Anti-Spam Protection FAQ
Applies to: Exchange Online Protection, Exchange Online
Topic Last Modified: 2013-12-05
This section provides frequently asked questions and answers about anti-spam protection. Answers are applicable for Microsoft Exchange Online and Exchange Online Protection customers.
Note: For questions and answers that specifically pertain to safe sender and blocked sender lists, see Safe Sender and Blocked Sender Lists FAQ.
Q. By default, what happens to a spam-detected message?
A. The majority of spam is rejected by connection filtering, which acts on the connecting IP address before any content is inspected. Messages that reach the content filter and are classified as spam are, by default, delivered to the recipient’s Junk Email folder. You can change this action in the content filter policy; for example, you can choose to send content-filtered spam to the quarantine instead.
Note: For Exchange Online Protection customers: In order to ensure that the Move message to Junk Email folder action will work with on-premises mailboxes, you must configure two Exchange Transport rules on your on-premises servers to detect the spam headers added by EOP. For details, see Ensure that Spam is Routed to Each User's Junk Email Folder.
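The on-premises transport rules referred to above work by matching the X-Forefront-Antispam-Report header that EOP stamps on every message and, when its spam filtering verdict (SFV) is SPM or SKS, setting the SCL high enough that the mailbox's junk email rule moves the message. The following is an added example, not code from the article or from Microsoft: it parses that header and reproduces the same decision so it can be tested against sample values. The header values below are constructed, and the SCL of 6 is the value the referenced topic has the rules set.

```python
# Added example (not from the original article): parse the X-Forefront-Antispam-Report
# header that EOP stamps on each message and decide whether an on-premises mailbox
# should treat it as junk. On-premises, two transport rules match "SFV:SPM" and
# "SFV:SKS" in this header and set SCL 6; this function reproduces that decision.

# Spam Filtering Verdict values that the on-premises rules act on:
#   SPM - the content filter classified the message as spam
#   SKS - the message was marked as spam by a rule before content filtering
JUNK_VERDICTS = {"SPM", "SKS"}
SCL_STAMPED_BY_RULE = 6   # value the transport rules set; above the default SCLJunkThreshold of 4


def parse_antispam_report(header_value):
    """Split 'KEY:VALUE;KEY:VALUE;...' into a dict (keys upper-cased, last occurrence wins).

    Empty values such as 'SRV:' are kept as empty strings; fragments without a colon are ignored.
    """
    fields = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def junk_decision(header_value):
    """Return (deliver_to_junk, scl).

    A verdict of SPM or SKS yields (True, 6), mirroring the on-premises rules.
    Otherwise the message is not junked and the SCL that EOP reported is returned
    for logging (-1 when the field is absent or unparseable).
    """
    fields = parse_antispam_report(header_value)
    if fields.get("SFV", "").upper() in JUNK_VERDICTS:
        return True, SCL_STAMPED_BY_RULE
    try:
        scl = int(fields.get("SCL", "-1"))
    except ValueError:
        scl = -1
    return False, scl


if __name__ == "__main__":
    # Constructed sample header values (hosts and addresses are fictional).
    samples = [
        "CIP:192.0.2.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail.example.org;PTR:mail.example.org",
        "CIP:192.0.2.11;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.example.org;PTR:mail.example.org",
        "SFV:SKS;SCL:-1",
    ]
    for sample in samples:
        print(junk_decision(sample), "<-", sample)
```

The function only honours the verdict field, as the on-premises rules do; it does not try to act on the SCL EOP reported, because that value does not survive the hop to an on-premises organization on its own, which is the reason the rules exist.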
Q. Do I need to configure the service to provide anti-spam protection?
A. After you sign up for the service and add your domain, spam filtering is automatically enabled company-wide through the default anti-spam policies. The default policies are tuned to protect you without needing any additional configuration. However, as an administrator, you can edit the default anti-spam policies so that they are tailored to best meet the needs of your organization. For greater granularity, you can also create custom content filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
For more about configuring your anti-spam policies, see the following topics:
Q. If I make a change to an anti-spam policy, how long does it take after I save my changes for them to take effect?
A. It may take up to 1 hour for the changes to be replicated across all data centers.
Q. Does the service have administrator and end user management of spam-quarantined messages?
A. As an administrator, you can search for and view details about quarantined email messages in the EAC. After locating the message, you can release it to specific users and optionally report it as a false positive. For more information, see Quarantine.
As an end user, you can manage your own spam quarantined messages via end-user spam notification messages (if they are enabled by your administrator). After receiving a notification message, you can move the spam email to your inbox, or report the spam email as Not Junk, in which case it will be sent to the Microsoft Spam Analysis Team. For information about configuring this functionality, see Configure End-User Spam Notifications in EOP or Configure End-User Spam Notifications in Exchange Online. For information about using this feature, see Release a Quarantined Message and Optionally Report it as a False Positive (End Users).
Q. Is bulk email filtering automatically enabled?
A. By default, the Block all bulk email messages advanced spam filtering option is enabled for new customers. For customers migrated from Forefront Online Protection for Exchange (FOPE), this setting will match your FOPE configuration.
Q. Does the service block a URL in an email message because it was "known"? Or will it also know when a message contains a URL that appears as www.treyresearch.net but is really malicious and will direct you to a different address?
A. The URL filter extracts the URLs from a message and matches them against a list of known malicious URLs. It does not follow a link to determine where it actually leads, so a URL that appears as www.treyresearch.net but redirects elsewhere is blocked only if that URL is itself already known to be malicious.
Q. How can customers using the service send false negatives (spam) and false positives to Microsoft?
A. Spam and non-spam messages can be submitted to Microsoft for analysis in several ways. For more information, see Submitting Spam and Non-Spam Messages to Microsoft for Analysis.
Q. Can I get spam reports?
A. Yes, you can obtain reports in the Office 365 portal or by downloading an Excel reporting workbook. For more information about reporting, see the following links:
Exchange Online customers: Monitoring, Reporting, and Message Tracing in Exchange Online
Exchange Online Protection customers: Reporting and Message Trace in Exchange Online Protection
Q. Someone sent me a message and I can’t find it. I suspect that it may have been detected as spam. Is there a tool that I can use to find out?
A. Yes, the message trace tool enables you to follow email messages as they pass through the service, in order to find out what happened to them. For more information about how to use the message trace tool to find out why a message was marked as spam, see Was a message marked as spam?
Q. Will the service throttle (rate limit) my mail if my users send outbound spam?
A. If an outbound message is determined to be spam, it is routed through the high risk delivery pool, which reduces the probability of the normal outbound IP pool being added to a block list. If a user continues to send outbound spam through the service, that user will be blocked from sending messages.
You can send a notification to a specified email address when a sender is blocked sending outbound spam. For more information about this setting, see Configure the Outbound Spam Policy.
Q. Can I use a third-party anti-spam and anti-malware provider in conjunction with Exchange Online?
A. Yes, you may configure another spam and malware filtering service to protect your Exchange Online mailboxes. To do this for inbound mail, redirect your email messages to the third-party provider by changing your MX records to point to the third-party provider, and have the provider forward the messages to EOP for additional processing. Note that EOP then sees the provider, not the original sender, as the connecting host, so IP-based checks such as connection filtering and SPF are evaluated against the provider's addresses; take this into account when you configure your connectors and SPF record. To do this for outbound mail, configure the message delivery destination to the third-party provider (smart host), as shown in Scenario: Outbound Smart Hosting.
Q. Does Microsoft have any documentation about how I can protect myself from phishing scams?
A. Yes. Please consult the following articles:
Q. Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?
A. The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators. This may involve working with our legal and digital crime units to take down a spammer botnet, blocking the spammer from using the service (if they’re using it for sending outbound email), and passing the information on to law enforcement for criminal prosecution.
Q. What are the best practices for outbound mailing that will help ensure that my mail is delivered?
A. The guidelines presented below are best practices for sending outbound email messages.
- The sending domain of the email should resolve in DNS.
For example, if the sender is firstname.lastname@example.org, the domain example.org should resolve to an IP address (for instance 192.0.2.1; this address is from a range reserved for documentation). If a sending domain has no A record and no MX record in DNS, the service will route the message through its high risk delivery pool regardless of whether or not the content of the message is spam. For more information about the high risk delivery pool, see High Risk Delivery Pool for Outbound Messages.
- The sending IP address of the outbound mail server should have a reverse DNS (PTR) entry.
For example, if sending from the IP address 192.0.43.10, the reverse DNS entry for this IP is 43-10.any.icann.org.
- The HELO/EHLO and MAIL FROM commands should be consistent and be present in the form of a domain name rather than an IP address.
The HELO/EHLO command should be configured to match the reverse DNS of the sending IP address so that the domain remains the same across the various parts of the message headers.
- Ensure that proper SPF records are set up in DNS.
SPF records let a domain owner publish, in DNS, which IP addresses are permitted to send mail for that domain, so that receiving systems can check whether mail claiming to come from the domain (in the MAIL FROM or HELO identity) actually comes from an authorized source and is not spoofed. For more information about SPF records, see the following links:
Customize an SPF Record to Validate Outbound Email Sent from Your Domain
Create DNS records for Office 365
Microsoft’s Sender ID wizard
- If signing email with DKIM, sign with relaxed canonicalization.
If a sender wants to sign their messages using DomainKeys Identified Mail (DKIM) and they want to send outbound mail through the service, they should sign using the relaxed header canonicalization algorithm. Signing with simple (strict) header canonicalization may invalidate the signature when the message passes through the service, because any re-folding or re-spacing of a signed header changes the bytes that were signed.
- Domain owners should have accurate information in the WHOIS database.
WHOIS identifies the owners of the domain and how to contact them; the record should list the stable parent company, a point of contact, and the domain's name servers.
- For bulk mailers, the From: name should reflect who is sending the message, while the subject line of the message should be a brief summary on what the message is about.
The message body should have a clear indication of the offering, service, or product. For example, if a sender is sending out a bulk mailing for the Contoso company, the following is what the email From and Subject should resemble:
Subject: New updated catalog for the Christmas season!
The following is an example of what not to do because it is not descriptive:
- If sending a bulk mailing to many recipients and the message is in newsletter format, there should be a way of unsubscribing at the bottom of the message.
The unsubscribe option should resemble the following:
- If sending bulk email, list acquisition should be performed using double opt-in. If you are a bulk mailer, double opt-in is an industry best practice.
Double opt-in is the practice of requiring a user to take two actions to sign up for marketing mail:
Once when the user clicks on a previously unchecked check box where they opt-in to receive further offers or email messages from the marketer.
A second time when the marketer sends a confirmation email to the user’s provided email address asking them to click on a time-sensitive link that will complete their confirmation.
- Bulk senders should create transparent content for which they can be held accountable:
Verbiage requesting that recipients add the sender to the address book should clearly state that such action is not a guarantee of delivery.
When constructing redirects in the body of the message, use a consistent link style.
Don’t send large images or attachments, or messages that are solely composed of an image.
When employing tracking pixels (web bugs or beacons), clearly state their presence in your public privacy or P3P settings.
- Format outbound delivery status notifications.
When generating delivery status notification messages, senders should follow the format of a bounce as specified in RFC 3464.
- Remove bounced email addresses for non-existent users.
If you receive an NDR indicating that an email address is no longer in use, remove the non-existent email alias from your list. Email addresses change over time, and people sometimes discard them.
- Use Hotmail’s Smart Network Data Services (SNDS) program.
Hotmail uses a program called Smart Network Data Services that allows senders to check complaints submitted by end users. The SNDS is the primary portal for troubleshooting delivery problems to Hotmail.
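The first four items in the list above (sending domain resolves, sending IP has a PTR record, HELO/EHLO matches that reverse name, SPF record authorizes the sending IP) are all things a sender can verify before a single message leaves the server. The following added example, which is not code from the article or from Microsoft, performs those checks as a unit. Lookups go through a resolver callback so it runs offline against constructed zone data (fictional hosts in the reserved example domains and documentation address ranges); for real use, pass a function that performs actual DNS queries. The SPF evaluation is deliberately limited to the ip4 and mx mechanisms and is an illustration, not a full RFC 7208 evaluator.

```python
# Added example (not from the original article): check an outbound mail server against the
# DNS-related sending practices: sending domain resolves (A or MX), sending IP has a PTR
# record that resolves back to the IP, HELO/EHLO name equals the PTR name, and the domain's
# SPF record authorizes the IP. The resolver is injected so the example runs offline.
import ipaddress

# Constructed zone data for the example (RFC 2606 example domains, RFC 5737 documentation
# addresses). "bad.example" has an SPF record but no A/MX record and its IP has no PTR.
FAKE_ZONE = {
    ("example.org", "A"): ["192.0.2.1"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/28 mx -all"],
    ("bad.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}


def fake_resolve(name, rtype):
    """Stand-in for a DNS lookup: returns a list of answers (empty list = no data)."""
    return FAKE_ZONE.get((name.lower().rstrip("."), rtype), [])


def spf_covers(domain, ip, resolve):
    """Minimal SPF check: 'ip4' (with optional CIDR) and 'mx' mechanisms only.

    Returns True if a v=spf1 record exists and one of those mechanisms matches the IP.
    include/redirect/a/exists are not implemented (illustration only).
    """
    ip = ipaddress.ip_address(ip)
    for txt in resolve(domain, "TXT"):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            mech = term.lstrip("+-~?")           # drop the qualifier; only a positive match matters here
            if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
                return True
            if mech == "mx":
                for mx in resolve(domain, "MX"):
                    if str(ip) in resolve(mx, "A"):
                        return True
        return False   # an SPF record exists but does not list this sender
    return False       # no SPF record at all


def check_sender(domain, ip, helo, resolve=fake_resolve):
    """Return {check name: passed} for a sending domain, sending IP and HELO/EHLO name."""
    results = {}
    results["domain_resolves"] = bool(resolve(domain, "A") or resolve(domain, "MX"))
    ptr_names = resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    results["has_ptr"] = bool(ptr_names)
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the sending IP.
    results["ptr_forward_confirmed"] = any(ip in resolve(name, "A") for name in ptr_names)
    normalized = {name.lower().rstrip(".") for name in ptr_names}
    results["helo_matches_ptr"] = helo.lower().rstrip(".") in normalized
    results["spf_authorizes_ip"] = spf_covers(domain, ip, resolve)
    return results


if __name__ == "__main__":
    for args in [("example.org", "192.0.2.25", "mail.example.org"),
                 ("bad.example", "198.51.100.7", "198.51.100.7")]:
        print(args)
        for check, passed in check_sender(*args).items():
            print(f"  {'PASS' if passed else 'FAIL'}  {check}")
```

The second sample in the block is the instructive one: its SPF record does authorize the IP, yet the domain does not resolve, the IP has no reverse entry and the HELO is a bare address, each of which on its own is enough to get mail routed through the high risk delivery pool or rejected downstream. SPF alone does not make a sender look legitimate.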
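The DKIM item above says to sign with relaxed header canonicalization because a relay may re-fold or re-space headers. The following added example (not code from the article or from Microsoft) implements the simple and relaxed header canonicalization rules from RFC 6376 section 3.4 and shows, on constructed headers, that a hash over the relaxed form survives a relay that re-folds the Subject and changes header-name casing while a hash over the simple form does not. Only the header side is shown; no key, body hash or DKIM-Signature header is produced.

```python
# Added example (not from the original article): simple vs. relaxed DKIM header
# canonicalization (RFC 6376 section 3.4) and why relaxed survives transit.
import hashlib
import re


def simple_header(name, value):
    """'simple' header canonicalization (3.4.1): the header is used exactly as on the wire."""
    return f"{name}:{value}\r\n"


def relaxed_header(name, value):
    """'relaxed' header canonicalization (3.4.2): lowercase the name, unfold continuation
    lines, collapse each run of whitespace to one space, strip whitespace at the ends of the
    value, and allow no whitespace around the colon."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return f"{name.strip().lower()}:{collapsed}\r\n"


def header_hash(headers, canon):
    """SHA-256 over a list of (name, value) pairs under the given canonicalization."""
    digest = hashlib.sha256()
    for name, value in headers:
        digest.update(canon(name, value).encode("utf-8"))
    return digest.hexdigest()


# Constructed headers as they left the signing server...
ORIGINAL = [
    ("From", "Contoso Catalog <catalog@contoso.example>"),
    ("Subject", "New updated catalog for the Christmas season!"),
    ("To", "user@example.org"),
]
# ...and the same headers after a relay re-folded Subject, doubled a space and
# lower-cased the header names. No semantic change, but different bytes.
RELAYED = [
    ("from", "Contoso Catalog <catalog@contoso.example>"),
    ("subject", "New updated catalog\r\n\tfor the Christmas  season!"),
    ("to", "user@example.org"),
]


def survives_relay(canon):
    """True if the canonical header hash is unchanged by the relay's rewriting."""
    return header_hash(ORIGINAL, canon) == header_hash(RELAYED, canon)


if __name__ == "__main__":
    print("simple  survives relay:", survives_relay(simple_header))    # False
    print("relaxed survives relay:", survives_relay(relaxed_header))   # True
```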
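Two of the items above concern bounces: outbound delivery status notifications should follow RFC 3464, and addresses that bounce as non-existent should be removed from the list. The following added example (not code from the article or from Microsoft) covers both with one pair of functions: it builds a minimal RFC 3464 DSN (multipart/report with a message/delivery-status part) using only the Python standard library, and it parses a DSN to return the recipients whose delivery failed with the unknown-mailbox status 5.1.1, which are the ones to purge. The mail hosts and addresses are constructed.

```python
# Added example (not from the original article): generate an RFC 3464 delivery status
# notification and parse one to find addresses that should be removed from a mailing list.
from email import message_from_string
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate, make_msgid


def build_dsn(reporting_mta, recipient, status, action="failed", diagnostic=None):
    """Return an RFC 3464 DSN as text: a human-readable part plus a message/delivery-status
    part holding the per-message block and one per-recipient block."""
    dsn = MIMEMultipart("report", **{"report-type": "delivery-status"})
    dsn["From"] = f"MAILER-DAEMON@{reporting_mta}"
    dsn["To"] = "bulk-sender@contoso.example"      # constructed return path of the bulk mailing
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    dsn["Date"] = formatdate()
    dsn["Message-ID"] = make_msgid(domain=reporting_mta)
    dsn.attach(MIMEText(f"Delivery to {recipient} {action}.\nStatus: {status}\n"))

    per_message = Message()                        # first block: fields about the whole message
    per_message["Reporting-MTA"] = f"dns; {reporting_mta}"
    per_recipient = Message()                      # one block per recipient
    per_recipient["Final-Recipient"] = f"rfc822; {recipient}"
    per_recipient["Action"] = action               # failed | delayed | delivered | relayed | expanded
    per_recipient["Status"] = status               # RFC 3463 enhanced status code, e.g. 5.1.1
    if diagnostic:
        per_recipient["Diagnostic-Code"] = f"smtp; {diagnostic}"
    status_part = MIMEBase("message", "delivery-status")
    # The stdlib generator expects the payload of message/delivery-status to be a list of
    # header-only Message objects, one per RFC 3464 field block, separated by blank lines.
    status_part.set_payload([per_message, per_recipient])
    dsn.attach(status_part)
    return dsn.as_string()


def failed_recipients(dsn_text, purge_statuses=("5.1.1",)):
    """Parse a DSN and return addresses whose Action is 'failed' with a status in purge_statuses.

    By default only 5.1.1 (bad destination mailbox address) is returned: other permanent
    failures such as policy rejections do not mean the address has ceased to exist.
    """
    msg = message_from_string(dsn_text)
    purge = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()               # [per-message block, per-recipient block, ...]
        for block in blocks[1:]:
            action = (block.get("Action") or "").strip().lower()
            status = (block.get("Status") or "").strip()
            recipient = block.get("Final-Recipient") or block.get("Original-Recipient") or ""
            addr = recipient.split(";", 1)[-1].strip()   # strip the "rfc822;" address-type prefix
            if action == "failed" and status in purge_statuses and addr:
                purge.append(addr)
    return purge


if __name__ == "__main__":
    text = build_dsn("mail.example.org", "gone@example.org", "5.1.1",
                     diagnostic="550 5.1.1 User unknown")
    print(text)
    print("purge:", failed_recipients(text))
```

The parser keys on the structured Final-Recipient/Action/Status fields rather than on the human-readable text, which is the whole point of the RFC 3464 format: a receiving system that formats its bounces this way lets list owners remove dead addresses automatically instead of guessing from free-form wording.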