Blog Post

Exchange Team Blog
5 MIN READ

Spam email and Office 365 environment - connection and content filtering in EOP

The_Exchange_Team's avatar
Aug 18, 2014

In the last related blog postwe gave some introduction about Exchange Online Protection (EOP), what needs to be done when EOP is not working as desired and spam email troubleshooting process and classification. In this blog we will be moving further and discussing some more advanced option to stop spam emails. In addition to the post below, you can learn more about types of anti-spam policy settings available in the Exchange admin center by reading the Office 365 Email Anti-Spam Protection article.

1. IP Block list

The “IP block list” option enables us to block email messages that came from a specific mail server (specific IP).

EOP - using the the IP Block list

  • Login to Office 365 portal, Exchange admin center
  • On the left-side menu bar, choose the Protection menu
  • On the top menu options, choose the connection filter menu
  • Choose the Default connection filter policy
  • In the window that appears, choose the option: connection filtering menu.
  • In the section: IP block list, Choose the plus icon to add the IP address of the Mail server that sent the spam

image

Additional reading

2. International spam

The “International spam” is an interesting option that enables us to block or identify mail as “spam” based on the classification of Geographical location or Language.

Note: We need to be cautious when using this option because we can very easily get into the scenario in which legitimate mail is identified as “bad\spam” mail and be blocked.

Using the International spam option

  • Login to Office 365 portal, Exchange admin center.
  • On the left side menus, choose the protection menu
  • On the top menu options, choose the content filter menu
  • Choose the Default connection filter policy
  • In the window that appears choose the option: international spam menu.

image

We can use one (or both) of the following options:

Blocking mail written in the specific language

  • Choose Filter email messages written in the following languages
  • Click on the Plus icon and choose the specific languages that you want to block

image

Blocking mail by Geographical location

  • Choose Filter email messages sent from the following countries or regions
  • Click on the Plus icon and choose the specific regions that you want to block

image

3. Content filter advanced options

Before we begin with instruction of how to use EOP advanced option for spam mail, let’s explore additional classifications of spam mail types and the tools we can use. Using a high level classification, we can define 3 “families” of spam mail types:

  • Advertisement mail - negative effect of such mail could be considered as “annoying." No real damage is caused to users besides the fact that the user is troubled by the content of the mail (suggestions to buy different medications, enlarge specific body parts and so on). This type of spam mail is automatically blocked (most of the time) by the Office 365 mail gateways. In case that some Advertisement spam mail manages to “sneak in" we can use a solution such as “rules” for blocking this type of spam mail. 
  • Mail with malicious content - this type of spam mail is closer to the definition of “virus” because, the target of the spammer is to cause the destination recipient to click or accept some suggestion that could lead the user to many kinds of attacks such as fraud, phishing and so on.
  • “Other spam mail” - in this group, we have other spam mail types that don’t belong to the former families. As an example, we can mention spam mail described as NDR backscatter.
Content Filter - Advanced options

The “Advanced options” section under the Content Filter section enables us to “harden” the default spam policy that is implemented by the Office 365 mail security gateways. To avoid incorrectly marking legitimate messages as spam, we can use the “Test mode” (we can describe this as a “Learning mode”). This mode enables us to use the “additional security filter” and decide what will happen when a specific mail item is recognized as spam by the security filter without actuallyperforming any action. We can choose to block\delete the mail item or just report the mail item (Test mode).

clip_image002

Using Content Filter - Advanced options

  • Login to Office 365 portal, Exchange admin center.
  • On the left side menus, choose the protection menu
  • On the top menu options, choose the content filter menu
  • Choose the Default connection filter policy
  • In the window that appears choose the option: advanced options menu.

As you can see there are many possible options that we can select. The options are divided into 2 categories: Increase spam Score and, Mark as spam.

image

To be able to demonstrate options available in the Content Filter - Advanced options let describe two scenarios:

  • Scenario 1: Blocking spam mail with malicious content
  • Scenario 2: Blocking spam mail classified as NDR backscatter

Scenario 1: Blocking spam mail with malicious content

Over the last month, users were complaining about spam mail that contains malicious content. When users open the mail item, they are automatically redirected to a web site, and once there are invited to download an executable file. To be able to block this spam mail item, we would activate three additional filters: mark as spam if the mail item is or contains:

Empty messages

JavaScript or VBScript in HTML

Frame or IFrame tags in HTML

image

By default, each of the security filter status is: Off. When we click on the “option arrow," we can see that we can choose the options: “Off," “On” or “Test." In case that we choose the option “On," each mail that contains content that is not allowed by one of the security filters that was selected (such as JavaScript or VBScript in HTML) will be marked as spam.

image

In case that we just want to test the “new security filter” we can choose the option “Test." In the following screenshot, we can see that we can choose one of the following three options:

  • None
  • Add the default test X-header text
  • Send a BCC message to this address  (Note: This address should have a separate mailbox that is just for testing the security filters.)

image

Scenario 2: Blocking spam mail classified as NDR backscatter

NDR backscatter is a special kind of spam because the “mechanism” that’s used by the spammer is different from the “Standard spam mail." NDR backscatter is when spammer forges the user’s email address and sends email on their behalf to other recipients. If the “destination mail system” recognizes the mail as a spam or if the mail is sent to non-existing users, the “destination mail system” creates an NDR message that is sent to the organization recipient (the user whose email address was used by the spammer).

Generally speaking, Office 365 security gateway servers are configured to block this kind of spam mails, but in case that the spam mail manages to “sneak” through, we can add the following filter using the Content Filter - Advanced options.

Using Content Filter - Advanced options - NDR backscatter

  • Login to Office 365 portal, Exchange admin center.
  • On the left side menus, choose the protection menu
  • On the top menu options, choose the content filter menu
  • Choose the Default connection filter policy
  • In the window that appears choose the option: advanced option menu.
  • Choose the option: NDR backscatter, and turn on the security filter

image

That is all for this time. Until we meet again,

Eyal Doron
Tech Lead | Office 365 | Israel

Updated Jul 01, 2019
Version 2.0
  • Great post Mohr! I think an important point worth noting is that the connection filter only sees connecting IPs. Meaning that if we enter an IP in the IP Block List, but an incoming message from that IP is relayed through a server in the middle, EOP will

    only see the IP of the server in the middle and not the originating IP. In this case, we would need to add the IP of the relay server to the IP Block List to have the connection filter block the message.

  • Why is the EOP spam filter so much worse than Forefront? We just had 100 clients which were migrated and without exception we have gotten complaints. It seems to have moved from a solution that "just worked" with very little tweeting to something that

    needs a lot "care", and even then doesn't work as well. It's odd that MS would scrap the technology behind whatever ran Forefront for EOP. I sure hope it gets better because we're now having to look for alternatives.

  • WHOA, thanks.. Do you think I could use something like Xeams in front of this to extra filter???


    Thanks!