SPAM amplification alert
While we have marked this issue as resolved, we wanted to offer further updates. After we banned misconfigured M365 instances from ExchangeDefender, their messages will still arrive in your SureSPAM folder, and if you whitelist the domain they will pass on as normal.

  • In the same timespan we have also seen a rise of a new botnet, so we have temporarily become more aggressive towards mail servers that are new to us and our partners in the managed email space. 
  • We're seeing an increase in SPAM overall as offices that have been shut for months are coming back online (unpatched) and suddenly starting to relay SPAM. Unfortunately, this has not spared Microsoft, Google, or any of the other email providers, and we're taking more aggressive steps to mitigate this.
  • As a result of the complaints, several partners have opened up tickets with specific targeted spear phishing campaigns. While we have rendered these moot with the ExchangeDefender firewall, it's annoying to see the SPAM come in as well.

We will have a new managed offering launching later in Summer 2021 to address these but for the moment we are dealing with multiple attack vectors and appreciate every .eml report we can get at

As mentioned in the previous update, we have been blocking a lot of the new exploited IP addresses. One thing they all seem to have in common is that they are abusing organizations that match these two criteria:

  1. Domain has an SPF record with a soft fail action (meaning it can be spoofed and not necessarily flagged as SPAM)
  2. Domain belongs to a Microsoft Office365 customer that has enabled anonymous access (becoming an open relay)

You will see these headers in many SPAM pieces.

X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthAs: Anonymous

For the time being, we will classify Microsoft email from these open relays as SPAM far more aggressively. It will not impact normal traffic from Microsoft, but if they are an open relay those messages.
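
To check a reported .eml against the pattern above (the three headers plus a soft fail SPF record on the sender's domain), here is an added example; it is not ExchangeDefender's own code. The function names, the sample message and the sample SPF record are constructed, and the SPF TXT record is assumed to have been looked up separately.

```python
from email import message_from_string

# Headers the alert says appear on mail relayed through these tenants.
RELAY_MARKERS = {
    "X-MS-Exchange-Organization-MessageDirectionality": "incoming",
    "X-MS-PublicTrafficType": "email",
    "X-MS-Exchange-Organization-AuthAs": "anonymous",
}

def relay_markers_present(raw_message):
    """Return, sorted, the marker headers whose value matches the alert
    (header names are case-insensitive; repeated headers are all checked)."""
    msg = message_from_string(raw_message)
    hits = []
    for name, expected in RELAY_MARKERS.items():
        values = [v.strip().lower() for v in msg.get_all(name, [])]
        if expected in values:
            hits.append(name)
    return sorted(hits)

def spf_all_qualifier(txt_record):
    """Return the qualifier on the 'all' mechanism: '+', '-', '~', '?' or None."""
    terms = txt_record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t == "all":
            return "+"  # a bare 'all' defaults to pass
        if len(t) == 4 and t[0] in "+-~?" and t[1:] == "all":
            return t[0]
    return None

def matches_alert_pattern(raw_message, sender_spf_txt):
    """True when all three headers are present and the sender domain soft-fails."""
    return (len(relay_markers_present(raw_message)) == len(RELAY_MARKERS)
            and spf_all_qualifier(sender_spf_txt) == "~")

# Constructed sample message and SPF record (example.com is a placeholder).
SAMPLE = (
    "From: billing@example.com\nSubject: constructed sample\n"
    "X-MS-Exchange-Organization-MessageDirectionality: Incoming\n"
    "X-MS-PublicTrafficType: Email\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n\nbody\n"
)
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"

if __name__ == "__main__":
    print(relay_markers_present(SAMPLE), matches_alert_pattern(SAMPLE, SAMPLE_SPF))
```

A match is a signal to weigh alongside IP reputation and content filtering, not a verdict on its own.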

We have been monitoring an explosion of new compromised systems that are suddenly broadcasting large amounts of SPAM. These IP addresses have never been used for SPAM activity before (and clearly belong to legitimate companies) and we are blocking them as fast as they show up on our firewalls. Here are some of the top subjects:

Restore Your Gut Health As You Sleep with Peptiva $COMPANY // Reach the Peak

Green Veggie INFLAMES Diabetes Type 2 (Avoid)

Worried about your identity? Try ?ife?ock free!

African Priest Helps White Man Gain 6 Inches

White Man Offers Wife To African Priest For Member Growth Secret

2021 is Here - Big D Paving Co Start of Year Funding Deals

While most of these are getting picked off by our SPAM filtering natively, we are actively mapping out this new botnet and blocking it aggressively. 

If you have users with SureSPAM policy set to "Deliver" you should immediately change it to Quarantine/Store so your users aren't being annoyed with pieces that are coming from IP addresses with good IP reputation.