My E-mail appears as spam | The 7 major reasons | Part 6#17
http://o365info.com/my-e-mail-appears-as-spam-the-7-major-reasons-part-6-17
Review three major reasons, that could lead to a scenario, in which E-mail that is sent from our organization identified as spam mail:
4. False positive, 5. User Desktop malware, 6. “Problematic” Website
Eyal Doron | o365info.com
Introduction to Multilingual Retrieval Augmented Generation (RAG)
My E-mail appears as spam | The 7 major reasons | Part 6#17
1. Page 1 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
MY E-MAIL APPEARS AS SPAM | THE 7
MA JOR REASONS | PART 6#17
The current article is the continuation of the former article (My E-
mail appears as spam | The 7 major reasons | Part 5#17) in which
we continue to review the major reasons, that could lead to a
scenario in which
E-mail that is sent from our organization, identified as spam E-
mail.
In the current article we will review the following causes:
False positive
User Desktop malware
“Problematic” Website
4. False positive
2. Page 2 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
Regarding the subject of internal outbound spam, the term “false
positive”, relate to a scenario in which a legitimate E-mail is
recognized by mistake as a spamjunk mail.
Q: Is there an option to completely avoid from a scenario of “false
positive”?
A: Sadly, the answer is no. There are different “elements”, which can
identify our organization E-mail by mistake as a spamjunk mail.
For example, your E-mail message could be mistakenly classified as
spamjunk mail by a blacklist provider who recognizes aspects in
your E-mail message that “look like” charters of spamjunk mail (no
system is perfect).
Another example could be: destination recipient looks at your E-mail
message, and it seemed to him like a spamjunk mail.
For this reason, he decides to report the specific E-mail message as
spamjunk mail.
3. Page 3 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
In the following diagram, we can see that there could be “additional
element” that could “decide” to identify a specific E-mail as
spamjunk mail such as – the user mail application or the security
application that is installed on the user desktop.
How to avoid?
There is no real method for “avoiding” this scenario. In case that
legitimate E-mail that was sent by organization users is classified as
spamjunk E-mail by a specific blacklist, all we can do is to address
the specific blacklist owner and ask to be removed from the blacklist.
Another best practice could be: implement a procedure, in which we
check the “spam score” of commercial E-mail, before we send the
specific E-mail message to the large group of recipients.
4. Page 4 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
You can read more information about the option of testing your
spam score in the article: My E-mail appears as spam | The 7
major reasons | Part 5#17
5. User Desktop malware
In case that the user desktop is infected with Malware (virus,
spyware, etc.) the result can be a “stranger phenomenon” such as:
mail that disappears, spam mail that sends from our organization
recipient without his knowledge and so on.
One of the major charters of such a scenario (a scenario in which the
user desktop is infected by Malware) is that the organization user is
not aware that spam E-mail is sent by his name to other recipients.
The “point” in which we become aware of this issue, is only if the
destination mail server reply using the NDR message or worse
scenario, in which our organization appears as blacklisted.
5. Page 5 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
In a scenario of an “NDR”, it’s easy to implement the reverse
engineering process in which we understand that the problem is
related to a specific recipient organization.
In a scenario in which the “destination mail server” doesn’t reply
using NDR or, in a scenario in which we found that our organization
is blacklisted, there is no thread or “bread cramp” that could lead us
to the “source of the problem”.
Q: How to recognize a scenario in which a user’s desktop is infected
with Malware that sends an E-mail message on behalf of the user?
A: There is no “magic formula” that will help you to capture this type
of scenario. Our main “weapons” is the awareness for the charters of
this type of scenarios (in which the user desktop is compromised by
malware that send spam E-mail on behalf of the organization user).
One of the main charters for this type of scenario is “lack of
coordination” between the evidence that exists in the user mailbox
versus the “evidence” that exists in the Exchange Online mail server.
For example – an organization’s user report about a strange
phenomenon in which he gets the NDR message for E-mail that he
didn’t send. The NDR message informs him that his E-mail was
rejected by the destination mail server because he was identified as
spamjunk mail.
Note – there is another spam scenario that has similar characteristics
named: NDR backscatter. In this scenario, the organization users get an
NDR message that informs them that their “destination recipient” doesn’t
exist.
