• Reporting Spam from Microsoft

    From David E. Ross@nobody@nowhere.invalid to alt.comp.microsoft.windows,alt.windows7.general on Thu Feb 26 09:15:09 2026
    From Newsgroup: alt.windows7.general

    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different reporting process.

    How can I tell which Microsoft service is the source of spam?
    --
    David E. Ross
    <http://www.rossde.com/>
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.comp.microsoft.windows,alt.windows7.general on Thu Feb 26 15:58:01 2026
    From Newsgroup: alt.windows7.general

    On Thu, 2/26/2026 12:15 PM, David E. Ross wrote:
    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different reporting process.

    How can I tell which Microsoft service is the source of spam?


    When you look at the raw email with all of its fancy header text,
    is there anything that resembles a Microsoft domain in there ?

    *******

    Please note, that you are the second person in a few days,
    to be phished... while presenting a real-email address in
    a USENET message. The other poster, he does not use that
    email address for official Microsoft related purposes,
    making the attempted phish easy to detect.

    Looks like there is a campaign underway
    feeding off recent USENET usage and some harvested email
    addresses. It's OK to use a real email... if you have
    the skillz to handle the incoming phish. It would
    not be a good idea to use your posted email address, as
    part of registering for a Microsoft MSA for W10/W11 usage.
    As then the phish could be believable.

    Paul
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From David E. Ross@nobody@nowhere.invalid to alt.comp.microsoft.windows,alt.windows7.general on Thu Feb 26 14:59:59 2026
    From Newsgroup: alt.windows7.general

    On 2/26/2026 12:58 PM, Paul wrote:
    On Thu, 2/26/2026 12:15 PM, David E. Ross wrote:
    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different
    reporting process.

    How can I tell which Microsoft service is the source of spam?


    When you look at the raw email with all of its fancy header text,
    is there anything that resembles a Microsoft domain in there ?

    [snipped]

    Paul


    When I view the raw source, I see
    Received: from TYPPR03CU001.outbound.protection.outlook.com ([52.101.126.89])
    by cmsmtp with ESMTP
    id tZmEvnrCkG1vutZmFvdrxB; Fri, 20 Feb 2026 23:19:16 +0000
    and
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;...
    and
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    and
    Content-Type: multipart/alternative; boundary="XtbYproQFDqr7Z2Z91H6ahOZLQg4moK9MZiUnYsSZZJIzVx"
    X-ClientProxiedBy: PR3P189CA0057.EURP189.PROD.OUTLOOK.COM

    When I complained to <junk@office365.microsoft.com>, they replied that
    this was from Azure and required a different way to complain.
    --
    David E. Ross
    <http://www.rossde.com/>
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Shimon@invalid@invalid.invalid to alt.comp.microsoft.windows,alt.windows7.general on Thu Feb 26 23:05:42 2026
    From Newsgroup: alt.windows7.general

    On 26/02/2026 22:59, David E. Ross wrote:
    On 2/26/2026 12:58 PM, Paul wrote:
    On Thu, 2/26/2026 12:15 PM, David E. Ross wrote:
    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different
    reporting process.

    How can I tell which Microsoft service is the source of spam?

    When you look at the raw email with all of its fancy header text,
    is there anything that resembles a Microsoft domain in there ?

    [snipped]
    Paul

    When I view the raw source, I see
    Received: from TYPPR03CU001.outbound.protection.outlook.com ([52.101.126.89])
    by cmsmtp with ESMTP
    id tZmEvnrCkG1vutZmFvdrxB; Fri, 20 Feb 2026 23:19:16 +0000
    and
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;...
    and
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    and
    Content-Type: multipart/alternative; boundary="XtbYproQFDqr7Z2Z91H6ahOZLQg4moK9MZiUnYsSZZJIzVx"
    X-ClientProxiedBy: PR3P189CA0057.EURP189.PROD.OUTLOOK.COM
    When I complained to <junk@office365.microsoft.com>, they replied that
    this was from Azure and required a different way to complain.

    <https://www.abuseipdb.com/check/52.101.126.89>


    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.comp.microsoft.windows,alt.windows7.general,alt.comp.os.windows-10,alt.comp.os.windows-11 on Thu Feb 26 20:48:34 2026
    From Newsgroup: alt.windows7.general

    On Thu, 2/26/2026 12:15 PM, David E. Ross wrote:
    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different reporting process.

    How can I tell which Microsoft service is the source of spam?
    When I view the raw source, I see
    Received: from TYPPR03CU001.outbound.protection.outlook.com ([52.101.126.89])
    by cmsmtp with ESMTP
    id tZmEvnrCkG1vutZmFvdrxB; Fri, 20 Feb 2026 23:19:16 +0000

    ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;...

    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

    Content-Type: multipart/alternative; boundary="XtbYproQFDqr7Z2Z91H6ahOZLQg4moK9MZiUnYsSZZJIzVx"
    X-ClientProxiedBy: PR3P189CA0057.EURP189.PROD.OUTLOOK.COM

    When I complained to <junk@office365.microsoft.com>, they replied that
    this was from Azure and required a different way to complain.

