Exchange AMA
Wednesday, May 10, 2023, 09:00 AM PDT
Event details
We are excited to announce an Exchange AMA on Wednesday, May 10th at 9:00 AM Pacific time!
On March 23, 2023, Microsoft announced a new transport-based enforcement system in Exchange Online tha...
Meenah_Khosraw
Updated May 10, 2023
Eriq_VanBibber
May 09, 2023, Brass Contributor
How will MS verify that mail is truly coming from an unpatched server? I mean, if it's only looking at some SMTP headers or something, the same could be spoofed (for good or bad) quite easily. My concern is that some on-premises server becomes compromised (even a fully patched server) and then purposely floods O365 with bogus messages that look like they're from an unpatched server in order to cause all mail to be blocked. Sort of like a DDoS.
Similarly, what about a bad actor that simply starts sending mail to an O365 entity with purposely created bad info? Could a bad actor force mail to be blocked to that entity in any way?
- ScottSchnoll, May 09, 2023, Former Employee: We do use information in the SMTP headers, but we also correlate it for server ownership attribution. That's one of the reasons we are starting with a specific scope of Exchange 2007 servers that send email to Exchange Online using an inbound connector type of OnPremises. This allows us to identify the customer who runs the Exchange Server and notify them both via Message Center and through the new reports in EAC, well before any throttling or blocking takes place. Right now, the focus is on removing persistently vulnerable servers from the ecosystem. Should a bad actor compromise a server and try to spoof the headers to look like an unpatched server, that would not trigger throttling or blocking right away. It takes 30 days after the server is detected for throttling to kick in, which then increases over the next 30 days. An admin monitoring the system would notice queues building and SMTP errors in their logs. When blocking begins, senders start receiving NDRs which state why the message is being blocked. The real concern is the bad actor that compromises a server and then sends a few key messages that can cause mayhem. That's what we are trying to prevent.
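The answer above ties enforcement to two things an admin can check on their own side: which inbound connectors of type OnPremises exist in the tenant (that is the attribution path described), and whether the on-premises servers behind them are old builds or already showing queue growth and SMTP failures. The following PowerShell is an added example written for this thread; it is not Microsoft's code and not part of the enforcement system. It assumes you already have an Exchange Online PowerShell session (Get-InboundConnector) and, separately, the Exchange Management Shell on the on-premises server (Get-ExchangeServer, Get-Queue, Get-MessageTrackingLog). The version prefix "8." for Exchange 2007 and the 24-hour lookback are assumptions chosen for the example.

```powershell
# --- Part 1: run in an Exchange Online PowerShell session ---
# List the connectors that put your on-premises servers in scope of the
# enforcement system: inbound connectors whose ConnectorType is OnPremises.
$onPremConnectors = Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Select-Object Name, Enabled, SenderDomains, TlsSenderCertificateName

$onPremConnectors | Format-Table -AutoSize

# --- Part 2: run in the on-premises Exchange Management Shell ---
# Exchange 2007 reports an AdminDisplayVersion beginning with "8."
# (assumption for this example; check the build against Microsoft's
# published build numbers before acting on it).
$legacyServers = Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.ToString() -like 'Version 8.*' } |
    Select-Object Name, AdminDisplayVersion, ServerRole

if ($legacyServers) {
    Write-Warning "Servers on Exchange 2007 builds (in scope of the first enforcement wave):"
    $legacyServers | Format-Table -AutoSize
}

# Queue growth is the early symptom the answer mentions once throttling starts.
# Surface queues that are not empty or that carry a last error.
Get-Queue |
    Where-Object { $_.MessageCount -gt 0 -or $_.LastError } |
    Select-Object Identity, DeliveryType, Status, MessageCount, LastError |
    Format-Table -AutoSize

# Delivery failures in the last 24 hours (lookback is an assumption); the
# RecipientStatus column carries the remote SMTP response, which is where an
# enforcement NDR text would appear once blocking begins.
$since = (Get-Date).AddDays(-1)
Get-MessageTrackingLog -EventId FAIL -Start $since -ResultSize Unlimited |
    Select-Object Timestamp, Sender, Recipients, RecipientStatus |
    Sort-Object Timestamp -Descending |
    Format-Table -AutoSize
```

Part 1 tells you which connectors are in scope; Part 2 tells you whether the servers behind them are on the targeted version and whether throttling is already visible as queue build-up or SMTP errors, which matches the signals the answer says an admin would notice before blocking starts.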
- Eriq_VanBibber, May 09, 2023, Brass Contributor: Sounds good to me. I like it, btw.