The information that SNDS provides is practically a big picture of the mailing behavior of a particular IP, which is essential for consumers to be able to prevent spam. It reports a variety of email traffic characteristics. The data points provided in the report are designed to prevent the spammer from distinguishing between themselves and legitimate senders. But similarly, information is not provided for IPs that send very few emails. Because they are responsible for a small amount of spam in this situation. For each IP within the range for which the user is authorized for the access level, the following information is provided:

• IP address
• Letter information
• Time period of activity
• Traffic information
• The number of recipients of the message and the SMTP command
• Sample commands
• Don’t take information from bad letters
• Filtering results
• Complaints report
• Trapping statistics
• Sample messages
• Emails infected with viruses
• Hosting malware
• Notification of the status of open proxies

IP address

This is the IP address of the machine that caused the said activity to be displayed. In some cases, this address may be the Public address of a NAT system, in which case there may be one or more IPs of one machine behind it, and currently we have no solution to detect it. Be aware that email traffic and spam information will not be generated for IPs that send less than 100 messages per designated day.

Activity interval

The time period during which the IP email activity in question occurred. Specifically, it is the first and last hour of the day (PST (Pacific Standard Time) including Daylight Savings Time) during which activity was seen from the IP in question. , but given the billions of email events worldwide, this is practically impossible. We believe that this set range provides sufficient detail in most cases, especially when combined with other data points and sources.

RCPT commands

This value is the number of RCPT commands sent by IP during the interval in question. RCPT commands are a part of the SMTP protocol for sending mail that clearly shows the intention and purpose of a sender. That is, for example, the command “RCPT TO:<example@hotmail.com” requests Windows Live Hotmail servers to declare whether it accepts email sent from example@hotmail.com or not. This information will be useless to spammers who are trying to compile a list of recipients for future spams. Just for reference, more than a third of the IPs that send mail to Windows Live Hotmail keep part of the RCPT command, which does not result in recipients below 10% of the message statistics, and this is good news.

DATA commands

The number of DATA commands sent by the target IP during the activity interval. DATA commands are a part of the SMTP protocol that are used to send mail, especially the part that transfers the message to the intended and predetermined recipient.

message recipients

This is the number of recipients of messages sent on the desired IP. In the case of honest senders, there is usually a small difference (only a few percent) between the number of RCPT commands and this number, due to accounts that are deactivated and other such anomalies.

But a large difference between these two numbers can indicate sender problems such as out-of-date recipient lists or namespace mining, both of which are usually somehow related to spamming. Please note that if this number is slightly larger than the reported number of RCPT commands, it is most likely due to special anomalies in our system that record this data and there is nothing to worry about.

Filtering output

The graph displayed here is the overall results of spam filtering applied to all messages sent by the specified IP during the given time period. A spam-free filter is the ultimate, and in particular, each of these pieces of information is a data point that paints a picture of the Spam situation, rather than a final judgment on whether traffic is Spam or not. In the table below, the colors define the percentage of time when a message is voted as “spam”. Please note that one message to 10 people is counted as 10 spam/not spam votes, not one vote.

The yellow color range may seem large at first glance, but if you consider the high volume of IPs placed in this range compared to the other two ranges, you will realize that it is a small range. Unfortunately, because SNDS is available to anyone who can prove they own an IP range, here we have to be a little careful not to provide too much information that would be useful to spammers. But a trick can be that when viewing data for a number of IPs, it can be instructive to consider non-yellow IPs: if the IPs are green, the yellow results are very likely very close to the bottom 10%. Similarly, if the majority of other IPs are red, then yellows are likely to display results close to 90%.

Please note that these results do not indicate direct delivery to users’ inbox or junk e-mail folders. Some settings applied by each user may save legitimate traffic from ending up in the “junk e-mail” folder or, conversely, treat more messages harshly. In this case, messages that may have been taken as spam, but because, for example, they were on the safelist of a user, are not considered.

