Let’s start with the most obvious question – why should I try to simulate spam…
Dealing with SPAM Mail in Office 365 | Part 1/2
Let’s make it short and straightforward – from my experience, a significant percentage or most of the SPAM mail is blocked by the Office 365 mail security gateways. This doesn’t mean that we cannot experience SPAM because there are no perfect systems that will prevent 100% of SPAM all the time.
In case that we do experience SPAM mail, we can use many tools and options that are available for us in Office 365 for dealing with SPAM mail.
In this article, we quickly review the different types of SPAM mail. Then we will present the different tools that we can use for fighting SPAM mail in an Office 365 environment and try to “match” the “SPAM tool” for the task based on the type of the SPAM.
Table of contents
- Dealing with SPAM Mail in Office 365 | Article Series
- Part 1: SPAM mail and Office 365 environment
- SPAM mail – Troubleshooting process and classification
- Get information about the character of the SPAM mail
- Dealing with SPAM: Server Side – optional solutions
- Part 2: Dealing with SPAM mail – Client side
Dealing with SPAM Mail in Office 365 | Article Series
The Dealing with SPAM Mail in Office 365 article series, including the following articles:
- Dealing with SPAM Mail in Office 365 | Part 1/2 (this article)
- Dealing with SPAM Mail in Office 365 | Server side (Exchange Online) | Part 2/2
Part 1: SPAM mail and Office 365 environment
One of the most considerable advantages of using Office 365 is that many of these services such as Mail security are implemented transparently, behind the scene. Office 365 mail services include by default a mail security infrastructure that based on a platform describes as EOP – Exchange Online Protection (the FOPE services implemented the previous mail security infrastructure).
The EOP infrastructure serves as mail gateways, which are responsible for the “Hygiene” of incoming and outgoing mail flow. The purpose of this mail gateway’s is to filter any malware, virus or SPAM that included in the mail flow that comes from external sources to the Office 365 recipients (incoming mail flow) and also in the opposite direction – mail that sends from Office 365 recipients to external sources.
Who is to blame?
The EOP performs his duties faithfully but, from time to time, Office 365 subscribers can experience SPAM mail that gets into their mailbox.
Before we begin with the technical part of “mitigating the SPAM issue” I would like to relate to the issue of the “Blame.” Many times the response from our customer includes an implicit or explicit claims such as: “since we move to the cloud (Office 365), we experience SPAM issue” or “Microsoft doesn’t provide a good mail security by allowing SPAM mail to enter our company.”
I think that many times these “claims” are excessive because most of the time the EOP (Exchange Online Protection) is doing an excellent job of protecting the Office 365 recipients. Let’s not forget that there is no “perfect solution” that will block 100% of SPAM mail because “SPAM Solutions\Gateways”, will always need to face the issues of:
- False Positive – a scenario in which the defending systems recognize legitimate mail is “Bad\SPAM” mail and block the mail.
- False Negative – a scene in which the defending system doesn’t recognize Bad\SPAM mail and the mail reach to the recipient mailbox.
Additionally, there is the factor of the “dynamically changes” of SPAM mail methods that present a challenge in each second\minutes for the security and the response team that manages the signature database of the EOP.
So what is the consolation? The point is that is “O.K” if we experience SPAM from time to time as long as we have the tools or the solution for stopping the SPAM.
SPAM mail – Troubleshooting process and classification
To create a clear path of the troubleshooting process, we will need to implement the workflow described in the following diagram:
Step 1 – Get information about the character of the SPAM mail
The most fundamental step is to get essential information about the SPAM message. We will need to decide if the mail message is truly a SPAM message and if so, try to recognize the type of the SPAM. Based on this information, we will need to choose the right “tools” for mitigating the SPAM.
Step 2 – Block\Report SPAM mail
When we deal with SPAM mail, we need to: try to block the SPAM mail by using the available option from the “Server Side” (Exchange Online and EOP) and the “Client-side” (Outlook). The process of blocking the SPAM mail could implement as a combined operation of – using tools for filtering SPAM mail and other tools for reporting (send a sample of the SPAM mail) to the Microsoft team that manages the EOP infrastructure.