    *******

    Forwarded from alt.windows7.general to W10/W11 for comments...

    I can see in some discussion threads, that Azure tenant takeover is a thing, and while the emails coming out may look half-legit, there should be a way
    to determine they're spoofed.

    Then the next step would be reporting a tenant issue perhaps. That's about
    all I'm finding by looking at discussions with outbound.protection.outlook.com .

    Paul

    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.microsoft.windows,alt.windows7.general on Fri Feb 27 20:22:33 2026
    From Newsgroup: alt.windows7.general

    On 27/02/2026 9:59 am, David E. Ross wrote:
    On 2/26/2026 12:58 PM, Paul wrote:
    On Thu, 2/26/2026 12:15 PM, David E. Ross wrote:
    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different
    reporting process.

    How can I tell which Microsoft service is the source of spam?

    When you look at the raw email with all of its fancy header text,
    is there anything that resembles a Microsoft domain in there ?

    [snipped]

    Paul

    When I view the raw source, I see
    Received: from TYPPR03CU001.outbound.protection.outlook.com ([52.101.126.89])
    by cmsmtp with ESMTP
    id tZmEvnrCkG1vutZmFvdrxB; Fri, 20 Feb 2026 23:19:16 +0000
    and
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;...
    and
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    and
    Content-Type: multipart/alternative; boundary="XtbYproQFDqr7Z2Z91H6ahOZLQg4moK9MZiUnYsSZZJIzVx"
    X-ClientProxiedBy: PR3P189CA0057.EURP189.PROD.OUTLOOK.COM

    When I complained to <junk@office365.microsoft.com>, they replied that
    this was from Azure and required a different way to complain.

    Did they actually tell you what this "different way to complain" was??
    --
    Daniel70
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From David E. Ross@nobody@nowhere.invalid to alt.comp.microsoft.windows,alt.windows7.general on Fri Feb 27 08:24:33 2026
    From Newsgroup: alt.windows7.general

    On 2/27/2026 1:22 AM, Daniel70 wrote:
    On 27/02/2026 9:59 am, David E. Ross wrote:
    On 2/26/2026 12:58 PM, Paul wrote:
    On Thu, 2/26/2026 12:15 PM, David E. Ross wrote:
    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different >>>> reporting process.

    How can I tell which Microsoft service is the source of spam?

    When you look at the raw email with all of its fancy header text,
    is there anything that resembles a Microsoft domain in there ?

    [snipped]

    Paul

    When I view the raw source, I see
    Received: from TYPPR03CU001.outbound.protection.outlook.com ([52.101.126.89])
    by cmsmtp with ESMTP
    id tZmEvnrCkG1vutZmFvdrxB; Fri, 20 Feb 2026 23:19:16 +0000
    and
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;...
    and
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    and
    Content-Type: multipart/alternative; boundary="XtbYproQFDqr7Z2Z91H6ahOZLQg4moK9MZiUnYsSZZJIzVx"
    X-ClientProxiedBy: PR3P189CA0057.EURP189.PROD.OUTLOOK.COM

    When I complained to <junk@office365.microsoft.com>, they replied that
    this was from Azure and required a different way to complain.

    Did they actually tell you what this "different way to complain" was??


    They told me the different way, but only after I sent a complaint. They
    did NOT tell me how to distinguish the different sources within Microsoft.
    --
    David E. Ross
    <http://www.rossde.com/>
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.microsoft.windows,alt.windows7.general on Sat Feb 28 20:04:33 2026
    From Newsgroup: alt.windows7.general

    On 28/02/2026 3:24 am, David E. Ross wrote:
    On 2/27/2026 1:22 AM, Daniel70 wrote:
    On 27/02/2026 9:59 am, David E. Ross wrote:
    On 2/26/2026 12:58 PM, Paul wrote:
    On Thu, 2/26/2026 12:15 PM, David E. Ross wrote:
    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different >>>>> reporting process.

    How can I tell which Microsoft service is the source of spam?

    When you look at the raw email with all of its fancy header text,
    is there anything that resembles a Microsoft domain in there ?

    [snipped]

    Paul

    When I view the raw source, I see
    Received: from TYPPR03CU001.outbound.protection.outlook.com ([52.101.126.89])
    by cmsmtp with ESMTP
    id tZmEvnrCkG1vutZmFvdrxB; Fri, 20 Feb 2026 23:19:16 +0000
    and
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;...
    and
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    and
    Content-Type: multipart/alternative; boundary="XtbYproQFDqr7Z2Z91H6ahOZLQg4moK9MZiUnYsSZZJIzVx"
    X-ClientProxiedBy: PR3P189CA0057.EURP189.PROD.OUTLOOK.COM

    When I complained to <junk@office365.microsoft.com>, they replied that
    this was from Azure and required a different way to complain.

    Did they actually tell you what this "different way to complain" was??


    They told me the different way, but only after I sent a complaint. They
    did NOT tell me how to distinguish the different sources within Microsoft.

