Dealing with SPAM Mail in office 365 ~ o365info.com
Wednesday, May 22, 2013

Let’s make it short and simple: from my experience, a significant percentage, if not most, of SPAM mail is blocked by the Office 365 mail security gateways. This doesn’t mean that we will never see SPAM, because no system blocks 100% of SPAM all the time. When we do experience SPAM mail, Office 365 offers many tools and options for dealing with it.
In this article, we quickly review the different types of SPAM mail. Then we present the different tools that we can use for fighting SPAM mail in an Office 365 environment and try to match the “SPAM tool” to the task based on the type of SPAM.

Part 1: SPAM mail and office 365 environment overview

SPAM mail and office 365 environment

One of the most considerable advantages of using Office 365 is that many services, such as mail security, are implemented transparently, behind the scenes. Office 365 mail services include by default a mail security infrastructure based on a platform described as EOP (Exchange Online Protection); the former mail security infrastructure was implemented by the FOPE service.

The EOP infrastructure serves as the mail gateway responsible for the “hygiene” of incoming and outgoing mail flow. The purpose of this mail gateway is to filter any malware, virus or SPAM included in the mail flow that comes from external sources to the Office 365 recipients (incoming mail flow), and also in the opposite direction: mail sent from Office 365 recipients to external sources.

Who is to blame?

EOP performs its duties faithfully, but from time to time Office 365 subscribers can experience SPAM mail that gets into their mailbox.

Before we begin with the technical part of “mitigating the SPAM issue”, I would like to address the issue of “blame”. Many times the response from our customer includes an implicit or explicit claim such as: “since we moved to the cloud (Office 365), we experience SPAM issues” or “Microsoft doesn’t provide good mail security, because it allows SPAM mail to enter our company”.

I think that many times these claims are excessive, because most of the time EOP (Exchange Online Protection) does a very good job of protecting Office 365 recipients. Let’s not forget that there is no “perfect solution” that blocks 100% of SPAM mail, because SPAM solutions and gateways will always need to face the issues of:


Additionally, there is the factor of the dynamically changing SPAM methods, which present a challenge every second and minute to the security and response team that manages the EOP signature database.

So what is the consolation? The point is that it is “O.K.” to experience SPAM from time to time, as long as we have the tools or the solution for stopping it.


SPAM mail - Troubleshooting process and classification

To create a clear path for the troubleshooting process, we will implement the workflow described in the following diagram:


Step 1 - Get information about the character of the SPAM mail

The most basic step is to get essential information about the SPAM message. We need to decide if the mail message is truly a SPAM message and, if so, try to recognize the type of SPAM. Based on this information, we choose the right “tools” for mitigating the SPAM.
Step 2 - Block\Report SPAM mail

When we deal with SPAM mail, we try to block it using the options available on the “server side” (Exchange Online and EOP) and on the “client side” (Outlook). Blocking the SPAM mail can be implemented as a combined operation: using tools for filtering SPAM mail, and other tools for reporting (sending a sample of the SPAM mail) to the Microsoft team that manages the EOP infrastructure.

Step 3 - contact office 365 support team

In case all of our efforts fail and our recipients still get SPAM mail, we can always contact the Office 365 support team and ask for help in stopping the SPAM mail (most of the time, we will need to collect and send some sample SPAM mail so these mail items can be forwarded to the Microsoft team that manages the Office 365 mail security gateways).

 

Get information about the character of the SPAM mail


When a user complains about “SPAM mail”, we need to verify whether the mail really deserves the title “SPAM mail”. For example, we would like to know if the mail is “true SPAM” or just an “innocent mail” sent by a distribution list that the user subscribed to in the past.

The SPAM mail characters

Let’s assume that we check the mail and identify that it is SPAM. Most of the time we use the term “SPAM mail” or “junk mail” to describe unwanted email, but in reality there are many types of SPAM/junk mail, and each type has its own characteristics. The next step is to classify the type of SPAM mail, because based on this information we can choose the most appropriate solution and the amount of “resources” that we need to allocate for blocking it.

The classification could be: SPAM mail sent from a specific sender or domain, SPAM mail that includes specific keywords or characters of a specific language, a specific type of SPAM such as NDR backscatter (reviewed in the section: Scenario 2: Blocking SPAM Mail classified as NDR backscatter), and so on.


An additional classification that we need is the scope and the business impact of the SPAM mail. For example: is the SPAM mail affecting a specific user or all the organization’s users? What is the “dosage” of the SPAM: one or two SPAM items sent randomly, or a “flood” of tens and hundreds of SPAM mails?

 

Questioning list

Here is a sample of a questioning list that could help to gather the required information:
Q: Is the mail considered SPAM, or is it just standard advertisement mail from a well-known/familiar company?
Q: Is the SPAM mail sent from a specific sender email address?
Q: Is the SPAM mail sent from a specific domain?
Q: Does the SPAM mail include specific keywords in the subject or body?
Q: Does the SPAM mail include characters of a non-English language?
Q: Is the SPAM mail sent from a specific geographical location?


General characteristics
Q: Is the SPAM mail sent on a specific schedule (specific hour or date)?
Q: What percentage of the organization’s users get the SPAM mail?
Q: What is the “amount” of SPAM mail (a single mail item, or tens and hundreds of SPAM mails)?
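The questioning list above is easier to answer from data than from the user’s impression. The following PowerShell is an added example (it is not part of the original article): it takes message-trace style records and summarises the sender, domain, affected-user and timing characteristics the list asks about. The input objects mimic the shape of Exchange Online `Get-MessageTrace` output (Received, SenderAddress, RecipientAddress, Subject); the records, the `contoso.com` organisation and the `Get-SpamProfile` function name are constructed for the example.

```powershell
# Added example (not from the original article): profile a batch of suspected
# SPAM messages so the questioning list can be answered. The records below are
# constructed sample data shaped like Get-MessageTrace output, not tenant data.

function Get-SpamProfile {
    param(
        [Parameter(Mandatory)] [object[]] $Messages,   # message-trace style records
        [Parameter(Mandatory)] [int]      $TotalUsers  # mailboxes in the organisation
    )

    $senders = @($Messages | Select-Object -ExpandProperty SenderAddress -Unique)
    $domains = @($senders | ForEach-Object { ($_ -split '@')[-1].ToLower() } | Select-Object -Unique)
    $victims = @($Messages | Select-Object -ExpandProperty RecipientAddress -Unique)
    $byHour  = @($Messages | Group-Object { $_.Received.Hour } | Sort-Object Count -Descending)

    # Non-ASCII characters in the subject are a hint for the "international SPAM"
    # option (section B.2), which filters by language rather than by sender
    $nonAscii = @($Messages | Where-Object { $_.Subject -match '[^\x00-\x7F]' }).Count

    [pscustomobject]@{
        MessageCount     = $Messages.Count
        DistinctSenders  = $senders.Count
        SenderDomains    = ($domains -join ', ')
        SingleSender     = ($senders.Count -eq 1)   # "Block Sender" only helps if this is true
        SingleDomain     = ($domains.Count -eq 1)   # a domain-based rule is viable if true
        AffectedUsers    = $victims.Count
        PercentOfUsers   = [math]::Round(100 * $victims.Count / $TotalUsers, 1)
        PeakHour         = [int]$byHour[0].Name      # most common delivery hour
        NonAsciiSubjects = $nonAscii
    }
}

# Constructed sample: a small "flood" from two addresses in one domain, arriving
# in the same early-morning hour on two consecutive days
$sample = @(
    [pscustomobject]@{ Received = [datetime]'2013-05-20 03:10'; SenderAddress = 'promo@midorg.com'; RecipientAddress = 'alice@contoso.com'; Subject = 'Buy cheap pills' }
    [pscustomobject]@{ Received = [datetime]'2013-05-20 03:12'; SenderAddress = 'promo@midorg.com'; RecipientAddress = 'bob@contoso.com';   Subject = 'Buy cheap pills' }
    [pscustomobject]@{ Received = [datetime]'2013-05-20 03:15'; SenderAddress = 'deals@midorg.com'; RecipientAddress = 'carol@contoso.com'; Subject = 'Дешевые таблетки' }
    [pscustomobject]@{ Received = [datetime]'2013-05-21 03:11'; SenderAddress = 'deals@midorg.com'; RecipientAddress = 'alice@contoso.com'; Subject = 'Buy cheap pills' }
)

# For the sample: 4 messages, 2 senders, one domain (midorg.com), 3 of 50 users (6%),
# peak hour 3, one non-ASCII subject: a domain-based rule, not "Block Sender", fits.
Get-SpamProfile -Messages $sample -TotalUsers 50 | Format-List
```

In a real tenant the `$sample` array would be replaced by `Get-MessageTrace` output for the complaint period; the `SingleSender` and `SingleDomain` flags then point directly at which of the client-side and server-side options below is worth the effort.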

Dealing with SPAM: Server Side - optional solutions

We can classify the tools and operations that we can use for mitigating the SPAM issue as:

In this section, I would like to quickly review the options that are available for us on the server side.

Exchange Online Protection (EOP)

A bit of history: in former versions of Office 365 (and BPOS), the “mail security” solution was implemented by a product named FOPE (Forefront Online Protection for Exchange). Office 365 subscribers had access to the FOPE web management, but the interface and the access to it were uncomfortable and had many disadvantages.
EOP (Exchange Online Protection) is the new successor of FOPE, and I am happy to say: long live the new king!

EOP has many advantages over FOPE, and the good news is that EOP is fully integrated into the Exchange Online management. Actually, most of us don’t relate to EOP as a “separate component”, because from the Exchange Online administrator’s point of view, EOP is just an “additional menu” in the Exchange Online web management interface (the Exchange Admin Center, EAC).

In the following screenshot, we can see the web management interface that gives us access to the EOP settings. In the Exchange Online web management, the EOP management is displayed as the “protection” menu.


Exchange online - Rules

An additional component that we can use for dealing with SPAM mail is “rules” (in former versions of Exchange the term was Transport Rules). The “rule” component is a very powerful tool that enables us to control and manage each incoming mail item sent to the Office 365 recipients, and each outgoing mail item sent by the Office 365 recipients to external recipients.

In the following diagram, we can see a representation of the Exchange Online tools and options that we can use based on the “type” of SPAM mail.

A quick wrap-up of the options that are available for us in the Exchange Online environment:

Part 2: Dealing with SPAM in an office 365 environment

In the following section, we review the available options that we can use for mitigating SPAM mail in an Office 365 environment. We can classify the different options and tools as client side and server side.

A. Dealing with SPAM mail - Client side

 

A.1. Microsoft Junk E-mail Reporting Add-in

The Microsoft Junk E-mail Reporting Add-in is a very useful Outlook add-in that enables each user to create a “direct connection” to the Microsoft team that is responsible for mail security (and for updating the information in the virus/SPAM signature database).

By selecting the mail item and choosing the “Report Junk” option, the mail item is automatically sent to the Microsoft mail security team for further analysis and investigation, to help improve the effectiveness of the junk e-mail filtering technologies.

The big advantage of the Microsoft Junk E-mail Reporting Add-in is its ease of use. In a false negative scenario (in which the defending system doesn’t recognize bad/SPAM mail and the mail reaches the recipient’s mailbox), a “standard user” (no administrative privileges needed) can report the “SPAM mail” very easily and without complicated technical steps.

The “disadvantages” are that this add-in is not included by default as part of the Outlook installation (although there is an option for distributing this add-in in a centralized way; for more information read the article: Enterprise deployment), and that, despite the fact that the user who reports the SPAM mail gets a “confirmation mail”, there is no clear indication about “what was done with the information”, and whether the information (the SPAM mail) was added to the SPAM signature database. From my experience, the good news is that even without a “feedback” process from the Microsoft team, the information is analyzed, the “SPAM signature” is updated in a short time, and the SPAM mail stops reaching the recipient’s mailbox.

Using the Microsoft Junk E-mail Reporting Add-in

Step 1 – Download and Install the Microsoft Junk E-mail Reporting Add-in.

You can find the Microsoft Junk E-mail Reporting Add-in using the following link: Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook

When you get to the download page, most of the time the option that will suit your needs is: Junk Reporting Add-in for Office 2007, 2010, 2013 (32bit).msi


Step 2 - Report email as SPAM


In Outlook 2010/2013, the Microsoft Junk E-mail Reporting Add-in is implemented as an additional menu option named “Report Junk”, which is added to the “Junk” section, so that an email can be reported as SPAM. To “mark” a mail item as junk, use the following procedure:

A warning message appears and informs the user that the mail item will be reported as SPAM. Choose the “Yes” option.

When we choose the “Yes” option, the following events occur:

In the following screenshot, we can see a mail item that was reported as SPAM. The mail item is moved automatically to the Junk E-mail folder. In the Sent Items folder, we can see a “new mail” sent to the Microsoft abuse team that includes an attachment (the mail that was reported as SPAM).

After the SPAM mail is sent to the Microsoft abuse team, a “response mail” is sent to the user. In the following screenshot, we can see the “confirmation mail” that was sent by the Microsoft support team.

 

General notes - outlook 2007 interface

When we install the Microsoft Junk E-mail Reporting Add-in for Outlook 2007, the “Report Junk” option is added to the top menu.

A.2. Outlook Junk option - block sender

Another option available to us from the “client side” is the Outlook junk component and its “Block Sender” option (add a sender to the Blocked Senders list).

This option is most suitable in a scenario where the SPAM mail is delivered from a specific sender email address. In reality, many times the “spammers” manage to send the SPAM mail using a different source email address each time, so the “Block Sender” option will not help us in such scenarios.

Add a sender to the Blocked Senders list

In case you want to block the sender who sends SPAM mail, you can use the Junk menu for blocking this sender.
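The Blocked Senders list that Outlook maintains lives in the mailbox, so an administrator can add an entry to it from the server side without touching the user’s Outlook. The following PowerShell is an added example, not the article’s own code: it assumes an open Exchange Online PowerShell session (`Connect-ExchangeOnline` from the ExchangeOnlineManagement module), and the mailbox, sender and `Add-BlockedSender` function name are constructed placeholders.

```powershell
# Added example (not from the original article): add a sender or domain to a
# user's Blocked Senders list from the server side. Assumes Connect-ExchangeOnline
# has already been run; mailbox and sender values are placeholders.

function Add-BlockedSender {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,  # e.g. alice@contoso.com
        [Parameter(Mandatory)] [string[]] $Sender    # full addresses or bare domains
    )

    # The list is per mailbox and has a size limit, so when the SPAM profile shows
    # several addresses from one domain, block the domain rather than each address.
    Set-MailboxJunkEmailConfiguration -Identity $Mailbox -BlockedSendersAndDomains @{ Add = $Sender }

    # Return the stored list so the caller can confirm the entry was saved
    (Get-MailboxJunkEmailConfiguration -Identity $Mailbox).BlockedSendersAndDomains
}

# Block one address for one user, then verify it appears in the returned list
Add-BlockedSender -Mailbox 'alice@contoso.com' -Sender 'promo@midorg.com'
```

Because this is the same per-mailbox list the Outlook option writes to, it has the same weakness the paragraph above describes: a spammer who rotates source addresses walks straight past it, which is when the server-side rules in section B become the better tool.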

Additional reading -Outlook Junk Email folder

A.3. Antivirus software

Using antivirus software is very important. Most antivirus programs include a dedicated mail security component, which is responsible for recognizing and blocking malware (viruses, SPAM and so on). In case a specific user complains about SPAM mail, please verify the following requirements:

A.4. Outlook add-in\plugins

In case we suspect that the SPAM issue is caused by an Outlook add-in/plug-in, we can disable the add-ins by running Outlook in safe mode.

A.5. Unsubscribe from a mailing list

In case the user reports “SPAM mail” and, when we check the mail item, we see that the sender is not considered a “spammer” (the mail is just a standard advertising email sent to a distribution list), most of the time the mail will include an option that enables the user to unsubscribe from the mailing list.
So, before we start using the “heavy artillery”, please check if an “unsubscribe” option exists.

A.6. Educate users About: How to Avoid SPAM

The “Educate users about how to avoid SPAM” part belongs to the “proactive” section, in which we try to avoid scenarios that could lead to SPAM mail.
By providing our users with instructions and guidance about operations they should avoid, we can prevent or significantly reduce the occurrence of “SPAM events” in advance.

You can read more information about this subject by using the following links:



B. Dealing with SPAM: Server side (Exchange online)

Exchange Online provides a rich set of tools and options for “dealing with SPAM”. In the next section, we review the different options and explain the “best use” for each of them.

Access EAC (Exchange Online Management)

To access the Exchange Online web management, log in to the Office 365 portal and in the Admin menu choose the option: Exchange

 

 

Note - Add EAC for P subscription

In case you have a P subscription, the web management interface doesn’t include access to the EAC (Exchange Admin Center). For information about how to add this interface, you can read the article: How to add an Exchange admin center (EAC) to office 365 P subscription portal

B.1 Exchange online protection - IP Block list

The “IP block list” option enables us to block email messages that come from a specific mail server (specific IP). In case we identify that the SPAM mail came from a specific “host” (mail server), we can add the IP address of this mail server to the block list. In my opinion, it’s good that we have this option, but in reality we will use it rarely because of two main disadvantages:

 

EOP - using the option of the IP Block list


Additional reading

 

How to map between domain name and IP address

To complete the task of “mapping between a domain name and an IP address”, we can use a free web service such as the one offered by mxtoolbox (http://mxtoolbox.com/).

For demonstration purposes, let’s review how to find the IP address of the mail server that represents the public domain name midorg.com (we use this domain name only for the demonstration).

In the result screen, we can see the names of the mail servers that “represent” the midorg.com domain name and their IP addresses.
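The same lookup, and the block-list change that follows it, can be done from PowerShell. The following is an added example (not the article’s own code): it resolves the MX hosts of a domain to their IP addresses with the Windows DnsClient module’s `Resolve-DnsName`, then adds an address to the EOP connection filter IP block list. midorg.com is the article’s demonstration domain; the block step assumes an open Exchange Online PowerShell session (`Connect-ExchangeOnline`), and the function names are constructed for the example.

```powershell
# Added example (not from the original article): map a domain to its mail server
# IP addresses, then (optionally) add one to the EOP connection filter block list.
# Resolve-DnsName comes from the Windows DnsClient module; Set-HostedConnectionFilterPolicy
# needs an Exchange Online PowerShell session (Connect-ExchangeOnline) already open.

function Get-MailServerAddresses {
    param([Parameter(Mandatory)] [string] $Domain)
    # MX records name the mail servers; A records give each server's address
    Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } |
        ForEach-Object {
            $mx = $_.NameExchange
            Resolve-DnsName -Name $mx -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object {
                    [pscustomobject]@{ Domain = $Domain; MailServer = $mx; IPAddress = $_.IPAddress }
                }
        }
}

function Add-EopIPBlock {
    param([Parameter(Mandatory)] [string[]] $IPAddress)
    # Connection filtering runs before content filtering: mail from a listed IP is
    # refused at the gateway, with no spam scoring and no quarantine. Keep the list
    # short and reviewed, because shared hosts and large senders rotate addresses
    # and a stale entry silently drops legitimate mail.
    Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{ Add = $IPAddress }

    # Return the current list so the change can be confirmed
    (Get-HostedConnectionFilterPolicy -Identity Default).IPBlockList
}

# Step 1: find out which hosts (and addresses) receive mail for the domain
$servers = Get-MailServerAddresses -Domain 'midorg.com'
$servers | Format-Table -AutoSize

# Step 2 (only after the message headers confirm this address really sourced the
# SPAM; the MX host of a domain is where its mail is received, not necessarily sent):
# Add-EopIPBlock -IPAddress $servers[0].IPAddress
```

Note the caveat in the last comment: the MX lookup tells you where a domain receives mail, while the address that matters for the block list is the one in the `Received:` headers of the SPAM item, which may be a completely different host. That gap is one reason the article recommends using the IP block list rarely.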

 

B.2 Exchange online protection - international SPAM

The “international SPAM” option is an interesting option that enables us to block or identify mail as SPAM based on a classification of geographical location or language.

Note - using the international SPAM option
We need to be cautious when using the international SPAM option, because we can very easily get into a false positive scenario, in which the defending system recognizes legitimate mail as “bad/SPAM” mail and blocks it.


EOP - Using the option of: international SPAM

When using international SPAM, we can use one (or both) of the following options:

Blocking mail written in a specific language

Blocking mail by geographical location

 

B.3 Exchange online protection - content filter Advanced options

Before we begin with the instructions for “how to use the EOP advanced options for SPAM mail”, let’s use an additional classification of SPAM mail types and the tools we can use.
Using a high-level classification, we can define 3 “families” of SPAM mail types:

1. Advertisement mail

The negative effect of such mail could be considered “annoying”. No real damage is caused to the users, besides the fact that the user is troubled by the content of the mail (suggestions to buy different types of pills, enlarge specific body parts and so on). This type of SPAM mail is automatically blocked (most of the time) by the Office 365 mail security gateways. In case some advertisement SPAM mail manages to “sneak” through, we can use a solution such as “rules” for blocking this type of SPAM mail.
2. Mail with malicious content

This type of SPAM mail is closer to the definition of a “virus”, because the target of the spammer is to cause the destination recipient to click or accept some suggestion that could expose the user to many kinds of attacks, such as fraud, phishing and so on.
3. “Other SPAM mail”

In this section, we classify the other SPAM mail types that don’t belong to the former families. As an example, we can mention the SPAM mail described as NDR backscatter.

Content Filter - Advanced options

The section described as “Advanced options” under the Content Filter section enables us to “harden” the default SPAM policy implemented by the Office 365 mail security gateways.
The “Advanced options” are more suitable for scenarios of SPAM mail with malicious content, or other types of SPAM such as NDR backscatter (numbers 2 and 3 in the attached diagram).

Regarding SPAM mail that is considered “advertisement mail” and includes specific keywords, we can use other methods such as “rules” (reviewed in the section Scenario 1 - Block SPAM Mail that includes a specific keywords).

 

Content Filter - Advanced options: choosing the suitable “action”

Using the “Content Filter - Advanced options” enables us to “harden” the default security policy of the Office 365 mail gateway servers, meaning that we can use a more restrictive policy. The disadvantage is that by doing so we can face the issue of false positives, a scenario in which legitimate mail is recognized as “bad/SPAM” mail and deleted.
To avoid this scenario, we can use an option described as “Test mode” (we can relate to this option as a “learning mode”). Test mode enables us to use the “additional security filter” and decide what will happen when a specific mail item is recognized as SPAM by the filter: we can choose to block/delete the mail item, or just report it (Test mode).

 

Using Content Filter - Advanced options
As you can see, there are many possible options that we can select. The options are divided into 2 categories: Increase Spam Score (number 5) and Mark as Spam (number 6).

To demonstrate the options available in the Content Filter - Advanced options, let’s describe two scenarios:

 

Scenario 1: Blocking SPAM Mail with malicious content

In the last month, users have been complaining about SPAM mail that contains malicious content. When the users open the mail item, they are automatically redirected to a web site, where they are invited to download some exe file. To block this SPAM mail item, we will activate three additional filters: mark as SPAM if the mail item is or contains:

Choosing the suitable “Action”

By default, the status of each security filter is “off”. When we click on the “option arrow”, we can see that we can choose the options “off”, “on” or “test”. In case we choose the “on” option, each mail item that contains content not allowed by one of the selected security filters (such as JavaScript or VBScript in HTML) will be marked as SPAM.

Using the Test option
In case we just want to test the “new security filter”, we can choose the “test” option. At the bottom of the advanced options window, we can configure the result of the “test”. In the following screenshot, we can see that we can choose one of the following three options:

 

Scenario 2: Blocking SPAM Mail classified as NDR backscatter

SPAM described as NDR backscatter is a special kind of SPAM, because the “mechanism” used by the spammer is different from “standard SPAM mail”. NDR backscatter is implemented in the following way:

The spammer forges an organization user’s email address and sends email on their behalf to other recipients. In case the “destination mail system” recognizes the mail as SPAM, or if the mail is sent to a non-existing user, the “destination mail system” creates an NDR message that is sent to the organization recipient (the user whose email address was used by the spammer).

For example: in the last week, organization users complain that they get error messages about mail that was supposedly sent by them to external recipients (the external recipient can be known or unknown to the organization user). The organization users are sure that they did not send any kind of mail message to these recipients, but they keep getting error messages such as “mailbox full”, “user doesn’t exist”, etc. So now the obvious question is: is it really happening? The answer is “Yes”. The user’s description fits a SPAM attack described as NDR backscatter.

Generally speaking, the Office 365 security gateway servers are configured to block this kind of SPAM mail, but in case the SPAM mail manages to “sneak” past the mail security servers, we can add this filter using the Content Filter - Advanced options.
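Both the international SPAM option (section B.2) and the Content Filter advanced options of this section (the JavaScript-in-HTML filter from Scenario 1 and the NDR backscatter filter from Scenario 2) are settings of the same EOP content filter policy, so one PowerShell example covers them. This is an added example, not the article’s own code: it assumes an open Exchange Online PowerShell session (`Connect-ExchangeOnline` from the ExchangeOnlineManagement module), “Default” is the built-in policy, and the language/region codes, the review mailbox and the `Enable-AdvancedSpamFilters` function name are constructed placeholders.

```powershell
# Added example (not from the original article): configure the default EOP
# content filter policy for "international SPAM" (B.2) and the advanced
# mark-as-spam filters (B.3), starting the latter in Test mode so that false
# positives are reported rather than blocked. Assumes Connect-ExchangeOnline
# has already been run; codes and mailbox below are placeholders.

$policy        = 'Default'
$reviewMailbox = 'spam-review@contoso.com'   # placeholder: receives test-mode copies

# B.2 international SPAM: block by language (ISO 639-1 codes) and by region
# (ISO 3166-1 codes). List only languages/regions the organisation never
# corresponds with; the values here are examples, not a recommendation.
Set-HostedContentFilterPolicy -Identity $policy `
    -EnableLanguageBlockList $true -LanguageBlockList 'ru','zh' `
    -EnableRegionBlockList   $true -RegionBlockList   'BR'

# B.3 advanced options in Test mode: mail the filters would catch is still
# delivered, but a copy is BCC'd to the review mailbox (the "learning mode").
# The NDR backscatter filter can also catch genuine bounces for mail a user
# really sent, which is exactly what the test period should surface.
Set-HostedContentFilterPolicy -Identity $policy `
    -MarkAsSpamJavaScriptInHtml Test `
    -MarkAsSpamNdrBackscatter   Test `
    -TestModeAction BccMessage -TestModeBccToRecipients $reviewMailbox

function Enable-AdvancedSpamFilters {
    # Call after reviewing the copies: switch both filters from Test to On and
    # stop the BCC action. Returns the effective settings for verification.
    param([string] $Identity = 'Default')

    Set-HostedContentFilterPolicy -Identity $Identity `
        -MarkAsSpamJavaScriptInHtml On `
        -MarkAsSpamNdrBackscatter   On `
        -TestModeAction None

    Get-HostedContentFilterPolicy -Identity $Identity |
        Select-Object MarkAsSpamJavaScriptInHtml, MarkAsSpamNdrBackscatter, TestModeAction,
                      EnableLanguageBlockList, LanguageBlockList,
                      EnableRegionBlockList, RegionBlockList
}

# Show the policy as it stands after the test-mode change
Get-HostedContentFilterPolicy -Identity $policy |
    Select-Object MarkAsSpamJavaScriptInHtml, MarkAsSpamNdrBackscatter, TestModeAction, TestModeBccToRecipients

# When the review mailbox shows no legitimate mail being flagged:
# Enable-AdvancedSpamFilters -Identity $policy
```

Each filter accepts the same three values the EAC shows (Off, On, Test), and `TestModeAction` is the “result of the test” setting at the bottom of the advanced options window: `None`, `AddXHeader` (stamp a header only) or `BccMessage` (copy to a review mailbox). Keeping the international block list and the advanced filters in one policy object is also why a change to one should be re-verified together with the others, as the final `Get-HostedContentFilterPolicy` does.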

Using Content Filter - Advanced options - NDR backscatter
Additional reading

B.4 Exchange online - mail flow - rules

Exchange Online includes a built-in component described as Rules (in former versions of Exchange this component was called “Transport rules”). We can use “Exchange rules” for many purposes. In this section, I would like to emphasize the use of “Exchange rules” for the issue of SPAM mail.

For demonstration purposes, let’s use 2 different SPAM mail scenarios:

Scenario 1 - Block SPAM Mail that includes a specific keywords

In case the SPAM mail includes a specific keyword in the mail body/subject, we can create an Exchange rule that will delete the SPAM mail items.

Step 1 - Creating new rule


Step 2 - Add a name to the rule

You can choose any name that is suitable for your needs. It’s recommended to choose a “descriptive name” that will enable us to identify the rule’s purpose by looking at the rule name. In our example, we will name the rule “inappropriate words”.


Step 3 - define the rule logic/condition (if)

In this part, we define “what is the event that will trigger or activate the rule”. In our scenario, we would like to block mail that includes specific keywords such as: buy cheap pills, or: enlarge your… (you know what)

 

Step 4 - define the required action

In this part, we configure the action that will be applied if a mail item “answers” the condition set in the previous step.

Step 5 - choose a mode for the rule

The last part of the rule is described as “choose a mode for the rule”. The default “mode” is “Enforce”. In our example, we don’t want to make changes in the production environment before testing the “rule” and checking the implications of using it. To fulfill this requirement, we will choose the option: Test without policy tips.
Choosing one of these options will “turn on” the rule.
In case a mail item answers the logic/condition that appears in the rule, the information is logged in the message tracking logs. Exchange doesn’t take any action that will impact the delivery of the message.



Scenario 2 - Block SPAM Mail from a specific domain

In the section that describes the IP Block list option (B.1 Exchange online protection - IP Block list), we mentioned that the main disadvantage is that most of the time a block rule based on an IP address is not very useful. The more effective option is to block SPAM mail that comes from a specific sender email address or specific domain names. The good news is that we can use the “rules” (mail flow – rules) option to overcome this limitation.

In the following demonstration, we will create a rule that blocks or rejects mail sent from a specific domain name.

Note - for demonstration purposes we will use the domain name midorg.com as the domain that we want to block. In reality, this is a legitimate domain.

Step 1 - Creating new rule

 

Step 2 - Add a name to the rule

You can choose any name that is suitable for your needs. It’s recommended to choose a “descriptive name” that will enable us to identify the rule’s purpose by looking at the rule name. In our example, we will name the rule: “Block mail sent from the midorg.com domain”

Step 3 - define the rule logic/condition (if)

In this part, we define “what is the event that will trigger or activate the rule”.
In our scenario, we would like to block mail that comes from the domain name midorg.com

  • In the section *Apply this rule if..., choose the option: The sender address includes
  • In the pop-up window that appears, under the “specify words or phrases” section, add the domain name: midorg.com (this is the domain name that we want to block in our example).
  • Don’t forget to click on the add icon, because without adding the value we will not be able to save the rule.
  • Click on the OK button

Now we can see that the value we added was saved, and the value (midorg.com) appears in the right part of the rule condition.

 

Step 4 - define the required action

In this part, we configure the action that will be applied if a mail item “answers” the condition set in the previous step.

Click on the small arrow in the *Do the following... section.
You can see that we can choose from several options. In our example, we will choose the option: Reject the message with the explanation.


Step 5 - choose a mode for the rule

The last part of the rule is described as “choose a mode for the rule”. The default “mode” is “Enforce”, meaning that this rule will be applied immediately after we save it. Additional options are: Test with policy tips or Test without policy tips. Choosing one of these options will turn on the rule.

In the test modes, in case a mail item answers the logic/condition that appears in the rule, the information is logged in the message tracking logs and Exchange doesn’t take any action that impacts the delivery of the message.

After we choose the save option, the rule is enforced and mail items sent from the midorg.com domain will be blocked.
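The two rules built through the EAC in Scenario 1 (keyword rule, test mode) and Scenario 2 (domain rule, enforced) can be created the same way with `New-TransportRule`. The following PowerShell is an added example, not the article’s own code: it assumes an open Exchange Online PowerShell session (`Connect-ExchangeOnline` from the ExchangeOnlineManagement module); midorg.com is the article’s demonstration domain, and the keyword list and the sender address used in the trace query are constructed examples.

```powershell
# Added example (not from the original article): the Scenario 1 and Scenario 2
# mail flow rules created from PowerShell. Assumes Connect-ExchangeOnline has
# already been run. Rule modes map to the EAC choices as follows:
#   Enforce          = "Enforce"
#   Audit            = "Test without policy tips" (log to message tracking only)
#   AuditAndNotify   = "Test with policy tips"

# Scenario 1: delete mail whose subject or body contains the keywords, starting
# in Audit mode so that production mail flow is not affected during the test
New-TransportRule -Name 'inappropriate words' `
    -SubjectOrBodyContainsWords 'buy cheap pills','enlarge your' `
    -DeleteMessage $true `
    -Mode Audit `
    -Comments 'SPAM keyword rule; audit first, switch to Enforce after reviewing the trace'

# Scenario 2: reject mail from the midorg.com domain with an explanation.
# -SenderDomainIs matches the sender's domain exactly. The EAC condition used
# above, "The sender address includes", is a substring match on the address, so
# the text "midorg.com" would also match e.g. user@notmidorg.com or a local part
# that contains it; the exact domain condition avoids that false positive.
New-TransportRule -Name 'Block mail sent from the midorg.com domain' `
    -SenderDomainIs 'midorg.com' `
    -RejectMessageReasonText 'Mail from this domain is not accepted by this organization' `
    -Mode Enforce

# Review all rules with their state and mode; an Audit rule is "on" but silent
Get-TransportRule | Select-Object Name, State, Mode, Priority

# Check what the rules did: the message trace shows mail from the blocked domain
# as Failed once the reject rule is enforced (trace covers up to 10 days back)
Get-MessageTrace -SenderAddress 'promo@midorg.com' `
    -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, RecipientAddress, Status

# After the audit period shows no legitimate mail hitting the keyword rule:
# Set-TransportRule -Identity 'inappropriate words' -Mode Enforce
```

The `Audit` mode is the scripted equivalent of the article’s advice in Step 5 of Scenario 1: the rule is turned on and its matches land in message tracking, but delivery is untouched until `Set-TransportRule` flips it to `Enforce`.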

 

Part 3: Sending sample of SPAM mail

This part relates to a scenario in which all of our efforts failed and we did not manage to stop the SPAM mail. In this case, the best practice is to contact the Office 365 support team and ask for their help. Assuming that we have implemented all of the steps described in this article, the only remaining option is to send the SPAM mail items to the Office 365 support team and ask them to forward these mail items for further analysis and examination.

Send the problematic/SPAM mail as an attachment

It is very important to send the SPAM mail “as attachment”, because when we use this option the “complete mail item” is sent, and the technical person who gets the SPAM mail can use the additional information contained in the mail header and so on.

How to use the option of: Forward as attachment

The mail item should be sent as an “attachment”. To send an email as an attachment, choose the mail item, and in the Home tab choose the More icon and the option: Forward as attachment

Option 2: Save mail item and send

In case you have a problem with the “send mail as attachment” option, you can save the email item and send the “files” (the mail items) to the support team.

  • Double-click on the required mail item
  • Choose the File menu and the Save As option
  • Save the mail item

 

Additional reading

Download PDF File

You can download a PDF version of the instructions



3 comments

  1. Yi Jia, August 5, 2013 at 9:19 AM

    Hi Johanes Djogan,

    I have not read the full article, just a few scrolls down the page. I will allocate time to read on the spam topic. But honestly your site helps me a lot. I thank you for providing this to those who might need this. Thanks again.

    Keep up the good work,

    Sincerely,
    Yijia

  2. Let's make this short and simple. The way to deal with spam in Office 365 is to use a service that can actually filter spam (like mxlogic). Office 365 spam filtering is absolutely horrible.

    We have been on Office 365 for over a year now. Prior to that we had our own server and used a Barracuda device to filter spam. I can't think of many solutions that would be worse than the Office 365 (Forefront) filtering.

    We are plagued with false-positives -- so much that we had to entirely turn off the quarantine. We regularly receive e-mail that is obvious, easy-to-block spam (for example, advertisements for "viagra" spelled as "v1a$ra").

    Just before writing this message, I got a spam message with faked headers reporting to have come from my company AND CARRYING AN EXECUTABLE PAYLOAD!

    Microsoft is doing fine with the e-mail part, but they are falling flat on their face on the anti-spam side. I have yet to experience a worse solution.

  3. While I agree that Office 365 leaves a lot to be desired, you can easily block executable payloads. That one was your fault.