Step 3 – contact Office 365 support team
In case that all of our efforts failed and, our recipient still getting SPAM mail, we can always communicate with the Office 365 support team and ask for help in our task of stopping the SPAM mail. Most of the time, we will need to collect and send some sample SPAM mail, so these mail items sent to the Microsoft team that manage the office mail security gateways.
Get information about the character of the SPAM mail
When a user complains about “SPAM mail,” we need to verify if the
E-mail is entitled to the title “SPAM mail.” For example, we would like to know if the mail is a “truly SPAM mail” or just an “Innocent mail” that sent from by a distribution list that the user subscribed to in the past.
The SPAM mail characters
Let’s assume that we check the mail, and we identify that this is a SPAM mail. Most of the time, we use the term “SPAM mail” or “Junk Mail” to describe unwanted email, but in the reality, there are many types of “SPAM\Junk” mail and each of the types has his own characters. The next step is to: classify the kind of the SPAM mail, because based on this information, we can use the most appropriate solution and the amount of “resources” that we need to allocate for blocking the SPAM mail.
The classification could be SPAM mail that sent from a particular Sender\Domain, SPAM mail that includes a specific keyword or specific language charters, a specific type of SPAM such as NDR backscatter and so on.
An additional type of classification that we need to get is: what are the scope and the business impact of the SPAM mail? For example: is the SPAM Mail affecting a particular user or all the organization users, what is the “Dosage” of the SPAM is it one or two SPAM mail items that sent randomly or is it a “flood” of tens and hundreds of SPAM emails.
Here is a sample from a Questioning list that could help to gather the required information:
Q1: Is the mail considered as SPAM mail or just standard advertisement mail from will Know\familiar Company?
Q2: Is the SPAM Mail sent from a particular sender email address?
Q3: Is the SPAM Mail sent from a particular domain?
Q4: Does the SPAM Mail include specific keywords in the mail Subject\Body?
Q5: Does the SPAM Mail include characters of non-English language?
Q6: Is the SPAM Mail from a particular geographical location?
Q: Is the SPAM Mail sent on a specific schedule ( a emails specific hour or date)?
Q: What is the percentage of organization users who get the SPAM mail?
Q: What is the ”amount” of the SPAM mail (single mail item, Tens and hundreds of emails)?
Dealing with SPAM: Server Side – optional solutions
We can classify the tools, and the operation that we can use for mitigating the SPAM issue as:
- Client side (Outlook, OWA)
- Server side (Exchange Online server)
In this section, I would like to review quickly the option that’s available to us from the server side.
Exchange Online Protection (EOP)
A bit history – in previous versions of Office 365 (and BPOS), the solution for “mail security” was implemented by a product named: FOPE (Forefront Online Protection for Exchange). Office 365 subscribers had access to FOPE web management, but the interface and the access to the FOPE management were Uncomfortable and had many advantages.
EOP (Exchange Online Protection) is the new successor of the FOPE, and I am happy to say that: long live the new king! EOP has many advantages over FOPE, and the good news is that EOP is fully integrated in the Exchange Online management.
Most of us don’t relate to the EOP as a “separated component” because from the Exchange Online administrator’s point of views, the EOP is just “additional menu” in the Exchange Online web management interface (described as Exchange Online Management -EAC).
In the following screenshot, we can see the web interface management that enables us to access to the EOP settings. In the Exchange Online web management, the management of the EOP displayed as the “protection” menu.
Exchange Online – Rules
An additional component that we can use for dealing with SPAM mail is the “rules” (in previous versions of Exchange the term was Transport Rules). The “rule” component, is a very powerful tool that enables us to control and manage each of the incoming and outgoing mail items that sent to the Office 365 recipients, and each of the mail items sent by the Office 365 recipients and to external recipients.
In the following diagram, we can see e representation of the Exchange Online tools and option that we can use based on the “Type” of the SPAM mail.
A quick wrap-up of the option that is available for us in the Exchange Online environment:
- Specific Subject\Content – in case that the SPAM mail includes “recognizable” or repeated keyword, we can use the option of “rules” for blocking (or other actions such as put the mail in quarantine) for each mail item that includes these specific keywords.
- Specific sender – In case that the SPAM mail sent from a particular source (specific domain or specific mail server) we can use the option of connection filter to add the sender IP address to a block list.
- Particular SPAM Type – As mentioned before, the term “SPAM” used for describing many types of “unwanted\Junk” mail. The Exchange Online Protection enables us to define additional SPAM filters that are not implemented by default (by using the option of Protection – Content Filter – Advanced options).
