Re: [mailop] Strange Behavior from Microsoft IP Address

2024-05-08 Thread Gellner, Oliver via mailop
On 07.05.2024 at 17:12 Vitali Quiering via mailop wrote:

> We've identified an IP address, notably tied to Microsoft (20.203.218.75), 
> executing thousands of hits on our URLs almost immediately after dispatching 
> a newsletter. However, the peculiar part is the variation in the hash 
> segments they're accessing. The URL queries we've seen look something like 
> https://sub.customerdomain.tld/info/Mjl2Y3N6ej, which, upon decoding, starts 
> off with a familiar segment 29vcsz% but diverges significantly right after.

This is most likely an attempt to use an email server as some sort of web 
scanner to rate URIs in incoming messages. In order to not trigger any actions 
when visiting the websites, they replace identifiers with hashed values, 
encrypt the identifiers with ROT13 or similar stuff.

--
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Strange Behavior from Microsoft IP Address

2024-05-07 Thread Mark Milhollan via mailop

On Tue, 7 May 2024, Vitali Quiering wrote:

> We've identified an IP address, notably tied to Microsoft 
> (20.203.218.75), executing thousands of hits on our URLs almost 
> immediately after dispatching a newsletter. However, the peculiar part 
> is the variation in the hash segments they're accessing. The URL 
> queries we've seen look something like 
> https://sub.customerdomain.tld/info/Mjl2Y3N6ej, which, upon decoding, 
> starts off with a familiar segment 29vcsz% but diverges significantly 
> right after.


Microsoft performs link scanning.  This seems like they are attempting 
to check for mutated patterns as well, something like John the Ripper.



/mark


Re: [mailop] Strange Behavior from Microsoft IP Address

2024-05-07 Thread Atro Tossavainen via mailop
> To give you a bit of context, we operate as an ESP, facilitating our 
> customers in sending out newsletters.

If you want anybody to have an opinion on this stuff, why don't you
identify yourself, the domain names and the IPs involved?

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/


[mailop] Strange Behavior from Microsoft IP Address

2024-05-07 Thread Vitali Quiering via mailop
Hello everyone,

I hope you're all doing well! I'm reaching out to the community because we've 
encountered some weird behavior from a source connected to Microsoft, and 
despite our attempts, haven't yet received an explanation from their end. I'm 
curious if anyone here, perhaps from Microsoft or those with similar 
experiences, might shed some light on this matter.

To give you a bit of context, we operate as an ESP, facilitating our customers 
in sending out newsletters. Each email includes tracking URLs with unique 
hashes for analytics. For instance, a typical URL hash on our end appears as 
follows: https://sub.customerdomain.tld/info/29vcszz10k40z1y0c2yqz3.

We've identified an IP address, notably tied to Microsoft (20.203.218.75), 
executing thousands of hits on our URLs almost immediately after dispatching a 
newsletter. However, the peculiar part is the variation in the hash segments 
they're accessing. The URL queries we've seen look something like 
https://sub.customerdomain.tld/info/Mjl2Y3N6ej, which, upon decoding, starts 
off with a familiar segment 29vcsz% but diverges significantly right after.

This pattern strikes us as odd and raises questions regarding the nature of 
these requests. Has anyone observed similar traffic patterns, or can anyone 
from Microsoft provide some clarity on these unusually patterned requests?

Thanks a lot for your time!

Best,
Vitali
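
An added example, not part of any post in this thread: one way an ESP could keep the traffic described above out of click analytics. It assumes the `/info/<token>` path layout from the post and that a mutated request is base64 text sharing a prefix with an issued token, as the post's decoding suggests; the function names, thresholds and sample hits are constructed for illustration.

```python
import base64
import binascii
import os
import re
from collections import Counter

# Token format as shown in the post; in production this would be the set of
# tokens actually issued for the mailing (assumption).
ISSUED = {"29vcszz10k40z1y0c2yqz3"}
TOKEN_RE = re.compile(r"^/info/([A-Za-z0-9_-]+)$")

def b64_text(s):
    """Decode unpadded base64/base64url to ASCII text, or None if it is not."""
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def classify(path, issued=ISSUED, min_prefix=4):
    """Return 'issued', 'mutated', 'unknown' or 'other' for a request path."""
    m = TOKEN_RE.match(path)
    if not m:
        return "other"
    token = m.group(1)
    if token in issued:
        return "issued"
    decoded = b64_text(token)
    if decoded and any(
        len(os.path.commonprefix([decoded, real])) >= min_prefix for real in issued
    ):
        return "mutated"  # decodes to something that starts like a real token
    return "unknown"

def click_report(hits, threshold=2):
    """hits: list of (ip, path). Returns (clicks per token, flagged IPs)."""
    mutated = Counter(ip for ip, path in hits if classify(path) == "mutated")
    flagged = {ip for ip, n in mutated.items() if n >= threshold}
    clicks = Counter(
        path.rsplit("/", 1)[1]
        for ip, path in hits
        if classify(path) == "issued" and ip not in flagged
    )
    return clicks, flagged

# Constructed sample hits: the IP from the post plus a documentation-range reader.
SAMPLE_HITS = [
    ("20.203.218.75", "/info/Mjl2Y3N6ej"),
    ("20.203.218.75", "/info/" + base64.urlsafe_b64encode(b"29vcA1b2").decode().rstrip("=")),
    ("20.203.218.75", "/info/29vcszz10k40z1y0c2yqz3"),
    ("198.51.100.7", "/info/29vcszz10k40z1y0c2yqz3"),
]
```

A source that sends mutated tokens is flagged, and its hits on genuine tokens are dropped from the click count as well, since they arrive from the same scanner.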