Oct 09 2020 09:15 AM
In Exchange Online some mails are moved to the Junk folder. Can I get a report on why the mails were moved to the Junk folder?
I don't like to create large whitelists.
Thanks for your help
Stefan
Oct 09 2020 03:35 PM
The message headers on the emails themselves should be able to provide some information on why the email was sent to spam.
Oct 10 2020 12:20 AM
Also you can use https://mha.azurewebsites.net/ to analyze the header and see what's going on
Oct 10 2020 01:54 AM
Thanks for the link.
What does the process for working with junk emails look like? After the introduction of Exchange Online, the number of false positives in junk emails is going up.
I can create whitelists and the email/domain bypasses the spam check. But I don't think this is a good idea.
Oct 10 2020 02:17 AM
Creating a whitelist is not a proper solution, as later on if this mailbox is infected and starts sending you spam, this spam will get inside your org.
I would recommend reviewing your organization's SCL level.
Use the command Get-OrganizationConfig | select *scl* and check the number; the higher the number, the more likely emails are marked as SPAM.
Did you review Protection.microsoft.com?
Review the policy with Get-HostedContentFilterPolicy
Also you need to understand that no matter your configuration, you will still have false positives, as sometimes it's not your problem so much as the sender's problem, such as
- senders are embedding vbs in your email (they don't know)
- the sender has a bad email server configuration (no SPF ...)
- the sender has an IFRAME
Try the Report Message Add-in
Oct 10 2020 03:08 AM
These are the PowerShell results.
PS C:\Users\123456> Get-HostedContentFilterPolicy
Name SpamAction HighConfidenceSpamAction IsDefault
---- ---------- ------------------------ ---------
Default MoveToJmf MoveToJmf True
PS C:\Users\123456> Get-OrganizationConfig | select *scl*
SCLJunkThreshold
----------------
4
I could learn a lot from you. Can you recommend a good book about Exchange Online?
Thanks a lot
Oct 10 2020 03:43 AM
Go to Protection.microsoft.com and create a new policy that fits your organization's needs; it seems that you are still using the basic one.
Also if you can dump one of the email headers from the junk here we might be able to help you in finding out why the emails are marked as junk, but usually due to an increase in SCL rate, which can be caused by the message content.
The SCL level set to 4 is the default one and seems to be fine.
For the learning, I am just like you: I have a lot to struggle with, googling and reading, usually the Microsoft site; even though their documentation is a bit boring, it's fine.
Oct 10 2020 04:34 AM
First I need to read to build a good/better policy.
Here is an email header
Summary
Subject: Newsletter Oktober 2020
Message Id: <5e4f2c81f89ede179062bbb51.2605fd13e6.20201004092327.22f27f5817.4259941e@mail94.suw111.mcdlv.net>
Creation time: Sun, 4 Oct 2020 09:23:33 +0000
From: Frank Geisler <FGE@sqlpass.de>
Reply to: Frank Geisler <FGE@sqlpass.de>
To: <stefan.kiessig@lll.de>
Received
Hop: 1
From: localhost (localhost [127.0.0.1])
By: mail94.suw111.mcdlv.net (Mailchimp)
With: ESMTP
Id: 4C3yvz6n3Cz1wBFnH
For: <stefan.kiessig@lll.de>
Date: 10/4/2020 11:23:43 AM
Hop: 2
From: mail94.suw111.mcdlv.net (198.2.185.94)
By: AM5EUR03FT016.mail.protection.outlook.com (10.152.16.142)
With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
Id: 15.20.3433.34
Via: Frontend Transport
Date: 10/4/2020 11:23:46 AM
Delay: 3 seconds
Percent: 50
Hop: 3
From: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com (2603:10a6:206:14:cafe::d5)
By: AM5PR0301CA0022.outlook.office365.com (2603:10a6:206:14::35)
With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
Id: 15.20.3433.36
Via: Frontend Transport
Date: 10/4/2020 11:23:47 AM
Delay: 1 second
Percent: 16.666666666666668
Hop: 4
From: AM5PR0301CA0022.eurprd03.prod.outlook.com (2603:10a6:206:14::35)
By: AM6PR08MB4198.eurprd08.prod.outlook.com (2603:10a6:20b:a7::32)
With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
Id: 15.20.3433.36
Date: 10/4/2020 11:23:47 AM
Delay: 0 seconds
Hop: 5
From: AM6PR08MB4198.eurprd08.prod.outlook.com (2603:10a6:20b:a7::32)
By: DBBPR08MB4726.eurprd08.prod.outlook.com
With: HTTPS
Date: 10/4/2020 11:23:49 AM
Delay: 2 seconds
Percent: 33.333333333333336
ForefrontAntiSpamReport
Country/Region: US
Language: de
Spam Confidence Level: 5
Spam Filtering Verdict: SPM
IP Filter Verdict: NLI
HELO/EHLO String: mail94.suw111.mcdlv.net
PTR Record: mail94.suw111.mcdlv.net
Connecting IP Address: 198.2.185.94
Protection Policy Category: SPOOF
Spam rules: (4636009)(6666004)(42882007)(7636003)(8676002)(33964004)(7596003)(16799955002)(3450700001)(356005)(5660300002)(7116003)(166002)(15974865002)(83080400001)(9686003)(336012)(76236003)(66574015)(58800400005)(6916009)(19810500001)(16670700002)(26005)(1096003)(83170400001)(7126003)(966005)(83380400001)(70420200002)
Source header: CIP:198.2.185.94;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail94.suw111.mcdlv.net;PTR:mail94.suw111.mcdlv.net;CAT:SPOOF;SFS:(4636009)(6666004)(42882007)(7636003)(8676002)(33964004)(7596003)(16799955002)(3450700001)(356005)(5660300002)(7116003)(166002)(15974865002)(83080400001)(9686003)(336012)(76236003)(66574015)(58800400005)(6916009)(19810500001)(16670700002)(26005)(1096003)(83170400001)(7126003)(966005)(83380400001)(70420200002);DIR:INB;
Unknown fields: DIR:INB;
AntiSpamReport
Bulk Complaint Level: 0
Source header: BCL:0;
Other
Authentication-Results: spf=pass (sender IP is 198.2.185.94) smtp.mailfrom=mail94.suw111.mcdlv.net; lll.de; dkim=pass (signature was verified) header.d=mailchimpapp.net;lll.de; dmarc=none action=none header.from=sqlpass.de;compauth=fail reason=001
Received-SPF: Pass (protection.outlook.com: domain of mail94.suw111.mcdlv.net designates 198.2.185.94 as permitted sender) receiver=protection.outlook.com; client-ip=198.2.185.94; helo=mail94.suw111.mcdlv.net;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net; s=k2; t=1601803423; i=fge=3Dsqlpass.de@mailchimpapp.net; bh=VKtPPqjYq1qddhiT8Pi1rKG2XPmSvzjO2t68d6jJYJw=; h=Subject:From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe: Content-Type:MIME-Version; b=HCm7cw3/meDiLrkthtktvYduDaDbjClPRW2+d/eNaFdjDCqdi1gDkjSymab7xZLp+ QDQENWgA/aCsONFYmOPM+9Wx9O33ZZwY2rlZGjvmVYZUzXOy53o1Kiw32jfNHOMT1e x3sZyQx/grV9olj0EoHBBZKcjR8vJKYdvrCBqF8jN2WyK1OFzH+4XrqmTxCyOS3eAT juoY8SItrg7Y3bxjRTX12R/36u5vmmC51ggssrLQYYoidGAnZW7HCI24weCYm8SCkV uN8tNoeG1u5iUbECoqY0sEi1sesWx+s03DkQhIymUUvKRwoy96vYkya8B3Anf7X/u3 qhtODQuszpOnQ==
X-Mailer: MailChimp Mailer - **CID22f27f58172605fd13e6**
X-Campaign: mailchimp5e4f2c81f89ede179062bbb51.22f27f5817
X-campaignid: mailchimp5e4f2c81f89ede179062bbb51.22f27f5817
X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u=5e4f2c81f89ede179062bbb51&id=22f27f5817&e=2605fd13e6
X-MC-User: 5e4f2c81f89ede179062bbb51
Feedback-ID: 41713949:41713949.2063253:us10:mc
List-ID: 5e4f2c81f89ede179062bbb51mc list <5e4f2c81f89ede179062bbb51.309913.list-id.mcsv.net>
X-Accounttype: pd
List-Unsubscribe: <https://sqlpass.us10.list-manage.com/unsubscribe?u=5e4f2c81f89ede179062bbb51&id=9c25e1e776&e=2605fd1...>, <mailto:unsubscribe-mc.us10_5e4f2c81f89ede179062bbb51.22f27f5817-2605fd13e6@mailin.mcsv.net?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: multipart/alternative; boundary="_----------=_MCPart_876561490"
MIME-Version: 1.0
Return-Path: bounce-mc.us10_41713949.2063253-2605fd13e6@mail94.suw111.mcdlv.net
X-MS-Exchange-Organization-ExpirationStartTime: 04 Oct 2020 09:23:46.9199 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: d1794c7e-c5bd-4cb5-97d8-a24c2d32e2e2:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Matching-Connectors: 132462770269308931;(c6818461-f3df-4f51-3041-08d5a06fda1b);()
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253
X-MS-TrafficTypeDiagnostic: AM6PR08MB4198:
X-MS-Exchange-AtpMessageProperties: SA
X-MS-Oob-TLC-OOBClassifiers: OLM:327;
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Oct 2020 09:23:46.6903 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253
X-MS-Exchange-CrossTenant-Id: d1794c7e-c5bd-4cb5-97d8-a24c2d32e2e2
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4198
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.3220394
X-MS-Exchange-Processed-By-BccFoldering: 15.20.3433.042
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:1;auth:0;dest:J;ENG:(20160513016)(750128)(520011016)(944506458)(944626604);
Oct 10 2020 04:36 AM
What is your process?
Do the colleagues send you the emails and you analyze the headers? Or is there a better way?
Oct 10 2020 11:20 AM
What I see in this email header is that the SCL is set to 5 in this message and your settings are set to 4, causing this message to be spam. The reason behind this is the antispam itself and how it categorizes this message; it seems that this message is from a mailing list, and I guess the score of this email will be increased.
A useful link on how to check the report can be found here.
Check this link:
https://docs.microsoft.com/en-us/exchange/monitoring/use-mail-protection-reports
I would highly recommend going through the Security and Compliance Center and creating a new policy which fits your organization's needs.
Hope this helps
-------------------------------
If you find this answer helpful, please don't forget to click best response and hit the like sign :)
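The advice earlier in the thread (check SCLJunkThreshold, read the headers) and the analysis above can be turned into a repeatable check. The following Python script is an added example, not code from the thread or from Microsoft: it parses the X-Forefront-Antispam-Report source string and the Authentication-Results value posted above, compares the SCL with the SCLJunkThreshold of 4 shown in the PowerShell output, and lists the reasons a defender would cite for the Junk verdict. The SFV wording is our own paraphrase, the SFS rule list is shortened, and the compauth reason code is reported without interpretation.

```python
"""Explain an EOP junk verdict from two headers. Added example, not from the thread."""
import re

# Values copied from the header dump in the thread (SFS rule list shortened).
FOREFRONT = ("CIP:198.2.185.94;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
             "H:mail94.suw111.mcdlv.net;PTR:mail94.suw111.mcdlv.net;CAT:SPOOF;"
             "SFS:(4636009)(6666004);DIR:INB;")
AUTH_RESULTS = ("spf=pass (sender IP is 198.2.185.94) smtp.mailfrom=mail94.suw111.mcdlv.net; "
                "lll.de; dkim=pass (signature was verified) header.d=mailchimpapp.net;lll.de; "
                "dmarc=none action=none header.from=sqlpass.de;compauth=fail reason=001")
SCL_JUNK_THRESHOLD = 4  # from Get-OrganizationConfig | select *scl* in the thread

# Our paraphrase of the common SFV values; not Microsoft's wording.
SFV = {"SPM": "content filter verdict: spam", "NSPM": "not spam", "SKI": "filtering skipped"}

def parse_forefront(value):
    """Turn 'KEY:VAL;KEY:VAL;' into a dict (SFS keeps its raw rule-id string)."""
    fields = {}
    for part in value.split(";"):
        if ":" in part:
            key, val = part.split(":", 1)
            fields[key.strip()] = val.strip()
    return fields

def parse_auth_results(value):
    """Extract method results (spf/dkim/dmarc/compauth) and the domains each one checked."""
    out = {m.group(1): m.group(2) for m in re.finditer(r"(spf|dkim|dmarc|compauth)=(\w+)", value)}
    for key, pat in (("mailfrom", r"smtp\.mailfrom=([^;\s]+)"), ("dkim_d", r"header\.d=([^;\s]+)"),
                     ("from", r"header\.from=([^;\s]+)"), ("reason", r"reason=(\w+)")):
        m = re.search(pat, value)
        if m:
            out[key] = m.group(1)
    return out

def explain_junk_verdict(forefront, auth_results, junk_threshold):
    """Return the routing decision plus human-readable reasons drawn from the headers."""
    ff, ar = parse_forefront(forefront), parse_auth_results(auth_results)
    scl = int(ff.get("SCL", "-1"))
    junk = scl > junk_threshold  # messages with SCL above SCLJunkThreshold land in Junk Email
    reasons = [f"SCL {scl} {'exceeds' if junk else 'is within'} SCLJunkThreshold {junk_threshold}"]
    if ff.get("SFV") in SFV:
        reasons.append(f"SFV:{ff['SFV']} = {SFV[ff['SFV']]}")
    if ff.get("CAT"):
        reasons.append(f"CAT:{ff['CAT']} = protection policy category assigned by EOP")
    # Implicit alignment: does the visible From domain match what SPF or DKIM vouched for?
    frm = ar.get("from", "")
    aligned = bool(frm) and any(d == frm or d.endswith("." + frm)
                                for d in (ar.get("mailfrom", ""), ar.get("dkim_d", "")))
    if ar.get("compauth") == "fail":
        reasons.append(f"compauth=fail (reason {ar.get('reason')}): From domain {frm} not vouched "
                       f"for by SPF ({ar.get('mailfrom')}) or DKIM ({ar.get('dkim_d')}), dmarc={ar.get('dmarc')}")
    return {"junk": junk, "scl": scl, "aligned": aligned, "reasons": reasons}
```

Run it over a header exported from the Junk folder and the reasons list tells you whether a whitelist entry would merely mask a sender-side alignment problem that the sender should fix.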