Skip to content

High Risk Delivery Pool and Exchange Online | Part 9#17

The term: “High Risk Delivery Pool”, describes a “dedicated Exchange Online server’s pool” which is responsible for “handling” mail that posted by Office 365 recipients, which recognized as “problematic mail.”

The current article and the next article – High Risk Delivery Pool and Exchange Online | Part 10#17 ,are dedicated to the description of: How Office 365 (Exchange Online) is handling a scenario of internal \ outbound spam, by using the help of the Exchange Online- High Risk Delivery Pool.

General thoughts upon the subject of outbound mail spam in Office 365 environment

Q: What is the meaning of “problematic mail”?

A: Outbound mail that is sent by Office 365 user, sent to the EOP (Exchange Online Protection) for security check and was identified as an E-mail, which has a potential of spam\junk mail.

i have the potential to be identified as spam mail

Q: What could lead to a scenario in which my E-mail will be considered as “problematic E-mail” by Exchange Online?

A: There is no clear definition or “public information” information about the factors that will lead Exchange Online and EOP to “decide” that a particular E-mail message that sent by Office 365 users classified as spam\junk mail.

It’s reasonable to assume that the spam filter that used by Exchange Online based on the standard method for identifying a particular E-mail message as spam\junk mail.
For example – E-mail message that includes a “problematic content” or, a scenario or bulk mail.

You can read more information about the “factors” that could lead to a scenario in which E-mail recognized as spam\junk mail in the articles:

Q: What is the meaning of: “Exchange Online server pool that will handle problematic mail”?

A: In a scenario in which Exchange Online identify a “problematic E-mail” that is sent by Office 365 users, the E-mail will not be deleted or blocked, but instead, will be sent out by using a particular Exchange Online server’s pool.

Exchange Online and High Risk Delivery Pool

Exchange Online single server or servers farm?

When we say something like: “our mail server,” the association is a “single server,” which stands alone in the cold rain and wind, always ready to serve and protect.
When we use Exchange Online as our mail infrastructure, none of these “images” are correct.

We relate to “Exchange Online” as a singular entity while in reality, we need to address the Exchange Online infrastructure as – plural that realized by using dozens or even hundreds of separate mail server’s that are “scattered” word wide in the different Office 365 data centers.

Each of the Office 365 data centers includes.

  1. The “standard” Exchange Online server pool
  2. A dedicated pool of Exchange Online server who should solve the problem of “internal spam” (spam\junk mail) that is sent by our organization Office 365 users to other recipients.
Exchange Online infrastructure as a huge array of mail servers

What is the range of possibilities, which could be implemented by Office 365 mail infrastructure for dealing with a phenomenon of outbound spam?

Theoretically, there could be a couple of “solutions” that could have been implemented by Exchange Online infrastructure when dealing with a scenario of – internal spam mail.

For example, Exchange Online could have implemented any of the following options when an E-mail message that sent by Office 365 recipients identified as spam\junk mail:

Exchange Online and outbound spam - Optional scenarios

Option 1: Don’t implement outbound spam checks.

Many mail infrastructures do not implement an email security policy for “outbound mail” because the basic assumption is that mail that is sent by “our organization users” can be trusted.

In Exchange Online environment, this “assumption” in which mail that is sent by organization users can trusted cannot be implemented because – Exchange Online servers “represents” tens and even hundreds of thousands of organizations and, for this reason, Exchange Online doesn’t have this “luxurious” blindly of trusting organization users.

Exchange Online mail infrastructure is based on the assumption that the security risks can come “Indoors” and “outdoors” equally.

Option 2: implement outbound spam check | Delete the E-mail message

Another method that could have implemented by Exchange Online (and it’s not implemented) is to “block” any mail that was sent by Office 365 users and identified as spam\junk mail.

The term “block”, could be translated into several options such as: delete the E-mail, send the E-mail to a quarantine + inform the Office 365 users and so on.

In reality, none of these “actions” is implemented. There is no “formal Microsoft answer” regarding why does outbound spam, is not blocked, deleted or sent to quarantine.

My opinion is that the actions of “blocking” or deleting E-mail messages that identified as spam\junk mail, could have led to many lawsuits and additionally, breaches the principle of Office 365 customer privacy.

For this reason, the Office 365 mail infrastructure will not delete or block outbound spam but instead, will send out the E-mail message to her destination by routing the E-mail to a particular Exchange Online server pool.

Note: Exception to the above rule, is a scenario of a bulk E-mail that is sent by Office 365 users. In a very particular situation, this user will be blocked.

You can read more information bulk E-mail in Office 365 environment in the article: My E-mail appears as spam | The 7 major reasons | Part 5#17

Option 3: implement an outbound spam check | Route E-mail message to an alternate mail server pool

This is the option that is implemented by Exchange Online.
When Exchange Online (EOP if we want to be more accurate) scan the outgoing mail and identify that the mail can classify as spam\junk mail, instead of blocking or deleting the E-mail message, the E-mail will be routed to dedicated Exchange Online server poll named – “High Risk Delivery Pool.”

In a scenario in which E-mail routed to the “High Risk Delivery Pool”, the “operation” will not be reported by default (Exchange Online administrator is not aware of this “redirection process” by default).

