High Risk Delivery Pool and Exchange Online | Part 10#17
http://o365info.com/high-risk-delivery-pool-and-exchange-online-part-10-17
DESCRIPTION: How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool. The second article about the subject of the Exchange Online High Risk Delivery Pool.
Page 1 of 20 | High Risk Delivery Pool and Exchange Online | Part 10#17
Written by Eyal Doron | o365info.com
HIGH RISK DELIVERY POOL AND EXCHANGE ONLINE | PART 10#17
The current article is the continuation of the former article: High Risk Delivery Pool and Exchange Online | Part 9#17
In this article we will focus on the following subjects:
1. How does Exchange Online “decide” to classify a specific E-mail message as spam\junk mail?
2. Description of the internal spam E-mail message flow.
3. Who is the authority that approves or identifies E-mail as spam\junk mail?
When an Office 365 user sends E-mail to another recipient, Exchange Online (EOP, if we want to be more accurate) must scan the E-mail message and decide whether it is “OK” or should be considered spam\junk mail.
The “security scanning process” of an outbound E-mail message is implemented by consulting two types of “security infrastructure”:
1. Proprietary block lists, which are not “exposed to the general public”.
2. Third-party (partner) public block list providers.
Exchange Online Protection (EOP) uses its own proprietary block lists as well as third-party (partner) block lists. If a user is placed on our block lists after sending outbound messages through the service, they’ll receive a 550 5.1.8 Access Denied, Bad Sender message.
Additionally, the domain administrator address configured via the “sends a notification to the following email address when a sender is blocked sending outbound spam” setting in the outbound spam policy will receive a message that the sender was placed on our block lists.
[Source of information: Request that a user, domain, or IP address be removed from a block list after sending outbound spam]
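The outbound spam policy setting quoted above, and the 550 5.1.8 symptom, can be checked and configured from Exchange Online PowerShell. The following script is an added example written for this article; it is not code from the source article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account has Exchange administrator rights, and that admin@contoso.com and user@contoso.com are placeholder addresses. The cmdlets and parameters used (Get-/Set-HostedOutboundSpamFilterPolicy, Get-MessageTrace, Get-MessageTraceDetail) are the documented Exchange Online ones.

```powershell
# Added example (not from the original article): inspect and configure the
# outbound spam notification settings, then look for recent outbound mail from
# one sender that EOP filtered or that failed delivery.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
# All addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Show the current outbound spam policy notification settings.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, NotifyOutboundSpam, NotifyOutboundSpamRecipients,
                  BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients |
    Format-List

# 2. Make sure someone is actually told when a sender is placed on the block list.
#    Without this, the 550 5.1.8 "Access Denied, Bad Sender" NDR that the user
#    receives is the only signal the organization gets.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients 'admin@contoso.com'

# 3. Look for outbound mail from a suspected sender that was not delivered normally.
#    FilteredAsSpam and Failed are two of the documented Get-MessageTrace Status
#    values; message trace only covers the last 10 days.
$since = (Get-Date).AddDays(-2)
$suspect = Get-MessageTrace -SenderAddress 'user@contoso.com' `
                            -StartDate $since -EndDate (Get-Date) |
           Where-Object { $_.Status -in 'FilteredAsSpam', 'Failed' }

$suspect |
    Select-Object Received, RecipientAddress, Subject, Status, FromIP, ToIP |
    Format-Table -AutoSize

# 4. The per-message detail shows which EOP event produced the verdict.
#    Get-MessageTrace output binds to Get-MessageTraceDetail by MessageTraceId.
$suspect |
    Where-Object { $_.Status -eq 'FilteredAsSpam' } |
    Select-Object -First 1 |
    Get-MessageTraceDetail |
    Select-Object Date, Event, Action, Detail |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

In newer tenants Microsoft has been moving this notification to the “User restricted from sending email” alert policy in the Security & Compliance Center, so check both places when the policy parameter appears to have no effect.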
In the following diagram, we can see a “high level” flow of the process in which Exchange Online scans outgoing E-mail messages sent by Office 365 users with the help of the “black list and block list databases”.
Note – the popular term is “black list” providers. In the Office 365 and Exchange Online articles the term used most of the time is “block list” providers. We can treat these two terms as synonyms.
Q: Who are these “mysterious” third-party (partner) public block list providers?
A: Information about the third-party (partner) public block list providers is publicly published. For example, if you want more information about the third-party (partner) public block list providers used by Office 365 and Exchange Online, you can read the following article: Request that a user, domain, or IP address be removed from a block list after sending outbound spam.
In that article we can see a list of the third-party (partner) block list providers used by the Exchange Online infrastructure.
Outbound spam scenario flows in an Office 365 environment
To demonstrate the flow of “internal spam E-mail”, let’s use the following scenario:
An Office 365 user sends E-mail to a “destination recipient”. The E-mail message is scanned and identified as spam\junk mail.
For this reason, the E-mail message is routed to the Exchange Online High Risk Delivery Pool, and the High Risk Delivery Pool will send it to its destination.
The “end” of the scenario is not known in advance, because we cannot know the security policy and rules that will be implemented by the destination mail infrastructure.
Step 1 – An Office 365 user sends E-mail to an external recipient. The request is accepted by the Exchange Online server.
Step 2 – Exchange Online accepts the E-mail message and forwards it to EOP (Exchange Online Protection) for further analysis.
Step 3 – EOP accepts the E-mail message and checks it against the proprietary block lists and the third-party (partner) block lists.
Step 4 – The E-mail message is examined against the block lists (the lookup is done against the lists; the message itself is not sent to the third-party providers). In our scenario, the E-mail message is identified as spam\junk mail, and the block list check “informs” EOP that this is a “problematic E-mail message”.
Step 5 – Because the E-mail message was identified as spam\junk mail, EOP will not “forward” it to the standard Exchange Online server pool. Instead, the E-mail message is forwarded to the “Exchange Online High Risk Delivery Pool”.
Step 6 – One of the “High Risk Delivery Pool” members will try to deliver the E-mail message to the destination mail server.
The basic assumption is that the “destination mail server” uses security services in which incoming E-mail is scanned and verified via black list providers and other security mechanisms.
In our scenario, there is a high chance that the E-mail message will be classified as spam\junk mail by the “destination mail server”, because the IP address of the Exchange Online High Risk Delivery Pool appears in well-known black lists.
Note – another possible scenario is that the E-mail message is identified as spam\junk mail because of the E-mail content, and not because it was sent via the Exchange Online High Risk Delivery Pool.
Step 7 – The mail security infrastructure used by the “destination mail server” reacts. Each “external mail infrastructure” uses a different mail security policy and services:
In some scenarios, the “destination security mail gateway” will block the E-mail message and reply with an NDR message.
In some scenarios, the “destination security mail gateway” will send the E-mail message to quarantine.
In some scenarios, the “destination security mail gateway” will increase the SCL (spam confidence level) value and forward the E-mail message to the destination recipient, typically into the junk mail folder.
An example of an NDR message
In the following section, we can see an example of an NDR message that was returned to an Office 365 recipient by the “destination mail server”.
Pay attention to the IP address that appears in the NDR message. This is an IP address that “belongs” to the IP range of the “High Risk Delivery Pool”:
Remote Server returned ‘550-5.7.1 [157.56.116.102] our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines. p10si13699322wje.90 – gsmtp’
Note – this particular rejection is Google’s own IP reputation verdict (“unusual rate of unsolicited mail originating from your IP address”), not the result of a public black list lookup. Being de-listed from public black lists will therefore not by itself clear it; the sending IP here is Microsoft’s, and the only thing the organization controls is the content and volume of what its users send.
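The NDR above, and the block list checks in steps 4 and 6, raise the same practical question: which IP rejected us, and is that IP listed on a public black list? The following script is an added example written for this article, not code from the source article or from Microsoft. It pulls the SMTP reply code, enhanced status code and bracketed IP out of an NDR body, reverses the octets and queries three well-known DNSBL zones. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName); the sample NDR is constructed from the message quoted above with the line breaks removed. Spamhaus refuses queries that arrive through large public resolvers and returns a 127.255.255.x answer instead of a listing, so run this from a normal corporate resolver.

```powershell
# Added example (not from the original article): extract the rejecting server's
# IP and status codes from an NDR, then ask public DNS block lists about that IP.
# Needs Resolve-DnsName (Windows DnsClient module) and outbound DNS.

# Constructed sample: the NDR quoted in the article, joined onto one line.
$ndrText = @'
Remote Server returned '550-5.7.1 [157.56.116.102] our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines. p10si13699322wje.90 - gsmtp'
'@

function Get-NdrRejectInfo {
    param([Parameter(Mandatory)][string]$Text)
    # Enhanced status code (x.y.z) immediately after the 3-digit SMTP reply code,
    # and the first IPv4 address written in square brackets.
    $code = [regex]::Match($Text, '\b(\d{3})[ -](\d\.\d\.\d)\b')
    $ip   = [regex]::Match($Text, '\[(\d{1,3}(?:\.\d{1,3}){3})\]')
    [pscustomobject]@{
        SmtpCode       = if ($code.Success) { $code.Groups[1].Value } else { $null }
        EnhancedStatus = if ($code.Success) { $code.Groups[2].Value } else { $null }
        RemoteIP       = if ($ip.Success)   { $ip.Groups[1].Value }   else { $null }
    }
}

function Test-DnsBlockList {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string[]]$Zones = @('zen.spamhaus.org', 'bl.spamcop.net', 'b.barracudacentral.org')
    )
    # DNSBL convention: reverse the octets and append the zone. An A record in
    # 127.0.0.0/8 means "listed"; NXDOMAIN (no answer) means "not listed".
    $reversed = ($IPAddress.Split('.')[3..0]) -join '.'
    foreach ($zone in $Zones) {
        $query  = "$reversed.$zone"
        $answer = Resolve-DnsName -Name $query -Type A -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } |
                  Select-Object -ExpandProperty IPAddress
        $verdict = if (-not $answer) { 'not listed' }
                   # Spamhaus uses 127.255.255.x to say "query refused / bad resolver",
                   # which must not be read as a listing.
                   elseif ($answer -like '127.255.255.*') { 'query refused by the list (not a listing)' }
                   else { "LISTED ($($answer -join ', '))" }
        [pscustomobject]@{ Zone = $zone; Query = $query; Verdict = $verdict }
    }
}

$info = Get-NdrRejectInfo -Text $ndrText
$info | Format-List
if ($info.RemoteIP) {
    Test-DnsBlockList -IPAddress $info.RemoteIP | Format-Table -AutoSize
}
```

The return codes inside 127.0.0.0/8 carry meaning per list (Spamhaus, for example, distinguishes its SBL, XBL and PBL sub-lists by the last octet), so keep the raw answer in the output rather than collapsing it to a yes/no.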
Recap and final conclusions
In a scenario in which we are notified that mail sent from our organization is classified as spam\junk mail, the main question is:
What is the reason (the cause) that mail sent from our organization is identified as spam\junk mail? Or in simple words: who can we blame?
Is it the Office 365 users?
Is it the specific E-mail message content?
Is it the Exchange Online server that routes the E-mail message to the “High Risk Delivery Pool”?
Is it the “High Risk Delivery Pool”?
Is it the Office 365 black list providers?
Is it the destination mail security gateway?
Most of the time, our natural tendency will be to blame the “other side”. The “other side” could be the destination mail server or, in our scenario, the Office 365 mail servers.
The true answer is that in most scenarios the opposite is true.
The element responsible (guilty) for the E-mail message sent by our organization’s user being identified as spam\junk mail is located on “our side”!
If we want to be very specific: the Office 365 user who “writes and sends the specific E-mail message”.
The “source of the problem” starts with the “problematic E-mail message” created by the Office 365 user. The “problematic E-mail message” is the root of all the rest of the process.
Note – in a malware scenario, the “problematic E-mail message” is created by the malware and not by the user himself.
When Exchange Online recognizes the E-mail message created by the Office 365 user as spam\junk mail, it routes the E-mail message to the Exchange Online “High Risk Delivery Pool”, and so on.
When the E-mail message reaches its destination, there is a reasonable chance that the “destination mail server” will block it, either because it was sent by the Exchange Online High Risk Delivery Pool or because the destination also “sees” the problematic content of the E-mail message.
Additional reading
High Risk Delivery Pool for Outbound Messages
Understanding outbound spam controls in Office 365
Internal \ outbound spam in Office 365 environment | Article series index
A quick reference for the article series
My E-mail appears as a spam | Article series index | Part 0#17 – The article index of the complete article series
Introduction to the concept of internal \ outbound spam in general and in the Office 365 and Exchange Online environment
My E-mail appears as a spam – Introduction | Office 365 | Part 1#17 – The psychological profile of the phenomenon “My E-mail appears as a spam!”, possible factors causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.
Internal spam in Office 365 – Introduction | Part 2#17 – Review in general the term “internal \ outbound spam”, misconceptions that relate to this term, the risks involved in this scenario, outbound spam E-mail policy and more.
Internal spam in Office 365 – Introduction | Part 3#17 – What are the possible reasons that could cause our mail to appear as spam\junk mail? Who or what are the “elements” that can decide that our mail is spam mail? What are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?
Commercial E-mail – Using the right tools | Office 365 | Part 4#17 – What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365\Exchange Online is unsuitable for the purpose of commercial E-mail?
Introduction to the major causes of a scenario in which your organization’s E-mail appears as spam
My E-mail appears as spam | The 7 major reasons | Part 5#17 – Review three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail.
My E-mail appears as spam | The 7 major reasons | Part 6#17 – Review three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 4. False positive, 5. User desktop malware, 6. “Problematic” website.
Introduction to the subject of the SPF record in general and in the Office 365 environment
What is an SPF record good for? | Part 7#17 – The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf?
Implementing an SPF record | Part 8#17 – The “technical side” of the SPF record: the structure of the SPF record, the way we create an SPF record, the required syntax for the SPF record in an Office 365 environment and in a mixed mail environment, how to verify the existence of an SPF record, and so on.
Introduction to the subject of the Exchange Online High Risk Delivery Pool
High Risk Delivery Pool and Exchange Online | Part 9#17 – How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.
High Risk Delivery Pool and Exchange Online | Part 10#17 – The second article about the subject of the Exchange Online High Risk Delivery Pool.
The troubleshooting path of an internal \ outbound spam scenario
My E-mail appears as spam – Troubleshooting path | Part 11#17 – Troubleshooting scenario of internal \ outbound spam in the Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the “other side”.
My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17 – Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering for blacklist monitoring services, activating the Exchange Online outbound spam option.
My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17 – What is the meaning of “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?
My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17 – The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that was saved to the junk mail folder.
My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17 – Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a
De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17 – Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.
Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam
Dealing with and avoiding internal spam | Best practices | Part 17#17 – Provide a short checklist for all the steps and operations that relate to a scenario of internal \ outbound spam.