
Wednesday, October 16, 2024

Exchange - Regex Transport Rule To Block Recent Hotmail/Outlook.com Spam

I have a customer whose Exchange Online tenant is getting bombarded with spam from Hotmail and outlook.com free accounts. The spammers are creating "one-and-done" accounts with the following format:

firstname1234lastname5678@hotmail.com

firstname1234lastname5678@outlook.com

This particular tenant is receiving thousands of messages from these senders, so blocking them one by one or adding them to the tenant blocklist isn't feasible. Neither is blocking the hotmail.com/outlook.com domains outright, because genuine senders could still be using those services.

So, I've come up with a regular expression to add to a Transport Rule (aka Mail Flow Rule) that matches those senders by text pattern.

Regex:

The patterns will look like so:

'^[a-zA-Z]+[0-9]+[a-zA-Z]+[0-9]+@outlook\.com$'

'^[a-zA-Z]+[0-9]+[a-zA-Z]+[0-9]+@hotmail\.com$'

Transport Rule:

We'll create a Transport Rule with the following settings:

Apply this rule if…

    The sender... is external

    The sender... address matches any of these text patterns:

        '^[a-zA-Z]+[0-9]+[a-zA-Z]+[0-9]+@outlook\.com$'

        '^[a-zA-Z]+[0-9]+[a-zA-Z]+[0-9]+@hotmail\.com$'

Do the following…

    Modify the message properties... set the SCL to 9 

**Note** Or you can just straight up block the messages, but I would do that after testing to ensure it’s catching these properly.
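One way to do the testing mentioned in the note, as an added example that is not from the original post: a dry run of the two patterns against constructed sample addresses, followed by the same rule created in audit mode. The rule name and the sample addresses are assumptions; rule creation only runs when an Exchange Online PowerShell session is available.

```powershell
# Added example, not from the original post; sample addresses are constructed.
$patterns = @(
    '^[a-zA-Z]+[0-9]+[a-zA-Z]+[0-9]+@outlook\.com$',
    '^[a-zA-Z]+[0-9]+[a-zA-Z]+[0-9]+@hotmail\.com$'
)

# Constructed senders mapped to whether the rule is expected to fire.
$samples = [ordered]@{
    'firstname1234lastname5678@hotmail.com'         = $true   # format from the post
    'firstname1234lastname5678@outlook.com'         = $true
    'jane84doe1990@outlook.com'                     = $true   # plausible real user, still matches
    'jane.doe84@outlook.com'                        = $false  # dot in the local part
    'janedoe1990@hotmail.com'                       = $false  # only one letters+digits group
    'firstname1234lastname5678@gmail.com'           = $false  # different domain
    'firstname1234lastname5678@outlook.com.example' = $false  # rejected by the $ anchor
}

function Test-SenderPattern {
    param([string]$Address, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($Address -match $p) { return $true }
    }
    return $false
}

# Offline dry run: stop if any sample behaves differently than expected.
$failed = 0
foreach ($addr in $samples.Keys) {
    $hit = Test-SenderPattern -Address $addr -Patterns $patterns
    if ($hit -ne $samples[$addr]) { $failed++ }
    '{0,-46} match={1} expected={2}' -f $addr, $hit, $samples[$addr]
}
if ($failed) { throw "$failed sample(s) did not behave as expected" }

# Same conditions and action as the rule above, created in audit mode so
# matches are logged without changing delivery. The rule name is hypothetical.
$rule = @{
    Name                       = 'Audit - Outlook/Hotmail pattern senders'
    FromScope                  = 'NotInOrganization'
    FromAddressMatchesPatterns = $patterns
    SetSCL                     = 9
    Mode                       = 'Audit'
}
if (Get-Command New-TransportRule -ErrorAction SilentlyContinue) {
    New-TransportRule @rule
} else {
    'No Exchange Online session found; skipping rule creation.'
}
```

The third sample is the reason to audit first: a real person's address with the same letters-digits-letters-digits shape is caught too, so review the audit hits before enforcing or switching to an outright block.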

Now, you should see much less spam from Hotmail/Outlook.com until Microsoft can shut them down...they are starting to institute new throttling rules on new accounts, so hopefully that'll help.
