Microsoft/MSN Mailhosts missing IP addresses

[HN Support 0]

Hi there for a couple weeks now I noticed most reporting was going to report_spam@hotmail.com.  I started to get suspicious and so started looking into it.  It seems as though there's some Microsoft IPv6 addresses which aren't in our "Hotmail / MSN" drop-down list of the Mailhosts section our account and every time the parser hits on one of those it decides that's the source of the spam instead of continuing through the headers to the actual origin.

Case in point: www.spamcop.net/sc?id=z6456858877zb5f21cf2fa16ca99611a32e08c680ae7z  As you can see in this case it stopped at 2a01:111:e400:c47c:0:0:0:49 instead of realizing that was not the sender IP and continuing on to the more likely candidate.  Here's some more failures of this type:

http://www.spamcop.net/sc?id=z6456858879z4145dd35d533293621e90955a03d735bz

http://www.spamcop.net/sc?id=z6456858881z5f2552c0a0b58982773dc4351afcbf34z

http://www.spamcop.net/sc?id=z6456858882zaf7ea911350a7960e8187700288a3ff8z

I tried deleting my Hotmail/ MSN mailhost entry from within our "Mailhosts" section and recreating it didn't help.  Also here's a sample of some of the IPv6 addresses that have been incorrectly identified as the source of the spam messages in some of our submissions:

2a01:111:e400:5a6b:0:0:0:40
2a01:111:e400:5a6c:0:0:0:36
2a01:111:e400:5311:0:0:0:11
2a01:111:e400:5311:0:0:0:30
2a01:111:e400:5311:0:0:0:32
2a01:111:e400:5311:0:0:0:42
2a01:111:e400:c47c:0:0:0:49
2a01:111:e400:c47c:0:0:0:52
2603:10b6:300:2c:0:0:0:28
2603:10b6:301:0:0:0:0:27
2603:10b6:403:0:0:0:0:22
2603:10b6:403:0:0:0:0:32
2603:10b6:403:0:0:0:0:33
2603:10b6:404:109:0:0:0:18
2603:10b6:404:109:0:0:0:21
2603:10b6:405:1:0:0:0:11
2603:10b6:406:bc:0:0:0:25
2603:10b6:406:bc:0:0:0:29
2603:10b6:910:3d:0:0:0:39

Also please note that whenever all the Microsoft / MSN IPv6 addresses in the message header ARE listed in the current Microsoft / MSN dropdown those messages are correctly parsed and the source of the spam message positively identified.  However this seems to be only 1 out of every 10 submissions which means I'm cancelling the reporting of 9 / 10 submissions at this point.

Please advise.

 

 

Edited April 3 by HN Support

[Kewl 0]

https://www.spamcop.net/sc?id=z6456935238zc9f4b8319848eaa131eed78bd3aadf85z

Wants to erroniously send report to report_spam@hotmail.com

[petzl 0]

4 hours ago, Kewl said:

https://www.spamcop.net/sc?id=z6456935238zc9f4b8319848eaa131eed78bd3aadf85z

Wants to erroniously send report to report_spam@hotmail.com

spam needs submitting report_spam address has been requested by hotmail for SpamCop reports

There is a problem that a lot of these are legacy issues and just go to a bit-bin.

You can submit spam to "abuse [ at ] microsoft [ dot ] com" from your email account where you actually received that spam

[HN Support 0]

The problem, petzl is not that the parser is generating a report addressed to the report_spam@hotmail.com address but that it is doing so INSTEAD of creating a report addressed to the actual ISP where the reported spam message came from, making the whole exercise relatively pointless.

What's Microsoft going to do about a spam that originally came from somewhere not in their control?  Nothing.  And then at the same time the ISP of the spammer isn't getting the notification it needs to take action.  That's the real issue here.

For example in the link you put into your reply the origination IP address of that spam message was most likely the 74.202.231.63 IP address listed in the headers.  When spamcop is parsing correctly it would most likely have found that it should address the report to security@level3.com, the abuse email address on file for the ISP in charge of that IP address.  As you can see at the bottom of that parse job that's NOT where it's addressed to and that's a fail.  Microsoft is not in charge of that IP address and therefore has no jurisdiction to correct the issue.

Edited April 4 by HN Support
Add supporting information

[Kewl 0]

HN Support... exactly right.  It's a parser error.  

The parser discarded the most important header...
Chain error HE1EUR02FT053.mail.protection.outlook.com not equal to last sender received line discarded

Hotmail changed its handling of incoming email about a week or two ago.   It is messing up the parser.
Now every spam I report goes to report_spam @ hotmail.com.

That's worse than useless, it wastes the time of abuse dept at hotmail.

Until the parser is fixed, there is no point in me reporting the spam I get in my hotmail account.
 