This is a scenario in which a spammer impersonated himself to a
legitimate user from using our organization user identity.
6. Page 6 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
When we start to investigate this strange issue by looking at the user
mailbox and, in particular in the Sent mail folder, we cannot see any
evidence to the mail that was sent from the user mailbox.
The reason for this strange phenomenon is that most of the time, the
malware will prefer to “cover his track” by deleting the E-mail that he
sent from the sent item’s folder or by connecting the mail server
directly and bypassing the desktop mail client.
The phenomenon becomes even stranger when we look at our
Exchange Online message trace log and finds out, that the Exchange
Online log includes information about dozens or even hundreds of E-
mail messages that was sent by the specific organization user.
This scenario is a clear evidence of a scenario of Malware that took
over the user desktop and impersonate as a legitimate organization
user.
Q: How to avoid a scenario in which organization user desktop can
be compromised?
A: Verify that you implemented the basic security best practices that
relate to the user desktop security:
7. Page 7 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
Verify that the desktop includes installation of antivirus software.
Verify the antivirus software include all the last updates.
Verify the antivirus software service is turned on.
Another option:
Reset the organization user password
Monitor the “problematic user” activity by using the Exchange Online
message trace log.
For example, look at the Exchange Online log and try to locate a
“strange behavior” in which there are many E-mails that are sent “by the
user” to unknown E-mail address.
6. “Problematic” Website
Another interesting and unknown reason for classifying E-mail as a
spamjunk mail is related to the website address (URL) that appears
in E-mail message.
Exchange Online and other mail server are using the services of a
special blacklist provider, such as: surbl that specialized is a specific
“realm” that is focused on a URL address that considers is
“problematic URL address” and that appear in a user E-mail message.
Attached a quotation from the surbl website:
SURBLs are lists of web sites that have appeared in unsolicited
messages. Unlike most lists, SURBLs are not lists of message
senders.
I have read the information in the website that explains the method
that is used and I must admit, that I’m sure that I completely
8. Page 8 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
understand the full concept of the “methods” that are used by the
surbl service.
As I understand it, the first step that is implemented by the surbl
service is to – create a list of public websites that their name (their
URL address) appears in E-mails that was classified or identified as
spamjunk mail.
The fact that a specific website URL address “appear” in unsolicited E-
mail messages, “stamp” this website “suspicious”.
In case that user sends an E-mail message, which includes the URL
address of a website that appeared on the list of “suspicious web
site”, the E-mail message could be considered as mail item that
contains spam content.
Additional reading
SURBL
9. Page 9 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
NON-OFFICE 365 AND EXCHANGE ONLINE
ISSUES
Under the subject of – “factors and element that can lead into a
scenario in which E-mail that is sent from your organization could be
identified as spamjunk mail” there could be additional causes that
we didn’t review.
The reason that we have not reviewed these factors is – because that
in Office 365 and Exchange Online this factor cannot be realized.
An example of such causes could be:
A mail server that is hacked by spammers, mail server that
configured as: open relay, Mail application that doesn’t use standard
or non-RFC complaint SMTP protocol, missing MX record, missing
PTR records, using a dynamic IP address as the IP address of the mail
server and more.
Although in Office 365 and Exchange Online we should not be
concerned about the above issues, in case that we manage a “private
mail infrastructure” it’s important to be aware of this potential
problem.
Additional reading
Open mail relay
Email Fundamentals: What is an Open Relay?
The return of the open relays
What is SMTP relay?
10. Page 10 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
Internal outbound spam in Office 365
environment | Article series index
A quick reference for the article series
My E-mail appears as a spam | Article
series index | Part 0#17
The article index of the complete
article series
Introduction to the concept of internal outbound spam in general
and in Office 365 and Exchange Online environment
My E-mail appears as a spam –
Introduction | Office 365 | Part 1#17
The psychological profile of the
phenomenon: “My E-mail appears as
a spam!”, possible factors for causing
our E-mail to appear a “spam mail”,
the definition of internal outbound
spam.
Internal spam in Office 365 –
Introduction | Part 2#17
Review in general the term: “internal
outbound spam”, miss conceptions
that relate to this term, the risks that
are involved in this scenario,
outbound spam E-mail policy and
more.
