by PreInternet01 736 days ago
Yes, Microsoft is very slow in blocking their customers from sending spam, yet very quick in blocking external senders for that reason (same for Google, Salesforce, Amazon, etc. BTW). Funny how that works...

But, if you can, record the `X-MS-Exchange-CrossTenant-Id` header value for the spam you receive. If it ends in 'aaaa', that means it comes from the public outlook.com/hotmail.com service, and you'll need to do text content/from-address filtering to get rid of spam.

But otherwise, deny-listing the GUID you get, will do wonders to eliminate future spam from that source...
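The header check described in this comment, as an added Python example that is not part of the thread and not anyone's production filter: it extracts `X-MS-Exchange-CrossTenant-Id` from a raw message, applies the comment's rule of thumb (an ID ending in `aaaa` is the retail outlook.com/hotmail.com service, so it gets content filtering rather than a block), rejects tenants on a deny-list, and tallies junk-folder messages per tenant to build that deny-list. All tenant GUIDs and messages below are constructed placeholders.

```python
import email
import re
from collections import Counter

# Header the comment recommends recording; Exchange Online stamps it with the
# sending tenant's GUID.
TENANT_HEADER = "X-MS-Exchange-CrossTenant-Id"
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample tenant IDs (placeholders, not real tenants).
CONSUMER_TENANT = "00000000-0000-0000-0000-00000000aaaa"  # 'aaaa' suffix = public outlook.com/hotmail.com
SPAMMY_TENANT = "11111111-2222-3333-4444-555555555555"
HONEST_TENANT = "22222222-3333-4444-5555-666666666666"


def crosstenant_id(raw_message):
    """Return the sending tenant GUID (lower-cased), or None if absent or malformed."""
    msg = email.message_from_string(raw_message)
    value = msg.get(TENANT_HEADER)
    if value is None:
        return None
    value = value.strip().lower()
    return value if GUID_RE.match(value) else None


def is_consumer_tenant(tenant_id):
    """The comment's rule of thumb: an ID ending in 'aaaa' is the retail outlook.com/hotmail.com service."""
    return tenant_id.endswith("aaaa")


def classify(raw_message, denylist):
    """Decide what to do with a message based only on its CrossTenant-Id header."""
    tenant = crosstenant_id(raw_message)
    if tenant is None:
        return "no-tenant-header"  # not relayed by Exchange Online; other filters apply
    if tenant in denylist:
        return "reject-denylisted-tenant"
    if is_consumer_tenant(tenant):
        return "content-filter"  # too big to block wholesale; filter on text/From instead
    return "accept"


def tally_tenants(raw_messages):
    """Count human-confirmed junk per tenant: the raw material for a deny-list like the gist posted below."""
    counts = Counter()
    for raw in raw_messages:
        tenant = crosstenant_id(raw)
        if tenant is not None and not is_consumer_tenant(tenant):
            counts[tenant] += 1
    return counts


def build_message(tenant_id, subject):
    """Constructed helper that fabricates a minimal RFC 5322 message carrying the header."""
    return (
        "From: promo@sender.example\r\n"
        "To: me@example.org\r\n"
        f"Subject: {subject}\r\n"
        f"{TENANT_HEADER}: {tenant_id}\r\n"
        "\r\n"
        "body\r\n"
    )


# Constructed sample of messages a human has already judged as spam.
JUNK_FOLDER = [
    build_message(SPAMMY_TENANT, "Grow your business"),
    build_message(SPAMMY_TENANT, "Last chance"),
    build_message(CONSUMER_TENANT, "Mobile app development"),
]

if __name__ == "__main__":
    denylist = set(tally_tenants(JUNK_FOLDER))
    print("deny-list:", sorted(denylist))
    for tenant in (SPAMMY_TENANT, HONEST_TENANT, CONSUMER_TENANT):
        print(tenant, "->", classify(build_message(tenant, "test"), denylist))
```

Only tenants seen in human-classified junk are deny-listed; the consumer tenant is deliberately excluded from the tally so a single bad hotmail.com sender never blocks the whole service.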


For anyone interested, here's the list for the last month or so:

https://gist.github.com/digitalresistor/03ea1b8798c519a71f06...

Edit: moved list to Gist.

You... seem to get a lot of spam! Just out of interest, across how many unique local recipient addresses is this, and how did you determine these messages were illegitimate?
Single user... me. My email address is used on all my git commits/mailing lists across the web.

I check my junk folder every other day to make sure that legitimate mail does not go through because I've set my rspamd config pretty tight.

So all of these are classified correctly as spam by human eyes.

Interesting, thanks! For what it's worth: my multiple-thousands-of-users mail server hasn't seen any of these Azure tenants in the past 14 days.
That doesn't seem too surprising. While my account just gets three or so "digital marketing" or "mobile app" spam a day from Outlook, Mom was getting dozens of Apple / Home Depot / Harbor Freight / Lowes phishing spam a day from Outlook. Reporting them did absolutely nothing, and there were no identifying patterns beyond the painfully obvious fact that they were all from the same campaign, so I'd wager that creating unique accounts on Outlook is trivial.
The 'digital marketing' and 'mobile app' spam is, in my experience, mostly sent via 'retail' outlook/gmail/aol/yahoo/hotmail.com accounts, and mostly by actual people pasting the address list into the BCC field.

These are not that easy to filter due to the risk of false positives, but in general, a sender with a From: header matching `.*\d{1,}@(outlook|gmail|aol|yahoo|hotmail)\.com`, no To: header matching the actual recipient, and a number of keywords in the message text can be safely rejected as bizdev/SEO spam.

The big-brand spam is actually pretty easy to filter, as there are always 'tells' in the message structure. Even just requiring a match between From: display names and domains yields pretty good results, especially if you normalize the display name to eliminate homoglyphs and nearly-similar spellings.
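The two heuristics in this comment, as an added Python example that is not part of the thread and not the commenter's rspamd configuration: the bizdev/SEO rule (numeric freemail From address, recipient absent from To/Cc, enough keywords in the body) and the big-brand rule (a display name that names a brand after homoglyph normalization, paired with a From domain that is not that brand's). The keyword list, brand-to-domain map, homoglyph table and sample messages are all constructed for the demo.

```python
import email
import re
import unicodedata
from email.utils import getaddresses, parseaddr

# The comment's From: pattern: digits before '@' at a retail freemail domain.
FREEMAIL_NUMERIC_FROM = re.compile(r"\d+@(outlook|gmail|aol|yahoo|hotmail)\.com$", re.I)

# Constructed keyword list; a real deployment would tune this from its own junk folder.
BIZDEV_KEYWORDS = ("seo", "digital marketing", "mobile app", "web design", "lead generation")

# Constructed brand -> legitimate sending domain map (display-name token -> domain).
BRANDS = {"apple": "apple.com", "homedepot": "homedepot.com", "lowes": "lowes.com"}

# Constructed homoglyph table: digits and Cyrillic look-alikes folded to Latin letters.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def recipient_listed(msg, recipient):
    """True if the actual recipient appears in To: or Cc: (BCC blasts leave it out)."""
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return recipient.lower() in addrs


def body_text(msg):
    """Collect text/plain content; decode=True undoes transfer encoding."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def is_bizdev_spam(raw_message, recipient, min_keywords=2):
    """All three of the comment's conditions must hold before rejecting."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if not FREEMAIL_NUMERIC_FROM.search(sender):
        return False
    if recipient_listed(msg, recipient):
        return False
    text = body_text(msg).lower()
    hits = sum(1 for kw in BIZDEV_KEYWORDS if kw in text)
    return hits >= min_keywords


def normalize_display_name(name):
    """Fold accents, homoglyphs and punctuation so 'Аpple' or 'Lowe's' compare as plain ASCII tokens."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.lower().translate(HOMOGLYPHS)
    return re.sub(r"[^a-z]", "", s)


def brand_impersonation(raw_message):
    """Return the brand named in the display name if the From: domain is not that brand's, else None."""
    msg = email.message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()
    token = normalize_display_name(name)
    for brand, legit_domain in BRANDS.items():
        if brand in token and domain != legit_domain and not domain.endswith("." + legit_domain):
            return brand
    return None


# Constructed sample messages.
BIZDEV_SAMPLE = (
    "From: John Smith <johnsmith2021@gmail.com>\r\n"
    "To: undisclosed-recipients:;\r\n"
    "Subject: Quick question\r\n\r\n"
    "We offer digital marketing and SEO services for your website.\r\n"
)
LEGIT_FREEMAIL_SAMPLE = (
    "From: Alice <alice99@gmail.com>\r\n"
    "To: dev@example.org\r\n"
    "Subject: Talk proposal\r\n\r\n"
    "Would you speak about digital marketing and SEO at our meetup?\r\n"
)
BRAND_SPOOF_SAMPLE = "From: \u0410pple Support <security-alert123@hotmail.com>\r\nTo: dev@example.org\r\n\r\nVerify now\r\n"
BRAND_LEGIT_SAMPLE = "From: Apple <noreply@email.apple.com>\r\nTo: dev@example.org\r\n\r\nYour receipt\r\n"
```

The bizdev rule only fires when every condition holds, which is what keeps the false-positive rate tolerable on a pattern as broad as "freemail address with digits"; the brand rule needs no keyword list at all, because the mismatch between a normalized display name and the sending domain is the tell.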

That's interesting to say the least... it means that there are MANY MANY more azure tenants that are used to send spam :/