LaserMoon Posted October 24, 2022 (edited)

For several months I've been registering an uptick in spam sent from Microsoft services, both from Azure and from Outlook. Are they vulnerable to exploitation, or are they merely incompetent at handling abuse reports? We literally tell them "here's the user abusing your services", yet the same abuser is allowed to send spam for months on end.

Their handling of abuse reports is also unhelpful, the message is always:

> This message is to notify you that the Computer Emergency Response Team has reviewed your reported issue and has actioned it appropriately.

Something like this is never experienced with serious established infrastructure providers.
petzl Posted October 24, 2022

2 hours ago, LaserMoon said:
> For several months I've been registering an uptick in spam sent from Microsoft services, both from Azure and from Outlook. Are they vulnerable to exploitation, or are they merely incompetent at handling abuse reports? We literally tell them "here's the user abusing your services", yet the same abuser is allowed to send spam for months on end. Their handling of abuse reports is also unhelpful, the message is always:

This always happens with "free trials" where they don't ask for a valid credit card. As soon as it gets canceled a spam bot opens another. And spammers use their spam list always from abuse[AT]messaging.microsoft[DOT]com - junk[AT]office365.microsoft[DOT]corn

Getting hammered from these morons, myself.
gnarlymarley Posted October 24, 2022

There is a part of this with the free trials. I think there is also part of this that might be when Microsoft added IPv6, but mailhosts only appears to accept the last 20 IPs. There are more than that on their internal relay server space.
LaserMoon Posted November 3, 2022 Author (edited)

This is beyond parody, Microsoft is now openly enabling scammers to send the lowest tier of spam "FBI NOTIFICATION FUND" signed by "CHRISTOPHER A. WRAY" <ksmg@tssolution.ru>. They even give the Russian spammers their own little subdomain for convenience:

    dig +short MX tssolution.ru
    0 tssolution-ru.mail.protection.outlook.com.
    10 mx.yandex.net.

Amazon EC2 is light years ahead of Microsoft when it comes to pretty much everything.
LaserMoon Posted November 6, 2022 Author

And what exactly is "MyCoucheTard.onmicrosoft.com"?

    smtp.mailfrom=tssolution.ru; dmarc=none action=none header.from=tssolution.ru; dkim=none (message not signed); arc=none
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=MyCoucheTard.onmicrosoft.com; s=selector1-MyCoucheTard-onmicrosoft-com;
Hanco Posted November 6, 2022

Yes, this is a problem. Daily now for me also.

    gnbrandschile.onmicrosoft.com
    GreenConcreteCJSC.onmicrosoft.com
    overseasvamani.onmicrosoft.com
    and more…

Any of you guys look at the image hosts for spams too? I tend to look and report the image files.

Imgur.com is quick to respond and delete. My spam sender rarely uses this now.

Zupimages also VERY quick to respond and delete.

ConstantContact.com was interesting. Spammer created dozens of customer accounts and uploaded images. Did not send emails from the accounts but called the images via the URLs. CC acted to close/delete.
Hanco Posted November 6, 2022

6 hours ago, LaserMoon said:
> And what exactly is "MyCoucheTard.onmicrosoft.com"?
>
>     smtp.mailfrom=tssolution.ru; dmarc=none action=none header.from=tssolution.ru; dkim=none (message not signed); arc=none
>     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=MyCoucheTard.onmicrosoft.com; s=selector1-MyCoucheTard-onmicrosoft-com;

Yeah, the sender is using US brand names to try to get responses. Any US brand name will do. Couche-Tard is not actually well known but I guess they might think it is. The Couche-Tard business operates convenience stores. Circle K gas stations being one of them.
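Added example, not part of any post in this thread: a small Python triage helper that reads the header fragment quoted above, pulls the DKIM signing domain from the `d=` tag, and checks whether it lines up with the visible `header.from` domain. `*.onmicrosoft.com` is the default domain form Microsoft 365 assigns to a tenant, so the label in front of it is the name to cite in an abuse report; the function names and the simplified alignment rule are assumptions of this example.

```python
import re

# Fragment quoted in the thread; the literal "\n" is treated as a line break.
SAMPLE = (
    "smtp.mailfrom=tssolution.ru; dmarc=none action=none "
    "header.from=tssolution.ru; dkim=none (message not signed); arc=none\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; "
    "d=MyCoucheTard.onmicrosoft.com; s=selector1-MyCoucheTard-onmicrosoft-com;"
)
TENANT_SUFFIX = ".onmicrosoft.com"  # default Microsoft 365 tenant domain suffix

def parse_fragment(text):
    """Split the fragment into auth-result properties and DKIM-Signature tags."""
    auth, dkim = {}, {}
    for line in text.splitlines():
        if line.lower().startswith("dkim-signature:"):
            for tag in line.split(":", 1)[1].split(";"):
                if "=" in tag:
                    k, v = tag.split("=", 1)
                    dkim[k.strip().lower()] = v.strip()
        else:
            line = re.sub(r"\([^)]*\)", "", line)  # drop (comments)
            for k, v in re.findall(r"([A-Za-z.]+)=([^\s;]+)", line):
                auth[k.lower()] = v.lower()
    return auth, dkim

def aligned(signing, visible):
    """Simplified relaxed alignment: same domain or parent/child.
    Assumption: a real DMARC check uses the Public Suffix List instead."""
    a, b = signing.lower().rstrip("."), visible.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(text):
    auth, dkim = parse_fragment(text)
    d = dkim.get("d", "")
    visible = auth.get("header.from", "")
    tenant = d[: -len(TENANT_SUFFIX)] if d.lower().endswith(TENANT_SUFFIX) else None
    return {
        "header_from": visible,
        "envelope_from": auth.get("smtp.mailfrom", ""),
        "dmarc": auth.get("dmarc", ""),
        "dkim_domain": d,
        "dkim_aligned": bool(d and visible) and aligned(d, visible),
        "tenant": tenant,  # name to cite in the abuse report
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A signature whose `d=` domain is not aligned with `header.from` does not help the message pass DMARC, but it does identify which tenant the message was signed under.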
LaserMoon Posted November 12, 2022 Author

On 11/6/2022 at 5:18 PM, Hanco said:
> Any of you guys look at the image hosts for spams too? I tend to look and report the image files.

A bit off-topic, but yes, there are several "extra" things to be reported that are outside of SpamCop's scope:

- The entire URL obfuscation chain (to URL shortening providers, or to services used as redirects such as Twitter, Wix, AWS S3, Google Sites)
- Image hosting.
- Gmail or other email addresses used as the reply-to field.
Hanco Posted November 13, 2022 (edited)

Yeah, I always report to abuse@gmail.com for the reply to and the requests reply in body (or has call to action button/link to generate reply to gmail address).

And report to Imgur, Zupimages, ConstantContact, or other abused provider… I find they are very willing to delete and stop abuse of their services.

And all the shortening services including the organized spammer’s in house processes.

Not off topic for me. Integral to the fight against these IDIOTS. They can work out who is doing it and remove me. Then they can carry on (unfortunately).
gnarlymarley Posted November 15, 2022

I believe the reason why SpamCop doesn't report the whole chain is it could cause a connection to the spammer's server and let the spammer know you got the email. There are so many URL shorteners that keep popping up, I would imagine that SpamCop would have a hard time keeping up with them too. But then one would need to trust the admin of the URL shortening service in order to look up the next chain.
Hanco Posted November 21, 2022

I just reported a Phishing email and a copy was sent to hotmail.com (instead of dev null)

    report_spam@hotmail.com

So that’s a change, right? We were seeing it all go nowhere?
Hanco Posted November 22, 2022

Ignore my last post. That report was sent but this is not… this was a spam about auto insurance sent by:

    greenconcretecjsc.onmicrosoft.com

WTH is greenconcretecjsc?
Appleseed Posted November 27, 2022

Almost all my spam this year, after the summer, has been from Microsoft and even hosted by them. I could get those messages 40 per day and they all are the same (most of the days only 15 or none). I have reported those to Microsoft and to those image hosting services like Discord and Zupimages and Github. No matter what I do, Microsoft keeps sending those and hosting them. Before that they did use other services, but I managed to close all of them. It was tons of work reporting that many spam to different services. Got them sites blacklisted to some Antivirus companies too.

I am using spam[DOT]org too, but that seems to be dead.