Discussion: phishing spam
jei
2023-03-11 21:28:41 UTC
A while back, my Yahoo email account became inundated with phishing spam messages.

I accessed the raw messages. Most of the spams had an X-Originating-Ip assigned to Microsoft. So I sent an email message to ***@Microsoft.com describing my experience.

In response, I received a message saying:
“Based on the information you provided, it appears to have originated from an Office 365 or
Exchange Online tenant account.

“To report junk mail from Office 365 tenants, send an email to ***@office365.microsoft.com
and include the junk mail as an attachment.”

So I did that.

For a few days, the torrent seemed to be reducing. But then the stream of trash increased again.

How can I free myself of this plague?

What’s an Office 365 tenant anyhow? Is that a realm where a Microsoft customer is in charge, rather than Microsoft itself?

Does somebody know about a contact in Microsoft that can help?

Is there a contact in Yahoo that can help?

Any fruitful lead is appreciated.

Thanks,
jei
Andreas Kohlbach
2023-03-12 00:47:33 UTC
Post by jei
A while back, my Yahoo email account became inundated with phishing spam messages.
“Based on the information you provided, it appears to have
originated from an Office 365 or Exchange Online tenant
account.
“To report junk mail from Office 365 tenants, send an email to
attachment.”
So I did that.
For a few days, the torrent seemed to be reducing. But then the stream of trash increased again.
How can I free myself of this plague?
Do the spams show a pattern? Subject line or something? And can a Yahoo user
apply filters? Then I would try that. Spam then should end up in Yahoo's
"spam" box you just ignore.
Post by jei
What’s an Office 365 tenant anyhow? Is that a realm where a Microsoft customer is in charge, rather than Microsoft itself?
No idea. Customer might be hacked.

Could you provide a sample of the header and body (XXX your own email
address and other personal stuff).
Post by jei
Does somebody know about a contact in Microsoft that can help?
Is there a contact in Yahoo that can help?
I don't think either company is interested in removing spammers.
--
Andreas
jei
2023-03-12 21:33:40 UTC
It’s impossible to detect a pattern in the spam phishing messages.

The “From” Field and the “Subject” field are long incomprehensible strings of text. Each spam message is different.

The way I narrow things down is to use ARIN Whois/RDAP - American Registry for Internet Numbers to identify the owner of the originating IP address in the raw message. The offending messages are from Microsoft networks. Yahoo email can filter on several fields, but not the owner of the IP address.

Even if it could filter by the originating IP address in the raw message, it wouldn’t be helpful, because I sometimes get useful email messages from Microsoft.

Does anybody have a suggestion for dealing with this situation?

Thanks,
jei
David Ritz
2023-03-13 00:09:37 UTC
On Sunday, 12 March 2023 21:33 -0000, jei wrote:

<headers>
User-Agent: Rocksolid Light 0.7.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.org
</headers>
It’s impossible to detect a pattern in the spam phishing messages.
The “From” Field and the “Subject” field are long incomprehensible
strings of text. Each spam message is different. The way I narrow
things down is to use ARIN Whois/RDAP - American Registry for
Internet Numbers to identify the owner of the originating IP address
in the raw message. The offending messages are from Microsoft
networks. Yahoo email can filter on several fields, but not the
owner of the IP address.
Even if it could filter by the originating IP address in the raw
message, it wouldn’t be helpful, because I sometimes get useful
email messages from Microsoft.
Microsoft (and a number of other mail services) hides originating IP
addresses in their email headers, in order to protect (hide) the
identity of the sender. Right or wrong, this is the state of affairs
with which you are attempting to deal.
Does anybody have a suggestion for dealing with this situation?
You are attempting to respond to a highly complex issue, where the bad
guys are taking extreme measures to circumvent detection. You
describe actions using very minimal tools, expecting to find a
panacea. No such single attribute universal solution exists.

If you are running a commercial, inbound SMTP server, there are a wide
variety of tools and resources available. These include IP-based
block lists and spam filtering appliances.

Some of the DNS block lists are available and free, to individuals in
non-commercial settings. By itself, this, too, is insufficient to
deal with the 500 pound gorillas which are too big to recommend
blocking outright.

There are DNSBLs, URIBLs, HashBLs and more, which may be used in
tandem, and may provide some relief from the constant onslaught of
unsolicited bulk junk. There are tools available, which are designed
to use these and other shared data, to mitigate, not solve, the flood
of junk.

