outlook receiving tons of spam

Just noticed that there is a rule that has been setup on the computers that are having this problem.  I deleted the rule but the emails are still coming in.  

There is the only solution. Find the source of these spam emails and add them on a blacklist in a spam filter or block them on the firewall.

I guess I will have to find the source because blacklisting them is not an option because they are all coming from different email addresses.  

they are all coming from different email addresses.  

But you'll probably find that they are emanating from the same source or only a very few CIDR blocks.  This kind of SPAM dump has become more common over the last six months; randomly generated one-time-use sending domain names (to spoof Bayesian filtering) and continuous dumping of SPAM until one gets through.

I've seen quite a lot of xxx.xxx.xxx.something through xxx.xxx.xxx.something-plus-20 SPAM dumps recently, all coming from little tiny hosting companies.  It becomes necessary to block that hosting company's entire CIDR block.  Fortunately, they're all so small that this is not an issue.

So take Hello There's suggestion above, find the CIDR blocks that the dumps are coming from, and deny the entire CIDR block for a week or so.  They'll be back, but usually a week blocking means that next time it'll be from somewhere else.

Take a domain from which these emails come (xxx@domain.com) and use nslookup to get the source mail server. Then block it. Or block the entire domain.

I must not be doing this correctly.  Do I have to type set type to MX after typing nslookup and then the domain name?
The email address of one of the emails is:  sales@southernoffroad.com

don't. those as most likely using spoofed addresses.
you probably can dig into headers. if you are VERY LUCKY, you may actually find out they do come from a few blocks.

other than that, unfortunately, this is the job of whoever runs the mail server. and that person is microsoft so good luck expecting them to consider your issue is important.

for reference, here is the information you can quickly grab for the above

$ host southernoffroad.com
southernoffroad.com has address 162.251.233.197
southernoffroad.com mail is handled by 0 southernoffroad.com.
$ whois 162.251.233.197

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#


NetRange:       162.251.232.0 - 162.251.239.255
CIDR:           162.251.232.0/21
NetName:        FHUB-NET-9
NetHandle:      NET-162-251-232-0-1
Parent:         NET162 (NET-162-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS53340, AS62956
Organization:   VegasNAP, LLC (VEGAS-3)
RegDate:        2014-01-15
Updated:        2014-01-15
Ref:            https://rdap.arin.net/registry/ip/162.251.232.0


OrgName:        VegasNAP, LLC
OrgId:          VEGAS-3
Address:        1110 Palms Airport Dr.
Address:        Suite 110
City:           Las Vegas
StateProv:      NV
PostalCode:     89119
Country:        US
RegDate:        2009-11-09
Updated:        2017-01-28
Ref:            https://rdap.arin.net/registry/entity/VEGAS-3

ReferralServer:  rwhois://rwhois.fiberhub.com:4321

OrgTechHandle: RTY1-ARIN
OrgTechName:   Tyree, Robert 
OrgTechPhone:  +1-702-487-3838 
OrgTechEmail:  rob@fiberhub.com
OrgTechRef:    https://rdap.arin.net/registry/entity/RTY1-ARIN

OrgAbuseHandle: RTY1-ARIN
OrgAbuseName:   Tyree, Robert 
OrgAbusePhone:  +1-702-487-3838 
OrgAbuseEmail:  rob@fiberhub.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/RTY1-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#



Renvoi trouvé vers rwhois.fiberhub.com:4321.

Select allOpen in new window

more pertinent :

$ host -t txt southernoffroad.com
southernoffroad.com descriptive text "v=spf1 ip4:162.251.233.197 ip4:216.24.148.2 5 ip4:216.24.148.12 +a +mx +ip4:216.24.148.7 ~all"

Select allOpen in new window

meaning this seems to be a legit and properly configured domain

... try and look at the headers to see where the email actually come from.

paste them if you don't know

If I use this below, I get this IP address: 162.251.233.197

nslookup -query=mx southernoffroad.com 

Select allOpen in new window

OK. so should I block the ip address?  Seems like it is legit

I would block it temporarily for now to stop the spam flow.

I did this one as well and got more info:

These as well. But there are hundreds that are different.

pick one, look at the headers. see where it actually comes from.

then you check with a few of them and take the adequate decision, assuming the bulk is in the same case.

randomly blocking addresses that may or may not be responsible for your problem is not the solution.

i can send an ip address to your server identifying myself as speedygonzales@acme.com quite easily. and believe me, i do not own the acme.com domain.



additionally, we may be able to uncover a new virus spread, hijacking of dead domains, bulk creation of fake ones...

if you don't want to bother, pack a handful of them including full headers and post them. i can take required actions providing i see a pattern.

you can also report that to m$ and let them handle the issue as they see fit.

There is another question.  It looks like this email address has been signed up for thousands of free offers, newsletters, and coupon websites.  I assume that there is no easy way for these emails to stop coming if the email address was signed up for it correct?  

Might have to dump the email address and start with another

at least we know they are not all hosted by the same isp, not sharing identical framework, probably not admin tools either... so spoofing seems likely. the headers will tell us which is which for sure.

do you have a reason to believe your user's mail addresses may have leaked ? a chain letter going through the whole company ? ... is is actually ALL users ?

yes.
you mean a single mail address receives it all ???

There are 2 email addresses in our domain that are receiving all the spam emails. Out of 300 email addresses.  

Also, is there anything I could of had in place or should have in place to prevent this?

 We have Advanced Threat Protection in place if that helps with this kind of thing.

you deal with microsoft. means they handle your spam issues. poorly. there is not much you can do. you can add a local antispam as an outlook module of some sort, but that will be crazily inefficient.

send me the headers

only 2 addresses is reassuring as we don't need to figure out how your addresses were harvested. they just probably got exposed accidentally.

one way to handle the issue is to change this addresses if that is somehow feasible in your case.

You could set your Junk mail filter to Exclusive whereby only emails coming from safe senders list will arrive your Inbox.

But here is a danger that some legit mails get sent to junk folder because they are not in safe senders list.

Consider that first before you do it.

Open outlook.com > top right next to your name, click the Gear icon > click More mail settings > right side, under Preventing junk emails, click Filters and Reporting > select Exclusive > click Save when done.

Found out the issue:

 Just found out that our company Verizon account was hacked and the hackers ordered several iphones and then crushed the 2 email accounts on the Verizon account with massive spam attack to bury the email from Verizon that phones had been ordered.  

Just found out that our company Verizon account was hacked and the hackers ordered several iphones and then crushed the 2 email accounts on the Verizon account with massive spam attack to bury the email from Verizon that phones had been ordered.  

both interesting and somehow weird since they could delete said email quite easily if they hacked the accounts. i would assume something a little more complex involving an xss like hack to grab information from the email without actually knowing the password... care to  share the details ?

beware the computers accessing said accounts might be compromised.