Microsoft IP being blocked


Hello,

Our company uses Microsoft Exchange Online and lately a lot of our customers are bouncing our emails due to the SpamCop blacklist. I've tried disputing it through the standard form but the captcha is broken; I tried multiple browsers.
The IP is 40.107.8.93 (40.107.8.93 IP Address Details - IPinfo.io). If there was spam coming from the IP please report it to Microsoft instead of blocking a huge service.

The issue seems to be going on for a few days/week already. 
EDIT: I've checked what users sent me and there were other IPs previously, but it keeps happening.
January 8th - 40.107.21.135

January 4th - 40.107.21.106

December 19th - 2603:10a6:150:149::16 though this I'm not 100% :P 

2nd Edit: Just got info another address got blocked 40.107.6.114

Edited by jwolpiuk
Wanted to show it's an ongoing issue

Hi,

We are getting the same problem with the emails from almost all our suppliers.

This is the failure message:

"JunkMail rejected - mail-vi1eur04on2113.outbound.protection.outlook.com (EUR04-VI1-obe.outbound.protection.outlook.com) [40.107.8.113]:13093 is in an RBL: Blocked - see https://www.spamcop.net/bl.shtml?40.107.8.113"

Almost all the IP addresses which begin with 40.107.XXX.XXX end up in Junk mail.

This should be fixed ASAP.

 


4 hours ago, Engin Acar said:

Hi,

We are getting the same problem with the emails from almost all our suppliers.

This is the failure message:

"JunkMail rejected - mail-vi1eur04on2113.outbound.protection.outlook.com (EUR04-VI1-obe.outbound.protection.outlook.com) [40.107.8.113]:13093 is in an RBL: Blocked - see https://www.spamcop.net/bl.shtml?40.107.8.113"

Almost all the IP addresses which begin with 40.107.XXX.XXX end up in Junk mail.

This should be fixed ASAP.

 

The SpamCop Blocklist seems to be working well.
Microsoft are the only ones to fix it; too many BOT spammers hitting spamtraps (fictitious email addresses).
https://www.spamcop.net/w3m?action=checkblock&ip=40.107.8.113

40.107.8.113 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 6 hours.
Causes of listing
System has sent mail to SpamCop spam traps in the past week 
Other hosts in this "neighborhood" with spam reports

Edited by petzl

I'm not saying it's an issue with SpamCop - just that it should be unblocked anyway; banning the whole IP range of a huge service because there's a spammer is overkill. We can't report it to Microsoft because we don't know anything about which sender is the spammer, that's something that only SpamCop knows, so this is the only place we can write to do something about it.


SpamCop block list only blocks a single IP when it hits a spam threshold algorithm ratioed to the volume of email going through that IP.
Then releases it when the spam stops for 24 hours; 40.107.8.113 is not presently listed, so the flood of spam going through it has presently stopped its spam flood.
The range of IPs listed may not be blocked but may have been.
For a Microsoft email IP to be blocked would be very high, well above the ratio for most IPs!
A lot of other big email providers just block rogue IPs and don't supply figures for doing so.
SpamCop Block releases IP when spam attacks stop.
Microsoft IMO do not seem to have worked out how to stop spammers.
Gmail is pretty good at doing this.

Edited by petzl

The problem is that the theoretical spammer isn't bound to the IP that gets blocked, Microsoft randomly uses most of them, even if you block one IP, the next email will go through the next one etc. and when that one gets blocked the 1st one might be unblocked already. For a spammer that just sends out stuff non stop and doesn't care that much if it arrives the 1st time this isn't that big of an issue. For a normal user unfortunately it is, not just the one sending but the receiver waiting for a legitimate email as well.

I agree that this is Microsoft's fault but there has to be a saner way to deal with it. Unfortunately the issue is persisting, today I had another user complain about this.

And the spamcop captcha is still broken...


Wow, they finally got blocked. One thing to note is that Microsoft was warned numerous times before their inaction allowed the IP to show up on the blocklist. I have been getting abuse from their IP with a few messages a day from a .shop address trying to imitate some paypal links.

Edited by gnarlymarley

2 hours ago, gnarlymarley said:

Wow, they finally got blocked. One thing to note is that Microsoft was warned numerous times before their inaction allowed the IP to show up on the blocklist. I have been getting abuse from their IP with a few messages a day from a .shop address trying to imitate some paypal links.

I suspect Microsoft's way of handling its spam-blocked IPs is to turn them off and use another one; they have a vast number of them?

Edited by petzl

12 hours ago, Russell L said:

The ONLY problem here is that Microsoft is not stopping the abuse of their mail servers to send spam.

Take your issue up with Microsoft.  Spamcop is working exactly as it is supposed to.  Only Microsoft can fix this.

How is it working as supposed to if it's not stopping spam and has a broken captcha on the website?

 

6 hours ago, petzl said:

I suspect Microsoft's way of handling its spam-blocked IPs is to turn them off and use another one; they have a vast number of them?

No, it seems like it's relatively random which IP is used to send an email. Most are used at the same time. You can check the volume: Reputation Lookup || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence

FYI right now it seems like most IPs are unblocked but I guess it's a matter of time until one gets blocked and it's just going to be annoying for the users.

Edited by jwolpiuk

As a reminder the function of any block list, SCBL included, is to assist users of a block list segregating unwanted commercial email from their other incoming email.

No block list provider, including SC, has the authority to stop a spammer or block spam at its source.

In addition to the block list, SC uses the header of the reported email, and spam traps to identify the ISP used by the spammer and notifies the ISP that their assets are being used to spread spam.  It is up to the ISP to take whatever action they deem appropriate.

Unfortunately, some ISPs are more concerned about their paying customers, senders of email (including spam), than they are concerned about the overall state of the internet. One common result of this $$$ mindset is to shift their clients away from IPs that are blocked so the customer's emails will get through.

In this day and time it is hard to realize that the internet email system was designed in a time when "all" internet users were "good members of the community" and expected to act accordingly. I'm guessing that lasted about 26 minutes. Block lists are one answer to that design shortcoming. IMHO to redesign the email system now would be similar to changing the U.S. electrical grid. Some things may continue to work. Most would not.

The result for those trying to receive email is to work with their incoming ISP and/or use some app to help filter their incoming email. Currently there are 80+ emails I have filtered into a trash folder waiting for me to report them.

The result for those trying to send email is to use an ISP that will provide them a fixed IP that no other user can use to send spam, OR use an ISP that does not allow their paying customers to send spam. Either approach should result in an outgoing IP that will not be on a block list. (assuming your email lists are double-opt-in lists.)


11 hours ago, jwolpiuk said:

How is it working as supposed to if it's not stopping spam and has a broken captcha on the website?

That's not its only purpose, though trust me, it most definitely is stopping spam.  Spamcop simply lists IP addresses that are actively sending spam, that's it, and it's working perfectly in that regard.  I, personally don't wish to receive mail from systems actively being abused to send spam.  Whether I choose to block communications from them, or just add a warning to an email is up to me.  If you don't want to be impacted by such abusive behavior while sending mail, you can always choose not to put your email on a service that is abused without regard for the rest of the Internet.

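Added example, not written by any poster in this thread: how a receiving mail server consults a DNS blocklist such as bl.spamcop.net and then chooses its own action (reject or tag), which is the division of roles the posts above describe. The query-name format follows RFC 5782; the function names, the injectable `resolve` parameter, the `550` reply text and the `X-DNSBL-Warning` header are assumptions for illustration, and whether this zone carries IPv6 listings is not stated in the thread.

```python
import ipaddress
import re
import socket

ZONE = "bl.spamcop.net"  # zone named in the listing output quoted in the thread


def dnsbl_name(ip, zone=ZONE):
    """Query name per RFC 5782: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def lookup(ip, resolve=socket.gethostbyname, zone=ZONE):
    """Return the 127.x.x.x answer if the IP is listed, else None."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:  # NXDOMAIN or resolver failure: treat as not listed
        return None
    # Listings are signalled with 127.0.0.0/8 answers; any other address means
    # the resolver is rewriting responses and must not be read as a listing.
    return answer if answer.startswith("127.") else None


def connecting_ip(reject_line):
    """Pull the bracketed client IP out of a rejection line like the one quoted."""
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", reject_line)
    return m.group(1) if m else None


def disposition(ip, mode="tag", resolve=socket.gethostbyname):
    """Receiver-side policy: the list only answers, the receiver picks the action."""
    answer = lookup(ip, resolve)
    if answer is None:
        return ("accept", None)
    if mode == "reject":
        return ("reject", f"550 {ip} is listed in {ZONE} ({answer})")
    # Hypothetical header name, used here only to show the "warn" option.
    return ("tag", f"X-DNSBL-Warning: {ip} listed in {ZONE} ({answer})")


if __name__ == "__main__":
    # Rejection line as quoted in the thread. The resolver below is a
    # constructed stand-in so the example runs without network access.
    line = ("JunkMail rejected - mail-vi1eur04on2113.outbound.protection.outlook.com "
            "(EUR04-VI1-obe.outbound.protection.outlook.com) [40.107.8.113]:13093 "
            "is in an RBL")

    def fake_resolve(name):
        if name == "113.8.107.40.bl.spamcop.net":
            return "127.0.0.2"
        raise socket.gaierror("NXDOMAIN")

    ip = connecting_ip(line)
    print(ip, disposition(ip, "tag", fake_resolve))
    print("40.107.93.48", disposition("40.107.93.48", "reject", fake_resolve))
```

Because each sending IP is looked up on its own, a sender whose provider rotates outbound addresses will see some messages accepted and others tagged or rejected, which matches the intermittent bounces reported above.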

On 1/18/2024 at 6:10 PM, jwolpiuk said:

How is it working as supposed to if it's not stopping spam and has a broken captcha on the website?

It is not compulsory for an ISP email server to use SpamCop's blocklist.
I just use Gmail nowadays; they don't.
 


It is more difficult to navigate the worldwide network to run a business when time is money and every missed email is a missed opportunity for a sale. A business email address phone number is on the website and cannot be hidden from spammers profile databases or worse. It's never been so important to keep up to date with upgrades and fixes or your system becomes vulnerable to hackers...avoid skimping on free services or install the new server using wiki. I know of at least 3 blocklist crooks profiting from charging for the removal of IP addresses.


On 1/18/2024 at 6:10 PM, jwolpiuk said:

How is it working as supposed to if it's not stopping spam and has a broken captcha on the website?

 

No, it seems like it's relatively random which IP is used to send an email. Most are used at the same time. You can check the volume: Reputation Lookup || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence

FYI right now it seems like most IPs are unblocked but I guess it's a matter of time until one gets blocked and it's just going to be annoying for the users.

Not had a problem with a SpamCop Captcha yet, but others have reported same?
There have been fixes given but can't recall what?
You not using a dodgy IP by any chance?
I know Google will do a BOT check on one sometimes for their Captcha.

Send yourself say 19 minutes apart. Then see if the IPs match?
If they don't it means Microsoft are IP hopping to avoid SpamCop's blocklist's spam threshold algorithm ratioed to the volume of email going through that IP.
Actually I don't often get Microsoft spam, but when it does start it's in the hundreds!
I report everyone. As Gmail will turn off your email account if it is DOS attacked by too much spam!
Gmail don't use SpamCop's Blocklist. But possibly just bit-bin spam sending IPs.
I report all spam, also at a click of a Phishing button which may activate a bit-bin dump (if they have one)?

Edited by petzl

I've been receiving MANY spam messages originating from Microsoft via their protection.outlook.com MTAs.  But on a positive note, it seems to have (hopefully) been resolved.  I haven't seen one since Friday, Jan 19 at 19:06:53

Many of them were using the same address as the sender AND the recipient.  e.g. I'm spamming myself? [humor...]

Most were originating from their 'onmicrosoft.com' services domain

I've tracked all of these spams back to hacked eMail addresses that were used at various online services. ( Marshalls, Zacks, NavellierGrowth, AceHardware, etc. )
(I tend to use unique email addresses for everything.)

A sampling of the Subjects:

"-Re: 2nd_attempt_for MYNAME"
"Celebrating Dicks Sporting Goods anniversary with an Stanley Tumbler"
"Exclusive Product Awaits You: Complete Our Survey"
"Get Rewarded for Your Opinion: Take Our Survey!"
"Get a Dewalt LED Work Light for Your Valuable Input"
"Important for MYNAME!!!!!"
"Important for MYNAME"
"Important_for: MYNAME"
"Jumpstart Your DIY Project with a FREE Pittsburgh Tool Set!"
"Message for MYNAME"
"Re: Your Southwest Reward"
"Shape Our Future: Survey & Win Dewalt LED Work Light Prize"
"Survey Time: Win Big with Our SMEG Bean to Cup Coffee Machine"
"Welcome to Dewalt LED Work Light Reward Panel"

And NONE of these would be considered safe to open in your email client.

All have been reported to both Microsoft and SpamCop.  And remember: The SpamCop Blocking list is only advisory.  It is up to the recipient system as to how any flagged emails should be handled.

If you're curious, one of the IP ranges used by Microsoft is:
NetRange 40.74.0.0-40.125.127.255 NetName: MSFT   abuse@microsoft.com

And all the Microsoft sourced spam I've seen has been coming from the 40.107.xx.xx/16 network.

Edited by olddog55
nit-picking...

Darn.

I spoke too soon.  Just got another Microsoft spam from onmicrosoft.com

Guess 'they' just bot another services domain.  Company name 'x783qsi'  Sure looks bogus to me.

Came from the Microsoft protection.outlook.com MTA at 40.107.93.48
From: Dicks Sporting Goods Rewards ! <..snip..@x783qsi.onmicrosoft.com>
Subject: Stanley Tumbler Exclusive Rewards For You !

Sigh.


43 minutes ago, olddog55 said:

Darn.

I spoke too soon.  Just got another Microsoft spam from onmicrosoft.com

Guess 'they' just bot another services domain.  Company name 'x783qsi'  Sure looks bogus to me.

Came from the Microsoft protection.outlook.com MTA at 40.107.93.48
From: Dicks Sporting Goods Rewards ! <..snip..@x783qsi.onmicrosoft.com>
Subject: Stanley Tumbler Exclusive Rewards For You !

Sigh.

Just today I'm getting hammered from Microsoft with Child porn!
AWS is the url link
I also report this to the US FED's
 

phishing-report[AT]us-cert[DOT]gov

Child porn phishing spammer spammer
pictures under 18 or made to look under 18
NO PROOF OF AGE available!
SENT TO MINORS

2257 Regulations (C.F.R. Part 75), part of the United States Code of Federal Regulations, require producers of sexually explicit material to obtain proof of age for every model they shoot, and retain those records. Federal inspectors may at any time launch inspections of these records and prosecute any infraction.

"unless the websites “perform reasonable age verification methods” — in short, requiring users to show government ID to prove they are 18 or older."

No working unsubscribe


 


Not exactly a great situation to be at the mercy of others' abuse of a service, but I understand the need to filter this way. I have submitted a support ticket with Microsoft. Any other avenues worth exploring to report this with them?


We're removing spamcop.net from our real time block lists for the time being, which is unfortunate. It's been nearly a month, and there's just too much legitimate email coming from Microsoft servers that's being blocked. Hopefully Microsoft can get a handle on this, but that I know of spamcop is one of the only ones that's flagging Microsoft for spam currently.


On 1/23/2024 at 5:17 AM, zscoe said:

Not exactly a great situation to be at the mercy of others' abuse of a service, but I understand the need to filter this way. I have submitted a support ticket with Microsoft. Any other avenues worth exploring to report this with them?

Post a link to your latest SC report.


Our company continues to be damaged by this issue. Blocking entire Mail Server IPs as a means to combat spam is like hammering in a push pin. While I acknowledge the importance of addressing spam-related issues, it's crucial to consider the broader implications of such actions.

Currently, Spamcop appears to be the sole service employing this approach, and it's evident that this practice can lead to more than just a disruption in email communication. It has the potential to harm a company's reputation and brand image. I wonder if there might be a point in the future where such actions could lead to legal repercussions, including the possibility of class-action lawsuits. It's important to address these concerns as they have the potential to impact not only email senders but also recipients and businesses as a whole.

Let's find solutions that effectively combat spam while minimizing unintended consequences.


On 1/26/2024 at 5:02 AM, Admin said:

Our company continues to be damaged by this issue. Blocking entire Mail Server IPs as a means to combat spam is like hammering in a push pin. While I acknowledge the importance of addressing spam-related issues, it's crucial to consider the broader implications of such actions.

Currently, Spamcop appears to be the sole service employing this approach, and it's evident that this practice can lead to more than just a disruption in email communication. It has the potential to harm a company's reputation and brand image. I wonder if there might be a point in the future where such actions could lead to legal repercussions, including the possibility of class-action lawsuits. It's important to address these concerns as they have the potential to impact not only email senders but also recipients and businesses as a whole.

Let's find solutions that effectively combat spam while minimizing unintended consequences.

SpamCop members have no control over its blocklist; this is used only by ISPs that choose to use it.
You don't have a dedicated IP (ask Microsoft to see what's the deal)?
Assuming you are not part of the problem (not using a double opt-in email list)
You should be OK if you don't. Do this.
Seems you are using a Microsoft shared IP, the main reason they keep getting blocked by spamtrap hits,
which are fictitious email addresses, which are scraped by bots from websites
where these addresses are put there as a poison.
Spammers buy blocks of non-validated email addresses to do exactly that (end up in many spamtraps).
For a Microsoft IP to end up on SpamCop's conservative spamtrap is beyond belief; it would require hits in the million a minute score?
You suggesting we should swallow this spam with no defense?
If I get spam I do my utmost to send spammers to court; I have had numerous successes!

Edited by petzl

Top post petzl...keep them coming!

On 1/22/2024 at 8:25 AM, olddog55 said:

Darn.

I spoke too soon.  Just got another Microsoft spam from onmicrosoft.com

Guess 'they' just bot another services domain.  Company name 'x783qsi'  Sure looks bogus to me.

Came from the Microsoft protection.outlook.com MTA at 40.107.93.48
From: Dicks Sporting Goods Rewards ! <..snip..@x783qsi.onmicrosoft.com>
Subject: Stanley Tumbler Exclusive Rewards For You !

Sigh.

Good point and now I noticed it in some recently posted links in both the company name and username up to 41 randomly generated chars. Would be used to stop efforts to block email addresses and makes it faster to send out maillists en masse by fraudsters. Another good reason to report these discrepancies to bill.
