Quite obvious spam is passing with very low SCL
Question
All replies
-
Hi.
I'm use to EOP with rule.
Create White domain list all other to Junk folder. Users check Junk folder and if they found good email forward to special mailbox. I'm add to White list and Allow list.
After 3 mounts you are added 5-10 domain to White list every week.
You can planing your protection.
Antispam and antimalware protection in Exchange 2016
Exchange Online Protection effective rate 95% by default. After make rule and customize filter 99,9%
MCITP, MCSE. Regards, Oleg
- Edited by Oleg.Kovalenko Thursday, June 8, 2017 3:14 PM
-
Hi,
Have you check the messages are come from same domain specific email / IP address ?
Please post out the detailed spam message header as below:
Hope it helps.
Regards,
Jason Chao
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com. -
Hi.
Continue post Jason.Chao.
When you are copy headers. You go to https://testconnectivity.microsoft.com/ and analize this headers.
Analyzing Email Headers in Outlook and OWA
Email Fundamentals: How to Read Email Message Headers
MCITP, MCSE. Regards, Oleg
-
Its done, thanks a lot :)
But for other spams, do you have a solution ?
For information, here is two things i found disturbing, can you help me understanding thoses ?
First : When i run get-antispamtoprblproviders , nothing is shown, where i believe it is supposed to show me my blocklist providers and the amount they blocked, i'm right ?
Here's how they are configured :
IPBlocklistconfig :
And the second strange thing :
When i run get-AntispamTopBLockedSenderIPs , it's sorting me the public IP of my MX record for mail and nothing else.
Is this normal ?
Thanks
- Edited by Pierre Chevallier Friday, June 9, 2017 12:32 PM
-
Get-AntispamTopRBLProviders.ps1 means to Retrieve what RBL block the most. Use that chart before remove a RBL. Some RBL are too strict sometime, but removing it can cause a lot of spam to actually enter. When a user call, it’s the dilemma to accept one email versus what the RBL block. as per: Exchange Server: How to Diagnose Spam Problem so we don't have anything, possibly, because we are not getting spam emails from IP addresses blocked on any RBL.
Which leads me to my final point and to you solving your own issue with the finding of your IP address after running Get-AntispamTopBLockedSenderIPs
Please take a look at the header screenshots:
You can see that all 3 emails come from the same IP address which is your MX server leading to 2 possibilities I can think of, either (1) your MX has been hijacked (not likely), or (2) your MX server is not retaining headers and treating incoming emails as its own, as coming from it directly. These are speculations as I'm not proficient with On Premises infrastructures but something is clearly off with the MX server since we have 3 different domains sending emails from it and that's what we need to address.
Another thing, just to be sure, you got the complete headers directly from the end-user, right?! You did not have them send the .eml or .msg by email so that you retrieve the headers afterwards cause if you send an email as an attachment over email, some of the headers will get stripped off. The best method is to ask the end-user to get the headers as per: Internet message header in Outlook on the Web, OWA and Outlook.com.
Everything that can be automatized, should and must be automatized.
