Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

[Jared Hall via users]

On 1/2/2024 5:24 PM, Thomas Cameron via users wrote:


The problem is, when I send email to presid...@myassociation.org, 
gmail rejects the forwarded email because it appears to come from my 
personal domain, not the mythical myassociation.org domain. DKIM, 
DMARC, and SPF all fail, which I totally understand.


How can I make this work? Is there a good way to use something like 
/etc/aliases to forward emails to the domain I manage to another 
recipient? Or is there something better I can do?




You will probably find that forwarding Emails to most systems, including 
MSN/Live/Hotmail/Outlook and Yahoo/AOL works OK (for now).  But if you 
want Vacation/Out-Of-Office/Autoresponders to work to Gmail addresses, 
you MUST run DKIM on your managed domain.  Even valid SPF alone will NOT 
do.


Implementing DKIM w/ DMARC is a good, if not the best, practice. 
Considering present trends, SPF/DKIM/DMARC Auth-neutral will become the 
new "bad".


I apologize this isn't strictly SA related, I am just hoping someone 
can give me advice or provide I link to follow on how to make this work.


package: opendkim + access to your managed domain's DNS records.


$0.02,

-- Jared Hall

Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

[Greg Troxel]

"Thomas Cameron via users"  writes:

> I built email servers for a non-profit I volunteer for. If email comes
> into the server for presid...@myassociation.org, I would normally just
> create an alias in /etc/aliases so that emails to president@ get
> forwarded to the president's "real" email address, say
> presidents_real_em...@gmail.com.
>
> The problem is, when I send email to presid...@myassociation.org,
> gmail rejects the forwarded email because it appears to come from my
> personal domain, not the mythical myassociation.org domain. DKIM,
> DMARC, and SPF all fail, which I totally understand.

Why does DKIM fail?  You said there is an /etc/aliases alias, but you
did not say that you modified the message.  Basically you should never
modify messages.

> How can I make this work? Is there a good way to use something like
> /etc/aliases to forward emails to the domain I manage to another
> recipient? Or is there something better I can do?

I think the advice to set up IMAP and submission is wise.  I realize
this may be a small non-profit, but company mail belongs on company
servers, and personal mail on personal servers.  With IMAP and
submission, your president can have their outgoing email be
presid...@myassociation.org, DKIM signed, with an SPF record, and even
DMARC.  If someone writes and gets a reply from a random gmail account,
that is at best confusing.

Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

[Andy Smith]

Hi Thomas,

On Tue, Jan 02, 2024 at 04:24:37PM -0600, Thomas Cameron via users wrote:
> I built email servers for a non-profit I volunteer for. If email comes into
> the server for presid...@myassociation.org, I would normally just create an
> alias in /etc/aliases so that emails to president@ get forwarded to the
> president's "real" email address, say presidents_real_em...@gmail.com.

This causes your server to pass on email without changing envelope
sender, so your server is purporting to be whoever the email is
originally from. Any email authentication measure working on the
envelope sender, such as SPF, will then fail, as your server is
indistinguishable from a random host forging the original sender's
domain.

> How can I make this work? Is there a good way to use something like
> /etc/aliases to forward emails to the domain I manage to another recipient?
> Or is there something better I can do?

You need to give up on /etc/aliases for external routing of email
unless you control all the original sender domains and can for
example add your server IPs to its authentication mechanisms (e.g.
SPF).

Since you probably can't do that for any recipient domain that
expects to receive Internet email, you need to either:

- Implement Sender Rewriting Scheme (SRS) so that your server takes
  responsibility for forwarded emails with its own envelope sender.
  https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

Or:

- Have your users collect their your-org email by some means other
  than SMTP, such as running an IMAP server and having them view
  both their gmail mailbox and their your-org inbox in one place (I
  have no idea if that is feasible with gmail).

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

Question about forwarding email (not specifically SA, pointers greatly appreciated)

[Thomas Cameron via users]

Howdy, all -

This is not strictly SpamAssassin related, but y'all probably know where 
to point me to make this work.


I built email servers for a non-profit I volunteer for. If email comes 
into the server for presid...@myassociation.org, I would normally just 
create an alias in /etc/aliases so that emails to president@ get 
forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


The problem is, when I send email to presid...@myassociation.org, gmail 
rejects the forwarded email because it appears to come from my personal 
domain, not the mythical myassociation.org domain. DKIM, DMARC, and SPF 
all fail, which I totally understand.


How can I make this work? Is there a good way to use something like 
/etc/aliases to forward emails to the domain I manage to another 
recipient? Or is there something better I can do?


