Posted to users@spamassassin.apache.org by Axb <ax...@gmail.com> on 2013/11/01 18:11:31 UTC
Onmicrosoft Leak Party
Although I'll put this in for SA masschecks to publish, it may take a while.
Here's a preview.. :)
header __FROM_ONMS From =~ /\.onmicrosoft\.com/
header __TO_ONMS To =~ /\.onmicrosoft\.com/
header __TO_ONMS_RCPTS To:name =~ /bRecipients\b/
meta AXB_ONMS_LEAKS (__FROM_ONMS && __TO_ONMS && __TO_ONMS_RCPTS)
describe AXB_ONMS_LEAKS Onmicrosoft Leak Party
score AXB_ONMS_LEAKS 0.5
As always, you can score this as high or low as you want..
I'd score it HIGH! YMMV
Re: Onmicrosoft Leak Party
Posted by Axb <ax...@gmail.com>.
On 11/01/2013 06:38 PM, Alex wrote:
> Hi,
>
>> Although I'll put this in for SA masschecks to publish, it may take a while.
>>
>> Here's a preview.. :)
>>
>> header __FROM_ONMS From =~ /\.onmicrosoft\.com/
>> header __TO_ONMS To =~ /\.onmicrosoft\.com/
>> header __TO_ONMS_RCPTS To:name =~ /bRecipients\b/
>
> ... where "Recipients" is "user@dom.com"?
From: owenfinane <ZG...@web561688.onmicrosoft.com>
To: Recipients <ZG...@web561688.onmicrosoft.com>
That should "explain" the meta
> Thankfully mine are all greylisted (thousands of them) and never come
> back. The one or two that have made it through were quarantined with
> bayes99 and appear to now be blocked by bl.spamcop anyway.
I wouldn't count on a BL block for long - these are legitimate
outlook.com outbound.
> Is this a compromise of their service, do you think, or just an account, or?
Abused Office365 test accounts.
MS is working on mitigation but till then...
Re: Onmicrosoft Leak Party
Posted by Alex <my...@gmail.com>.
Hi,
> Although I'll put this in for SA masschecks to publish, it may take a while.
>
> Here's a preview.. :)
>
> header __FROM_ONMS From =~ /\.onmicrosoft\.com/
> header __TO_ONMS To =~ /\.onmicrosoft\.com/
> header __TO_ONMS_RCPTS To:name =~ /bRecipients\b/
... where "Recipients" is "user@dom.com"?
Thankfully mine are all greylisted (thousands of them) and never come
back. The one or two that have made it through were quarantined with
bayes99 and appear to now be blocked by bl.spamcop anyway.
Is this a compromise of their service, do you think, or just an account, or?
Thanks,
Alex
Re: Onmicrosoft Leak Party
Posted by Benny Pedersen <me...@junc.eu>.
Axb wrote on 2013-11-01 18:11:
> Although I'll put this in for SA masschecks to publish, it may take a while.
>
> Here's a preview.. :)
>
> header __FROM_ONMS From =~ /\.onmicrosoft\.com/
> header __TO_ONMS To =~ /\.onmicrosoft\.com/
> header __TO_ONMS_RCPTS To:name =~ /bRecipients\b/
>
> meta AXB_ONMS_LEAKS (__FROM_ONMS && __TO_ONMS && __TO_ONMS_RCPTS)
> describe AXB_ONMS_LEAKS Onmicrosoft Leak Party
> score AXB_ONMS_LEAKS 0.5
>
> As always, you can score this as high or low as you want..
>
> I'd score it HIGH! YMMV
rpz'ed in bind9 :=)
blacka.localhost. 3 record(s)
blackns.localhost. 2 record(s)
blacknsip.localhost. 2 record(s)
multi.localhost. 54 record(s)
rpz.localhost. 572 record(s)
uribl.com got me started on this :)
Re: Onmicrosoft Leak Party
Posted by Axb <ax...@gmail.com>.
On 11/01/2013 06:11 PM, Axb wrote:
> Although I'll put this in for SA masschecks to publish, it may take a while.
>
> Here's a preview.. :)
>
> header __FROM_ONMS From =~ /\.onmicrosoft\.com/
> header __TO_ONMS To =~ /\.onmicrosoft\.com/
> header __TO_ONMS_RCPTS To:name =~ /bRecipients\b/
>
> meta AXB_ONMS_LEAKS (__FROM_ONMS && __TO_ONMS && __TO_ONMS_RCPTS)
> describe AXB_ONMS_LEAKS Onmicrosoft Leak Party
> score AXB_ONMS_LEAKS 0.5
>
Was missing the backslash for the boundary.
Correction:
header __TO_ONMS_RCPTS To:name =~ /\bRecipients\b/
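The following is an added example, not code from the thread or from SpamAssassin: it re-implements the three sub-rules and the AXB_ONMS_LEAKS meta from the first post in Python and runs both the rule set as first posted (with the `bRecipients\b` typo) and the corrected `\bRecipients\b` version over constructed sample headers. The `:name` handling (testing only the display-name part of the To header) is an approximation of the SpamAssassin modifier using `email.utils.parseaddr`; the sample messages, tenant name and local parts are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The sub-rules from the thread as a (header, modifier, regex) table.
# modifier "name" mimics SpamAssassin's To:name: test only the display-name
# part of the address. RULES_AS_POSTED carries the original typo
# ("bRecipients\b" needs a literal 'b' in front of "Recipients");
# RULES_CORRECTED uses the fixed word-boundary pattern.
RULES_AS_POSTED = {
    "__FROM_ONMS": ("From", None, r"\.onmicrosoft\.com"),
    "__TO_ONMS": ("To", None, r"\.onmicrosoft\.com"),
    "__TO_ONMS_RCPTS": ("To", "name", r"bRecipients\b"),
}
RULES_CORRECTED = {
    **RULES_AS_POSTED,
    "__TO_ONMS_RCPTS": ("To", "name", r"\bRecipients\b"),
}
META_SCORE = 0.5  # score AXB_ONMS_LEAKS 0.5, as posted

# Constructed samples (not real messages); tenant name and local parts are invented.
SAMPLE_LEAK = """\
From: Some Sender <sender@tenant123.onmicrosoft.com>
To: Recipients <sender@tenant123.onmicrosoft.com>
Subject: hi

body
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane@tenant123.onmicrosoft.com>
To: Bob Smith <bob@example.org>
Subject: project update

body
"""


def header_value(msg, header, modifier):
    """Return the header text a rule is matched against, honouring :name / :addr."""
    raw = msg.get(header, "")
    if modifier == "name":
        return parseaddr(raw)[0]  # display-name portion only
    if modifier == "addr":
        return parseaddr(raw)[1]  # bare address only
    return raw


def evaluate(raw_message, rules):
    """Return {rule: hit} for each sub-rule plus the AXB_ONMS_LEAKS meta."""
    msg = message_from_string(raw_message)
    hits = {}
    for name, (header, modifier, pattern) in rules.items():
        hits[name] = re.search(pattern, header_value(msg, header, modifier)) is not None
    # meta AXB_ONMS_LEAKS (__FROM_ONMS && __TO_ONMS && __TO_ONMS_RCPTS)
    hits["AXB_ONMS_LEAKS"] = all(
        hits[r] for r in ("__FROM_ONMS", "__TO_ONMS", "__TO_ONMS_RCPTS")
    )
    return hits


def score(raw_message, rules):
    """Score contributed by the meta rule alone."""
    return META_SCORE if evaluate(raw_message, rules)["AXB_ONMS_LEAKS"] else 0.0


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("corrected", RULES_CORRECTED)):
        print(label, "leak sample:", evaluate(SAMPLE_LEAK, rules))
        print(label, "legit sample:", evaluate(SAMPLE_LEGIT, rules))
```

Run against the leak-shaped sample, the rule set as first posted never fires the meta because `__TO_ONMS_RCPTS` cannot match a display name of just "Recipients"; the corrected set does. Ordinary mail from an onmicrosoft.com tenant to a named recipient hits `__FROM_ONMS` only, which is why the three tests are tied together in a meta rather than scored individually.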