- Specific language or particular geographic location – Many times we can classify the SPAM mail as mail that sent from a specific geographical region in the world or mail that includes characters of specific languages. Using the option of “international SPAM,: ” we can block this kind of SPAM mail.
Part 2: Dealing with SPAM mail – Client side
In the following section, we will review the available option that we can use for mitigating SPAM mail in an Office 365 environment. We can classify the different options\tools Client side and server side.
1. Microsoft Junk E-mail Reporting Add-in
The Microsoft Junk E-mail Reporting Add-in is a very useful Outlook add-in that enabled each of the users to create a “direct connection” to the Microsoft team that is reasonable for mail security (and update all the information in a Virus\SPAM signature database).
By selecting the mail item and by choosing the option of “Report Junk,” the mail item will automatically be sent to the Microsoft mail security team for further analysis and investigation to help to improve the effectiveness of our junk e-mail filtering technologies.
The significant advantage of the Microsoft Junk E-mail Reporting Add-in is the “Ease of Use. In a scenario of false negative (In which the defending system doesn’t recognize Bad\SPAM mail and the mail reached to the recipient mailbox), a “standard user” (no need for administrative privileges) can report about the “SPAM mail” very easily and without the need for complicated technical steps.
The “disadvantages” are that this add-in is not included by default as a part of the Outlook installation. Although, there is an option for distributing this add-in a centralized way, and despite the fact that the user the report the SPAM mail gets a “confirmation E-mail,” there is no clear indication of “what was done with the information,” and if the information
(The SPAM mail) It updated in the SPAM signature database. From my experience, the good news is that even without the process of “feedback” from the Microsoft team, the information is analyzed and the “SPAM signature” is updated in a short time, the SPAM mail stops to reach to the recipient mailbox.
Step 1 – Download and Install the Microsoft Junk E-mail Reporting Add-in
You can find the Microsoft Junk E-mail Reporting Add-in using the following link: download link not available anymore.
When you get to the download page, most of the time the option that will suit your needs is Junk Reporting Add-in for Office 2007, 2010, 2013 (32bit).msi
Step 2 – Report email as SPAM
In Outlook 2010\2013, the Microsoft Junk E-mail Reporting Add-in is implemented by additional menu option named – Report junk that is added to the “Junk” section to be able to report an email as SPAM. To “mark” mail item as Junk use the following procedure:
- Choose the required mail items
- In the Home Tab, select the small black arrow of the Junk option.
- Choose the option Report Junk
A warning message appears and informs the user that the mail item will be reported as a SPAM. Choose the “Yes” option.
When we choose the “yes” option, the following events will accrue:
- The mail items that reported as SPAM sent to the Junk Email folder.
- A copy of the mail item sent to the following email address: firstname.lastname@example.org as attachments
- When the E-mail reaches to his destination, an approval mail will be sent to the recipient.
In the following screenshot, we can see a mail item that reported as a SPAM. The mail item will be moved automatically to the Junk Email folder.
In the Sent Items folder, we can see a “new mail” sent to the Microsoft abuse team that includes an attachment (the E-mail that reported as SPAM).
After the SPAM mail sent to the Microsoft abuse team, a “response mail” will be sent to the user. In the following screenshot, we can see the ”approval E-mail” that was sent by the Microsoft support team.
When we install the Microsoft Junk E-mail Reporting Add-in for Outlook 2007, the option of “report junk” will be added to the top menu option.
2. Outlook Junk option – block sender
Another option that is available for us from the “client side” is the: Outlook junk component and the option of: “block sender” (Add a sender to the Blocked Senders list).
This option is most suitable in a scenario that the SPAM mail delivered from a particular recipient email address. In reality, many times, the “spammers” manage to send the SPAM mail by using a different source recipient email address, so the option of “block sender” will not help us in such scenarios.
Add a sender to the Blocked Senders list
In case that you want to block the sender who sends SPAM mail, we can use the junk menu for blocking this recipient.
- Choose the required mail items,
- In the Home Tab, select the small black arrow of the Junk option.
- Choose the option of – Block sender
3. Antivirus software
There is the great importance of using Antivirus software. Most of the Antivirus programs include a dedicated component for mail security, which is responsible for enforcing mail security such as: recognize and block Malware (Antivirus, SPAM and so on).
