Internal spam in Office 365 - Introduction | Part 2#17


http://o365info.com/internal-spam-in-office-365-introduction-part-2-17

A general review of the term “internal \ outbound spam”, the misconceptions that relate to this term, the risks that are involved in this scenario, the outbound spam E-mail policy and more. The information is relevant for Office 365 and Exchange Online users, but at the same time, most of the information is relevant to all other mail systems.

Eyal Doron | o365info.com


Written by Eyal Doron | o365info.com

INTERNAL SPAM IN OFFICE 365 – INTRODUCTION | PART 2#17

In the current article, we continue to review the term “internal \ outbound spam”, the misconceptions that relate to this term, the risks that are involved in a scenario of internal \ outbound spam, the outbound spam E-mail policy and more.

Spam mail and the default association

Most of the time, the first association with spam mail is: “unwanted mail that bad people use for harassing our organization users”.

We usually think that “our organization users” are the victims of spam\junk mail and that we are the “good guys” in this story.

However, did you consider the possibility of a scenario in which the “bad guy” is us?

For example, a scenario in which the spam\junk mail is sent from our organization, and we are the element that is disturbing and annoying other users?

When we say that “our organization users can be trusted”, what is really your level of familiarity with your organization users?

What about a scenario in which malware manages to compromise some of your users’ desktops and manages to send out spam\junk mail in their name?

What about a scenario in which malware manages to compromise the security of your company’s public website and manages to send out spam\junk mail that looks, to an external recipient, like mail that comes from your company (your domain name)?

What about a scenario in which an organization’s user abuses the trust you gave him and uses the organization mail infrastructure for sending out spam\junk mail?

What about a scenario in which organization users from the marketing department send out hundreds or thousands of emails that violate the rules of commercial or marketing E-mail?

Are all these questions harming your self-confidence?

If the answer is “Yes”, I am satisfied, because this is the reality!

We don’t have the privilege of leaning back in the chair with a satisfied facial expression, because all the scenarios that are mentioned above could and will happen!

Office 365 and Exchange as SaaS | Good or bad?

One of the most popular “claims” of Office 365 customers is that because Office 365 and Exchange Online are SaaS (software as a service) based services, we have less control of our mail infrastructure versus an Exchange on-Premises mail infrastructure.

For this reason, in a scenario in which our organization E-mail is identified by the external recipient as spam\junk mail, “Microsoft” will need to solve the problem, because Office 365 “belongs” to Microsoft!

My claim is that the opposite is true!

1. Our full responsibility for internal \ outbound spam scenarios

A scenario in which mail that is sent from “our side” (our organization) is identified by the external recipient as spam\junk mail is not related in any way to Office 365 or Exchange Online!

Theoretically, the problem could be related in some way to the Exchange Online infrastructure, but we should relate to Exchange Online as a “neutral mail platform”. Exchange Online doesn’t “cause” our mail to appear as spam; instead, it serves as a “router” that sends out our organization E-mail to external recipients.

2. Office 365 and security infrastructure

The security mechanisms that are used for protecting the Office 365 and Exchange Online environment are significantly improved versus the security infrastructure of a “standard” organization mail infrastructure.

I know this declaration will arouse opposition, but the simple truth is that Office 365 and Exchange Online were designed to host hundreds of thousands and even millions of users.

For this reason, the investment in information security systems, monitoring and alert systems and so on is implemented on a much larger scale compared to a normal organization’s infrastructure.

Additionally, the Office 365 and Exchange Online environment includes tools and improved abilities that will help us to avoid a scenario of internal \ outbound spam.

Note – we will get more detailed information about troubleshooting a scenario of internal \ outbound spam in Office 365 in the articles:

My E-mail appears as spam – Troubleshooting path | Part 11#17

My E-mail appears as spam – Troubleshooting path | Part 12#17

Implementing and enforcing outbound spam E-mail policy

Q: In a scenario of internal \ outbound spam, is there any way to control and manage the E-mail that “goes out” from our mail infrastructure to the external recipients?

A: The answer is implementing a solution that could be described as an outbound spam E-mail policy.

Q: What is the purpose of using an outbound e-mail policy?

A: The purpose of using an outbound e-mail policy is to use a process which will scan and verify E-mail that is sent by our organization users to external recipients.

For example: implementing a security scan for each outbound mail, plus having the option to stop spam from leaving our network before it causes our mail server IP address or our domain name to be listed by blacklist providers and blocked by anti-spam systems.

Q: Is there a possibility to enforce an outbound e-mail spam policy in Exchange Online?

A: Exchange Online implements a spam filter, which scans each of the E-mail messages that are sent by Office 365 users.

At the current time, Exchange Online doesn’t include an option which enables us to “stop” or delete internal mail that is identified as spam\junk mail. The only option that we can use is a feature in which Exchange Online will notify a contact person about such an event.

In case Exchange Online “decides” that the E-mail message is identified as spam\junk mail, Exchange Online will route the E-mail message to a dedicated Exchange server pool named: Exchange Online High Risk Delivery Pool.

Note – You can read more information about the Exchange Online High Risk Delivery Pool in the articles:

High Risk Delivery Pool and Exchange Online | Part 9#17

High Risk Delivery Pool and Exchange Online | Part 10#17

Internal \ outbound spam | The risks

In case you are not convinced that the issue of internal \ outbound spam could be considered a major problem, I would like to interest you in a number of aspects of the risks related to the above phenomenon.

DOS – denial of service. The DOS is caused when our organization appears as blacklisted. The “outcome” is the inability to communicate important information or provide important data, files and so on to our customers. Organization users are “prevented” from using E-mail as a communication channel with specific companies or specific customers. The scope of the problem, meaning the “inability” to send out E-mail, could be related only to a specific mail item, only to a specific mail user, or be considered a systemic phenomenon which affects all of our organization users.

Damage to the company’s reputation

Exposure to lawsuits, because the company is considered responsible for its employees, and it is up to companies to take action and keep their networks clean.

Additional reading

Understanding outbound spam controls in Office 365

Internal \ outbound spam | The “Starting point”

In the current article series, we will review different aspects that relate to internal \ outbound spam, such as how to avoid a scenario of internal spam, how to troubleshoot a scenario of internal spam and so on.

The only question that we didn’t answer is: how do we know that we are dealing with a scenario of internal \ outbound spam?

What are the characteristics or the signs of such a scenario?

The technical answer is that someone or something should inform us about the problem in which mail that is sent from our organization or from our mail infrastructure is considered spam\junk mail.

In the following diagram, we can see an example of four possible scenarios that will “help” us to understand that we have a problem in which E-mail that is sent by or from our organization is considered spam\junk mail.

External recipient informs us – a scenario in which an external recipient informs our organization user that he got his E-mail message, but the mail message was sent to the junk mail folder.

NDR message – the destination mail server sends an NDR message as a “response” to the E-mail message that was sent by one of our organization users.

Exchange Online and the option of outbound spam – in case we “activate” this option, in a scenario in which mail that was sent by the Office 365 organization user was identified as potential spam\junk mail by Exchange Online, a notification message will be sent to the contact person. You can read more information about the subject of the Exchange Online outbound spam feature in the article: My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17

In case we use a service which monitors well-known blacklist providers, and our organization appears as blacklisted, an E-mail notification message will be sent to the contact person that was set. You can read more information about the subject of monitoring your blacklist status in the article: My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17

It’s important that we pay attention to the common denominator of all the above scenarios:

In a scenario of internal \ outbound spam, most of the time, we become aware of the problem only after the fact. In simple words, the notification that we get about the issue in which mail that was sent from our organization is identified as spam\junk mail “happens” only after the mail was sent to the destination external recipient.

Even when we get a notification about the fact that mail from our organization is considered spam\junk mail, or that our domain appears as blacklisted, this “information” doesn’t tell us anything about the “reasons” that lead to a scenario in which our mail is identified as spam\junk mail. We can “understand” that we have a problem, but the element that “informs” us doesn’t include any explanation or details about the causes that lead to the scenario in which our mail is considered spam\junk mail.


The conclusion

It’s very important to implement a mechanism that will help us to identify a scenario of outbound spam, but there is no option to “fetch” information from the notification.

The only way to deal with a scenario of internal \ outbound spam is:

To have a good knowledge of the possible reasons that can lead to the scenario in which our mail is identified as spam\junk mail.

To have a good knowledge of the operations and the troubleshooting steps which we can implement for finding the exact cause.

To have a monitoring infrastructure that will help us to identify quickly and efficiently a scenario of internal \ outbound spam.

To educate our organization users and instruct them how to avoid a scenario in which they send out E-mail that can be identified as spam.

In the event of internal \ outbound spam, the main questions that we will need to answer are:

1. Is the mail that was sent by the organization recipients indeed spam mail?

2. Does the classification as spam\junk mail relate to a specific organization user, a specific E-mail message or our domain name?

3. What are the steps that we need to implement for finding the exact cause?

4. What mechanisms should be implemented so that we will be able to identify, as quickly as possible, a scenario in which our organization E-mail is identified as spam\junk mail?

5. What mechanisms should be implemented to prevent or avoid a future scenario in which our organization E-mail is identified as spam\junk mail?

Who is this “element” that identifies my organization mail as spam\junk mail?

There could be two major scenarios in which mail that was sent from your organization could be classified as spam\junk mail.

1. Server-side: destination mail server and blacklist provider

By default, mail servers are not designed to implement a security check for incoming mail. Instead, most of the time, the mail server will use the help of an “external component” that will implement the required security check for it.

For example – when our E-mail message is accepted by the destination mail server, the mail server will connect to some kind of “blacklist provider” to check whether our domain name or our mail server IP address is blacklisted.

In case the “answer” from the blacklist provider says that the organization is considered blacklisted, the mail server will need to decide about the next step, such as blocking the E-mail message, sending an NDR, etc.

2. Client-side

A scenario in which mail that was sent from your organization is sent to the junk mail folder of the “destination recipient” doesn’t necessarily mean that the E-mail message was “stamped” by the “destination mail server” as a spam message.

There could be a couple of “client-side elements” which could identify the E-mail message as spam\junk mail.

For example:

The “destination recipient” can create an inbox rule that “classifies” a specific sender (specific E-mail address) as spam.

The “destination recipient” mail client could include a built-in spam filter that can “decide” to classify specific email messages as spam.

The “destination recipient” user desktop can include an antivirus or other mail security application that has its own “mail security system”.
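The server-side check described above (a destination mail server asking a “blacklist provider” about our IP address or domain name) and the blacklist monitoring service mentioned earlier both rest on the same DNS lookup. The following Python code is an added example, not part of the original article: it builds the query names as described in RFC 5782 and reports which of our own outbound addresses and domains are listed. The zone names ip-list.example and domain-list.example, the sample addresses and the constructed answers are placeholders, not real blacklist providers.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782: listing answers live here


def ip_query_name(ip, zone):
    """Name to look up for an IP-based list: reversed address + list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.10 -> 10.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: one label per nibble
    return ".".join(labels) + "." + zone.strip(".")


def domain_query_name(domain, zone):
    """Name to look up for a domain-based list: the domain itself + list zone."""
    return domain.strip(".").lower() + "." + zone.strip(".")


def system_resolver(name):
    """A records for name via the OS resolver; [] if the name does not resolve.
    socket cannot tell NXDOMAIN from a lookup failure, so both return []."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_listing(name, resolver):
    """Listed only if an answer falls in 127.0.0.0/8; any other answer is ignored."""
    codes = [a for a in resolver(name) if ipaddress.ip_address(a) in LISTED_RANGE]
    return {"query": name, "listed": bool(codes), "codes": codes}


def audit(ips, domains, ip_zones, domain_zones, resolver=system_resolver):
    """Return one finding per (address or domain, zone) pair that is listed."""
    names = [ip_query_name(ip, z) for z in ip_zones for ip in ips]
    names += [domain_query_name(d, z) for z in domain_zones for d in domains]
    return [r for r in (check_listing(n, resolver) for n in names) if r["listed"]]


# Constructed answers standing in for a blacklist provider's DNS zone (not real data).
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.ip-list.example": ["127.0.0.2"],       # first outbound IP is listed
    "11.2.0.192.ip-list.example": ["203.0.113.7"],     # non-127 answer: not a listing
    "example.org.domain-list.example": ["127.0.0.4"],  # our domain is listed
}


def constructed_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])  # a missing name behaves like NXDOMAIN


if __name__ == "__main__":
    for finding in audit(["192.0.2.10", "192.0.2.11"], ["example.org"],
                         ["ip-list.example"], ["domain-list.example"],
                         resolver=constructed_resolver):
        print("LISTED", finding["query"], finding["codes"])
```

To query a real provider, pass its zone name and leave out the resolver argument; each provider documents what its own 127.0.0.x return codes mean.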

Internal \ outbound spam in Office 365 environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series.

Introduction to the concept of internal \ outbound spam in general and in Office 365 and Exchange Online environment

My E-mail appears as a spam – Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon: “My E-mail appears as a spam!”, possible factors for causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.

Internal spam in Office 365 – Introduction | Part 2#17
A general review of the term “internal \ outbound spam”, the misconceptions that relate to this term, the risks that are involved in this scenario, the outbound spam E-mail policy and more.

Internal spam in Office 365 – Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail? Who or what are the “elements” that can decide that our mail is spam mail? What are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Commercial E-mail – Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365 \ Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction of the major causes for a scenario in which your organization E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail

My E-mail appears as spam | The 7 major reasons | Part 6#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. “Problematic” Website

Introduction of the subject of SPF record in general and in Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf?

Implementing SPF record | Part 8#17
The “technical side” of the SPF record: the structure of the SPF record, the way that we create an SPF record, what is the required syntax for the SPF record in an Office 365 environment and a mixed mail environment, how to verify the existence of the SPF record and so on.

Introduction of the subject of Exchange Online - High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) is handling a scenario of internal \ outbound spam by using the help of the Exchange Online - High Risk Delivery Pool.

High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of Exchange Online - High Risk Delivery Pool.

The troubleshooting path of internal \ outbound spam scenario

My E-mail appears as spam – Troubleshooting path | Part 11#17
Troubleshooting a scenario of internal \ outbound spam in Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the “other side”.

My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering with blacklist monitoring services, activating the option of Exchange Online outbound spam.

My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17
What is the meaning of “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that saved to the junk mail

My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17
Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a

De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing and avoiding internal spam | Best practices | Part 17#17
Provides a short checklist of all the steps and the operations that relate to a scenario of internal \ outbound spam.