Office 365 – Dealing with spam [EN]

Microsoft and its partners advertise Exchange Online and Outlook.com as having one of the best spam filtering. Well, every email service brags about it. But in reality things are not so good. Prior to switching our incoming and outgoing email traffic to Exchange Online we were using a local hosted solution. Well, we are still kind of using it as not all mailboxes have been migrated yet. But all the filtering is done on the cloud side now. Hosted solution consists of Exchange 2013 server and IronPort firewall/anti-spam. This is managed by a service provider and we do not have control of it (aside of creating mailboxes and tweaking some minor stuff). We had a number of filtering rules created for us by our providers. It wasn’t perfect. IronPort seems to not be that flexible. But as we have switched to Exchange Online the hell broke loose.. Well, not that bad actually. But we certainly saw the increase of spam. And sometimes it allowed emails with just a link to “learn how to please your girlfriend” to come through. Well, i wouldn’t call SUCH filtering as a first class service 🙂 So, after our MS partner’s engineer suggested to add rules i went to Office 365 Admin Center > Exchange admin center > Protection > Spam filter and edited the Default filter. Here you can find Block lists menu, where you can add email addresses or domains to block. But that didn’t change anything. Though i have noticed that emails from that list ended up in the Junk Mail folder for a few our users, who for some reason had Junk Mail enabled. Historically we always had Junk Mail disabled in Outlook application. Because of a high volume of false positives. And personally i find it illogical to still let spam through and let it sit in user’s mailbox in a separate folder and make him worry why there is an unread count on that folder and is there a legitimate email in there accidentally. It is also rather minor, but a potential security issue. So, i’m always in favor of filtering spam on the server. Junk Mail was consistently filtering out emails from a few internal systems, which was annoying. So we had it disabled for all users. Even when we switched to hosted solution, we were disabling it for every new mailbox with a PowerShell command. But the default action for Exchange Online Protection is to move spam to Junk Mail folder. As we had it disabled, the rules did nothing. So, i went to spam and bulk actions menu (in the same Default filter) and changed action for both Spam and High confidence spam to Delete message. Yeah, there is a chance that some legitimate email ends up deleted, but it would be rare and i would risk that instead of having hundreds of spam messages coming through. To see if it works you can go to Exchange admin center > Mail flow > message trace and do a search for any emails with any status, say for last 48 hours. Deleted spam messages will be shown with a Failed status. Yeah, a bit confusing. I was expecting for them to have Deleted status or something in that vein. But comparing history before and after changing the default action and also inspecting mailboxes of users i found out that Failed is indeed the indication of a spam message deleted based on the Block lists rules.

Update: after discussing this with our partner’s technician i have decided to change the action for both Spam categories to Quarantine. This way it won’t get deleted right away, but instead every filtered message will be held in Exchange admin center > Protection > Quarantine for two weeks (with an option to release the message and train the filter). Spam message filtered this way will appear in the message trace with status Quarantined.