In the last related blog post we gave an introduction to Exchange Online Protection (EOP), what needs to be done when EOP is not working as desired, and the spam email troubleshooting process and classification. In this post we move further and discuss some more advanced options to stop spam email.
The “IP block list” option enables us to block email messages that come from a specific mail server (a specific IP address).
EOP - using the IP Block list
The “International spam” option is an interesting one that enables us to block mail, or identify it as “spam”, based on its geographical origin or language.
Note: We need to be cautious when using this option because we can very easily get into the scenario in which legitimate mail is identified as “bad\spam” mail and be blocked.
Using the International spam option
We can use one (or both) of the following options:
Blocking mail written in the specific language
Blocking mail by Geographical location
Before we begin with instructions on how to use the EOP advanced options for spam mail, let’s explore additional classifications of spam mail types and the tools we can use. Using a high-level classification, we can define 3 “families” of spam mail types:
The “Advanced options” section under the Content Filter section enables us to “harden” the default spam policy that is implemented by the Office 365 mail security gateways. To avoid incorrectly marking legitimate messages as spam, we can use “Test mode” (we can describe this as a “Learning mode”). This mode enables us to use the “additional security filter” and decide what will happen when a specific mail item is recognized as spam by the security filter, without actually performing any action. We can choose to block\delete the mail item or just report the mail item (Test mode).
Using Content Filter - Advanced options
As you can see, there are many possible options that we can select. The options are divided into 2 categories: Increase spam score and Mark as spam.
To demonstrate the options available under Content Filter - Advanced options, let’s describe two scenarios:
Scenario 1: Blocking spam mail with malicious content
Over the last month, users were complaining about spam mail that contains malicious content. When users open the mail item, they are automatically redirected to a web site, and once there, they are invited to download an executable file. To block this spam mail item, we would activate three additional filters: mark as spam if the mail item is or contains:
Frame or IFrame tags in HTML
If we just want to test the “new security filter”, we can choose the option “Test”. In the following screenshot, we can see that we can choose one of the following three options:
Scenario 2: Blocking spam mail classified as NDR backscatter
NDR backscatter is a special kind of spam because the “mechanism” used by the spammer is different from “standard spam mail”. NDR backscatter occurs when a spammer forges the user’s email address and sends email on their behalf to other recipients. If the “destination mail system” recognizes the mail as spam, or if the mail is sent to non-existing users, the “destination mail system” creates an NDR message that is sent back to the organization recipient (the user whose email address was forged by the spammer).
Generally speaking, Office 365 security gateway servers are configured to block this kind of spam mail, but in case spam mail manages to “sneak” through, we can add the following filter using Content Filter - Advanced options.
Using Content Filter - Advanced options - NDR backscatter
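The same settings described above (Scenario 1, Scenario 2, the International spam option and the IP block list) can be applied from Exchange Online PowerShell instead of the portal. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an Exchange admin role, and the policy name “Default” plus every IP, language and region value are constructed samples.

```powershell
# Added example: apply the advanced spam options with Exchange Online cmdlets.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
# "Default" is the built-in policy name; sample IP/language/region values are constructed.
Connect-ExchangeOnline

# Scenario 1 (frame/iframe tags) and Scenario 2 (NDR backscatter), in Test mode first.
# TestModeAction AddXHeader only stamps an X-header on matching mail instead of
# blocking it, so false positives can be reviewed before the filter is enforced.
Set-HostedContentFilterPolicy -Identity "Default" `
    -MarkAsSpamFramesInHtml Test `
    -MarkAsSpamNdrBackscatter Test `
    -TestModeAction AddXHeader

# International spam: block by language and by geographical region (sample codes).
Set-HostedContentFilterPolicy -Identity "Default" `
    -EnableLanguageBlockList $true -LanguageBlockList @("ru", "de") `
    -EnableRegionBlockList $true -RegionBlockList @("XX")   # "XX" is a placeholder

# The IP block list lives on the connection filter policy, not the content filter.
# 203.0.113.0/24 is a documentation range used here as a placeholder sender.
Set-HostedConnectionFilterPolicy -Identity "Default" -IPBlockList @{Add = "203.0.113.0/24"}

# Review the resulting configuration before switching the Test values to On.
Get-HostedContentFilterPolicy -Identity "Default" |
    Select-Object Name, MarkAsSpamFramesInHtml, MarkAsSpamNdrBackscatter, TestModeAction,
                  EnableLanguageBlockList, LanguageBlockList,
                  EnableRegionBlockList, RegionBlockList

# Once no legitimate mail carries the test X-header, enforce the two filters:
# Set-HostedContentFilterPolicy -Identity "Default" `
#     -MarkAsSpamFramesInHtml On -MarkAsSpamNdrBackscatter On
```

Messages caught in Test mode can be found by searching recipients' mailboxes or a message trace for the added X-header before the filters are switched from Test to On.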
That is all for this time. Until we meet again,
Eyal Doron Tech Lead | Office 365 | Israel