cloud. When your domain points to 
your on-premise SMTP, you can then relay it to 
.mail.onmicrosoft.com. Notice that it then generates the same 
identifier  under .*mail*.onmicrosoft.com. As far as I 
recall, this one is not even set up for outbound e-mail, just for inbound.
3) You *can* disable outbound for .onmicrosoft.com, and you should after 
you set it up - for example, our organization has bilingual domains, and 
as soon as I enable the option for our members to pick the domain when 
sending through Outlook on the Web, onmicrosoft also showed up there. 
Confusing and unnecessary.
4) You can NOT remove the onmicrosoft.com domain from the account, nor 
can you change the one you pick when creating the tenant. It is an 
internal reference, but that's it.



This is all to say: there's no valid reason I can see for anyone to use 
their onmicrosoft.com domain for outbound e-mail. Even if you're 
relaying, you'll use .mail.onmicrosoft.com, and that's inbound 
only.



Spammers rely on the ease of creating a 365 trial account, and 
.onmicrosoft.com being there and ready for action, and the fact that all 
e-mail admins hesitate to block the big providers.



As a result, thanks to this discussion, that'll be my first thing to do 
on Monday.



Kind regards,
Alberto Abrao

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-19 Thread Bill Cole via mailop

On 2024-01-19 at 07:03:35 UTC-0500 (Fri, 19 Jan 2024 12:03:35 +)
Simon Arlott via mailop 
is rumored to have said:


> On 19/01/2024 00:33, Randolf Richardson, Postmaster via mailop wrote:
> 
> > The blacklists seem to be blocking mostly the ones that send
> > directly from @.onmicrosoft.com addresses, which
> > should make filtering easy if we can confirm for certain that no
> > legitimate eMail has these as the sender -- that is, not in the
> > "Return-Path:" header and not in the "From:" header.
> 
> I have a legitimate email today from @example.onmicrosoft.com (both
> envelope sender and From: header) that is a cross-organisation meeting
> invite. Normally all of their email uses their domain but some Microsoft
> software is using this internal domain for meeting invites.
> 
> Indiscriminate blocking is going to unexpectedly reject real email.


There are some very well-known major corporations who have had policies 
of rejecting any meeting invites with .ics files unless the sender is 
whitelisted. Too many people do not expect random strangers "inviting" 
them to meetings and have their settings configured to auto-accept 
invites.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-19 Thread Randolf Richardson, Postmaster via mailop
> On Wed, 17 Jan 2024 15:35:42 +0100, Hans-Martin Mosner via mailop
>  wrote:
> 
> >On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> >> With this in mind, did somebody compile a block list yet? Or should I just 
> >> create a whitelist? 
> >
> >A block list does not make sense, as new domains are added continuously. 
> >It's just too simple.
> 
> I have noticed the predominance of "x.onmicrosoft.com" domains in the spam
> sump here.  In many cases, the envelope from and the "friendly" from contain
> different x- domains, and these rotate rapidly.  They are either created
> algorithmically, or by persons diddling their fingers on a keyboard.

The well-known acronym of "YMMV" (Your Mileage May Vary) - or the 
Canadian alternative of "YKMV" (Your Kilometerage May Vary) - comes 
to mind as the effects seem to be somewhat inconsistent.

For example, I'm not seeing names of farm animals and vehicle brands 
intermixed in the third level of the hostnames anymore, and I wonder 
how long the pattern you're encountering will last.

> Twelve years back, when I was on the team that theoretically combated
> electronic used food both entering and exiting the Office 365 system, we saw
> the same evolving set of tricks that some of us had encountered back in the
> Dialup Epoch.  I wrote the front end for a lights-out dialup account creation
> and provisioning system, and before long the volume of code designed to
> prevent new accounts far exceeded that devoted to establishing new accounts.
> After the Company changed hands, this focus was removed from the system that
> replaced mine.
> 
> All of this is to say, you must have an active rather than reactive response
> to hostile usage of your system, whether there is definite and immediate
> revenue loss, or not.  

I agree.  Any system that shows consistency is eventually going to 
be countered by spammers, so it's a constant uphill battle. :(

> My diagnosis of MSFT's problem in doing anything effective is that the
> fundamental model of the service does not entertain the notion of a strong
> focus on being a constructive member of the net.community.  I don't know the
> current situation, but our quest to discover who actually reads and acts upon
> messages to postmas...@microsoft.com or ab...@microsoft.com eventually
> returned the answer "nobody, really".  
> 
> mdr

They're no longer bouncing from those addresses?  I guess that's 
progress of a sort.

I agree with your diagnosis -- it does seem like they really don't 
care, and that they have an exploitive attitude about internet mail.

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-19 Thread Randolf Richardson, Postmaster via mailop
> On 19/01/2024 00:33, Randolf Richardson, Postmaster via mailop wrote:
> > The blacklists seem to be blocking mostly the ones that send 
> > directly from @.onmicrosoft.com addresses, which 
> > should make filtering easy if we can confirm for certain that no 
> > legitimate eMail has these as the sender -- that is, not in the 
> > "Return-Path:" header and not in the "From:" header.
> 
> I have a legitimate email today from @example.onmicrosoft.com (both
> envelope sender and From: header) that is a cross-organisation meeting
> invite. Normally all of their email uses their domain but some Microsoft
> software is using this internal domain for meeting invites.
> 
> Indiscriminate blocking is going to unexpectedly reject real email.

This is an important observation -- thanks for sharing it.

Unfortunately, this ultimately means that there's one less avenue of 
defense for mail server operators, and it almost feels like an effort 
on Microsoft's part to make their onmicrosoft.com domain gradually 
immune to filters. :(

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-19 Thread Simon Arlott via mailop
On 19/01/2024 00:33, Randolf Richardson, Postmaster via mailop wrote:
>   The blacklists seem to be blocking mostly the ones that send 
> directly from @.onmicrosoft.com addresses, which 
> should make filtering easy if we can confirm for certain that no 
> legitimate eMail has these as the sender -- that is, not in the 
> "Return-Path:" header and not in the "From:" header.

I have a legitimate email today from @example.onmicrosoft.com (both
envelope sender and From: header) that is a cross-organisation meeting
invite. Normally all of their email uses their domain but some Microsoft
software is using this internal domain for meeting invites.

Indiscriminate blocking is going to unexpectedly reject real email.

-- 
Simon Arlott



Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread Randolf Richardson, Postmaster via mailop
I'm seeing in today's logs plenty of blocking of hosts ending with 
".onmicrosoft.com" but also plenty of SMTP connections not being 
blocked.

Those MS-Miscreants seem to have moved on from mixing names of farm 
animals and car brands to names that seem like they could be for 
professional firms like "jlrlawcorp.onmicrosoft.com" ... and none of 
the names like that - but in the form of "jlrlawcpro.com" - are even 
registered, so they might just be figments of some spammer's 
imagination, or made up by an algorithm (AI would be overkill, but 
someone's probably wasting resources on that too).

So far, the spot checks I've done include quite a bit of legitimate 
eMail -- some from schools, health/medical service providers, various 
government agencies, and a smattering of different businesses that 
are providing professional services and which I don't believe are 
using spam to do marketing.

The common thing I'm noticing with all of these senders is that 
they're sending from their own domain names, even though the 
HELO/EHLO string ends with .onmicrosoft.com.

The blacklists seem to be blocking mostly the ones that send 
directly from @.onmicrosoft.com addresses, which 
should make filtering easy if we can confirm for certain that no 
legitimate eMail has these as the sender -- that is, not in the 
"Return-Path:" header and not in the "From:" header.

> I see in today's logs that Spamhaus is now blocking (for us) hundreds of 
> these onmicrosoft.com subdomains.
> 
> Regards, 
> Mark 
> _ 
> L. Mark Stone, Founder 
> North America's Leading Zimbra VAR/BSP/Training Partner 
> For Companies With Mission-Critical Email Needs
> 
> - Original Message -
> From: "Hans-Martin Mosner via mailop" 
> To: "mailop" 
> Sent: Thursday, January 18, 2024 5:13:30 PM
> Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
> distribution lists?
> 
> On 17.01.24 at 15:35, Hans-Martin Mosner via mailop wrote:
> > On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> > > With this in mind, did somebody compile a block list yet? Or should I just 
> > > create a whitelist? 
> > 
> > A block list does not make sense, as new domains are added continuously. It's 
> > just too simple. 
> 
> 
> Maybe it's still a possible approach, I've noticed a number of domains which 
> were used multiple times yesterday and today, so that could be a start. 
> 
> Cheers, 
> Hans-Martin 
> 
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread Michael Rathbun via mailop
On Wed, 17 Jan 2024 15:35:42 +0100, Hans-Martin Mosner via mailop
 wrote:

>On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
>> With this in mind, did somebody compile a block list yet? Or should I just 
>> create a whitelist? 
>
>A block list does not make sense, as new domains are added continuously. It's 
>just too simple.

I have noticed the predominance of "x.onmicrosoft.com" domains in the spam
sump here.  In many cases, the envelope from and the "friendly" from contain
different x- domains, and these rotate rapidly.  They are either created
algorithmically, or by persons diddling their fingers on a keyboard.

Twelve years back, when I was on the team that theoretically combated
electronic used food both entering and exiting the Office 365 system, we saw
the same evolving set of tricks that some of us had encountered back in the
Dialup Epoch.  I wrote the front end for a lights-out dialup account creation
and provisioning system, and before long the volume of code designed to
prevent new accounts far exceeded that devoted to establishing new accounts.
After the Company changed hands, this focus was removed from the system that
replaced mine.

All of this is to say, you must have an active rather than reactive response
to hostile usage of your system, whether there is definite and immediate
revenue loss, or not.  

My diagnosis of MSFT's problem in doing anything effective is that the
fundamental model of the service does not entertain the notion of a strong
focus on being a constructive member of the net.community.  I don't know the
current situation, but our quest to discover who actually reads and acts upon
messages to postmas...@microsoft.com or ab...@microsoft.com eventually
returned the answer "nobody, really".  

mdr
-- 
  Ad finem pugnabo.



Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread L. Mark Stone via mailop
I see in today's logs that Spamhaus is now blocking (for us) hundreds of these 
onmicrosoft.com subdomains.

Regards, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Hans-Martin Mosner via mailop" 
To: "mailop" 
Sent: Thursday, January 18, 2024 5:13:30 PM
Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
distribution lists?

On 17.01.24 at 15:35, Hans-Martin Mosner via mailop wrote:
> On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> > With this in mind, did somebody compile a block list yet? Or should I just 
> > create a whitelist? 
> 
> A block list does not make sense, as new domains are added continuously. It's 
> just too simple. 


Maybe it's still a possible approach, I've noticed a number of domains which 
were used multiple times yesterday and today, so that could be a start. 

Cheers, 
Hans-Martin 




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-18 Thread Hans-Martin Mosner via mailop

On 17.01.24 at 15:35, Hans-Martin Mosner via mailop wrote:
> On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> > With this in mind, did somebody compile a block list yet? Or should I just create a whitelist? 
> 
> A block list does not make sense, as new domains are added continuously. It's 
> just too simple.

Maybe it's still a possible approach, I've noticed a number of domains which were used multiple times yesterday and 
today, so that could be a start.


Cheers,
Hans-Martin




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-17 Thread Geert Hendrickx via mailop
On Wed, Jan 17, 2024 at 20:13:13 +, L. Mark Stone via mailop wrote:
> Nonetheless, to be conservative, we've taken to blocking just
> @onmicrosoft.com emails for the moment (no subdomains).


It's strange you'd see anything from @onmicrosoft.com at all, as the
domain itself has no MX nor A or AAAA records, so mail shouldn't be
accepted anyway with any "reject_unknown_sender_domain" style policy.

At least we don't see @onmicrosoft.com at all in our logs, amidst
tons of @*.onmicrosoft.com crap.


Geert




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-17 Thread Colin Johnston via mailop
Seen some weird tenant.onmicrosoft.com in delivery/read receipts in From: 
headers, so I believe Microsoft is using the domain itself for send/receive 
functionality inside the Exchange tenant config.

Colin

Sent from my iPod

> On 17 Jan 2024, at 14:28, Paul Menzel via mailop  wrote:
> 


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-17 Thread Hans-Martin Mosner via mailop

On 17.01.24 at 15:20, Paul Menzel via mailop wrote:
> With this in mind, did somebody compile a block list yet? Or should I just create a whitelist? 

A block list does not make sense, as new domains are added continuously. It's 
just too simple.

I've had good experience with a whitelist, but that requires quite some manual work, as there are a number of 
onmicrosoft.com subdomains from which our users get legit mail. So we're handling them with temp reject codes, and I 
check the logs regularly (several times per day) to whitelist domains that look valid (which is most often possible in 
our case by just looking at the domain name).


False positives and false negatives do happen, but they are rare enough to make 
this a workable approach.

Cheers,
Hans-Martin
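The allowlist-with-tempfail approach described in the post above, combined with the distinction Alberto Abrao draws at the top of the page between onmicrosoft.com itself, tenant.onmicrosoft.com and tenant.mail.onmicrosoft.com, as an added example that is not code from any poster in this thread. It assumes a Postfix-style policy hook that returns an SMTP action string; the allowlist, the tenant names and the log lines are constructed for the example.

```python
"""Allowlist-with-tempfail handling for senders under onmicrosoft.com.

Added example, not code from any mailop poster. Assumes a Postfix-style
policy hook: the function receives the envelope sender and returns an SMTP
action string ("DUNNO" hands the decision to the next restriction).
"""
from __future__ import annotations

import re
from collections import Counter

APEX = "onmicrosoft.com"


def classify_domain(domain: str) -> str:
    """Sort a sender domain into the cases the thread distinguishes.

    'apex'         -> onmicrosoft.com itself (no MX, A or AAAA record)
    'tenant'       -> <tenant>.onmicrosoft.com, the free default domain
    'tenant-relay' -> <tenant>.mail.onmicrosoft.com, the on-premise relay target
    'other'        -> anything else
    """
    d = domain.strip().lower().rstrip(".")
    if d == APEX:
        return "apex"
    if d.endswith(".mail." + APEX):
        return "tenant-relay"
    if d.endswith("." + APEX):
        return "tenant"
    return "other"


def sender_policy(envelope_from: str, allowlist: set[str]) -> str:
    """Decide at SMTP time, keyed on the envelope sender domain only.

    The HELO name is deliberately ignored: legitimate tenants HELO as
    *.onmicrosoft.com while sending from their own domain, so HELO alone
    does not separate the spam from the real mail.
    """
    domain = envelope_from.rpartition("@")[2].lower()
    kind = classify_domain(domain)
    if kind == "apex":
        # The apex cannot receive bounces; a reject_unknown_sender_domain
        # style check would refuse it anyway, so there is nothing to tempfail.
        return "550 5.1.8 sender domain has no MX, A or AAAA record"
    if kind in ("tenant", "tenant-relay"):
        if domain in allowlist:
            return "DUNNO"
        # 4xx rather than 5xx: a legitimate tenant (the cross-organisation
        # meeting-invite case) keeps retrying while the admin reviews the log.
        return "450 4.7.1 onmicrosoft.com tenant pending manual review"
    return "DUNNO"


# Constructed Postfix-style smtpd log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "Jan 18 09:12:01 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]:"
    " 450 4.7.1 <bob@tenant-b.onmicrosoft.com>: Sender address rejected: pending manual review;"
    " from=<bob@tenant-b.onmicrosoft.com> to=<alice@example.org> helo=<tenant-b.onmicrosoft.com>",
    "Jan 18 09:13:44 mx postfix/qmgr[4700]: 3F2A1C0: from=<news@tenant-a.onmicrosoft.com>, size=4210",
    "Jan 18 09:20:07 mx postfix/smtpd[4715]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]:"
    " 450 4.7.1 <ann@tenant-c.onmicrosoft.com>: Sender address rejected: pending manual review;"
    " from=<ann@tenant-c.onmicrosoft.com> to=<carol@example.org> helo=<tenant-c.onmicrosoft.com>",
    "Jan 18 09:41:19 mx postfix/smtpd[4718]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]:"
    " 450 4.7.1 <bob@tenant-b.onmicrosoft.com>: Sender address rejected: pending manual review;"
    " from=<bob@tenant-b.onmicrosoft.com> to=<dave@example.org> helo=<tenant-b.onmicrosoft.com>",
    "Jan 18 09:50:02 mx postfix/smtpd[4720]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]:"
    " 450 4.7.1 <x@example.net>: Recipient address rejected: Greylisted;"
    " from=<x@example.net> to=<alice@example.org> helo=<mail.example.net>",
]

FROM_RE = re.compile(r"from=<[^<>@]*@([^<>]+)>")


def pending_tenants(log_lines: list[str]) -> dict[str, int]:
    """Tally tempfailed onmicrosoft tenants so the log review has a worklist.

    Tenants that look legitimate get added to the allowlist; the rest keep
    receiving 450s until the sender gives up. Greylisted 450s from other
    domains and accepted (allowlisted) tenants are not counted.
    """
    tally: Counter = Counter()
    for line in log_lines:
        if " 450 4.7.1 " not in line:
            continue
        m = FROM_RE.search(line)
        if m and classify_domain(m.group(1)) in ("tenant", "tenant-relay"):
            tally[m.group(1).lower()] += 1
    return dict(tally)


if __name__ == "__main__":
    allow = {"tenant-a.onmicrosoft.com"}
    for sender in ("x@onmicrosoft.com", "news@tenant-a.onmicrosoft.com", "bob@tenant-b.onmicrosoft.com"):
        print(sender, "->", sender_policy(sender, allow))
    print(pending_tenants(SAMPLE_LOG))
```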


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-16 Thread Bradley King via mailop
No slowing at all from where I sit.

Over the last 24 hours on our platform -

1,070,934 SPAM messages from various *.onmicrosoft.com domains along with many 
other dodgy domains like ..com
I would suggest looking for MSFT IPs - not just an envelope of 
*.onmicrosoft.com and taking a look at what they are sending. Like us, you may 
just find a ton more spam from weird domains as described above.

This has been happening for months. Various subjects around Antivirus, Gift 
Cards, Bitcoin, Postal deliveries, Power Drills, Pillows, Doorbell Cameras, 
clean electricity and even Toothbrushes along with other malicious Phishing 
emails posing as banks etc... and then some..

Cheers,

Brad






17 January 2024 at 09:44, "Jarland Donnell via mailop" 
wrote:

> Don't forget about Elon's New Heater!
> 
> We're seeing a bit of a reduction of complaints now from this. Are any 
> others seeing it start to slow down as well? I'm hoping MS is getting 
> better at fighting it, but it may just be that I have. I haven't quite 
> gone as far as blocking them but I have added high spam scores, and even 
> increased spam scores from all MS IPs.
> 
> On 2024-01-16 16:24, Russell Clemings via mailop wrote:
> 
> > Since exim_mainlog rolled over Saturday night, I see 332 successful
> > incoming emails from onmicrosoft.com and 52 spam rejects. Based on
> > the subject lines, all of the successes were spam. So I've added
> > "blacklist from *.onmicrosoft.com" to spamassassin. I just hope
> > people won't be too disappointed about missing out on their Dewalt
> > Power Stations and their YETI 30-Oz. travel mugs.
> > 
> > On Mon, Jan 15, 2024 at 10:30 AM Randolf Richardson, Postmaster via
> > mailop wrote:
> > 
> > > > FWIW, after a log file review we are contemplating blocking
> > > > "azurewebsites.net" as well as "@onmicrosoft.com".
> > > 
> > > Our logs are showing small quantities of SMTP traffic from
> > > "azurewebsites.net" that are usually being blocked due to SPF
> > > failures, and usually sending to weird, nonsensical non-existent eMail
> > > addresses where the local-part is a series of randomly-selected
> > > letters and digits, sometimes intermixed with names of birds,
> > > furniture, food, vehicles, colours, etc., all of which are recipient
> > > addresses that don't exist and have never existed.
> > > 
> > > I'm assuming it's a source of eMail debris from broken systems. I'm
> > > almost tempted to set up a honeypot to see whatever trash it's trying
> > > to spew out, but I'd rather do something more productive (like
> > > flossing my teeth).
> > > 
> > > > Curious if others are coming to the same conclusion?
> > > 
> > > I'm currently leaning in a block-on-sight direction since I'm seeing
> > > zero legitimate eMail coming from hosts self-identifying as hosts in
> > > the "azurewebsites.net" domain name in the HELO and EHLO commands.
> > > 
> > > > Regards,
> > > > Mark
> > > > _
> > > > L. Mark Stone, Founder
> > > > North America's Leading Zimbra VAR/BSP/Training Partner
> > > > For Companies With Mission-Critical Email Needs
> > > > 
> > > > - Original Message -
> > > > From: "Mark Alley via mailop" 
> > > > To: "Andrew C Aitchison" 
> > > > Cc: "mailop" 
> > > > Sent: Sunday, January 14, 2024 6:30:22 PM
> > > > Subject: Re: [mailop] Anyone else noticing an increase in spam
> > > > from Office365 distribution lists?
> > > > 
> > > > Ah, yep, thanks for catching that typo.
> > > > On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:

Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-16 Thread Michael Peddemors via mailop
I think you have to start blocking them earlier than in SpamAssassin, 
if you want to make a difference..


If you block them at the SMTP layer, then maybe they give up.. or if you 
reject with a 4XX, maybe Microsoft might notice an increase in the 
queues (wishful thinking)


Also, if you check earlier, you can save a lot of overhead..

Only advantage of flagging it at the filtering level, is if you aren't 
100% certain it's all spam, then you can redirect it to the person's 
'spam' folders..


One note.. you say 'from onmicrosoft.com' .. do you mean the 
subdomain.onmicrosoft.com or @onmicrosoft.com, there is a slight 
difference...




On 2024-01-16 14:24, Russell Clemings via mailop wrote:
> Since exim_mainlog rolled over Saturday night, I see 332 successful 
> incoming emails from onmicrosoft.com and 52 spam rejects. Based on the 
> subject lines, all of the successes were spam. So I've added "blacklist 
> from *.onmicrosoft.com" to spamassassin. I just hope people won't be 
> too disappointed about missing out on their Dewalt Power Stations and 
> their YETI 30-Oz. travel mugs.
> 
> On Mon, Jan 15, 2024 at 10:30 AM Randolf Richardson, Postmaster via 
> mailop wrote:
> 
> > > FWIW, after a log file review we are contemplating blocking
> > > "azurewebsites.net" as well as "@onmicrosoft.com".
> > 
> > Our logs are showing small quantities of SMTP traffic from
> > "azurewebsites.net" that are usually being blocked due to SPF
> > failures, and usually sending to weird, nonsensical non-existent eMail
> > addresses where the local-part is a series of randomly-selected
> > letters and digits, sometimes intermixed with names of birds,
> > furniture, food, vehicles, colours, etc., all of which are recipient
> > addresses that don't exist and have never existed.
> > 
> > I'm assuming it's a source of eMail debris from broken systems. I'm
> > almost tempted to set up a honeypot to see whatever trash it's trying
> > to spew out, but I'd rather do something more productive (like
> > flossing my teeth).
> > 
> > > Curious if others are coming to the same conclusion?
> > 
> > I'm currently leaning in a block-on-sight direction since I'm seeing
> > zero legitimate eMail coming from hosts self-identifying as hosts in
> > the "azurewebsites.net" domain name in the HELO and EHLO commands.
> > 
> > > Regards,
> > > Mark
> > > _
> > > L. Mark Stone, Founder
> > > North America's Leading Zimbra VAR/BSP/Training Partner
> > > For Companies With Mission-Critical Email Needs
> > > 
> > > - Original Message -
> > > From: "Mark Alley via mailop" 
> > > To: "Andrew C Aitchison" 
> > > Cc: "mailop" 
> > > Sent: Sunday, January 14, 2024 6:30:22 PM
> > > Subject: Re: [mailop] Anyone else noticing an increase in spam
> > > from Office365 distribution lists?
> > > 
> > > Ah, yep, thanks for catching that typo.
> > > On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:
> > > 
> > > > On Sun, 14 Jan 2024, Mark Alley via mailop wrote:
> > > > 
> > > > > This is anecdotal, but I think it illustrates even at a smaller
> > > > > scale the persistent problem Microsoft currently has with their
> > > > > tenancy.
> > > > > 
> > > > > I did some quick perusal of the last month's data from our email
> > > > > logs, and out of a total of 22,473 external emails that contain a
> > > > > .onmicrosoft.com subdomain in the RFC5322.FROM field -- 22,086
> > > > > were blocked because of various reasons:
> > > > > 
> > > > > * 21,228 spam
> > > > > * 1 malware
> > > > > * 759 phishing
> > > > > * 5 impostor
> > > > > * 93 "hard" failed SPF without a DMARC record since
> > > > >   onmicrosoft.com doesn't have one. (probably forwarded)
> > > > > 
> > > > > 387 "clean" emails were delivered successfully initially, and 151
> > > > > of those initial delivers were then later retroactively classified
> > > > > as being spam or phishing.
> > > > > 
> > > > > So even at this scale, we're left with a minutia of ~0.01%
> > > > 
> > > > 236/22473 ~= 1%
> > > > 
> > > > > "legitimate" emails, most of which are from misconfigured
> > > > > Exchange Online mailboxes or Office365 groups from various businesses.
> > > > > 
> > > > > So, YMMV widely, but for most organizations, as John said,
> > > > > definitely not going to be missing /too /much. Most of what I see
> > > > > th

Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-16 Thread Jarland Donnell via mailop

Don't forget about Elon's New Heater!

We're seeing a bit of a reduction of complaints now from this. Are any 
others seeing it start to slow down as well? I'm hoping MS is getting 
better at fighting it, but it may just be that I have. I haven't quite 
gone as far as blocking them but I have added high spam scores, and even 
increased spam scores from all MS IPs.


On 2024-01-16 16:24, Russell Clemings via mailop wrote:

Since exim_mainlog rolled over Saturday night, I see 332 successful
incoming emails from onmicrosoft.com [2] and 52 spam rejects. Based on
the subject lines, all of the successes were spam. So I've added
"blacklist from *.onmicrosoft.com [2]" to spamassassin. I just hope
people won't be too disappointed about missing out on their Dewalt
Power Stations and their YETI 30-Oz. travel mugs.

On Mon, Jan 15, 2024 at 10:30 AM Randolf Richardson, Postmaster via
mailop  wrote:


FWIW, after a log file review we are contemplating blocking

"azurewebsites.net [1]" as well as "@onmicrosoft.com [2]".

Our logs are showing small quantities of SMTP traffic from
"azurewebsites.net [1]" that are usually being blocked due to SPF
failures, and usually sending to weird, nonsensical non-existent
eMail
addresses where the local-part is a series of randomly-selected
letters and digits, sometimes intermixed with names of birds,
furniture, food, vehicles, colours, etc., all of which are recipient

addresses that don't exist and have never existed.

I'm assuming it's a source of eMail debris from broken
systems.  I'm
almost tempted to set up a honeypot to see whatever trash it's
trying
to spew out, but I'd rather do something more productive (like
flossing my teeth).


Curious if others are coming to the same conclusion?


I'm currently leaning in a block-on-sight direction since
I'm seeing
zero legitimate eMail coming from hosts self-identifying as hosts in

the "azurewebsites.net [1]" domain name in the HELO and EHLO
commands.


Regards,
Mark
_
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Mark Alley via mailop" 
To: "Andrew C Aitchison" 
Cc: "mailop" 
Sent: Sunday, January 14, 2024 6:30:22 PM
Subject: Re: [mailop] Anyone else noticing an increase in spam

from Office365 distribution lists?




Ah, yep, thanks for catching that typo.
On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:


On Sun, 14 Jan 2024, Mark Alley via mailop wrote:


This is anecdotal, but I think it illustrates even at a smaller

scale the persistent problem Microsoft currently has with their
tenancy.


I did some quick perusal of the last month's data from our email

logs, and out of a total of 22,473 external emails that contain a
.onmicrosoft.com [2] subdomain in the RFC5322.FROM field -- 22,086
were blocked because of various reasons:


* 21,228 spam
* 1 malware
* 759 phishing
* 5 impostor
* 93 "hard" failed SPF without a DMARC record since

onmicrosoft.com [2]

doesn't have one. (probably forwarded)

387 "clean" emails were delivered successfully initially, and 151

of those initial deliveries were then later retroactively classified
as being spam or phishing.


So even at this scale, we're left with a minutia of ~0.01%



236/22473 ~= 1%


"legitimate" emails, most of which are from misconfigured Exchange

Online mailboxes or Office365 groups from various businesses.


So, YMMV widely, but for most organizations, as John said,

definitely not going to be missing /too /much. Most of what I see
that's legitimate in our traffic would be 3 or 4 specific subdomain
additions to a safelist from the hypothetical block rule, and that
would be it.


- Mark Alley




___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop



--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/



--

===
Russell Clemings

===

Links:
--
[1] http://azurewebsites.net
[2] http://onmicrosoft.com



Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-16 Thread Russell Clemings via mailop
Since exim_mainlog rolled over Saturday night, I see 332 successful
incoming emails from onmicrosoft.com and 52 spam rejects. Based on the
subject lines, all of the successes were spam. So I've added "blacklist
from *.onmicrosoft.com" to spamassassin. I just hope people won't be too
disappointed about missing out on their Dewalt Power Stations and their
YETI 30-Oz. travel mugs.

On Mon, Jan 15, 2024 at 10:30 AM Randolf Richardson, Postmaster via mailop <
mailop@mailop.org> wrote:

> > FWIW, after a log file review we are contemplating blocking "
> azurewebsites.net" as well as "@onmicrosoft.com".
>
> Our logs are showing small quantities of SMTP traffic from
> "azurewebsites.net" that are usually being blocked due to SPF
> failures, and usually sending to weird, nonsensical non-existent eMail
> addresses where the local-part is a series of randomly-selected
> letters and digits, sometimes intermixed with names of birds,
> furniture, food, vehicles, colours, etc., all of which are recipient
> addresses that don't exist and have never existed.
>
> I'm assuming it's a source of eMail debris from broken systems.
> I'm
> almost tempted to set up a honeypot to see whatever trash it's trying
> to spew out, but I'd rather do something more productive (like
> flossing my teeth).
>
> > Curious if others are coming to the same conclusion?
>
> I'm currently leaning in a block-on-sight direction since I'm
> seeing
> zero legitimate eMail coming from hosts self-identifying as hosts in
> the "azurewebsites.net" domain name in the HELO and EHLO commands.
>
> > Regards,
> > Mark
> > _
> > L. Mark Stone, Founder
> > North America's Leading Zimbra VAR/BSP/Training Partner
> > For Companies With Mission-Critical Email Needs
> >
> > ----- Original Message -----
> > From: "Mark Alley via mailop" 
> > To: "Andrew C Aitchison" 
> > Cc: "mailop" 
> > Sent: Sunday, January 14, 2024 6:30:22 PM
> > Subject: Re: [mailop] Anyone else noticing an increase in spam from
> Office365 distribution lists?
> >
> >
> >
> > Ah, yep, thanks for catching that typo.
> > On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:
> >
> >
> > On Sun, 14 Jan 2024, Mark Alley via mailop wrote:
> >
> >
> > This is anecdotal, but I think it illustrates even at a smaller scale
> the persistent problem Microsoft currently has with their tenancy.
> >
> > I did some quick perusal of the last month's data from our email logs,
> and out of a total of 22,473 external emails that contain a .
> onmicrosoft.com subdomain in the RFC5322.FROM field -- 22,086 were
> blocked because of various reasons:
> >
> > * 21,228 spam
> > * 1 malware
> > * 759 phishing
> > * 5 impostor
> > * 93 "hard" failed SPF without a DMARC record since onmicrosoft.com
> > doesn't have one. (probably forwarded)
> >
> > 387 "clean" emails were delivered successfully initially, and 151 of
> those initial deliveries were then later retroactively classified as being
> spam or phishing.
> >
> > So even at this scale, we're left with a minutia of ~0.01%
> >
> >
> >
> > 236/22473 ~= 1%
> >
> >
> > "legitimate" emails, most of which are from misconfigured Exchange
> Online mailboxes or Office365 groups from various businesses.
> >
> > So, YMMV widely, but for most organizations, as John said, definitely
> not going to be missing /too /much. Most of what I see that's legitimate in
> our traffic would be 3 or 4 specific subdomain additions to a safelist from
> the hypothetical block rule, and that would be it.
> >
> > - Mark Alley
> >
> >
> >
> >
> >
>
>
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/
>
>
>


-- 
===
Russell Clemings
===


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-15 Thread Randolf Richardson, Postmaster via mailop
> FWIW, after a log file review we are contemplating blocking 
> "azurewebsites.net" as well as "@onmicrosoft.com".

Our logs are showing small quantities of SMTP traffic from 
"azurewebsites.net" that are usually being blocked due to SPF 
failures, and usually sending to weird, nonsensical non-existent eMail 
addresses where the local-part is a series of randomly-selected 
letters and digits, sometimes intermixed with names of birds, 
furniture, food, vehicles, colours, etc., all of which are recipient 
addresses that don't exist and have never existed.

I'm assuming it's a source of eMail debris from broken systems.  I'm 
almost tempted to set up a honeypot to see whatever trash it's trying 
to spew out, but I'd rather do something more productive (like 
flossing my teeth).

> Curious if others are coming to the same conclusion?

I'm currently leaning in a block-on-sight direction since I'm seeing 
zero legitimate eMail coming from hosts self-identifying as hosts in 
the "azurewebsites.net" domain name in the HELO and EHLO commands.

> Regards, 
> Mark 
> _ 
> L. Mark Stone, Founder 
> North America's Leading Zimbra VAR/BSP/Training Partner 
> For Companies With Mission-Critical Email Needs
> 
> - Original Message -
> From: "Mark Alley via mailop" 
> To: "Andrew C Aitchison" 
> Cc: "mailop" 
> Sent: Sunday, January 14, 2024 6:30:22 PM
> Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
> distribution lists?
> 
> 
> 
> Ah, yep, thanks for catching that typo. 
> On 1/14/2024 4:56 PM, Andrew C Aitchison wrote: 
> 
> 
> On Sun, 14 Jan 2024, Mark Alley via mailop wrote: 
> 
> 
> This is anecdotal, but I think it illustrates even at a smaller scale the 
> persistent problem Microsoft currently has with their tenancy. 
> 
> I did some quick perusal of the last month's data from our email logs, and 
> out of a total of 22,473 external emails that contain a .onmicrosoft.com 
> subdomain in the RFC5322.FROM field -- 22,086 were blocked because of various 
> reasons: 
> 
> * 21,228 spam 
> * 1 malware 
> * 759 phishing 
> * 5 impostor 
> * 93 "hard" failed SPF without a DMARC record since onmicrosoft.com 
> doesn't have one. (probably forwarded) 
> 
> 387 "clean" emails were delivered successfully initially, and 151 of those 
> initial deliveries were then later retroactively classified as being spam or 
> phishing. 
> 
> So even at this scale, we're left with a minutia of ~0.01% 
> 
> 
> 
> 236/22473 ~= 1% 
> 
> 
> "legitimate" emails, most of which are from misconfigured Exchange Online 
> mailboxes or Office365 groups from various businesses. 
> 
> So, YMMV widely, but for most organizations, as John said, definitely not 
> going to be missing /too /much. Most of what I see that's legitimate in our 
> traffic would be 3 or 4 specific subdomain additions to a safelist from the 
> hypothetical block rule, and that would be it. 
> 
> - Mark Alley 
> 
> 
> 
> 
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-15 Thread L. Mark Stone via mailop
FWIW, after a log file review we are contemplating blocking "azurewebsites.net" 
as well as "@onmicrosoft.com".

Curious if others are coming to the same conclusion?

Regards, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
From: "Mark Alley via mailop" 
To: "Andrew C Aitchison" 
Cc: "mailop" 
Sent: Sunday, January 14, 2024 6:30:22 PM
Subject: Re: [mailop] Anyone else noticing an increase in spam from Office365 
distribution lists?



Ah, yep, thanks for catching that typo. 
On 1/14/2024 4:56 PM, Andrew C Aitchison wrote: 


On Sun, 14 Jan 2024, Mark Alley via mailop wrote: 


This is anecdotal, but I think it illustrates even at a smaller scale the 
persistent problem Microsoft currently has with their tenancy. 

I did some quick perusal of the last month's data from our email logs, and out 
of a total of 22,473 external emails that contain a .onmicrosoft.com subdomain 
in the RFC5322.FROM field -- 22,086 were blocked because of various reasons: 

* 21,228 spam 
* 1 malware 
* 759 phishing 
* 5 impostor 
* 93 "hard" failed SPF without a DMARC record since onmicrosoft.com 
doesn't have one. (probably forwarded) 

387 "clean" emails were delivered successfully initially, and 151 of those 
initial deliveries were then later retroactively classified as being spam or 
phishing. 

So even at this scale, we're left with a minutia of ~0.01% 



236/22473 ~= 1% 


"legitimate" emails, most of which are from misconfigured Exchange Online 
mailboxes or Office365 groups from various businesses. 

So, YMMV widely, but for most organizations, as John said, definitely not going 
to be missing /too /much. Most of what I see that's legitimate in our traffic 
would be 3 or 4 specific subdomain additions to a safelist from the 
hypothetical block rule, and that would be it. 

- Mark Alley 







Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Mark Alley via mailop

Ah, yep, thanks for catching that typo.

On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:

On Sun, 14 Jan 2024, Mark Alley via mailop wrote:

This is anecdotal, but I think it illustrates even at a smaller scale 
the persistent problem Microsoft currently has with their tenancy.


I did some quick perusal of the last month's data from our email 
logs, and out of a total of 22,473 external emails that contain a 
.onmicrosoft.com subdomain in the RFC5322.FROM field -- 22,086 were 
blocked because of various reasons:


* 21,228 spam
* 1 malware
* 759 phishing
* 5 impostor
* 93 "hard" failed SPF without a DMARC record since onmicrosoft.com
  doesn't have one. (probably forwarded)

387 "clean" emails were delivered successfully initially, and 151 of 
those initial deliveries were then later retroactively classified as 
being spam or phishing.


So even at this scale, we're left with a minutia of ~0.01%


  236/22473 ~= 1%

"legitimate" emails, most of which are from misconfigured Exchange 
Online mailboxes or Office365 groups from various businesses.


So, YMMV widely, but for most organizations, as John said, definitely 
not going to be missing /too /much. Most of what I see that's 
legitimate in our traffic would be 3 or 4 specific subdomain 
additions to a safelist from the hypothetical block rule, and that 
would be it.


- Mark Alley


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Andrew C Aitchison via mailop

On Sun, 14 Jan 2024, Mark Alley via mailop wrote:

This is anecdotal, but I think it illustrates even at a 
smaller scale the persistent problem Microsoft currently has 
with their tenancy.


I did some quick perusal of the last month's data from our 
email logs, and out of a total of 22,473 external emails 
that contain a .onmicrosoft.com subdomain in the 
RFC5322.FROM field -- 22,086 were blocked because of various 
reasons:


* 21,228 spam
* 1 malware
* 759 phishing
* 5 impostor
* 93 "hard" failed SPF without a DMARC record since 
onmicrosoft.com

  doesn't have one. (probably forwarded)

387 "clean" emails were delivered successfully initially, 
and 151 of those initial deliveries were then later 
retroactively classified as being spam or phishing.


So even at this scale, we're left with a minutia of ~0.01%


  236/22473 ~= 1%

"legitimate" emails, most of which are from misconfigured 
Exchange Online mailboxes or Office365 groups from various 
businesses.


So, YMMV widely, but for most organizations, as John said, 
definitely not going to be missing /too /much. Most of what 
I see that's legitimate in our traffic would be 3 or 4 
specific subdomain additions to a safelist from the 
hypothetical block rule, and that would be it.


- Mark Alley


--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Mark Alley via mailop
This is anecdotal, but I think it illustrates even at a smaller scale 
the persistent problem Microsoft currently has with their tenancy.


I did some quick perusal of the last month's data from our email logs, 
and out of a total of 22,473 external emails that contain a 
.onmicrosoft.com subdomain in the RFC5322.FROM field -- 22,086 were 
blocked because of various reasons:


 * 21,228 spam
 * 1 malware
 * 759 phishing
 * 5 impostor
 * 93 "hard" failed SPF without a DMARC record since onmicrosoft.com
   doesn't have one. (probably forwarded)

387 "clean" emails were delivered successfully initially, and 151 of 
those initial deliveries were then later retroactively classified as being 
spam or phishing.


So even at this scale, we're left with a minutia of ~0.01% "legitimate" 
emails, most of which are from misconfigured Exchange Online mailboxes 
or Office365 groups from various businesses.


So, YMMV widely, but for most organizations, as John said, definitely 
not going to be missing /too /much. Most of what I see that's legitimate 
in our traffic would be 3 or 4 specific subdomain additions to a 
safelist from the hypothetical block rule, and that would be it.


- Mark Alley

On 1/14/2024 12:17 PM, John Levine via mailop wrote:

It appears that Russell Clemings via mailop  said:

"You can keep using the initial onmicrosoft.com domain even after you add
your domain. It still works for email and other services, so it's your
choice."

... or am I misunderstanding?

I'm tempted to block *.onmicrosoft.com completely but I'm very afraid.

I concur with the advice to block it.  You're not going to miss any mail
you care about.

R's,
John
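The tally Mark describes above and the "block *.onmicrosoft.com unless a specific tenant subdomain is safelisted" rule the thread converges on, as an added example that is not code from any post in this thread. It runs on constructed log records (an RFC5322.From header plus the filter's disposition) and constructed tenant names; the only real domain names in it are onmicrosoft.com and azurewebsites.net, both taken from the thread. The second half applies the same suffix check to HELO/EHLO names, which is the azurewebsites.net case Randolf raises.

```python
"""Added example (not from any post in this thread).

Reproduces, on constructed data, the two things the thread discusses:
  1. a per-disposition tally of mail whose RFC5322.From domain sits under
     onmicrosoft.com (the shape of the numbers Mark Alley posted), and
  2. a block-unless-safelisted policy for *.onmicrosoft.com senders, plus the
     same suffix check applied to HELO/EHLO names under azurewebsites.net.
Tenant names, addresses and dispositions below are constructed for the example.
"""
from collections import Counter
from email.utils import parseaddr

# Constructed records: (RFC5322.From header value, filter disposition).
SAMPLE_LOG = [
    ('"Invoices" <billing@contoso123.onmicrosoft.com>', "spam"),
    ("alerts@tenant77.onmicrosoft.com", "phishing"),
    ("relay@tenant77.mail.onmicrosoft.com", "spam"),
    ("Jane Doe <jane@partner-tenant.onmicrosoft.com>", "clean"),
    ("noreply@evilonmicrosoft.com", "clean"),   # looks similar, is NOT a subdomain
    ("news@ONMICROSOFT.COM", "spam"),            # apex domain, upper case
    ("ops@example.com", "clean"),
]


def from_domain(from_header: str) -> str:
    """Lower-cased domain of the RFC5322.From address, '' if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def in_domain(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it.

    The comparison respects label boundaries, so 'evilonmicrosoft.com' does
    not match 'onmicrosoft.com' the way a naive endswith() would.
    """
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def tally(records) -> Counter:
    """Disposition counts for messages whose From domain is under onmicrosoft.com."""
    counts = Counter()
    for header, disposition in records:
        if in_domain(from_domain(header), "onmicrosoft.com"):
            counts[disposition] += 1
    return counts


def legitimate_share(total: int, delivered: int, reclassified: int) -> float:
    """Fraction of mail still 'clean' after retroactive reclassification.

    With the thread's figures (22473, 387, 151) this is 236/22473, about 1%.
    The return value is a fraction; multiply by 100 before quoting a percent.
    """
    return (delivered - reclassified) / total


def sender_policy(from_header: str, safelist=()) -> str:
    """'allow' (not an onmicrosoft.com sender), 'safelist' or 'block'.

    safelist holds the few specific tenant subdomains an operator decides to
    keep accepting from under the hypothetical block rule.
    """
    dom = from_domain(from_header)
    if not in_domain(dom, "onmicrosoft.com"):
        return "allow"
    if any(in_domain(dom, keep) for keep in safelist):
        return "safelist"
    return "block"


def helo_policy(helo_name: str) -> str:
    """Same suffix check applied to the HELO/EHLO name, for azurewebsites.net."""
    return "block" if in_domain(helo_name, "azurewebsites.net") else "allow"


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    print("onmicrosoft.com senders by disposition:", dict(counts))
    share = legitimate_share(22473, 387, 151)
    print("thread figures, share left clean: %.2f%%" % (100 * share))
    keep = ["partner-tenant.onmicrosoft.com"]
    for hdr, _ in SAMPLE_LOG:
        print(f"{hdr!r:55} -> {sender_policy(hdr, safelist=keep)}")
    print("HELO app1.azurewebsites.net ->", helo_policy("app1.azurewebsites.net"))
```

Two details matter for a rule like this in production: the match is done on label boundaries (a plain substring or glob test on "onmicrosoft.com" would also catch look-alike registrable domains, which is a different decision), and the safelist is keyed on the full tenant subdomain, matching the "3 or 4 specific subdomain additions" Mark expects rather than anything broader.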


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Alexander Huynh via mailop
From a spam point of view, signing up for a domain is a barrier of entry 
which some may consider too much trouble.


This may play into why there's a larger distribution of unwanted mail on 
the freely-provided `*.onmicrosoft.com` subdomains.

--
Alex


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Randolf Richardson, Postmaster via mailop
According to Microsoft, they use the "onmicrosoft.com" domain name 
for providing IMAP4 access, and as an SMTP fallback domain for 
clients who don't have their own domain name:

Source:  
https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-or-replace-your-onmicrosoftcom-domain?view=o365-worldwide

So, I wouldn't block anything other than SMTP ports 25 and 465.  
However, there are some other key points in the above-referenced 
documents that will likely be of interest, and getting clarification 
from Microsoft's technical support would, I think, be prudent.

"... When you sign up for Microsoft 365, Microsoft provides an 
onmicrosoft.com domain - your fallback domain - in case you don't own 
a domain, or don't want to connect it to Microsoft 365 ..."

That above excerpt seems to indicate that the "onmicrosoft.com" 
domain name is for temporary use, perhaps while a user is in the 
process of getting things configured.  If this is true, then that's 
nothing to worry about since users probably won't care if they're not 
intending to be known as "${USERNAME}@onmicrosoft.com" anyway.

"... It serves as a default email routing address for your Microsoft 
365 environment. When a user is set up with a mailbox, email is 
routed to the fallback domain. Even if a custom domain is used (for 
example, tailspintoys.com), if that custom domain is deleted from 
your Microsoft 365 environment, the fallback domain ensures that your 
user's email is successfully routed. ..."

The above excerpt seems to indicate that the "onmicrosoft.com" 
domain name is used for internal routing.  However, it doesn't 
mention forwarding from this domain name, so that should probably be 
discerned before blocking.

The other problem is that if Microsoft's outbound mail is 
identifying with their "onmicrosoft.com" domain instead of their 
client's domain name (e.g., their client didn't complete one 
particular step in the configuration; or Microsoft just wants to get 
their brand stuffed into everyone's log files; etc.), then that could 
be a problem.  Again, I think it would be prudent to get some 
clarification from Microsoft on these particulars prior to blocking 
(unless, of course, you only find evidence of "all spam and no ham" 
over the past year or whatever timeframe works best for your users).

> But
> https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq?view=o365-worldwide
> says:
> 
> "You can keep using the initial onmicrosoft.com domain even after you add
> your domain. It still works for email and other services, so it's your
> choice."
> 
> ... or am I misunderstanding?
> 
> I'm tempted to block *.onmicrosoft.com completely but I'm very afraid.
> 
> On Sun, Jan 14, 2024 at 5:15AM Graeme Fowler via mailop 
> wrote:
> 
> > On 13 January 2024 14:07:46 "L. Mark Stone via mailop" 
> > wrote:
> >
> >> Is there a list of "legitimate" subdomains of onmicrosoft.com somewhere
> >> that we can leverage?
> >>
> >
> > Wearing my "I have to administer a Microsoft 365 tenancy" hat - no.
> >
> > However, your mention of best practice is bang on. The subdomains of
> > onmicrosoft.com are tenant boundaries and not intended to be used for
> > email. Domains should be added, verified and configured properly for
> > outbound mail.
> >
> > I would personally say that you will lose practically no real email by
> > rejecting those subdomains completely - and if you get complaints from
> > actual M365 tenant customers, point them at the docs.
> >
> > Graeme
> >
> 
> 
> -- 
> ===
> Russell Clemings
> ===
> 


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread John Levine via mailop
It appears that Russell Clemings via mailop  said:
>"You can keep using the initial onmicrosoft.com domain even after you add
>your domain. It still works for email and other services, so it's your
>choice."
>
>... or am I misunderstanding?
>
>I'm tempted to block *.onmicrosoft.com completely but I'm very afraid.

I concur with the advice to block it.  You're not going to miss any mail
you care about.

R's,
John


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Graeme Fowler via mailop

You can, yes. But would anyone trust it?

I wouldn't.

Graeme

On 14 January 2024 17:49:36 Russell Clemings via mailop  
wrote:
But 
https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq?view=o365-worldwide 
says:


"You can keep using the initial onmicrosoft.com domain even after you add 
your domain. It still works for email and other services, so it's your choice."


... or am I misunderstanding?

I'm tempted to block *.onmicrosoft.com completely but I'm very afraid.

On Sun, Jan 14, 2024 at 5:15 AM Graeme Fowler via mailop 
 wrote:


On 13 January 2024 14:07:46 "L. Mark Stone via mailop"  
wrote:
Is there a list of "legitimate" subdomains of onmicrosoft.com somewhere 
that we can leverage?


Wearing my "I have to administer a Microsoft 365 tenancy" hat - no.

However, your mention of best practice is bang on. The subdomains of 
onmicrosoft.com are tenant boundaries and not intended to be used for 
email. Domains should be added, verified and configured properly for 
outbound mail.


I would personally say that you will lose practically no real email by 
rejecting those subdomains completely - and if you get complaints from 
actual M365 tenant customers, point them at the docs.


Graeme


--
===
Russell Clemings

===




Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Russell Clemings via mailop
But
https://learn.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq?view=o365-worldwide
says:

"You can keep using the initial onmicrosoft.com domain even after you add
your domain. It still works for email and other services, so it's your
choice."

... or am I misunderstanding?

I'm tempted to block *.onmicrosoft.com completely but I'm very afraid.

On Sun, Jan 14, 2024 at 5:15 AM Graeme Fowler via mailop 
wrote:

> On 13 January 2024 14:07:46 "L. Mark Stone via mailop" 
> wrote:
>
>> Is there a list of "legitimate" subdomains of onmicrosoft.com somewhere
>> that we can leverage?
>>
>
> Wearing my "I have to administer a Microsoft 365 tenancy" hat - no.
>
> However, your mention of best practice is bang on. The subdomains of
> onmicrosoft.com are tenant boundaries and not intended to be used for
> email. Domains should be added, verified and configured properly for
> outbound mail.
>
> I would personally say that you will lose practically no real email by
> rejecting those subdomains completely - and if you get complaints from
> actual M365 tenant customers, point them at the docs.
>
> Graeme
>


-- 
===
Russell Clemings
===


Re: [mailop] Anyone else noticing an increase in spam from Office365 distribution lists?

2024-01-14 Thread Graeme Fowler via mailop
On 13 January 2024 14:07:46 "L. Mark Stone via mailop"  
wrote:
Is there a list of "legitimate" subdomains of onmicrosoft.com somewhere 
that we can leverage?


Wearing my "I have to administer a Microsoft 365 tenancy" hat - no.

However, your mention of best practice is bang on. The subdomains of 
onmicrosoft.com are tenant boundaries and not intended to be used for 
email. Domains should be added, verified and configured properly for 
outbound mail.


I would personally say that you will lose practically no real email by 
rejecting those subdomains completely - and if you get complaints from 
actual M365 tenant customers, point them at the docs.


Graeme