9
The Microsoft Problem
Problem reported by Douglas Foster - 3/26/2024 at 1:48 PM
Here is a list of the ways that Microsoft practices are complicating my efforts to disposition messages correctly.  It seems like others should be aware of the problems as well.

  1. Onmicrosoft.* parent domains are not listed in the Public Suffix List used for DMARC.  This can allow one Office365 client to impersonate another, if a DMARC policy is published with relaxed alignment.  Fortunately, SmarterTools has corrected this omission in the list that they embed within SmarterMail.
     
  2. Microsoft ARC Sets cannot be trusted indicators of message verification status.  They sometimes report false PASS, and sometimes false FAIL.    In one recent example, the message actually failed SPF, had no signature, and no DMARC policy, but Microsoft asserted pass for SPF, DKIM, and DMARC.
     
  3. Onmicrosoft.com domains, using Microsoft servers, are regularly used to send spam.  Often the From domain name is obviously computer generated.    Microsoft seems to have no controls in place to prevent this abuse of their servers.
     
  4. Outlook.com DMARC reports are inaccurate, because they send reports based on the message state AFTER going through the client’s spam filter (which breaks SPF).  If the spam filter also adds annotations, the process also breaks DKIM.   If the DMARC policy is “reject”, their report says that the message was rejected.  In my experience, they do not act on the reject result that they report, since the client is configured with a non-Microsoft spam filter.   But getting a “reject” result from an important business partner set off alarms when I saw it.
     
  5. Blind Carbon Copies are supposed to be truly blind, in both the user-visible and internal versions of a message.   To ensure this, organizations are expected to remove the bcc information to prevent unauthorized information disclosure.  (Since BCC should be removed, BCC is not allowed in a DKIM signature’s header list.)   However, Microsoft copies the BCC information into a custom header named X-MS-Exchange-CrossPremises-BCC.  This causes leakage of information that should not be leaked, albeit only in the internal version of the message.   I have contacted two Office365 client organizations to make them aware of the problem, but have received no follow-up from them.
  6. Some Microsoft servers submit a message and then disconnect without waiting for an SMTP response code, but assume that the message was accepted.  Standards-compliant servers will treat the disconnect as a network glitch, discard the message, and wait for the transmission to be repeated.   As a result, the message is lost.  The workaround is for the receiving server to process the message as if the SMTP result code had been sent.   For situations where the problem is a true network glitch, a standards-compliant sender will retransmit the message, and because of the Microsoft workaround, the recipient will receive a duplicated message.
  7. Cell-phone versions of Outlook always connect to a Microsoft server instead of connecting to the clients' autodiscover server.   This routing is not explained to the application user.   This pass-through process means that both credentials and message content are presumably leaked to Microsoft.
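The alignment logic behind point 1, as an added example that is not part of the original post: a minimal organizational-domain computation and DMARC identifier-alignment check, run against a constructed Public Suffix List fragment both with and without onmicrosoft.com listed (tenant names are made up).

```python
"""Added example (not from the forum post): the alignment test behind point 1.

DMARC relaxed alignment compares *organizational* domains, which are derived
from the Public Suffix List (RFC 7489 section 3.2). If onmicrosoft.com is not
on the list, every tenant's organizational domain collapses to onmicrosoft.com.
The PSL fragments and tenant names below are constructed for the demo."""

def organizational_domain(domain: str, psl: set[str]) -> str:
    """Return the public suffix plus one more label (plain suffix rules only;
    PSL wildcard and exception rules are not modelled)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            # Longest matching suffix found; step one label to the left.
            return ".".join(labels[max(i - 1, 0):])
    # No suffix listed: RFC 7489 says treat the rightmost label as the suffix.
    return ".".join(labels[-2:])

def dmarc_aligned(header_from: str, authenticated: str,
                  psl: set[str], mode: str = "r") -> bool:
    """Identifier alignment (RFC 7489 section 3.1) between the RFC5322.From
    domain and the domain that SPF or DKIM actually authenticated.
    mode 'r' = relaxed (adkim=r / aspf=r), 's' = strict."""
    hf, au = header_from.lower(), authenticated.lower()
    if mode == "s":
        return hf == au
    return organizational_domain(hf, psl) == organizational_domain(au, psl)

# Constructed PSL fragments; the real list lives at https://publicsuffix.org
PSL_WITHOUT_ONMICROSOFT = {"com"}
PSL_WITH_ONMICROSOFT = {"com", "onmicrosoft.com"}

def impersonation_passes(psl: set[str], mode: str = "r") -> bool:
    """Tenant B sends mail that SPF/DKIM authenticates as tenant-b.onmicrosoft.com
    but carries tenant A's address in From:. True means DMARC treats the two
    identifiers as aligned, i.e. the impersonation is not caught."""
    return dmarc_aligned("tenant-a.onmicrosoft.com",
                         "tenant-b.onmicrosoft.com", psl, mode)

if __name__ == "__main__":
    print(impersonation_passes(PSL_WITHOUT_ONMICROSOFT))       # True
    print(impersonation_passes(PSL_WITH_ONMICROSOFT))          # False
    print(impersonation_passes(PSL_WITHOUT_ONMICROSOFT, "s"))  # False
```

Strict alignment closes the gap regardless of the list, which is why a tenant that must publish relaxed alignment depends on its receivers carrying a corrected suffix list.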

17 Replies

0
John C. Reid Replied
I don't know if you have seen this or not Douglas, but we have also observed more than one of their IP addresses on RBL lists. I can't remember which one off the top of my head, but it was a large list like Spamcop. We have seen this recently and multiple times.

Of course end users just can't understand why they don't get the email from the sender using MS365. I mean Microsoft can't be doing anything wrong, so it must be my provider doing something wrong in not delivering the message, right? (I would have tagged the previous sentence sarcasm, except that is actually, exactly what the perception from end users tends to be.)
John C. Reid / Technology Director John@prime42.net / (530) 691-0042 1300 West Street, Suite 206, Redding, CA 96001
1
Linda Pagillo Replied
Hey guys! 

I have been seeing a lot of what John is seeing. Spam coming from MS IPs.

Also Doug, I have reached out to our Microsoft specialists to see if I can get any further info about these things.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
1
Douglas Foster Replied
All of the spam coming from computer-generated *.onmicrosoft.com domains should put their addresses on the RBL lists.  I block everything from *.onmicrosoft.com except for two domains that are known business partners.
2
AWRData Replied
It seems to me there should be no emails coming from onmicrosoft.com domains, as these are tenant internal AD aliases.  Therefore, I see no problem blocking them.
2
Linda Pagillo Replied
AWR.. I have seen plenty of MS customers actually use the onmicrosoft.com domain as their main email domain. This is why I'm not blocking them. Should they be using it? Not really. But they do :(
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
1
@Douglas, I would consider sending that list, especially #5, over to "Bleeping Computer" and have them write up a little article about it. THAT might get MS attention. 

www.HawaiianHope.org - Providing technology services to non-profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 Computers!
1
Douglas Foster Replied
Update Weds April 3, 2024
Added bullet points 6 and 7 to the list, for completeness, even though they have been discussed previously on this forum:
#6: Microsoft servers do not always wait for SMTP result code when submitting a message
#7: Some Outlook implementations leak credentials and data to Microsoft.
0
John C. Reid Replied
Microsoft announced at least a couple years ago that #7 would be for all clients in the future. I think this may have already happened. There was a blog post here on the SmarterTools website about it. I have seen some behavior from a few of my clients that use the MS365 version of Outlook that would suggest it is already doing a proxy through Microsoft servers rather than directly connect to the mail server. In fact it was just a few months back I noticed Microsoft owned IPs connecting via POP3 and IMAP to my server.
John C. Reid / Technology Director John@prime42.net / (530) 691-0042 1300 West Street, Suite 206, Redding, CA 96001
2
AWRData Replied
John is correct.  While I have not seen these blog posts, I can confirm that over the past couple of months, all autodiscover traffic (mostly EAS) I have been troubleshooting for customers, and my family's Windows Mail/New Outlook IMAP traffic, has been coming from Microsoft.  I have not yet seen this with Outlook proper (2016-2021), but I suspect it is coming.

I am encouraging my customers' IT to look into K9 Mail for Android and alternative IMAP clients for Windows, such as Thunderbird.

It has been 20 years since the Microsoft Love In of the 2000s, with which came free copies of dotNet development kits, Windows XP, Office 2003, and Server 2003, free TS2 seminars, TechNet subs and MAPS.  We all got on-board the Microsoft train and here we are: Governor Tarkin now runs the rails of technology and the grasp is tightening.
0
Montague WebWorks Replied
Here are the headers. I'm now getting these in threes and fours a day for "services."

Really wish I could set a server-wide Content Filter on these people.

Mik

Return-Path: <bounces+SRS=ACEEK=ML@Hayesinternational.onmicrosoft.com>
Received: from GBR01-CWX-obe.outbound.protection.outlook.com (mail-cwxgbr01on2109.outbound.protection.outlook.com [40.107.121.109]) by mail.montaguewebworks.com with SMTP
	(version=TLS\Tls12
	cipher=Aes256 bits=256);
   Wed, 8 May 2024 11:23:45 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=f+8E+JG5CJ1WT4m6hMiGBSnyyynCHG+D4MOzkqPiV/8mODBNUU8CFx+hCsB4Bi99598LN4tbNKJiNaW+bXeoGvlKHO20pjtmAVTtXFVRGMZQRTkedjhagJvFA1OH361ZZMSV2e+GZVOprigURMTP4VvYJ3rkpyd/l67o1yO72S8eolxPkd+v0lI2hspNSPz4LkFIYZkvpIPh+CxQx1yGLBt6oTmAg2GC2SchpuPhB0d08WKftn8lM/rG285MBVTIsrbrUsnwdJthjY2ap+5lwX51HAbVjLtbFWueGrh8cAR0ktC7/RTIsJTtTt/iPXSCOnwFPPC4gBh483v2tyBKdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=0GlIR2rpA4/IST6O40GppvMoCehRRkzKNMD755tTN/U=;
 b=jkW468Yjb6GV5nQd1oOj2dkxZqNCnTaZEAVmnenPs0k2VdEEidiZ3Yz/lG9iVNxjokwCmCsPhtjuEOPXN3XMbdfsRdZ3eJHPPY0HIqbUVB9GAYPnXpaRoGKWrHuRBUJuSqJ3sZHKJIDs7llgsiAHfnh5QOTHkedd9vKpAotc7jMVAxxfiqeel7x8pioit+eSnXcOficrWnuBaZN843JQ39lbh68lEZQPWwvVFTXSBOXyaa4PJIfpM1wu7YmqhVpxQ7X0kr//YSqW3Sl3jZzJcM52lLgYuwm/6ap1lk9bM33ejTwUQbEZuqd4cU5LcommmaIYXH0z9fS0xiJKTODHZA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 104.130.122.55) smtp.rcpttodomain=hayesinternational.onmicrosoft.com
 smtp.mailfrom=post.xero.com; dmarc=pass (p=reject sp=none pct=100)
 action=none header.from=post.xero.com; dkim=pass (signature was verified)
 header.d=post.xero.com; arc=none (0)
Received: from LO6P123MB6552.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:2b8::5)
 by LO9P123MB8045.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:3e8::12) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.45; Wed, 8 May
 2024 15:23:41 +0000
Received: from CWXP123MB4791.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:122::8)
 by LO6P123MB6552.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:2b8::5) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.45; Wed, 8 May
 2024 15:21:38 +0000
Received: from CWXP123MB4791.GBRP123.PROD.OUTLOOK.COM
 ([fe80::cbe4:667a:8b80:42c7]) by CWXP123MB4791.GBRP123.PROD.OUTLOOK.COM
 ([fe80::cbe4:667a:8b80:42c7%3]) with mapi id 15.20.7544.041; Wed, 8 May 2024
 15:21:38 +0000
Received: from LO2P265CA0400.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:f::28) by
 LO0P123MB6878.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:30b::9) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.7544.42; Wed, 8 May 2024 15:20:10 +0000
Received: from LO1PEPF000028CD.GBRP265.PROD.OUTLOOK.COM
 (2603:10a6:600:f:cafe::53) by LO2P265CA0400.outlook.office365.com
 (2603:10a6:600:f::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.41 via Frontend
 Transport; Wed, 8 May 2024 15:20:10 +0000
Authentication-Results: spf=pass (sender IP is 104.130.122.55)
 smtp.mailfrom=post.xero.com; dkim=pass (signature was verified)
 header.d=post.xero.com;dmarc=pass action=none header.from=post.xero.com;
Received-SPF: Pass (protection.outlook.com: domain of post.xero.com designates
 104.130.122.55 as permitted sender) receiver=protection.outlook.com;
 client-ip=104.130.122.55; helo=a5.email.post.xero.com; pr=C
Received: from a5.email.post.xero.com (104.130.122.55) by
 LO1PEPF000028CD.mail.protection.outlook.com (10.167.240.37) with Microsoft
 SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7544.18
 via Frontend Transport; Wed, 8 May 2024 15:20:10 +0000
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=post.xero.com; q=dns/txt; s=mailo; t=1715181610; x=1715188810;
 h=Message-Id: reply-to: To: To: From: From: Subject: Subject: Content-Type: Mime-Version: Date: Sender: Sender;
 bh=0GlIR2rpA4/IST6O40GppvMoCehRRkzKNMD755tTN/U=;
 b=XV6oSHM3Vj95MStGpmUgZ+p6HtLB/b8ahPTYJ1MGACCatusowDCqerxqF+LDc8A/n5C/sI7eADdANQnobvPMlIzALjpo4eNMQs5HT/F4mb8shPrJGo5/4oIuHtq3h6xSm+IwPHK+8cegb/LM1E9O9DRy4qO8oQf29cwKDnlPg10=
X-Mailgun-Sending-Ip: 104.130.122.55
X-Mailgun-Sid: WyJlOGZmYiIsImNvbmZpcm1hdGlvbkBoYXllc2ludGVybmF0aW9uYWwub25taWNyb3NvZnQuY29tIiwiMTc4ODMiXQ==
Received: from <unknown> (<unknown> []) by 686bd7cb36ed with HTTP id
 663b9824d475713b1d046a17; Wed, 08 May 2024 15:20:04 GMT
Sender: messaging-service@post.xero.com
Date: Wed, 08 May 2024 15:20:04 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="e4ea0882fe0348a0f12b93d2619cf9d7a6c37905668269c1dc98e4782abd"
Subject: Your Order Confirmation is Here!
From: Hayes Lotus <messaging-service@post.xero.com>
To: Confirmation@hayesinternational.onmicrosoft.com
X-Mailgun-Tag: xeromailenvironment-live
X-Mailgun-Tag: invoices-invoice
X-Mailgun-Track-Opens: true
X-Mailgun-Track-Clicks: false
X-Mailgun-Variables: {"xero-messageId":"2831710785","xero-parentMessageId":""}
Reply-To: HayesLotus@hayesinternational.onmicrosoft.com
X-Mailgun-Sending-Ip-Pool: 6371656ed503704fb71db430
Message-ID: <20240508152004.d40ea3f64456e56c@post.xero.com>
Return-Path: bounce+862f50.17883-Confirmation=hayesinternational.onmicrosoft.com@post.xero.com
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 55181bd0-5664-478f-b303-f9229d9c388d:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: LO1PEPF000028CD:EE_|LO0P123MB6878:EE_|LO6P123MB6552:EE_|LO9P123MB8045:EE_
X-MS-Office365-Filtering-Correlation-Id: f0b1850a-b93a-4fdd-a1b3-08dc6f7259fd
X-Moderation-Data: 5/8/2024 3:21:37 PM
X-LD-Processed: 55181bd0-5664-478f-b303-f9229d9c388d,ExtAddr,ExtAddr
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230031|376005|34036007|7416005|48200799009|41320700004|61400799018|586008|102250200017;
X-Forefront-Antispam-Report: CIP:104.130.122.55;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:a5.email.post.xero.com;PTR:a5.email.post.xero.com;CAT:NONE;SFS:(13230031)(376005)(34036007)(7416005)(48200799009)(41320700004)(61400799018)(586008)(102250200017);DIR:OUT;SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-OriginatorOrg: Hayesinternational.onmicrosoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f0b1850a-b93a-4fdd-a1b3-08dc6f7259fd
X-MS-Exchange-CrossTenant-Id: 55181bd0-5664-478f-b303-f9229d9c388d
X-MS-Exchange-CrossTenant-AuthSource: LO1PEPF000028CD.GBRP265.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 May 2024 15:21:38.4483
 (UTC)
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: LLJga7yqmvoUpeCBabcBKKQ9Su6ZObQ2RmqEBLK6NmRbCQyGGoBMzFUBPQzdD/7LEoLgx6jAX7Gc/7onrqB57+JvJYL6WlVJpljj5xG83UMP+w5NTOOtHzKh7SRFbvbmKk/9j2MYDK/v1MeEQKTERE2I+A5GVN0GC1DVBGH6MAkZ8gvjacHUeozq/JAHYHuZ+C94djLky+Tgq1Rid80ZRrNXr7KTnDw9y8xc5XyAJndnGC9ici6eqjOVMdb36fum
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO9P123MB8045
X-Declude-Sender: bounces+SRS=ACEEK=ML@Hayesinternational.onmicrosoft.com [40.107.121.109]
X-Declude-Spoolname: 71128434.eml
X-Declude-RefID: 
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [-2] at 11:23:57 on 08 May 2024
X-Declude-Tests: MAILSPIKE-H2 [-2], DNSWL [-5], SPFPASS [-1], FROMNOMATCH [2], HAM-INDICATOR [-3], FILTER-BULK [4], ISP-HOTMAIL [3]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: f
X-HELO: GBR01-CWX-obe.outbound.protection.outlook.com
X-Identity: 40.107.121.109 | mail-cwxgbr01on2109.outbound.protection.outlook.com | Hayesinternational.onmicrosoft.com
X-ForwardingAddress: info@montaguewebworks.com
X-OriginalSender: bounces+SRS=ACEEK=ML@Hayesinternational.onmicrosoft.com
X-Rcpt-To: <info@montaguewebworks.com>
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: -2, SURRIEL: 0, HOSTKARMA-BLACK: 0, BARRACUDA: 0, GBUDB: 0, SPAMCOP: 0, MCAFEE: 0, MAILSPIKE: 0, ZEN: 0, DMARC [skipped - DMARC Disabled]: 0, Message Sniffer [code:0]: 0, ISpamAssassin [raw:0.4]: 1, DKIM [Pass]: 0, Declude: -2
X-SmarterMail-FoundTracker: mailgun | Mailgun
X-SmarterMail-TotalSpamWeight: -3
X-SmarterMail-SpamAction: None | NoAction
Mik Muller / Montague WebWorks
2
kevind Replied
Reading this thread and have a question regarding point #3 -- onmicrosoft.com domains are regularly used to send spam.  Agree 100% -- we see hundreds of these spam messages per day.

Some posts say they block everything from *.onmicrosoft.com. So my question: How do you do that? We can add points to these messages so they go into Junk folder, but is there a way to block them at the SMTP level?

Thanks in advance!
1
Douglas Foster Replied
Depends on your toolkit.  I embraced Declude a long time ago and use it instead of SmarterMail features.
The beauty of Declude (and its successor Declude Reboot) is that it provides a rules engine.  Even better, it is nearly free.  I don't say entirely free because I encourage use of MailsBestFriend services as needed to be successful.   

To generalize Declude slightly, I can create a test definition of this form:

    MSTEST = True if filter score = 3

where filter score is computed using a text file like this:

MAILFROM 1 ENDSWITH onmicrosoft.com
MAILFROM 1 NOTCONTAINS client1.onmicrosoft.com
MAILFROM 1 NOTCONTAINS client2.onmicrosoft.com

Declude also allows me to compute a test result without acting on it, which is a powerful tool for data collection on new ideas, without risking one's job when the idea turns out to be flawed.

As a second step, you optionally define an action, such as one of the following:

  • If MSTEST = True, then Delete the message
  • If MSTEST = True, then Copy the message to a special quarantine folder for manual review
  • If MSTEST = True, then Add a header to the message (so that a downstream program can put it into quarantine)
I mostly use the Add Header option to send the message to my downstream Barracuda appliance.   The Barracuda product is imperfect, but it has a pretty good message review tool, good content filtering, and it is relatively inexpensive.  I also use Declude custom scripts to store message attributes data into a SQL database. My database provides more flexible analysis than what Barracuda provides.

2
kevind Replied
@Douglas, thanks for the detailed reply! Not currently running Declude, but might need to give it a try.

In the meantime, does anyone know how to block spam from *.onmicrosoft.com using SmarterMail?

If there was a way to score "No DMARC record found" that would be helpful as you could assign points.
1
Brian Bjerring-Jensen Replied
IN Antispam settings.

0
Brian Bjerring-Jensen Replied
I use this for blocking domains.

0
Douglas Foster Replied
This solution uses Custom Filter rules based on the "FROM address CONTAINS".   I think it will be sufficient for the current attack patterns.  We don't seem to have a way to do a custom filter on the SMTP Mail From address.

Bad Guys Filter:
Custom Filter, using Header, Header Name = From, 
match type = contains
match multiple = off (not that it matters, since there is only one value) 
value = "onmicrosoft.com", 
weight = 100, Spool Filtering ON.

Good Guys Filter:
Custom Filter, using Header, Header Name = From, 
match multiple = off (match one and add the weight, then move on without evaluating other lines) 
value = "goodguy1.onmicrosoft.com", "goodguy2.onmicrosoft.com","goodguy3.onmicrosoft.com"
weight = -100, Spool Filtering ON.

(Plan for exceptions, even if you don't have any right now.)
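An added worked model of the two blocking approaches in this thread (the Declude-style MAILFROM test described earlier and the SmarterMail From-header custom filters just above), not Declude's or SmarterMail's own code or syntax engine; the rule text, tenant names and sample messages are constructed for the demo.

```python
"""Added example (not from the forum, and not Declude's or SmarterMail's code):
a toy model of the two onmicrosoft.com filters described in this thread.
Part 1 mirrors the Declude-style MAILFROM test on the envelope sender; part 2
mirrors the SmarterMail custom header filters on From:. All data is constructed."""
from email import message_from_string

# Declude-style filter file from the earlier post: FIELD WEIGHT OPERATOR VALUE.
# MSTEST fires when the summed score equals 3.
DECLUDE_RULES = """\
MAILFROM 1 ENDSWITH onmicrosoft.com
MAILFROM 1 NOTCONTAINS client1.onmicrosoft.com
MAILFROM 1 NOTCONTAINS client2.onmicrosoft.com
"""
MSTEST_THRESHOLD = 3

def declude_score(mail_from: str, rules: str = DECLUDE_RULES) -> int:
    """Sum the weights of the MAILFROM rules that match an envelope sender."""
    addr = mail_from.strip("<>").lower()
    score = 0
    for line in rules.splitlines():
        if not line.strip():
            continue
        field, weight, op, value = line.split(None, 3)
        if field != "MAILFROM":
            continue  # only envelope-sender rules are modelled here
        value = value.lower()
        matched = {"ENDSWITH": addr.endswith(value),
                   "CONTAINS": value in addr,
                   "NOTCONTAINS": value not in addr}[op]
        if matched:
            score += int(weight)
    return score

def mstest(mail_from: str) -> bool:
    """True for *.onmicrosoft.com senders that are not an allow-listed tenant."""
    return declude_score(mail_from) == MSTEST_THRESHOLD

# SmarterMail-style custom filters from the later post: (header, values, weight).
# "match multiple = off": the first matching value adds the weight, the rest skip.
HEADER_FILTERS = [
    ("From", ["onmicrosoft.com"], 100),                   # Bad Guys filter
    ("From", ["goodguy1.onmicrosoft.com", "goodguy2.onmicrosoft.com",
              "goodguy3.onmicrosoft.com"], -100),          # Good Guys filter
]

def header_filter_weight(raw_message: str, filters=HEADER_FILTERS) -> int:
    """Total spam weight the custom filters add to one message."""
    msg = message_from_string(raw_message)
    total = 0
    for header, values, weight in filters:
        header_value = (msg.get(header) or "").lower()
        for needle in values:
            if needle.lower() in header_value:
                total += weight
                break  # match multiple = off
    return total

# Constructed sample messages (headers only).
SPAM = "From: Invoice <noreply@xk3j9q.onmicrosoft.com>\nSubject: Your order\n\nbody\n"
PARTNER = "From: Pat <pat@goodguy1.onmicrosoft.com>\nSubject: Q2 report\n\nbody\n"

if __name__ == "__main__":
    print(mstest("bounces@xk3j9q.onmicrosoft.com"), header_filter_weight(SPAM))   # True 100
    print(mstest("pat@client1.onmicrosoft.com"), header_filter_weight(PARTNER))  # False 0
```

The two scores differ in what they inspect: the Declude test sees the SMTP MAIL FROM, while the header filters only see the From: header, which is why the thread notes the custom filters cannot act on the envelope sender.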
2
kevind Replied
@Brian, thanks for the screenshots. Yes, I see the DMARC setting, but think it needs to be more flexible, like assign points if "No DMARC record found" which is the case with much of this spam.

@Douglas, thanks for the custom filters. We're doing something similar now, but with low scores. As you said, there's a decent amount of legit email that comes thru these .onmicrosoft.com domains.

Have a nice weekend,
Kevin
