Why it Looks Like Spam Emails are Coming From Buffermail

A few months ago it was brought to our attention that spam emails containing inappropriate content are being sent out and that it appears they are coming from a Buffer-owned domain (buffermail.com). The emails are not coming from Buffer or from buffermail.

In this post, we’ll do our best to explain what has been happening so far for anyone who has been impacted.

To start, many individuals are receiving emails with suspicious headlines like “Hello, email id” or “package waiting.” Those emails appear to be coming from a Buffer domain. In reality, we can see that they are coming from another domain and are trying to mask their content as coming from Buffer — this is called email spoofing.

We wanted to be absolutely certain that this kind of email spoofing was indeed the cause of this issue. To confirm this, we analyzed the original mail headers to verify where the emails were coming from. The headers clearly showed that the verification checks had failed, as expected for spoofed mail. We also found that the servers sending the emails did not belong to us or to any service that we have ever used. So in the end, we were able to confirm that this issue was not the result of a misconfiguration on our end.
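The header review described above can be reproduced by anyone who received one of these messages. The following is an added example, not Buffer's own tooling: it assumes the "verification checks" are the SPF, DKIM and DMARC results that the receiving server records in the Authentication-Results header, and it runs on constructed sample headers in which every host, IP address and envelope sender is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers, not a captured message. Hosts, IP and envelope
# sender are placeholders; only the From domain comes from the post.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.45])
\tby mx.receiver.example with ESMTP id abc123;
\tTue, 10 Jan 2023 09:15:02 +0000
Authentication-Results: mx.receiver.example;
\tspf=fail smtp.mailfrom=bounce@sender.example;
\tdkim=none;
\tdmarc=fail header.from=buffermail.com
From: "Buffer" <no-reply@buffermail.com>
To: someone@receiver.example
Subject: package waiting

(body omitted)
"""


def analyze(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Verdicts recorded by the receiving server. Only trust the header added
    # by your own provider; a sender can forge additional copies further down.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    checks = {}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        checks.setdefault(method.lower(), verdict.lower())
    env = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    envelope_domain = env.group(1).rpartition("@")[2].lower() if env else None

    # The topmost Received line is written by the receiver and names the host
    # that actually connected, whatever the From header claims.
    received = (msg.get_all("Received") or [""])[0]
    hop = re.search(r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f.:]+)\]", received, re.S)

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "connecting_host": hop.group(1).lower() if hop else None,
        "connecting_ip": hop.group(2) if hop else None,
        "checks": checks,
        # Simplification: anything other than an explicit DMARC pass is
        # treated as unauthenticated use of the From domain.
        "likely_spoofed": checks.get("dmarc") != "pass",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

To check a real message, save its original source from the mail client ("view source" or "show original") and pass that text to `analyze`.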

In most cases, spam filters from email providers pick up on this behavior and do not put that content in the main inbox. However, there is currently an issue with Microsoft Outlook and Hotmail where this kind of content is not being sent to spam folders.

As of January 2023, Microsoft has acknowledged that they are aware of this issue and are working to fix it.

A message from Microsoft Outlook on Twitter that says: Hello. We're sorry for any inconvenience. Our Outlook engineers and devs are already aware of this matter and working on the resolution. While the resolution is underway, we'd like to share this support article with 10 tips on how to help reduce spam: msft.it /6016duk9i.

We wish there was more we could do in this situation since the attackers are impersonating a Buffer domain — we’ve exhausted our list of options, though, and the remaining work lies with the email providers to better filter these spam messages.