11. Page 11 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
Internal spam in Office 365 –
Introduction | Part 3#17
What are the possible reasons that
could cause to our mail to appear as
spamjunk mail, who or what are this
“elements”, that can decide that our
mail is a spam mail?, what are the
possible “reactions” of the destination
mail infrastructure that identify our E-
mail as spamjunk mail?.
Commercial E-mail – Using the right
tools | Office 365 | Part 4#17
What is commercial E-mail?
Commercial E-mail as part of the
business process. Why do I think that
Office 365 Exchange Online is
unsuitable for the purpose of
commercial E-mail?
Introduction if the major causes for a scenario in which your
organization E-mail appears as spam
My E-mail appears as spam | The 7
major reasons | Part 5#17
Review three major reasons, that
could lead to a scenario, in which E-
mail that is sent from our
organization identified as spam mail:
1. E-mail content, 2. Violation of the
SMTP standards, 3. BulkMass mail
12. Page 12 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
My E-mail appears as spam | The 7
major reasons | Part 6#17
Review three major reasons, that
could lead to a scenario, in which E-
mail that is sent from our
organization identified as spam mail:
4. False positive, 5. User Desktop
malware, 6. “Problematic” Website
Introduction if the subject of SPF record in general and in Office
365 environment
What is SPF record good for? | Part
7#17
The purpose of the SPF record and the
relation to for our mail infrastructure.
How does the SPF record enable us to
prevent a scenario in which hostile
elements could send E-mail on our
behalf.
Implementing SPF record | Part 8#17
The “technical side” of the SPF record:
the structure of SPF record, the way
that we create SPF record, what is the
required syntax for the SPF record in
an Office 365 environment + mix mail
environment, how to verify the
existence of SPF record and so on.
13. Page 13 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
Introduction if the subject of Exchange Online - High Risk Delivery
Pool
High Risk Delivery Pool and Exchange
Online | Part 9#17
How Office 365 (Exchange Online) is
handling a scenario of internal
outbound spam by using the help of
the Exchange Online- High Risk
Delivery Pool.
High Risk Delivery Pool and Exchange
Online | Part 10#17
The second article about the subject
of Exchange Online- High Risk
Delivery Pool.
The troubleshooting path of internal outbound spam scenario
My E-mail appears as spam –
Troubleshooting path | Part 11#17
Troubleshooting scenario of internal
outbound spam in Office 365 and
Exchange Online environment.
Verifying if our domain name is
blacklisted, verifying if the problem is
related to E-mail content, verifying if
the problem is related to specific
organization user E-mail address,
moving the troubleshooting process
to the “other side.
14. Page 14 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
My E-mail appears as spam |
Troubleshooting – Domain name and
E-mail content | Part 12#17 Verify if
our domain name appears as
blacklisted, verify if the problem
relates to a specific E-mail message
content, registering blacklist
monitoring services, activating the
option of Exchange Online outbound
spam.
My E-mail appears as spam |
Troubleshooting – Mail server | Part
13#17
What is the meaning of: “our mail
server”?, Mail server IP, host name
and Exchange Online. One of our
users got an NDR which informs him,
that his mail server is blacklisted!,
How do we know that my mail server
is blacklisted?
My E-mail appears as spam |
Troubleshooting – Mail server | Part
14#17
The troubleshooting path logic. Get
the information from the E-mail
message that was identified as
spamNDR. Forwarding a copy of the
NDR message or the message that
saved to the junk mail
15. Page 15 of 15 | My E-mail appears as spam | The 7 major reasons | Part 6#17
Written by Eyal Doron | o365info.com
My E-mail appears as spam |
Troubleshooting – Mail server | Part
15#17
Step B – Get information about your
Exchange Online infrastructure, Step
C – fetch the information about the
Exchange Online IP address, Step D –
verify if the “formal “Exchange Online
IP address a
De-list your organization from a
blacklist | My E-mail appears as spam
| Part 16#17
Review the charters of a scenario in
which your organization appears as
blacklisted. The steps and the
operations that need to be
implemented for de-list your
organization from a blacklist.
Summery and recap of the troubleshooting and best practices in a
scenario of internal outbound spam
Dealing and avoiding internal spam |
Best practices | Part 17#17
Provide a short checklist for all the
steps and the operation that relates
to a scenario of – internal outbound
spam.