New
For right now, we have blocked all outbound mail containing the string "app.link" as we attempt to recover from what appears to be a significant spam campaign that makes use of compromised email accounts. It's not yet clear how all of these email accounts are compromised, but it appears to match the pattern of a computer virus being received and opened by users which then steals their login credentials.
The scope of the event is not objectively large, but it is large enough when considered in combination with our obsessive focus on high IP reputation and doing everything we can to ensure inbox deliveries for the emails our customers send. The chance of false positives with this "app.link" string is significant, but less significant than the impact of allowing this event to go on. We were unable to identify any other pattern, and were only lucky enough to identify this one by receiving spam back through feedback loops (Hotmail, Comcast, etc.).
This isn't expected to be a long-term measure.
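The false-positive trade-off of a string block like the one described above, as an added example that is not the provider's actual filter: it compares a raw substring match, a substring match on decoded message content, and a narrower hostname match on "app.link". The hostname rule, the helper names and the sample messages are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_string, policy

BLOCKED = "app.link"  # the string named in the notice
# Hostname-like tokens, used by the narrower rule (an assumption, not the provider's rule)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def make(subject, body, b64=False):
    """Build a constructed sample message, optionally with a base64 body."""
    head = ("From: user@example.org\nTo: rcpt@example.net\n"
            f"Subject: {subject}\nContent-Type: text/plain; charset=utf-8\n")
    if b64:
        head += "Content-Transfer-Encoding: base64\n"
        body = base64.b64encode(body.encode()).decode()
    return head + "\n" + body + "\n"

def decoded_text(raw):
    """Subject plus every text part, with transfer encodings decoded, lower-cased."""
    msg = message_from_string(raw, policy=policy.default)
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks).lower()

def substring_rule(raw):
    # The block as described: any occurrence of the string in the content.
    return BLOCKED in decoded_text(raw)

def host_rule(raw):
    # Narrower variant: only hostnames equal to or under app.link.
    hosts = HOST_RE.findall(decoded_text(raw))
    return any(h == BLOCKED or h.endswith("." + BLOCKED) for h in hosts)

SAMPLES = {  # constructed messages, not real traffic
    "spam_b64": make("Your invoice", "Open https://x1.app.link/abc now", b64=True),
    "benign": make("Welcome", "Sign in at https://webapp.linkage.example/start"),
    "clean": make("Lunch", "See you at noon"),
}

def evaluate():
    """Per sample: (raw substring hit, decoded substring hit, hostname hit)."""
    return {name: (BLOCKED in raw.lower(), substring_rule(raw), host_rule(raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(name, hits)
```

The base64 sample shows why the match has to run on decoded content, and the `webapp.linkage.example` sample is the kind of legitimate message a plain substring block rejects.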