snork.ca ... making kittens cry since 2001

Microsoft Spam Detection Sucks 2015-06-24


I have a Hotmail account that I use mostly for testing, and of course I run my own mail server for, well… email. As it turns out, the spam detection at Hotmail is just awful. I can only assume that the spam detection for all of Microsoft's services (outlook.com, live.com & live.ca, msn.com & msn.ca, anything behind Microsoft Forefront, Exchange Online Protection, Office 365 anti-spam, and any other Microsoft-based filtering) is just as bad. Here is an example email I received today, headers first, with the parts that should have given it away discussed below so it is painfully obvious how much they suck.

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
x-store-info:sbevkl2QZR7OXo7WID5ZcVBK1Phj2jX/
Authentication-Results: hotmail.com; spf=fail (sender IP is 50.7.255.99; identity alignment result is fail and alignment mode is relaxed) smtp.mailfrom=account-security-noreply@account.microsoft.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=none header.id=sn0rkasaurus@hotmail.com
X-SID-PRA: sn0rkasaurus@hotmail.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: NhFq/7gR1vTdXaI/ujcx6Cqf8THvsN5Nkzx/Ytj8d3+Vh/ptH/uFGK6EhA0lyst/tXAEGuEyOqG6vSZtitWuRBS93dvNfZyYKbQUnP6wO23WkgQOrnLPAWuucXXDMBRoglaX3LqGtTAJAJadfyuTKitgDskI+YIblgerM7UIZgcEp7GXBVM+7yy9AL1GRGPz7VJ5nn7s7GDxSbEOkJ0IRZVvKVfMYvaO
Received: from mailin.neelghau.com ([50.7.255.99]) by COL004-MC4F13.hotmail.com with Microsoft SMTPSVC(7.5.7601.23008);
Wed, 24 Jun 2015 07:25:38 -0700
Received: from localhost (127.0.0.1) by mailin.neelghau.com id hhar4g16lt0a for <sn0rkasaurus@hotmail.com>; Wed, 24 Jun 2015 09:53:11 -0400 (envelope-from <account-security-noreply@account.microsoft.com>)
Date: Wed, 24 Jun 2015 09:49:20 -0400
From:=?UTF-8?B?RGlhYmV0ZXMgVHJlYXRtZW50?==?ASCII?B?ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg?=<sn0rkasaurus@hotmail.com><f053d0da4714eb91d07cbd71336e7d44@qq.com>
To: <sn0rkasaurus@hotmail.com>
Subject:Sn0rkasaurus, Learn the Risks, Symptoms, Causes & Treatments! Get the Facts.
MIME-Version: 1.0
Content-Type: Text/Html
Return-Path: 81fbc7b55cbfea42fb287666bd60731e@e.mailin.neelghau.com
List-Unsubscribe: <optout-unsubscribe@mailin.neelghau.com>
Message-ID: <COL004-MC4F13paoG1V0013ae9f@COL004-MC4F13.hotmail.com>
X-OriginalArrivalTime: 24 Jun 2015 14:25:38.0619 (UTC) FILETIME=[A46E50B0:01D0AE89]

SPF, or "Sender Policy Framework", is a way of using DNS to say which hosts are allowed to send email for your domain: the domain publishes a TXT record listing them, and the receiving server looks up the record for the envelope-sender domain (the smtp.mailfrom value above) and checks whether the connecting IP is on it. It works, but a lot of mail administrators don't seem to grasp it, so it is used poorly or not at all in many cases. Here the envelope sender claimed account.microsoft.com, Microsoft's own domain, and 50.7.255.99 is not allowed to send for it, so their own check came back spf=fail. Ultimately, what is important is that the message is supposedly from sn0rkasaurus@hotmail.com and the people who own hotmail.com can't figure out that it is fake even though it failed their own SPF test. Brutal.
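To make the SPF mechanism concrete, here is an added example (not code from the original post) of what a receiving server does when it evaluates SPF: a small RFC 7208 check_host() over a constructed, in-memory DNS table. The domains and records are invented stand-ins, not Microsoft's real records; the only value taken from the headers above is the sender IP 50.7.255.99. It handles the mechanisms most records use (ip4, ip6, a, mx, include, all, redirect=), the four qualifiers, the ten-lookup limit, and two of the classic mistakes: two SPF records, and a record that ends in +all and therefore passes everyone.

```python
import ipaddress

# Constructed in-memory DNS zone for the example. These domains and records are
# invented; they stand in for what a resolver would return and are not Microsoft's.
DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"]},
    "mail.example.net": {"TXT": ["v=spf1 ip4:198.51.100.5 a ~all"], "A": ["198.51.100.5"]},
    "relay.example.net": {"TXT": ["v=spf1 mx -all"], "MX": ["mx1.relay.example.net"]},
    "mx1.relay.example.net": {"A": ["203.0.113.25"]},
    "sloppy.example.org": {"TXT": ["v=spf1 +all"]},                    # passes anyone at all
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},      # blows the lookup limit
    "twice.example": {"TXT": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"]},  # two records
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: DNS-querying mechanisms per evaluation


def spf_records(domain, dns):
    """Return the SPF records a domain publishes in TXT (there should be exactly one)."""
    txts = dns.get(domain, {}).get("TXT", [])
    return [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def addrs_of(host, dns):
    """A records of a host as /32 networks, so `ip in net` works uniformly."""
    return [ipaddress.ip_network(a) for a in dns.get(host, {}).get("A", [])]


def check_host(ip, domain, dns, lookups=None):
    """RFC 7208 check_host(): evaluate `domain`'s SPF record for a connection from `ip`.
    Returns pass / fail / softfail / neutral / none / permerror.
    `lookups` is a counter shared across include: and redirect= recursion."""
    lookups = [0] if lookups is None else lookups
    records = spf_records(domain, dns)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # publishing two SPF records is itself an error
    ip = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech.startswith("redirect="):  # modifier: only consulted if nothing matches
            redirect = mech.split("=", 1)[1]
            continue
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "include":
                inner = check_host(str(ip), target, dns, lookups)
                if inner in ("permerror", "none"):
                    return "permerror"  # section 5.2: including a missing record is fatal
                matched = inner == "pass"
            else:
                hosts = [target] if mech == "a" else dns.get(target, {}).get("MX", [])
                matched = any(ip in net for h in hosts for net in addrs_of(h, dns))
        else:
            return "permerror"          # unknown mechanism (ptr/exists are not modelled)
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        return check_host(str(ip), redirect, dns, lookups)
    return "neutral"                    # nothing matched and there was no `all`
```

With this table, check_host("50.7.255.99", "example.com", DNS) returns "fail", the same verdict Hotmail's header reports for account.microsoft.com, while the same IP gets "softfail" from mail.example.net (a ~all record) and "pass" from sloppy.example.org, which is what "used poorly" looks like in practice.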

[image: hotmailevolution] I stole this image from geekwire.

DKIM is "none", meaning the message carried no DKIM signature at all. That should stand out, because this message claims to come from a hotmail.com address: if it had really originated with them it would have passed through their own outbound servers, which is exactly where a signature gets added. The header even says the signing domain (header.d=hotmail.com) is aligned with the From address, which means nothing when there is no signature to verify. Also brutal.

The Received line that shows 50.7.255.99 (mailin.neelghau.com) handing the message to Hotmail's server should also be a clue to their spam detection. That IP address is in the US, and I never log in to or check my Hotmail account from an IP address outside of Canada.

That long From: line is the next clue. It is RFC 2047 encoded: the first chunk decodes to the display name "Diabetes Treatment", the second chunk is a few hundred base64-encoded spaces, and then come two addresses, <sn0rkasaurus@hotmail.com> followed by a random-looking one at qq.com. The padding pushes the addresses out of view in a mail client's From column, so all you see is the name. What it is really saying is that the message is from sn0rkasaurus@hotmail.com (with a fake address tacked on at the end as well), which, as previously mentioned twice, Microsoft should be able to figure out isn't true.

Next up, the subject has my name in it. Who the fuck sends a message from themselves, to themselves, with their own name in the subject line? Nobody.

Finally, there is a List-Unsubscribe header, which is meant for mailing lists, and it points at mailin.neelghau.com, the same domain that shows up in the Received line and in the Return-Path. Who the fuck sends a mailing list email from their own email address instead of a special address for the mailing list? Nobody. The fact that it was also sent to the same address makes it even more suspicious, and the fact that my name is in the subject line makes it ridiculously suspicious.
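The checks above (SPF and DKIM alignment, the padded and doubled From header, the recipient's name in the subject, and list mail sent from the recipient's own address) are mechanical enough to script. The following is an added example, not code from the original post or from any Microsoft filter: it parses a header block, decodes the RFC 2047 encoded-words in the From line, parses the Authentication-Results header, and reports each of the post's findings. The sample headers are the ones quoted above, trimmed to what the checks need, with the few hundred encoded spaces in the display name regenerated rather than pasted; the "relaxed alignment" shortcut of comparing the last two DNS labels is an assumption (real DMARC checkers use the public suffix list).

```python
import base64
import quopri
import re

# Constructed sample: the headers of the message quoted above, trimmed to the
# ones the checks need. The From display name on the page is "Diabetes Treatment"
# followed by several hundred base64-encoded spaces; that padding is regenerated.
PADDING = base64.b64encode(b" " * 240).decode("ascii")
SAMPLE = (
    "Authentication-Results: hotmail.com; spf=fail (sender IP is 50.7.255.99;"
    " identity alignment result is fail and alignment mode is relaxed)"
    " smtp.mailfrom=account-security-noreply@account.microsoft.com;"
    " dkim=none (identity alignment result is pass and alignment mode is relaxed)"
    " header.d=hotmail.com; x-hmca=none header.id=sn0rkasaurus@hotmail.com\n"
    "Received: from mailin.neelghau.com ([50.7.255.99]) by COL004-MC4F13.hotmail.com"
    " with Microsoft SMTPSVC(7.5.7601.23008);\n"
    "\tWed, 24 Jun 2015 07:25:38 -0700\n"
    "From:=?UTF-8?B?RGlhYmV0ZXMgVHJlYXRtZW50?==?ASCII?B?" + PADDING + "?="
    "<sn0rkasaurus@hotmail.com><f053d0da4714eb91d07cbd71336e7d44@qq.com>\n"
    "To: <sn0rkasaurus@hotmail.com>\n"
    "Subject:Sn0rkasaurus, Learn the Risks, Symptoms, Causes & Treatments! Get the Facts.\n"
    "List-Unsubscribe: <optout-unsubscribe@mailin.neelghau.com>\n"
)

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")  # RFC 2047 =?charset?B|Q?text?=
ANGLE_ADDR = re.compile(r"<([^<>]+)>")


def parse_headers(raw):
    """Header block -> {lower-cased name: value}, unfolding continuation lines.
    For repeated headers (e.g. Received) the first occurrence, the last hop, wins."""
    pairs = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and pairs:
            pairs[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            pairs.append([name.strip().lower(), value.strip()])
    headers = {}
    for name, value in pairs:
        headers.setdefault(name, value)
    return headers


def decode_encoded_words(value):
    """Decode RFC 2047 encoded-words. Returns (decoded text, number of encoded-words)."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        charset, enc, text = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(text + "=" * (-len(text) % 4))
        else:
            raw = quopri.decodestring(text.encode("ascii"), header=True)  # "_" is a space
        return raw.decode(charset, "replace")

    return ENCODED_WORD.sub(repl, value), count


def parse_auth_results(value):
    """Authentication-Results (RFC 7601) -> (authserv-id, {method: {prop: value, "result": r}}).
    Parenthesised comments are stripped first: in the sample they contain semicolons."""
    parts = [s.strip() for s in re.sub(r"\([^()]*\)", "", value).split(";") if s.strip()]
    if not parts:
        return "", {}
    authserv, results = parts[0], {}
    for stanza in parts[1:]:
        method_result, *props = stanza.split()
        method, _, result = method_result.partition("=")
        results[method] = dict(p.partition("=")[::2] for p in props)
        results[method]["result"] = result
    return authserv, results


def org_domain(domain):
    # Stand-in for DMARC "relaxed" alignment: compare the last two labels only.
    # Real checkers consult the public suffix list; this shortcut is an assumption.
    return ".".join(domain.lower().split(".")[-2:])


def analyse(raw):
    """Run the checks the post makes by hand over a header block; returns a report dict."""
    h = parse_headers(raw)
    findings = []
    from_text, n_words = decode_encoded_words(h.get("from", ""))
    display = from_text.split("<", 1)[0]
    from_addrs, to_addrs = ANGLE_ADDR.findall(from_text), ANGLE_ADDR.findall(h.get("to", ""))
    if n_words and len(display) - len(display.rstrip()) > 20:
        findings.append("from-name-padded")            # encoded whitespace hides the address
    if len(from_addrs) > 1:
        findings.append("from-multiple-addresses")
    from_domain = from_addrs[0].rsplit("@", 1)[-1]
    authserv, auth = parse_auth_results(h.get("authentication-results", ""))
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    spf_ok = spf.get("result") == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_ok = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == org_domain(from_domain)
    if not (spf_ok or dkim_ok):
        findings.append("no-aligned-authentication")   # what DMARC would call a fail
    if org_domain(from_domain) == org_domain(authserv) and dkim.get("result") != "pass":
        findings.append("own-domain-unsigned")         # claims to be ours, not signed by us
    if to_addrs[0].split("@")[0].lower() in h.get("subject", "").lower():
        findings.append("recipient-name-in-subject")
    if "list-unsubscribe" in h and from_addrs[0].lower() == to_addrs[0].lower():
        findings.append("list-mail-from-recipient")
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h.get("received", ""))
    return {"sender_ip": ip.group(1) if ip else None, "from_display": display.strip(),
            "from_addrs": from_addrs, "auth": auth, "findings": findings}
```

analyse(SAMPLE) reports all six findings for this message, with from_display "Diabetes Treatment", two From addresses and sender_ip 50.7.255.99. Any one of them on its own is a reasonable spam signal; seeing all of them together on a message that claims to come from the receiving domain is what the post is complaining about.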

Now maybe they just have a relaxed spam detection system. Perhaps microsoft just figures that they want to ensure there are no false positives. Bullshit. They flag mail from my server as spam all the time even though there has never been a single spam from my IP address in the "I don't know how many years" I have been running my mail server from it. The bottom line is that Microsoft does a really bad job of filtering spam and I would strongly recommend not using any of their email services. You WILL miss legitimate mail and you WILL have spam walk right through their filters.
