High-risk delivery pool for outbound messages


Hi, I have a question regarding the High-risk delivery pool for outbound messages.

If I receive a message in the Junk Mail folder (SCL 6), can I check whether this SCL was given by my incoming spam filter policy, or by the outgoing spam filter policy on the sender's side that used the EOP High-risk delivery pool for outbound messages?

Both sender and receiver are on Office365 but different tenants.

BR, Ruslan

5 Replies
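@RNalivaika

I'd suggest analysing the message headers using - https://mha.azurewebsites.net/

Also, this explains the process well too - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide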

I have found out how I can see if SCL was given upon outgoing filtering: we see that in the header part "x-forefront-antispam-report-untrusted", while the incoming filtering is reported in "x-forefront-antispam-report" (without the untrusted suffix).

This one was useful: https://c7solutions.com/2013/10/what-is-x-forefront-antispam-report-untrusted

 

Though, I am still looking for more signs in the header which would tell me if the message was sent through the high-risk pool.

Do the messages have SFS:10001?

Sorry, I meant SFP:1501

@Matthew_79 thanks for the response. I see SFP empty in the "x-forefront-antispam-report" section, and SFP:1101 in "x-forefront-antispam-report-untrusted". BR, Ruslan
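
The header comparison discussed in this thread, as an added example that is not part of any post: it parses both "x-forefront-antispam-report" headers from a raw message and puts their SCL, SFV, SFP, CAT and DIR fields side by side. The sample message is constructed (only SCL 6, SFP:1101 and the empty SFP mirror the values reported above), and the function names are hypothetical.

```python
from email import message_from_string, policy

# Constructed sample message; addresses, hosts and IPs are placeholders.
SAMPLE = """\
From: sender@contoso.example
To: ruslan@fabrikam.example
Subject: constructed sample
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:6;
 SRV:;IPV:NLI;SFV:SPM;H:mail.contoso.example;PTR:;CAT:OSPM;SFS:;DIR:OUT;SFP:1101;
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:6;SRV:;
 IPV:NLI;SFV:SPM;H:mail.contoso.example;PTR:;CAT:SPM;SFS:;DIR:INB;SFP:;

body
"""

HEADERS = {
    "untrusted": "X-Forefront-Antispam-Report-Untrusted",
    "trusted": "X-Forefront-Antispam-Report",
}


def parse_report(value):
    """Split 'KEY:value;KEY:value;' into a dict. Only the first ':' separates
    key from value, so IPv6 addresses in CIP survive intact."""
    fields = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        key, _, val = token.partition(":")
        fields[key.strip().upper()] = val.strip()
    return fields


def compare_reports(raw_message, keys=("SCL", "SFV", "SFP", "CAT", "DIR")):
    """Return {'untrusted': {...} or None, 'trusted': {...} or None}."""
    # policy.default unfolds headers that wrap over several lines.
    msg = message_from_string(raw_message, policy=policy.default)
    result = {}
    for label, name in HEADERS.items():
        value = msg.get(name)  # topmost occurrence, or None if absent
        if value is None:
            result[label] = None
        else:
            fields = parse_report(str(value))
            result[label] = {k: fields.get(k) for k in keys}
    return result


if __name__ == "__main__":
    for label, fields in compare_reports(SAMPLE).items():
        print(label, fields)
```

A `None` entry means the header is absent from the message, which is different from a field such as SFP being present but empty.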