On 15/09/2015 06:54, Franck Martin wrote:
> On Mon, Sep 14, 2015 at 12:00 PM, Michael Peddemors <mich...@linuxmagic.com>
> wrote:
>
>> Monitoring from ISP's and Telco's has always shown a lot of leakage from the
>> servers called..
>>
>> mail-pu1apc01hn0200.outbound.protection.outlook.com [1]
>>
>> And over the last week, those numbers substantially increased..
>>
>> However, while caught by our filtering systems, you have to look at some
>> simple obvious issues..
>>
>> (Maybe someone can explain how this traffic is relayed, and why it is so
>> hard to stop at the source?)
>>
>> Return-Path: <>
>>
>> ^^^^ (We wrote a 'fake bounce' rule specifically for protection.outlook.com
>> [2] servers)
>> Much of the spam shows up with no Return-Path, I am sure that can be
>> prevented, no?
>>
>> Delivered-To: mich...@linuxmagic.com
>> Received: (qmail 29387 invoked from network); 14 Sep 2015 17:13:15 -0000
>> Received: from mail-pu1apc01hn0200.outbound.protection.outlook.com [1] (HELO
>> APC01-PU1-obe.outbound.protection.outlook.com [3]) (104.47.126.200)
>> by be.cityemail.com [4] with SMTP
>> (e1fa336e-5b03-11e5-8599-5bc0ef165c91); Mon, 14 Sep 2015 10:13:15 -0700
>> Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
>>
>> ^^^^^ Could this be a clue? No Sender IP? No MailFrom?
>
> the HELO hostname does not have an SPF record:
> https://dmarcian.com/spf-survey/APC01-PU1-obe.outbound.protection.outlook.com
> [6]
>
> cf http://trac.tools.ietf.org/html/rfc7208#section-10.1.3 [7]
>
>> Received: from [106.223.20.123] (106.223.20.123) by
>> SG2PR0201MB0984.apcprd02.prod.outlook.com [5] (10.162.202.155) with Microsoft
>> SMTP Server (TLS) id 15.1.268.17; Mon, 14 Sep 2015 17:13:03 +0000
>> Content-Type: multipart/alternative; boundary="===============0365285247=="
>> MIME-Version: 1.0
>> Subject: I Have An Urgent Matter To Discuss With You
>> To: recipie...@wizard.ca
>> From: v...@wizard.ca, hol...@wizard.ca, k...@wizard.ca
>>
>> ^^^^ None of the above exist of course..
>> actually sent to different addresses
>>
>> Date: Mon, 14 Sep 2015 22:42:56 +0530
>> Reply-To: <verahollinkv...@gmail.com>
>>
>> ^^^^^ Isn't this suspicious?
>
> seems someone can get outlook.com [8] to do some backscatter or inject a fake
> bounce and have it routed by outlook.com [8] ?

It is becoming rather annoying :)

Links:
------
[1] http://mail-pu1apc01hn0200.outbound.protection.outlook.com
[2] http://protection.outlook.com
[3] http://APC01-PU1-obe.outbound.protection.outlook.com
[4] http://be.cityemail.com
[5] http://SG2PR0201MB0984.apcprd02.prod.outlook.com
[6] https://dmarcian.com/spf-survey/APC01-PU1-obe.outbound.protection.outlook.com
[7] http://trac.tools.ietf.org/html/rfc7208#section-10.1.3
[8] http://outlook.com
_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
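An added example, not part of the thread and not any poster's actual filter rule: the header oddities pointed out in the quoted message, expressed as receiver-side checks in Python. The indicator names, the `fake_bounce_indicators` function and the `example.org` / `freemail.example` addresses are assumptions made for illustration; the sample is constructed, modelled on the headers quoted above.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the quoted headers; addresses are placeholders.
SAMPLE = """\
Return-Path: <>
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>;
Content-Type: multipart/alternative; boundary="===============0365285247=="
MIME-Version: 1.0
Subject: I Have An Urgent Matter To Discuss With You
To: recipient@example.org
From: a@example.org, b@example.org, c@example.org
Reply-To: <someone@freemail.example>

"""

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def fake_bounce_indicators(raw):
    """Return the names of the heuristics (hypothetical names) that fire."""
    msg = message_from_string(raw)
    hits = []
    if msg.get("Return-Path", "").strip() == "<>":
        # Heuristic: RFC 3464 DSNs are multipart/report and auto-replies carry
        # Auto-Submitted; a null sender with neither does not look like a bounce.
        is_dsn = msg.get_content_type() == "multipart/report"
        auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
        if not (is_dsn or auto):
            hits.append("null-sender-not-dsn")
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    if len(from_addrs) > 1 and "Sender" not in msg:
        # RFC 5322 section 3.6.2: several From mailboxes require a Sender field.
        hits.append("multi-from-no-sender")
    reply = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    from_domains = {_domain(a) for a in from_addrs}
    if reply and from_domains and not from_domains & {_domain(a) for a in reply}:
        hits.append("reply-to-foreign-domain")
    ar = " ".join(msg.get_all("Authentication-Results", []))
    # With a null MAIL FROM, SPF falls back to the HELO identity; spf=none with
    # an empty "sender IP" means nothing was actually evaluated upstream.
    if re.search(r"\bspf=none\b", ar) and re.search(r"sender IP is\s*\)", ar):
        hits.append("spf-none-empty-sender-ip")
    return hits

if __name__ == "__main__":
    print(fake_bounce_indicators(SAMPLE))
```

Each indicator is weak on its own (some legitimate bounces are not RFC 3464 formatted), so a filter would score them together rather than reject on any single hit.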