High Risk Delivery Pool and Exchange Online | Part 9#17

Written by Eyal Doron | o365info.com
http://o365info.com/high-risk-delivery-pool-and-exchange-online-part-9-17

The term “High Risk Delivery Pool” describes a dedicated pool of Exchange Online servers that is responsible for “handling” mail sent by Office 365 recipients which was recognized as “problematic mail”.

The current article and the next article, High Risk Delivery Pool and Exchange Online | Part 10#17, describe how Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.


General thoughts upon the subject of outbound mail spam in an Office 365 environment

Q: What is the meaning of “problematic mail”?

A: Outbound mail that is sent by an Office 365 user, passed to EOP (Exchange Online Protection) for a security check, and identified as mail that has the potential to be spam\junk mail.

Q: What could lead to a scenario in which my mail is considered “problematic mail” by Exchange Online?

A: There is no clear definition or “public information” about the factors that will lead Exchange Online and EOP to “decide” that a specific E-mail message sent by Office 365 users is classified as spam\junk mail.


It is reasonable to assume that the spam filter used by Exchange Online is based on the standard methods for identifying a specific E-mail message as spam\junk mail, for example an E-mail message that includes “problematic content”, or a scenario of bulk mail.

You can read more about the “factors” that could lead to a scenario in which E-mail is recognized as spam\junk mail in the articles:

My E-mail appears as spam | The 7 major reasons | Part 5#17

My E-mail appears as spam | The 7 major reasons | Part 6#17

Q: What is the meaning of “Exchange Online server pool that will handle problematic mail”?

A: In a scenario in which Exchange Online identifies a “problematic E-mail” sent by Office 365 users, the E-mail will not be deleted or blocked; instead, it will be sent out through a specific pool of Exchange Online servers.


Exchange Online: a single server or a server farm?

When we say something like “our mail server”, the association is a “single server” which stands alone in the cold rain and wind, always ready to serve and protect.

When we use Exchange Online as our mail infrastructure, none of these “images” is correct.

We refer to “Exchange Online” as a singular entity, while in reality we need to think of the Exchange Online infrastructure as a plural: dozens or even hundreds of separate mail servers that are “scattered” worldwide across the different Office 365 data centers.

Each of the Office 365 data centers includes:

1. The “standard” Exchange Online server pool


2. A dedicated pool of Exchange Online servers whose job is to solve the problem of “internal spam” (spam\junk mail) sent by our organization’s Office 365 users to other recipients.

What is the range of possibilities that could be implemented by the Office 365 mail infrastructure for dealing with the phenomenon of outbound spam?

Note – the current heading won last year’s international competition for the “longest titles in the universe”.


Theoretically, there are a couple of “solutions” that could have been implemented by the Exchange Online infrastructure when dealing with a scenario of internal spam mail.

For example, Exchange Online could have implemented any of the following options when an E-mail message sent by Office 365 recipients is identified as spam\junk mail:

Option 1: Don’t implement outbound spam checks.

Many mail infrastructures do not implement an E-mail security policy for “outbound mail”, because the basic assumption is that mail sent by “our organization’s users” can be trusted.

In an Exchange Online environment, this “assumption” that mail sent by organization users can be trusted cannot be applied, because Exchange Online servers “represent” tens or even hundreds of thousands of organizations and, for this reason, Exchange Online does not have the “luxury” of blindly trusting organization users.


The Exchange Online mail infrastructure is based on the assumption that security risks can come from “indoors” and “outdoors” equally.

Option 2: Implement an outbound spam check | Delete the E-mail message

Another method that could have been implemented by Exchange Online (and is not implemented) is to “block” any mail that was sent by Office 365 users and identified as spam\junk mail.

The term “block” could be translated into several options, such as: delete the E-mail, send the E-mail message to quarantine and inform the Office 365 user, and so on.

In reality, none of these “actions” is implemented. There is no “formal Microsoft answer” regarding why outbound spam is not blocked, deleted or sent to quarantine.

My opinion is that the actions of “blocking” or deleting E-mail messages that were identified as spam\junk mail could have led to many lawsuits and, additionally, would be a breach of the principle of Office 365 customer privacy.

For this reason, the Office 365 mail infrastructure will not delete or block outbound spam but will instead send the E-mail message out to its destination by routing it through a specific Exchange Online server pool.

Note – An exception to the above rule is a scenario of bulk E-mail sent by Office 365 users. In a very specific scenario, this user will be blocked.


You can read more about bulk E-mail in an Office 365 environment in the article:

My E-mail appears as spam | The 7 major reasons | Part 5#17

Option 3: Implement an outbound spam check | Route the E-mail message to an alternate mail server pool

This is the option that is implemented by Exchange Online.

When Exchange Online (EOP, if we want to be more accurate) scans the outgoing mail and identifies that the mail can be classified as spam\junk mail, instead of blocking or deleting the E-mail message, the E-mail message is routed to a dedicated Exchange Online server pool named the “High Risk Delivery Pool”.

In a scenario in which E-mail is routed to the “High Risk Delivery Pool”, the “operation” is not reported by default (the Exchange Online administrator is not aware of this “redirection process” by default).

Only when the Exchange Online administrator “activates” the outbound spam option will Exchange Online send an E-mail notification to the provided E-mail address for each of the mail items that was routed (delivered) to the “High Risk Delivery Pool”.


In reality, the “High Risk Delivery Pool” is not just a specific Exchange Online server. As the name implies, it is a “pool” of mail servers. Additionally, each of the Office 365 data centers uses its “own pool” of Exchange Online servers that act as the “High Risk Delivery Pool”.

Q: Does Microsoft publish public information about the IP range of the Exchange Online High Risk Delivery Pool in each of the Office 365 data centers?

A: As far as I know, there is no such “public information”. The logic is that it is in Microsoft’s interest to keep this information “hidden” and not public.

Technically speaking, Microsoft publicly publishes the complete public IP range of Exchange Online and the EOP IP range, but this data does not include a specific indication of the Exchange Online High Risk Delivery Pool.

From my experience, and I must stress that this is not “formal information” that you can rely upon, the “High Risk Delivery Pool” IP ranges in the “Europe Office 365 data centers” are represented by the following IP range: 157.56-57.0.0.


Note – you can read more about the Office 365 IP address ranges in the articles:

Office 365 URLs and IP address ranges

Exchange Online Protection IP addresses

What is the purpose of the “High Risk Delivery Pool”?

The purpose of the Exchange Online “High Risk Delivery Pool” is a little confusing, because its job is to “draw the fire” away from the “standard Exchange Online server pool”. The most appropriate metaphor that I can think of is: scapegoat.

The Exchange Online “High Risk Delivery Pool” serves as a scapegoat in a scenario of internal spam.


Let’s go back to the moment in which Exchange Online identifies a specific E-mail message sent by Office 365 users as spam\junk mail.

Because Exchange Online is not “allowed” to stop or block this type of E-mail, Exchange Online needs to find a safe way to “deliver” the E-mail message to its destination without compromising the integrity and the reliability of the standard Exchange Online server pool.

For example, in the case that the E-mail message was sent to external recipients, Exchange Online will need to contact the mail server of the external recipient and try to deliver the E-mail message to it.

In this case, the main risk is that the “external mail server” will also identify the E-mail message as spam\junk mail and, for this reason, will add the IP address of the “standard” Exchange Online pool to a blacklist.

In this scenario, the damage is not only to the specific organization that sent the “spam E-mail” but to all the other Office 365 tenants who send E-mail via the specific Exchange Online server whose IP address was blacklisted.

Exchange Online – High Risk Delivery Pool as a Risk-Management solution

The answer to this “challenge” is implementing a Risk Management process.


In the scenario of a “problematic E-mail” sent by Office 365 users, the problematic E-mail messages will be routed to a dedicated Exchange Online server pool: the “High Risk Delivery Pool”.

The Exchange Online High Risk Delivery Pool is used to send out the “problematic E-mail”.

At first glance, this “declaration” looks a little peculiar, but this is the exact purpose of the “Exchange Online High Risk Delivery Pool”.

Instead of sending the problematic E-mail message via the “standard” Exchange Online server and, by doing so, putting at risk all the other Office 365 tenants (customers) who rely on the Exchange Online mail infrastructure, the problematic E-mail message is sent by the “scapegoat” Exchange Online server pool: the “High Risk Delivery Pool”.

Because the “High Risk Delivery Pool” will, most of the time, send E-mail that is classified as spam\junk mail, there is a reasonable chance that the IP address of a specific member of the Exchange Online High Risk Delivery Pool will appear as blacklisted.

By using the Exchange Online High Risk Delivery Pool, the Exchange Online infrastructure manages to achieve two goals:

1. Avoid a scenario in which Exchange Online blocks or deletes an E-mail message sent by Office 365 users.


2. Avoid the possibility that the “standard Exchange Online” public IP address will be blacklisted.

Exchange Online High Risk Delivery Pool: half of the solution?

Blacklist providers “recognize” an organization by two main elements:

1. The IP address of the mail server that sends E-mail “on behalf” of the organization.

2. The domain name of the organization (the “right part” of the E-mail address).

Pay attention to the simple fact that although the “problematic E-mail message” is sent via the Exchange Online “High Risk Delivery Pool”, the domain name included in the “problematic E-mail message” could also be listed in blacklists.

In other words: the use of the Exchange Online “High Risk Delivery Pool” prevents the option in which the IP address of “our mail server” will appear as blacklisted, but cannot prevent a scenario in which our domain name will appear as blacklisted.
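As an added example (not code from the article), the Python script below applies the two points above to a message: it walks the Received headers, flags any hop that falls inside the informal 157.56.0.0/15 range the author associates with the European High Risk Delivery Pool (an assumption for this example, not a Microsoft-published range), and builds the DNSBL query names an external receiver would use to check both the sending IP and the sender domain. The sample message and every host in it are constructed, and the DNSBL zone names only illustrate the lookup format.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the article). Newest Received header is on top;
# the second one records the hand-off from Office 365 to the recipient's mail server.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from EUR01-XX-obe.outbound.protection.outlook.com (157.56.110.22)
\tby mail.example.net with ESMTPS; Mon, 1 Jan 2024 09:59:58 +0000
From: Alice <alice@contoso.example>
To: bob@example.org
Subject: constructed test message

body
"""

# Informal range the article associates with the European High Risk Delivery Pool
# (157.56.0.0 - 157.57.255.255). Assumption only: not published by Microsoft, may change.
HRDP_RANGE_EU = ipaddress.ip_network("157.56.0.0/15")

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(raw_message):
    """IPv4 addresses found in the Received headers, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(header):
            try:
                ips.append(str(ipaddress.ip_address(candidate)))
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
    return ips


def hrdp_hops(raw_message, pool=HRDP_RANGE_EU):
    """Received-chain IPs inside the (assumed) High Risk Delivery Pool range."""
    return [ip for ip in received_ips(raw_message) if ipaddress.ip_address(ip) in pool]


def sender_domain(raw_message):
    """The 'right part' of the From address: the second element blacklists match on."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def dnsbl_query_names(ip, domain, ip_zone="zen.spamhaus.org", domain_zone="dbl.spamhaus.org"):
    """Query names for an IP-based and a domain-based DNSBL; no lookup is performed."""
    # IP lists are queried with the octets reversed, domain lists with the bare domain.
    reversed_ip = ".".join(reversed(ip.split(".")))
    return f"{reversed_ip}.{ip_zone}", f"{domain}.{domain_zone}"


def assess(raw_message):
    """Summarise what an external receiver could hold against this message."""
    hops = hrdp_hops(raw_message)
    domain = sender_domain(raw_message)
    return {
        "hrdp_suspected": bool(hops),
        "hrdp_hops": hops,
        "sender_domain": domain,
        # Even when the IP belongs to the pool, the domain itself can still be listed.
        "dnsbl_queries": [dnsbl_query_names(ip, domain) for ip in hops],
    }


if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE))
```

A hit on the IP range only says the message may have left through the pool; the domain query name shows the listing risk the pool cannot absorb for you.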

To add another layer of understanding about the purpose of the Exchange Online High Risk Delivery Pool, here is a quotation from a Microsoft article:

When a customer’s email system has been compromised by malware or a malicious spam attack, and it is sending outbound spam through the hosted filtering service, this can result in the IP addresses of the data center servers being listed on other block lists.

In addition, destination servers that do not use the hosted filtering service, but use these block lists, end up rejecting all email sent from any of the hosted filtering IP addresses that have been added to those lists.

Therefore, all outbound messages that exceed the spam threshold are delivered through a High risk delivery pool. The High risk delivery pool is a secondary outbound email pool that is used to send messages that may be of low quality, thus helping to protect the rest of the network from sending messages that are more likely to result in the sending IP address being blocked.

[Source of information: High Risk Delivery Pool for Outbound Messages]


Internal \ outbound spam in an Office 365 environment | Article series index

A quick reference for the article series


My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series.

Introduction to the concept of internal \ outbound spam in general and in an Office 365 and Exchange Online environment

My E-mail appears as a spam – Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon “My E-mail appears as a spam!”, possible factors causing our E-mail to appear as “spam mail”, the definition of internal \ outbound spam.

Internal spam in Office 365 – Introduction | Part 2#17
A general review of the term “internal \ outbound spam”, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.

Internal spam in Office 365 – Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail, who or what are the “elements” that can decide that our mail is spam mail, and what are the possible “reactions” of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Commercial E-mail – Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365\ Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction to the major causes for a scenario in which your organization’s E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review of three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail.

My E-mail appears as spam | The 7 major reasons | Part 6#17
Review of three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 4. False positive, 5. User desktop malware, 6. “Problematic” website.

Introduction to the subject of the SPF record in general and in an Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf?

Implementing SPF record | Part 8#17
The “technical side” of the SPF record: the structure of the SPF record, the way we create an SPF record, the required syntax for the SPF record in an Office 365 environment and a mixed mail environment, how to verify the existence of an SPF record, and so on.

Introduction to the subject of Exchange Online - High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.

High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of the Exchange Online High Risk Delivery Pool.

The troubleshooting path of an internal \ outbound spam scenario

My E-mail appears as spam – Troubleshooting path | Part 11#17
Troubleshooting a scenario of internal \ outbound spam in an Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user’s E-mail address, moving the troubleshooting process to the “other side”.

My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering with blacklist monitoring services, activating the Exchange Online outbound spam option.

My E-mail appears as spam | Troubleshooting – Mail server | Part 13#17
What is the meaning of “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting – Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that was saved to the junk mail.

My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17
Step B – Get information about your Exchange Online infrastructure, Step C – fetch the information about the Exchange Online IP address, Step D – verify if the “formal” Exchange Online IP address a

De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing and avoiding internal spam | Best practices | Part 17#17
Provide a short checklist for all the steps and the operations that relate to a scenario of internal \ outbound spam.