High Risk Delivery Pool and Exchange Online | Part 10#17



Post on 21-Jul-2016


DESCRIPTION

High Risk Delivery Pool and Exchange Online | Part 10#17
http://o365info.com/high-risk-delivery-pool-and-exchange-online-part-10-17
How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool. The second article about the subject of the Exchange Online High Risk Delivery Pool.
Eyal Doron | o365info.com

TRANSCRIPT

Page 1: High Risk Delivery Pool and Exchange Online | Part 10#17

Page 1 of 20 | High Risk Delivery Pool and Exchange Online | Part 10#17

Written by Eyal Doron | o365info.com

HIGH RISK DELIVERY POOL AND EXCHANGE ONLINE | PART 10#17

The current article is the continuation of the former article: High Risk Delivery Pool and Exchange Online | Part 9#17

In this article we will focus on the following subjects:

How does Exchange Online “decide” to classify a specific E-mail as spam\junk mail?

Description of the internal spam E-mail message flow

Who is the authority that approves or identifies E-mail as spam\junk mail?

When Office 365 recipients ask to “deliver” E-mail to another recipient, Exchange Online (EOP, if we want to be more accurate) must check the E-mail message and verify whether the E-mail is “OK” or should be considered spam\junk mail.

The “security scanning process” of an outbound E-mail message is implemented by addressing two types of “security infrastructures”:

1. Proprietary block lists – that are not “exposed to the general public”

2. Third-party (partner) public block list providers.

Exchange Online Protection (EOP) uses its own proprietary block lists as well as third-party (partner) block lists. If a user is placed on our block lists after sending outbound messages through the service, they’ll receive a 550 5.1.8 Access Denied, Bad Sender message.

Additionally, the domain administrator address configured via the “Send a notification to the following email address when a sender is blocked sending outbound spam” setting in the outbound spam policy will receive a message that the sender was placed on our block lists.

[Source of information: Request that a user, domain, or IP address be removed from a block list after sending outbound spam]

In the following diagram, we can see a “high level” flow of the process in which Exchange Online scans an outgoing E-mail message sent by Office 365 users, with the help of the “black and block list databases”.

Note – the popular term is “black list” providers. In the Office 365 and Exchange Online articles the term used most of the time is “block list” providers. We can treat these two terms as synonyms.

Q: Who are these “mysterious” third-party (partner) public block list providers?

A: Information about these “third-party (partner) public block list providers” is publicly published. For example, if you want more information about the “third-party (partner) public block list providers” used by Office 365 and Exchange Online, you can read the following article: Request that a user, domain, or IP address be removed from a block list after sending outbound spam.

In that article we can see a list of the third-party (partner) block list providers used by the Exchange Online infrastructure.
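The public block lists the article refers to are DNS-based: a provider answers an A-record lookup for the reversed sending IP under its zone, and an answer inside 127.0.0.0/8 means the address is listed, while NXDOMAIN means it is not. The helper below is an added example, not code from the article and not Microsoft's partner list (the article points to the linked Microsoft page for that). The three zone names are well-known public DNSBLs chosen for illustration, the 127.255.255.0/24 error range is Spamhaus's documented way of signalling a refused or malformed query, and the `resolver` parameter is an assumption of this example that lets a fake resolver stand in for live DNS so the check runs offline.

```python
"""Query public DNS-based block lists (DNSBLs) for a sending IP address.

Added example for illustration; not code from the o365info.com article and
not the partner list that Exchange Online Protection uses.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Well-known public DNSBL zones, used here for illustration only.
DNSBL_ZONES: List[str] = [
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "b.barracudacentral.org",
]

# A resolver maps a DNS name to the text of its A record, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Listings are signalled by answers inside 127.0.0.0/8; anything else is a
# wildcard / captive-portal answer and must not be read as a listing.
LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus reports query errors (blocked public resolver, typo in zone name,
# query volume) in this range rather than a verdict on the address.
SPAMHAUS_ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def reverse_ipv4(ip: str) -> str:
    """Return the octets of an IPv4 address in reverse order (DNSBL form)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to look up: <reversed-ip>.<zone>."""
    return f"{reverse_ipv4(ip)}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_answer(answer: Optional[str]) -> str:
    """Interpret a DNSBL answer as 'not-listed', 'listed' or 'error'."""
    if answer is None:
        return "not-listed"
    addr = ipaddress.IPv4Address(answer)
    if addr in SPAMHAUS_ERROR_NET:
        return "error"      # the query was refused or malformed, not a listing
    if addr in LISTING_NET:
        return "listed"
    return "error"          # out-of-range answer: wildcard DNS, not a listing


def check_dnsbls(ip: str, zones: Iterable[str] = DNSBL_ZONES,
                 resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: verdict} for every zone, using classify_answer verdicts."""
    return {zone: classify_answer(resolver(dnsbl_query_name(ip, zone)))
            for zone in zones}


def listed_zones(results: Dict[str, str]) -> List[str]:
    """Zones on which the address is actually listed."""
    return [zone for zone, verdict in results.items() if verdict == "listed"]


if __name__ == "__main__":
    # Live lookup of the High Risk Delivery Pool address shown in the article's NDR.
    for zone, verdict in check_dnsbls("157.56.116.102").items():
        print(f"{zone}: {verdict}")
```

Two caveats when using this against a real incident: EOP's proprietary lists cannot be queried this way at all, so a clean DNSBL result does not rule out the 550 5.1.8 block the article quotes; and a listing of a shared High Risk Delivery Pool address reflects the pool's reputation, not your tenant's, so de-listing is Microsoft's job while the outbound message content is yours.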

Outbound spam scenario flows in an Office 365 environment

To demonstrate the flow of “internal spam E-mail”, let’s use the following scenario:

Office 365 users send E-mail to a “destination recipient”. The E-mail message is scanned and identified as spam\junk mail.

For this reason, the E-mail message is routed to the Exchange Online High Risk Delivery Pool, and the Exchange Online High Risk Delivery Pool sends it to its destination.

The “end” of the scenario is not known, because we cannot know what security policy and rules will be implemented by the destination mail infrastructure.

Step 1 – Office 365 recipients send E-mail to an external recipient. The request is accepted by the Exchange Online server.

Step 2 – Exchange Online accepts the E-mail message and forwards it to Exchange EOP (Exchange Online Protection) for further analysis.

Step 3 – Exchange EOP accepts the E-mail message and forwards it to the proprietary block lists + third-party (partner) block lists.

Step 4 – The E-mail message is examined by the block list providers. In our scenario, the E-mail message was identified as spam\junk mail.

The block list provider sends the E-mail message back to Exchange EOP and “informs” EOP that the E-mail is a “problematic E-mail message”.

Step 5 – Because the E-mail message was identified as spam\junk mail, Exchange EOP will not “forward” the E-mail message to the standard Exchange Online server pool; instead, the E-mail message will be forwarded to the “Exchange Online High Risk Delivery Pool”.

Step 6 – One of the “High Risk Delivery Pool” members will try to deliver the E-mail message to the destination mail server.

The basic assumption is that the “destination mail server” uses security services in which the incoming E-mail is scanned and verified via the blacklist providers and other security mechanisms.

In our scenario, there is a high chance that the E-mail message will be classified as spam\junk mail by the “destination mail server”, because the IP address of the Exchange Online High Risk Delivery Pool appears in well-known blacklists.

Note – another possible scenario is that the E-mail message will be identified as spam\junk mail because of the E-mail content, and not because the E-mail message was sent via the Exchange Online High Risk Delivery Pool.

Step 7 – The mail security infrastructure used by the “destination mail server”.

Each “external mail infrastructure” uses a different mail security policy and different services.

In some scenarios, the “destination security mail gateway” will block the E-mail message and reply with an NDR message.

In some scenarios, the “destination security mail gateway” will send the E-mail message to quarantine.

In some scenarios, the “destination security mail gateway” will increase the value of the SCL (spam confidence level) and forward the E-mail message to the destination recipient.

An example of an NDR message

In the following section, we can see an example of an NDR message that was returned to Office 365 recipients by the “destination mail server”.

Pay attention to the IP address that appears in the NDR message. This is an IP address that “belongs” to the IP range of the “High Risk Delivery Pool”.

Remote Server returned ‘550-5.7.1 [157.56.116.102 ] our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines. p10si13699322wje.90 – gsmtp’
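The NDR above and the 550 5.1.8 Access Denied, Bad Sender reply quoted from the Microsoft documentation on page 2 are the two pieces of evidence an administrator actually has in this scenario, and the article's closing question (who is responsible?) is answered by reading them correctly. The following Python is an added example, not code from the article: it pulls the SMTP reply code, the enhanced status code, the sending IP and the human-readable reason out of the “Remote Server returned” text (the multi-line reply repeats “550-5.7.1” on every continuation line, which is why the text reads so oddly), checks the IP against a High Risk Delivery Pool range, and labels the rejection as coming from EOP's own block lists (5.1.8, a problem on our side) or from the destination's policy (5.7.x). `HIGH_RISK_POOL_RANGES` is a constructed placeholder around the one address the article shows, not Microsoft's published ranges, and `SAMPLE_EOP_BLOCK` is a constructed sample of the reply the article names.

```python
"""Parse the remote-server response inside an NDR and decide where the
rejection came from.  Added example, not code from the o365info.com article.

HIGH_RISK_POOL_RANGES is a constructed PLACEHOLDER: the article only states
that 157.56.116.102 belongs to the High Risk Delivery Pool.  Load Microsoft's
published ranges in real use.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder network built around the address shown in the article's NDR.
HIGH_RISK_POOL_RANGES: List[ipaddress.IPv4Network] = [
    ipaddress.IPv4Network("157.56.116.0/24"),
]

# The NDR text from the article, reflowed onto one line.
SAMPLE_NDR = (
    "Remote Server returned '550-5.7.1 [157.56.116.102 ] our system has detected "
    "an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. "
    "To protect our 550-5.7.1 users from spam, mail sent from your IP address has "
    "been blocked. 550-5.7.1 Please visit "
    "http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk "
    "Email Senders Guidelines. p10si13699322wje.90 - gsmtp'"
)

# Constructed sample of the reply the article says EOP returns to a blocked sender.
SAMPLE_EOP_BLOCK = "Remote Server returned '550 5.1.8 Access Denied, Bad Sender'"

_QUOTED = re.compile(r"returned\s+['‘](.*)['’]", re.S)
# "550-5.7.1" marks continuation lines of an SMTP reply, "550 5.7.1" the last one.
_CODE = re.compile(r"\b(\d{3})[ -](\d\.\d{1,3}\.\d{1,3})\b")
_IP = re.compile(r"\[\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\]")


@dataclass
class NdrVerdict:
    reply_code: int                      # basic SMTP code, e.g. 550
    enhanced_code: str                   # enhanced status code, e.g. "5.7.1"
    reason: str                          # reply text with codes and IP stripped
    sending_ip: Optional[str]            # address the remote server complained about
    from_high_risk_pool: Optional[bool]  # None when no IP was present
    origin: str                          # "eop-block-list", "destination-policy", "other"


def parse_ndr(text: str) -> NdrVerdict:
    """Extract codes, IP and reason from an NDR's 'Remote Server returned' text."""
    m = _QUOTED.search(text)
    body = m.group(1) if m else text
    codes = _CODE.findall(body)
    if not codes:
        raise ValueError("no SMTP reply code found in NDR text")
    reply_code, enhanced = int(codes[0][0]), codes[0][1]
    ip_match = _IP.search(body)
    sending_ip = ip_match.group(1) if ip_match else None
    # Drop the repeated "550-5.7.1" prefixes and the bracketed IP, then reflow.
    reason = " ".join(_IP.sub("", _CODE.sub("", body)).split())
    in_pool = None
    if sending_ip is not None:
        addr = ipaddress.IPv4Address(sending_ip)
        in_pool = any(addr in net for net in HIGH_RISK_POOL_RANGES)
    if enhanced == "5.1.8":
        origin = "eop-block-list"      # EOP refused our sender: the cause is on our side
    elif reply_code // 100 == 5 and enhanced.startswith("5.7."):
        origin = "destination-policy"  # the receiving server's policy rejected it
    else:
        origin = "other"
    return NdrVerdict(reply_code, enhanced, reason, sending_ip, in_pool, origin)


def triage(text: str) -> str:
    """One-line summary an administrator can paste into a ticket."""
    v = parse_ndr(text)
    where = {
        "eop-block-list": "sender placed on EOP block lists; request de-listing from Microsoft",
        "destination-policy": "rejected by the destination's policy",
        "other": "unclassified rejection",
    }[v.origin]
    pool = ""
    if v.sending_ip:
        label = "High Risk Delivery Pool" if v.from_high_risk_pool else "not in pool ranges"
        pool = f" from {v.sending_ip} ({label})"
    return f"{v.reply_code} {v.enhanced_code}{pool}: {where}"


if __name__ == "__main__":
    print(triage(SAMPLE_NDR))
    print(triage(SAMPLE_EOP_BLOCK))
```

Reading the article's NDR through this lens gives the conclusion the recap reaches: the sending address is a pool address and the destination's 5.7.x policy did the blocking, but the message was only in that pool because EOP had already judged the content to be spam, so the fix starts with the message, not with the destination.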

Recap and final conclusions

In a scenario in which we are notified that mail sent from our organization is classified as spam\junk mail, the main question is:

What is the reason (the causes) that mail sent from our organization is identified as spam\junk mail? Or, in simple words: who can we blame?

Is it the Office 365 users?

Is it the specific E-mail message content?

Is it the Exchange Online server that routes the E-mail message to the “High Risk Delivery Pool”?

Is it the “High Risk Delivery Pool”?

Is it the Office 365 blacklist providers?

Is it the destination mail security gateway?

Most of the time, our natural tendency will be to blame the “other side”. The “other side” could be the destination mail server or, in our scenario, the Office 365 mail servers.

The true answer is that in most scenarios the opposite is true.

The element that is responsible (guilty) for the E-mail message sent by our organization’s user being identified as spam\junk mail is located on “our side”!

If we want to be very specific: the Office 365 users who “write and send the specific E-mail message”.

The “source of the problem” starts with the “problematic E-mail message” that was created by the Office 365 users. The “problematic E-mail message” is the root of all the rest of the process.

Note – in a scenario of malware, the “problematic E-mail message” is created by the malware and not by the user himself.

When Exchange Online recognizes the E-mail message that was created by the Office 365 user as spam\junk mail, it routes the E-mail message to the Exchange Online “High Risk Delivery Pool”, and so on.

When the E-mail message reaches its destination, there is a reasonable chance that the “destination mail server” will block the E-mail message because it was sent by the Exchange Online High Risk Delivery Pool, or because it also “sees” the problematic content of the E-mail message.


Additional reading

High Risk Delivery Pool for Outbound Messages

Understanding outbound spam controls in Office 365

Internal \ outbound spam in Office 365 environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17

The article index of the complete article series


Introduction to the concept of internal \ outbound spam in general and in Office 365 and Exchange Online environment

My E-mail appears as a spam – Introduction | Office 365 | Part 1#17

The psychological profile of the phenomenon: “My E-mail appears as a spam!”, possible factors for causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.

Internal spam in Office 365 – Introduction | Part 2#17

Review in general the term “internal \ outbound spam”, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.

Internal spam in Office 365 – Introduction | Part 3#17

What are the possible reasons that could cause our mail to appear as spam\junk mail, who or what are these “elements” that can decide that our mail is spam mail, what are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?


Commercial E-mail – Using the right tools | Office 365 | Part 4#17

What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365\Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction to the major causes for a scenario in which your organization’s E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17

Review three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail

My E-mail appears as spam | The 7 major reasons | Part 6#17

Review three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 4. False positive, 5. User desktop malware, 6. “Problematic” website


Introduction to the subject of the SPF record in general and in an Office 365 environment

What is SPF record good for? | Part 7#17

The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf?

Implementing SPF record | Part 8#17

The “technical side” of the SPF record: the structure of the SPF record, the way we create an SPF record, the required syntax for the SPF record in an Office 365 environment + mixed mail environment, how to verify the existence of the SPF record and so on.

Introduction to the subject of Exchange Online - High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17

How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.


High Risk Delivery Pool and Exchange Online | Part 10#17

The second article about the subject of the Exchange Online High Risk Delivery Pool.

The troubleshooting path of an internal \ outbound spam scenario

My E-mail appears as spam – Troubleshooting path | Part 11#17

Troubleshooting scenario of internal \ outbound spam in Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the “other side”.

My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17

Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering blacklist monitoring services, activating the option of Exchange Online outbound spam.


My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17

What is the meaning of “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17

The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that was saved to the junk mail.

My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17

Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a


De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17

Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing with and avoiding internal spam | Best practices | Part 17#17

Provide a short checklist for all the steps and the operations that relate to a scenario of internal \ outbound spam.