We're seeing hundreds of entries like these in our logs for their
internet domain name:
2023-12-29T07:42:08.028521-08:00 mail01
postfix/policy-spf[118254]: Policy action=PREPEND Received-SPF: none
(csw31.besmartforgoodlife.com: No applicable sender policy available)
receiver=mail01.inter-corporate.com; identity=mailfrom;
envelope-from="alfa4+SRS=X10ap=II=intbl.co.uk=zmciyzxtdk20...@csw31.besmartforgoodlife.com";
helo=DEU01-BE0-obe.outbound.protection.outlook.com; client-ip=52.100.3.205
The SPF records don't exist at all:
https://www.openspf.ca/why.perl?id=nobody%40csw31.besmartforgoodlife.com&ip=52.100.3.205&s=mfrom&r=
The IP address of 52.100.3.205 belongs to Microsoft according to a
query to WHOIS.ARIN.NET, and it's blacklisted in multiple DNSBLs,
including BACKSCATTER, MAILSPIKE, SOLID, and SORBS-IP:
https://www.lumbercartel.ca/tools/rblcheck.pl?q=52.100.3.205
Spamhaus.org has their internet domain name blacklisted, and I
support their decision because it's a spam sewer that's trying to
send to a wide variety of eMail users on different internet domain
names for whom we're providing the hosting eMail:
2023-12-29T07:42:09.772483-08:00 mail01 postfix/smtpd[118253]:
NOQUEUE: reject: RCPT from
mail-be0deu01hn2205.outbound.protection.outlook.com[52.100.3.205]: 554 5.7.1
Service unavailable; Sender address
[alfa4+SRS=X10ap=II=intbl.co.uk=zmciyzxtdk20...@csw31.besmartforgoodlife.com]
blocked using dbl.spamhaus.org;
https://www.spamhaus.org/query/domain/besmartforgoodlife.com;
from=<alfa4+SRS=X10ap=II=intbl.co.uk=zmciyzxtdk20...@csw31.besmartforgoodlife.com>
to=<various-recipie...@example.com> proto=ESMTP
helo=<DEU01-BE0-obe.outbound.protection.outlook.com>
I suspect it will just be a matter of time before Microsoft finds
their whole network blacklisted by multiple DNSBLs. At the present
time I have many users who receive legitimate eMail from their users,
but so far the major DNSBLs are doing a great job of keeping most of
the problem areas at bay.
(Sadly, Microsoft's "DEU01-BE0-obe.outbound.protection.outlook.com"
system isn't providing "outbound protection" even though their
systems' hostname seems to be alluding to this.)
> I think we've finally reached the point where more spam comes from
> Office 365 customers than legitimate and desirable email. Here's just
> ONE spam campaign from Office 365 we pulled logs for today:
> https://mxbin.io/piaQqm
>
> Notice the different subdomains they send from:
>
> *@csw11.besmartforgoodlife.com
> *@csw12.besmartforgoodlife.com
> *@csw13.besmartforgoodlife.com
> *@csw14.besmartforgoodlife.com
> *@csw15.besmartforgoodlife.com
> *@csw16.besmartforgoodlife.com
> *@csw17.besmartforgoodlife.com
> *@csw18.besmartforgoodlife.com
> *@csw19.besmartforgoodlife.com
> *@csw20.besmartforgoodlife.com
> *@csw21.besmartforgoodlife.com
> *@csw22.besmartforgoodlife.com
> *@csw23.besmartforgoodlife.com
> *@csw24.besmartforgoodlife.com
> *@csw25.besmartforgoodlife.com
> *@csw26.besmartforgoodlife.com
> *@csw27.besmartforgoodlife.com
> *@csw28.besmartforgoodlife.com
> *@csw29.besmartforgoodlife.com
> *@csw30.besmartforgoodlife.com
> *@csw31.besmartforgoodlife.com
> *@csw36.besmartforgoodlife.com
> *@csw37.besmartforgoodlife.com
>
> And that's just one campaign, for just one day. At this point, we've
> blacklisted Microsoft IP ranges and we now consider email from them to
> more likely be spam than ham. Our blacklist isn't an outright block, but
> if Microsoft can't get their act together maybe a block is what we all
> need to do collectively. This is worse than the last few years of Gmail
> SEO spam.
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
