For whatever reason, email spam has been at an all-time high the last month or two. The majority that I am getting is coming directly from outlook.com via fake domains, complete with novel-length headers proclaiming how much it could not be spam because it somehow passed all their spam checks. I tried forwarding some to abuse@outlook.com but they promptly blocked my IP range (imagine that).
I do not ever receive legitimate email from anyone using outlook.com, so blocking them was both easy and satisfying. They might decide to do something if they see a few thousand “500” errors in a log somewhere, but they certainly do not care about abuse reports, or respect their own whitelisting of my server.
I use Postfix, so I simply added the following header checks:
/^X-Microsoft/ REJECT OPEN SPAM RELAY. BLOCKED AND REPORTED.
/^X-MS-Exchange/ REJECT OPEN SPAM RELAY. BLOCKED AND REPORTED.
It is a simple regexp: If the email header contains a line that starts with “X-Microsoft” or “X-MS-Exchange”, reject it with the added text. All the emails relayed through outlook.com contain several of these X header entries, all proclaiming how the email was scanned and found to be legitimate. I have included a sample below; it's quite long, but you can see just from the Subject that it's spam. The domain is always 100% fake, and does not exist in DNS. Somehow they still manage to get through and be cleared by outlook.com's anti-spam measures…
Return-Path: <ven14037@hdd.univalle.me>
X-Original-To: lily@xxxx
Delivered-To: lily@xxxx
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=52.100.175.217; helo=eur05-vi1-obe.outbound.protection.outlook.com; envelope-from=ven14037@hdd.univalle.me; receiver=<UNKNOWN>
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.xxxx 8C8E4301059B
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05hn2217.outbound.protection.outlook.com [52.100.175.217]) by mail.xxxx (Postfix) with ESMTPS id 8C8E4301059B for <lily@xxxx>; Fri, 29 Sep 2023 02:53:15 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=[base64 data omitted]
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ui5deztfcihSl/4/Cb0fnG83o0POLmACn6+gdz82XY8=; b=[base64 data omitted]
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hdd.univalle.me; dmarc=pass action=none header.from=hdd.univalle.me; dkim=pass header.d=hdd.univalle.me; arc=none
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=hdd.univalle.me;
Received: from AS5PR06MB8777.eurprd06.prod.outlook.com (2603:10a6:20b:67c::11) by PAWPR06MB9012.eurprd06.prod.outlook.com (2603:10a6:102:382::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.28; Fri, 29 Sep 2023 02:53:13 +0000
Received: from AS5PR06MB8777.eurprd06.prod.outlook.com ([fe80::52d5:425a:f7ae:ab63]) by AS5PR06MB8777.eurprd06.prod.outlook.com ([fe80::52d5:425a:f7ae:ab63%5]) with mapi id 15.20.6813.027; Fri, 29 Sep 2023 02:53:12 +0000
Date: Fri, 29 Sep 2023 02:53:11 +0000
Message-ID: <vuiD_4oh1556666777.1.M0BVAVGP0phnA@vl1.prod.outlook.com>
To: lily@xxxx
From: Neck Massage <ven14037@hdd.univalle.me >
Subject: Neck Massager For Quick & Easy Pain Relief
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-ClientProxiedBy: FR0P281CA0046.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:48::23) To AS5PR06MB8777.eurprd06.prod.outlook.com (2603:10a6:20b:67c::11)
Importance: high
X-Priority: 1
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AS5PR06MB8777:EE_|PAWPR06MB9012:EE_
X-MS-Office365-Filtering-Correlation-Id: 240ff082-5f12-4971-d2a8-08dbc0973854
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: [base64 data omitted]
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS5PR06MB8777.eurprd06.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(136003)(39860400002)(376002)(396003)(346002)(230922051799003)(186009)(1800799009)(1690799017)(451199024)(64100799003)(66946007)(41300700001)(786003)(66556008)(70586007)(38100700002)(316002)(6916009)(478600001)(66476007)(558084003)(2906002)(86362001)(41320700001)(5660300002)(8676002)(26005)(4270600006)(166002)(83170400001)(8936002)(6486002)(6512007)(5004160100008)(197963003)(15519875007)(37730700002);DIR:OUT;SFP:1501;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: [base64 data omitted]
X-OriginatorOrg: hdd.univalle.me
X-MS-Exchange-CrossTenant-Network-Message-Id: 240ff082-5f12-4971-d2a8-08dbc0973854
X-MS-Exchange-CrossTenant-AuthSource: AS5PR06MB8777.eurprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Sep 2023 02:53:12.2789 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d9342fd0-f7a5-4e0a-98ec-8df1db4e3a70
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: v1GAN7T3m8i0SV+DAoF2hU0ckU61Gk3T46bpg0ERF9Wr1tU/wEyGL4fKPpLB04GJYbrUxlCFMNHlsWyHOK3UaReuDVh60wJjwm8NOIAy9Sk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR06MB9012
#email #spam #outlook #SpamRelay #postfix #linux #microsoft #MSExchange
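A dry run of the two header checks from the post against raw messages, as an added Python example (not the author's code and not part of Postfix). It emulates only the basics of a Postfix regexp table (rules tried in order, case-insensitive matching, one logical header at a time), and the sample messages are constructed; running it over stored legitimate mail shows what the rules would have rejected before they are enabled.

```python
import re

# The two rules from the post, as lines of a Postfix regexp table.
HEADER_CHECKS = """\
/^X-Microsoft/ REJECT OPEN SPAM RELAY. BLOCKED AND REPORTED.
/^X-MS-Exchange/ REJECT OPEN SPAM RELAY. BLOCKED AND REPORTED.
"""

# Constructed sample messages (hosts and subjects are made up).
RELAYED = (
    "Received: from relay.example.net\r\n"
    "\tby mail.example.org (Postfix) with ESMTPS\r\n"
    "ARC-Message-Signature: i=1; d=example.net;\r\n"
    "\th=From:Date:Subject:X-MS-Exchange-AntiSpam-MessageData-0\r\n"
    "Subject: constructed sample\r\n"
    "x-ms-exchange-senderadcheck: 1\r\n"
    "\r\nbody\r\n"
)
DIRECT = "Subject: what does X-Microsoft-Antispam mean?\r\n\r\nbody\r\n"


def load_rules(table):
    """Parse '/pattern/ ACTION text' lines; blank and '#' lines do not match and are skipped."""
    rules = []
    for line in table.splitlines():
        m = re.match(r"/(.+)/\s+(\S+)\s*(.*)", line)
        if m:
            # Assumption: no flags after the closing slash; matching is
            # case-insensitive, the default for Postfix regexp tables.
            rules.append((re.compile(m.group(1), re.I), m.group(2), m.group(3)))
    return rules


def logical_headers(raw):
    """Join folded continuation lines: header_checks sees one logical header at a time."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def first_action(raw, rules):
    """Return (header, action, text) for the first header any rule matches, else None."""
    for header in logical_headers(raw):
        for pattern, action, text in rules:
            if pattern.search(header):
                return header, action, text
    return None
```

Because of the `^` anchor, a header that merely mentions `X-MS-Exchange` in its value (the folded `ARC-Message-Signature` here) does not trigger the rule; only a header whose name starts with the prefix does. On a live system, `postmap -q "X-MS-Exchange-SenderADCheck: 1" regexp:/etc/postfix/header_checks` asks Postfix itself (the file path is an assumption).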
@lily “The domain is always 100% fake, and does not exist in DNS.” OR, as in the case shown, the domain has a valid MX record for a MS365 customer.