Only when the Exchange Online administrator “activate” the option of outbound spam, Exchange Online will send an E-mail notification to the provided E-mail for each of the mail items that was routed (delivered) to the “High Risk Delivery Pool”.

Exchange Online recognize E-mail sent by Office 365 user as a spam - High Risk Delivery Pool

In reality, the “High Risk Delivery Pool” is not just a particular Exchange Online server. As the name implies, a “pool” or mail servers. Additionally, each of the Office 365 data center use is “own pool” of Exchange Online server which acts as the “High Risk Delivery Pool”.

Q: Does Microsoft publish public information about the IP range of the Exchange Online- High Risk Delivery Pool in each of the Office 365 data centers?

A: As far as I know, there is not such “public information”. The logic is that the Interest of Microsoft is to keep this information “hidden” and not public.

Technically speaking, Microsoft publicly publishes the complete public IP range of the Exchange Online and Exchange EOP IP range, but this data doesn’t include a specific indication for the Exchange Online- High Risk Delivery Pool.

From my experience and I must stress that this is no “formal information” that you can rely upon, the “High Risk Delivery Pool” IP ranges in the “Europe Office 365 data centers” are represented by the following IP range: 157.56-57.0.0.

What is the purpose of the “High Risk Delivery Pool”?

The purpose of the Exchange Online “High Risk Delivery Pool” is a little confusing because their job is to “distract the fire” from the “standard Exchange Online server’s pool”. The most appropriate metaphor that I can think of is: scapegoat

The Exchange Online “High Risk Delivery Pool” serves as a scapegoat in a scenario of internal spam.

Exchange Online High Risk Delivery Pool as a scapegoat

Let’s go back to the moment, in which Exchange Online identifies a particular E-mail message that was sent by Office 365 users as a spam\junk mail.

Because Exchange Online is not “allowed” to stop or block this type of E-mail, Exchange Online will need to find a safe way for “delivers“ the E-mail to the destination without compromise the integrity and the reliability of the standard Exchange Online server pool.

For example, in the case that the E-mail sent to external recipients, Exchange Online will need to contact the mail server of the external recipient and try to deliver him the E-mail.

But in this case, the main risk is that the “external mail server” will also identify the E-mail as a spam\junk mail and for this reason, will add the IP address of the “standard Exchange Online pool IP address to a blacklist.

In this scenario, the damage is not only to the particular organization that sent the “spam E-mail” but instead, to all the other Office 365 tenants who send E-mail via the specific Exchange Online, which his IP address was blacklisted.

Exchange Online – High Risk Delivery Pool as a Risk-Management solution

The answer to this “challenge” is: implementing Risk Management process.

In the scenario of a “problematic E-mail” that is sent by Office 365 users, the problematic E-mail messages will be routed to a deducted Exchange Online server pool: the “High Risk Delivery Pool”.

The Exchange Online- High Risk Delivery Pool will be used to send out the “problematic E-mail”.

At a first glance, this “declaration” looks a little peculiar, but this is that exact purpose of the “Exchange Online High Risk Delivery Pool”.

Instead of sending the problematic E-mail message via the “standard” Exchange Online server and by doing so, put at risk all the other Office 365 tenants (customers) who rely on the Exchange Online mail infrastructure, the problematic E-mail message will be sent by the “scapegoat” Exchange Online server: “High Risk Delivery Pool”.

Because the “High Risk Delivery Pool” will send most of the time, E-mail that classified as spam\junk mail, there is a reasonable chance that the IP address of the particular Exchange member in the Exchange Online- High Risk Delivery Pool, will appear as blacklisted.

By using the Exchange Online- High Risk Delivery Pool, Exchange Online infrastructure manages to complete the two goals:

  1. Avoid from a scenario in which the Exchange Online will block or delete E-mail message that was sent by Office 365 users.
  2. Avoid from a possibility in which the “standard Exchange Online” public IP address will be blacklisted.

Exchange Online High Risk Delivery Pool, half of the solution?

Blacklist providers, “recognize” organization by two main elements:

  1. The IP address of the mail server that sends E-mail “on behalf” of an organization.
  2. The domain name of the organization (the “right part” of E-mail address)

Pay attention to the simple fact that although the “problematic E-mail message” is sent via the Exchange Online “High Risk Delivery Pool”, the domain name which included in the “problematic E-mail message” could also be listed in blacklists.

In other words: the use of Exchange Online: “High Risk Delivery Pool” prevents the option in which the IP address of “our mail server” will appear as blacklisted but cannot avoid a scenario in which our domain name will appear as blacklisted.

To add another layer of understanding about the purpose of Exchange Online- High Risk Delivery Pool, here is a quotation from a Microsoft article:

When a customer’s email system has been compromised by malware or a malicious spam attack, and it is sending outbound spam through the hosted filtering service, this can result in the IP addresses of the data center servers listed on other block lists.
Also, destination servers that do not use the hosted filtering service, but use these block lists, end up rejecting all email sent from any of the hosted filtering IP addresses that added to those lists.
Therefore, all outbound messages that exceed the spam threshold are delivered through a High-risk delivery pool. The High-risk delivery pool is a secondary outbound email pool that is used to send messages that may be of low quality, thus helping to protect the rest of the network from sending messages that are more likely to result in the sending IP address blocked.

[Source of information: High Risk Delivery Pool for Outbound Messages]
The two Exchange Online server pools
o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *