Internal spam in Office 365 - Introduction | Part 3#17

Written by Eyal Doron | o365info.com

In this article, we will review:

What are the possible reasons that could cause our mail to appear as spam\junk mail?

Who or what are the “elements” that can decide that our mail is spam?

What are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Upload: o365infocom

Post on 21-Jul-2016


DESCRIPTION

Internal spam in Office 365 - Introduction | Part 3#17 http://o365info.com/internal-spam-in-office-365-introduction-part-3-17 What are the possible reasons that could cause our mail to appear as spam\junk mail? Who or what are the “elements” that can decide that our mail is spam? What are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail? The information is relevant for Office 365 and Exchange Online users, but most of it is also relevant to all other mail systems. Eyal Doron | o365info.com

TRANSCRIPT


Why is my mail identified as spam?

In a scenario in which our mail is recognized as spam\junk mail, besides the unpleasant feeling (nobody wants the term “junk” associated with them in any way), the major question is: why is my mail identified as spam?

The answer is that there could be many elements and “causes” for this problem, and many times it is not easy to “point at” the specific element that is “guilty” of our problem.


Our mission should be:

1. Get to know each of the “elements” that could lead to a scenario in which our E-mail is recognized as spam\junk mail by another recipient.

2. Ensure that our organization's users implement the best practices and avoid actions that could lead to a scenario in which organization mail is classified as spam.

3. Monitor our organization's mail flow, looking for “problematic mail items” or events that could lead to a scenario in which our mail is classified as spam.

4. In the worst-case scenario, in which organization mail is classified as “spam\junk mail”, implement the required actions to solve this issue.


Who could decide that my mail is a spam mail?

1. Exchange Online

In the Office 365 environment, the first element in the “mail flow” that could identify a specific Office 365 user's E-mail message as spam\junk mail is Exchange Online itself.

To be more accurate, the element that scans the sent E-mail is the component named Exchange Online Protection.

At first glance, this “behavior” looks a little strange because, most of the time, we are used to a scenario in which the destination mail server identifies our mail as spam\junk mail, not “our mail server”.


The reason for using an internal \ outbound spam filtering mechanism in the Office 365 and Exchange Online environment is that the Exchange Online infrastructure is a “shared mail infrastructure” that serves many Office 365 customers (tenants) besides our organization at the same time.

The Office 365 infrastructure takes extra care to avoid a very unwanted scenario in which a specific problematic organization hosted at Office 365 “damages” the reputation of other organizations hosted on the same Office 365 \ Exchange Online infrastructure.

Exchange Online includes a built-in mechanism that checks every outbound mail sent by Office 365 users to other Office 365 users or to external recipients.

If Exchange Online “decides” to classify a specific E-mail message as spam, it doesn’t block or delete the E-mail message and doesn’t update the SCL value of the E-mail message. Instead, it routes the E-mail message to a dedicated Exchange Online mail server named the High Risk Delivery Pool.

Note – We will discuss the High Risk Delivery Pool in more detail in the articles:

High Risk Delivery Pool and Exchange Online | Part 9#17

High Risk Delivery Pool and Exchange Online | Part 10#17

2. Destination mail infrastructure | Mail Security Gateway

The “destination mail infrastructure” could be realized as a device that examines each incoming mail and decides whether to pass the E-mail message, block it, or increase its SCL value.


In a scenario in which we are notified that E-mail sent from our organization is considered spam\junk mail, the common case is that our organization appears as blacklisted (registered at some blacklist provider).

In the modern mail environment, every organization uses some “security mechanism” (a mail security gateway or another security solution) that scans each of the connection requests sent to the organization’s mail server.

The “requester” (source mail server) is checked and, only if the connection request is considered “legitimate”, the “mail session” is approved.

The “verification process” implemented by the mail security gateway uses different methods, but one of the most basic security checks is implemented by accessing the database of a “blacklist provider” and verifying that the recipient domain name or the IP address of the mail server doesn’t appear in a blacklist.
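The blacklist lookup described above is normally a DNS query against the provider's zone (DNSBL, RFC 5782). The following Python code is an added example, not code from the original article; the zone name dnsbl.example and the fake_resolve stand-in are constructed so that it runs offline, and it goes slightly beyond the text by also covering IPv6 addresses.

```python
import ipaddress
import socket

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(subject, zone):
    """DNS name to look up for an IP address or a domain name in a DNSBL zone."""
    try:
        addr = ipaddress.ip_address(subject)
    except ValueError:
        # Not an IP address: domain-based lists take the domain name as-is.
        return subject.strip(".").lower() + "." + zone.strip(".")
    if addr.version == 4:
        labels = str(addr).split(".")                   # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def check_listing(subject, zone, resolve=socket.gethostbyname_ex):
    """Return ('listed' | 'not-listed' | 'unknown', return_codes)."""
    name = dnsbl_query_name(subject, zone)
    try:
        _, _, answers = resolve(name)
    except socket.gaierror as exc:
        # Only "name does not exist" means clean; a timeout proves nothing.
        if exc.errno == socket.EAI_NONAME:
            return "not-listed", []
        return "unknown", []
    except OSError:
        return "unknown", []
    # Listed entries answer with A records inside 127.0.0.0/8; any other
    # answer is not a valid listing code and is reported as unknown.
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTING_RANGE]
    return ("listed" if codes else "unknown"), codes

# Constructed stand-in for a blacklist zone (assumption, not a real provider).
# RFC 5782 requires every IPv4 DNSBL to list the test address 127.0.0.2.
def fake_resolve(name):
    if name == "2.0.0.127.dnsbl.example":
        return name, [], ["127.0.0.2"]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    for subject in ("127.0.0.2", "192.0.2.10", "mail.example.org"):
        print(subject, check_listing(subject, "dnsbl.example", fake_resolve))
```

Treating resolver failures as "unknown" rather than "not-listed" matters when monitoring your own outbound IP addresses, because a DNS outage would otherwise look like a clean result.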

3. User mail client

Mail clients such as Outlook include a built-in security engine that can classify incoming mail as spam\junk mail. For example, we can face a scenario in which a specific E-mail message sent by one of our users is identified as spam\junk mail by the Outlook client and not by the external recipient's mail server.

Another option is a scenario in which the external recipient uses the blocked senders option and adds the E-mail address of specific organization users to the list.

4. The destination recipient


The “person” to whose mailbox our mail is sent can decide, for some reason, to report our E-mail message as spam\junk mail.

For example: a recipient registered to your mailing list in the past and forgot that he registered; when he gets E-mail from your organization, he treats the specific E-mail as spam\junk mail.

5. Desktop security application

Antivirus or other desktop security applications can be configured to scan incoming E-mail and classify specific E-mail messages as spam\junk mail.

What could happen in the case that my mail is recognized as spam\junk mail?

In a scenario in which our E-mail is recognized as spam\junk mail by a destination server, the external mail server's response is of considerable importance.

If the external mail server responds by sending a “reply” in the form of an NDR message that informs us that our mail was blocked because it is spam\junk mail, we are able to be aware of the problem and respond accordingly.

In a scenario in which the external mail server decides “not to respond”, technically, we have no way to know that there is a problem with E-mail sent from our organization.

The only way that we can become aware of the problem is a scenario in which the external mail server “forwards” the E-mail message to the destination recipient and, because the mail server increased the SCL value, the E-mail is sent to the junk mail folder.


Only if the “destination recipient” finds the E-mail in the junk mail folder, and only if he is “kind enough” to inform us, can we know that we have a problem with mail sent from our organization.

When our E-mail is accepted by an external mail server, and the external mail server identifies our mail as “spam\junk mail”, the external mail server could implement one of the following options:


Option 1: Block the E-mail message + inform the source mail server that the E-mail message was blocked.

This scenario makes our life easier. It is true that the Office 365 recipient's E-mail didn’t get to its destination, but we have a “clear indication” of the mail delivery failure.

Now, our mission is to find the reason for classifying our E-mail message as spam\junk mail.

Option 2: Block the E-mail message + do not notify the source mail server (silent drop)


A scenario in which the “destination mail server” classifies the E-mail message as spam\junk mail and just deletes the E-mail message without sending any notification or update to the “source” that sent the E-mail message.

Option 3: Deliver the E-mail message to the destination recipient + increase the SCL value

This type of scenario is the “standard” or default behavior in the Exchange Online environment.

If the E-mail message is recognized as spam and the “spam level” is “reasonable”, Exchange Online will not block or delete the spam mail but will instead “stamp” the E-mail message with a high SCL (spam confidence level) value and deliver the E-mail message to the destination recipient.

The “destination recipient” will have to decide “what to do with the E-mail message”.


In this scenario, the E-mail message will get to the user's “Junk mail folder”, and most of the time users do not tend to look at the junk mail folder.

In this scenario, the “destination recipient” will usually report that he didn’t get the E-mail message, but the E-mail message is “hidden” in his Junk mail folder.

Option 4: Deliver the E-mail message to a quarantine queue

A scenario that is similar to the former scenario. The difference is that the mail server delivers the E-mail message that was identified as spam to a special store named quarantine.

Option 5: The mail server doesn’t recognize the E-mail message as spam, but the mail client does.

Many mail clients, such as Outlook, are considered sophisticated mail clients and have built-in options for recognizing spam mail, creating a blocked senders list, etc.

In this scenario, there is a chance that the mail client will decide that a specific E-mail message should be considered a spam E-mail message.

Exchange Online and SCL

In the current article series, we will mention the term SCL from time to time.

Q: What is the meaning of SCL?

A: The term SCL stands for Spam Confidence Level.


In simple words, the SCL is a value that is “attached” by the mail server (usually an Exchange server) to a specific E-mail item and defines the “trust level” of the specific E-mail item from the perspective of spam.

An SCL value such as “-1” “says” that the E-mail item can be fully trusted, and a high SCL value such as 5 “says” that the specific E-mail item is considered spam mail.
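To see the SCL stamp on a message that landed in a junk mail folder, read it from the message headers. The following Python code is an added example, not code from the original article; it parses the X-Forefront-Antispam-Report and X-MS-Exchange-Organization-SCL headers that Exchange Online Protection writes. The sample message is constructed, and the threshold of 5 is an assumption taken from the example value in the text above.

```python
import email
from email import policy

# Constructed sample message; addresses and header values are illustrative.
SAMPLE = (
    "From: sender@contoso.example\n"
    "To: recipient@fabrikam.example\n"
    "Subject: Quarterly offer\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:;LANG:en;SCL:5;\n"
    " SRV:;IPV:NLI;SFV:SPM;\n"
    "\n"
    "body\n"
)

def antispam_fields(raw_message):
    """Parse the KEY:value pairs of X-Forefront-Antispam-Report into a dict."""
    # policy.default unfolds headers that were wrapped over several lines.
    msg = email.message_from_string(raw_message, policy=policy.default)
    fields = {}
    for report in msg.get_all("X-Forefront-Antispam-Report", []):
        for pair in str(report).split(";"):
            key, sep, value = pair.strip().partition(":")
            if sep:
                fields.setdefault(key.upper(), value.strip())
    # Fall back to the dedicated SCL header when the report has no SCL field.
    scl_header = msg["X-MS-Exchange-Organization-SCL"]
    if "SCL" not in fields and scl_header is not None:
        fields["SCL"] = str(scl_header).strip()
    return fields

def scl_verdict(raw_message, spam_threshold=5):
    """Return (scl, verdict); scl is None when no usable stamp is present."""
    fields = antispam_fields(raw_message)
    try:
        scl = int(fields["SCL"])
    except (KeyError, ValueError):
        return None, "no SCL stamp found"
    if scl == -1:
        return scl, "trusted"            # -1: fully trusted, per the text
    if scl >= spam_threshold:            # threshold is an assumption
        return scl, "treated as spam"
    return scl, "not treated as spam"

if __name__ == "__main__":
    print(antispam_fields(SAMPLE))
    print(scl_verdict(SAMPLE))
```

The stamp reflects the verdict of the recipient's filtering service, so it can only be read from the copy the recipient received, and it survives only when that copy is sent back as an attachment rather than forwarded inline.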

Spam Confidence Level Threshold

Outlook unexpectedly marks messages as junk even if the SCL level is low

Spam Confidence Levels

Spam Confidence Level

Junk email with an SCL rating of 5 goes to the inbox

Configure content filter policies

Messages aren’t quarantined when you change the SCL rating in Office 365 or Exchange Online Protection

Exposing SCL (Spam Confidence Level) in Outlook


Internal \ outbound spam in Office 365 environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series.

Introduction to the concept of internal \ outbound spam in general and in Office 365 and Exchange Online environment

My E-mail appears as a spam – Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon: “My E-mail appears as a spam!”, possible factors for causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.

Internal spam in Office 365 – Introduction | Part 2#17
A general review of the term “internal \ outbound spam”, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.


Internal spam in Office 365 – Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail? Who or what are the “elements” that can decide that our mail is spam? What are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Commercial E-mail – Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365 \ Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction to the major causes for a scenario in which your organization E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail


My E-mail appears as spam | The 7 major reasons | Part 6#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. “Problematic” Website

Introduction to the subject of SPF record in general and in Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf.

Implementing SPF record | Part 8#17
The “technical side” of the SPF record: the structure of the SPF record, the way that we create an SPF record, what is the required syntax for the SPF record in an Office 365 environment + mixed mail environment, how to verify the existence of an SPF record and so on.


Introduction to the subject of Exchange Online - High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.

High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of the Exchange Online High Risk Delivery Pool.

The troubleshooting path of internal \ outbound spam scenario

My E-mail appears as spam – Troubleshooting path | Part 11#17
Troubleshooting a scenario of internal \ outbound spam in Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the “other side”.


My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering to blacklist monitoring services, activating the option of Exchange Online outbound spam.

My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17
What is the meaning of “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that saved to the junk mail


My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17
Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a

De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing and avoiding internal spam | Best practices | Part 17#17
Provides a short checklist of all the steps and operations that relate to a scenario of internal \ outbound spam.