AnotherUCBlog > Exchange, S4B, O365

Share my findings in the Microsoft unified communication world



EOP – Emails identified as spam do not go to the Junk email folder


Today we encountered a new issue: a user was complaining about receiving a lot of spam in his inbox. He sent me more than ten examples and, looking at the headers, all of them were correctly identified by EOP and should have been moved to the Junk email folder…

X-Forefront-Antispam-Report: CIP:;CTRY:DE;IPV:NLI;EFV:NLI;SFV:SPM;SFS:(2990300002)(438002)(3380300002)(189002)(199003)(107886002)(106466001)(58226001)(2351001)(77156002)(19617315012)(46102003)(81156007)(16236675004)(62966003)(15975445007)(512874002)(450100001)(5002240100001)(84326002)(2920100001)(64706001)(229853001)(4001450100002)(5001960100002)(2160300002)(110136002)(92566002)(5001860100001)(5001830100001)(81686999)(50986999)(4001540100001)(5002050100002)(54356999)(42186005)(19580395003)(189998001)(44706002)(86362001)(87836001)(100156002);DIR:INB;SFP:;SCL:5;SRVR:DB3PR06MB140;;FPR:;SPF:Pass;;MX:1;A:1;LANG:en;

I also performed a mail trace, and it explicitly showed that the email had been moved to the Junk email folder!


After some searching, I found that it is possible to disable, and also customize, the junk email rule for a specific mailbox. This can be done with the Set-MailboxJunkEmailConfiguration command.

After running the command Get-MailboxJunkEmailConfiguration for this user, I saw that the rule was indeed disabled for him! Why it was disabled, I don’t really know, but I think this was done before the migration to O365 and the setting was kept during the move.
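The check described above, extended to find every mailbox where the junk email rule is disabled and to re-enable it. This is an added example, not a script from the original post; it assumes an Exchange PowerShell session is already connected, and 'user@contoso.com' is a placeholder identity.

```powershell
# Added example. Assumes an Exchange Online / Exchange Management Shell
# session is already open. 'user@contoso.com' is a placeholder.

# 1. Inspect one mailbox: Enabled = False means the junk email rule is off,
#    so messages EOP marked as spam stay in the Inbox.
Get-MailboxJunkEmailConfiguration -Identity 'user@contoso.com' |
    Format-List Identity, Enabled, TrustedListsOnly, ContactsTrusted

# 2. Sweep all user mailboxes and collect those with the rule disabled.
#    Mailboxes that were never opened can return an error; skip them.
$disabled = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        $cfg = Get-MailboxJunkEmailConfiguration -Identity $_.Identity `
                   -ErrorAction SilentlyContinue
        if ($cfg -and -not $cfg.Enabled) {
            [pscustomobject]@{
                Mailbox = [string]$_.PrimarySmtpAddress
                Enabled = $cfg.Enabled
            }
        }
    }
$disabled | Format-Table -AutoSize

# 3. Re-enable the rule. -WhatIf only previews the change;
#    remove it once the list above has been reviewed.
$disabled | ForEach-Object {
    Set-MailboxJunkEmailConfiguration -Identity $_.Mailbox -Enabled $true -WhatIf
}
```

Running the sweep after each migration batch catches mailboxes that carried a disabled rule over from the on-premises environment.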

EOP Hybrid – Ensure spam is moved to the “Junk” folder for on-premises users


Once we had a lot of users in the cloud, we started to move the MX records to point directly at the cloud, with mail then transferred to the on-premises environment if the user was not yet migrated.

As soon as we started this task, non-migrated users started to complain about receiving a lot of spam in their inbox…

The email headers show that the message is correctly identified as spam, as you can see from the line below:

X-Forefront-Antispam-Report: CIP:;CTRY:;IPV:NLI;EFV:NLI;SFV:SPM;SFS:(2990300002)(438002)(199003)(189002)(19618635001)(4590100002)(450100001)(23846002)(77156002)(110146008)(18206015028)(15975445007)(62966003)(118296001)(64706001)(19617315012)(2351001)(87836001)(229853001)(46102003)(54356999)(50466002)(50986999)(23676002)(106466001)(551544002)(86362001)(42186005)(92566002)(4001450100002)(19580395003)(5002240100001)(5002050100002)(5820100001)(5001960100002)(189998001)(2160300002)(4001540100001)(5001830100001)(5001860100001)(81156007)(110136002)(107886002)(5210400004);DIR:INB;SFP:;SCL:5;SRVR:server;;FPR:;SPF:Pass;;A:1;MX:1;LANG:en

The thing is that your on-premises Exchange does not look at this line, and as O365 and your on-premises environment are not in the same organization, the message is not moved…

To correct this, MS advises creating a transport rule that checks the header of each email for the value “SFV:SPM” and then raises the SCL value above the SclJunkThreshold value set on-premises.

Be sure that the SCL value you set in the transport rule is above the SCLJunkThreshold value (equal is not sufficient, unlike what is written in the TechNet page).
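One way to build that transport rule so the stamped SCL is always strictly above the junk threshold. This is an added example, not the script from the Microsoft article or from this blog; it assumes the on-premises Exchange Management Shell, and the rule name is a placeholder.

```powershell
# Added example. Run in the on-premises Exchange Management Shell.
# The rule name below is a placeholder chosen for this example.
$ruleName = 'EOP spam verdict to SCL'

# Read the organization-wide junk threshold.
$threshold = [int](Get-OrganizationConfig).SCLJunkThreshold

# The SCL stamped by the rule must be strictly greater than the threshold.
$scl = $threshold + 1
if ($scl -gt 9) {
    throw "SCLJunkThreshold is $threshold; no higher SCL value exists (maximum is 9)."
}

# Match the spam verdict written by EOP and raise the SCL.
New-TransportRule -Name $ruleName `
    -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
    -HeaderContainsWords 'SFV:SPM' `
    -SetSCL $scl

# Confirm what was created.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, HeaderContainsMessageHeader, HeaderContainsWords, SetSCL

# A mailbox can carry its own junk threshold that overrides the
# organization value; list those the rule's SCL would not exceed.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.SCLJunkEnabled -and $_.SCLJunkThreshold -ge $scl } |
    Format-Table Name, SCLJunkThreshold -AutoSize
```

Any mailbox listed by the last command still receives EOP-flagged spam in the Inbox until its own threshold is lowered or the rule's SCL is raised.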

EOP Apply an antispam policy on a domain


If you have created an antispam policy and applied it only to some domains, and you do not understand why it is not working on some mailboxes, you must verify that the primary SMTP address of those mailboxes is part of the domains set in the antispam policy.

Indeed, only the primary SMTP address of the mailbox is checked to decide whether the antispam policy has to be applied or not.
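A check for this situation, comparing a mailbox's primary SMTP domain and its alias domains against each antispam rule. This is an added example, not part of the original post; it assumes an Exchange Online PowerShell session, that the policies are scoped by recipient domain (RecipientDomainIs), and 'user@contoso.com' is a placeholder.

```powershell
# Added example. Assumes an Exchange Online PowerShell session.
# 'user@contoso.com' is a placeholder mailbox identity.
$mbx = Get-Mailbox -Identity 'user@contoso.com'

# Domain of the primary SMTP address: the only one the policy looks at.
$primaryDomain = ([string]$mbx.PrimarySmtpAddress).Split('@')[1]

# Domains of every SMTP address on the mailbox (primary and aliases).
$allDomains = $mbx.EmailAddresses |
    Where-Object { "$_" -like 'smtp:*' } |
    ForEach-Object { ("$_" -split '@')[1] } |
    Sort-Object -Unique

# Compare against the recipient domains of each antispam rule.
Get-HostedContentFilterRule | ForEach-Object {
    $ruleDomains  = @($_.RecipientDomainIs | ForEach-Object { "$_" })
    $matchPrimary = $ruleDomains -contains $primaryDomain
    $matchAlias   = [bool]($allDomains | Where-Object { $ruleDomains -contains $_ })

    [pscustomobject]@{
        Rule             = $_.Name
        Policy           = $_.HostedContentFilterPolicy
        State            = $_.State
        MatchesPrimary   = $matchPrimary
        # True when only an alias is in the rule's domains:
        # the policy will NOT be applied to this mailbox.
        MatchesAliasOnly = (-not $matchPrimary) -and $matchAlias
    }
} | Format-Table -AutoSize
```

A row with MatchesAliasOnly = True is the case described above: the mailbox has an address in the policy's domain, but not as its primary SMTP address.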

EOP Spam and malware reports

Update 08/17/2015: Finally, MS will not restore this parameter and will remove them from the TechNet pages… That’s really not good news for big companies receiving a lot of emails…

Update 08/04/2015: MS told me that this parameter is indeed not working and that they are going to make a fix.

Hi Guys,

Recently, for my company, I had to produce some reports on spam and malware identified by EOP. You will tell me, “Easy, you can get them weekly or monthly from the O365 admin portal” (tab “reports”).


The problem is that you can only have a global report, and as we have a lot of messaging domains in O365, we wanted to split them by domain. So I thought about using PowerShell:

There are two commands to know, Get-MailDetailSpamReport and Get-MailDetailMalwareReport, which give you all the spam or malware identified in a timeframe. You can also give a domain to get only the spam or malware identified for that domain.

The problem is that when using the domain parameter, the command doesn’t return any results…

I’m currently in touch with MS to find out why it isn’t working! They gave me a tool that looks extremely useful for malware and spam reports, “Mail Protection Reports for Office 365”: you just have to give your admin credentials and the timeframe you want, and the Excel file will be filled with graphics and details!

But the spam and malware details tabs cannot get enough data to give me more than 20 minutes of information instead of 1 week! (Also reported to MS.)

I will keep you updated on what I find to accomplish this.
