How to deal with e-mail providers like Office365, Google, etc. when SBRS reputation is negative?

Jason Meyer
Level 1

Wanted to get the community's input on how to deal with e-mail providers like Office365.

I receive e-mail from a lot of shops that use Office365 as their e-mail provider and what I'm finding is a lot of Office365's servers have very poor reputations for SPAM.  Right now they have over 100 IP addresses that have a SBRS score of -3.0 or worse.   A poor Office365 tenant has no control over what server their e-mail comes from (or do they know what IP, other than .outlook.com) within the Office365 cloud and intermittently it will be sent from an IP that has a poor reputation.   Well, then my system, protected by IronPort filtering, sees that poor SBRS reputation and says no way, so then the sender gets all upset and contacts the recipient (my customer) and the recipient doesn't know what to tell them, so they say, send it to a GMAIL account, and more times than not it works.   Making it seem that the problem is on my end when in all reality it is on the sender's end because they are hosted on an environment that has a poor reputation SMTP server.

 

To resolve the problem the best answer that I can come up with is to add .outlook.com to a policy that ignores SBRS scores, allowing ALL of them to connect to my appliances and send all kinds of garbage that most (if there is a definition for it) get filtered out before getting to my users' mailboxes but at the expense of my environment's resources.  But ultimately some gets through because it's new and we report it to Cisco, but this doesn't improve the volume of garbage that Office365 can send me, only the amount that I have to filter out from them.  Can't throttle the volume of e-mail accepted from Office365 down to a helpful level as we already have a high volume of legitimate e-mail coming from it.

 

Anyway, wanted to get the community's input on this, is there a better answer, and how this is going to work moving forward with more and more organizations moving to cloud providers where they have a large number of organizations hosted on one environment.

 

Jason

 

 


exMSW4319
Level 3

I'd say you have done the right thing in exempting the whole Office365 community from SBRS. However, those ratings were earned for a reason - I've never found Senderbase to be unduly aggressive. It's curious that there's this dissonance between what MS regards as acceptable use and what Senderbase regards as spam. Have you tried some of the blacklisted server IPs on other DNSBLs?

If the Office365 servers are now in their own Sender Group and you have a large number of mailboxes open to attack, can you rate-limit Office365? That of course only mitigates, and could also give you false positives.

So the mail comes from Office365 servers but the senders have all ported in their own domain names? Can anything be done with that, or are the legitimate users too clueless to publish any information that might distinguish between regular users and those who want to spam from Office?

I assume that the Marketing filter is ineffective here, or that you are in a position where you cannot use it? Likewise, is URL Filtering off the menu for being too CPU-expensive or unable to focus on the problem?

Finally, are there any message headers added by particular features of Office365 that might indicate bulk?

There are a number of other bitty and rather unsatisfactory solutions that might work for a small organisation but not for larger ones. Among the many assumptions I've made in this posting is that with several appliances, you're in the latter category.

Yes, we too are looking at the potential nightmare of a significant part of the business community moving to officeapps.live.com.
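The reply above suggests cross-checking the poorly rated .outlook.com addresses against other DNSBLs. Below is an added example (not code from the original thread or from Cisco/IronPort) of how such a lookup is built and interpreted: the address octets (or, for IPv6, all 32 hex nibbles) are reversed and prefixed to the list's zone, an NXDOMAIN answer means "not listed", and only answers inside 127.0.0.0/8 count as a listing, so a broken or wildcarded zone cannot produce a false hit. The zone names are constructed placeholders; a real deployment would substitute the DNSBL zones it is licensed to query and should pass the resulting evidence to a human before any policy change, since the thread itself notes that rate limits and exemptions bring their own false positives.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed placeholder zones; replace with the DNSBL zones you actually use.
DNSBL_ZONES = ["dnsbl-one.example.invalid", "dnsbl-two.example.invalid"]

# DNSBLs signal a listing with an answer in this range (and encode a reason in the last octet).
DNSBL_ANSWER_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name for one address under one DNSBL zone.

    IPv4: octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>
    IPv6: the 32 hex nibbles of the expanded address reversed and dot-separated.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 single-nibble labels
    return ".".join(reversed(labels)) + "." + zone


def live_resolve(name: str) -> List[str]:
    """Resolve a name to its A records over the system resolver.

    NXDOMAIN (the normal 'not listed' response) surfaces as socket.gaierror,
    which is mapped to an empty list.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def _is_listing_code(answer: str) -> bool:
    try:
        return ipaddress.ip_address(answer) in DNSBL_ANSWER_RANGE
    except ValueError:
        return False


def check_ip(ip: str, zones: List[str],
             resolve: Callable[[str], List[str]] = live_resolve) -> Dict[str, List[str]]:
    """Return {zone: [answer codes]} for each zone that lists the address.

    Answers outside 127.0.0.0/8 are ignored: they indicate a misconfigured or
    wildcarded zone, not a reputation verdict.
    """
    listed: Dict[str, List[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if _is_listing_code(a)]
        if codes:
            listed[zone] = codes
    return listed


if __name__ == "__main__":
    # Constructed sample: the TEST-NET address 192.0.2.10 is the only one "listed".
    def sample_resolve(name: str) -> List[str]:
        return ["127.0.0.2"] if name.startswith("10.2.0.192.") else []

    for candidate in ("192.0.2.10", "198.51.100.7"):
        hits = check_ip(candidate, DNSBL_ZONES, resolve=sample_resolve)
        print(candidate, "listed in" if hits else "clean:", hits or "")
```

Running the block stand-alone uses only the embedded sample resolver, so it works offline; drop the `resolve=` argument to query real zones through the system resolver.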

 

Have you tried some of the blacklisted server IPs on other DNSBLs?  

I have not but am guessing that if Senderbase shows them as -3.0, -5.0, some are even -10.0 that they will be listed.

 

If the Office365 servers are now in their own Sender Group and you have a large number of mailboxes open to attack, can you rate-limit Office365?

I didn't create a Sender Group specifically for Office365 servers.  We do receive a large volume of legitimate e-mail from Office365 so the throttled limit would have to be so large that it would not be effective.

 

So the mail comes from Office365 servers but the senders have all ported in their own domain names?

Yes, as part of the Office365 configuration tenants authorize Office365 SMTP servers to send e-mail on their domain's behalf.  E-mail tenant is @mydomain.com, but is sent from .outlook.com SMTP servers.

 

I assume that the Marketing filter is ineffective here, or that you are in a position where you cannot use it? Likewise, is URL Filtering off the menu for being too CPU-expensive or unable to focus on the problem?

Both Marketing and URL filtering help a ton but both still miss a lot of SPAM, Marketing, Phishing e-mails. 

 

Finally, are there any message headers added by particular features of Office365 that might indicate bulk?

Not that I know of.

 

Appreciate your response and look forward to how the industry reacts to this trend.
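The exchange above turns on the fact that each tenant publishes an SPF record delegating its domain to Office365's shared outbound servers, so the connecting IP alone cannot tell a clean tenant from an abusive one. As an added example (not code from the thread or from any vendor), here is a small SPF record parser that a gateway operator could use to see which sender domains delegate to a given provider include and how strict their `all` policy is; the record strings are constructed samples, and `spf.protection.outlook.com` is used as the example include name.

```python
from typing import List, Tuple

QUALIFIERS = "+-~?"
ALL_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt: str) -> List[Tuple[str, str]]:
    """Split an SPF TXT record into (qualifier, term) pairs in evaluation order.

    Mechanisms (include:, ip4:, a, mx, all, ...) get an explicit qualifier,
    defaulting to '+'. Modifiers such as redirect= or exp= are returned with an
    empty qualifier so callers can still see them. Non-SPF records yield [].
    """
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    parsed: List[Tuple[str, str]] = []
    for term in terms[1:]:
        name = term.split("=", 1)[0]
        if "=" in term and ":" not in name:
            parsed.append(("", term))  # modifier, e.g. redirect=_spf.example.com
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def authorizes_include(txt: str, include_domain: str) -> bool:
    """True when the record positively includes the given provider domain."""
    wanted = "include:" + include_domain.lower()
    return any(q == "+" and term == wanted for q, term in parse_spf(txt))


def all_policy(txt: str) -> str:
    """Report what the record says about senders matched by nothing else."""
    for q, term in parse_spf(txt):
        if term == "all":
            return ALL_RESULTS[q]
    return "none"  # no 'all' term: record is silent about unmatched senders


if __name__ == "__main__":
    # Constructed sample records for two hypothetical sender domains.
    samples = {
        "tenant-a.example": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all",
        "tenant-b.example": "v=spf1 mx ~all",
    }
    for domain, record in samples.items():
        print(domain,
              "delegates to outlook.com" if authorizes_include(record, "spf.protection.outlook.com") else "no outlook.com include",
              "/ all:", all_policy(record))
```

The parser deliberately does not fetch records or evaluate macros; it is meant for offline triage of records already collected (for example from the envelope-sender domains of messages the appliance rejected), where the question is simply which domains have delegated to the shared provider and how strongly.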