Microsoft Tech Community

Tenant Allow/Block Lists Versus Anti-spam List


Hello,

I am an unsophisticated administrator for my account. So if I am posting this information in the wrong location, please forgive me and let me know where it should be posted.

I have been getting inundated with financial spam or phishing emails. This spammer creates new domain names on a daily or weekly basis, and then sends new spam from these new domains. I typically get about thirty spam emails a day. And my guess is that, although they come from different domains, there is one organization behind all of them. Often, I get more than one email per domain per day. Fortunately, most of these emails end up in my junk folder.

I want to stop these spammers from even reaching my Junk folder in Outlook. I want to keep them completely out of my email system.

At first, I went to Microsoft 365 Defender > Email & collaboration > Policies & Rules > Threat policies and added their emails and domains to “Tenant Allow/Block Lists.” While that captured most of the known spam emails, one got through to my Junk folder. Being curious, I contacted Microsoft.

I was told to add the spammers’ email addresses and domains to the “Anti-spam” list.

I am not sure if this change will solve my concern.

My question is as follows: What is the difference between these two lists? And why should I choose one over the other?

My recommendations are as follows:

  • For the Anti-spam list, it would be helpful to allow users to add more than one email address or domain name at a time. At present, it is painful manually adding many entries.
  • For the Anti-spam list, it would be helpful to add the date each entry was added and allow for a comment section, similar to the Tenant Allow/Block list.
  • It would be great if users or admins could right-click on a spam or phishing email in their Outlook programs and then have that email address or domain name blocked from reaching Outlook in the future. Because this affects the organization, perhaps it is best if this ability is restricted to administrators.
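The first recommendation above (adding many entries at once) is something the Exchange Online PowerShell module already does from a script, so here is an added example; it is not code from the original post or from Microsoft's documentation. It loads a text file of spammer addresses and domains into both places the thread discusses: the Tenant Allow/Block List (one list for the whole tenant, with notes and expiry) and the blocked-sender lists of an anti-spam policy (scoped to whichever recipients that policy's rule covers). The file name `.\spammers.txt`, the policy name `Default` and the batch size of 20 are assumptions; check the batch limit against `Get-Help New-TenantAllowBlockListItems` in your tenant.

```powershell
# Added example, not from the original post: bulk-load sender blocks into the
# Tenant Allow/Block List and into an anti-spam (hosted content filter) policy.
# Assumes the ExchangeOnlineManagement module is installed and that
# .\spammers.txt (assumed file) holds one address or domain per line.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$entries = @(Get-Content .\spammers.txt |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique)

# The anti-spam policy keeps addresses and bare domains in two separate lists,
# so split them here; the Tenant Allow/Block List takes both in one call.
$addresses = @($entries | Where-Object { $_ -like '*@*' })
$domains   = @($entries | Where-Object { $_ -notlike '*@*' })

# 1. Tenant Allow/Block List: applies tenant-wide. Entries are sent in batches
#    of 20 (assumed per-call limit; verify in your tenant) with a dated note.
for ($i = 0; $i -lt $entries.Count; $i += 20) {
    $batch = @($entries[$i..([Math]::Min($i + 19, $entries.Count - 1))])
    New-TenantAllowBlockListItems -ListType Sender -Block -Entries $batch `
        -NoExpiration -Notes ("Bulk import {0:yyyy-MM-dd}" -f (Get-Date))
}

# 2. Anti-spam policy: scoped by the policy's recipients. The @{Add=...}
#    syntax appends to the existing list instead of replacing it.
$policy = 'Default'   # assumed policy name; list yours with Get-HostedContentFilterPolicy
if ($domains.Count)   { Set-HostedContentFilterPolicy -Identity $policy -BlockedSenderDomains @{Add = $domains} }
if ($addresses.Count) { Set-HostedContentFilterPolicy -Identity $policy -BlockedSenders       @{Add = $addresses} }

# Confirm what is now in place in both lists.
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Select-Object Value, Notes, ExpirationDate
Get-HostedContentFilterPolicy -Identity $policy |
    Select-Object -ExpandProperty BlockedSenderDomains
```

Re-running the script with the same file is safe for the anti-spam policy (duplicates are ignored on `Add`), but the Tenant Allow/Block List call rejects entries that already exist, so keep the file to new entries or remove the old ones first with `Remove-TenantAllowBlockListItems`.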

4 Replies
As an update, I have added the one feisty spam’s domain and email address to the Tenant Allow/Block List and to the Anti-spam list too. So it should be covered by four different rules in total. Yet it has managed to evade detection and wind up in my Junk folder.

The Tenant Allow/Block list applies to your whole tenancy. Anti-spam policies can apply to specific domains, recipients or groups of recipients, and you can have several policies. If you have a persistent spammer who regularly morphs, have you checked to see if spammy (a) has a consistent sending IP address range that (b) is not shared with many more legitimate senders?
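Questions (a) and (b) in the reply above can be answered from Exchange Online message trace data rather than by reading headers one message at a time. The following is an added example, not code from the thread: it pulls every inbound message for one mailbox over the last ten days (the most `Get-MessageTrace` covers), collapses each sending IPv4 address to its /24, and reports per range how many messages EOP filtered as spam and which sender domains share that range. The recipient address is an assumed value.

```powershell
# Added example, not from the thread: does the spammer use a consistent sending
# IP range, and is that range shared with legitimate senders? Assumes an
# Exchange Online session; the mailbox address below is an assumed value.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$me    = 'you@contoso.example'     # assumed recipient address
$end   = Get-Date
$start = $end.AddDays(-10)         # Get-MessageTrace reaches back at most 10 days

# Page through the trace until a page comes back empty.
$trace = @()
$page  = 1
do {
    $chunk = @(Get-MessageTrace -RecipientAddress $me -StartDate $start -EndDate $end `
                                -PageSize 5000 -Page $page)
    $trace += $chunk
    $page++
} while ($chunk.Count -gt 0)

# Reduce each IPv4 sender address to its /24, and note whether EOP filtered the
# message as spam (Status 'FilteredAsSpam' covers mail routed to Junk Email).
$rows = $trace |
    Where-Object { $_.FromIP -match '^\d{1,3}(\.\d{1,3}){3}$' } |
    ForEach-Object {
        $prefix = ($_.FromIP -split '\.')[0..2] -join '.'
        [pscustomobject]@{
            Prefix = "$prefix.0/24"
            Domain = ($_.SenderAddress -split '@')[-1].ToLower()
            Junk   = ($_.Status -eq 'FilteredAsSpam')
        }
    }

# One line per /24: total mail, how much was filtered, and the sender domains
# seen from that range. A range that is all junk from throw-away domains is a
# candidate for an IP block; a range that also carries mail you want is not.
$rows | Group-Object Prefix | ForEach-Object {
    [pscustomobject]@{
        Prefix       = $_.Name
        Messages     = $_.Count
        FilteredSpam = @($_.Group | Where-Object { $_.Junk }).Count
        Domains      = (@($_.Group.Domain | Sort-Object -Unique) -join ', ')
    }
} | Sort-Object FilteredSpam -Descending | Format-Table -AutoSize
```

If the spam shows up under ranges whose `Domains` column also lists senders you rely on, an IP-based block in the connection filter policy would take those senders down with it, which is the shared-range problem the reply is asking about.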

@ExMSW4319

Thank you for your message. Although I have a corporate account, I am the sole tenant. I want my blocks to apply to me and anyone else that I decide to add to my corporate account. I find the Tenant Allow/Block List easier for entering data than the Anti-spam policy lists. So that is what I will use going forward.

Regarding your question about whether I have checked to see if spammy (a) has a consistent sending IP address range that (b) is not shared with many more legitimate senders:

I am not sure how to do that. I have enclosed four screenshots from two different spam emails from the same sender. 1-A and 1-B are two screenshots from Message Header Analyzer for one spam email. The same applies to my screenshots 2-A and 2-B.

The IP addresses differ slightly, but they are probably from the same range. Are they shared with legitimate senders? I do not know.

I found it interesting that both spam emails passed SPF and DKIM but not DMARC.

If these screenshots are exposing sensitive information, please let me know. I can either delete this post entirely or delete the attachments.

@Kevin Stecyk

So your problem sender is Amazon Simple Email Service. You are looking at a major mailing bureau with a very wide selection of customers varying from those sending notifications you definitely want down to those who have managed to steal or otherwise rip off an SES account to send malware phishing. Whilst it is possible to isolate some major SES customers by IP, you are not going to be able to tackle most SES problems that way.

I do see a List-Unsubscribe header, and it appears to have a consistent value. I won't post that as it might prompt the sender to change the value, but it seems a mail flow rule predicate of the form "'List-Unsubscribe' header matches the following patterns: unsubscribe\.nuisance\.com" might catch your morphing pest. Remember not to use an irrevocable mail flow action until you know the rule is reliable.
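The rule sketched above, written out in Exchange Online PowerShell, as an added example that is not part of the original reply. It keys on the List-Unsubscribe header with a regex anchored to the host (so a look-alike such as `unsubscribe.nuisance.com.evil.example` does not match by accident), sets SCL 9 rather than deleting, and starts in audit mode so nothing is acted on until the matches have been reviewed. `unsubscribe\.nuisance\.com` is the placeholder pattern from the reply; the rule name is an assumption.

```powershell
# Added example, not from the thread: a mail flow (transport) rule that keys on
# the List-Unsubscribe header and starts in audit mode. The host pattern is the
# reply's placeholder; substitute the real value. Rule name is assumed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$ruleName = 'Block morphing spammer via List-Unsubscribe'   # assumed name

# HeaderMatchesPatterns is a regex against the whole header value, which is
# usually '<mailto:...>, <https://...>'; the trailing group stops the match at
# the end of the host so 'unsubscribe.nuisance.com.evil.example' does not hit.
New-TransportRule -Name $ruleName `
    -HeaderMatchesMessageHeader 'List-Unsubscribe' `
    -HeaderMatchesPatterns 'unsubscribe\.nuisance\.com(/|>|,|$)' `
    -SetSCL 9 `
    -Mode Audit `
    -Comments 'Audit first; switch to Enforce once the report shows only spam hits.'

# After a day or two, review what the rule would have acted on. In Audit mode
# the match is reported but the SetSCL action is not applied, so a false
# positive costs nothing.
Get-MailDetailTransportRuleReport -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) `
    -TransportRule $ruleName |
    Select-Object Date, SenderAddress, RecipientAddress, Subject |
    Format-Table -AutoSize

# Only once the report contains nothing you want to keep:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

SCL 9 hands the message to the anti-spam policy's high-confidence-spam action, which can be reversed by releasing from quarantine; `-DeleteMessage $true` is the irrevocable action the reply warns against and should wait until the audit report has been clean for a while.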