On 01.01.24 16:28, Charles Sprickman wrote:
Full headers are here as well: https://pastebin.com/wHNmnvtE

Neither indicates that the mail was relayed by Microsoft.
Isn't this just backscatter, non-delivery notice on fake mail?

I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is using MS' 
inbound/outbound filtering/relaying for their email, and I'm assuming that the company 
(acquiretm dot com) has compromised account(s) being used for spam, and that this type of 
account is valuable since it's relayed through a somewhat "trusted" entity 
(MS). Stumped on the empty envelope from though...

Thanks,

Charles


Full headers inline:

Return-Path: <MAILER-DAEMON>
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for <myem...@mydomain.com>; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
with ESMTP id y8UwjrBjDDCO for <myem...@mydomain.com>;
Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for <myem...@mydomain.com>; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com;
dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
(message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=R1X4dpKSgryTH6OLmMzRy/tDWLnQEV8mHOEEtjH+lXKLhUWP1IcSU7ti48ZJoXOksGz7A4+ZbSb5s1wNp2A4dGS+psXMeDNERbCeNVeGFRy/0AfJX4BSO52imrh48OaXFvTjmcrwSondZQkeC2plLlatu2jWPXn+a48T+gCuUZtFOpy6+1OlQqtOhQd5Ork4w7yD6nIicaXcQ4GhpDX1YM6zU02EUOSl+pxEgJj5/WuHvXNbtuTmdsGid1JhRnmIyvR15jGzXHkyrD/KYHw3evZSOV8pJ8EMpUPDEiwdHjDGYt38j/Wwiho5yVfR/zNZa5wELOq9bYgLK0G91JywQA==
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 193.176.158.140)
smtp.helo=mail.acquiretm.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Date: Mon, 01 Jan 2024 20:19:49 +0100
Importance: high
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
X-TOI-MSGID: <1660898088.4bdab4ab9e89d.1704136789...@acquiretm.com>
In-Reply-To: 
<952htcjgcsdxt5hydix5kfocgsan34o2gphcyv...@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
CC: myem...@mydomain.com
To: myem...@mydomain.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Storage Notice <info_qwzrlpcp...@x1r862t.onmicrosoft.com>
Message-ID:
<0e3b3785-6682-4c22-b6d7-87286c342...@cy4pepf0000ee34.namprd05.prod.outlook.com>
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPF0000EE34:EE_|CO6PR20MB3698:EE_
X-MS-Office365-Filtering-Correlation-Id: 3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
iCzQWJ07Pkvdn8gTGxmT6VSZBHnP6M4JvFEye6phLeBazoMicRP+n8Frj4I9QfVf8WmFZWPRNg978JVG7BDaqn4bxfC0shO0mBk5itJtr3ZRYKiFIMx+NVO8t79WCu7UZJdf5LjDih1sTt+noqH2CGSPWsRE96PG8UNfGoWJzkMS0AuY1CjhHfjpwbklk+QzQ985nESwb7Ozb1+o/yfzzFtq41ta6WcUp5s8ksM2nqTUwdf972ZCOgy6ctn0sJ9r3illogeg+K31zzwq2Xqd0Vvg6H2kJfjDZX6zLUHzmVvjYpX6RX65FU0EigndAzHHhGwPpJrPf4pUCCtB7NP80Rz0Ab4sKj48wAaiZHnJVEwEvbBw+sRP4FO3eIj6WnKBQ24yedrXW6i2nsoH5sWkO1OYq9tNi+1OCMgdVO7ZdJdkmCpZxc5yC0IK8aXOGUEGBhXTCJY/UWwnnfkYh4a6p4p12+lKfAmlhkMrFLR1GxXlukfPi6rLJGiwHUawX6hE4mS4BqHQJllk3wTRVrRK0sTgqJvVf/4wT/7pbAelOBBjANVObgm5V5PtBNuM+EMPSpqOJz/pAK+8mxjdlbZRLQ==
X-Forefront-Antispam-Report:
CIP:193.176.158.140;CTRY:FR;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.acquiretm.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(136003)(346002)(376002)(396003)(39860400002)(230922051799003)(61400799012)(1690799017)(451199024)(7200799017)(64100799003)(82310400011)(46966006)(8400799017)(3082699003)(40480700001)(336012)(42882007)(26005)(41320700001)(31696002)(81166007)(558084003)(166002)(82740400003)(17440700003)(35950700001)(34020700004)(47076005)(4326008)(67280400001)(19625305002)(5660300002)(9686003)(8936002)(8676002)(70206006)(70586007)(786003)(78352004)(316002)(6916009)(42186006)(2906002)(41300700001)(498600001)(84603001)(42472002)(38122002);DIR:OUT;SFP:1501;
X-OriginatorOrg: x1r862t.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Jan 2024 19:23:21.7479
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-CrossTenant-Id: aae3bce2-b5e6-4c64-9336-2909094ee8c9
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
TenantId=aae3bce2-b5e6-4c64-9336-2909094ee8c9;Ip=[193.176.158.140];Helo=[mail.acquiretm.com]
X-MS-Exchange-CrossTenant-AuthSource:
CY4PEPF0000EE34.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO6PR20MB3698

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Remember half the people you know are below average.
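The open question in the thread is whether a null-sender message is a genuine non-delivery notice or mail that only looks like one. As an added example (not code from the thread or from SpamAssassin), this Python check reads the headers quoted above, abridged and with the DKIM signature value replaced by a placeholder, separates a real RFC 3464 delivery-status report from other null-sender mail, and pulls out the upstream SPF/DKIM/DMARC results Microsoft recorded in ARC-Authentication-Results for the hop into its network; the second sample is a constructed genuine bounce for contrast.

```python
import re
from email import message_from_string
from email.policy import default
# Constructed sample abridged from the headers quoted in the thread; the
# DKIM b= value is a placeholder, not a real signature.
SUSPECT = """\
Return-Path: <MAILER-DAEMON>
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
 193.176.158.140) smtp.helo=mail.acquiretm.com; dmarc=none action=none
 header.from=x1r862t.onmicrosoft.com; dkim=none (message not signed)
DKIM-Signature: v=1; a=rsa-sha256; d=x1r862t.onmicrosoft.com; s=selector1; b=PLACEHOLDER
Content-Type: text/html; charset="UTF-8"
From: Storage Notice <info_qwzrlpcp@x1r862t.onmicrosoft.com>
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

<html>spam body</html>
"""
# Constructed genuine bounce for contrast: same null sender, but the body is
# the multipart/report delivery-status structure RFC 3464 DSNs use.
REAL_DSN = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B

Delivery failed.
--B--
"""

def is_null_sender(msg):  # empty envelope sender as the final MTA wrote it
    addr = (msg.get("Return-Path") or "").strip().strip("<>").strip()
    return addr in ("", "MAILER-DAEMON")

def is_real_dsn(msg):  # true delivery report, not merely bounce-looking text
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")

def upstream_auth(msg):
    """spf/dkim/dmarc results Microsoft recorded for the hop into its network."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("ARC-Authentication-Results", "")))

def analyze(raw):
    msg = message_from_string(raw, policy=default)
    null, dsn = is_null_sender(msg), is_real_dsn(msg)
    return {
        "null_sender": null, "real_dsn": dsn, "upstream": upstream_auth(msg),
        "dkim_d": re.findall(r"\bd=([^;\s]+)", " ".join(msg.get_all("DKIM-Signature", []))),
        "from_entity": msg.get("X-MS-Exchange-CrossTenant-FromEntityHeader"),
        "verdict": "dsn" if dsn else "null-sender-not-dsn" if null else "normal",
    }
```

The suspect sample yields a null sender with no delivery-status structure, a DKIM signature only from the onmicrosoft.com tenant domain, and spf=none/dkim=none on the inbound hop, while the constructed bounce is classified as a DSN.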
