• Outlook.com spoofed e-mail blocking

    #2617390

    Has anyone had a sudden increase in spoofing e-mails of legit/name brand companies (noreply@lowes.com), etc.? The password has not been compromised.

    I’ve researched this issue as best I can, but I have not found a solution. If you look at the header of these spoofed e-mails, you will find they routed from fake/spam websites, but Hotmail/Outlook’s web version will only allow you to set a rule to send keywords found in the header to the junk mail folder; there is no option for blocking websites or keywords in the header (which is ridiculous and would solve a lot of spam issues), so that it never arrives to your junk mail folder.

    I’m hoping maybe someone has found an alternative for spam/spoofed email blocking? I don’t know if anything can be done through uBlock or not, though I kinda doubt it.

    I would love to hear any suggestions. Thanks!

     

    • #2617426

      Unfortunately there is nothing you can do – the net is awash with spam.
      Rely on your email spam filters and do your best not to be too annoyed by it.  🙂

      cheers, Paul

    • #2617466

      > If you look at the header of these spoofed e-mails, you will find they routed from fake/spam websites, but Hotmail/Outlook’s web version will only allow you to set a rule to send keywords found in the header to the junk mail folder; there is no option for blocking websites or keywords in the header (which is ridiculous and would solve a lot of spam issues), so that it never arrives to your junk mail folder.

      Select “Delete” instead of “Mark as junk” as the rule action?

    • #2617681

      > Unfortunately there is nothing you can do – the net is awash with spam.
      > Rely on your email spam filters and do your best not to be too annoyed by it.  🙂
      >
      > cheers, Paul

      Well, it’s more of that it’s been a flood lately that wasn’t happening before. And they’re using legit domain names as the return address. I normally do not get flooded with Outlook.

    • #2617682

      > > If you look at the header of these spoofed e-mails, you will find they routed from fake/spam websites, but Hotmail/Outlook’s web version will only allow you to set a rule to send keywords found in the header to the junk mail folder; there is no option for blocking websites or keywords in the header (which is ridiculous and would solve a lot of spam issues), so that it never arrives to your junk mail folder.
      >
      > Select “Delete” instead of “Mark as junk” as the rule action?

      Won’t that just put it in the Deleted folder? Instead of blocking it from coming to my mailbox?

    • #2617770

      > it’s been a flood lately

      Someone has a leaky (mail) server and it has been discovered by the miscreants. Make sure it is not your server.

      You can find the source by dropping the headers into https://www.whatismyip.com/email-header-analyzer/

      cheers, Paul

    • #2617775

      > > it’s been a flood lately
      >
      > Someone has a leaky (mail) server and it has been discovered by the miscreants. Make sure it is not your server.
      >
      > You can find the source by dropping the headers into https://www.whatismyip.com/email-header-analyzer/
      >
      > cheers, Paul

      I use Outlook.com, not the desktop version, so it’s definitely on Microsoft’s end. I’m just trying to find any way to block something that’s in the header?

    • #2617789

      The spam is not coming from outlook.com (most likely). MS spam filters are not up to snuff for some reason and you will have to wait for them to catch up.

      In the meantime you can analyze the mail headers to find the spam source and let us know. We may have more ideas. 🙂

      cheers, Paul

    • #2617803

      > Won’t that just put it in the Deleted folder? Instead of blocking it from coming to my mailbox?

      Rules only affect messages which have already arrived in a mailbox folder.

      To prevent messages arriving, use Block Sender:

      How to block someone

      To block someone, select the messages or senders you want to block.

      From the top toolbar, select … then Block > Block sender.

      Select OK. The messages you select will be deleted and all future messages will be blocked from your mailbox.

      Block senders (or mark email as junk) in Outlook.com (or Outlook on the web)

      If you analyze the headers as Paul suggested, you can add correct sender domains:

      Blocking someone stops their email from coming to your mailbox.

      If email from a blocked sender still appears in your Inbox, the sender might be:

      Changing their email address. Create an Inbox rule to pick up common words in your Inbox email and move them to the Deleted Items folder. Learn how to use Inbox rules in Outlook.com.

      Hiding the real email address. View internet message headers to check if the email address shown is different from the sender’s real address and add it to your blocked senders list.

      Receiving email from blocked senders in Outlook.com

      You can have up to 1,024 addresses or domains in the Blocked senders and Safe senders lists. If you want to add more than that, try blocking domains instead of individual email addresses.

    • #2617841

      > > Won’t that just put it in the Deleted folder? Instead of blocking it from coming to my mailbox?
      >
      > Rules only affect messages which have already arrived in a mailbox folder.
      >
      > To prevent messages arriving, use Block Sender:
      >
      > How to block someone
      >
      > To block someone, select the messages or senders you want to block.
      >
      > From the top toolbar, select … then Block > Block sender.
      >
      > Select OK. The messages you select will be deleted and all future messages will be blocked from your mailbox.
      >
      > Block senders (or mark email as junk) in Outlook.com (or Outlook on the web)
      >
      > If you analyze the headers as Paul suggested, you can add correct sender domains:
      >
      > Blocking someone stops their email from coming to your mailbox.
      >
      > If email from a blocked sender still appears in your Inbox, the sender might be:
      >
      > Changing their email address. Create an Inbox rule to pick up common words in your Inbox email and move them to the Deleted Items folder. Learn how to use Inbox rules in Outlook.com.
      >
      > Hiding the real email address. View internet message headers to check if the email address shown is different from the sender’s real address and add it to your blocked senders list.
      >
      > Receiving email from blocked senders in Outlook.com
      >
      > You can have up to 1,024 addresses or domains in the Blocked senders and Safe senders lists. If you want to add more than that, try blocking domains instead of individual email addresses.

      I don’t see a screen to edit the quote, to reduce the amount of text in a post. Where am I missing the expanded HTML? The Text tab doesn’t show it. It only shows the post number you’re quoting, not the text.

      I didn’t know there was a blocked limit, so thank you for telling me, in case I need to remove some individual ones and block the domain instead.

      I just realized what I wasn’t clear about. If I try to block the domain with the spoofed emails, it doesn’t work, because Outlook.com only blocks the domain in the return address line, not the other domains in the header. For example, if the spoof email is @lowes.com, then I can only block @lowes.com, which would also block emails that are genuinely from them. A few of them have also managed to show no return address, which means it doesn’t show any option to block it.

      There’s also the issue of some routing from legit MS email servers, but using different combinations of random letters and numbers before the “@”, but if you find a way to block the MS domain, then you could miss important emails.

      I’m just wondering if anyone has managed to find a way to block other domains or keywords in the header itself. Maybe there’s a loophole to doing it that I’m missing.

       

    • #2617842

      > The spam is not coming from outlook.com (most likely). MS spam filters are not up to snuff for some reason and you will have to wait for them to catch up.
      >
      > In the meantime you can analyze the mail headers to find the spam source and let us know. We may have more ideas. 🙂
      >
      > cheers, Paul

      Waiting on MS is a lost cause, ha.

      See my reply below, in my newest post.

    • #2617850

      > I just realized what I wasn’t clear about. If I try to block the domain with the spoofed emails, it doesn’t work, because Outlook.com only blocks the domain in the return address line, not the other domains in the header. For example, if the spoof email is @lowes.com, then I can only block @lowes.com, which would also block emails that are genuinely from them. A few of them have also managed to show no return address, which means it doesn’t show any option to block it.
      >
      > There’s also the issue of some routing from legit MS email servers, but using different combinations of random letters and numbers before the “@”, but if you find a way to block the MS domain, then you could miss important emails.
      >
      > I’m just wondering if anyone has managed to find a way to block other domains or keywords in the header itself. Maybe there’s a loophole to doing it that I’m missing.

      That’s why you need to paste headers into Paul’s analyser site, to get the true sending domains, before adding those to the blocked senders list.

      But ever-changing random users from a legitimate domain are difficult; can’t they be deleted by a rule based on keywords in the body text?

    • #2617884

      > > I just realized what I wasn’t clear about. If I try to block the domain with the spoofed emails, it doesn’t work, because Outlook.com only blocks the domain in the return address line, not the other domains in the header. For example, if the spoof email is @lowes.com, then I can only block @lowes.com, which would also block emails that are genuinely from them. A few of them have also managed to show no return address, which means it doesn’t show any option to block it.
      > >
      > > There’s also the issue of some routing from legit MS email servers, but using different combinations of random letters and numbers before the “@”, but if you find a way to block the MS domain, then you could miss important emails.
      > >
      > > I’m just wondering if anyone has managed to find a way to block other domains or keywords in the header itself. Maybe there’s a loophole to doing it that I’m missing.
      >
      > That’s why you need to paste headers into Paul’s analyser site, to get the true sending domains, before adding those to the blocked senders list.
      >
      > But ever-changing random users from a legitimate domain are difficult; can’t they be deleted by a rule based on keywords in the body text?

      I previously did some research on the domain routing in the headers, to see where it’s actually coming from, and I found enough to know what to block (I did use one analyzer before, and it matched the domains I found just by looking), but when I tried to block those domains, it either did not let me block that domain, the domain was too generic (like @yahoo.com) to block, or it was not helpful to block the spam because those domains did not show in the return e-mail address, only the header.

      For instance, let’s say it shows the reply to address as “noreply@lowes.com”, it will say something in the header about it routing from “blahblah.xyz” or some microsoft.com domain. But, even if I block the .xyz domain, it doesn’t stop them, because .xyz is only in the header, not the reply to address. It appears to only let me block the reply to domain/address, and I don’t know if there’s a loophole around that.

      So far, with Rules, I cannot find a block option for the header. On the “if message header includes”, it only gives options for sending it to certain folders, such as Deleted or Junk (in terms of moving it somewhere options), but no block option, which is dumb on Microsoft’s end. I haven’t found a way around it; I didn’t know if someone with IT knowledge here had any suggestions for a workaround.

      I can attempt to find a keyword in the subject or body to block, IF the rules give me a block option for the subject or body (I’ll have to check), but this specific type of spoofing is all about membership renewals and winning a prize from a legit company name, so I’m having trouble finding words I can block.

    • #2617888

      > > I just realized what I wasn’t clear about. If I try to block the domain with the spoofed emails, it doesn’t work, because Outlook.com only blocks the domain in the return address line, not the other domains in the header. For example, if the spoof email is @lowes.com, then I can only block @lowes.com, which would also block emails that are genuinely from them. A few of them have also managed to show no return address, which means it doesn’t show any option to block it.
      > >
      > > There’s also the issue of some routing from legit MS email servers, but using different combinations of random letters and numbers before the “@”, but if you find a way to block the MS domain, then you could miss important emails.
      > >
      > > I’m just wondering if anyone has managed to find a way to block other domains or keywords in the header itself. Maybe there’s a loophole to doing it that I’m missing.
      >
      > That’s why you need to paste headers into Paul’s analyser site, to get the true sending domains, before adding those to the blocked senders list.
      >
      > But ever-changing random users from a legitimate domain are difficult; can’t they be deleted by a rule based on keywords in the body text?

      I don’t see a way to edit my last post, but I just looked, and it gives no block options in the Rules section for subject or body text keywords. Just gives the same options it does for message header. I’m not sure if you can block anything through Rules, because it doesn’t even give me a block option for just selecting if the email is from a specific e-mail address as the Condition.

       

    • #2617985

      Welcome to the frustrating world of spam blocking. 🙁
      From addresses are usually spoofed and the mail does not come from that address at all. This is why we like the header analysis.

      As I said before, learn to live with it.

      You can quote a small part of a post by highlighting it and clicking Quote.

      You can edit a reply by clicking the EDIT button on the left of QUOTE.

      cheers, Paul

    • #2631160

      I’m also running into the problem that I can’t block certain domains, even in the From address line, because they are somehow inserting invisible spaces into the email address, and Outlook.com blocked lists won’t allow addresses to be added that have spaces in them. This space issue has only started recently.

      For example, I can’t block: noreply@support temupallet.com , because there’s a space between support and temu, and I have no idea how this can happen. It’s almost as if there is an invisible dash or underscore. If I can’t block domains with spaces in them, how are they e-mailing from addresses with spaces?

      I’m getting an increasing number of spam emails with spaces in the address line, so I can’t even add them to my blocked list.

      Unfortunately, I see no way to block country domains like .ru, or (slightly off topic) no way to block certain countries from attempted sign-ins. Microsoft does NOTHING to give us more blocking options that are common sense to do. And if they do give anything, it’s through programs, MAYBE Outlook desktop, but never through Outlook.com…as if those accounts are less important than the desktop ones. All these options for country blocking emails and domains seem to be through desktop Outlook or Azure, etc.

       

      • #2631182

        @CalliaRose, They are using an invisible character. For example the character which is generated by pressing & holding the ALT key + entering 255 from a 10 key keypad appears to be a space but is actually a unique character. Holding the ALT key + 32 is the same as that generated by using the spacebar. I would have thought copying and pasting the address you want to block would work. Don’t type in a space.

        • #2631184

          > @CalliaRose, They are using an invisible character. For example the character which is generated by pressing & holding the ALT key + entering 255 from a 10 key keypad appears to be a space but is actually a unique character. Holding the ALT key + 32 is the same as that generated by using the spacebar. I would have thought copying and pasting the address you want to block would work. Don’t type in a space.

          So my guess about the invisible character was correct; I’m just not familiar with them. Is there a way to unearth what the character is? I tried both copying and pasting (the list won’t accept the space) and deleting the space, but when I delete the space, it registers it as a different domain or address and won’t block the same one I’m trying to block.

          • #2631193

            I am questioning my answer now since I really thought that copy and paste should work if it was a different type of ASCII character. But to answer your question, sometimes copying and pasting into a program called Notepad++ has been helpful for me in determining if a character is really a space or some other character. For example, if I create an ALT + 255 character in Notepad and copy that into Notepad++, I see a capital A with a caret symbol on top. This tells me the character is not a space.

    • #2631165

      Quick off topic question. Does clicking “Secure your account” on the relentless attempted unsuccessful sign-ins or syncs on the sign-in activity page do anything at all to block that particular IP, etc.? If you click it, there’s a dialog box that says “Thanks for telling us”…but is it even worth the time? I send the phishing reports on the junk and spoofed emails, by clicking the Report as phishing, but I wonder if that does more good than the “Secure your account” clicks.

      Any thoughts?

       

    • #2631283

      Attempting to block individual addresses is a waste of time IMO. The spammer will use a different address tomorrow.

      > relentless attempted unsuccessful sign-ins

      You can ignore those warnings if you use either of these two ways to log in.
      1. Use 2FA.
      2. Use a long and strong password. At least 16 characters and a mix of upper, lower, digits and punctuation. The easiest is to use something that is easy to remember (birth date?) and a word (middle name?) and then pad them with punctuation marks.
      Here is a sample 19 character password: #Tom20030914,,,,.##
      Or use a password manager and a really complex password.

      cheers, Paul

    • #2631419

      @CaliaRose

      For a lonnnng time I struggled with similar issues.  Blocking, reporting, viewing message source, rules, filters.  Until one day I discovered that it was all in vain.  The Outlook.com spam filters, rules etc. are for the inbox and nothing else.  Of which I get very little.  And when I do, I mark them as junk and move on.

      https://support.microsoft.com/en-us/office/block-senders-or-mark-email-as-junk-in-outlook-com-or-outlook-on-the-web-a3ece97b-82f8-4a5e-9ac3-e92fa6427ae4

      There is also a limit to the number of blocked addresses and domains.  1024 (1 GB) to be precise.

      https://support.microsoft.com/en-us/office/block-senders-or-unblock-senders-in-outlook-9bf812d4-6995-4d19-901a-76d6e26939b0

      Another thing I do is exclude friends and family from the “Safe Senders And Domains” list because I don’t want to expose them to any M$ data collection abuse.

      After learning this, I quit banging my head on the wall.  Now I just report junkmail as needed and move on.  So much easier and less stressful.  Good luck with your efforts.

      Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

    • #2632983

      I am hitting the exact same issue as CaliaRose.

      The main problem is e-mails entering the Junk mail folder that contain a space character within the domain of the sender. You can see that in the actual “From: ” field when seeing the source of the message.

      The e-mail headers contain other randomly-generated domains too. Unlike other domain blocking rules, Outlook doesn’t allow blocking a sender with a SPACE:

      Here’s an example snippet:

      > From: NETFLIX $2/year Subscription <noreply@customer support.netflix.com>

      If you try to add to the block list, Outlook gives this error

      > Error – Either the email address or domain name isn’t formatted correctly.

      This becomes an issue because hotmail sometimes has useful e-mail sent to the Junk Mail folder. So, having 100s of unblockable emails in the Junk Mail folder to sift through to find any false-positives is really annoying. Ideally, these domains would just be blockable.

      There has been a recent order of magnitude increase of such emails (over the last 6 months).

      Other relevant header info from such emails:

      Authentication-Results: spf=none (sender IP is 194.150.235.110)
      smtp.mailfrom=rLGKOZYYftNOranYDDesB.net; dkim=none (message not signed)
      header.d=none;dmarc=none action=none header.from=;
      Received-SPF: None (protection.outlook.com: rLGKOZYYftNOranYDDesB.net does not
      designate permitted sender hosts)
      Received: from mta.alerts.honda.com (194.150.235.110) by
      AM7EUR06FT027.mail.protection.outlook.com (10.233.255.143) with Microsoft
      SMTP Server id 15.20.7249.22 via Frontend Transport; Mon, 29 Jan 2024
      18:10:49 +0000
      X-IncomingTopHeaderMarker:
      OriginalChecksum:5755B85E02D4B09426034699E21616AB39F2A07ADCB270D9A9C036016887692B;UpperCasedChecksum:A2BDA9488A8EF7D21E02DCAF391E93EB5434B5833E5C34483494B6B020CD17CB;SizeAsReceived:372;Count:9
      Date: Mon, 29 Jan 2024 19:10:41 +0100
      To: <REDACTED>
      From: NETFLIX $2/year Subscription <noreply@customer support.netflix.com>
      Subject: YOUR NETFLIX TV MEMBERSHIP HAS EXPIRED! EXTEND YOUR MEMBERSHIP FOR ONLY 2$/YEAR !
      Content-Type: text/html; charset=”UTF-8″
      Content-Transfer-Encoding: 7bit
      X-IncomingHeaderCount: 9
      Message-ID:
      <4c1a6d44-5d94-4fb5-9ad6-89eadbb82395@AM7EUR06FT027.eop-eur06.prod.protection.outlook.com>
      Return-Path: <REDACTED>

      X-Sender-IP: 194.150.235.110
      X-SID-Result: NONE
      X-MS-Exchange-Organization-PCL: 2
      X-MS-Exchange-AtpMessageProperties: SA|SL
      X-MS-Exchange-Organization-SCL: 5
      X-Microsoft-Antispam: BCL:0;

      Moderator Note: Return path redacted to avoid potentially harmful content from a clickable link.
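
The header comparison this thread keeps coming back to (the displayed From address versus what the receiving server recorded, plus naming any odd or invisible character in the address), as an added example that is not part of any post above. It reads the header lines posted in #2632983, re-folded as constructed sample input; the function names and the simplified domain-alignment check are assumptions of this example.

```python
import re
import unicodedata
from email import message_from_string

# Constructed sample: header lines from the post above, re-folded with leading
# whitespace so a standard parser treats continuation lines as one header.
SAMPLE = """\
Authentication-Results: spf=none (sender IP is 194.150.235.110)
 smtp.mailfrom=rLGKOZYYftNOranYDDesB.net; dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=;
Received: from mta.alerts.honda.com (194.150.235.110) by
 AM7EUR06FT027.mail.protection.outlook.com (10.233.255.143) with Microsoft
 SMTP Server id 15.20.7249.22 via Frontend Transport; Mon, 29 Jan 2024
 18:10:49 +0000
From: NETFLIX $2/year Subscription <noreply@customer support.netflix.com>

"""


def unfold(value):
    """Join folded header lines; leave every other character untouched."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "")


def odd_chars(address):
    """Name each character that is not printable, non-space ASCII."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(address) if not 33 <= ord(c) <= 126]


def analyze(raw_headers):
    """Compare the displayed From address with what the receiving server recorded."""
    msg = message_from_string(raw_headers)
    auth = unfold(msg.get("Authentication-Results"))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    mailfrom = re.search(r"smtp\.mailfrom=([^;\s]+)", auth)
    ip = re.search(r"sender IP is ([0-9A-Fa-f.:]+)", auth)
    helo = re.search(r"from\s+(\S+)", unfold(msg.get("Received")))

    from_hdr = unfold(msg.get("From"))
    bracketed = re.search(r"<([^>]*)>", from_hdr)
    address = bracketed.group(1) if bracketed else from_hdr.strip()
    from_domain = address.rpartition("@")[2].lower()
    env_domain = mailfrom.group(1).rpartition("@")[2].lower() if mailfrom else ""

    findings = []
    for pos, cp, name in odd_chars(address):
        findings.append(f"From address has {name} ({cp}) at index {pos}")
    failed = [k for k in ("spf", "dkim", "dmarc") if results.get(k) != "pass"]
    if failed:
        findings.append("no passing result for " + ", ".join(failed))
    # Simplified alignment check: exact match or From is a subdomain of the envelope domain.
    if env_domain and not (from_domain == env_domain
                           or from_domain.endswith("." + env_domain)):
        findings.append(f"envelope domain {env_domain} != From domain {from_domain}")

    return {
        "from_address": address,
        "envelope_domain": env_domain,
        "sender_ip": ip.group(1) if ip else None,
        "claimed_helo": helo.group(1) if helo else None,  # self-declared by the sender
        "auth": results,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```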
