Exchange AMA
Event Ended
Wednesday, May 10, 2023, 09:00 AM PDT
We are excited to announce an Exchange AMA on Wednesday, May 10th at 9:00 AM Pacific time!
On March 23, 2023, Microsoft announced a new transport-based enforcement system in Exchange Online tha...
Meenah_Khosraw
Updated May 10, 2023
ScottSchnoll
May 09, 2023 (Former Employee)
We do use information in the SMTP headers, but we also correlate it for server ownership attribution. That's one of the reasons we are starting with a specific scope of Exchange 2007 servers that send email to Exchange Online using an inbound connector type of OnPremises. This allows us to identify the customer who runs the Exchange Server and notify them both via Message Center and through the new reports in EAC, well before any throttling or blocking takes place. Right now, the focus is on removing persistently vulnerable servers from the ecosystem. Should a bad actor compromise a server and try to spoof the headers to look like an unpatched server, that would not trigger throttling or blocking right away. It takes 30 days after the server is detected for throttling to kick in, which then increases over the next 30 days. An admin monitoring the system would notice queues building and SMTP errors in their logs. When blocking begins, senders start receiving NDRs which state why the message is being blocked. The real concern is the bad actor that compromises a server and then sends a few key messages that can cause mayhem. That's what we are trying to prevent.
Eriq_VanBibber
May 09, 2023 (Brass Contributor)
Sounds good to me. I like it, btw.