EOP Field Notes

Exchange Online Protection: Notes from the field

  • Use PowerShell to search for transport rules

    PowerShell can be used to quickly search through rules matching specific criteria. This can be incredibly valuable for a tenant that contains a lot of rules, think upwards of 50 or more. While possible to search for transport rules in the EOP portal, PowerShell offers a more powerful (and cooler) way to accomplish this.

  • EOP IP Address Additions - March 2015 Edition

    This is a quick public service announcement before the weekend starts. Exchange Online Protection has been allocated a new IP range. Starting in 30 days, EOP will add 40.107.0.0/16 to the IP pool that is used to deliver mail that passes through custom connectors (ex. EOP outbound connector which routes inbound mail to your on-premises environment). 

  • Troubleshoot a broken junk mail folder

    I recently worked on a very interesting case that I wanted to share. This organization had set EOP to deliver all spam messages to end users’ junk mail folders.

    This worked great for most users, but a small number experienced EOP delivering spam messages directly to their inbox, as if they weren’t being scanned at all. Very peculiar indeed. Let’s go through the troubleshooting process to figure out what’s happening here. 

  • Determine where a message leaves an Office 365 tenant

    When troubleshooting mail flow it is often important to determine where a message is handed off from a partner to your Office 365 tenant, or from your Office 365 tenant to a partner. This is easy to see in a message header: just look for the receiving host with the domain mail.protection.outlook.com, as this will indicate Office 365 servers.

    But what if your partner is also an Office 365 tenant? How can we then tell when a message left their tenant and entered yours, or vice versa? If troubleshooting a mail delay, this is crucial information as this will let us know which tenant is experiencing the delay.

  • Using DMARC to Prevent Spoofing

    I have recently seen a large number of cases where an organization’s own domain was spoofed to send that company phishing messages. This isn’t all that uncommon, but what was concerning for me was the method used in these cases to do the spoofing. In these cases, only the 5322.From header was spoofed, which cannot be detected by an SPF check.

  • Ensure your SPF Record is Correct

    I've recently seen an increase in cases that involve incorrectly published SPF records that have resulted in sent mail failing the SPF check. Ensuring your SPF record is up to date is great proactive work that can help prevent issues with SPF checks. In this article I'm going to go over how to properly set your SPF record if you are using Exchange Online or Exchange Online Protection.

    There is also a common mistake that organizations sometimes make in their SPF record when they are smart hosting mail out through EOP which I will also highlight.

  • Recipient Notifications

    The ability to send a notification to the recipient when a transport rule triggers. This is a request that we have received from a lot of customers, and I’m happy to let you know that it is now rolling out in the form of an action in EOP transport...
  • IP Ranges Added to EOP

    On TechNet we publish the range of IP addresses that are used when sending mail out of a custom EOP connector. If you have created an EOP on-premises connector to deliver inbound mail to your on-premises mail environment, or an EOP partner connector to...
  • An Ode to EOP

    This is typically a slow week for people, so what better time than to post something fun about Exchange Online Protection! Back in May I presented a session on EOP at TechEd North America 2014 which took place in Houston. To be a little different,...
  • Top Ten Posts of 2014

    I only began this blog in June of this year and so it’s hard to believe that it is already six months old! Looking back over the past six months I have had a blast writing and sharing articles with the community and have received a lot of positive...
  • Message Trace, the PowerShell Way

    From my experience, a very small number of people actually choose PowerShell over the GUI (Graphical User Interface, i.e. the Office 365 Portal). But once you get a grasp of PowerShell and write some scripts, you’ll see the light and going back to...
  • Exchange Server December Updates

    Update, Dec 11/14: Exchange Server 2010 SP3 Update Rollup 8 has been temporarily pulled due to a problem. Update, Dec 15/14: Exchange Server 2010 SP3 Update Rollup 8 v2 has been posted. While I mainly target Exchange Online Protection with this blog...
  • Remote Desktop Connection Manager updated to v2.7

    Remote Desktop Connection Manager, or RDC Man, is a wonderful piece of software that I’ve been using for the past eight years. RDC Man is one of those applications, like Outlook, that I open almost every single day and although not directly applicable...
  • An Early Gift, EOP Bulk Mail Detection - The Easy Way

    This past summer we added new bulk detection capabilities to Exchange Online Protection. At the time, if you wanted to take advantage of these new capabilities you had to add an EOP transport rule to detect the BCL (bulk complaint level) that EOP stamped...
  • Easily tell which transport rules a message triggered

    Hello fellow traveller, come sit with me by the fire, there is plenty of room. You look to be weak from your travels, I have plenty of rations that I will gladly share with you. I have many stories from my own travels that I would love to share. Wait…...
  • Transport Rule Limit Increase

    In the past the maximum number of transport rules that you could create in Exchange Online (Enterprise, Education, and Government plans) was 100. This limit has recently been increased to 300 (for Enterprise, Education, and Government plans)! For...
  • Best Practices for Finding Executable Content

    This article may be common knowledge for some, but it is important to revisit and refresh ourselves on. You may be aware of what content EOP will flag as being executable, or you may not. In either case, I think this is an important topic so sit back...
  • P2 Headers Now Respected for End User Safe and Blocked Senders Lists

    Exchange Online Protection will now evaluate both the P1 and P2 headers in a message against an end user’s safe and blocked senders list. I know, I’m super excited too! Previously only the P1 header of a message was compared to these lists. Not only...
  • Daisy Chaining with EOP

    Update Dec 23, 2014 – I’ve revised this article to make a couple of points clearer. On the mail flow side there are no issues with daisy chaining. However, if the intent is to evaluate the effectiveness of EOP filtering, having a service sit...
  • Inbound Connector Configuration You’ll Want to Avoid

    I recently worked with a customer who had a configuration in their EOP outbound connector that broke inbound mail for a newly added domain. I want to share this tale in hopes that you not only learn more about EOP partner connectors, but that you decrease...
  • Behavior Change When Setting the SCL with a Transport Rule

    With my coffee currently in one hand, it would be very useful if I could type with only my other hand. Alas I cannot, so I’ll be typing this article with both hands while my coffee waits for me. With none of this at all being relevant to this blog...
  • Special Case, Set SCL to 0

    Update (August 28, 2014) - Setting the SCL with a transport rule to anything from 0 to 4 will cause the behavior that is described in this article. This is a scenario I’ve wanted to write about for some time now as it isn’t very intuitive...
  • Importing Safe and Block Lists with PowerShell

    I just dropped my van off for some maintenance at the dealership and am currently waiting for a shuttle to take me to the office. As I sit here I’m thinking about EOP and PowerShell and have come up with a great idea for this week’s article...
  • One MX to Rule Them All

    Before I start I would like to call out that I think this is the best blog title that I have come up with to date. Surprisingly, or maybe not, I thought of this title and article while I was playing Ultimate Frisbee. My mind was obviously not in the game...
  • Is X-Microsoft-Antispam a New EOP Header

    Yes, yes it is, and I’m glad you noticed! X-Microsoft-Antispam is quite new and only started showing up in messages passing through EOP a few months ago. This new header currently contains two published values to help with bulk mail and phishing...