Dealing with SPAM Mail in Office 365 | Server side (Exchange Online) | Part 2/2

Exchange Online provides a rich set of tools and options for dealing with SPAM. In the next sections, we review the different options and explain the best use for each of them.

Dealing with SPAM Mail in Office 365 | Article Series

The Dealing with SPAM Mail in Office 365 article series includes the following articles:

  1. Dealing with SPAM Mail in Office 365 | Part 1/2
  2. Dealing with SPAM Mail in Office 365 | Server side (Exchange Online) | Part 2/2 (this article)

Access EAC (Exchange Online Management)

To access Exchange Online web management, log in to the Office 365 portal and, in the Admin menu, choose the option: Exchange

Access Exchange Online web management

1. Exchange Online protection – IP Block list

The “IP block list” option enables us to block email messages that come from a specific mail server (a specific IP address). If we identify that the SPAM mail came from a specific host (mail server), we can add the IP address of this mail server to the block list. In my opinion, it’s good that we have this option but, in reality, we will rarely use it because of two main disadvantages:

  • Dynamic\Static IP – most “SPAM servers” don’t use a static IP. Instead, their “specialty” is to use many different IP addresses and many different mail servers in many locations.
  • Translating the domain name to an IP address – when we identify SPAM mail, the most prominent characteristics are the sender email address (which includes the sender domain) and the mail content (keywords, etc.).
    The “IP block list” option, as the name implies, recognizes mail servers by their IP address and not by their SMTP domain name. If we want to block SPAM mail that comes from a particular domain, we need a method for finding the IP address of the mail servers that represent or send E-mail for the “SPAM domain.” We explain how to get this information in the section below.

EOP – using the option of the IP Block list

  1. Log in to the Office 365 portal, Exchange admin center.
  2. On the left-side menu bar, choose the protection menu (number 1).
  3. On the top menu options, choose the connection filter menu (number 2).
  4. Choose the Default connection filter policy (number 3).
  5. In the window that appears, choose the option: connection filtering (number 4) menu.
  6. In the section IP block list (number 5), choose the plus icon to add the IP address of the mail server that sends the SPAM.
Exchange Online protection - connection filter - IP block list 01

How to map between domain name and IP address

To map a domain name to an IP address, we can use a free web service such as the one offered by MXToolbox.

For demonstration purposes, let’s review how to find the IP address of the mail servers that represent the public domain name midorg.com (we use this domain name only for the demonstration).

  • Go to the MXToolbox website. The default page is: MX lookup
  • Type the domain name; in our example: midorg.com
  • Click on the MX lookup button
map between domain name and IP address MXTOOLBOX 01

In the result screen, we can see the names of the mail servers that “represent” the midorg.com domain name and their IP addresses.

map between domain name and IP address MXTOOLBOX 02
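
The same lookup and block-list change can be scripted. The following PowerShell is an added example, not part of the original article: it resolves the MX hosts of the article's demonstration domain to IPv4 addresses and previews adding them to the Default connection filter policy. The function name Get-MxHostAddress and the admin account are assumptions made for illustration.

```powershell
# Added example (not from the original article). Resolve-DnsName ships with the
# Windows DnsClient module; Connect-ExchangeOnline comes from the
# ExchangeOnlineManagement module. The admin UPN below is a placeholder.

function Get-MxHostAddress {
    param([Parameter(Mandatory)][string]$Domain)

    # MX records name the hosts that accept mail for the domain.
    $mxRecords = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.NameExchange } |      # skip SOA/authority records
        Sort-Object Preference

    foreach ($mx in $mxRecords) {
        # Each MX host name resolves to one or more IPv4 addresses (A records).
        Resolve-DnsName -Name $mx.NameExchange -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } |     # skip CNAME records in the answer
            ForEach-Object {
                [pscustomobject]@{
                    Domain     = $Domain
                    Preference = $mx.Preference
                    MxHost     = $mx.NameExchange
                    IPAddress  = $_.IPAddress
                }
            }
    }
}

# midorg.com is the article's demonstration domain.
$candidates = Get-MxHostAddress -Domain 'midorg.com'
$candidates | Format-Table -AutoSize

# MX hosts are where a domain receives mail; the server that sent a given
# message can be a different host. Compare this list with the connecting IP in
# the Received headers of the SPAM sample before blocking anything.
$toBlock = @($candidates.IPAddress | Sort-Object -Unique)
if ($toBlock.Count -eq 0) { throw "No IPv4 address found for the MX hosts." }

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Preview first: -WhatIf reports the change without applying it.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPBlockList @{ Add = $toBlock } -WhatIf

# To apply, run the same command without -WhatIf, then confirm the result:
# Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{ Add = $toBlock }
(Get-HostedConnectionFilterPolicy -Identity Default).IPBlockList
```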

2. Exchange Online protection – international SPAM

The “international SPAM” option is an interesting option that enables us to block or identify mail as “SPAM” based on geographical location or language.

  • Blocking mail by geographical location – for example, there are well-known ISPs or specific countries that enable some spammers to use their services without enforcing any kind of restriction. In that case, we can decide to block mail that comes from particular regions\countries in the world.
  • Blocking mail written in a particular language – some SPAM methods are based on manipulating or hiding mail content by using special characters. An additional case is SPAM mail that is written in a specific language that has no relevance to, or cannot be read by, the organization’s users. In that case, we can decide to block mail that includes characters of a language that we don’t know. For example, block mail items that contain non-standard English characters.

Note: We need to be cautious when using the international SPAM option because we can very easily get into a false positive scenario, in which the defending systems recognize legitimate mail as “Bad/SPAM” mail and block it.

EOP – Using the option of international SPAM

  1. Log in to the Office 365 portal, Exchange admin center.
  2. On the left-side menu, choose the protection menu (number 1).
  3. On the top menu options, choose the content filter menu (number 2).
  4. Choose the Default connection filter policy (number 3).
  5. In the window that appears, choose the option: international spam (number 4) menu.
Exchange Online protection - Content Filter - international SPAM 01

When using international SPAM, we can use one (or both) of the following options:

Blocking mail written in the specific language

  • Choose the option of: Filter email messages written in the following languages (number 5)
  • Click on the Plus icon and choose the specific languages that you want to block
Exchange Online protection - Content Filter - international SPAM Blocking mail written in the specific language -02

Blocking mail by Geographical location

  • Choose the option: Filter email messages sent from the following countries or regions (number 6)
  • Click on the Plus icon and choose the specific regions that you want to block
Exchange Online protection - Content Filter - international SPAM Blocking mail written in the specificregions -03

3. Exchange Online protection – content filter Advanced options

Before we begin with the instructions for using the EOP advanced options for SPAM mail, let’s add a classification of SPAM mail types and the tools we can use.
Using a high-level classification, we can define three “families” of SPAM mail types:

1. Advertisement mail

The negative effect of such mail can be considered “annoying.” No real damage is caused to the users besides the fact that the user is troubled by the content of the E-mail (suggestions to buy different types of pills, enlarge specific body parts and so on). This kind of SPAM mail is automatically blocked (most of the time) by the Office 365 security mail gateways. If some advertisement SPAM mail manages to “sneak” through, we can use a solution such as “rules” to block this type of SPAM mail.

2. Mail with malicious content

This type of SPAM mail is closer to the definition of a “virus” because the target of the spammer is to cause the destination recipient to click or accept some suggestion that could lead the user to many kinds of attacks such as fraud, phishing and so on.

3. “Other SPAM mail”

In this section, we classify the other SPAM mail types that don’t belong to the previous families. As an example, we can mention SPAM mail that is described as NDR backscatter.

Content Filter – Advanced options

The “Advanced options” section under the Content Filter section enables us to “harden” the default SPAM policy that is implemented by the Office 365 security mail gateways.

The “Advanced options” are more suitable for scenarios that involve SPAM mail with malicious content or other types of SPAM such as NDR backscatter (they appear as numbers 2 and 3 in the attached diagram).

Regarding SPAM mail that is considered “Advertising mail” and includes specific keywords, we can use other methods such as “rules” (reviewed in the next section).

SPAM Mail and Exchange Online options

Content Filter – Advanced options: choosing the suitable “action”

Using the “Content Filter – Advanced options” enables us to “harden” the default security policy of the Office 365 mail gateway servers.

This means that we can use a more restrictive policy. The disadvantage is that by doing so, we can face the issue of false positives: a scenario in which legitimate mail is recognized as “Bad\SPAM” mail and is deleted.

To avoid this scenario, we can use an option described as “Test mode” (we can think of this option as a “learning mode”). Test mode enables us to use the “additional security filter” and decide what will happen when a particular mail item is recognized as SPAM by the security filter. We can choose to block/delete the mail item or just report on the mail item (Test mode).

Content Filter - Advanced options logic

Using Content Filter – Advanced options

  1. Log in to the Office 365 portal, Exchange admin center.
  2. On the left-side menu, choose the protection menu (number 1).
  3. On the top menu options, choose the content filter menu (number 2).
  4. Choose the Default connection filter policy (number 3).
  5. In the window that appears, choose the option: advanced options (number 4) menu.

As you can see, there are many options that we can select. The options are divided into two categories: Increase Spam Score (number 5) and Mark as Spam (number 6).

Content Filter - Advanced options -01

To demonstrate the options available in the Content Filter – Advanced options, let’s describe two scenarios:

  • Scenario 1: Blocking SPAM Mail with malicious content
  • Scenario 2: Blocking SPAM Mail classified as NDR backscatter

Scenario 1: Blocking SPAM Mail with malicious content

In the last month, users have been complaining about SPAM mail that contains malicious content. When the users open the mail item, they are automatically redirected to a website, where they are invited to download an EXE file. To block this SPAM mail item, we will activate three additional filters – Mark as SPAM if the mail item is or contains:

  • Empty messages
  • JavaScript or VBScript in HTML
  • Frame or IFrame tags in HTML
Content Filter - Advanced options -02

Choosing the suitable “Action.”

By default, each of the security filters is off.
When we click on the “option arrow,” we can see that we can choose between the options “off,” “on” or “test.” If we choose “on,” each mail item with content that is not allowed by one of the selected security filters (such as JavaScript or VBScript in HTML) is marked as SPAM.

Content Filter - Advanced options -03

Using the Test option

If we just want to test the “new security filter,” we can choose the option “test.” At the bottom of the advanced options window, we can configure the result of the test. In the following screenshot, we can see that we can choose one of the following three options:

  • None
  • Add the default test X-header text
  • Send a BCC message to this address
Content Filter - Advanced options -04

Scenario 2: Blocking SPAM Mail classified as NDR backscatter

SPAM that is described as NDR backscatter is a particular kind of SPAM because the “mechanism” used by the spammer is different from “standard SPAM mail.” NDR backscatter works in the following way:

The spammer forges an organization user’s email address and sends email on their behalf to other recipients. If the “destination mail system” recognizes the E-mail as SPAM, or if the mail is sent to non-existing users, the “destination mail system” creates an NDR message that is sent to the organization recipient (the user whose E-mail address was used by the spammer).

For example: in the last week, organization users have complained that they get an error message about an E-mail that was sent by them to an external recipient (the external recipient can be known to the organization user or unknown).

The organization users are sure that they did not send any kind of mail message to this recipient, but they keep getting error messages such as: “mailbox full,” “user doesn’t exist,” etc.

So now, the obvious question is: is it really happening? The answer is: “Yes.”
The users’ description matches a SPAM attack described as NDR backscatter.

Generally speaking, the Office 365 security gateway servers are configured to block this kind of SPAM E-mail, but if the SPAM mail manages to “sneak” past the mail security servers, we can add this filter using the Content Filter – Advanced options.

Using Content Filter – Advanced options – NDR backscatter

  1. Log in to the Office 365 portal, Exchange admin center.
  2. On the left-side menu, choose the protection menu (number 1).
  3. On the top menu options, choose the content filter menu (number 2).
  4. Choose the Default connection filter policy (number 3).
  5. In the window that appears, choose the option: advanced options (number 4) menu.
  6. Choose the option: NDR backscatter, and turn on the security filter.
Content Filter - Advanced options Blocking SPAM Mail classified as NDR backscatter -01
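
Both scenarios above can also be applied from Exchange Online PowerShell. This is an added example, not part of the original article: it saves the current values, puts the three Scenario 1 filters into Test mode with the default test X-header, and turns on the NDR backscatter filter. The helper Set-AsfFilterState, the backup file name and the mailbox addresses are assumptions made for illustration.

```powershell
# Added example (not from the original article). Assumes the
# ExchangeOnlineManagement module; the UPN and BCC mailbox are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$policy    = 'Default'
$scenario1 = 'MarkAsSpamEmptyMessages',      # Empty messages
             'MarkAsSpamJavaScriptInHtml',   # JavaScript or VBScript in HTML
             'MarkAsSpamFramesInHtml'        # Frame or IFrame tags in HTML
$reviewed  = @('Name', 'TestModeAction', 'TestModeBccToRecipients',
               'MarkAsSpamNdrBackscatter') + $scenario1

# Keep a copy of the current values so the change can be rolled back.
Get-HostedContentFilterPolicy -Identity $policy |
    Select-Object $reviewed |
    Export-Clixml -Path .\content-filter-before.xml

function Set-AsfFilterState {
    param(
        [Parameter(Mandatory)][string[]]$Setting,
        [Parameter(Mandatory)][ValidateSet('Off', 'On', 'Test')][string]$State,
        [string]$Policy = 'Default',
        [hashtable]$Extra = @{}
    )
    # Build the parameter set dynamically: one "<Setting> = <State>" per filter.
    $params = @{ Identity = $Policy } + $Extra
    foreach ($name in $Setting) { $params[$name] = $State }
    Set-HostedContentFilterPolicy @params
}

# Scenario 1, phase 1: Test mode. Matching mail is still delivered and is
# stamped with the default test X-header, so false positives can be reviewed.
Set-AsfFilterState -Setting $scenario1 -State Test -Policy $policy `
    -Extra @{ TestModeAction = 'AddXHeader' }

# Alternative test action: send a BCC copy of each match to a review mailbox.
# Set-AsfFilterState -Setting $scenario1 -State Test -Policy $policy -Extra @{
#     TestModeAction          = 'BccMessage'
#     TestModeBccToRecipients = 'spam-review@contoso.example'
# }

# Scenario 1, phase 2: once the test results look clean, mark matches as SPAM.
# Set-AsfFilterState -Setting $scenario1 -State On -Policy $policy

# Scenario 2: turn on the NDR backscatter filter, as in step 6 above.
Set-AsfFilterState -Setting 'MarkAsSpamNdrBackscatter' -State On -Policy $policy

# Confirm what the policy now contains.
Get-HostedContentFilterPolicy -Identity $policy | Format-List $reviewed
```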

4. Exchange Online – mail flow – rules

Exchange Online includes a built-in component described as Rules (in previous versions of Exchange this component was called “Transport rules”). We can use “Exchange rules” for many purposes. In this section, I would like to emphasize the use of “Exchange rules” in relation to SPAM mail.

For the demonstration purposes let’s use two different scenarios of SPAM mail:

  • Scenario 1 – Block SPAM Mail that includes a specific keyword
  • Scenario 2 – Block SPAM Mail from a specific domain

Scenario 1 – Block SPAM Mail that includes a specific keyword

If the SPAM mail contains a specific keyword in the mail body\subject, we can create an Exchange rule that will delete the SPAM mail items.

Step 1 – Creating new rule

  1. Log in to the Office 365 portal, Exchange admin center.
  2. On the left-side menu, choose the mail flow menu (number 1).
  3. On the top menu options, choose the rules menu (number 2).
  4. Choose the New icon (number 3).
  5. Choose the option: Create a new rule (number 4).
Reject SPAM mail with a specific keywords 01

Step 2 – Add a name to the rule

You can choose any name that suits your needs. It’s recommended to choose a “descriptive name” that will enable us to identify the rule’s purpose by looking at the rule name. In our example, we will name the rule “inappropriate words”.

Reject SPAM mail with a specific keywords 02

Step 3 – define the rule logic/condition (if)

In this part, we define the event that will trigger or activate the rule. In our scenario, we would like to block mail that includes specific keywords such as: buy cheap pills or – enlarge your… (you know what)

  • In the section of *Apply this rule if…, choose the option: The subject or the body includes
Reject SPAM mail with a specific keywords 03
  • In the pop-up window that appears, under the specify words or phrases section, add the keywords (if one of these keywords appears in a mail item, we would like to block it).
  • Don’t forget to click on the add icon, because without adding the value we will not be able to save the rule.
  • Click on the Ok button.
Reject SPAM mail with a specific keywords 04

Step 4 – define the required action

In this part, we configure the action that is carried out if a mail item matches the condition that was set in the previous step.

  • Click on the small arrow in the *Do the following… section
  • You can see that we can choose from several options. In our example, we will choose the option of Delete the message without notifying anyone.
Reject SPAM mail with a specific keywords 05

Step 5 – choose a mode for the rule

The last part of the rule is described as “choose a mode for the rule.” The default mode is “enforce.” In our example, we don’t want to make changes in the production environment without the option to test the rule and check the implications of using it. To fulfill this requirement, we will choose the option Test without policy tips.
Choosing one of these options will “turn on” the rule.

If a mail item matches the logic\condition that appears in the rule, the information is logged in the message tracking logs. Exchange doesn’t take any action that impacts the delivery of the message.

Reject SPAM mail with a specific keywords 06

Scenario 2 – Block SPAM Mail from a specific domain

In the section that describes the IP Block list option, we mentioned that its main disadvantage is that, most of the time, a block rule based on IP address is not very useful. The most effective option is to block SPAM mail that comes from a specific sender email address or specific domain name. The good news is that we can use the “rule” (mail flow – rules) option to overcome this limitation.

In the following demonstration, we will create a rule that will block or reject mail that is sent from a particular domain name.

For demonstration purposes, we will use the domain name midorg.com as the domain we want to block. In reality, this is a legitimate domain.

Step 1 – Creating new rule

  1. Log in to the Office 365 portal, Exchange admin center.
  2. On the left-side menu, choose the Mail Flow menu (number 1).
  3. On the top menu options, choose the rules menu (number 2).
  4. Choose the New icon (number 3).
  5. Select the option: Create a new rule (number 4).
Reject SPAM mail with a specific keywords 01

Step 2 – Add a name to the rule

You can choose any name that suits your needs. It’s recommended to choose a “descriptive name” that will enable us to identify the rule’s purpose by looking at the rule name. In our example, we will name the rule: “Block mail sends from the midorg.com domain.”

Reject SPAM mail from aspecific domain -02

Step 3 – define the rule logic/condition (if)

In this part, we define the event that will trigger or activate the rule.
In our scenario, we would like to block mail that comes from the domain name: midorg.com

  • In the section of *Apply this rule if…, choose the option: The sender address includes
Reject SPAM mail from a specific domain -03
  • In the pop-up window that appears, under the specify words or phrases section, add the domain name: Midorg.com (this is the domain name that we want to block in our example).
  • Don’t forget to click on the add icon (plus icon), because without adding the value we will not be able to save the rule.
  • Click on the Ok button
Reject SPAM mail from a specific domain -04

Now we can see that the value that we added is saved, and the value name (midorg.com) appears in the right part of the rule condition.

Reject SPAM mail from a specific domain -05

Step 4 – define the required action

In this section, we configure the action that is carried out if an E-mail item matches the condition that was set in the previous step.

Click on the small arrow in the *Do the following… section.

You can see that we can choose from several options. In our example, we will choose the option of Reject the message with the explanation.

Reject SPAM mail from a specific domain -06
  • In the pop-up window that appears, we need to add the content for: specify the rejection reason. This “reject message” is sent as a response every time a user who uses the domain name midorg.com sends mail to our organization. In our example, the content of the reject message is: mail from your domain!).
Reject SPAM mail from a specific domain -07

Step 5 – choose a mode for the rule

The last part of the rule is described as “choose a mode for the rule”. The default mode is “Enforce”. This means that the rule is implemented as soon as we save it. The additional options that we have are: Test with policy Tips or Test without policy Tips. Choosing one of these options will turn on the rule.

If a mail item matches the logic\condition that appears in the rule, the information is logged in the message tracking logs. Exchange Online doesn’t take any action that impacts the delivery of the message.

After we choose the save option, the rule will be enforced and mail items sent from the midorg.com domain will be blocked.

Reject SPAM mail from a specific domain -08
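
The two rules built in the scenarios above can also be created from Exchange Online PowerShell. This is an added example, not part of the original article: it creates both rules in Audit mode (the cmdlet value for “Test without policy tips”) and shows the later switch to Enforce. The helper New-AuditModeRule, the admin account and the rejection text are assumptions made for illustration.

```powershell
# Added example (not from the original article). Assumes the
# ExchangeOnlineManagement module; the admin UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

function New-AuditModeRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Definition   # condition + action
    )
    # Do not create a second rule with the same name on a re-run.
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$Name' already exists; leaving it unchanged."
        return
    }
    # -Mode Audit = "Test without policy tips": matches are logged,
    # delivery of the message is not affected.
    New-TransportRule -Name $Name -Mode Audit @Definition
}

# Scenario 1: keyword in subject or body, delete without notifying anyone.
New-AuditModeRule -Name 'inappropriate words' -Definition @{
    SubjectOrBodyContainsWords = 'buy cheap pills'
    DeleteMessage              = $true
}

# Scenario 2: "The sender address includes" midorg.com (the article's
# demonstration domain), reject with an explanation. The reason text is a
# placeholder. -SenderDomainIs is the condition that matches on the sender's
# domain instead of on words in the address.
New-AuditModeRule -Name 'Block mail sends from the midorg.com domain' -Definition @{
    FromAddressContainsWords = 'midorg.com'
    RejectMessageReasonText  = '<rejection reason shown to the sender>'
}

# Review mode and priority of every rule before enforcing anything.
Get-TransportRule | Select-Object Name, State, Mode, Priority | Format-Table -AutoSize

# After checking the logged matches for legitimate mail, enforce a rule:
# Set-TransportRule -Identity 'inappropriate words' -Mode Enforce
# Set-TransportRule -Identity 'Block mail sends from the midorg.com domain' -Mode Enforce
```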

5. Sending sample of SPAM mail

This part relates to a scenario in which all of our efforts have failed and we did not manage to stop the SPAM mail. In this case, the best practice is to contact the Office 365 support team and ask for their help.

Assuming that we have implemented all of the steps described in this article, the only option left is to send the SPAM mail items to the Office 365 support team and ask them to forward these mail items for further analysis and examination.

Send the problematic/SPAM mail as an attachment

It is important to send the SPAM mail “as an attachment” because, when we use this option, the complete mail item is sent, and the technical person who gets the SPAM mail can use the additional information contained in the mail header and so on.

How to use the option of: Forward as attachment

The mail item should be sent as an attachment. To send an email as an attachment, choose the mail item, then in the Home tab choose the More icon and the option: Forward as Attachment

Outlook - Forward as attachment

Another option is to save the mail item and send it.

If you have a problem with the option “send mail as attachment,” you can save the email items and send the files (the mail items) to the support team.

  • Double click on the required mail item
  • Choose the File menu and Save As option
outlook - save mail item
  • Save the mail item
outlook - save mail item 02
o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
