High risk delivery pool and Exchange Online - part 10 of 17
1. High Risk Delivery Pool and Exchange Online
| Part 10#17
Eyal Doron o365info.com
AGENDA
• Who is the authority that approves or identifies E-mail as spam\junk mail?
• Outbound spam scenario flows in an Office 365 environment
• Recap and final conclusions
The current article is the continuation of the former article: High Risk Delivery Pool and Exchange Online | Part 9#17. In this article we will focus on the following subjects:
How does Exchange Online “decide” to classify specific E-mail as spam\junk mail?
Description of the internal spam E-mail message flow
When an Office 365 user sends an E-mail message to another recipient, Exchange Online (EOP, if we want to be more accurate) must scan the message and decide whether it is “OK” or should be considered spam\junk mail.
The “security scanning process” of an outbound E-mail message relies on two types of “security infrastructure”:
Proprietary block lists, which are not “exposed to the general public”
Third-party (partner) public block list providers.
Exchange Online Protection (EOP) uses its own proprietary block lists as well as third-party (partner) block lists. If a user is placed on our block lists after sending outbound messages through the service, they’ll receive a 550 5.1.8 Access Denied, Bad Sender message.
Additionally, the domain administrator address configured via the “Send a notification to the following email address when a sender is blocked sending outbound spam” setting in the outbound spam policy will receive a message that the sender was placed on our block lists.
[Source of information: Request that a user, domain, or IP address be removed from a block list after sending outbound spam]
In the following diagram, we can see a “high level” flow of the process, in which Exchange Online scans an outgoing E-mail message sent by an Office 365 user with the help of the “black and block list databases”.
Note – the popular term is “black list” providers. In the Office 365 and Exchange Online articles the term that is used most of the time is “block list” providers. We can treat these two terms as synonyms.
Q: Who are these “mysterious” third-party (partner) public block list providers?
A: Information about the third-party (partner) public block list providers is publicly published. For example, if you want to get more information about the third-party (partner) public block list providers that are used by Office 365 and Exchange Online, you can read the following article: Request that a user, domain, or IP address be removed from a block list after sending outbound spam.
In that article we can see a list of the third-party (partner) block list providers that are used by the Exchange Online infrastructure.
To demonstrate the flow of “internal spam E-mail”, let’s use the following scenario:
An Office 365 user sends E-mail to a “destination recipient”. The E-mail message is scanned and identified as spam\junk mail.
For this reason, the E-mail message is routed to the Exchange Online High Risk Delivery Pool, which then sends it to its destination. The “end” of the scenario is not known in advance, because we cannot know which security policy and rules the destination mail infrastructure will apply.
Step 1 – An Office 365 user sends E-mail to an external recipient. The request is accepted by an Exchange Online server.
Step 2 – Exchange Online accepts the E-mail message and forwards it to EOP (Exchange Online Protection) for further analysis.
Step 3 – EOP accepts the E-mail message and checks it against the proprietary block lists and the third-party (partner) block lists.
Step 4 – The E-mail message is examined against the block lists. In our scenario, the E-mail message is identified as spam\junk mail: the block list lookup “informs” EOP that the E-mail is a “problematic E-mail message”.
Step 5 – Because the E-mail message was identified as spam\junk mail, EOP will not forward it to the standard Exchange Online server pool; instead, the E-mail message is forwarded to the “Exchange Online High Risk Delivery Pool”.
Step 6 – One of the “High Risk Delivery Pool” members tries to deliver the E-mail message to the destination mail server.
The basic assumption is that the “destination mail server” uses security services in which incoming E-mail is scanned and verified via block list providers and other security mechanisms.
In our scenario, there is a high chance that the E-mail message will be classified as spam\junk mail by the “destination mail server”, because the IP addresses of the Exchange Online High Risk Delivery Pool appear in well-known blacklists.
Note – another possible scenario is that the E-mail message is identified as spam\junk mail because of its content, and not because it was sent via the Exchange Online High Risk Delivery Pool.
Step 7 – The mail security infrastructure used by the “destination mail server” decides what to do with the message.
Each “external mail infrastructure” uses a different mail security policy and services:
In some scenarios, the “destination security mail gateway” will block the E-mail message and reply with an NDR message.
In some scenarios, the “destination security mail gateway” will send the E-mail message to quarantine.
In some scenarios, the “destination security mail gateway” will increase the value of the SCL (spam confidence level) and forward the E-mail message to the destination recipient.
An example of an NDR message
In the following section, we can see an example of an NDR message that was returned to an Office 365 user by the “destination mail server”.
Pay attention to the IP address that appears in the NDR message. This is an IP address that “belongs” to the IP range of the “High Risk Delivery Pool”.
Remote Server returned ‘550-5.7.1 [157.56.116.102 ] our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines. p10si13699322wje.90 – gsmtp’
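As an added example (not part of the original article and not a Microsoft tool), the following Python script parses remote-server rejection text like the one above, extracts the enhanced status code (RFC 3463 “class.subject.detail”) and the bracketed IP address, and classifies the bounce as an EOP-side sender block (550 5.1.8 “Bad Sender”, the reply quoted earlier from Microsoft’s block list article), a destination-side rejection of the sending IP (the High Risk Delivery Pool symptom), a destination-side policy/content rejection, or a transient error. The two sample replies are constructed from the text quoted on this page; the category names are this example’s own, and the 157.56.116.0/24 range in the demo is a placeholder chosen only to contain the address from the NDR above, not Microsoft’s published pool range, which the caller must supply.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Enhanced status code "class.subject.detail" (RFC 3463), e.g. "5.7.1".
ESC_RE = re.compile(r"\b([245])\.(\d{1,3})\.(\d{1,3})\b")
# First bracketed IPv4 literal in the reply, e.g. "[157.56.116.102 ]".
IP_RE = re.compile(r"\[\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\]")

# Constructed sample: the remote-server text quoted in the article above.
SAMPLE_GMAIL_NDR = (
    "Remote Server returned '550-5.7.1 [157.56.116.102 ] our system has detected "
    "an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. "
    "To protect our 550-5.7.1 users from spam, mail sent from your IP address has "
    "been blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html "
    "to review 550 5.7.1 our Bulk Email Senders Guidelines. p10si13699322wje.90 - gsmtp'"
)
# Constructed sample: the reply EOP itself gives to a sender placed on its block lists.
SAMPLE_EOP_REJECT = "550 5.1.8 Access Denied, Bad Sender"


@dataclass
class BounceVerdict:
    status_code: Optional[str]  # e.g. "5.7.1"; None when no enhanced code was found
    sending_ip: Optional[str]   # the IP the remote server complained about, if any
    ip_in_pool: bool            # True when sending_ip lies inside one of the given ranges
    cause: str                  # coarse classification produced by classify_bounce()


def _strip_reply_codes(text: str) -> str:
    """Multi-line SMTP replies repeat '550-5.7.1' on every line; drop those prefixes
    so the keyword checks only see the human-readable text."""
    return re.sub(r"\b[245]\d\d[- ][245]\.\d{1,3}\.\d{1,3}\s*", " ", text).lower()


def classify_bounce(response: str, pool_ranges: Iterable[str] = ()) -> BounceVerdict:
    """Classify a rejection text.  pool_ranges: CIDR strings the caller believes
    belong to the High Risk Delivery Pool (an assumption supplied by the admin)."""
    code_match = ESC_RE.search(response)
    code = ".".join(code_match.groups()) if code_match else None
    ip_match = IP_RE.search(response)
    ip = ip_match.group(1) if ip_match else None
    nets = [ipaddress.ip_network(r, strict=False) for r in pool_ranges]
    in_pool = ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
    text = _strip_reply_codes(response)

    if code is None:
        cause = "unknown"
    elif code.startswith("4."):
        cause = "transient"                    # greylisting/throttling; the sender will retry
    elif code == "5.1.8" and "bad sender" in text:
        cause = "eop_sender_blocklisted"       # EOP refused the message: sender is on its lists
    elif code == "5.7.1" and ip is not None and "ip address" in text:
        cause = "destination_rejected_ip"      # the receiver blamed the sending IP (HRDP symptom)
    elif code == "5.7.1":
        cause = "destination_rejected_policy"  # policy/content rejection, no IP complaint
    else:
        cause = "other_permanent"
    return BounceVerdict(code, ip, in_pool, cause)


if __name__ == "__main__":
    # ASSUMPTION: placeholder range chosen to contain the address in the sample NDR;
    # replace it with the ranges Microsoft publishes for the High Risk Delivery Pool.
    for sample in (SAMPLE_GMAIL_NDR, SAMPLE_EOP_REJECT):
        print(classify_bounce(sample, ["157.56.116.0/24"]))
```

The split between “destination_rejected_ip” and “destination_rejected_policy” is the practical one for this article: when the receiver names your IP address, changing the message content will not help until the message stops leaving through the pool, whereas a 5.1.8 from EOP itself means the remediation is the delisting request described in Microsoft’s article.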
In a scenario in which we are notified that mail sent from our organization is classified as spam\junk mail, the main question is:
What is the reason (the cause) that mail sent from our organization is identified as spam\junk mail? Or, in simple words: who can we blame?
Is it the Office 365 users?
Is it the specific E-mail message content?
Is it the Exchange Online server that routes the E-mail message to the “High Risk Delivery Pool”?
Is it the “High Risk Delivery Pool”?
Is it the Office 365 blacklist providers?
Is it the destination mail security gateway?
Most of the time, our natural tendency will be to blame the “other side”. The “other side” could be the destination mail server or, in our scenario, the Office 365 mail servers.
The true answer is that in most scenarios the opposite is true.
The element that is responsible (guilty) for E-mail sent by our organization’s users being identified as spam\junk mail is located on “our side”!
If we want to be very specific: the Office 365 user who “writes and sends the specific E-mail message”.
The “source of the problem” starts with the “problematic E-mail message” that was created by the Office 365 user. The “problematic E-mail message” is the root of all the rest of the process.
Note – in a malware scenario, the “problematic E-mail message” is created by the malware and not by the user himself.
When Exchange Online recognizes the E-mail message created by the Office 365 user as spam\junk mail, it routes the E-mail message to the Exchange Online “High Risk Delivery Pool”, and so on.
When the E-mail message reaches its destination, there is a reasonable chance that the “destination mail server” will block it, either because it was sent by the Exchange Online High Risk Delivery Pool or because the destination server also “sees” the problematic content of the E-mail message.