Microsoft spam reports go to the sewer?


For about the past week whenever I try to report a message that originates from Microsoft's Office365 handle it sends the message to some weird sewr [at] senpluspluseop.onmicrosoft.com

See: https://www.spamcop.net/sc?id=z6881814572z9bfd276bec188cdd562eea85191f1b37z

It seems almost like Microsoft is hijacked because if you do a whois on the IP 40.107.244.53 the address for reporting spam should be abuse@microsoft.com

Link to comment
Share on other sites

I am no expert at parsing email headers. 

At the top of the reported spam I see:

Quote
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2053.outbound.protection.outlook.com [40.107.244.53]) by mxgw.aswglobal.net with ESMTP id h3BymdFGCx9OhXbA (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <x>; Tue, 16 Jan 2024 07:43:00 -0500 (EST)

When I plug the IP 40.107.244.53 into the "Blocking List" tab at the top of Reporting URL page I see sewr [AT] senpluspluseop [DOT] onmicrosoft [DOT] com

Link to comment
Share on other sites

On 1/16/2024 at 8:20 AM, sc_aswglo said:

For about the past week whenever I try to report a message that originates from Microsoft's Office365 handle it sends the message to some weird sewr [at] senpluspluseop.onmicrosoft.com

See: https://www.spamcop.net/sc?id=z6881814572z9bfd276bec188cdd562eea85191f1b37z

It seems almost like Microsoft is hijacked because if you do a whois on the IP 40.107.244.53 the address for reporting spam should be abuse@microsoft.com

Even SC's parser redirects reports from abuse AT microsoft DOT com to report_spam AT hotmail DOT com. Well, at least until it was recently changed to sewr [AT] senpluspluseop [DOT] onmicrosoft [DOT] com. 

Link to comment
Share on other sites

abuse at microsoft dot com is too busy and full of self-importance to accept abuse reports from SC or anyone else. Use the online form to manually report and forums for Q and A. Onmicrosoft is a Microsoft domain for schools or companies for Office, not for personal accounts, so useraccount at companyname dot onmicrosoft dot com. No company in the world is big enough to hijack Microsoft. Stop blaming the messenger.

Link to comment
Share on other sites

The app runs on auto and is designed to block the spammer at IP level like any other blocklist - they do all run the same way contrary to popular beliefs of new members. Stop using free services including forums for helpdesk support. The technical staff are not often here during discussions because this space is generally for the members. Read the forum rules and find your manners and the search button.

Link to comment
Share on other sites

Months ago, when I could no longer POP messages from a Microsoft server (because MFA was imposed, and that doesn't work over POP), I was only left with the option to forward to a Gmail account. Reporting spam doesn't work because the origin looks to Spamcop like the forwarding server. The solution is to set up Mailhosts properly in SpamCop. But with the complexity of the Office365 cloud, I couldn't get it to work (there are just too many servers and Spamcop couldn't grok the configuration). So, I suspect others have the same problem (if they even knew or tried to configure Mailhosts).

Astonishingly, sometimes the Office365 server will send me failure emails that it refused to send a message because it was suspected to be spam. This happens when automatic forwarding kicks in for a spam that was RECEIVED by the server. Those are also technically spam. I don't understand why the filters that refuse to send (forward) spams are not the same as the ones that accept emails that are spam -- perhaps it happens when the filters are updated between the receiving and the sending? I'm not the admin of the server; these are hypotheses on my part.

In any case, Spamcop doesn't seem to work well with emails forwarded outside of an Office365 domain, and so I suspect a lot of false reports are sent, which may explain why they are going to "sewr".

Link to comment
Share on other sites
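The forwarding problem described in the post above, as an added example (not part of the original thread and not SpamCop's actual parser): a simplified model of how a trusted-relay list decides which Received hop is treated as the source. The host names, IP addresses and the `find_source` helper are constructed for illustration.

```python
import re

# Constructed sample, newest header first, as in a real message.
# Hop 1: the final mailbox provider accepts mail from the forwarding service.
# Hop 2: the forwarding service accepted the mail from the real sender.
SAMPLE_RECEIVED = [
    "from out1.forwarder.example (out1.forwarder.example [198.51.100.20]) "
    "by mx.mailbox.example with ESMTPS id abc123; Tue, 16 Jan 2024 07:43:05 -0500",
    "from mail.sender.example (unknown [203.0.113.77]) "
    "by in7.forwarder.example with ESMTP id def456; Tue, 16 Jan 2024 07:43:00 -0500",
]

# Matches "from <helo> (<rdns> [<ip>]) by <host>" inside one Received header.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def in_mailhosts(host, mailhosts):
    """True if host equals, or is a subdomain of, a configured mailhost domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in mailhosts)


def find_source(received, mailhosts):
    """Walk hops newest-first and return the IP that would be blamed, or None."""
    source = None
    for header in received:
        m = HOP_RE.search(header)
        if m is None or not in_mailhosts(m["by"], mailhosts):
            break  # unparseable, or written by a server we do not trust
        source = m["ip"]
        if not in_mailhosts(m["rdns"], mailhosts):
            break  # handed over by an outside server: treat it as the origin
    return source


if __name__ == "__main__":
    # Only the final mailbox is configured: the forwarder gets the blame.
    print(find_source(SAMPLE_RECEIVED, {"mailbox.example"}))
    # Forwarder configured as well: the walk continues to the real sender.
    print(find_source(SAMPLE_RECEIVED, {"mailbox.example", "forwarder.example"}))
```

With a large cloud provider the list of relay host names that must be trusted can be long, which is the configuration difficulty the post describes.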

11 hours ago, lartingyou said:

In any case, Spamcop doesn't seem to work well with emails forwarded outside of an Office365 domain, and so I suspect a lot of false reports are sent, which may explain why they are going to "sewr".

That is the address the owner of reported IP requested it to be sent to!
If SpamCop has been banned from sending reports it goes to BitBin [AT]spamcop 
I suspect your problem is Microsoft 365 is having a spamer's delight with free trail!
I'm in Australia but you might want American English not Oxford English to see the free trail?
https://www.microsoft.com/en-au/microsoft-365/try?ocid=AID_ema_PRO_SE19097^FY24_Jan_M365^en_AU

Link to comment
Share on other sites

12 hours ago, ninth said:

By using reputation to block SC has low rates of false positives.

SpamCop blocklist was designed to be a spam radar.
Once it detects an algorithm ratio for spam volume going through an IP it trips and blocks.
Spam stops, IP is freed.
 

Edited by petzl
Link to comment
Share on other sites

On 1/30/2024 at 3:12 AM, petzl said:

That is the address the owner of reported IP requested it to be sent to!

I realize that -- my comment was that it's a way for MS to ignore the reports. 

Quote

I suspect your problem is Microsoft 365 is having a spamer's delight with free trail!
I'm in Australia but you might want American English not Oxford English to see the free trail?
https://www.microsoft.com/en-au/microsoft-365/try?ocid=AID_ema_PRO_SE19097^FY24_Jan_M365^en_AU

I didn't realize trial in Australian English is written as trail? 😉 

Ribbing aside, I did some Web searching. SEWR is some Microsoft component relating to spam. Check out slide 8 of this presentation: https://www.slideserve.com/yoshe/understanding-microsoft-forefront-online-protection-for-exchange (lower right corner).

Also: https://todojosevaldez.files.wordpress.com/2013/08/08-o365-smb-js-exchangeonline-fope.pdf (dark gray box below NDR Pool).

So, maybe the OP's assumption that these emails are being ignored is totally flawed?

Link to comment
Share on other sites

FWIW, something positive I have noticed with this change in spam reporting address. I was averaging 300+ spam messages a week on my 25+ year old hotmail account. It's been really bad for the last 6 months. Since this change of reporting to the new "SEWR" address, my spam has dropped to around 4 to 5 spam emails a week. I am hoping Microsoft is finally getting a handle on it now.

Link to comment
Share on other sites

4 hours ago, lartingyou said:

Ribbing aside, I did some Web searching. SEWR is some Microsoft component relating to spam. Check out slide 8 of this presentation: https://www.slideserve.com/yoshe/understanding-microsoft-forefront-online-protection-for-exchange (lower right corner).

 

OK still trial not trail
I find that Microsoft do close spammers, but takes time, then it's easy for spammer to open another fake account to repeat.
There are plenty of free email account choices out there. Microsoft IPs are high volume, so it takes a LOT of spam hits before the radar SpamCop blocklist activates. The SEWR address I only see SpamCop using. I no longer report by SpamCop but do have a number of Microsoft abuse addresses to submit email as attachment to.
NANAE (usenet) many loved hating and criticizing (criticising) SpamCop for not having an abuse at address.
But logistically not practical to deal with the volume of mainly rubbish complaints, although it can or could be done by WEB or the link in a spam report!
I would guess that Microsoft would have the same logistic problem, IMO the need to legitimize (legitimise) users.
Twitter/X tried to remove the BOT users seems to have worked a bit but still needs working on.

Link to comment
Share on other sites

5 hours ago, lartingyou said:

I didn't realize trial in Australian English is written as trail? 😉 

Good comedy video about it

 

Link to comment
Share on other sites

11 hours ago, petzl said:

NANAE (usenet) many loved hating and criticizing (criticising) SpamCop for not having an abuse at address.

Not sure why it is needed unless you are referring to the email service? They can be contacted and you don't need to be a member or have an email account to get help. Ciscosystems has reporting emails for ironport depending on the type of abuse. How can I contact SC through the link in a spam report...if you mean my submit report address I thought that was not monitored?

Edited by ninth
Link to comment
Share on other sites

12 hours ago, ninth said:

Not sure why it is needed unless you are referring to the email service?

Before usenet (last millennium) was on a news reader not web based and SpamCop was poor.
"news.admin.net-abuse.email" is what NANAE stands for in my message.
https://en.wikipedia.org/wiki/News.admin.net-abuse.email

Edited by petzl
Link to comment
Share on other sites

It's been a while since I have posted here, but I'm thankful that I'm not the only one to have noticed that reports to Microsoft seem to have been sent to SEWR lately. As near as I can make out based on my own minimal research, and as someone else has noticed in this thread, it seems to be connected with Microsoft trying to deal with spam.

Now to wander off and catch up with new replies.

Link to comment
Share on other sites

On 2/3/2024 at 3:34 PM, petzl said:

Before usenet (last millennium) was on a news reader not web based and SpamCop was poor.

I still think it could be vastly improved if it used a browser (e.g. Chrome) as part of a parsing engine for spamvertised links. Many spammers use redirect links via linkedin or t.co or (your favorite spamcop-ignoring service). There are browser plugins that follow the redirects (and log them) and all of that could be evidence for spamvertised links. 

But I fear I'm getting off the pavement/sidewalk/topic :)

Link to comment
Share on other sites

16 minutes ago, lartingyou said:

But I fear I'm getting off the pavement/sidewalk/topic :)

I don't think that you are.
SpamCop has always been designed to target source of email spam.

If you have mailhosts setup it will only target email server (usually a free throwaway type)
Not websites, why I now do my own reporting which include registrars of websites
SpamCop only targets the IP of websites, unless some criminal intent they are not interested.

Edited by petzl
Link to comment
Share on other sites

4 minutes ago, petzl said:

SpamCop only targets the IP of websites, unless some criminal intent they are not interested.

Yes, but a link such as t.co will redirect to some other web site that has the actual payload to be delivered to the user. Often Google's sites are used to perform redirection. 

e.g. https://www.spamcop.net/sc?id=z6884275349za95462586f2f5a6df2082f0a7bd906b6z has a bit.ly link that redirects the browser to some other web site, with a different IP. In the case of bit.ly, the link got invalidated (abuse), but t.co, linkedin.com and tons of others do nothing. If SpamCop followed the other links and also sent reports, perhaps they'd be shut down, too.

The Chrome extension https://chromewebstore.google.com/detail/redirect-path/aomidfkchockcldhbkggjokdkkebmdll will show you when you click on a spamvertised link how many redirects it goes through. I've seen as high as 10 redirects for some spam links that start with t.co, for example. 

Spamcop does some rudimentary attempts to "deobfuscate" links, but AFAIK it doesn't follow redirections. They are heavily used by prolific spammers, precisely because this shields the true spamvertised sites from SC reports.

Link to comment
Share on other sites
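The redirect logging described in the post above, as an added example (not part of the original thread, and not something SpamCop is stated to do): walk a chain of HTTP redirects hop by hop and list every host involved. It runs offline against a constructed redirect table; `fake_fetch` and all `.example` URLs are hypothetical, and redirects done by JavaScript or meta refresh, which need a real browser, are not covered.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for HTTP responses: url -> (status, Location).
FAKE_WEB = {
    "https://short.example/abc": (301, "https://track.example/r?id=9"),
    "https://track.example/r?id=9": (302, "/go/landing"),
    "https://track.example/go/landing": (302, "https://shop.example/offer"),
    "https://shop.example/offer": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_fetch(url):
    """Hypothetical transport: returns (status, location) without any network access."""
    return FAKE_WEB.get(url, (404, None))


def redirect_chain(url, fetch, max_hops=15):
    """Return (hops, outcome); hops is a list of (url, status) in visit order."""
    hops, seen = [], set()
    while True:
        if url in seen:
            return hops, "loop"
        if len(hops) >= max_hops:
            return hops, "too many hops"
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops, "final"
        url = urljoin(url, location)  # Location may be relative to the current URL


def hosts_in_chain(hops):
    """Distinct host names in order of first appearance: one abuse contact each."""
    hosts = []
    for url, _ in hops:
        host = urlsplit(url).hostname
        if host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    hops, outcome = redirect_chain("https://short.example/abc", fake_fetch)
    print(outcome, hosts_in_chain(hops))
```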

bit.ly will shut down the link and quickly which really stuffs up a spammer sending out thousands of mail list emails because the link then goes nowhere. They give the handy option to view where the link goes instead of risk opening it. The SC app has a mission to stop spam using the blocklist and does not have time to clean up dodgy links but we can help by doing this extra work. The links are a distraction from giving spammers a bad enough rep that they need to keep moving on. Not all links redirect but are direct marketing such as a recent message I received with a long list of newspaper links including the guardian. I could not stop laughing that a dying business is making a desperate attempt expecting folks to click and pay for news? We can contact the newspapers to alert them sales and marketing do not have express permission to send these emails and I was advised by RU-Centre to contact the host of websites if I want the spam to stop and they run a very big if not the biggest operation.

Edited by ninth
Link to comment
Share on other sites

2 hours ago, lartingyou said:

I still think it could be vastly improved if it used a browser (e.g. Chrome) as part of a parsing engine for spamvertised links. Many spammers use redirect links via linkedin or t.co or (your favorite spamcop-ignoring service). There are browser plugins that follow the redirects (and log them) and all of that could be evidence for spamvertised links. 

Beware of using Chrome, Edge or any browser to save passwords after breaches going back to 2021 by hackers taking advantage of remote access working from home. Use a private browser to stop tracking but I still would not take the risk.

Link to comment
Share on other sites

15 hours ago, ninth said:

Use a private browser to stop tracking but I still would not take the risk. 

Thanks for the advice. Any recommendation of where to store the hundreds of passwords? I don't use the same one for each account - haveibeenpwned.com showed me the error of my ways 10+ years ago.

Link to comment
Share on other sites