Complaint rate

This number is the proportion of time that a message received from an IP is complained about by Hotmail or Windows Live during a certain period of activity. Users have the option to report almost all messages through the web interface. The formula used is: “number of complaints” divided by “number of message recipients” explained above. If you see that the complaint rate is above 100%, please note that SNDS displays complaints for the day the messages were reported, not retroactively from the day the complained email was received. As a reference, more than 30% of IPs sending email to Windows Live Hotmail keep their complaint rate below 0.3%, and this number indicates a good situation.

If you are interested in receiving the real messages that users have reported for your IP space, please see the information in the Junk Mail Reporting Partner Program on the main page of Postmaster.

Trap message time period

Similar to the activity time period, this information represents the times that the initial and final messages were sent to the tele accounts that were received by the IP during the activity time period. Although telemessages are distinct events with a specific time attached to them (as opposed to summary statistics), times are accurate to the minute. This information should be very useful for ranges where IPs are dynamically assigned to different clients, as exactly two times are selected and can be used to assign activity to one or even two specific owners of an IP address. To be used at a desired time when the message is sent.

Trap hits

It shows the number of messages that have been sent to tele accounts. Trap accounts are accounts maintained by Windows Live Hotmail that do not request any email. So, any message sent to tele accounts is likely to be known as Spam. Trusted email senders keep track of the number of accounts they have, because they’re generally sending to people they’ve given their addresses to, and they also collect Non-Delivery Reports (NDRs). and process. Spammers have a lot of time, because generally they can’t and won’t do those good practices.

We found that providing real-time trap messages would be beneficial to legitimate businesses trying to clear listings. However, there is another bad situation on the other side of the story, where there is a potential risk of profiteering and using the data for spammers.

Sample messages

In order to facilitate error detection, legal crime detection and evidence, SNDS has provided sample messages. SNDS does this for user input reports such as trap statistics. In order to strike a balance between utility and avoiding large amounts of data, SNDS provides one sample message per IP and per both types for each day. To access sample messages, just click on the desired data for that day. If you also want to receive more complaint messages than sample messages, please see the following link: Junk Mail Reporting Partner Program

Example command HELO

As a real-world example, the HELO or EHLO command is sent by IP. HELO/EHLO is a command sent by the SMTP client side system to initiate an SMTP protocol session. This operation is performed in order to declare the identity of the sender and receive options supported by the receiving server. Spammers are interested in hiding their identity, so if this field or value points to a usable identity for the customer, then, along with other data, it can help determine whether an IP is spam or not. Slow

Example of the MAIL command

The MAIL command is a real example sent by IP. MAIL is a command sent by the SMTP client-side system to signal the start of a message, and indicates to which address DSNs (Delivery Status Notifications, usually NDRs or Non-Delivery Reports) should go for this message. . Just like the identity issue in HELO, spammers are interested in hiding their identity, so if this field or value points to a usable identity for the client, then, along with other data, it can determine whether an IP Is it spam or not, please help.

Comments

This column provides some additional data about the IP. The set of possible conditions that display the data are described in the following sections:

Emails infected with viruses

Windows Live Hotmail scans email for virus content. When it detects a virus in it, in addition to preventing the email from being infected with the virus or spreading it, it also records the IP address by which the virus was uploaded. When an IP detects one or more viruses on a particular day, it notes it like this: “1 virus(es) detected, starting at 3/4/05 1:23 PM”. To solve this problem, a suitable antivirus must be installed on the system and the email server. It is also recommended to use other security software such as Windows Live OneCare.

Malware hosting

Microsoft has launched a system and mechanism that detects websites on the Internet that secretly install web browser vulnerabilities on client computers. It is a fully automatic system that uses dedicated software to run web browser software such as Microsoft Internet Explorer, which is exactly the same as a user. This system may run with various security updates installed, which is considered to be a kind of imitation of user systems that may have been updated with the most software updates.

