Outlook.com now has collected some SBL listings

November 4, 2015

I mentioned on Twitter that portions of outlook.com are now on the SBL. At the moment there are two listings for protection.outlook.com hosts; SBL272953 from October 11th and SBL273948 from October 21st. Both spam samples quotes by Spamhaus show the signs of a null sender, so clearly these people are as entrenched as I thought. Microsoft also has a Hotmail SBL listing, SBL268930, from September 10th.

(All Microsoft SBL listings can be found here, which is a link I want to keep for my own reference if nothing else.)

Clearly Microsoft doesn't care enough about these SBL listings to do anything about them. It's not clear why this is so, though. Perhaps the Microsoft abuse system is undermanned and overwhelmed. Perhaps a SBL listing doesn't affect delivery to enough places for Microsoft to care (especially a SBL listing for just one or two IPs out of the many that protection.outlook.com hosts use). Perhaps Microsoft simply hasn't noticed the SBL listings.

Locally we've seen connections from one of these IPs in the past week, and all of the deliveries were for null sender address so they were almost certainly spam. This means that I don't currently have to worry about the effects on our users of outlook.com getting more widely listed in the SBL (which is a concern, since some of the university's own email comes from there).

(Only some users subscribe to SBL-based rejection, but in the past SBL listings have clearly been a significant input to the spam score our commercial anti-spam system computes for messages. My unscientific belief is that a great many people filter their email based on that score, so widespread SBL listings for outlook.com could well push the scores for outlook.com email into 'filter away' territory. If this happened, there would be basically nothing we could do about it.)

Comments on this page:

By David at 2016-02-23 16:32:59:

Hi Chris,

I've been reading your spam-related posts with interest lately, especially ones about Outlook/Hotmail originated spam. Thank you for writing about it.

The Outlook.com NULL-sender spam appears (from here) to have ceased on 12/29/2015. Wondering if it looks that way to you too.

In addition, haven't seen spam coming from Outlook/Hotmail here in something like 10 days. Possibly this is the result of Microsoft eliminating (for the moment) the ability of the spammers to abuse their systems. Another possibility is that the one particular troublemaker that hits us has taken a break (to regroup) or has washed our domains from his list (have 100.00000% SMTP rejection against black-hat spam for more than a year now; hopeful but remain skeptical on this possibility).

I'm curious how it looks from where you are.



By cks at 2016-02-28 02:36:19:

This is a good question, so you got me to do some digging. The long answer is in OutlookNullSenderStatus; the short answer is that the null sender spam seems to have vanished, but general spam from outlook.com is still there at significant volume.

(I didn't look at hotmail.com email, which uses different MTAs, just stuff coming from machines in .outlook.com.)

Written on 04 November 2015.
« When setting up per-thing email addresses, make sure you can turn them off
SELinux's usability, illustrated once again »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Nov 4 00:29:26 2015
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.