I started forwarding full headers and text to "ab...@outlook.com" and they
blocked my IP.
-----Original Message-----
From: David Jones via users
Sent: Tuesday, January 2, 2024 1:07 PM
To: Charles Sprickman
Cc: SA Mailing list
Subject: Re: MS-relayed spam
I would report this to Microsoft Abuse and set up local rules that add a
point or two, something like this:
header BAD_O365_SENDER X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/
With a threshold of 6.2, you might want to consider either lowering that a
little or bumping up some default scores for some of the "worse" rules.
Most legit senders should not be using their onmicrosoft.com for their
primary address, but there are a few that I have seen over the years, so I
also have a counter rule to subtract a point or two for specific
onmicrosoft.com subdomains.
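Building on David's rule, here is an added local.cf fragment (example code, not from the list thread) that also spells out the counter rule he mentions and goes a step further with a meta rule for the null-sender case Charles asked about. The tenant names in the exemption list are placeholders, and the null-sender rule assumes a Return-Path header is present when SpamAssassin scans the message (amavisd-new supplies one; with other glue, check).

```spamassassin
# Added example, not from the list thread: local.cf fragment around David's rule.
# Score mail whose originating tenant still runs on its default onmicrosoft.com domain.
header   BAD_O365_SENDER     X-OriginatorOrg =~ /\.onmicrosoft\.com$/i
describe BAD_O365_SENDER     Sent from a tenant default onmicrosoft.com domain
score    BAD_O365_SENDER     1.5

# Counter rule: tenants known to mail legitimately from their onmicrosoft.com
# domain. Placeholder names; replace with the subdomains seen in your own logs.
header   __O365_SENDER_KNOWN X-OriginatorOrg =~ /^(?:contoso|fabrikam)\.onmicrosoft\.com$/i
meta     O365_SENDER_KNOWN   BAD_O365_SENDER && __O365_SENDER_KNOWN
describe O365_SENDER_KNOWN   Known-good onmicrosoft.com tenant, cancels BAD_O365_SENDER
score    O365_SENDER_KNOWN   -1.5

# The From: address itself is at the default tenant domain, as in the sample headers.
header   FROM_ONMICROSOFT    From:addr =~ /\@[^\s@]+\.onmicrosoft\.com$/i
describe FROM_ONMICROSOFT    From: address uses an onmicrosoft.com tenant domain
score    FROM_ONMICROSOFT    1.0

# Null envelope sender (Postfix records it as <MAILER-DAEMON>) on a message that
# is not a real delivery status report: legitimate bounces are multipart/report.
header   __NULL_ENV_FROM     Return-Path =~ /^<(?:MAILER-DAEMON)?>$/i
header   __DSN_REPORT        Content-Type =~ /^multipart\/report\b/i
meta     O365_NULL_SENDER    BAD_O365_SENDER && __NULL_ENV_FROM && !__DSN_REPORT
describe O365_NULL_SENDER    onmicrosoft.com tenant mail with a null sender that is not a DSN
score    O365_NULL_SENDER    2.0
```

Run `spamassassin --lint` after adding it, then `spamassassin -t < saved.eml` against the saved sample to confirm which of the rules fire before trusting the scores.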
On 1/1/24, 3:29 PM, "Charles Sprickman" <sp...@bway.net> wrote:
Hi all,
Full headers are here as well: https://pastebin.com/wHNmnvtE
I'm not really following what's going on here - a few things confuse me...
- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit
more tuned to this kind of abuse
Anyone else seeing this and if so, what mitigations are you doing in SA?
To me, it appears that a company with some kind of on-prem email server is
using MS' inbound/outbound filtering/relaying for their email, and I'm
assuming that the company (acquiretm dot com) has compromised account(s)
being used for spam, and that this type of account is valuable since it's
relayed through a somewhat "trusted" entity (MS). Stumped on the empty
envelope from though...
Thanks,
Charles
Full headers inline:
Return-Path: <MAILER-DAEMON>
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for <myem...@mydomain.com>; Mon, 1 Jan 2024
14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port
10024)
with ESMTP id y8UwjrBjDDCO for <myem...@mydomain.com>;
Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for <myem...@mydomain.com>; Mon, 1 Jan 2024
14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM
smtp.helo=mail.acquiretm.com;
dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
(message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
b=R1X4dpKSgryTH6OLmMzRy/tDWLnQEV8mHOEEtjH+lXKLhUWP1IcSU7ti48ZJoXOksGz7A4+ZbSb5s1wNp2A4dGS+psXMeDNERbCeNVeGFRy/0AfJX4BSO52imrh48OaXFvTjmcrwSondZQkeC2plLlatu2jWPXn+a48T+gCuUZtFOpy6+1OlQqtOhQd5Ork4w7yD6nIicaXcQ4GhpDX1YM6zU02EUOSl+pxEgJj5/WuHvXNbtuTmdsGid1JhRnmIyvR15jGzXHkyrD/KYHw3evZSOV8pJ8EMpUPDEiwdHjDGYt38j/Wwiho5yVfR/zNZa5wELOq9bYgLK0G91JywQA==
X-MS-Exchange-Authentication-Results: spf=none (sender IP is
193.176.158.140)
smtp.helo=mail.acquiretm.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Date: Mon, 01 Jan 2024 20:19:49 +0100
Importance: high
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
X-TOI-MSGID: <1660898088.4bdab4ab9e89d.1704136789...@acquiretm.com>
In-Reply-To:
<952htcjgcsdxt5hydix5kfocgsan34o2gphcyv...@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
CC: myem...@mydomain.com
To: myem...@mydomain.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Storage Notice <info_qwzrlpcp...@x1r862t.onmicrosoft.com>
Message-ID:
<0e3b3785-6682-4c22-b6d7-87286c342...@cy4pepf0000ee34.namprd05.prod.outlook.com>
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPF0000EE34:EE_|CO6PR20MB3698:EE_
X-MS-Office365-Filtering-Correlation-Id:
3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
CIP:193.176.158.140;CTRY:FR;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.acquiretm.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(136003)(346002)(376002)(396003)(39860400002)(230922051799003)(61400799012)(1690799017)(451199024)(7200799017)(64100799003)(82310400011)(46966006)(8400799017)(3082699003)(40480700001)(336012)(42882007)(26005)(41320700001)(31696002)(81166007)(558084003)(166002)(82740400003)(17440700003)(35950700001)(34020700004)(47076005)(4326008)(67280400001)(19625305002)(5660300002)(9686003)(8936002)(8676002)(70206006)(70586007)(786003)(78352004)(316002)(6916009)(42186006)(2906002)(41300700001)(498600001)(84603001)(42472002)(38122002);DIR:OUT;SFP:1501;
X-OriginatorOrg: x1r862t.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Jan 2024 19:23:21.7479
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-CrossTenant-Id: aae3bce2-b5e6-4c64-9336-2909094ee8c9
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp:
TenantId=aae3bce2-b5e6-4c64-9336-2909094ee8c9;Ip=[193.176.158.140];Helo=[mail.acquiretm.com]
X-MS-Exchange-CrossTenant-AuthSource:
CY4PEPF0000EE34.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO6PR20MB3698