    How helpful the Help Desk was ..... NOT!!
    --
    Daniel70
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From VanguardLH@V@nguard.LH to alt.comp.microsoft.windows,alt.windows7.general on Wed May 13 09:58:31 2026
    From Newsgroup: alt.windows7.general

    "David E. Ross" <nobody@nowhere.invalid> wrote:

    NO! This is not spam. I try to report spam to the spammer's host.
    Spam from Microsoft, however, requires that I know which Microsoft
    service is the origin (e.g., Azure, 360). Each service has a different reporting process.

    How can I tell which Microsoft service is the source of spam?

    You might want to become a spam reporter at spamcop.net. They will
    parse the headers to determine to where the spam should get reported.
    However, it is still your responsibility to know if they correctly
    parsed the Received headers. Sometimes the chaining of Received headers
    gets confusing, because chaining is not shown for internal servers.
    Also, spammers may add Received headers to confuse spam reporters or
    parsers as to the origin of an e-mail; however, they can only add bogus Received headers to their message which means those are listed first (at
    the bottom of the header section since Received headers are prepended by
    each mail server through which a message passes). You have to ensure
    the 'from' clause in a Received header matches up with the 'by' clause
    in the prior Received header.

    To match up the chaining in the Received headers, I copy the headers
    into, say, Notepad, and reverse the order of the 'from' and 'by' clauses
    in each Received header. Then it is easier to see the 'by' clause in a Received header matches up with the 'from' header in the next (later)
    Received header. I end up with:

    Received:
    by <host5> ------- by is last host
    from <host4> ---.
    Received: |--- from matches prior by
    by <host4> ---'
    from <host3> ---.
    Received: |--- from matches prior by
    by <host3> ---'
    from <host2> ---.
    Received: |--- from matches prior by
    by <host2> ---'
    from <host1> ---.
    Received: |--- from matches prior by (1st host)
    by <host1> ---'

    The chaining gets a bit confusing when the from-host doesn't match the
    prior by-host due to internal routing within an e-mail service, or the
    Received header for an internal host doesn't show a by-host, just the from-host. The from-host won't of a subsequent legit Received header
    won't match a bogus by-host in a Received added by a spammer.

    Then there are the hyperlinks within the message. Usually they point to
    the spammer's/scammer's/phisher's website, but not always. For example,
    if you use Microsoft's Hotmail/Live/Outlook.com e-mail services,
    Microsoft modifies the hyperlinks to point at their own anti-malware
    servers. When clicking on the modified hyperlinks, you first go to the
    MS server that checks their blacklist. If the link is okay, you then
    get redirected by the MS server to the original target. If the target
    website is blacklisted, you are blocked. This is Microsoft's Safe Links "feature" as part of their ATP (Advanced Threat Protection) service. It interferes with spam reporters trying to submit spam reports to both the
    e-mail source, and to the domain owners of the spam websites. If you
    have a freebie account, you have to use their feedback to request ATP be disabled on your account. If you have a school or company account, you
    can ask your e-mail admin to change your account to disable ATP: it's an
    option in the admin control panel on configuring accounts. If you have
    a paid account, maybe you have an option to disable ATP, but I don't
    have a paid MS account to check. I have a free account, so I had to use feedback to get ATP disabled. I requested, they disabled, later it got reenabled, I requested to disable, they disabled, reenabled again, and
    asked again to disable.

    I only know Safe Links got disabled by inspecting the HTML code for the hyperlinks (the href attribute in the <A> tag) within messages to see if
    they point to:

    https://<varHost>.safelinks.protection.outlook.com/<args>

    The <args> contain the original website's URL. I don't know if
    Microsoft is the only asshole modifying hyperlinks in received e-mails.
    The moment Microsoft decides to discontinue ATP means all hyperlinks in
    your e-mails that utilize redirect to MS hosts become unusable; i.e.,
    instant link rot. To avoid the possibility of link rot, I have MS
    disable their Safe Links "feature" in my MS account, but it days several
    days before they respond and act, and repeated requests if and when they
    decide to later reenable ATP.

    While looking at the href attribute in an <A> HTML tag will show the
    target for a hyperlink, nowadays a lot of web pages are using Javascript
    to construct the URLs on-the-fly, or to obfuscate them. I've even seen
    URLs that were split across cells in a row in a table, so they were not
    seen as URLs, and Javascript added the protocol prefix (HTTP[S]://), and
    built the URL from entries in the table. All to hide to where a link
    points. Either from the <A> tag's href attribute, or by walking through
    the Javascript (if you leave it enabled for e-mails -- which I don't),
    you can tell to where the link points.

    I don't if by "origin" you are looking at the headers of an e-mail, or
    at the hyperlinks (or what looks like hyperlinks) within the body of an
    e-mail. For many e-mail client, you can hover the mouse pointer over a hyperlink to see a help bubble appear (usually at the bottom left of the window) that tries to show to where the hyperlink points. However, if
    the link is scripted, what the bubble shows may not be to where the link
    will drop you when you click on what looks like a hyperlink.
    --- Synchronet 3.22a-Linux NewsLink 1.2