Posted to users@spamassassin.apache.org by David Jones <dj...@ena.com> on 2018/01/23 15:17:38 UTC
Receiving a lot of junk from Office 365
First, if anyone from Microsoft is on this list, please set up proper
outbound spam filtering, rate limiting, and compromised account
detection with locking to prevent junk like this.
I have seen a recent increase in the number of outbound junk and
phishing emails that I keep reporting to SpamCop who reports it to
Microsoft.
https://pastebin.com/c2c2ETYi
Any ideas other than maintaining a complex regex on body matches? I
have tried this with good success but it's creating a few FPs. I could
limit it to O365 servers but that is a lot these days.
--
David Jones
Re: Receiving a lot of junk from Office 365
Posted by David Jones <dj...@ena.com>.
On 01/23/2018 12:36 PM, Alex wrote:
> Hi,
>
> On Tue, Jan 23, 2018 at 10:17 AM, David Jones <dj...@ena.com> wrote:
>> First, if anyone from Microsoft is on this list, please set up proper
>> outbound spam filtering, rate limiting, and compromised account detection
>> with locking to prevent junk like this.
>>
>> I have seen a recent increase in the number of outbound junk and phishing
>> emails that I keep reporting to SpamCop who reports it to Microsoft.
>>
>> https://pastebin.com/c2c2ETYi
>>
>> Any ideas other than maintaining a complex regex on body matches? I have
>> tried this with good success but it's creating a few FPs. I could limit it
>> to O365 servers but that is a lot these days.
>
> We address these with a series of meta rules involving "target market"
> combined with a few meta rules involving "Title, Company name, Phone
> number" etc...
>
> My "list acquire" rule looks like
> /(list\b|target\b|contacts|database|acquire\b|acquiring|campaign|verified
> email|leads)/i which is required to start.
>
Mine looks very similar but I have 3 word combinations that need to be
near each other with ".{1,30}" between them to try to be a little
flexible on the sentences without FPs. I think my problem was the word
"info" was in the middle of the 3 words and that was matching way too
much so I removed that.
Now I have used a meta rule to limit it to O365 outbound servers and
will let this ride a while to make sure it's a little more conservative
with fewer FPs.
--
David Jones
Re: Receiving a lot of junk from Office 365
Posted by Alex <my...@gmail.com>.
Hi,
On Tue, Jan 23, 2018 at 10:17 AM, David Jones <dj...@ena.com> wrote:
> First, if anyone from Microsoft is on this list, please set up proper
> outbound spam filtering, rate limiting, and compromised account detection
> with locking to prevent junk like this.
>
> I have seen a recent increase in the number of outbound junk and phishing
> emails that I keep reporting to SpamCop who reports it to Microsoft.
>
> https://pastebin.com/c2c2ETYi
>
> Any ideas other than maintaining a complex regex on body matches? I have
> tried this with good success but it's creating a few FPs. I could limit it
> to O365 servers but that is a lot these days.
We address these with a series of meta rules involving "target market"
combined with a few meta rules involving "Title, Company name, Phone
number" etc...
My "list acquire" rule looks like
/(list\b|target\b|contacts|database|acquire\b|acquiring|campaign|verified
email|leads)/i which is required to start.
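The rule shape David and Alex describe above (a zero-score vocabulary subrule, a three-term proximity subrule with `.{1,30}` between terms, and a meta rule that only scores when the mail came through Office 365 outbound relays), written out as an added local.cf fragment; this is example code, not either poster's actual rules. The relay hostname pattern and the specific proximity terms are assumptions to be tuned against your own corpus.

```spamassassin
# Added example (not from the thread). Rules starting with "__" carry no
# score on their own; only the meta rules below add to the total.

# Mail handed to us by a Microsoft outbound relay. Assumed hostname
# pattern; verify against the Received: lines you actually see.
header   __O365_OUTBOUND_RELAY  Received =~ /\.outbound\.protection\.outlook\.com\b/i

# Alex's broad "list acquire" vocabulary from the thread, as a subrule.
body     __LIST_ACQUIRE_WORD    /\b(?:list\b|target\b|contacts|database|acquire\b|acquiring|campaign|verified email|leads)/i

# David's approach: three terms that must sit within 30 characters of each
# other. Term groups are constructed; "info" is deliberately left out
# because a middle term that generic matched far too much ham.
body     __LIST_ACQUIRE_NEAR    /\b(?:contacts|database|list)\b.{1,30}\b(?:verified|targeted|opt-?in)\b.{1,30}\b(?:e-?mails?|leads|decision makers)\b/is

# Score only when the proximity hit arrives via O365 outbound.
meta     O365_LIST_ACQUIRE      __O365_OUTBOUND_RELAY && __LIST_ACQUIRE_WORD && __LIST_ACQUIRE_NEAR
describe O365_LIST_ACQUIRE      List-acquisition pitch relayed through Office 365 outbound servers
score    O365_LIST_ACQUIRE      2.0

# The same content hit from any other relay gets a near-zero score, so it
# still shows up in headers and logs and FPs can be measured before the
# gate is widened.
meta     LIST_ACQUIRE_ANYWHERE  __LIST_ACQUIRE_NEAR && !__O365_OUTBOUND_RELAY
describe LIST_ACQUIRE_ANYWHERE  List-acquisition pitch (not via O365; informational)
score    LIST_ACQUIRE_ANYWHERE  0.01
```

Run `spamassassin --lint` after adding the fragment, and mass-check it against a ham corpus before raising either score.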
Re: Receiving a lot of junk from Office 365
Posted by Vincent Fox <vb...@ucdavis.edu>.
O365 has many very large tenant ponds now. Rules inside a tenant may be very lax about trusting other users inside the tenant. So one compromised account easily leads to tens/hundreds of others. So their 2nd round of phish nets Black Hats enough compromised accounts to blast out a campaign. Then they move on to the next pond.
It's the next hot wave. Microsoft should really ramp up the mandatory settings on tenants.
________________________________
From: David Jones <dj...@ena.com>
Sent: Tuesday, January 23, 2018 7:17:38 AM
To: 'users@spamassassin.apache.org'
Subject: Receiving a lot of junk from Office 365
First, if anyone from Microsoft is on this list, please set up proper
outbound spam filtering, rate limiting, and compromised account
detection with locking to prevent junk like this.
I have seen a recent increase in the number of outbound junk and
phishing emails that I keep reporting to SpamCop who reports it to
Microsoft.
https://pastebin.com/c2c2ETYi
Any ideas other than maintaining a complex regex on body matches? I
have tried this with good success but it's creating a few FPs. I could
limit it to O365 servers but that is a lot these days.
--
David Jones
Re: Receiving a lot of junk from Office 365
Posted by Pedro David Marco <pe...@yahoo.com>.
>I've had somewhat better success with hand-maintained rules focusing on
>their "unsubscribe" phrases, since those have tended to be more
>consistent, and the same phrases are found in other types of spam.
>
>-kgd
This is a good idea... unsubscribe instructions without an X-List-Unsubscribe header? Obviously not impossible but worth scoring...
The sender IP is in Spamhaus as well... probably it would be a good idea to put x-originating-ip into RBL checks...
-------PedroD
Re: Receiving a lot of junk from Office 365
Posted by Kris Deugau <kd...@vianet.ca>.
David Jones wrote:
> First, if anyone from Microsoft is on this list, please set up proper
> outbound spam filtering, rate limiting, and compromised account
> detection with locking to prevent junk like this.
>
> I have seen a recent increase in the number of outbound junk and
> phishing emails that I keep reporting to SpamCop who reports it to
> Microsoft.
>
> https://pastebin.com/c2c2ETYi
>
> Any ideas other than maintaining a complex regex on body matches? I
> have tried this with good success but it's creating a few FPs. I could
> limit it to O365 servers but that is a lot these days.
For that particular "class" of spam I add the domain to my local DNSBL
(if one is available; about 25% of the ones I see use
Hotmail/Yahoo/GMail accounts and don't include a domain in the body),
file the message in a content-specific folder, and feed it through the
rest of the IP/URI extraction processing and Bayes feeding. That
particular domain has already made my local list, and I see it's on
uribl.com as well. I've also added rules checking the From: domain
against DNSBLs; it seems to have helped some generally.
I've been generating a number of sets of more content-specific rules
using the SOUGHT code in the SA source tree, but that set doesn't seem
to be consistent enough to generate anything. I intermittently check
and (re)write a couple of rules but I don't see enough volume to do more
than say "Oh, another one of those" by eye. :/
I've had somewhat better success with hand-maintained rules focusing on
their "unsubscribe" phrases, since those have tended to be more
consistent, and the same phrases are found in other types of spam.
-kgd
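Kris's "unsubscribe phrase" rules and Pedro's point that such phrasing without a list-unsubscribe header is worth scoring, plus Kris's From: domain DNSBL check, combined into one added local.cf fragment. This is example code, not either poster's rules; the phrase list and the DNSBL zone are constructed placeholders, and the header checked is the RFC 2369 `List-Unsubscribe` header, which is what bulk senders normally set.

```spamassassin
# Added example (not from the thread). Constructed unsubscribe boilerplate;
# replace with the phrases that recur in your own spam folder.
body     __UNSUB_PHRASE_BODY    /\b(?:if you (?:do not|don't|no longer) (?:wish|want) to receive|to (?:stop|opt out of) (?:further|these) e-?mails?|reply with ["']?(?:remove|unsubscribe)["']? in the subject)\b/i

# Legitimate bulk mail carries an RFC 2369 List-Unsubscribe header.
header   __HAS_LIST_UNSUB       exists:List-Unsubscribe

# Body says "unsubscribe" but the header machinery is missing.
meta     UNSUB_PHRASE_NO_HEADER __UNSUB_PHRASE_BODY && !__HAS_LIST_UNSUB
describe UNSUB_PHRASE_NO_HEADER Unsubscribe instructions in body but no List-Unsubscribe header
score    UNSUB_PHRASE_NO_HEADER 1.5

# Same phrasing with the header present is far more likely to be real
# bulk mail, so it only gets a logging score.
meta     UNSUB_PHRASE_WITH_HEADER __UNSUB_PHRASE_BODY && __HAS_LIST_UNSUB
score    UNSUB_PHRASE_WITH_HEADER 0.01

# Kris's From: domain lookup against a local DNSBL. Assumes the DNSEval
# plugin's check_rbl_from_domain eval is available in your version; the
# zone name is a placeholder for your own list.
header   FROM_DOMAIN_LOCAL_DNSBL eval:check_rbl_from_domain('localbl', 'dnsbl.local.example.')
describe FROM_DOMAIN_LOCAL_DNSBL From: domain is on the local content-class DNSBL
tflags   FROM_DOMAIN_LOCAL_DNSBL net
score    FROM_DOMAIN_LOCAL_DNSBL 3.0
```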