Written by Eyal Doron | o365info.com
INTERNAL SPAM IN OFFICE 365 – INTRODUCTION | PART 2#17
In the current article, we continue to review the term “internal \
outbound spam”, the misconceptions that relate to this term, the
risks that are involved in a scenario of internal \ outbound spam,
the outbound spam E-mail policy and more.
Spam mail and the default association
Most of the time, the first association of spam mail is: “unwanted
mail that bad people use for harassing our organization users”.
We usually think that “our organization users” are the victims of
spam\junk mail and that we are the “good guys” in this story.
However, did you consider the possibility of a scenario in which the
“bad guy” is us?
For example, a scenario in which the spam\junk mail is sent from our
organization, and we are the element that is disturbing and annoying
other users?
When we say that “our organization users can be trusted”, what is
really your level of familiarity with your organization users?
What about a scenario in which malware manages to compromise
some of your users’ desktops and manages to send out spam\junk mail in
their name?
What about a scenario in which malware manages to compromise the
security of your company’s public website and manages to send out
spam\junk mail that looks to an external recipient like mail that comes
from your company (your domain name)?
What about a scenario in which an organization user abuses the trust
you gave him and uses the organization mail infrastructure for sending
out spam\junk mail?
What about a scenario in which organization users from the marketing
department send out hundreds or thousands of emails that violate the
rules of commercial or marketing E-mail?
Are all these questions harming your self-confidence?
If the answer is “Yes”, I am satisfied, because this is the reality!
We don’t have the privilege to lean back in the chair with a satisfied
facial expression, because all the scenarios mentioned above
could and will happen!
Office 365 and Exchange as SaaS | Good or bad?
One of the most popular “claims” of Office 365 customers is that
because Office 365 and Exchange Online are SaaS (software as a service)
based services, we have less control of our mail infrastructure versus
an Exchange on-Premises mail infrastructure.
For this reason, in a scenario in which our organization E-mail is
identified by the external recipient as spam\junk mail, “Microsoft” will
need to solve the problem, because Office 365 “belongs” to Microsoft!
My claim is that the opposite is true!
1. Our full responsibility for internal \ outbound spam scenarios
A scenario in which mail that is sent from “our side” (our
organization) is identified by the external recipient as spam\junk
mail is not related in any way to Office 365 or Exchange Online!
Theoretically, the problem could be related in some way to the
Exchange Online infrastructure, but we should relate to Exchange
Online as a “neutral mail platform”. Exchange Online doesn’t “cause”
our mail to appear as spam but instead serves as a “router” that sends
out our organization E-mail to external recipients.
2. Office 365 and security infrastructure
The security mechanisms that are used for protecting the Office 365 and
Exchange Online environment are significantly improved versus the
security infrastructure of a “standard” organization mail
infrastructure.
I know this declaration will arouse opposition, but the simple truth is
that Office 365 and Exchange Online were designed to host
hundreds of thousands and even millions of users.
For this reason, the investment in information security systems,
monitoring and alert systems and so on is implemented on a
much larger scale compared to a normal organization’s
infrastructure.
Additionally, the Office 365 and Exchange Online environment
includes tools and improved abilities that will help us to avoid a
scenario of internal \ outbound spam.
Note – we will get more detailed information about the scenario of
troubleshooting internal \ outbound spam in Office 365 in the
articles:
My E-mail appears as spam – Troubleshooting path | Part 11#17
My E-mail appears as spam – Troubleshooting path | Part 12#17
Implementing and enforcing outbound spam E-mail policy
Q: In a scenario of internal \ outbound spam, is there any way to
control and manage the E-mail that “goes out” from our mail
infrastructure to the external recipients?
A: The answer is implementing a solution that could be described
as an outbound spam E-mail policy.
Q: What is the purpose of using an outbound e-mail policy?
A: The purpose of using an outbound e-mail policy is to use a
process which will scan and verify E-mail that is sent by our
organization users to external recipients.
For example: implementing a security scan for each outbound mail
and having the option to stop spam from leaving our network before it
causes our mail server IP address or our domain name to be listed
by blacklist providers and blocked by anti-spam systems.
Q: Is there a possibility to enforce an outbound e-mail spam policy in
Exchange Online?
A: Exchange Online implements a spam filter, which scans each of
the E-mail messages that are sent by Office 365 users.
At the current time, Exchange Online doesn’t include an option which
enables us to “stop” or delete internal mail that is identified as
spam\junk mail. The only option that we can use is a feature in which
Exchange Online will notify a contact person about such an event.
In case that Exchange Online “decides” that the E-mail message is
identified as spam\junk mail, Exchange Online will route the E-mail
message to a dedicated Exchange server pool named Exchange
Online High Risk Delivery Pool.
Note – You can read more information about the Exchange Online
High Risk Delivery Pool in the articles:
High Risk Delivery Pool and Exchange Online | Part 9#17
High Risk Delivery Pool and Exchange Online | Part 10#17
Internal \ outbound spam | The risks
In case you are not yet convinced that the issue of internal \ outbound
spam could be considered a major problem, I would like to
interest you in a number of aspects of the risks related to the above
phenomenon.
DoS – denial of service. The DoS is caused when our organization
appears as blacklisted.
The “outcome” is the inability to communicate important information or
provide important data, files and so on to our customers. Organization
users are “prevented” from using E-mail as a communication
channel with specific companies or specific customers. The scope of the
problem, meaning the “inability” to send out E-mail, could be related
only to a specific mail item, only to a specific mail user, or be
considered a systemic phenomenon which affects all of our organization
users.
Damage to the company’s reputation.
Exposure to lawsuits, because the company is considered responsible for
its employees, and it is up to companies to take action and keep
their networks clean.
Additional reading
Understanding outbound spam controls in Office 365
Internal \ outbound spam | The “Starting point”
In the current article series, we will review different aspects that
relate to internal \ outbound spam, such as how to avoid a scenario of
internal spam, how to troubleshoot a scenario of internal spam and so
on.
The only question that we didn’t answer is: how do we know that we
are dealing with a scenario of internal \ outbound spam?
What are the characteristics or the signs of such a scenario?
The technical answer is that someone or something should inform us
about the problem in which mail that is sent from our organization or
from our mail infrastructure is considered spam\junk mail.
In the following diagram, we can see an example of four possible
scenarios that will “help” us to understand that we have a problem in
which E-mail that is sent by or from our organization is considered
spam\junk mail.
External recipient informs us – a scenario in which an external recipient
informs our organization user that he got his E-mail message, but the
mail message was sent to the junk mail folder.
NDR message – the destination mail server sends an NDR message as a
“response” to the E-mail message that was sent by one of our
organization users.
Exchange Online and the option of outbound spam – in case that we
“activate” this option, in a scenario in which mail that was sent by an
Office 365 organization user was identified as potential spam\junk mail by
Exchange Online, a notification message will be sent to the contact
person.
You can read more information about the subject of the Exchange Online
outbound spam feature in the article: My E-mail appears as spam |
Troubleshooting – Domain name and E-mail content | Part 12#17
In case that we use a service which monitors well-known blacklist
providers and our organization appears as blacklisted, an E-mail
notification message will be sent to the contact person that was
set. You can read more information about the subject of monitoring your
blacklist status in the article: My E-mail appears as spam |
Troubleshooting – Domain name and E-mail content | Part 12#17
It’s important that we pay attention to the common denominator
of all the above scenarios:
In a scenario of internal \ outbound spam, most of the time, we become
aware of the problem only after the fact. In simple words, the
notification that we get about the issue in which mail that was sent from
our organization is identified as spam\junk mail “happens” only after
the mail was sent to the destination external recipient.
Even when we get a notification about the fact that mail from our
organization is considered spam\junk mail, or that our domain appears as
blacklisted, this “information” doesn’t tell us anything about the
“reasons” that led to a scenario in which our mail is identified as
spam\junk mail. We can “understand” that we have a problem, but the
element that “informs” us doesn’t include any explanation or details
about the causes that led to the scenario in which our mail is considered
spam\junk mail.
The conclusion
It’s very important to implement a mechanism that will help us to
identify a scenario of outbound spam, but there is no option to
“fetch” information from the notification.
The only way to deal with a scenario of internal \ outbound spam is:
To have a good knowledge of the possible reasons that can lead to
the scenario in which our mail is identified as spam\junk mail.
To have a good knowledge of the operations and the
troubleshooting steps which we can implement for finding the exact
cause.
A monitoring infrastructure that will help us to identify quickly and
efficiently a scenario of internal \ outbound spam.
To educate our organization users and instruct them how to avoid a
scenario in which they send out E-mail that can be identified as spam.
In the event of internal \ outbound spam, the main questions that we
will need to answer are:
1. Is the mail that was sent by the organization recipients indeed
spam mail?
2. Does the classification of spam\junk mail relate to the specific
organization user, a specific E-mail message or our domain name?
3. What are the steps that we need to implement for finding the exact
cause?
4. What mechanisms should be implemented so we will be able to identify
as quickly as possible a scenario in which our organization E-mail is
identified as spam\junk mail?
5. What mechanisms should be implemented to prevent or avoid a
future scenario in which our organization E-mail is identified as
spam\junk mail?
Who is this “element” that identifies my organization mail as spam\junk mail?
There could be two major scenarios in which mail that was sent
from your organization could be classified as spam\junk mail.
1. Server-side: destination mail server and blacklist provider
By default, mail servers are not designed to implement a security
check for incoming mail. Instead, most of the time, the mail server will
use the help of an “external component” that will implement the
required security check for it.
For example, when our E-mail message is accepted by the
destination mail server, the mail server will connect to some kind of
“blacklist provider” to check if our domain name or our mail
server IP address is blacklisted.
In case that the “answer” from the blacklist provider says that the
organization is considered blacklisted, the mail server will need to
decide about the next step, such as blocking the E-mail message, sending
an NDR, etc.
2. Client-side
The scenario in which mail that was sent from your organization is
sent to the junk mail folder of the “destination recipient” doesn’t
necessarily mean that the E-mail message was “stamped” by the
“destination mail server” as a spam message.
There could be a couple of “client-side elements” which could
identify the E-mail message as spam\junk mail.
For example:
The “destination recipient” can create an inbox rule that “classifies” a
specific sender (specific E-mail address) as spam.
The “destination recipient” mail client could include a built-in spam filter
that can “decide” to classify specific email messages as spam.
The “destination recipient” user desktop can include an antivirus or
other mail security application that has its own “mail security system”.
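The server-side blacklist check described above, and the blacklist monitoring mentioned earlier in the article, both come down to the same DNS lookup against the blacklist provider's zone. The following Python sketch is an added example, not part of the original article: the zone names, the sample addresses and the fake resolver are constructed for illustration, and it covers IP-based lists only.

```python
import ipaddress
import socket

# Hypothetical zone names, constructed for this example. Replace them with
# the blacklist providers you actually monitor.
EXAMPLE_ZONES = ["dnsbl.example.net", "bl.example.org"]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name that is looked up to test `ip` against `zone`.

    IPv4: octets reversed, e.g. 192.0.2.25 -> 25.2.0.192.<zone>
    IPv6: the 32 hex nibbles reversed and dot separated (RFC 5782).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """Return the A records for `name`, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_listing(ip, zones, resolve=system_resolver):
    """Return {zone: [return codes]} for every zone that lists `ip`.

    An answer inside 127.0.0.0/8 means "listed"; no answer means "not
    listed". Answers outside that range are not listing codes (they usually
    come from a parked zone or a rewriting resolver) and are ignored.
    """
    listed = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            listed[zone] = codes
    return listed


# Constructed sample data so the example runs offline: a fake resolver in
# which 192.0.2.25 is listed in the first zone only, and 192.0.2.26 gets a
# bogus non-127/8 answer that must not count as a listing.
FAKE_DNS = {
    "25.2.0.192.dnsbl.example.net": ["127.0.0.2"],
    "26.2.0.192.bl.example.org": ["203.0.113.9"],
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26"):
        print(ip, check_listing(ip, EXAMPLE_ZONES, resolve=fake_resolver))
```

Calling check_listing without the resolve argument uses the system resolver, so a scheduled run against your own outbound mail server IP gives the "after the fact" notification a head start.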
Internal \ outbound spam in Office 365 environment | Article series index
A quick reference for the article series
My E-mail appears as a spam | Article series index | Part 0#17: The article index of the complete article series.
Introduction to the concept of internal \ outbound spam in general and in Office 365 and Exchange Online environment
My E-mail appears as a spam – Introduction | Office 365 | Part 1#17: The psychological profile of the phenomenon: “My E-mail appears as a spam!”, possible factors for causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.
Internal spam in Office 365 – Introduction | Part 2#17: Review in general the term “internal \ outbound spam”, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.
Internal spam in Office 365 – Introduction | Part 3#17: What are the possible reasons that could cause our mail to appear as spam\junk mail, who or what are the “elements” that can decide that our mail is spam mail, what are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?
Commercial E-mail – Using the right tools | Office 365 | Part 4#17: What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365\ Exchange Online is unsuitable for the purpose of commercial E-mail?
Introduction to the major causes for a scenario in which your organization E-mail appears as spam
My E-mail appears as spam | The 7 major reasons | Part 5#17: Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail
My E-mail appears as spam | The 7 major reasons | Part 6#17: Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. “Problematic” Website
Introduction to the subject of the SPF record in general and in Office 365 environment
What is SPF record good for? | Part 7#17: The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf.
Implementing SPF record | Part 8#17: The “technical side” of the SPF record: the structure of the SPF record, the way that we create an SPF record, what is the required syntax for the SPF record in an Office 365 environment + mixed mail environment, how to verify the existence of the SPF record and so on.
Introduction to the subject of Exchange Online - High Risk Delivery Pool
High Risk Delivery Pool and Exchange Online | Part 9#17: How Office 365 (Exchange Online) is handling a scenario of internal \ outbound spam by using the help of the Exchange Online - High Risk Delivery Pool.
High Risk Delivery Pool and Exchange Online | Part 10#17: The second article about the subject of Exchange Online - High Risk Delivery Pool.
The troubleshooting path of internal \ outbound spam scenario
My E-mail appears as spam – Troubleshooting path | Part 11#17: Troubleshooting a scenario of internal \ outbound spam in Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the “other side”.
My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17: Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering blacklist monitoring services, activating the option of Exchange Online outbound spam.
My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17: What is the meaning of: “our mail server”?, Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted!, How do we know that my mail server is blacklisted?
My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17: The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that saved to the junk mail
My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17: Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a
De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17: Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.
Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam
Dealing and avoiding internal spam | Best practices | Part 17#17: Provide a short checklist for all the steps and the operations that relate to a scenario of internal \ outbound spam.