Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread John Levine
In article you write: >To me that this smells of mis-using SMTP as an authentication backend. Badly. No, it's probably some bug that makes it think that it has a message to send but it fails and keeps retrying. Once upon a time, I thought it would be fun to have a content farm, so I set one up w

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Bill Cole
On 9 Feb 2018, at 18:49 (-0500), Carl Byington wrote: > On Fri, 2018-02-09 at 14:56 -0700, Dave Warren via mailop wrote: >> For those seeing this, is it hitting the same account more than once, >> or just once per account? > > 3 or 4 AUTH attempts per second over port 25 for the same account. 50K+

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Carl Byington
On Fri, 2018-02-09 at 14:56 -0700, Dave Warren via mailop wrote: > For those seeing this, is it hitting the same account more than once, > or just once per account? 3 or 4 AUTH attempts per second over port 25 for the same account. 50K+ attempts ove

Re: [mailop] Issues With the way Google Groups unsubscribe is used in headers..

2018-02-09 Thread Brandon Long via mailop
On Fri, Feb 9, 2018 at 1:41 PM Philip Paeps wrote: > On 2018-02-09 20:46:41 (+0100), Brandon Long wrote: > > On Fri, Feb 9, 2018 at 6:13 AM Philip Paeps wrote: > >> On 2018-02-07 17:05:59 (-0800), Michael Peddemors wrote: > >>> Spammers are abusing Google Groups lists of course, and I am sure >

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Michael Wise via mailop
We have, just not here. 😊 It's being ... investigated. Sorry for the delay. Aloha, Michael. -- Michael J Wise Microsoft Corporation| Spam Analysis "Your Spam Specimen Has Been Processed." Got the Junk Mail Reporting Tool ?

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Scott Undercofler
It's hitting a set of accounts over and over and over at least on my “older” system. On the newer system, I'm blocking them for too many connections today so it's hard to tell. Strangely enough the MS contacts on this list haven’t chimed in…. > On Feb 9, 2018, at 2:56 PM, Dave Warren via mailop

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Dave Warren via mailop
On 2018-02-09 14:20, John Levine wrote: In article you write: I'm confused, the first post said valid credentials, is that what everyone else is seeing? Nearly all valid creds seems weirder than mostly invalid... modulo whatever amount of hijacked or reused creds there are. Remember that Ou

Re: [mailop] Issues With the way Google Groups unsubscribe is used in headers..

2018-02-09 Thread Philip Paeps
On 2018-02-09 20:46:41 (+0100), Brandon Long wrote: On Fri, Feb 9, 2018 at 6:13 AM Philip Paeps wrote: On 2018-02-07 17:05:59 (-0800), Michael Peddemors wrote: Spammers are abusing Google Groups lists of course, and I am sure they are working on it It would be nice if the Google Groups would

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread John Levine
In article you write: >I'm confused, the first post said valid credentials, is that what everyone >else is seeing? > >Nearly all valid creds seems weirder than mostly invalid... modulo whatever >amount of hijacked or reused creds there are. Remember that Outlook does account consolidation like G

Re: [mailop] Issues With the way Google Groups unsubscribe is used in headers..

2018-02-09 Thread Brandon Long via mailop
On Fri, Feb 9, 2018 at 6:13 AM Philip Paeps wrote: > On 2018-02-07 17:05:59 (-0800), Michael Peddemors wrote: > >Spammers are abusing Google Groups lists of course, and I am sure they > >are working on it > > It would be nice if the Google Groups would "confirm opt-in" like other > mailing lists.

