
Massive spams from Microsoft


spamkiller


I see that others have mentioned spam from Microsoft on this forum back in 2022 but no real resolution.  I've been reporting spam to spamcop.net for over 10 years.  I've always thought that it seemed to be helping to reduce my spam.  When I first started I was getting several hundred spams per month and after a few months and for several years I was seeing an average of 50 per month.

However......... Things have changed since early December 2023.  I'm now at over 300 per month and most of them are from <random chars>.onmicrosoft.com.  The IP address of the originating spam is a microsoft IP.  All spams have been reported to spamcop.net and I've been forwarding the spams to:
abuse@frontbridge.com
abuse@messaging.microsoft.com
abuse@microsoft.com
junk@office365.microsoft.com


I received one reply from Microsoft stating to send spams to Cert@Microsoft.com which I have done and added to the list.  As of today, I've sent them 55 notifications of spam.
I have a PowerShell script that I wrote to compile stats on current spams, ordered by spam reporting email address, and they are at the top of the list.  Here's the first few rows of the report:
spam reporting email addresses and count:
abuse@microsoft.com:313
abuse@apple.com:7
tech@salki.my.id:6
network-abuse@google.com:3

Any suggestions on what to do next?

Edited by spamkiller

So, I believe in the forums that there are two types of Microsoft spams. One is from the IPv6 issue where Microsoft is using millions of addresses internally, but I believe SpamCop mailhosts only remembers fifteen. The other is where they are actually coming from Microsoft as you have listed. I believe the *.onmicrosoft.com might be their cloud setup. For some reason, I seem to have had very little spam the past week. The only suggestion I have (after you have attempted the reporting to them) is to report as many as you can to feed the blocking list.

Edited by gnarlymarley

@gnarlymarley Thanks for the reply.  I will continue to report all spams to spamcop.

I've searched the internet on the proper method to report spam to Microsoft and almost 100% of hits are an explanation on how to configure your "Microsoft" email app to block or ignore spam!  Really??  Microsoft needs to wake up to the fact that not everyone uses a Microsoft email app.  Also, why should everyone have to configure their email app to block spam originating from Microsoft?  I think that Microsoft should configure their mail host to stop the spam in the first place.

 


7 hours ago, spamkiller said:

@gnarlymarley Thanks for the reply.  I will continue to report all spams to spamcop.

I've searched the internet on the proper method to report spam to Microsoft and almost 100% of hits are an explanation on how to configure your "Microsoft" email app to block or ignore spam!  Really??  Microsoft needs to wake up to the fact that not everyone uses a Microsoft email app.  Also, why should everyone have to configure their email app to block spam originating from Microsoft?  I think that Microsoft should configure their mail host to stop the spam in the first place.

"Abuse at microsoft com" will get you an auto ack telling you where to send spam
I don't believe they know how to deal with spammers' free email accounts?
Usually it's
phish[AT]office365[DOT]microsoft[DOT]com
this week?
But they must get millions of abuse reports, most of the clue'y automate by using a web page
These criminal redirection links using Gmail Google cloud are reported here for instance
https://support.google.com/code/contact/cloud_platform_report
I send the .eml attachment as a file attachment with it in "choose file" button
But they seem to be getting bogged down now also?

Edited by petzl

@petzl Thanks for the info.

I did receive a reply from Microsoft on Jan 4 that I had sent them on Dec 23.  It seemed to be a real reply rather than an auto reply.  This is the 2nd reply that I got from them.  I always put "spam Report # xx" in the subject because when they reply, there is no reference as to which email they are replying to.  They replied to email report # 31 and I'm up to report # 55, so they are really slow or running about 2 weeks behind.


10 hours ago, spamkiller said:

@petzl Thanks for the info.

I did receive a reply from Microsoft on Jan 4 that I had sent them on Dec 23.  It seemed to be a real reply rather than an auto reply.  This is the 2nd reply that I got from them.  I always put "spam Report # xx" in the subject because when they reply, there is no reference as to which email they are replying to.  They replied to email report # 31 and I'm up to report # 55, so they are really slow or running about 2 weeks behind.

The best way IMO is to charge a small fee US$10 (for life) via credit card or PayPal for what was once free email accounts, this stops the bots. Twitter is anti-bot, and has hoops and jumps to get through.


On 1/5/2024 at 12:45 AM, spamkiller said:

However......... Things have changed since early December 2023.  I'm now at over 300 per month and most of them are from <random chars>.onmicrosoft.com.  The IP address of the originating spam is a microsoft IP.  All spams have been reported to spamcop.net and I've been forwarding the spams to:
abuse@frontbridge.com
abuse@messaging.microsoft.com
abuse@microsoft.com
junk@office365.microsoft.com

Previously I was getting microsoft does not accept reports so sent to abuse at hotmail but SP is sending the same reports listed above from the same spammer since the start of year with IP error discarded forgery. Can we see an example of a parsing header?


Here's the header of the latest Microsoft spam received on Jan 6, 2024
Note: My email and domain have been removed.

Return-Path: <norevenhfd47_BRSuCNjlwKn@AZx2u2kc5.onmicrosoft.com>
Authentication-Results:  perfora.net; dkim=none
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
 ([40.107.223.128]) by mx.perfora.net (mxeueus005 [74.208.5.3]) with ESMTPS
 (Nemesis) id 1MWB7u-1rgHQL1Zve-00Vfv1 for <REMOVED>; Sat,
 06 Jan 2024 04:41:51 +0100
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=WH5Fl6oIMs9UCI5HL7Jx1GEQeddJQpSpEBrpfdoU7Kmqxdpg8/YMGsfm/LRdUSMshIr3PmL7MWf5JmGOwb/ymRrhX/eMeDDY6oFpq/fCnK7gX6POHdFTLZtgtDxMbyTfVJPTFhqNU0uNbNGrZtwsd7htSAQxD7wJLvPqMXdpY75helChsPwR7ROrs5Ox0+e9HwGQfQNvkxRdr3Iuppa1rW2+nH/jya0ZnvDUNRffIWuwV31GRl/jmhBWgg1ExMO3oZc3qx6zOmcoLJLz9kMc5AXSoO0VlXuYtEgffN7HTykUeX65lGx4OqiaLjPGY7WxH5Bb6tUBrX/euNCaLgU65w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=8koqciwTQQ9NBa8XbTaJbbGVvpjlOMLF/IyfHTjyI/s=;
 b=QHN7bRJ2DPwEHWSCu8G/RQGHmXtzWxTRYOdAH/SN6jmQgiW9apOqGw7kNkkrdRAk6avTtBKTaFrD8tCYErl50kGN8jSmFRYvqSH52AH0O/DCkeTYZyOCW2W6eQMOUjDhfVc2gtppm29Ks37Wx0kdA778nyZQDlsmTAIDuXWTvtKEbVC7xz3bf0s6RpudvZw/G7drM/jtIODwUdHb4QsoTVIVpjyJesRUM7YK8iPfzKEbOpLkWq09PRMJ9W2oX3JvbAUiayUrg+SkPE9lwu8mHh9YdntlLjHuDSbCXux/fPjA0irDWCOzr9PAyRlMiw1uY8rXzlACano6vz+SCd284A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
 185.139.230.132) smtp.rcpttodomain=REMOVED
 smtp.mailfrom=azx2u2kc5.onmicrosoft.com; dmarc=none action=none
 header.from=azx2u2kc5.onmicrosoft.com; dkim=none (message not signed);
 arc=none (0)
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 185.139.230.132)
 smtp.mailfrom=AZx2u2kc5.onmicrosoft.com; dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=AZx2u2kc5.onmicrosoft.com;
Date: Sat, 06 Jan 2024 04:40:40 +0100
CC: REMOVED
From: YETI Department <norevenhfd47_BRSuCNjlwKn@AZx2u2kc5.onmicrosoft.com>
To: REMOVED
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
In-Reply-To: <norevenhfd47_BRSuCNjlwKn@AZx2u2kc5.onmicrosoft.com>
Content-Transfer-Encoding: 7bit
Importance: high
Subject: Adventure-Ready: YETI 30 oz Travel Mug for On-the-Go Excellence
Message-ID:
 <ee0f5bb7-ee44-4c91-928c-186e94101ec5@BN8NAM12FT110.eop-nam12.prod.protection.outlook.com>
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BN8NAM12FT110:EE_|BL3PR07MB8900:EE_
X-MS-Office365-Filtering-Correlation-Id: 532e6f5b-21fe-45a3-aa98-08dc0e696a8b
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
    Zoa/QW9woIDHTjVe+8JLFFLEZ6DdlVo3RSz26E++wlAm5joc1MvAMkpENSfH7Ze+aTbkDEJjTsQIbtvwBmVXCgNHm5G2/HGEHFiO9b/Ge84buDeFKgOtL59lCsWRMz1V6GQixBgG7mpjuG9eL5VKf5YprOXFRnofk7wJePc8MCgS4y0XZdLoNaWnBdSa7tmxtXjzGFdNqIYTYyhK3bcS2BYIYytZL1pCf7aGklvsItCVFaaXPErIEidmcftXFpcGr8bpt1ugCIj4p8uu+ws6sslzYtq69lPiY44SM/H4YH68NJf1v16y1egAQcxDPlkMvbV6Y7qR9CGjjB2wpBYMxusrRTRE1B516uzKoOxponDTaKlmw8GblzWmrzDnIboZZ0YCVg48rozAA9HkOJf9GgMQsP5MtNnjofQpn5YsI3SufzzGsRzpmWlmM3VJr4Cklm5CdThLhKFMzhLxT1z3VYP69Vzho0DPYoQh3GZrqO79KmNQjhI6x1Ovv0W6nBYg9pK1uUjVylUDSmT5vJjxF42v2+InQNc0nMNf48H82GFc7GiwYV12l7Ir+g7hSBR0y3mj7Zvb6YZz8JcUQrNnhA==
X-Forefront-Antispam-Report:
    CIP:185.139.230.132;CTRY:DE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.beatty.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(39860400002)(396003)(346002)(376002)(136003)(230922051799003)(82310400011)(186009)(7200799017)(451199024)(1690799017)(64100799003)(61400799012)(46966006)(40470700004)(36840700001)(8400799017)(41320700001)(40460700003)(31686004)(40480700001)(26005)(336012)(9686003)(478600001)(82740400003)(31696002)(558084003)(86362001)(81166007)(166002)(2906002)(41300700001)(36860700001)(47076005)(34020700004)(70586007)(6916009)(42186006)(316002)(786003)(70206006)(67280400001)(5660300002)(8936002)(4326008)(8676002)(176363001)(36900700001);DIR:OUT;SFP:1102;
X-OriginatorOrg: AZx2u2kc5.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Jan 2024 03:41:49.9473
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 532e6f5b-21fe-45a3-aa98-08dc0e696a8b
X-MS-Exchange-CrossTenant-Id: b38bbb7a-f829-4fb9-92d4-c9db4665139c
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b38bbb7a-f829-4fb9-92d4-c9db4665139c;Ip=[185.139.230.132];Helo=[mail.beatty.com]
X-MS-Exchange-CrossTenant-AuthSource:
    BN8NAM12FT110.eop-nam12.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL3PR07MB8900
Envelope-To: <REMOVED>
X-spam-Flag: YES
X-Antivirus: AVG (VPS 240106-0, 1/5/2024), Inbound message
X-Antivirus-Status: Clean


11 hours ago, spamkiller said:

Authentication-Results:  perfora.net; dkim=none
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
 ([40.107.223.128]) by mx.perfora.net (mxeueus005 [74.208.5.3]) with ESMTPS
 (Nemesis) id 1MWB7u-1rgHQL1Zve-00Vfv1 for <REMOVED>; Sat,
 06 Jan 2024 04:41:51 +0100
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=WH5Fl6oIMs9UCI5HL7Jx1GEQeddJQpSpEBrpfdoU7Kmqxdpg8/YMGsfm/LRdUSMshIr3PmL7MWf5JmGOwb/ymRrhX/eMeDDY6oFpq/fCnK7gX6POHdFTLZtgtDxMbyTfVJPTFhqNU0uNbNGrZtwsd7htSAQxD7wJLvPqMXdpY75helChsPwR7ROrs5Ox0+e9HwGQfQNvkxRdr3Iuppa1rW2+nH/jya0ZnvDUNRffIWuwV31GRl/jmhBWgg1ExMO3oZc3qx6zOmcoLJLz9kMc5AXSoO0VlXuYtEgffN7HTykUeX65lGx4OqiaLjPGY7WxH5Bb6tUBrX/euNCaLgU65w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=8koqciwTQQ9NBa8XbTaJbbGVvpjlOMLF/IyfHTjyI/s=;
 b=QHN7bRJ2DPwEHWSCu8G/RQGHmXtzWxTRYOdAH/SN6jmQgiW9apOqGw7kNkkrdRAk6avTtBKTaFrD8tCYErl50kGN8jSmFRYvqSH52AH0O/DCkeTYZyOCW2W6eQMOUjDhfVc2gtppm29Ks37Wx0kdA778nyZQDlsmTAIDuXWTvtKEbVC7xz3bf0s6RpudvZw/G7drM/jtIODwUdHb4QsoTVIVpjyJesRUM7YK8iPfzKEbOpLkWq09PRMJ9W2oX3JvbAUiayUrg+SkPE9lwu8mHh9YdntlLjHuDSbCXux/fPjA0irDWCOzr9PAyRlMiw1uY8rXzlACano6vz+SCd284A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
 185.139.230.132) smtp.rcpttodomain=REMOVED
 smtp.mailfrom=azx2u2kc5.onmicrosoft.com; dmarc=none action=none
 header.from=azx2u2kc5.onmicrosoft.com; dkim=none (message not signed);
 arc=none (0)
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 185.139.230.132)
 smtp.mailfrom=AZx2u2kc5.onmicrosoft.com; dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=AZx2u2kc5.onmicrosoft.com;
Date: Sat, 06 Jan 2024 04:40:40 +0100
CC: REMOVED
From: YETI Department <norevenhfd47_BRSuCNjlwKn@AZx2u2kc5.onmicrosoft.com>
To: REMOVED
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
In-Reply-To: <norevenhfd47_BRSuCNjlwKn@AZx2u2kc5.onmicrosoft.com>
Content-Transfer-Encoding: 7bit
Importance: high
Subject: Adventure-Ready: YETI 30 oz Travel Mug for On-the-Go Excellence
Message-ID:
 <ee0f5bb7-ee44-4c91-928c-186e94101ec5@BN8NAM12FT110.eop-nam12.prod.protection.outlook.com>
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BN8NAM12FT110:EE_|BL3PR07MB8900:EE_
X-MS-Office365-Filtering-Correlation-Id: 532e6f5b-21fe-45a3-aa98-08dc0e696a8b
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:

That's all we need better to send a track
Microsoft get worse at every turn then call them "upgrades"
40.107.223.128   abuse[AT]microsoft[DOT]com only one available
which is ignored except for auto ack gleefully telling you to go to some obscure address

Their CERT address is no longer for their phishing DOS attacks!
phishing-report[AT]us-cert[DOT]gov
If they even breathe perhaps need to tell Microsoft for Automatic spam forward as attachment website to sort their DOS attackers out?
Microsoft have forums?
Will face up to converting to a Google operating system when this gets too slow with Microsoft deliberately bloated "updates" (downgrades)
But won't save the problem with Microsoft spam!

 

Edited by petzl

MS has an online reporting form for spam and other problems but it is nested and long-winded and that is connected to a question and answer service including a complaint about SC blocklist with a very diplomatic reply from MS. Note we are all customers of MS Windows and very exe laptops so should get an appropriate level of service even for free email. Should be in the Guinness Book of Records for world's largest monopoly.


  • 2 weeks later...

Yes, since about mid Dec, I've seen a large uptick in e-mail that is from:  x.x.onmicrosoft.com

In which the e-mail appears to originate from a Microsoft Exchange server hosted in their "hybrid environments"

i.e.

All headers have this in common:

X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

and all have headers similar to this:

X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=25d080a6-ef03-4383-b518-f748034a7c66;Ip=[185.237.12.12];Helo=[mail.saginawpipe.com]

Where the TenantId (and of course the ip/Helo server) vary, however.. they don't vary a TON...

Here is my current "HOLD" queue for the last few days (that I've captured)

 

 

 

All of the above are servers that have sent their e-mail out "via" outlook.com  (you'll see a few repeats here)... I've also put in a TON of items into spamcop and to "report_spam@outlook.com"

However...

I think the folks at Microsoft are... asleep at the wheel.  (Or trying to fight this battle with their Windows ME computers)

 

 

 

 

 

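An added example, not written by any poster in this thread: a Python sketch that pulls the fields discussed above (the `spf=` result, `AuthAs`, `FromEntityHeader`, and the TenantId/Ip/Helo triple) out of raw message headers and groups matching messages by connecting relay. SAMPLE_A reuses header values from the Jan 6, 2024 message posted earlier; the other samples, the `192.0.2.10` / `mail.example.org` relay, the all-zero tenant IDs and the "matches_pattern" heuristic are constructed assumptions, not a Microsoft-documented rule.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

CONNECTING_HDR = "X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp"
KV_RE = re.compile(r"(TenantId|Ip|Helo)=\[?([^\];\s]+)\]?", re.IGNORECASE)
SPF_RE = re.compile(r"\bspf=(\w+)", re.IGNORECASE)

# Header values taken from the Jan 6, 2024 message posted earlier in the thread.
SAMPLE_A = """\
From: YETI Department <norevenhfd47_BRSuCNjlwKn@AZx2u2kc5.onmicrosoft.com>
X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 185.139.230.132)
 smtp.mailfrom=AZx2u2kc5.onmicrosoft.com; dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=AZx2u2kc5.onmicrosoft.com;
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b38bbb7a-f829-4fb9-92d4-c9db4665139c;Ip=[185.139.230.132];Helo=[mail.beatty.com]
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem

(body omitted)
"""


def _constructed(sender, tenant, auth_as, entity,
                 ip="192.0.2.10", helo="mail.example.org"):
    """Build a constructed (not real) header set for the demo."""
    return (
        f"From: Sender <{sender}>\n"
        f"{CONNECTING_HDR}: TenantId={tenant};Ip=[{ip}];Helo=[{helo}]\n"
        f"X-MS-Exchange-CrossTenant-AuthAs: {auth_as}\n"
        f"X-MS-Exchange-CrossTenant-FromEntityHeader: {entity}\n"
        "\n(body omitted)\n"
    )


# Constructed: two different tenants relaying through the same on-prem host.
SAMPLE_B = _constructed("a@tenant-one.onmicrosoft.com",
                        "00000000-0000-0000-0000-000000000001",
                        "Anonymous", "HybridOnPrem")
SAMPLE_C = _constructed("a@tenant-two.onmicrosoft.com",
                        "00000000-0000-0000-0000-000000000002",
                        "Anonymous", "HybridOnPrem")
# Constructed: tenant mail that does not show the Anonymous/HybridOnPrem pair.
SAMPLE_D = _constructed("b@tenant-three.onmicrosoft.com",
                        "00000000-0000-0000-0000-000000000003",
                        "Internal", "Hosted")
SAMPLES = [SAMPLE_A, SAMPLE_B, SAMPLE_C, SAMPLE_D]


def _hdr(msg, name):
    """Return a header value with folding whitespace collapsed ('' if absent)."""
    return " ".join((msg.get(name) or "").split())


def fingerprint(raw):
    """Extract the relay-related fields from one raw message."""
    msg = message_from_string(raw)
    fields = {k.lower(): v for k, v in KV_RE.findall(_hdr(msg, CONNECTING_HDR))}
    spf = SPF_RE.search(_hdr(msg, "X-MS-Exchange-Authentication-Results"))
    domain = parseaddr(_hdr(msg, "From"))[1].rpartition("@")[2].lower()
    fp = {
        "sender_domain": domain,
        "spf": spf.group(1).lower() if spf else None,
        "auth_as": _hdr(msg, "X-MS-Exchange-CrossTenant-AuthAs"),
        "from_entity": _hdr(msg, "X-MS-Exchange-CrossTenant-FromEntityHeader"),
        "tenant_id": fields.get("tenantid"),
        "ip": fields.get("ip"),
        "helo": fields.get("helo"),
    }
    # Heuristic from the thread's observation (an assumption, not a vendor rule):
    # *.onmicrosoft.com sender + Anonymous + HybridOnPrem + a connecting IP.
    fp["matches_pattern"] = (
        domain.endswith(".onmicrosoft.com")
        and fp["auth_as"].lower() == "anonymous"
        and fp["from_entity"].lower() == "hybridonprem"
        and fp["ip"] is not None
    )
    return fp


def group_by_relay(raw_messages):
    """Count matching messages per (connecting IP, HELO) and collect tenants."""
    relays = defaultdict(lambda: {"count": 0, "tenants": set(), "spf": set()})
    for raw in raw_messages:
        fp = fingerprint(raw)
        if not fp["matches_pattern"]:
            continue
        entry = relays[(fp["ip"], fp["helo"])]
        entry["count"] += 1
        entry["tenants"].add(fp["tenant_id"])
        entry["spf"].add(fp["spf"])
    return dict(relays)


if __name__ == "__main__":
    for (ip, helo), info in group_by_relay(SAMPLES).items():
        print(f"{ip:<18} {helo:<20} msgs={info['count']} "
              f"tenants={len(info['tenants'])} spf={sorted(map(str, info['spf']))}")
```

Grouping on the connecting IP and HELO rather than on the TenantId keeps the count stable when the tenant changes from message to message, which is the variation described in the post above.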

9 hours ago, Mossspamfight101 said:

I think the folks at Microsoft are... asleep at the wheel.  (Or trying to fight this battle with their Windows ME computers)

My email address I use on Usenet was actually scraped by Microsoft, or more likely from me reporting their spam to them from that Gmail account
Achieve more with free Microsoft 365 trial
 Now spamming me, no way I used this address to or for Microsoft, IMO it's expensive broken rubbish more-so than it's ever been?
Unsubscribed from that one, went to their site to find they have me on their multiple product list so had to delist them all.


 


  • 1 month later...

I'm still getting massive spam from Microsoft.  It will drop down to 1 or 2 per day and then back up to 10 per day.  Since it started in Dec 2023, I've received over 400 spams from a Microsoft email address.  I send every one to spam cop AND to 
junk@office365.microsoft.com
abuse@microsoft.com
abuse@messaging.microsoft.com
abuse@frontbridge.com
Cert@Microsoft.com
sewr@senpluspluseop.onmicrosoft.com

I will get about 5 replies per week from CDOC Case Management (Microsoft) stating the same thing.

Hi, 
Based on the information you provided, it appears to have originated from an Office 365 or Exchange Online tenant account.  
To report junk mail from Office 365 tenants, send an email to junk@office365.microsoft.com and include the junk mail as an attachment.  
This link provides further junk mail education 
https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx.  

Kindly,  

Leo

Microsoft Online Safety 

The name (Leo) is always different.  This may be an autogenerated message from MS before it's sent to the trash.  I have no idea.

It's strange that they always tell me that I should report it to junk@office365.microsoft.com but every report that I send has the list of email addresses that it's been sent to.  I assume that a real person never reads the email.
As of today (March 3, 2023), I've sent Microsoft 176 reports of spam and it's still coming in.

What can be done to make this stop? 
Is there a legal organization that can help me? 
I don't want to have to spend any money but I'm at wit's end on what to do.  I do not want to change my email address.  Why should I have to do that?
I currently have saved 462 spams from Microsoft.  Is there a class action lawsuit that I can get involved with?  Microsoft is out of control.

 
 

9 hours ago, spamkiller said:

What can be done to make this stop? 

You need to find out the Registrar of URL link in spam 
I use a free Windows APP to find Registrar.
Whois  program SpamCop only sends to WEB IP which is often ignored unless it's criminal
https://www.gena01.com/win32whois/
Would also help if you could send a SpamCop track, found at top of submission page BEFORE you submit report.


On 3/8/2024 at 10:02 AM, petzl said:

You need to find out the Registrar of URL link in spam 
I use a free Windows APP to find Registrar.

What happens if the link's host is aceville and reg/cert gname are scammer friendly...PTE LTD?

Cloudflare ns brad and anita are hosting gname but they always reckon they are providing security and network services so not responsible for content and bad behavior...all care and no responsibility.

Edited by ninth

4 hours ago, ninth said:

What happens if the link's host is aceville and reg/cert gname are scammer friendly...PTE LTD?

Cloudflare ns brad and anita are hosting gname but they always reckon they are providing security and network services so not responsible for content and bad behavior...all care and no responsibility.

If they don't have a registrar, then the IP owner needs to react, would help if you showed who the registrar is.
Cloudflare though requires a web report for abuse
https://www.cloudflare.com/trust-hub/reporting-abuse/
Also what type of spam, porn/Phishing/no working unsubscribe  or all three.
Then consider adding the country's CERT email to complaint.
https://www.first.org/members/teams/

Edited by petzl

This is a simbox scam link eurula homes registrar is gname. You posted the first.org address before but I forgot it so thanks for that.

Beware do not click on scam links! This post will self destruct in 30 seconds...


On 3/7/2024 at 5:02 PM, petzl said:

You need to find out the Registrar of URL link in spam 
I use a free Windows APP to find Registrar.
Whois  program SpamCop only sends to WEB IP which is often ignored unless it's criminal
https://www.gena01.com/win32whois/
Would also help if you could send a SpamCop track, found at top of submission page BEFORE you submit report.

Thanks for the info.

I ran a lot of them through the Win32whois app and it appears that most all show 
Registrar Abuse Contact Email:  mailto:abusecomplaints@markmonitor.com
So I forward all spam email from <randomstring>.onmicrosoft.com to abusecomplaints@markmonitor.com (along with the current email list) and I report them to spam.com and spam.org.

I've not seen any reduction in spams yet.

Once in a while, perhaps once per week I get a reply from MS stating that the email violated their rules and the account has been eliminated (or something like that).

As of today, I'm up to 500 saved spams from MS and 198 spam reports to MS.  

Am I wasting my time? 
The most annoying thing is that I get around 3 replies per day from MS and they all say "Send it to junk@office365.microsoft.com".  EVERY spam from MS goes to that email address!  Are they so stupid that they can't determine that?  Grrrrrrr!

 



Here's a link to Mark Monitor webhosting site: "https:// www{DOT}markmonitor{DOT}com/abuse-policy/"
They seem legit and even state that you can file a complaint by phone.

This will probably be my next step.

 

 

Edited by Lking
Not excited by live links to other sites

  • 1 month later...

@gnarlymarley - The spam from Microsoft to me has suspiciously dropped to a couple per month. However spam from domains that have namecheap as a registrar have taken over my massive daily spam.  I've logged over 100 different domain names that send me spam and have namecheap as the registrar.  Most (currently 84%) are being sent from a salesforce.com email address.  I add new namecheap domains to my list daily.
The war on spammers seems to never end.
