Jan Hajek

I am Honza, hi.

5 minute read

For the past couple of months, I have been really frustrated by the amount of spam appearing in my Inbox folder in my personal e-mail provided by Outlook.com (previously Hotmail or MSN). I have been using Outlook.com since 2007 and I have never had such a huge amount of spam bypass the filter. I am also a M365 Family subscriber. Nowadays, at least 5 messages make it through the spam filter and appear in my inbox.

I am not the only one

There are plenty people complaining about this situation on Reddit (1, 2, 3, 4, 5, 6), Microsoft Answers (1, just Google for more yourself) and many more. The answers from Microsoft are really “helpful”. I had a bunch of tickets open with Microsoft Support (#1056895825, #1056728569, …), all of which resulted in the case being closed and being told “it’s a known issue and we are working on it” and also “keep reporting the messages”. Well, it’s been 6+ months and nothing has changed (perhaps stop pushing Copilot everywhere and put more people on this issue?).

Recently, I complained on Twitter and got another very helpful response - most of this doesn’t even apply to Outlook.com service.

Why does this seem to happen?

…and why it doesn’t happen with business Microsoft 365 accounts? Well, first of all, M365 for companies is using Exchange Online Protection (EOP) which seems to deal with spam really well, while M365 for consumer is using, I guess, Outlook Live Protection (OLP) which seem to be two very different systems. I suppose the issue with using EOP for consumer accounts would be, that it wasn’t built for filtering spam of milions of user accounts and that consumer protections are not interoperable with business ones.

I have been trying to figure our why the e-mails bypass the filter and so far, I managed to find out the following:

Most e-mails which bypass the rules are sent from compromised accounts and domains (just ban them from the system, use ZAP on all send messages within last X minutes and wait for their admin to reach out?).

Those messages have valid SPF and DKIM (a lot of legit e-mail server admins are behind with this, Google will require it soon anyways).

And the content is just remote pictures linking to websites. When you click the link, the Safelinks feature should prevent you from continuing since it is usually phishing or scam, but it just redirects you. Seems like the verification and checks on the links could use some care too. Especially when e-mail and its content has been reported multiple times as spam by various users.

What can you do?

Besides waiting for Microsoft to do something about this, which I am not really sure whether or when will it happen, there are few things you can configure yourself.

The things which worked for me are following:

  1. Navigate to Junk e-mail settings
  2. Make sure your safe sender list is up to date and you know all the addresses there
  3. Scroll down to Filters and check both Only trust email from addresses in my safe senders and domains list and safe mailing lists and Block attachments, pictures, and links from anyone not in my Safe senders and domains list
  4. the steps below are for advanced users, if you are non-technical, ask someone to help you out
  5. Before saving, open developer tools in your browser (F12) and navigate to Network tab
  6. Save the settings
  7. In the Network tab, you will see a request containing action=SetMailboxJunkEmailConfiguration, right click it and select Edit and resend
  8. Find a property in the body called ContactsTrusted and set its value to true
  9. Resend the request

This will effectively allow only whitelisted senders (contacts and safe list members) to appear in your inbox. It is not the ideal solution, since you should at least once a week check your junk folder for any false positives and if so, add them to your contacts or safe list, but it’s a much better solution than having to deal with loads of annoying spam messages.

Conclusion

I would like to conclude this article with one statement: I love Outlook.com, I am a paying user, but the level of support and communication Microsoft is providing regarding this issue is completely unacceptable. The status page says nothing is wrong, there is no support article publicly available regarding the spam issue and the biggest issue is that standard, non-technical users, who are much more vulnerable to falling for phishing are facing this as well. I am sure that Microsoft is aware and working to resolve this as fast as they can, but they should at least communicate this to their users like they do with other services.

Continues with part 2 where we use Logic Apps and OpenAI to classify the Junk mail and detect legit messages.

Comments

Jason

I appreciate the post and due-dillegence, however the safe senders list is not followed (for me anyway) in Outlook.com. And, I would still have to watch the Junk folder regularly for new people that are safe senders and add them… Again, just an insight from a reader.

To submit comments, go to GitHub Discussions.

You May Also Enjoy

Searching for a lost MacBook

12 minute read

This is going to be a very unusual post for this blog, but I found this a very interesting topic which no one has written about yet. And I also believe it ma...

Gaming in the cloud

7 minute read

I have been a gamer since my childhood. Watching my cousins play Half-Life or Return to Castle Wolfenstein, through playing GTA: Vice City, Counter-Strike, e...

Hosting PHP in Azure Container Apps

14 minute read

This is a continuation of my endeavor to host a few of my side projects. In the previous post from 2018, I explained how I moved from a local webhost to an A...