Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

Massive spam from protection.outlook.com

Daniel Nashed  15 February 2022 17:39:16
This has been bugging me for a couple of days.

The messages are coming from many different hosted domains with a valid SPF record pointing to

v=spf1 include:spf.protection.outlook.com -all

The content is really bad SPAM in my case. And my AntiSpam settings are not preventing them from coming in, because most of the elements in those mails are OK.
Besides the content itself ...

I will probably change some key words and I also noticed that all those mails have no Mailer set. But this is also true for other e-mail I receive.

It is even worse! The messages are properly DKIM signed by Microsoft.

Grey listing and other techniques will not help. The mails are properly sent and will be resent if delayed.

Asking someone at Microsoft will probably not help. I am not even sure they would take my call or read my mail.

I can't block outbound.protection.outlook.com completely. That's an issue with a large provider...

So I am looking into options for monitoring my SMTP traffic very carefully ...

Is anyone else seeing spam like this?
Does your antispam catch it?

-- Daniel


Received: from CHE01-GV0-obe.outbound.protection.outlook.com ([52.100.1.208])
         by notes.nashcom.de (HCL Domino Release 12.0.1)
         with ESMTP id 2022021517062021-365 ;
         Tue, 15 Feb 2022 17:06:20 +0100
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=IerYTU3cWysfGyYtnUDlxy+IJOlBUzPw3q0yqWAhZ2vzL9KKDw27Sx0fXkmiqqgBmtdTbH/gL7PxdbuTGmO/xanQSDUIGDGcNg/LJSS8YOCzs82YZwqt0wprLBd7Zc5F0fLDwDq3BQrZ0XxrRcr1p4lJKN6LSS6fRI0mMwoBNYaz5GHlg8cI+ZlcL9CMa1TgwvP9LtkGYi8DpJ75Z4sDaDVQZwvbqjD9U1ir2kwuMOG7azQCfI5VElP5QOnVCZ4RBOqsl0NlG/M385IVavtPmTEXtn2mp+a861LmZVzl/LWS4MzKu+9wo3s/uWuTTs42WNCgBG+256O415l8m2Jg0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=vTtpajShdz8mtJihnscvo2NSt0psoksSv0NqQjaN2qA=;
b=FzOzo0vCfjugObOPMmYBeWWZYbP3/SZa87Z0iaXeFy867530qf/ja5Gu+prpTIpTszzPrxpl1nlARzeYYjbKF+3s5Q2F86IKG/dozToktcIT0xuLKxnVjN1B3RxvR0qWZ5/iOPbrMCFAG+oWzif95IyX+kaKlhvFafWAUFEFSdCjzWhdO3P1sliw2bOsktPUOB5JW3mN60kZ/Ve2eGiCVLB9qkF9RMzWTEv31VUk8AUEK1UzGt2oduxFe8aI4TAeFyeuuKPfQ6L4b/bbUbYYbjM263HqtEHpzTiqFtT+NxR/PkvRkDrP+w8gCC1h+sT2/cQ6qNeE0xe4j/oW3nKBvg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=campussek.onmicrosoft.com; s=selector1-campussek-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=vTtpajShdz8mtJihnscvo2NSt0psoksSv0NqQjaN2qA=;
b=YhBwZcBFAxoXMrP736Lw8vLGsuQhThIDs8Ejzz8PDVow3GBLwteX3fR4xFE7eSqe+YNC6K7fM0Ocqn7/bzEd7Z//jWqe+5o6yAyQ975urMTZTCffzMeBt29uGv/MPVzE93f0BvYjfEX74hY4xykgsVJbM56wsnxTWid1Cr1RJbJqSjFf4wMmt+lkHxsRoTXWfuSXffM2qbyHBa7Nf3gNyQx/LwCaPw7ASGmNrpZOv9iNnxEk1n8eZMLCf3OyWoswHZnrtAFZ7GHu1SkjkWvgAgcRETs9Jypiz+W3D8CZPF3mmJjZy9mI80qfCh+G4MV2M6r+/++hQVeeeKnkvvJj2w==
Authentication-Results: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=XXX;
Received: from ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:4b::11)
by GVAP278MB0469.CHEP278.PROD.OUTLOOK.COM (2603:10a6:710:3e::11) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4975.11; Tue, 15 Feb
2022 16:06:19 +0000
Received: from ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM
([fe80::142:5a2f:da74:9a98]) by ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM
([fe80::142:5a2f:da74:9a98%9]) with mapi id 15.20.4975.019; Tue, 15 Feb 2022
16:06:19 +0000
Message-ID: <05d06c383308ddd6f0d56337c3159f94b4765e63@XXX>
From: XXX
Subject: Die bequemste Dating-Site
Date: Tue, 15 Feb 2022 19:03:52 +0300
To:
X-ClientProxiedBy: FR0P281CA0059.DEUP281.PROD.OUTLOOK.COM
(2603:10a6:d10:49::7) To ZRAP278MB0771.CHEP278.PROD.OUTLOOK.COM
(2603:10a6:910:4b::11)
Return-Path: xxxxx
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0fe21474-6dec-4fc0-4abf-08d9f09cc43c
X-MS-TrafficTypeDiagnostic: GVAP278MB0469:EE_
X-Microsoft-Antispam-PRVS:
               
X-MS-Oob-TLC-OOBClassifiers: OLM:136;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:

Comments

1 Beat  15.02.2022 23:17:19  Massive spam from protection.outlook.com

Hello Daniel

TrendMicro ScanMail for Notes filters them all.

LG B

2 Manfred W.  16.02.2022 8:48:49  Massive spam from protection.outlook.com

64 of them in the last 7 days. Proofpoint blocks them all.

3 Oliver Regelmann  16.02.2022 9:24:36  Massive spam from protection.outlook.com

None here at all. Neither in the quarantine nor within the few that came through our spam filter.

4 Jason Ferber  17.02.2022 12:43:33  Massive spam from protection.outlook.com

Daniel,

I have been having this exact issue for months and sadly our organization has decided to become an O365 shop. So I guess we will be in the same Microsoft bucket... I will miss HCL...

5 Bob Voith  18.02.2022 7:49:41  Massive spam from protection.outlook.com

Hi Daniel,

I do have some of them too, and I am a huge fan of SpamGeek. I filter most of them out with bad subjects and bad words. Some slip through.

6 Andreas  20.02.2022 3:04:10  Massive spam from protection.outlook.com

Hello Daniel,

Having the same issue unfortunately, loads of spam mails starting about a week ago.

Coming from many different hosted Exchange/O365 customers.

I already gave the Microsoft servers a 3 points malus in SpamAssassin but even that isn't enough for many of the spam mails.

Regards

Andreas

7 Andreas  21.02.2022 0:46:29  Massive spam from protection.outlook.com

Me again:

Maybe I managed to handle it for now by adding body filter rules which match the domains that are in the body, using the schema which I can't post here due to comment-spam-filtering.

8 BobVoith  23.02.2022 20:46:47  Massive spam from protection.outlook.com

Just an update - The amount of has increased dramatically today from protection.outlook.com.

9 Kai Gülzau  12.06.2022 11:29:45  Massive spam from protection.outlook.com

Are there some good SpamAssassin rules to block this?

10 Will  07.08.2022 11:38:09  Massive spam from protection.outlook.com

I have been getting the same issues in the past 3 months. Currently I penalise email coming from outlook and reverse the score for domains that we know use them. Luckily not that many domains in our correspondence are with MS.
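
The scoring idea discussed in comments 6 and 10 (penalise mail handed over by outbound.protection.outlook.com, cancel the penalty for known correspondents), applied to headers shaped like those in the post. This is an added example, not code from the post or from any commenter; `KNOWN_SENDERS`, the score values, the extra point for a signature that only carries a `*.onmicrosoft.com` tenant domain, and the sample message are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post; the receiving host,
# the domains and the signature values are placeholders.
SAMPLE = (
    "Received: from CHE01-GV0-obe.outbound.protection.outlook.com ([52.100.1.208])\n"
    "\tby mx.example.test with ESMTP; Tue, 15 Feb 2022 17:06:20 +0100\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "\td=tenant1.onmicrosoft.com; s=selector1-tenant1-onmicrosoft-com;\n"
    "\th=From:Date:Subject; bh=AAAA; b=BBBB\n"
    "From: Someone <someone@unknown-sender.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
KNOWN_SENDERS = {"partner.example"}  # assumption: domains you know use Microsoft 365
# The relay name may be client-supplied; it is only ever used to add a penalty.
O365_RELAY = re.compile(r"from\s+\S+\.outbound\.protection\.outlook\.com\b", re.I)

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lower-cased."""
    found = []
    for sig in msg.get_all("DKIM-Signature") or []:
        # Split into tag=value pairs so a "d=" inside a base64 value is ignored.
        tags = dict(t.strip().split("=", 1) for t in str(sig).split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].strip().lower())
    return found

def score_message(raw, known=KNOWN_SENDERS, penalty=3.0, tenant_extra=1.0):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # Only the top-most Received header was added by our own server.
    if not received or not O365_RELAY.search(str(received[0])):
        return 0.0, ["not handed over by outbound.protection.outlook.com"]
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if from_domain in known:
        return 0.0, [from_domain + " is a known Microsoft 365 correspondent"]
    score, reasons = penalty, ["relayed via outbound.protection.outlook.com"]
    doms = dkim_domains(msg)
    if doms and all(d.endswith(".onmicrosoft.com") for d in doms):
        score += tenant_extra
        reasons.append("DKIM signed only by tenant default domain " + doms[0])
    return score, reasons

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

The From header on its own can be forged, so the allow-list lookup is best limited to domains whose mail also passes your DMARC check.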

11 Carolyn  06.09.2023 7:32:08  Massive spam from protection.outlook.com

I just received one allegedly from the hospital where I was recently a patient. The sender was using Outlook and I use Gmail. It passed Google inspection and my trusted antivirus app, but I could tell something was odd.

12 Carolyn  06.09.2023 7:35:36  Massive spam from protection.outlook.com

OOPS. Another email from the source was legit.
