Re: MS-relayed spam

2024-01-02 Thread Torpey List
I started forwarding full headers and text to "ab...@outlook.com" and they 
blocked my IP.


-Original Message- 
From: David Jones via users

Sent: Tuesday, January 2, 2024 1:07 PM
To: Charles Sprickman
Cc: SA Mailing list
Subject: Re: MS-relayed spam

I would report this to Microsoft Abuse and set up local rules that add a 
point or two, something like this:


header BAD_O365_SENDER  X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/
score  BAD_O365_SENDER  1.5

With a threshold of 6.2, you might want to consider either lowering that a 
little or bumping up some default scores for some of the "worse" rules.


Most legit senders should not be using their onmicrosoft.com for their 
primary address but there are a few that I have seen over the years so I 
also have a counter rule to subtract a point or two for specific 
onmicrosoft.com subdomains.


On 1/1/24, 3:29 PM, "Charles Sprickman" wrote:





Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE 



I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit 
more tuned to this kind of abuse


Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is 
using MS' inbound/outbound filtering/relaying for their email, and I'm 
assuming that the company (acquiretm dot com) has compromised account(s) 
being used for spam, and that this type of account is valuable since it's 
relayed through a somewhat "trusted" entity (MS). Stumped on the empty 
envelope from though...


Thanks,
Charles

Full headers inline:


Return-Path: <>
Delivered-To: myem...@mydomain.com 
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for <myem...@mydomain.com>; Mon, 1 Jan 2024 
14:23:33 -0500 (EST)

X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 
10024)
with ESMTP id y8UwjrBjDDCO for <myem...@mydomain.com>;

Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])

(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for <myem...@mydomain.com>; Mon, 1 Jan 2024 
14:23:31 -0500 (EST)

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
d=microsoft.com;

s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM 
smtp.helo=mail.acquiretm.com;

dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=n
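Added example (editor's, not from any message in this thread): a Python triage script that unfolds a header block like the one Charles posted and pulls out the signals discussed above: the empty Return-Path, what Microsoft's ARC-Authentication-Results recorded for SPF and DMARC, the connecting IP and HELO name, and whether the From domain is a bare onmicrosoft.com tenant. It also mirrors David's BAD_O365_SENDER header rule together with the counter-rule he describes for specific tenants but does not show. The sample header block is constructed from the quoted headers with placeholder addresses; the X-OriginatorOrg value, the From local-part and the KNOWN_GOOD_TENANTS allow-list are assumptions.

```python
import re

# Constructed sample modelled on the headers quoted in the thread above. The
# X-OriginatorOrg value and the From local-part are assumptions (neither is in
# the truncated quote), and the address/domain placeholders are ours.
SAMPLE_HEADERS = """\
Return-Path: <>
Delivered-To: user@mydomain.example
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
 (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
 by mail.mydomain.example (Postfix) with ESMTPS id 731A6CCE43
 for <user@mydomain.example>; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
 193.176.158.140) smtp.rcpttodomain=mydomain.example smtp.helo=mail.acquiretm.com;
 dmarc=none action=none header.from=x1r862t.onmicrosoft.com
X-OriginatorOrg: x1r862t.onmicrosoft.com
From: <a1b2c3@x1r862t.onmicrosoft.com>

(body omitted)
"""


def parse_headers(raw):
    """Unfold RFC 5322 headers into an ordered list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # the blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]  # continuation line of the previous field
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def first_header(headers, name):
    """Topmost instance of a header, i.e. the one added closest to you."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def parse_auth_results(value):
    """Extract method results and the properties we care about from an
    Authentication-Results style value such as
    'spf=none (sender ip is 1.2.3.4) smtp.helo=x; dmarc=none header.from=y'."""
    ip = re.search(r"sender ip is ([0-9a-fA-F.:]+)", value)
    uncommented = re.sub(r"\([^)]*\)", "", value)   # drop (...) comments
    methods = dict(re.findall(r"\b(spf|dkim|dmarc|arc)=([a-z]+)", uncommented))
    props = dict(re.findall(r"\b((?:header|smtp)\.\w+)=([^\s;]+)", uncommented))
    return {"methods": methods, "props": props, "sender_ip": ip.group(1) if ip else None}


ONMICROSOFT_RE = re.compile(r"\.onmicrosoft\.com$", re.IGNORECASE)

# Hypothetical allow-list for the counter-rule: tenants you have confirmed do
# send legitimate mail from their onmicrosoft.com domain. Placeholder value.
KNOWN_GOOD_TENANTS = {"contoso.onmicrosoft.com"}


def o365_tenant_hits(originator_org, known_good=KNOWN_GOOD_TENANTS):
    """Mirror of the posted BAD_O365_SENDER rule plus a counter-rule that
    subtracts the points again for specific known-good tenants."""
    hits = {}
    if originator_org and ONMICROSOFT_RE.search(originator_org):
        hits["BAD_O365_SENDER"] = 1.5
        if originator_org.lower() in known_good:
            hits["GOOD_O365_TENANT"] = -1.5
    return hits


def triage(raw):
    """Summarise the signals discussed in the thread for one raw header block."""
    headers = parse_headers(raw)
    return_path = (first_header(headers, "Return-Path") or "").strip()
    auth = parse_auth_results(first_header(headers, "ARC-Authentication-Results") or "")
    header_from = auth["props"].get("header.from", "")
    hits = o365_tenant_hits(first_header(headers, "X-OriginatorOrg"))
    return {
        "null_sender": return_path == "<>",       # bounce-style empty MAIL FROM
        "spf": auth["methods"].get("spf"),
        "dmarc": auth["methods"].get("dmarc"),
        "sender_ip": auth["sender_ip"],
        "helo": auth["props"].get("smtp.helo"),
        "header_from_domain": header_from,
        "onmicrosoft_from": bool(ONMICROSOFT_RE.search(header_from)),
        "rule_hits": hits,
        "added_score": round(sum(hits.values()), 3),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS).items():
        print(f"{key:>19}: {val}")
```

Run it as a script to see the summary for the sample, or call triage() on the full header block pasted from a suspect message. The regexes only pull out the handful of fields the thread talks about (SPF/DMARC result, sender IP, HELO, header.from); the tenant scoring is a plain-Python stand-in for the SpamAssassin rule pair, not a replacement for it.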

Re: Help me waste spammers resources

2015-06-22 Thread Torpey List

What if I am already using mxbackup1.junkemailfilter.com?

From: Marc Perkel 
Sent: Friday, June 19, 2015 2:41 PM
To: users@spamassassin.apache.org 
Subject: Help me waste spammers resources


I found a great trick for wasting spammers' resources and getting them 
blacklisted that I'd like to share with all of you.


On my main spam filtering servers I advertise authenticated login even 
though I don't actually have any authenticated users. Anyone who tries 
to authenticate is a spammer.


I accept all passwords as good and we accept the email which is then 
added to my black list and I then ship copies of the spam off to all my 
spam filtering partners who use it to add to their black lists. And I'm 
wasting a lot of their resources absorbing spam that just isn't being 
delivered.


Just last week on my main good email processing server I accepted 
37,232,709 spams.


So - this works. I encourage others to do the same thing. Or - you can 
just help me do it.


If you have domains you are filtering, just add this as your highest 
numbered MX record.


tarbaby.junkemailfilter.com

or you can CNAME to it if you want.

And I'll absorb the spam for you as they hack my servers, and that's spam 
you don't have to process.


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
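Added example (editor's, not Marc's code): a minimal SMTP session state machine in Python that does what the post describes. It advertises AUTH PLAIN and LOGIN on EHLO, accepts whatever credentials are offered, takes the message, replies as if it were queued, and records the client IP for a blocklist instead of delivering anything. It is deliberately network-free: you feed it the client's lines and get the server's reply lines back, so the conversation can be checked offline. The hostname, the scripted client, the IPs and the made-up credentials are all constructed; wrap the session class in a socket or asyncio server yourself to run it on a real port.

```python
import base64


def b64(text):
    return base64.b64encode(text.encode()).decode()


def b64decode(text):
    try:   # garbage from the client decodes to "" instead of ending the session
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


class AuthTrap:   # state shared by all sessions on the trap host
    def __init__(self):
        self.blocklist = set()   # client IPs that attempted AUTH: there are no real users
        self.captured = []       # (ip, creds, body) of everything "accepted", to pass on


class AuthTrapSession:   # one SMTP conversation; feed(line) returns the reply lines
    def __init__(self, trap, client_ip, hostname="mx.trap.example"):
        self.trap, self.ip, self.hostname = trap, client_ip, hostname
        self.creds, self.pending_auth, self.username = None, None, None
        self.in_data, self.data_lines = False, []

    def feed(self, line):
        if self.in_data:
            return self._data_line(line)
        if self.pending_auth:
            return self._auth_continue(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":   # advertise AUTH although nobody can legitimately use it
            return [f"250-{self.hostname}", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]
        if verb == "AUTH":
            return self._auth_start(arg)
        if verb in ("MAIL", "RCPT"):   # take any envelope; it is never delivered
            return ["250 2.1.0 OK"]
        if verb == "DATA":
            self.in_data = True
            return ["354 End data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Command not implemented"]

    def _auth_start(self, arg):
        self.trap.blocklist.add(self.ip)   # any AUTH attempt at all marks the client
        mech, _, initial = arg.partition(" ")
        if mech.upper() == "PLAIN":   # the initial response may ride on the AUTH line
            self.pending_auth = None if initial else "PLAIN"
            return self._accept_plain(initial) if initial else ["334 "]
        if mech.upper() == "LOGIN":
            self.pending_auth = "LOGIN-USER"
            return ["334 " + b64("Username:")]
        return ["504 5.5.4 Unrecognized authentication type"]

    def _auth_continue(self, line):
        stage, self.pending_auth = self.pending_auth, None
        if line.strip() == "*":
            return ["501 5.7.0 Authentication aborted"]
        if stage == "PLAIN":
            return self._accept_plain(line)
        if stage == "LOGIN-USER":
            self.username = b64decode(line)
            self.pending_auth = "LOGIN-PASS"
            return ["334 " + b64("Password:")]
        return self._accept(self.username, b64decode(line))   # stage LOGIN-PASS

    def _accept_plain(self, blob):
        parts = b64decode(blob).split("\0")   # authzid NUL authcid NUL password
        user, pwd = (parts[1], parts[2]) if len(parts) == 3 else (parts[0], "")
        return self._accept(user, pwd)

    def _accept(self, user, pwd):
        self.creds = (user, pwd)   # every password is "correct" by design
        return ["235 2.7.0 Authentication successful"]

    def _data_line(self, line):
        if line == ".":
            self.in_data = False
            body, self.data_lines = "\n".join(self.data_lines), []
            self.trap.captured.append((self.ip, self.creds, body))
            return ["250 2.0.0 OK: queued"]   # a lie: nothing is ever delivered
        self.data_lines.append(line[1:] if line.startswith(".") else line)  # un-stuff
        return []


def run_dialogue(trap, client_ip, client_lines):   # drive one session with a scripted client
    session = AuthTrapSession(trap, client_ip)
    replies = [f"220 {session.hostname} ESMTP"]
    for line in client_lines:
        replies.extend(session.feed(line))
    return replies


SCRIPTED_SPAMMER = [   # constructed client: made-up credentials, bounce-style empty MAIL FROM
    "EHLO spam-sender.example", "AUTH PLAIN " + b64("\0bob\0hunter2"), "MAIL FROM:<>",
    "RCPT TO:<victim@mydomain.example>", "DATA", "Subject: hi", "", "..dot", "buy now", ".", "QUIT"]
```

Two things to keep in mind if you deploy something like this. The credentials a bot offers are frequently stolen from real users, so treat the captured username/password pairs as sensitive data rather than as a curiosity. And a client that speaks to the trap MX without ever trying AUTH is not marked by this code; only the authentication attempt is the signal the post relies on.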