In case that particular user complains about SPAM mail, please verify the following requirements:
- Check that the desktop includes installation of Antivirus software
- Verify the Antivirus software service is turned on
- Check the Antivirus software includes all of the last software updates
- Check that the “Antivirus mail security” component is activated
4. Outlook add-in plugins
In case that we suspect the SPAM issue caused by Outlook add-in\plug-in, we can disable this “add-ins” by running Outlook in safe mode.
- Go to the Run menu and use the following command: Outlook /safe
5. Unsubscribe from a mailing list
In case that the user report about “SPAM Mail” and when we check the mail item, we see that the sender not considered as “Spammer” (mail is just a standard advertising email that sent to a distribution list). Most of the time, the E-mail will include an option that enables the user to unsubscribe from the mailing list.
So, before we start to use the “heavy artillery,” please check if the option of “unsubscribe” exists.
6. Educate users about – How to Avoid SPAM
The part of “Educate users About: How to Avoid SPAM” belong to the “proactive” section in which we are trying to avoid a scenario that could lead to SPAM Mail. By providing our user instructions and guidance about the operation that they should avoid, we can prevent or significantly reduce in advance the occurrence of “SAPM events.”
In the next article, we will look at Dealing with SPAM Mail in Office 365 | Server side (Exchange Online) | Part 2/2.
This Post Has 15 Comments
Outlook in office 365 simply does not work to filter spam. As if that was not bad enough, blocking does not work AT ALL either. Its completely unacceptable and wastes 5-15% of our company’s productivity on a daily basis (multiply that by 88,000!).
I would never recommend, and do all I can to dissuade further use of Microsoft Office 365 products as a result.
Hurrah! Finally I got a website from where I know hoow to actually take useful data concerning my study and knowledge.
Howdy! This is my first comment here so I
just wanted to give a quick shout out and tell you I really enjoy reading your posts.
Can you recommend any other blogs/websites/forums that go over the same topics?
Thanks for your time!
It’s really a cool and helpful piece of information. I’m satisfied
that you simply shared this helpful info with us.
Please stay us informed like this. Thank you for sharing.
Hi to every body, it’s my first pay a visit of this web site; this weblog carries awesome
and really fine stuff in favor of readers.
I’ve recently started a website, the info you provide on this
site has helped me tremendously. Thanks for all of your time
This is a step by step guideline with the screenshot for fighting with spam emails in Office 365. I am really thankful to you for this solutions. Now I can deal with a better way.
Normally I don’t read post on blogs, however I wish to say that
this write-up very compelled me to take a look at and do so!
Your writing taste has been amazed me. Thank you,
very nice article.
This article is horrible! The grammar is atrocious. Links point to non-existent websites. It doesn’t address the main problem I was looking for which is how to deal with false positives.
I’m extremely pleased to find this page. I wanted to thank you
for ones time due to this wonderful read!! I definitely savored every bit of it and I have
you book-marked to check out new stuff on your blog.
Great web site you have here.. It’s hard to find
high quality writing like yours nowadays. I really appreciate
people like you! Take care!!
While I agree that Office 365 leaves a lot to be desired, you can easily block executable payloads. That one was your fault.
Let’s make this short and simple. The way to deal with spam in Office 365 is use a service that can actually filter spam (like mxlogic). Office 365 spam filtering is absolutly horrible.
We have been on Office 365 for over a year now. Prior to that we had our own server and used a Barracuda device to filter spam. I can’t think of many solutions that would be worse than the Office 365 (Forefront) filtering.
We are plagues with false-positives — so much that we had to entirely turn off the quarantine. We regularly receive e-mail that is obvious, easy to block spam (for example, advertisements for “viagra” spelled as “v1a$ra”.
Just before writing this message, I got a spam message with faked headers reporting to have come from my company AND CARRYING AN EXECUTABLE PAYLOAD!
Microsft is doing fine with the e-mail part, but they are falling flat on their face on the anti-spam side. I have yet to experience a worse solution.
Hi, I have not read the full article , just few scroll down page. I will allocate time to read on the spam topic.but honestly your site helps me a lot.I thank you for providing this to those who might need this. Thanks again.Keep up the good work, Sincerely,Yijia