I think you have to start blocking them earlier than in SpamAssassin, if you want to make a difference.

If you block them at the SMTP layer, then maybe they give up, or if you reject with a 4XX, maybe Microsoft might notice an increase in the queues (wishful thinking).

Also, if you check earlier, you can save a lot of overhead.

The only advantage of flagging it at the filtering level is that, if you aren't 100% certain it's all spam, you can redirect it to the person's 'spam' folder.

One note: you say 'from onmicrosoft.com'. Do you mean subdomain.onmicrosoft.com or @onmicrosoft.com? There is a slight difference.



On 2024-01-16 14:24, Russell Clemings via mailop wrote:
Since exim_mainlog rolled over Saturday night, I see 332 successful incoming emails from onmicrosoft.com and 52 spam rejects. Based on the subject lines, all of the successes were spam. So I've added "blacklist_from *.onmicrosoft.com" to spamassassin. I just hope people won't be too disappointed about missing out on their Dewalt Power Stations and their YETI 30-Oz. travel mugs.

On Mon, Jan 15, 2024 at 10:30 AM Randolf Richardson, Postmaster via mailop <mailop@mailop.org> wrote:

     > FWIW, after a log file review we are contemplating blocking
     "azurewebsites.net" as well as "@onmicrosoft.com".

     Our logs are showing small quantities of SMTP traffic from
     "azurewebsites.net" that are usually being blocked due to SPF
     failures, and usually sending to weird, nonsensical, non-existent eMail
     addresses where the local-part is a series of randomly-selected
     letters and digits, sometimes intermixed with names of birds,
     furniture, food, vehicles, colours, etc., all of which are recipient
     addresses that don't exist and have never existed.

     I'm assuming it's a source of eMail debris from broken systems.  I'm
     almost tempted to set up a honeypot to see whatever trash it's trying
     to spew out, but I'd rather do something more productive (like
     flossing my teeth).

     > Curious if others are coming to the same conclusion?

     I'm currently leaning in a block-on-sight direction since I'm seeing
     zero legitimate eMail coming from hosts self-identifying as hosts in
     the "azurewebsites.net" domain name in the HELO and EHLO commands.

     > Regards,
     > Mark
     > _________________________________________________________________
     > L. Mark Stone, Founder
     > North America's Leading Zimbra VAR/BSP/Training Partner
     > For Companies With Mission-Critical Email Needs
     >
     > ----- Original Message -----
     > From: "Mark Alley via mailop" <mailop@mailop.org>
     > To: "Andrew C Aitchison" <and...@aitchison.me.uk>
     > Cc: "mailop" <mailop@mailop.org>
     > Sent: Sunday, January 14, 2024 6:30:22 PM
     > Subject: Re: [mailop] Anyone else noticing an increase in spam
     > from Office365 distribution lists?
     >
     >
     >
     > Ah, yep, thanks for catching that typo.
     > On 1/14/2024 4:56 PM, Andrew C Aitchison wrote:
     >> On Sun, 14 Jan 2024, Mark Alley via mailop wrote:
     >>> This is anecdotal, but I think it illustrates even at a smaller
     >>> scale the persistent problem Microsoft currently has with their
     >>> tenancy.
     >>>
     >>> I did some quick perusal of the last month's data from our email
     >>> logs, and out of a total of 22,473 external emails that contain a
     >>> .onmicrosoft.com subdomain in the RFC5322.FROM field -- 22,086
     >>> were blocked because of various reasons:
     >>>
     >>> * 21,228 spam
     >>> * 1 malware
     >>> * 759 phishing
     >>> * 5 impostor
     >>> * 93 "hard" failed SPF without a DMARC record since onmicrosoft.com
     >>>   doesn't have one. (probably forwarded)
     >>>
     >>> 387 "clean" emails were delivered successfully initially, and 151
     >>> of those initial deliveries were then later retroactively classified
     >>> as being spam or phishing.
     >>>
     >>> So even at this scale, we're left with a minutia of ~0.01%
     >>
     >> 236/22473 ~= 1%
     >>
     >>> "legitimate" emails, most of which are from misconfigured
     >>> Exchange Online mailboxes or Office365 groups from various businesses.
     >>>
     >>> So, YMMV widely, but for most organizations, as John said,
     >>> definitely not going to be missing /too/ much. Most of what I see
     >>> that's legitimate in our traffic would be 3 or 4 specific subdomain
     >>> additions to a safelist from the hypothetical block rule, and that
     >>> would be it.
     >>>
     >>> - Mark Alley
     >
     > _______________________________________________
     > mailop mailing list
     > mailop@mailop.org <mailto:mailop@mailop.org>
     > https://list.mailop.org/listinfo/mailop
     >


     -- 
     Postmaster - postmas...@inter-corporate.com
     Randolf Richardson, CNA - rand...@inter-corporate.com
     Inter-Corporate Computer & Network Services, Inc.
     Vancouver, British Columbia, Canada
     https://www.inter-corporate.com/





--
===============================================
Russell Clemings
<rclemi...@gmail.com <mailto:russ...@clemings.com>>
===============================================



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

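As an added example (not code from any poster on this thread), here is what "blocking earlier than SpamAssassin" looks like in Exim's ACLs, since Russell's counts came out of exim_mainlog: the HELO/EHLO names and sender domains named above are refused at SMTP time, before DATA, so the message is never received or scanned. The domains are the ones discussed in the thread; the ACL names, the response texts, the choice of deny versus defer, and the tagging header are this example's own assumptions, not anyone's production policy.

```exim
# Added example, not from any poster on this thread.  Main-section
# settings hook two ACLs to the HELO/EHLO and MAIL FROM stages; the
# ACL names and message texts are assumptions made for this example.
acl_smtp_helo = acl_check_helo
acl_smtp_mail = acl_check_mail

begin acl

acl_check_helo:
  # Hosts announcing themselves as <anything>.azurewebsites.net in
  # HELO/EHLO get a 5xx here and the session never reaches DATA.
  # Change "deny" to "defer" to answer 4xx instead: the client then
  # keeps the message in its queue and retries rather than bouncing it.
  deny    condition   = ${if match_domain{$sender_helo_name}{*.azurewebsites.net}{yes}{no}}
          message     = HELO/EHLO name $sender_helo_name is not accepted here
          log_message = rejected HELO $sender_helo_name from $sender_host_address

  accept

acl_check_mail:
  # Address-list items with no "@" are matched against the domain part
  # only.  "*.onmicrosoft.com" matches tenant.onmicrosoft.com but NOT the
  # bare onmicrosoft.com, which is the "slight difference" above; both
  # are listed so either form is refused.  Drop whichever you don't mean.
  deny    senders     = onmicrosoft.com : *.onmicrosoft.com
          message     = Mail from $sender_address_domain is not accepted here
          log_message = rejected MAIL FROM $sender_address

  # If you are not certain it is all spam, tag instead of rejecting and
  # let the recipient's filter route it to the spam folder.  Replace the
  # "deny" above with this (header name is an assumption):
  # warn    senders     = *.onmicrosoft.com
  #         add_header  = X-Sender-Policy: onmicrosoft-tenant

  accept
```

Rejections made here show up as reject lines in exim_mainlog (the log_message text), so the count of refused sessions can be compared against the 332/52 figures above without the messages ever being accepted or scored.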

