cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Why is this image spam getting through and why is Outlook not blocking the image?

Chris Parker
Iron Contributor

‎Feb 15 2017 09:05 AM - edited ‎Feb 15 2017 09:05 AM

‎Feb 15 2017 09:05 AM - edited ‎Feb 15 2017 09:05 AM

Why is this image spam getting through and why is Outlook not blocking the image?

About two or three times a month I get an email that is one giant image. The image always looks the same except for a small amount of text that changes.

 

Most importantly, why is EOP letting this through? This kind of thing should never make it through a spam filter (I never saw these until I got off of Mimecast.)

 

Second question: Why is Outlook displaying this image by default? These emails come from different addresses and I verified that my Safe Senders list does not include the address or domain.

 

 14_27_10-Inbox - image spam - Outlook.png

5,861 Views
0 Likes
5 Replies
Reply
5 Replies
Vasil Michev

‎Feb 15 2017 11:16 AM

‎Feb 15 2017 11:16 AM

Re: Why is this image spam getting through and why is Outlook not blocking the image?

Answering those questions requires a more detailed investigation into the message content, headers and so on, why dont you open a case with support and have them look at it? At the very least, you can submit it as spam so they can "learn" from it and hopefully adjust the filters. Here's how: https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

2 Likes
Reply
best response confirmed by VI_Migration (Silver Contributor)
Paul Cunningham

‎Feb 15 2017 07:37 PM

‎Feb 15 2017 07:37 PM

Solution

Re: Why is this image spam getting through and why is Outlook not blocking the image?

There was a vuln in OWA for Exchange/EXO that permitted a remote image that is coded as the background image for a table cell to display automatically, even when remote image loading was disabled. That was patched quite some time ago though. Not sure if the same issue affected Outlook fat clients but it's possible. Viewing the source of the message should show you how the remote image has been inserted.

 

I'd say you should:

 

  • Report the spam as Vasil suggests
  • Make sure your Outlook client is fully up to date
  • Open a support case with Microsoft to investigate why a remote image is still loading (depending on your findings)
3 Likes
Reply
Chris Parker

‎Feb 17 2017 11:39 AM

‎Feb 17 2017 11:39 AM

Re: Why is this image spam getting through and why is Outlook not blocking the image?

I'll have to wait till I get this again. I took that screenshot and deleted the message.
0 Likes
Reply
Chris Parker

‎Mar 23 2017 10:32 AM - edited ‎Mar 23 2017 10:38 AM

‎Mar 23 2017 10:32 AM - edited ‎Mar 23 2017 10:38 AM

Re: Why is this image spam getting through and why is Outlook not blocking the image?

I thought I'd follow up on this. Here's the source of a new similar message (this time yellow with just a few details changed):

 

 

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><img src="cid:ii_j0m296230_15afa02c0c0cbd00" style="margin-right: 25px;"><br>​<br></div>

I know HTML but I have no idea what kind of source is "cid:ii_j0m296230_15afa02c0c0cbd00".

 

edit: I now know what "cid:" means: "Content-ID". The image is base64 encoded and is embedded somewhere (haven't found that location yet).

0 Likes
Reply
Chris Parker

‎Mar 23 2017 10:45 AM

‎Mar 23 2017 10:45 AM

Re: Why is this image spam getting through and why is Outlook not blocking the image?

I sent the email, as an attachment, to junk@office365.microsoft.com. Hopefully, something will be done about this.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Paul Cunningham

‎Feb 15 2017 07:37 PM

‎Feb 15 2017 07:37 PM

Solution

Re: Why is this image spam getting through and why is Outlook not blocking the image?

There was a vuln in OWA for Exchange/EXO that permitted a remote image that is coded as the background image for a table cell to display automatically, even when remote image loading was disabled. That was patched quite some time ago though. Not sure if the same issue affected Outlook fat clients but it's possible. Viewing the source of the message should show you how the remote image has been inserted.

 

I'd say you should:

 

  • Report the spam as Vasil suggests
  • Make sure your Outlook client is fully up to date
  • Open a support case with Microsoft to investigate why a remote image is still loading (depending on your findings)

View solution in original post

3 Likes
Reply