Chris's Wiki :: blog/spam/OutlookNullSenderStatus Comments
https://utcc.utoronto.ca/~cks/space/blog/spam/OutlookNullSenderStatus?atomcomments
DWiki
2016-06-17T23:18:11Z
Recent comments in Chris's Wiki :: blog/spam/OutlookNullSenderStatus.

By David on /blog/spam/OutlookNullSenderStatus
<div class="wikitext"><p>Outlook.com spam ceased as of about June 1st.</p>
<p>This is not due to Microsoft fixing anything, but rather is a result of the Necurs botnet going offline. Possibly is due to an arrest of the operators by the Russian FSB. Is apparent that the Necurs crew had some method for making Outlook.com their spam-cannon bitch.</p>
<p><a href="https://www.proofpoint.com/tw/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution">https://www.proofpoint.com/tw/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution</a></p>
<p><a href="https://motherboard.vice.com/read/one-of-the-worlds-largest-botnets-has-vanished">https://motherboard.vice.com/read/one-of-the-worlds-largest-botnets-has-vanished</a></p>
</div>
2016-06-17T23:18:11Z

By David on /blog/spam/OutlookNullSenderStatus
<div class="wikitext"><p>Spoke too soon and now must reverse myself. Was luck that Outlook did not spam my MTA in February and it came back with a vengeance in March. No NULL senders though.</p>
<p>I have the luxury of having no correspondents dumb enough to use Outlook (last ham message on that path two years ago, and that was just a reply to a product query). So I put up an ACL that black-holes all traffic from Outlook MTA IP blocks (as a companion to the ones blocking Azure and AWS IPs.) Don't even want to see bounce entries in the MTA log.</p>
<p>Curiously IPs with *.hotmail.com reverse-DNS are clean at present, though this is where Outlook freebie account messages originate.</p>
</div>
2016-03-14T02:53:42Z

By David on /blog/spam/OutlookNullSenderStatus
<div class="wikitext"><p>Hi Chris,</p>
<p>Seeing your update I looked again at Outlook.</p>
<p>Still seeing an amazing improvement here--virtually no UCE from Outlook+Hotmail in February. It looks like the only spam coming from Microsoft's ESP is either "Artisanal" (i.e. hand written by spammer subcontractors) or submitted in low volume by web-bots simulating humans.</p>
<p>The visible difference in SBL listing samples is that none of the current spam is forwarded. Seems to me that the higher-end spammers were making a point of exploiting legitimate servers that had configured mail delivery through Outlook and had good medium-to-high volume mail flows. The Outlook system was reacting slowly (or not at all) to sudden changes from good-MTA-forwarder to Evil-Firehose. The deficiency now appears corrected.</p>
<p>Hopefully Microsoft will work to catch up to Google in the area of stopping the aforementioned class of non-forwarded spam.</p>
<p>David</p>
</div>
2016-03-01T18:08:02Z