I apologize this isn't strictly SA related, I am just hoping someone can 
give me advice or provide I link to follow on how to make this work.


Thanks,
Thomas

Re: MS-relayed spam

[Shawn Iverson]

On Tue, Jan 2, 2024 at 3:11 PM Torpey List  wrote:

> I started forwarding full headers and text to "ab...@outlook.com" and
> they
> blocked my IP.
>
>
ab...@outlook.com is for reporting abuse on the freemail
Outlook/Hotmail/MSN platforms, not Microsoft tenants.

https://msrc.microsoft.com/report/

Re: MS-relayed spam

[Torpey List]

I started forwarding full headers and text to "ab...@outlook.com" and they 
blocked my IP.


-Original Message- 
From: David Jones via users

Sent: Tuesday, January 2, 2024 1:07 PM
To: Charles Sprickman
Cc: SA Mailing list
Subject: Re: MS-relayed spam

I would report this to Microsoft Abuse and setup local rules that add a 
point or two something like this:


header BAD_O365_SENDER  X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/

With a threshold of 6.2, you might want to consider either lowering that a 
little or bumping up some default scores for some of the "worse" rules.


Most legit senders should not be using their onmicrosoft.com for their 
primary address but there are a few that I have seen over the years so I 
also have a counter rule to subtract a point or two for specific 
onmicrosoft.com subdomains.


On 1/1/24, 3:29 PM, "Charles Sprickman" > wrote:



EXTERNAL EMAIL: This message originated outside of ENA. Use caution when 
clicking links, opening attachments, or complying with requests. Click the 
"Phish Alert Report" button above the email, or contact MIS, regarding any 
suspicious message.


Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE 



I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit 
more tuned to this kind of abuse


Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is 
using MS' inbound/outbound filtering/relaying for their email, and I'm 
assuming that the company (acquiretm dot com) has compromised account(s) 
being used for spam, and that this type of account is valuable since it's 
relayed through a somewhat "trusted" entity (MS). Stumped on the empty 
envelope from though...


Thanks,
Charles

Full headers inline:


Return-Path: 
Delivered-To: myem...@mydomain.com 
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for mailto:myem...@mydomain.com>>; Mon, 1 Jan 2024 
14:23:33 -0500 (EST)

X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 
10024)
with ESMTP id y8UwjrBjDDCO for >;

Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])

(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for mailto:myem...@mydomain.com>>; Mon, 1 Jan 2024 
14:23:31 -0500 (EST)

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
d=microsoft.com;

s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM 
smtp.helo=mail.acquiretm.com;

dmarc=none action=none header.from=x1r862t.onmicrosoft.com; 

Re: MS-relayed spam

[Bill Cole]

On 2024-01-01 at 16:28:04 UTC-0500 (Mon, 1 Jan 2024 16:28:04 -0500)
Charles Sprickman 
is rumored to have said:


Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse 
me...


 - the empty from envelope, which I thought was more of a "bounce" 
thing


Yes. You can safely reject mail with a null sender that does not meet 
norms for mail-system-generated mail.



 - that it does seem formatted like a bounce


Not in the headers... No one legit sends bounces with "Content-Type: 
text/html" or with In-Reply-To headers without a References header or Cc 
headers.


 - across multiple servers I'm seeing a ton more spam just like this 
the past few weeks coming in via MS


Everyone's spam is unique.

I see some similar stuff at various sites but nothing in the places 
where I can really dig into details. I don't see much null sender spam 
at all. I do see a few cases of $jjunk@$ggarbage.onmicrosoft.com senders 
similar to the From: header in your example, but they are all getting 
caught by SA.


 - I had assumed that MS (or gmail, or any large provider) would be a 
bit more tuned to this kind of abuse


By their own customers? Have you been paying any attention this century?

MS could kill this particular flavor of spam (identifiable by 
correlating patterns in From and other headers) if they wanted to. They 
CHOOSE as a corporation to be a bad neighbor as a matter of unstated 
policy and unconscious strategy. In the same way a junkie chooses their 
dope...


Anyone else seeing this and if so, what mitigations are you doing in 
SA?


In the one place where I save SA-rejected mail, I see nothing with 
"onmicrosoft.com" anywhere except in mail talking about this garbage. On 
a larger system with less retained info I see some similar-ish messages 
but nothing similar with null senders.


I don't see an obvious pattern of SA rule matches in the similar 
messages that are being rejected on the systems I have access to. I also 
see no null senders from MS hosts associated with UUID-like message-Id 
local parts. Hmmm... that might be an interesting rule.


