Massive spam from protection.outlook.com
Daniel Nashed – 15 February 2022 17:39:16
This has been bugging me for a couple of days. The messages are coming from many different hosted domains with a valid SPF record pointing to
v=spf1 include:spf.protection.outlook.com -all
The content is really bad SPAM in my case. And my AntiSpam settings are not preventing them from coming in, because most of the elements in those mails are OK.
Besides the content itself ...
I will probably change some key words and I also noticed that all those mails have no Mailer set. But this is also true for other e-mail I receive.
It is even worse! The messages are properly DKIM signed by Microsoft.
Grey listing and other techniques will not help. The mails are properly sent and will be resent if delayed.
Asking someone at Microsoft will probably not help. I am not even sure they would take my call or read my mail.
I can't block outbound.protection.outlook.com completely. That's an issue with a large provider...
So I am looking into options for monitoring my SMTP traffic very carefully ..
Is anyone else seeing spam like this?
Does your antispam catch it?
-- Daniel
Received: from CHE01-GV0-obe.outbound.protection.outlook.com ([52.100.1.208])
by notes.nashcom.de (HCL Domino Release 12.0.1)
with ESMTP id 2022021517062021-365 ;
Tue, 15 Feb 2022 17:06:20 +0100
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=IerYTU3cWysfGyYtnUDlxy+IJOlBUzPw3q0yqWAhZ2vzL9KKDw27Sx0fXkmiqqgBmtdTbH/gL7PxdbuTGmO/xanQSDUIGDGcNg/LJSS8YOCzs82YZwqt0wprLBd7Zc5F0fLDwDq3BQrZ0XxrRcr1p4lJKN6LSS6fRI0mMwoBNYaz5GHlg8cI+ZlcL9CMa1TgwvP9LtkGYi8DpJ75Z4sDaDVQZwvbqjD9U1ir2kwuMOG7azQCfI5VElP5QOnVCZ4RBOqsl0NlG/M385IVavtPmTEXtn2mp+a861LmZVzl/LWS4MzKu+9wo3s/uWuTTs42WNCgBG+256O415l8m2Jg0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=vTtpajShdz8mtJihnscvo2NSt0psoksSv0NqQjaN2qA=;
b=FzOzo0vCfjugObOPMmYBeWWZYbP3/SZa87Z0iaXeFy867530qf/ja5Gu+prpTIpTszzPrxpl1nlARzeYYjbKF+3s5Q2F86IKG/dozToktcIT0xuLKxnVjN1B3RxvR0qWZ5/iOPbrMCFAG+oWzif95IyX+kaKlhvFafWAUFEFSdCjzWhdO3P1sliw2bOsktPUOB5JW3mN60kZ/Ve2eGiCVLB9qkF9RMzWTEv31VUk8AUEK1UzGt2oduxFe8aI4TAeFyeuuKPfQ6L4b/bbUbYYbjM263HqtEHpzTiqFtT+NxR/PkvRkDrP+w8gCC1h+sT2/cQ6qNeE0xe4j/oW3nKBvg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=campussek.onmicrosoft.com; s=selector1-campussek-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=vTtpajShdz8mtJihnscvo2NSt0psoksSv0NqQjaN2qA=;
b=YhBwZcBFAxoXMrP736Lw8vLGsuQhThIDs8Ejzz8PDVow3GBLwteX3fR4xFE7eSqe+YNC6K7fM0Ocqn7/bzEd7Z//jWqe+5o6yAyQ975urMTZTCffzMeBt29uGv/MPVzE93f0BvYjfEX74hY4xykgsVJbM56wsnxTWid1Cr1RJbJqSjFf4wMmt+lkHxsRoTXWfuSXffM2qbyHBa7Nf3gNyQx/LwCaPw7ASGmNrpZOv9iNnxEk1n8eZMLCf3OyWoswHZnrtAFZ7GHu1SkjkWvgAgcRETs9Jypiz+W3D8CZPF3mmJjZy9mI80qfCh+G4MV2M6r+/++hQVeeeKnkvvJj2w==
Authentication-Results: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=XXX;
Received: from ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:4b::11)
by GVAP278MB0469.CHEP278.PROD.OUTLOOK.COM (2603:10a6:710:3e::11) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4975.11; Tue, 15 Feb
2022 16:06:19 +0000
Received: from ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM
([fe80::142:5a2f:da74:9a98]) by ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM
([fe80::142:5a2f:da74:9a98%9]) with mapi id 15.20.4975.019; Tue, 15 Feb 2022
16:06:19 +0000
Message-ID: <05d06c383308ddd6f0d56337c3159f94b4765e63@XXX>
From: XXX
Subject: Die bequemste Dating-Site
Date: Tue, 15 Feb 2022 19:03:52 +0300
To:
X-ClientProxiedBy: FR0P281CA0059.DEUP281.PROD.OUTLOOK.COM
(2603:10a6:d10:49::7) To ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM
(2603:10a6:910:4b::11)
Return-Path: xxxxx
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0fe21474-6dec-4fc0-4abf-08d9f09cc43c
X-MS-TrafficTypeDiagnostic: GVAP278MB0469:EE_
X-Microsoft-Antispam-PRVS:
X-MS-Oob-TLC-OOBClassifiers: OLM:136;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
- Comments [12]
1 Beat 15.02.2022 23:17:19 Massive spam from protection.outlook.com
Hello Daniel
TrendMicro ScanMail for Notes filters them all.
LG B
2 Manfred W. 16.02.2022 8:48:49 Massive spam from protection.outlook.com
64 of them in the last 7 days. Proofpoint blocks them all.
3 Oliver Regelmann 16.02.2022 9:24:36 Massive spam from protection.outlook.com
None here at all. Neither in the quarantine nor within the few that came through our spam filter.
4 Jason Ferber 17.02.2022 12:43:33 Massive spam from protection.outlook.com
Daniel,
I have been having this exact issue for months and sadly our organization has decided to become an O365 shop. So I guess we will be in the same Microsoft bucket... I will miss HCL...
5 Bob Voith 18.02.2022 7:49:41 Massive spam from protection.outlook.com
Hi Daniel,
I do have some of them too, and I am a huge fan of SpamGeek. I filter most of them out with bad subjects and bad words. Some slip through.
6 Andreas 20.02.2022 3:04:10 Massive spam from protection.outlook.com
Hello Daniel,
Having the same issue unfortunately, loads of spam mails starting about a week ago.
Coming from many different hosted exchange/o365 customers.
I already gave the Microsoft servers a 3 points malus in SpamAssassin but even that isn't enough for many of the spam mails.
Regards
Andreas
7 Andreas 21.02.2022 0:46:29 Massive spam from protection.outlook.com
Me again:
Maybe I managed to handle it for now by adding body filter rules which match the domains that are in the body using the schema which I can't post here due to comment-spam-filtering.
8 BobVoith 23.02.2022 20:46:47 Massive spam from protection.outlook.com
Just an update - The amount has increased dramatically today from protection.outlook.com.
9 Kai Gülzau 12.06.2022 11:29:45 Massive spam from protection.outlook.com
Are there some good SpamAssassin rules to block this?
10 Will 07.08.2022 11:38:09 Massive spam from protection.outlook.com
I have been getting the same issues in the past 3 months. Currently I penalise email coming from outlook and reverse the score for domains that we know use them. Luckily not that many domains in our correspondence are with MS.
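A sketch of the scoring approach described in comments 6 and 10 (penalise mail relayed by the Outlook outbound servers, reverse the penalty for known senders), run over an abridged copy of the header from the post. This is an added example, not code from the post or from any commenter. The names `triage` and `known_signers`, the default penalty of 3.0, and keying the allowlist on the DKIM `d=` domain are assumptions, and the code assumes the DKIM signature has already been verified upstream.

```python
import re
from email import message_from_string

# Constructed sample: abridged from the header in the post, signature values replaced.
SAMPLE = """\
Received: from CHE01-GV0-obe.outbound.protection.outlook.com ([52.100.1.208])
 by notes.nashcom.de (HCL Domino Release 12.0.1) with ESMTP;
 Tue, 15 Feb 2022 17:06:20 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=campussek.onmicrosoft.com; s=selector1-campussek-onmicrosoft-com;
 h=From:Date:Subject; bh=CONSTRUCTED; b=CONSTRUCTED
Received: from ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:4b::11)
 by GVAP278MB0469.CHEP278.PROD.OUTLOOK.COM (2603:10a6:710:3e::11);
 Tue, 15 Feb 2022 16:06:19 +0000
From: sender@example.invalid
Subject: Die bequemste Dating-Site

"""

# Host name the sending server announced, as recorded by our own MTA.
O365_RELAY = re.compile(r"\bfrom\s+\S+\.outbound\.protection\.outlook\.com\b", re.I)
# The d= tag of a DKIM-Signature header (must not match bh= or other tags).
DKIM_D = re.compile(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", re.I)


def triage(raw, known_signers=frozenset(), relay_penalty=3.0):
    """Return relay and DKIM signals plus a spam-score adjustment for one message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Only the topmost Received header was written by our own server.
    via_o365 = bool(received and O365_RELAY.search(received[0]))
    signers = {d.lower() for value in msg.get_all("DKIM-Signature") or []
               for d in DKIM_D.findall(value)}
    # Signed only with the tenant's initial *.onmicrosoft.com domain.
    tenant_default = sorted(d for d in signers if d.endswith(".onmicrosoft.com"))
    known = bool(signers & {k.lower() for k in known_signers})
    # Assumption: penalise the shared relay, reverse it for allowlisted signers.
    score = relay_penalty if via_o365 and not known else 0.0
    return {"via_o365": via_o365, "dkim_domains": sorted(signers),
            "tenant_default_signed": tenant_default,
            "known_signer": known, "score": score}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The relay check reads the host name announced by the sending server, so a production rule should confirm it against the connecting IP address that the same Received header records.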
11 Carolyn 06.09.2023 7:32:08 Massive spam from protection.outlook.com
I just received one allegedly from the hospital where I was recently a patient. The sender was using Outlook and I use Gmail. It passed Google inspection and my trusted antivirus app, but I could tell something was odd.
12 Carolyn 06.09.2023 7:35:36 Massive spam from protection.outlook.com
OOPS. Another email from the source was legit.