Internal spam in Office 365 – Introduction | Part 2#17
In the current article, we continue to review the term “internal/outbound spam”, the misconceptions that relate to this term, the risks involved in a scenario of internal/outbound spam, the outbound spam E-mail policy and more.
Spam mail and the default association
Most of the time, the first association with spam mail is: “unwanted mail that bad people use for harassing our organization’s users”.
We usually think that “our organization users” are the victims of spam/junk mail and that we are the “good guys” in this story.
However, did you consider the possibility of a scenario in which the “bad guy” is us?
For example, a scenario in which the spam/junk mail is sent from our organization, and we are the element that is disturbing and annoying other users?
When we say that “our organization users can be trusted,” what really is your level of familiarity with your organization’s users?
- What about a scenario in which malware manages to compromise some of your users’ desktops and manages to send out spam/junk mail in their name?
- What about a scenario in which malware manages to compromise the security of your company’s public website and manages to send out spam/junk mail that looks, to an external recipient, like mail that comes from your company (your domain name)?
- What about a scenario in which an organization user abuses the trust you gave him and uses the organization’s mail infrastructure for sending out spam/junk mail?
- What about a scenario in which organization users from the marketing department send out hundreds or thousands of emails that violate the rules of commercial or marketing E-mail?
Are all these questions harming your self-confidence?
If the answer is “Yes”, I am satisfied, because this is the reality!
We don’t have the privilege of leaning back in the chair with a satisfied facial expression, because all the scenarios mentioned above could and will happen!
Office 365 and Exchange as SaaS | Good or bad?
One of the most popular claims of Office 365 customers is that, because Office 365 and Exchange Online are SaaS (Software as a Service) based services, we have less control over our mail infrastructure compared with an on-premises Exchange mail infrastructure.
For this reason, in a scenario in which our organization’s E-mail is identified by the external recipient as spam/junk mail, “Microsoft” will need to solve the problem because Office 365 “belongs” to Microsoft!
My claim is that: the opposite is true!
1. Our full responsibility for internal/outbound spam scenarios
A scenario in which mail that is sent from “our side” (our organization) is identified by the external recipient as spam/junk mail is not related in any way to Office 365 or Exchange Online!
Theoretically, the problem could be related in some way to the Exchange Online infrastructure, but we should relate to Exchange Online as a “neutral mail platform.” Exchange Online doesn’t “cause” our E-mail to appear as spam but instead serves as a “router” that sends out our organization’s E-mail to external recipients.
2. Office 365 and security infrastructure
The security mechanisms used for protecting the Office 365 and Exchange Online environment are significantly improved compared with the security infrastructure of a “standard” organization mail infrastructure.
I know this declaration will arouse opposition, but the simple truth is that Office 365 and Exchange Online were designed to host hundreds of thousands and even millions of users.
For this reason, the investment in information security systems, monitoring and alert systems and so on is implemented on a much larger scale compared to a traditional organization’s infrastructure.
Additionally, the Office 365 and Exchange Online environment includes tools and improved abilities that will help us to avoid a scenario of internal/outbound spam.
We will get more detailed information about troubleshooting internal/outbound spam in Office 365 in the articles:
- My E-mail appears as spam – Troubleshooting path | Part 11#17
- My E-mail appears as spam – Troubleshooting path | Part 12#17
Implementing and enforcing outbound spam E-mail policy
Q: In a scenario of internal/outbound spam, is there any way to control and manage the E-mail that “goes out” from our mail infrastructure to external recipients?
A: The answer is implementing a solution that could be described as an outbound spam E-mail policy.
Q: What is the purpose of using an outbound E-mail policy?
A: The purpose of using an outbound E-mail policy is to use a process that will scan and verify E-mails that are sent by our organization users to external recipients.
For example: implementing security scans for each outbound mail, and having the option to stop spam from leaving our network before it causes our mail server IP address or our domain name to be listed by blacklist providers and blocked by anti-spam systems.
Q: Is there a possibility to enforce an outbound E-mail spam policy in Exchange Online?
A: Exchange Online implements a spam filter, which scans each of the E-mail messages that are sent to Office 365 users.
At the current time, Exchange Online doesn’t include an option that enables us to “stop” or delete internal mail that is identified as spam/junk mail. The only option that we can use is a feature in which Exchange Online will notify a contact person about such an event.
In case Exchange Online “decides” that the E-mail message is identified as spam/junk mail, Exchange Online will route the E-mail to a dedicated Exchange server pool named: Exchange Online High Risk Delivery Pool.
- High Risk Delivery Pool and Exchange Online | Part 9#17
- High Risk Delivery Pool and Exchange Online | Part 10#17
Internal/outbound spam | The risks
In case you are not convinced that the issue of internal/outbound spam should be considered a major problem, I would like to interest you in a number of aspects of the risks related to the above phenomenon.
- DoS – Denial of service. The DoS is caused when our organization appears as blacklisted.
The “outcome” is the inability to communicate important information or provide important data, files and so on to our customers. Organization users are “prevented” from using E-mail as a communication channel with specific companies or specific customers. The scope of the problem, meaning the “inability” to send out E-mail, could be related only to a particular mail item, only to a specific mail user, or be considered a systemic phenomenon that affects all of our organization users.
- Damage to the company’s reputation
- Exposure to lawsuits, because the company is considered responsible for its employees, and it is up to companies to take action and keep their networks clean.
Internal/outbound spam | The “Starting point”
In the current article series, we will review different aspects that relate to internal/outbound spam, such as how to avoid a scenario of internal spam, how to troubleshoot a scenario of internal spam and so on.
The only question that we didn’t answer is: how do we know that we are dealing with a scenario of internal/outbound spam?
What are the characteristics or the signs of such a scenario?
The technical answer is that someone or something should inform us about the problem, in which mail that is sent from our organization or from our mail infrastructure is considered spam/junk mail.
In the following diagram, we can see an example of four possible scenarios that will “help” us to understand that we have a problem in which E-mail that is sent by or from our organization is considered spam/junk mail.
- External recipient informs us – a scenario in which an external recipient informs our organization user that he got his E-mail message, but the mail message was sent to the junk mail folder.
- NDR message – the destination mail server sends an NDR message as a “response” to the E-mail that was sent by one of our organization users.
- Exchange Online and the option of outbound spam – in case we “activate” this option, when an E-mail that is sent by an Office 365 organization user is identified as potential spam/junk mail by Exchange Online, a notification message is sent to the contact person.
You can read more information about the Exchange Online outbound spam feature in the article: My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
- In case we use a service that monitors well-known blacklist providers, and our organization appears as blacklisted, an E-mail notification message will be sent to the contact person that was set. You can read more information about monitoring your blacklist status in the article: My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
It’s important that we pay attention to the common denominator of all the above scenarios:
- In a scenario of internal/outbound spam, most of the time, we become aware of the problem only after the fact. In simple words, the notification that we get about E-mail sent from our organization being identified as spam/junk mail “happens” only after the E-mail was sent to the external destination recipient.
- Even when we get a notification about the fact that mail from our organization is considered spam/junk mail, or that our domain appears as blacklisted, this “information” doesn’t tell us anything about the “reasons” that led to a scenario in which our mail is identified as spam/junk mail. We can “understand” that we have a problem, but the element that “informs” us doesn’t include any explanation or details about the causes that led to the scenario in which our mail is considered spam/junk mail.
It’s imperative to implement a mechanism that will help us to identify a scenario of outbound spam, but there is no option to “fetch” information from the notification.
The only way to deal with a situation of internal/outbound spam is:
- To have good knowledge of the possible reasons that can lead to the scenario in which our mail is identified as spam/junk mail.
- To have good knowledge of the operations and the troubleshooting steps that we can implement for finding the exact cause.
- To have a monitoring infrastructure that will help us to identify quickly and efficiently a scenario of internal/outbound spam.
- To educate our organization users and instruct them how to avoid a situation in which they send out E-mail that can be identified as spam.
In the event of internal/outbound spam, the main questions that we will need to answer are:
- Is the mail that was sent by the organization recipients indeed spam mail?
- Does the classification of spam/junk mail relate to a particular organization user, a specific E-mail message or our domain name?
- What are the steps that we need to implement for finding the exact cause?
- What mechanisms should be implemented so that we will be able to identify, as quickly as possible, a scenario in which our organization’s E-mail is identified as spam/junk mail?
- What mechanisms should be implemented to prevent or avoid a future situation in which our organization’s E-mail is identified as spam/junk mail?
Who is this “element” that identifies my organization mail as spam/junk mail?
There could be two major scenarios in which mail that is sent from your organization could be classified as spam/junk mail.
1. Server-side: destination mail server and blacklist provider
By default, mail servers are not designed to implement a security check for incoming mail. Instead, most of the time, the mail server will use the help of an “external component” that will implement the required security check for them.
For example, when our E-mail is accepted by the destination mail server, the mail server will connect to some kind of “blacklist provider” to check whether our domain name or our mail server IP address is blacklisted.
In case the “answer” from the blacklist provider says that the organization is considered blacklisted, the mail server will need to decide about the next step, such as blocking the E-mail message, sending an NDR, etc.
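The blacklist lookup described above, which is also what the blacklist monitoring service mentioned earlier in this article performs, is commonly done as a DNS query against the provider's zone. The following is an added example, not code from the original article: the zone names, the sample address and the canned DNS answers are constructed placeholders, so substitute the blacklist providers you actually monitor.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here

def dnsbl_query_name(ip, zone):
    """Name a receiving server looks up: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def check_listing(ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'unknown' for one IP in one zone."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror as exc:
        # A temporary resolver failure is not proof that we are clean.
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            return "unknown"
        return "clean"            # name does not exist: not listed
    except (OSError, ValueError):
        return "unknown"
    # Only an answer inside 127.0.0.0/8 is a listing; anything else
    # (for example a resolver that rewrites NXDOMAIN) is not trusted.
    return "listed" if answer in LISTED_RANGE else "unknown"

def blacklist_report(ip, zones, resolve=socket.gethostbyname):
    """Map each monitored zone to the status of our outbound IP."""
    return {zone: check_listing(ip, zone, resolve) for zone in zones}

# Constructed sample data: hypothetical zones and canned DNS answers,
# so the example runs offline. 192.0.2.10 is a documentation address.
SAMPLE_ZONES = ["bl-a.example.org", "bl-b.example.org", "bl-c.example.org"]
_CANNED = {"10.2.0.192.bl-a.example.org": "127.0.0.2",
           "10.2.0.192.bl-c.example.org": "203.0.113.80"}

def constructed_resolver(name):
    if name in _CANNED:
        return _CANNED[name]
    raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")

if __name__ == "__main__":
    for zone, status in blacklist_report(
            "192.0.2.10", SAMPLE_ZONES, constructed_resolver).items():
        print(f"{zone}: {status}")
```

Run on a schedule with the default resolver, a report like this shortens the gap between being listed and finding out about it, although it still says nothing about why the listing happened.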
The scenario in which mail that was sent from your organization is sent to the junk mail folder of the “destination recipient” doesn’t necessarily mean that the E-mail message was “stamped” by the “destination mail server” as a spam message.
There could be a couple of “client-side elements” that could identify the E-mail message as spam/junk mail.
- The “destination recipient” can create an inbox rule that “classifies” a specific sender (specific E-mail address) as spam.
- The “destination recipient” mail client could include a built-in spam filter that can “decide” to classify specific email messages as spam.
- The “destination recipient” user desktop can include an antivirus or other mail security application that has its own “mail security system”.