2015-11-04
Outlook.com now has collected some SBL listings
I mentioned on Twitter that portions of outlook.com are now on the SBL. At the moment there are two listings for protection.outlook.com hosts; SBL272953 from October 11th and SBL273948 from October 21st. Both spam samples quoted by Spamhaus show the signs of a null sender, so clearly these people are as entrenched as I thought. Microsoft also has a Hotmail SBL listing, SBL268930, from September 10th.
(All Microsoft SBL listings can be found here, which is a link I want to keep for my own reference if nothing else.)
Clearly Microsoft doesn't care enough about these SBL listings to do anything about them. It's not clear why this is so, though. Perhaps the Microsoft abuse system is undermanned and overwhelmed. Perhaps a SBL listing doesn't affect delivery to enough places for Microsoft to care (especially a SBL listing for just one or two IPs out of the many that protection.outlook.com hosts use). Perhaps Microsoft simply hasn't noticed the SBL listings.
Locally we've seen connections from one of these IPs in the past week, and all of the deliveries were for the null sender address so they were almost certainly spam. This means that I don't currently have to worry about the effects on our users of outlook.com getting more widely listed in the SBL (which is a concern, since some of the university's own email comes from there).
(Only some users subscribe to SBL-based rejection, but in the past SBL listings have clearly been a significant input to the spam score our commercial anti-spam system computes for messages. My unscientific belief is that a great many people filter their email based on that score, so widespread SBL listings for outlook.com could well push the scores for outlook.com email into 'filter away' territory. If this happened, there would be basically nothing we could do about it.)
2015-11-02
When setting up per-thing email addresses, make sure you can turn them off
One of the reasonably good weapons in the war against spam is never giving companies your real, core email address but instead creating different individualized email addresses for each place that requires an email address from you. When email addresses inevitably leak or get abused, you can immediately finger the culprit simply by what email address the crud is coming in to. If you start getting spam email to 'you.vendor1@...', well, you know who to blame.
There are a lot of ways to do this, depending on exactly where you have your email; some email providers let you add arbitrary suffixes to your email address after a special character, for example. But however you do this, there is an obvious but important feature you should try to have if at all possible: you should be able to turn off such addresses. Generally such turned off addresses should be rejected during the SMTP transaction, although in some circumstances you might want to turn them into spamtraps instead.
The reason why is pretty straightforward. As I can say from personal experience, after a while at least some of your addresses will become so contaminated that the spam they get is no longer at all interesting. Once an address gets leaked badly enough that the advance fee spammers and the phish spammers and so on get their hands on it, well, there's no end to them.
(I don't recommend that you immerse yourself in the (anti-)spam world, not unless it's your profession. Trying to track advance fee fraud and phish spam is an endless task.)
Most systems for individualized addresses can probably already do this, but if you're building one (for yourself or for a general population), remember to include this. It may take some extra work, but you'll thank yourself in the long run.
(The simple approach is to make the address not exist any more, so it's rejected at SMTP time the same as any other nonexistent local address. The more advanced one is to still reject at SMTP time but to keep track of things like how many attempts to mail it there were recently and so on, and let people see this. Although, honestly, I'm not sure how many people will really care about that. You probably do want to keep track of old turned off addresses so that people get a warning if they're recreating them by accident.)
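The turn-off behaviour described above, as an added example (not code from this post or from any real mail system): a registry that answers RCPT TO for per-vendor addresses, rejects turned-off ones exactly like unknown ones while counting the attempts, and warns when a retired address is recreated. The `AddressBook` class, the `example.org` domain and the 7-day "recent" window are assumptions made for illustration.

```python
# Added example: registry of per-vendor addresses that can be turned off.
# All names and the example.org domain are constructed for illustration.
import time

RECENT = 7 * 24 * 3600  # "recently" is assumed to mean the last 7 days
NO_USER = (550, "5.1.1 no such user")  # same reply for retired and unknown


class AddressBook:
    def __init__(self, base, domain, sep="."):
        self.base, self.domain, self.sep = base.lower(), domain.lower(), sep
        self.tags = {}  # tag -> {"active": bool, "rejects": [timestamps]}

    def create(self, tag, force=False):
        """Create base<sep>tag. Returns (address, warning or None)."""
        tag = tag.lower()
        addr = f"{self.base}{self.sep}{tag}@{self.domain}"
        old = self.tags.get(tag)
        if old is not None and not old["active"] and not force:
            return addr, f"{addr} was turned off earlier; pass force=True to revive it"
        self.tags[tag] = {"active": True, "rejects": old["rejects"] if old else []}
        return addr, None

    def turn_off(self, tag):
        # Keep the record so later recreation can be warned about.
        self.tags[tag.lower()]["active"] = False

    def rcpt_to(self, rcpt, now=None):
        """SMTP reply (code, text) for one RCPT TO address."""
        now = time.time() if now is None else now
        local, _, domain = rcpt.strip("<>").lower().rpartition("@")
        prefix = self.base + self.sep
        if domain != self.domain or not local.startswith(prefix):
            return NO_USER
        entry = self.tags.get(local[len(prefix):])
        if entry is None:
            return NO_USER
        if not entry["active"]:
            entry["rejects"].append(now)  # count the attempt, then reject
            return NO_USER
        return (250, "2.1.5 recipient ok")

    def recent_rejects(self, tag, now=None):
        now = time.time() if now is None else now
        return sum(1 for t in self.tags[tag.lower()]["rejects"] if now - t <= RECENT)
```

Returning the identical 550 reply for retired and never-existing addresses means a sender cannot tell from the SMTP response which per-vendor tags were once valid.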