Microsoft Tech Community

Why is the connection filter not rejecting an email even when the IP is in the IP block list?

Hi All,

I added a blacklisted IP to the IP block list of the connection filter a few months ago.

But the spammer can still send Malware from that IP.

The IP is a Connecting IP Address according to Message Header Analyzer.

While the anti-Malware policy quarantines the email, I am unable to understand why the IP block list in the connection filter is not applied and the mail was not rejected primarily.

Microsoft has stated that tenant overrides (IP Allow list in connection filter) are not applied for Malware.

Does it also mean the IP Block list is not applied?

1 Reply
I think I am getting to understand why something like this is happening:
This is my hypothesis:
The rules/policies and settings created using the old Microsoft admin portal were not properly migrated by Microsoft when the new security and protection portals were created.
What I mean is that the older values in the IP Block-list for some reason are not read by the new connection-filter engine.
---
I also encountered another issue with editing the ASF settings of an anti-spam policy created a few years ago.
For one of the old anti-spam policies and the default policy, I was unable to edit the Bulk email threshold (BCL) value. A slider to increase and decrease the BCL score was not present for these policies.
I created a new policy to test if I could see the BCL slider, and unsurprisingly I could see the slider.
This means Microsoft had probably made some mistakes when migrating the policy settings/values from the old admin portal to the new ones.
Only the Microsoft Security team can confirm this.
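
The check behind the original question can be reproduced offline. The following is an added example, not part of the thread: it reads the connecting IP (the `CIP` field of the `X-Forefront-Antispam-Report` header) from a saved message and reports which block-list entries cover it. The sample message, the IP addresses, and the entry formats handled (single IP, CIDR, `start-end` range) are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (documentation IP ranges); not taken from the thread.
SAMPLE = """\
Received: from mail.example.net (203.0.113.45) by mx.example.com
X-Forefront-Antispam-Report: CIP:203.0.113.45;CTRY:US;SCL:9;IPV:NLI;SFV:SPM;CAT:MALW;
Subject: constructed sample

body
"""

# Constructed block-list entries, as they might be exported from the policy.
BLOCK_LIST = ["198.51.100.7", "203.0.113.0/24", "203.0.113.40-203.0.113.50"]

def antispam_fields(raw_message):
    """Return the KEY:value pairs of X-Forefront-Antispam-Report as a dict."""
    msg = message_from_string(raw_message)
    report = re.sub(r"\s+", "", msg.get("X-Forefront-Antispam-Report", ""))
    fields = {}
    for part in report.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)  # maxsplit keeps IPv6 values intact
            fields[key.upper()] = value
    return fields

def entry_matches(entry, ip):
    """True if ip is covered by one entry (single IP, CIDR, or start-end range)."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return start.version == ip.version and start <= ip <= end
    net = ipaddress.ip_network(entry, strict=False)
    return ip in net  # False when the IP versions differ

def check_message(raw_message, block_list):
    """Summarise the connecting IP and the block-list entries that cover it."""
    fields = antispam_fields(raw_message)
    cip = fields.get("CIP")
    matched = []
    if cip is not None:
        ip = ipaddress.ip_address(cip)
        matched = [e for e in block_list if entry_matches(e, ip)]
    return {"cip": cip, "matched": matched,
            "ipv": fields.get("IPV"), "cat": fields.get("CAT")}

if __name__ == "__main__":
    print(check_message(SAMPLE, BLOCK_LIST))
```

A non-empty `matched` list for a message that was still accepted confirms that the entry covers the connecting IP, so the gap lies in how the policy is applied rather than in the entry itself.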