EOP how to import / manage a large blacklist

%3CLINGO-SUB%20id%3D%22lingo-sub-615484%22%20slang%3D%22en-US%22%3EEOP%20how%20to%20import%20%2F%20manage%20a%20large%20blacklist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-615484%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EWe%20have%20recently%20switched%20to%20EOP%20and%20are%20now%20struggling%20with%20the%20amount%20of%20spam%20and%20potentially%20dangerous%20files%20that%20are%20still%20getting%20through.%20We%20have%20set%20EOP%20to%20send%20spam%20through%20to%20the%20users%20Junk%20folder%20and%20phishing%20mails%20to%20the%20hosted%20quarantine.%3C%2FP%3E%3CP%3EWe%20noticed%20now%20that%20some%20dangerous%20mails%20are%20still%20ending%20up%20in%20the%20junk%20folder.%20We%20would%20like%20to%20prevent%20this.%20With%20our%20previous%20antispam%20solution%20we%20had%20a%20large%20blacklist%20of%20addresses%20and%20domains%20which%20filtered%20out%20a%20lot%20of%20the%20spam%20we%20were%20getting.%20I%20would%20like%20to%20import%20this%20blacklist%20into%20EOP.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EHowever%20it%20is%20about%201900%20entries%20long%20and%20I%20have%20honestly%20no%20clue%20how%20to%20manage%20a%20blacklist%20this%20large%20in%20EOP.%20The%20spam%20blocklist%20limit%20is%20around%20500%20if%20I%20am%20not%20mistaken.%20And%20also%20we%20want%20these%20mails%20to%20go%20to%20the%20hosted%20quarantine%20(as%20they%20were%20blacklisted%20before%20and%20potentially%20sending%20malware%20we%20are%20100%25%20sure%20we%20don't%20want%20any%20of%20the%20mails%20arriving%20in%20the%20users%20junk%20folder).%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%20have%20tried%20creating%20mailflow%20rules%20but%20these%20are%20limited%20to%20a%20length%20of%208000something%20characters.%20To%20accomodate%20our%20blacklist%20we%20would%20have%20to%20create%20probably%206%20or%20more%20Rules.%20Adding%20addresses%20via%20powershell%20is%20limited%20per%20command%20as%20well%2C%20so%20managing%20it%20like%20that%20is%20very%20tedious.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThis%20can't%20be%20the%20way%20it%20is%20supposed%20to%20work%3F%20Has%20anybody%20got%20a%20solution%20or%20a%20better%20idea%20for%20this%3F%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThanks%20in%20advance!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-615484%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-615550%22%20slang%3D%22en-US%22%3ERe%3A%20EOP%20how%20to%20import%20%2F%20manage%20a%20large%20blacklist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-615550%22%20slang%3D%22en-US%22%3EYou%20are%20correct%20about%20the%20hard%20limits%20of%20the%20safe%20and%20blocked%20sender%20lists%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsafe-sender-and-blocked-sender-lists-faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsafe-sender-and-blocked-sender-lists-faq%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20they%20are%20that%20large%20and%20absolutely%20must%20be%20blocked%20then%20I%20would%20consider%20a%20third%20party%20AV%2FAS%20which%20does%20not%20have%20these%20hard%20limits.%20There%20are%20several%20well%20known%20ones%20which%20work%20with%20Office%20365%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-615689%22%20slang%3D%22en-US%22%3ERe%3A%20EOP%20how%20to%20import%20%2F%20manage%20a%20large%20blacklist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-615689%22%20slang%3D%22en-US%22%3EHi%20Christopher%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20taking%20the%20time%20to%20respond!%3CBR%20%2F%3E%3CBR%20%2F%3EUnfortunately%20using%20a%20third%20party%20AS%20is%20not%20possible%20for%20us%20at%20the%20moment%20(As%20we%20only%20switched%20recently).%3CBR%20%2F%3EIf%20there%20is%20no%20other%20way%20I%20will%20have%20to%20add%20the%20Mailflow%20Rules.%20But%20I%20will%20see%20maybe%20somebody%20has%20had%20the%20same%20problem%20and%20found%20a%20simpler%20way.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%20regards%2C%3CBR%20%2F%3EAnna%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-615742%22%20slang%3D%22en-US%22%3ERe%3A%20EOP%20how%20to%20import%20%2F%20manage%20a%20large%20blacklist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-615742%22%20slang%3D%22en-US%22%3EThanks%20for%20letting%20me%20know.%20In%20that%20case%20it%20is%20going%20to%20be%20multiple%20mail%20flow%20rules%20in%20order%20to%20get%20around%20the%20limit.%3CBR%20%2F%3E%3CBR%20%2F%3EThere%20is%20a%20uservoice%20here%20in%20order%20to%20raise%20the%20limit%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F289138-office-365-security-compliance%2Fsuggestions%2F33529975-spam-filter-allowed-and-blocked-sender-limit%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Foffice365.uservoice.com%2Fforums%2F289138-office-365-security-compliance%2Fsuggestions%2F33529975-spam-filter-allowed-and-blocked-sender-limit%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWould%20recommend%20to%20vote%20on%20this%20and%20push%20it%20up%20the%20agenda.%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20terms%20of%20the%20dangerous%20files%20you%20mention%20may%20want%20to%20look%20at%20Advanced%20Threat%20Protection%20to%20add%20to%20EOP%20which%20protects%20against%20malicious%20attachments%20and%20URL%E2%80%99s%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20question.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi everyone,


We have recently switched to EOP and are now struggling with the amount of spam and potentially dangerous files that are still getting through. We have set EOP to send spam through to the users Junk folder and phishing mails to the hosted quarantine.

We noticed now that some dangerous mails are still ending up in the junk folder. We would like to prevent this. With our previous antispam solution we had a large blacklist of addresses and domains which filtered out a lot of the spam we were getting. I would like to import this blacklist into EOP.


However it is about 1900 entries long and I have honestly no clue how to manage a blacklist this large in EOP. The spam blocklist limit is around 500 if I am not mistaken. And also we want these mails to go to the hosted quarantine (as they were blacklisted before and potentially sending malware we are 100% sure we don't want any of the mails arriving in the users junk folder).


I have tried creating mailflow rules but these are limited to a length of 8000something characters. To accomodate our blacklist we would have to create probably 6 or more Rules. Adding addresses via powershell is limited per command as well, so managing it like that is very tedious.


This can't be the way it is supposed to work? Has anybody got a solution or a better idea for this?


Thanks in advance!

3 Replies
Highlighted
You are correct about the hard limits of the safe and blocked sender lists

https://docs.microsoft.com/en-us/office365/securitycompliance/safe-sender-and-blocked-sender-lists-f...

If they are that large and absolutely must be blocked then I would consider a third party AV/AS which does not have these hard limits. There are several well known ones which work with Office 365

Hope that answers your question

Best, Chris
Highlighted
Hi Christopher,

Thanks for taking the time to respond!

Unfortunately using a third party AS is not possible for us at the moment (As we only switched recently).
If there is no other way I will have to add the Mailflow Rules. But I will see maybe somebody has had the same problem and found a simpler way.

Best regards,
Anna
Highlighted
Thanks for letting me know. In that case it is going to be multiple mail flow rules in order to get around the limit.

There is a uservoice here in order to raise the limit

https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/33529975-sp...

Would recommend to vote on this and push it up the agenda.

In terms of the dangerous files you mention may want to look at Advanced Threat Protection to add to EOP which protects against malicious attachments and URL’s

Hope that answers your question.

Best, Chris