Le blog de numerunique
→fr

Microsoft analyzes your mails furtively and in detail...
31/08/2021

Or then it's all the same !

Automatic analysis of mail links by an "anti-virus"

numerunique provides a service of conversion of SMS in mail : the SMS are sent to a virtual number where they are automatically received ; a mail is then sent to the addresses that appear in the head of the message with the rest of the SMS as content of the mail.

As it is about mails sent automatically, to avoid that they are considered as spams, a unsubscription link is inserted in the headers of these mails. This link allows the recipients to refuse to receive again mails automatically transmitted by conversion of SMS.

By elsewhere numerunique monitors attentively its servers to fight against the pirates and notes that the unsubscription links are systematically followed from IP addresses in the range 40.94.101.1-100 with an IP address of this range that differs each time according to a random order.

A simple investigation reveals that these IP addresses belong to Microsoft Corporation (MSFT) although none is associated with a server or a service namedly identified (no reverse defined for the connoisseurs).

Interrogated on the possible motivation of this mechanism, the French network experts who exchange on a public discussion list (FRnOG) identify the likely treatment of an "anti-virus" that would analyze in detail the content of the received messages to spot eventual problematic links and warn their recipients of the reading of a mail judged dangerous.

Activation of all active buttons of the analyzed pages

However, numerunique also offers a document sharing service (https://64.nun.tf) that is distinguished by the freedom given to all those who use it to add other files or to delete the shared files:

The "-" button that precedes each file thus shared activates a function (in javascript, that is to say by a local treatment on the user's post) that displays a message asking for a confirmation of the deletion of the file:

If the user clicks on OK, the file is deleted ; it's all simple, at least if we are a human user and much less for a robot…

Only, numerunique shared with this service a file on a discussion list on Internet (FRnOG also in this case) what therefore generated a mail sent automatically to all the users registered on this list. And the file thus shared was deleted after some minutes from the IP address 40.94.101.8 (IP address in the range identified above)…

This reveals that not only the links of this mail were followed but that even the dynamic functions associated with the buttons on the pages of these links were systematically explored. In addition, one of the readers of this discussion list is therefore equipped with this "anti-virus" that analyzes his mails.

Destruction of one of the best services of Internet

The motivation (protect the recipients of malicious mails) is undoubtedly laudable but the result is disastrous if we thus deprive them of a useful and harmless service.

The finding is that it is now discouraged to insert in a mail a link towards a useful service to simplify the access to the recipient.

Already that the mail inboxes are saturated with spams and phishing mails, that the main messaging providers (including at least outlook and gmail) arrogate themselves the right to make disappear surreptitiously the mails that they consider arbitrarily as spam, that it has become almost impossible to a modest entity to send perfectly legitimate mails (without a massive sending of mail, we have by default the reputation of a spammer), this last touch of interference in the content of the mails reduces even more the interest and the usage of this service that was yet one of the oldest and best of Internet.

But it's like that and we have to do with.

Previous | Next