While it may be a bit much for the average user, you may be able to
get SpamAssassin, which is quite suitable to bother the single user or
small to mid-sized user-base. The current version is Apache
SpamAssassin 4.0.0, released 2022-12-17.

https://spamassassin.apache.org/

- --
David Ritz <***@mindspring.com>
When dealing with any spammer, one must always keep in mind that you
are dealing with someone who makes their living through forgery, fraud,
theft, subterfuge and obfuscation. Stated simply, spammers lie.
Grant Taylor
2023-03-13 01:17:07 UTC
Post by David Ritz
Microsoft (and a number of other mail services) hides originating
IP addresses in their email headers, in order to protect (hide)
the identity of the sender. Right or wrong, this is the state of
affairs with which you are attempting to deal.
I have long configured MSAs to hide the IP that is connecting and
authenticating to send a message.

Received: from Contact-TNet-Consulting-Abuse-for-assistance
by ...

I have the information in my mail server logs and can provide it as
necessary.
Post by David Ritz
If you are running a commercial, inbound SMTP server, there are a
wide variety of tools and resources available. These include IP
based block lists and spam filtering appliances available.
These tools are available for non-commercial SMTP servers too.
Post by David Ritz
There are DNSBLs, URIBLs, HashBLs and more, which may be used in
tandem, and may provide some relief from the constant onslaught of
unsolicited bulk junk. There are tools available, which are designed
to use these and other shared data, to mitigate, not solve, the flood
of junk.
When used correctly, they can be quite effective and remove most of the
spam.
--
Grant. . . .
unix || die
David Ritz
2023-03-13 18:45:39 UTC
On Sunday, 12 March 2023 19:17 -0600,
[...]
Post by Grant Taylor
Post by David Ritz
If you are running a commercial, inbound SMTP server, there are a wide
variety of tools and resources available. These include IP based block
lists and spam filtering appliances available.
These tools are available for non-commercial SMTP servers too.
I was thinking along the lines of installing a Barracuda appliance,
which is not what I would expect is an appropriate solution for a
random Y! user.
Post by Grant Taylor
When used correctly, they can be quite effective and remove most of the spam.
I quite agree. That SpamAssassin relies on and combines these tools
is one of the primary reasons I suggested it, for single user through
mid-sized SMTP providers. (I would not expect MS, the GOOG or Y! to
seek this for spam mitigation, inbound nor outbound.)

- --
David Ritz <***@mindspring.com>
"The Zen nature of a spammer resembles a cockroach,
except that the cockroach is higher up on the evolutionary chain."
- Peter Olson, Delphi Information Engineer; 27-AUG-1998
Grant Taylor
2023-03-13 18:50:48 UTC
Post by David Ritz
I was thinking along the lines of installing a Barracuda appliance,
which is not what I would expect is an appropriate solution for a
random Y! user.
I think the more important difference is if you run your own server or
not; e.g. receive SMTP from the world.

I don't know if it's possible to have a Barracuda in play for something
where you don't host your own SMTP inbound from the world. -- I'm
ignoring something like fetchmail -> SMTP -> Barracuda -> etc.

I would be somewhat surprised if there isn't someone running a Barracuda
for a single user SMTP server.
--
Grant. . . .
unix || die
tjoen
2023-03-13 05:08:17 UTC
On 3/12/23 22:33, jei wrote:
..
Post by jei
Even if it could filter by the originating IP address in the raw
message, it wouldn’t be helpful, because I sometimes get useful email
messages from Microsoft.
MS has an abuse address. I have reported a few cases and the spam
stopped.
Scott Dorsey
2023-03-13 14:56:46 UTC
Post by jei
Does anybody have a suggestion for dealing with this situation?
1. Yahoo basically isn't maintained. There's no way to contact a human being
there that actually knows anything. If you are unable to get off of Yahoo
and on to a competently-managed system, your only choice is to deal with
Microsoft.

2. You haven't actually shown any headers of this stuff. Seeing the headers
probably would be very helpful for people who would like to help you figure
out what is going on.
--scott
--
"It's a Nagra. It's Swiss, and very, very precise."
Grant Taylor
2023-03-12 07:18:57 UTC
Post by jei
What’s an Office 365 tenant anyhow?
Office 365 is a service from Microsoft.

A tenant is someone subscribing to / renting a service.

So an Office 365 tenant is someone subscribing to Microsoft's Office 365
service.
--
Grant. . . .
unix || die