Microsoft’s fight against junk mail is a privacy risk

I was trying to see today whether I comply with Microsoft’s email sending policies. Apparently I’m doing perfectly fine according to their five-point list, but the fifth point is a little concerning.

Microsoft has developed two programs that allow network managers and end users to monitor the reputation of their IP address(es). One is the Junk Email Reporting Program (JMRP) and the other is Smart Network Data Services (SNDS). I’m going to say more about the JMRP.

Once a user joins the JMRP with their Microsoft account, they start to receive a notification every time an O365/Outlook user flags a message as spam, or receives a message that is automatically classified as spam, provided the message was sent from one of the IP addresses authorized in the JMRP control panel (some limits apply, e.g. there is a maximum number of complaints sent per IP per day).

The concerning part is that the notification is actually a copy of the email that ended up in the recipient’s spam folder. But isn’t that still OK, because the signed-up user is only monitoring their own mail?

Nope. According to Microsoft: “Only users with access to all IPs are feed managers.”

This means that, in certain cases, a rogue network administrator can become quite an effective spy (if they join the JMRP), because they may receive copies of any email sent from their whole network range whenever a message lands in an O365/Outlook spam folder.

I’ve illustrated this process in the diagram below, where the AS1234 admin manages a whole network range and the sender (an AS1234 customer) hosts a small private email server on a single IP address from the AS1234 ranges:

On the other hand, email was never a secure means of communication, and it’s foolish to believe it is.