By browsing websites in this way, the system is able to identify program installations by exploiting vulnerabilities. If the system detects a website that exploits browser vulnerabilities, this column will read: “Hosting malicious URL (target URL) detected on: 4/3/05 1:23 PM. “

When a website is reported as an abused URL, SNDS performs a DNS lookup of that website to determine and identify: 1) the IP address of the website in question, and 2) the URLs of the website. IPs of valid DNS servers for that website’s domain. First, it identifies the IP addresses of the computer systems that host the website. These IP addresses are listed because they are the addresses of systems that deliver malicious code outside of user browsing and checking websites. The second one determines the addresses of the DNS servers that are responsible for mapping the website name to the IP addresses specified in number 1. These are listed and presented here firstly for reference results, and secondly because in some cases it is possible that valid DNS servers have been compromised by a malicious user.

Notification of open proxy status

Windows Live Hotmail continuously tests the IPs that connect to its mail server for open proxies. If an IP test is positive, this column is reported as: “Open Proxy detected at 3/4/05 1:23 PM”. In contrast, Windows Live Hotmail’s policy is to send email from a device that has an open proxy server, and access to some or all Windows Live Hotmail servers will be blocked as long as it remains in that state.

This allows a malicious user to create a new entry for the website or change a value and assign it to a group of IPs that may not be under the control and management of the domain network administrator.

The information provided can be brief in nature. The listed IP addresses may no longer provide hosting service to an abused URL because it has been deleted, changed, or moved to another IP. However, it is often worthwhile to investigate why the root cause of an exploit is detected.

Proxy servers against unauthorized use, see the following sites: http://darkwing.uoregon.edu/~joe/proxies, http://www.kb.cert.org/vuls/id/150227 and http:/ /en.wikipedia.org/wiki/Open proxy. Please note that these sites contain information that is not provided by Microsoft. Microsoft does not endorse the content of these sites, nor does it provide any guarantees or endorsements on the accuracy of the information provided on these sites.

IP address status

On the View IP Status page, a list of IPs that have an abnormal status with Windows Live Hotmail is prepared. Currently, two different modes are provided:

Blocked: IPs that are blocked from sending email to Hotmail. Attempts to send e-mail to Hotmail’s e-mail servers by these IPs will result in persistent denials, however, use of the Hotmail web interface may not be affected – this is handled separately. The root cause or source of the block is provided along with more specific information. To see how to unblock an IP address, please visit the main Postmaster site and follow the relevant instructions there.

Bot: Recently viewed IPs exhibit bot-like behavior. To correct this situation, please cooperate with the owner of the machine(s) where the IP address is to investigate and test, de-virus, and secure those machines against potential future attacks.

When and for how long is the information available?

This happens on a daily basis and around midnight, so that a process is started to collect and consolidate the previous day’s data from different systems in Windows Live Hotmail. Due to processing a large amount of data, this process can take several hours. Therefore, data for a given day may not be available immediately after midnight. This data is available for display in SNDS for 90 days to be able to provide and display past behavior for comparison and trends over time.

Why is my IP blocked or email not delivered?

The most important thing is that you are in a position to go to the original Postmaster site and follow the instructions that are there to solve the problem. The SNDS team does not have the ability to process any support requests for delivery – the SNDS system only displays data that affects delivery.

When contacting Microsoft through the appropriate support channel, please note that differences between spam filter status (red/yellow/green), complaint rate, statistics and trap visits, and blocked status do not indicate a bug in the system. Not all indicators for a message or IP address need to be negative for action to be taken. For example, if email is being filtered, there is a small chance that users will see it and file a complaint, so the complaint rate will naturally decrease.

How can I recover data?

There are two ways to access the data that SNDS provides. The first method is by entering this website and browsing and searching for data. By clicking the Export to .CSV button, you can output the data manually at the bottom of the data pages and run that file, for example, with Excel software. Please ensure that cookies and JavaScript are enabled, as they are required for the site to function properly.

The second method to access the data provided means an automatic system for data consumption, because it provides simple access to the data, the URL does not require Windows Live ID authentication. This option is optionally enabled using this page, which is an example of the URLs used to download data after the feature is enabled. The data provided through this mechanism is identical to the .CSV provided when using the Export to .CSV option on the main data page.