To me, it appears that a company with some kind of on-prem email 
server is using MS' inbound/outbound filtering/relaying for their 
email, and I'm assuming that the company (acquiretm dot com) has 
compromised account(s) being used for spam,


Not sure how you got there...

Everywhere in those headers that I see that domain I also see it 
attributed as the HELO from IP address 193.176.158.140, which has no 
obvious connection to the domain. That IP address is allocated via RIPE, 
but it might be in Russia, Estonia, Hong Kong, or France depending on 
which registration records you think are relevant.


I'd bet that you could get a perfect score sniping that IP address in 
the various MS attribution headers, but that probably will not be useful 
for long.


and that this type of account is valuable since it's relayed through a 
somewhat "trusted" entity (MS). Stumped on the empty envelope from 
though...


I assume that your system is turning <> into ...


Full headers inline:


My first-glance thoughts are embedded below.



Return-Path: 

[internal stuff snipped]
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 
bits))

(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; 
cv=none;

b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
d=microsoft.com;

s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender 
ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM 
smtp.helo=mail.acquiretm.com;

dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
(message not signed); arc=none (0)


Weird that this says the message wasn't signed 

Re: MS-relayed spam

[Matus UHLAR - fantomas]

On 01.01.24 16:28, Charles Sprickman wrote:

Full headers are here as well: https://pastebin.com/wHNmnvtE


neither indicate that the mail was relayes by microsoft.
Isn't this just backscatter, non-delivery notice on fake mail?


I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more 
tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is using MS' 
inbound/outbound filtering/relaying for their email, and I'm assuming that the company 
(acquiretm dot com) has compromised account(s) being used for spam, and that this type of 
account is valuable since it's relayed through a somewhat "trusted" entity 
(MS). Stumped on the empty envelope from though...

Thanks,

Charles


Full headers inline:

Return-Path: 
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for ; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
with ESMTP id y8UwjrBjDDCO for ;
Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com;
dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
(message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=R1X4dpKSgryTH6OLmMzRy/tDWLnQEV8mHOEEtjH+lXKLhUWP1IcSU7ti48ZJoXOksGz7A4+ZbSb5s1wNp2A4dGS+psXMeDNERbCeNVeGFRy/0AfJX4BSO52imrh48OaXFvTjmcrwSondZQkeC2plLlatu2jWPXn+a48T+gCuUZtFOpy6+1OlQqtOhQd5Ork4w7yD6nIicaXcQ4GhpDX1YM6zU02EUOSl+pxEgJj5/WuHvXNbtuTmdsGid1JhRnmIyvR15jGzXHkyrD/KYHw3evZSOV8pJ8EMpUPDEiwdHjDGYt38j/Wwiho5yVfR/zNZa5wELOq9bYgLK0G91JywQA==
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 193.176.158.140)
smtp.helo=mail.acquiretm.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Date: Mon, 01 Jan 2024 20:19:49 +0100
Importance: high
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
X-TOI-MSGID: <1660898088.4bdab4ab9e89d.1704136789...@acquiretm.com>
In-Reply-To: 
<952htcjgcsdxt5hydix5kfocgsan34o2gphcyv...@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; 

Re: MS-relayed spam

[David Jones via users]

I would report this to Microsoft Abuse and setup local rules that add a point 
or two something like this:

header BAD_O365_SENDER  X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/

With a threshold of 6.2, you might want to consider either lowering that a 
little or bumping up some default scores for some of the "worse" rules.

Most legit senders should not be using their onmicrosoft.com for their primary 
address but there are a few that I have seen over the years so I also have a 
counter rule to subtract a point or two for specific onmicrosoft.com 
subdomains. 

On 1/1/24, 3:29 PM, "Charles Sprickman" mailto:sp...@bway.net>> wrote:


EXTERNAL EMAIL: This message originated outside of ENA. Use caution when 
clicking links, opening attachments, or complying with requests. Click the 
"Phish Alert Report" button above the email, or contact MIS, regarding any 
suspicious message.

Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE 


I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more 
tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is 
using MS' inbound/outbound filtering/relaying for their email, and I'm assuming 
that the company (acquiretm dot com) has compromised account(s) being used for 
spam, and that this type of account is valuable since it's relayed through a 
somewhat "trusted" entity (MS). Stumped on the empty envelope from though...

Thanks,
Charles

Full headers inline:


Return-Path: 
Delivered-To: myem...@mydomain.com 
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for mailto:myem...@mydomain.com>>; Mon, 1 Jan 2024 
14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
with ESMTP id y8UwjrBjDDCO for mailto:myem...@mydomain.com>>;
Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for mailto:myem...@mydomain.com>>; Mon, 1 Jan 2024 
14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com;
dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
(message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;