I wanted to write a series of blog posts talking about email spam in Office 365. While majority of spam mail is blocked by the Office 365 mail security gateways, there are no perfect systems that will block 100% of spam all the time, some can still get through. In case that we do experience spam mail, we can use several tools and configuration options that are available for us in Office 365 to deal with it and improve effectiveness.

In this series, we will quickly review different types of spam mail. Then we will present different tools that we can use for fighting spam mail in an Office 365 environment and try to “match” the “spam tool” for the task based on the type of the spam.

Also please note that while we are approaching this from Office 365 viewpoint, many of the procedures listed here apply to both on-premises and hybrid deployments.

Introduction

One of the advantages of using Office 365 is that transparently, behind the scenes, we implement EOP – Exchange Online Protection (the former mail security infrastructure was implemented by FOPE services).

The Exchange Online Protection infrastructure serves as mail gateways, which are responsible for the “Hygiene” of incoming and outgoing mail flow. The purpose of this mail gateway’s is to filter any malware, virus or spam that might be included in the mail flow that comes from external sources to Office 365 recipients (incoming mail flow) and also mail that is sent from Office 365 recipients to external sources. A bit over-simplified but think of it like this:

spam1

What should I do when EOP is not working as desired?

EOP aims to provide the best possible protection, but from time to time Office 365 subscribers can experience spam mail that gets into their mailbox.

Before going further into this, let’s not forget that there is no “perfect solution” that will block 100% of spam mail because “spam solutions\gateways”, will always need to face issues of:

  • False Positive - a scenario in which the defending systems recognize legitimate mail is bad\spam mail and blocks the mail. 
  • False Negative - a scenario in which the defending system doesn’t recognize bad\spam mail and the mail reaches recipients mailbox.

Certainly any hygiene solution, even a cloud-based one, will have times when a few messages originating from a creative spammer sneak through before it is recognized as a threat. The advantage that a cloud-based solution offers is that it is set up to recognize those threats quickly, partially due to the quantity of email that it processes.

Additionally, different users will always have slightly different expectations. It is therefore challenging to have a default configuration setting that is perfect for different business customers, each with unique requirements. One person’s spam email can be another person’s legitimate business email. EOP defaults tend to be slightly less strict rather than risk a false positive. If these defaults are not adequate for your organization, EOP offers great flexibility in allowing customization of anti-spam settings.

This series of blog posts will help you understand what to do in either situation.

Spam mail - Troubleshooting process and classification

To create a clear path of the troubleshooting process, we will need to implement the workflow similar to the one in the following diagram:

spam2

Step 1 - Get information about the character of the spam mail.

The most basic step is to get essential information about the spam message. Determine if the mail message is truly a spam message and if so, try to recognize the type of spam. Based on this information, choose the right “tools” for mitigating it (we will cover more of those in future posts).

Questions to answer

Here is a list of questions that could help gather required information:

  • Q: Is the mail considered as spam mail or just standard advertisement mail from a well-known\familiar company?
  • Q: Is the spam mail sent from a specific sender email address?
  • Q: Is the spam mail sent from a specific domain?
  • Q: Does the spam mail include specific keywords in the mail subject\body?
  • Q: Does the spam mail include specific URLs in the mail body that redirect the recipient to another location?
  • Q: Does the spam mail include characters of non-English language?
  • Q: Is the spam mail from a specific geographical location?
  • Q: Is the spam mail directed to a specific user or distribution list in the organization?

General characteristics:

  • Q: Is the spam mail sent on a specific schedule (specific hour or date)?
  • Q: What is the percentage of organization users who get the spam mail?
  • Q: What is the “amount” of the spam mail (single mail item, tens or hundreds of spam mails)?
  • Q: How long has the spam mail been received (days/hours)?
  • Q: When was the last spam mail received?

Step 2 – Report\Block spam mail

When we deal with spam mail, we need to try to block the spam mail by using the available option from the “Server side” (Exchange online and EOP) and the “Client side” (Outlook). The process of blocking the spam mail could be implemented as a combined operation of using tools for filtering spam mail and other tools for reporting (sending a sample of the spam mail) to the Microsoft team that manages the EOP infrastructure.

Dealing with spam mail - Client side

1. Microsoft Junk E-mail Reporting Add-in

The Microsoft Junk E-mail Reporting Add-in, is a very useful Outlook add-in that enables each of the users to report the offending message to Microsoft.

By selecting the mail item and then choosing the option of “Report Junk," the mail item will automatically be sent to the Microsoft mail security team for further analysis and investigation to help to improve the effectiveness of our junk e-mail filtering technologies.

Using the Microsoft Junk E-mail Reporting Add-in

In Outlook 2010\2013, the Microsoft Junk E-mail Reporting Add-in is implemented by additional menu option named: Report junkthat is added to the “Junk” section to be able to report an email as spam. To “mark” mail item as Junk use the following procedure: 

  • Choose the mail items you would like to report
  • On the Home Tab choose the small black arrow of the Junk option.
  • Choose the option Report Junk

spam3

A warning message appears and informs the user that the mail item will be reported as spam. Choose the “Yes” option.

spam4

When we choose the “yes” option, the following events will occur:

  • The mail items that were reported as spam, will be sent to the Junk Email folder.
  • A copy of mail items will be sent to abuse@messaging.microsoft.com as attachments, as can be seen in the sent items folder
  • An acknowledgement email will be sent back to the recipient.

In Outlook 2007, the option to “report junk” will be added on the top menu option.

spam5

2. Outlook Junk option - block sender

Another option that is available for us from “client side” is the Outlook junk component and the option of “block sender” (Add a sender to the Blocked Senders list).

This option is most suitable in a scenario that the spam mail is delivered from a specific recipient email address. In reality, many times the “spammers” mange to send the spam mail by using a different source recipient email address, so the option to “block sender” will not help us in such scenarios.

Add a sender to the Blocked Senders list

In case that you want to block the sender who sends spam mail, we can use the junk menu for blocking this recipient.

  • Choose the required mail items,
  • In the Home Tab chooses the small black arrow of the Junk option.
  • Choose the option Block sender

spam6

Additional reading:

3. Unsubscribe from a mailing list

In case that the user reports “spam mail” and when checking the mail item, we see that the sender is not considered as “spammer” (mail is just a standard advertising email that is sent to a distribution list that the user is on), most of the time the mail will include an option that enables the user to unsubscribe from the mailing list.  So, before we start to use the “heavy artillery," please check if the option of “unsubscribe” exists and unsubscribe from the mailing list.

4. Educate users: How to avoid spam

Educating users to avoid spam belongs to a “proactive” section in which we are trying to avoid a scenario that could lead to spam mail. 

By providing our users instructions and guidance about behavior they should avoid, we can prevent or significantly reduce in advance the occurrence of “spam events."

You can read more information about this subject by using the following link:

10 tips on how to help reduce spam

That is all for today – part 2 (starting to talk about server side solutions) to follow soon!

Eyal Doron
Tech Lead | Office 365 | Israel