The status of null-sender spam from outlook.com

February 28, 2016

Recently, David left a comment on my last entry on null sender spam from outlook.com noting that his site had seen null sender spam from Outlook stop at the end of December. This made me curious about what we're seeing (and David asked, too), so I've now gone looking.

The short version is that clear null sender spam from outlook.com appears to have stopped at the end of last year (and I mean literally the end of last year, as we have entries from December 31st). We're still getting some amount of email from outlook.com with null sender addresses, but our anti-spam system now scores all of it very low. I can't be sure that this isn't spam, but it's certainly entirely possible that it's real bounces. We continue to get spam from outlook.com in general; at the moment, our 2016 figure is that about 4% of email from outlook.com scores high enough to be considered spam. In December, the logs say it came out to about 11.5% spam, so we clearly saw a significant drop here.
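The per-domain figures above come from scoring logs. As an added illustration (not code from this blog or its mail system), here is a small Python script that parses a constructed, made-up per-message log format and computes, for each sending domain, the share of mail scored as spam, the number of null-sender (empty envelope sender) messages, and the highest score any null-sender message reached. The score threshold of 5.0 is an assumption; the post does not say what cutoff its anti-spam system uses.

```python
import re
from collections import defaultdict

# Assumed cutoff: the post does not state its anti-spam system's threshold.
SPAM_THRESHOLD = 5.0

# Constructed sample log lines in a made-up per-message format (not the post's real logs).
SAMPLE_LOG = """\
Feb 27 10:01:02 mx1 scan: msg=1 relay=outlook.com sender=<> score=-1.2
Feb 27 10:03:11 mx1 scan: msg=2 relay=outlook.com sender=<alice@example.net> score=7.9
Feb 27 10:05:40 mx1 scan: msg=3 relay=google.com sender=<bob@example.org> score=0.3
Feb 27 10:07:09 mx1 scan: msg=4 relay=outlook.com sender=<> score=0.4
Feb 27 10:09:55 mx1 scan: msg=5 relay=outlook.com sender=<carol@example.net> score=6.1
Feb 27 10:12:30 mx1 scan: msg=6 relay=google.com sender=<> score=-0.5
Feb 27 10:15:01 mx1 scan: msg=7 relay=outlook.com sender=<dave@example.net> score=1.0
Feb 27 10:17:48 mx1 scan: msg=8 relay=google.com sender=<erin@example.org> score=2.2
Feb 27 10:20:12 mx1 scan: msg=9 relay=outlook.com sender=<frank@example.net> score=0.0
Feb 27 10:22:37 mx1 scan: msg=10 relay=google.com sender=<grace@example.org> score=0.9
"""

LINE_RE = re.compile(
    r"relay=(?P<relay>\S+)\s+sender=<(?P<sender>[^>]*)>\s+score=(?P<score>-?\d+(?:\.\d+)?)"
)


def parse_log(text):
    """Yield (relay, envelope_sender, score) for each line matching the format; skip others."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("relay"), m.group("sender"), float(m.group("score"))


def spam_stats(records, threshold=SPAM_THRESHOLD):
    """Per-relay totals: all mail, mail scored as spam, null-sender mail, null-sender
    mail scored as spam, and the highest score any null-sender message reached."""
    stats = defaultdict(lambda: {"total": 0, "spam": 0, "null_total": 0,
                                 "null_spam": 0, "null_max_score": None})
    for relay, sender, score in records:
        s = stats[relay]
        s["total"] += 1
        is_spam = score >= threshold
        if is_spam:
            s["spam"] += 1
        if sender == "":  # empty envelope sender: a bounce/NDR, or null-sender spam
            s["null_total"] += 1
            if is_spam:
                s["null_spam"] += 1
            if s["null_max_score"] is None or score > s["null_max_score"]:
                s["null_max_score"] = score
    for s in stats.values():
        s["spam_pct"] = round(100.0 * s["spam"] / s["total"], 1)
    return dict(stats)


def report(text=SAMPLE_LOG, threshold=SPAM_THRESHOLD):
    """Convenience wrapper: parse the log text and return the per-relay statistics."""
    return spam_stats(parse_log(text), threshold)


if __name__ == "__main__":
    for relay, s in sorted(report().items()):
        print(f"{relay}: {s['spam_pct']}% spam ({s['spam']}/{s['total']}), "
              f"null-sender {s['null_total']} (spam {s['null_spam']}, "
              f"max score {s['null_max_score']})")
```

Run over real logs, the interesting number for the question in this post is `null_max_score` per relay: if it stays well below the threshold, the null-sender mail is plausibly real bounces rather than the earlier spam.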

David also reported a lack of general spam from outlook.com. Unfortunately we don't see that. Outlook.com has been consistently sending us some amount of spam (as scored by our systems). In addition, several outlook.com hosts are currently on the SBL; among Microsoft's SBL listings, I can spot more than five of them. However, the SBL seems to be doing something odd here: each listing is for the .0 address of the /24 (as a /32) instead of for the actual IP address that the listing text names. The net effect is that these nominal SBL listings won't actually block anything, which rather irritates me.

(E.g., SBL273948 says 'Spam source @104.47.100.234' but is for 104.47.100.0/32.)
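To make the mismatch concrete, here is an added Python check (not from this blog or from Spamhaus) that audits a list of SBL-style listings, reporting any whose listed network does not actually contain the spam source the listing names. The SBL273948 entry is the one quoted above; the other two listings are constructed for illustration and use documentation address space. The `dnsbl_query_name` helper builds the standard reversed-octet DNSBL query label for an IP, so you can see which name a DNSBL client would look up.

```python
import ipaddress

# Constructed sample: (listing id, spam source stated in the listing text, network the listing is for).
# SBL273948 is the entry quoted in the post; the two "EXAMPLE" entries are made up.
SAMPLE_LISTINGS = [
    ("SBL273948", "104.47.100.234", "104.47.100.0/32"),   # listing misses the stated source
    ("SBL-EXAMPLE-A", "192.0.2.77", "192.0.2.77/32"),     # exact /32 covers the stated source
    ("SBL-EXAMPLE-B", "198.51.100.9", "198.51.100.0/24"), # whole /24 covers the stated source
]


def listing_covers(listed_network, stated_source):
    """True if the listed network contains the IP the listing text names as the spam source."""
    net = ipaddress.ip_network(listed_network, strict=False)
    return ipaddress.ip_address(stated_source) in net


def audit_listings(listings):
    """Return ids of listings whose listed network would not block the stated spam source."""
    return [lid for lid, src, net in listings if not listing_covers(net, src)]


def dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Build the reversed-octet query name a DNSBL client looks up for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    for lid in audit_listings(SAMPLE_LISTINGS):
        _, src, net = next(entry for entry in SAMPLE_LISTINGS if entry[0] == lid)
        print(f"{lid}: listed network {net} does not contain stated source {src}; "
              f"a lookup of {dnsbl_query_name(src)} would not hit this listing")
```

The check is deliberately strict-free (`strict=False`) so a listing written with host bits set still parses; the point is purely whether the named source address falls inside the listed network.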

My overall view is that outlook.com continues to have a spam problem, but they have apparently managed to block or otherwise stop one source of their spam. This is progress; it is just not enough progress. Having roughly one in twenty of the email messages we receive from you be spam is not a good ratio. For scale, over the same period in 2016, only 0.2% of the email received from Google was scored as spam.

(This includes both GMail email and email from some other things at Google that send out email, since as far as I know you can't tell the email servers apart, assuming there even is different infrastructure for the various different email systems.)


Comments on this page:

By David at 2016-03-01 13:08:02:

Hi Chris,

Seeing your update I looked again at Outlook.

Still seeing an amazing improvement here--virtually no UCE from Outlook+Hotmail in February. It looks like the only spam coming from Microsoft's ESP is either "Artisanal" (i.e. hand-written by spammer subcontractors) or submitted in low volume by web-bots simulating humans.

The visible difference in SBL listing samples is that none of the current spam is forwarded. Seems to me that the higher-end spammers were making a point of exploiting legitimate servers that had configured mail delivery through Outlook and had good medium-to-high volume mail flows. The Outlook system was reacting slowly (or not at all) to sudden changes from good-MTA-forwarder to Evil-Firehose. The deficiency now appears corrected.

Hopefully Microsoft will work to catch up to Google in the area of stopping the aforementioned class of non-forwarded spam.

David

By David at 2016-03-13 22:53:42:

Spoke too soon and now must reverse myself. Was luck that Outlook did not spam my MTA in February and it came back with a vengeance in March. No NULL senders though.

I have the luxury of having no correspondents dumb enough to use Outlook (last ham message on that path two years ago, and that was just a reply to a product query). So I put up an ACL that black-holes all traffic from Outlook MTA IP blocks (as a companion to the ones blocking Azure and AWS IPs.) Don't even want to see bounce entries in the MTA log.

Curiously IPs with *.hotmail.com reverse-DNS are clean at present, though this is where Outlook freebie account messages originate.

By David at 2016-06-17 19:18:11:

Outlook.com spam ceased as-of about June 1st.

This is not due to Microsoft fixing anything, but rather is a result of the Necurs botnet going offline. Possibly is due to an arrest of the operators by the Russian FSB. Is apparent that the Necurs crew had some method for making Outlook.com their spam-cannon bitch.

https://www.proofpoint.com/tw/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution

https://motherboard.vice.com/read/one-of-the-worlds-largest-botnets-has-vanished

Written on 28 February 2016.

Last modified: Sun Feb 28 02:33:51 2016