An update on the forwarding email problem in Office 365

Well over a year ago, I wrote the following blog post: Why does my email from Facebook, that I forward from my outlook.com account, get rejected? It’s a very popular blog post, it gets more comment than almost any other post that I have written. The overwhelming majority of comments asks the question: “When will this…

0

What do we mean when we refer to the ‘sender’ of an email?

There’s a lot of ambiguity about the term “sender” when talking about the sender of an email. What do we mean? The term is overloaded because there are so many possible “senders” of a message. Here’s the most commonly used terms and how they show up in various email clients: 1. The From: address in…

0

How the Outlook.com Spam Fighters program works

Over here in Outlook.com (and Office 365), we hate spam (and phishing, and malware). We’re doing everything we can, every single day, to keep it out of your Inbox.But we know that there are many of you out there as well that also hate spam as much as we do, and that’s where the Spam Fighters…

7

Fixing a problem with “Unsubscribe” in Outlook.com

One of the problems that some of our users have been experiencing in Outlook.com is using the “You can unsubscribe” widget: The widget above shows up when we think the message is bulk, and the message contains a List-Unsubscribe header, and that header contains a mailto. We parse out the mailto and send a message…

1

Why adding to Blocked Senders sometimes doesn’t block the sender

Recently in Outlook.com, I’ve seen a spurt of user complaints that they are adding senders to the blocked senders list, but keep getting spam from the same sender day after day. I did some investigation. First, adding spammers to Blocked Senders isn’t the best way to stop spammers from sending you unwanted email. Spammers randomize…

4

A tip for mailing list operators to interoperate with DMARC to avoid failures

One of the problems with DMARC is how mailing lists deal with participants that publish p=reject records. The domain owner has published a policy to prevent spoofing, but all of the various participants on the mailing list may be affected. This includes people within an organization that previous were taking part in technical discussions, but…

1

A quick overview of Outlook.com (Hotmail) sender support

Over the past two months, I have taken on a role to deal with deliverability and user complaints for Outlook.com (Hotmail). The main areas of focus are reducing user spam complaints, and helping to streamline the process for senders when they get blocked from delivering to Outlook.com. This includes fixing bugs in the spam filtering…

0

If you want to send to Outlook.com, send with a valid From: address

I’ve been quiet on this blog for a couple of weeks, and that’s because I’ve been helping out addressing some of the spam complaints in Outlook.com. The biggest issue we’ve seen recently is spam from invalid senders. This is an email where the From: address is not RFC compliant, and does one of two things:…

1

The difference between adding Safe and Blocked senders in Outlook, vs. Outlook.com

I’m currently doing a bunch of work around making Outlook.com better, and one the things I’ve noticed is different is how you add to your Safe and Blocked senders list when you use a desktop client like Outlook, vs. when you use the web UX in either Outlook.com (our consumer email product) or Outlook Web…

4

Would a DMARC reject record have prevented Donald Trump from getting elected?

One of the reasons I just wrote that four part series on where email authentication is helpful against phishing, and where it is not-so-helpful, is because I wanted to examine the John Podesta email hacks. In case you’re not aware, John Podesta was the Chair of the Democratic Campaign to elect Hillary Clinton for President…

5

Where email authentication falls flat at stopping phishing – impersonation attacks using display tricks

In this series so far, we’ve seen how email authentication is a great thing at stopping phishing under some circumstances, and where it isn’t that useful in other circumstances. A circumstance where it isn’t that useful is a variant of Business Email Compromise (BEC) that we call an Impersonation Attack. An Impersonation Attack is when…

2

Where email authentication is potentially great – protecting against spoofing from domains with weak authentication

So, in the past couple of posts, I’ve talked about how email authentication is not that great against phishing attacks that use random parameters in the sender, but is well-designed to work against springboard spear-phishing attacks. There’s another scenario where it is simultaneously well-positioned to protect against spear-phishing, yet not in a good position to…

0

A security story that is kind of disturbing

I’ve got a story for you. As a security person, it’s a little disturbing. I was driving in the car with my wife yesterday who works in the health care industry (she’s not a doctor). She was telling me that earlier that day, she was trying to email a file to some other organization and…

2