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Michael Peddemors
Sorry for the noise... Also from EHLO's of Feb 9 09:29:13 fe1 msd[20338]: EHLO command received, args: MWHPR22MB0798.namprd22.prod.outlook.com On 18-02-09 11:23 AM, Michael Peddemors wrote: Two separate issues I believe... Aggressive Valid AUTH attempts... EHLO/STARTTLS/AUTH LOGIN/QUIT A

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Michael Peddemors
Two separate issues I believe... Aggressive Valid AUTH attempts... EHLO/STARTTLS/AUTH LOGIN/QUIT All from MWHPR01MB2336.prod.exchangelabs.com Feb 9 10:06:09 fe1 msd[4699]: AUTH success: [] (40.97.117.181) Feb 9 10:06:10 fe1 msd[4709]: AUTH success: [] (40.97.117.181) Feb 9 10:06:11 fe1 ms

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Brandon Long via mailop
I'm confused, the first post said valid credentials, is that what everyone else is seeing? Nearly all valid creds seems weirder than mostly invalid... modulo whatever amount of hijacked or reused creds there are. Brandon On Fri, Feb 9, 2018, 10:59 AM Rich Kulawiec wrote: > On Fri, Feb 09, 2018

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Rich Kulawiec
On Fri, Feb 09, 2018 at 09:56:43AM +0100, Dan Malm wrote: > I'm seeing an extreme amount of SMTP authentications (over 600/s) [snip] I wouldn't characterize what I've seen as "extreme" at any of the observation points I'm monitoring, but I have seen a moderate number of repeated attempts to authen

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread rps462
Within the last 2 weeks I've had several ISP customers in CA ask me about enacting policy that tracks and blocks this kind of behavior. It's something they've seen an increase of as of late and when considering the uptick in spam coming from these same ranges, the attitude seems to be "just block i

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Michael Peddemors
Even worse... For a single email account.. 133 AUTH attempts per minute.. Fail2ban or something similar can also be a quick remedy, but looks like it is something to actually build a ruleset around.. On 18-02-09 08:41 AM, Michael Peddemors wrote: Not just those ranges... 40.97.117.181 EHLO

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Michael Peddemors
Not just those ranges... 40.97.117.181 EHLO MWHPR01MB2336.prod.exchangelabs.com Strange that it is on Port 25, and not the submission port.. Uses STARTTLS.. AUTH, then QUIT.. Rather than blocking the IP(s) you could block connections from that EHLO to port 25.. But of course, the question i

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Scott Undercofler
NetRange: 40.74.0.0 - 40.125.127.255 CIDR: 40.124.0.0/16, 40.74.0.0/15, 40.120.0.0/14, 40.125.0.0/17, 40.80.0.0/12, 40.76.0.0/14, 40.112.0.0/13, 40.96.0.0/12 NetName:MSFT NetHandle: NET-40-74-0-0-1 Parent: NET40 (NET-40-0-0-0-0) That, plus NetRange: 13

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread d
It could be the outlook/Acompli app infrastructure which is now hosted in Azure. The What specific IPs are you seeing? -David -Original Message- From: mailop On Behalf Of Brotman, Alexander Sent: Friday, February 9, 2018 8:00 AM To: Dan Malm ; mailop@mailop.org Subject: Re: [mailop]

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Scott Undercofler
On both systems I run, I would definitely call it extreme. To the point that I am about to block the 12+ ranges the traffic is coming from. We had a 10-fold increase in auths the past three days. I am unsure what's exactly being done with the auth attempts but it's not normal. > On Feb 9, 201

Re: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Brotman, Alexander
Not sure if I'd call it extreme, but a marked increase beginning Feb 6th. -- Alex Brotman Sr. Engineer, Anti-Abuse Comcast -Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Dan Malm Sent: Friday, February 09, 2018 3:57 AM To: mailop@mailop.org Subject: [ma

Re: [mailop] Issues With the way Google Groups unsubscribe is used in headers..

2018-02-09 Thread Philip Paeps
On 2018-02-07 17:05:59 (-0800), Michael Peddemors wrote: Spammers are abusing Google Groups lists of course, and I am sure they are working on it It would be nice if the Google Groups would "confirm opt-in" like other mailing lists. I know there is a global "opt-out" for being added to Googl

[mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

2018-02-09 Thread Dan Malm
Hi I'm seeing an extreme amount of SMTP authentications (over 600/s) from the microsoft owned 40.101.0.0/16 range on my customer SMTP servers. It's just auth, with valid credentials, and then it disconnects right after so no attempts to send any mails have been done for the vast majority of these