[HN Support 0]

Initially I was cancelling these but I've now realized it's possible to uncheck the report_spam@hotmail report, check the 'user report' option under it, then fill in the abuse address for the ISP who's in charge of that particular IP address.
You can find this by looking in the headers for the point at which a non-Microsoft server has handed off the messaging to a Microsoft server and running a whois on the IP address of that hand-off server. From your link above this is the relevant section:

Received: from mail1.listingbookmail.com (74.202.231.63) by
 HE1EUR02FT053.mail.protection.outlook.com (10.152.11.109) with Microsoft SMTP

Doing a whois 74.202.231.63 | grep Abuse gives us the following results:

OrgAbuseHandle: TWTAD-ARIN
OrgAbuseName:   tw telecom Abuse Desk
OrgAbusePhone:  +1-800-829-0420
OrgAbuseEmail:  abuse@level3.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/TWTAD-ARIN
RAbuseHandle: TWTAD-ARIN
RAbuseName:   tw telecom Abuse Desk
RAbusePhone:  +1-800-829-0420
RAbuseEmail:  abuse@level3.com
RAbuseRef:    https://whois.arin.net/rest/poc/TWTAD-ARIN
network:Abuse-Contact;I:abuse@twtelecom.net

So then you fill in abuse@level3.com into the blank 'user' field and submit that, instead.

 

 

 

Edited April 4 by HN Support
Correcting capitalisation error from grep abuse to grep Abuse

[petzl 0]

15 hours ago, HN Support said:

So then you fill in abuse@level3.com into the blank 'user' field and submit that, instead.

74.202.231.63 seems level3 have been playing games

Routing details for 74.202.231.63
[refresh/show] Cached whois for 74.202.231.63 : abuse@level3.com
Using best contacts abuse@level3.com
I know this ISP's abuse address:level3@admin.spamcop.net
Reports disabled for level3@admin.spamcop.net

Using level3#admin.spamcop.net@devnull.spamcop.net for statistical tracking.

[Kewl 0]

It's open season on Hotmail users until parser gets fixed and can correctly identify source of spam.

Here is another example of mis-directed abuse reports...

https://www.spamcop.net/sc?id=z6457322955zd3ebaf3de822b24885a674cf2ee4be95z
 

Parser mistakenly discards this crucial header line...

Received:  from smtp12-iad-sp1.mta.salesforce.com (13.108.238.139) by AM5EUR02FT049.mail.protection.outlook.com (10.152.9.233) with Microsoft SMTP Server
 

 

[Kewl 0]

petzl,

 

10 hours ago, petzl said:

74.202.231.63 seems level3 have been playing games

 

Sometimes reports get sent thru to abuse@level3.com

About 25% reports get sent, and 75% reports are disabled.
 

I'm not sure why but definitely games are being played by this ISP.

 

[Kewl 0]

On 4/4/2018 at 11:52 AM, HN Support said:

Initially I was cancelling these but I've now realized it's possible to uncheck the report_spam@hotmail report, check the 'user report' option under it, then fill in the abuse address for the ISP who's in charge of that particular IP address.
You can find this by looking in the headers for the point at which a non-Microsoft server has handed off the messaging to a Microsoft server and running a whois on the IP address of that hand-off server. From your link above this is the relevant section:

...

So then you fill in abuse@level3.com into the blank 'user' field and submit that, instead.

 

 

HN Support,

Everyone can uncheck report_spam @ hotmail, but not everyone has the option to fill in user field.  That's a spamcop premium user option.
 

Also, Filling in the optional user report field with the correct abuse email does not contribute to the blacklist for that spammer.

 

 

[Lking 0]

25 minutes ago, Kewl said:

It's open season on Hotmail users until parser gets fixed and can correctly identify source of spam.

Or Hotmail corrects the changes they made

On 4/4/2018 at 9:00 AM, Kewl said:

Hotmail changed its handling of incoming email about a week or two ago.   It is messing up the parser.

It is not feasible for SpamCop to adjust the parser to deal with every change made to other's email software.  Hotmail, among others, are not really too interested in how they affect other applications. Their interest is in providing (free) email service to their clients, so the client data, usage, networks are available to scrape.

[lisati 0]

#metoo - I sometimes have unwanted email arrive at my outlook email account that apparently arrives from yahoo or google, yet the parser decides to use the MSN reporting address. It's annoying having to do so, but when I spot such an email, I uncheck the report to hotmail, and fill in an appropriate abuse address for user submitted reports.

[petzl 0]

9 hours ago, Kewl said:

petzl,

 

Sometimes reports get sent thru to abuse@level3.com

About 25% reports get sent, and 75% reports are disabled.
 

I'm not sure why but definitely games are being played by this ISP.

 

possibly different IP's are run by different owners?

[Kewl 0]

It's been a over a month and since I've been able to report spam arriving in my hotmail account.

All reports would be sent to report_spam@hotmail.com whether they had anything to do with source of spam or not.

I refuse to bother their abuse dept with frivolous reports.