
Page 1 of 20 | High Risk Delivery Pool and Exchange Online | Part 10#17

HIGH RISK DELIVERY POOL AND EXCHANGE ONLINE | PART 10#17

The current article is the continuation of the former article: High Risk Delivery Pool and Exchange Online | Part 9#17

In this article we will focus on the following subjects:

How does Exchange Online decide to classify a specific E-mail as spam\junk mail?
Description of the internal spam E-mail message flow
Who is the authority that approves or identifies E-mail as spam\junk mail?
Written by Eyal Doron | o365info.com


When Office 365 users ask to deliver E-mail to another recipient, Exchange Online (EOP, if we want to be more accurate) must check the E-mail message and verify whether it is legitimate or should be considered spam\junk mail.
The security scanning process for outbound E-mail messages is implemented by using two types of security infrastructure:
1. Proprietary block lists that are not exposed to the general public
2. Third-party (partner) public block list providers

Exchange Online Protection (EOP) uses its own proprietary block lists as well as third-party (partner) block lists. If a user is placed on our block lists after sending outbound messages through the service, they'll receive a 550 5.1.8 Access Denied, Bad Sender message.

Additionally, the domain administrator address configured via the "Send a notification to the following email address when a sender is blocked sending outbound spam" setting in the outbound spam policy will receive a message that the sender was placed on our block lists.
[Source of information: Request that a user, domain, or IP address be removed from a block list after sending outbound spam]

In the following diagram, we can see a high-level flow of the process in which Exchange Online scans outgoing E-mail messages sent by Office 365 users with the help of the black list and block list databases.
Note: the popular term is black list providers. In the Office 365 and Exchange Online articles, the term used most of the time is: block list providers.
We can treat these two different terms as synonyms.

Q: Who are these mysterious third-party (partner) public block list providers?
A: Information about these third-party (partner) public block list providers is publicly published. For example, if you want more information about the third-party (partner) public block list providers that are used by Office 365 and Exchange Online, you can read the following article: Request that a user, domain, or IP address be removed from a block list after sending outbound spam.
In that article we can see a list of the third-party (partner) block list providers that are used by the Exchange Online infrastructure.

Outbound spam scenario flows in an Office 365 environment

To demonstrate the flow of internal spam E-mail, let's use the following scenario:
Office 365 users send E-mail to a destination recipient. The E-mail message is scanned and identified as spam\junk mail.


For this reason, the E-mail message is routed to the Exchange Online High Risk Delivery Pool and will be sent by the Exchange Online High Risk Delivery Pool to its destination.
The end of the scenario is not known because we cannot know what the security policy and rules implemented by the destination mail infrastructure are.
Step 1: Office 365 users send E-mail to an external recipient. The request is accepted by the Exchange Online server.

Step 2: Exchange Online accepts the E-mail message and forwards it to Exchange EOP (Exchange Online Protection) for further analysis.

Step 3: Exchange EOP accepts the E-mail message and forwards it to the proprietary block lists + third-party (partner) block lists.


Step 4: The E-mail message is examined by the block list providers. In our scenario, the E-mail message was identified as spam\junk mail.
The block list provider sends the E-mail message back to Exchange EOP and informs EOP that the E-mail is a problematic E-mail message.


Step 5: Because the E-mail message was identified as spam\junk mail, Exchange EOP will not forward the E-mail message to the standard Exchange Online server pool; instead, the E-mail message will be forwarded to the Exchange Online High Risk Delivery Pool.


Step 6: One of the High Risk Delivery Pool members will try to deliver the E-mail message to the destination mail server.
The basic assumption is that the destination mail server uses security services in which the incoming E-mail is scanned and verified via blacklist providers and other security mechanisms.
In our scenario, there is a high chance that the E-mail message will be classified as spam\junk mail by the destination mail server because the IP address of the Exchange Online High Risk Delivery Pool appears in well-known blacklists.
Note: another possible scenario is that the E-mail message will be identified as spam\junk mail because of the E-mail content and not because the E-mail message was sent via the Exchange Online High Risk Delivery Pool.

Step 7: The mail security infrastructure used by the destination mail server.
Each external mail infrastructure uses a different mail security policy and services.

In some scenarios, the destination security mail gateway will block the E-mail message and reply back with an NDR message.
In some scenarios, the destination security mail gateway will send the E-mail message to quarantine.
In some scenarios, the destination security mail gateway will increase the value of the SCL (spam confidence level) and forward the E-mail message to the destination recipient.


An example of an NDR message

In the following section, we can see an example of an NDR message that was returned to the Office 365 user by the destination mail server.
Pay attention to the IP address that appears in the NDR message. This is an IP address that belongs to the IP range of the High Risk Delivery Pool.

Remote Server returned 550-5.7.1 [157.56.116.102 ] our system has detected an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. To protect our 550-5.7.1 users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines. p10si13699322wje.90 gsmtp
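As an added example (not part of the original article), the following Python script parses the "Remote Server returned ..." text of an NDR like the one above: it strips the repeated SMTP reply-code prefixes, extracts the enhanced status code, the sending IP the remote server complains about and the help URL it points to, and labels the rejection so that a destination-gateway IP block can be told apart from EOP's own 550 5.1.8 Access Denied, Bad Sender reply mentioned earlier. The sample strings and the triage labels are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the NDR text quoted in the article, re-joined into one string
# (the line breaks in the PDF are not part of the SMTP reply), and the block-list reply
# the article says EOP returns to a blocked sender.
NDR_GMAIL = (
    "Remote Server returned 550-5.7.1 [157.56.116.102 ] our system has detected "
    "an unusual rate of 550-5.7.1 unsolicited mail originating from your IP address. "
    "To protect our 550-5.7.1 users from spam, mail sent from your IP address has been "
    "blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html "
    "to review 550 5.7.1 our Bulk Email Senders Guidelines. p10si13699322wje.90 gsmtp"
)
NDR_EOP = "Remote Server returned 550 5.1.8 Access Denied, Bad Sender"

# One SMTP reply-line prefix: 3-digit code, '-' (more lines follow) or ' ' (last line),
# then the enhanced status code (class.subject.detail, RFC 3463).
_PREFIX = re.compile(r"(\d{3})([ -])(\d\.\d{1,3}\.\d{1,3})\s*")


@dataclass
class NdrInfo:
    reply_code: str           # basic SMTP reply code, e.g. "550"
    enhanced_code: str        # enhanced status code, e.g. "5.7.1"
    sender_ip: Optional[str]  # IP the remote server complains about, if it names one
    url: Optional[str]        # help URL the remote server points to, if any
    text: str                 # human-readable reply with the repeated prefixes removed
    cause: str                # coarse triage label (constructed for this example)


def parse_remote_reply(ndr: str) -> Optional[NdrInfo]:
    """Parse the 'Remote Server returned ...' part of an NDR; None if no SMTP reply is found."""
    first = _PREFIX.search(ndr)
    if first is None:
        return None
    reply_code, enhanced = first.group(1), first.group(3)
    # Remove every '550-5.7.1 ' / '550 5.7.1 ' prefix so the text reads as one message.
    text = _PREFIX.sub("", ndr[first.start():]).strip()
    ip_m = re.search(r"\[\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\]", text)
    url_m = re.search(r"https?://\S+", text)
    sender_ip = ip_m.group(1) if ip_m else None
    if enhanced == "5.1.8":
        cause = "sender placed on EOP block list (Access Denied, Bad Sender)"
    elif enhanced == "5.7.1" and sender_ip:
        cause = "destination gateway rejected the sending IP (reputation / rate)"
    else:
        cause = "other policy rejection"
    return NdrInfo(reply_code, enhanced, sender_ip, url_m.group(0) if url_m else None, text, cause)
```

A 5.7.1 reply that names the sending IP points at the High Risk Delivery Pool address (or IP reputation in general), while 5.1.8 means EOP itself has already blocked the sender, so the two cases lead to different troubleshooting paths.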

Recap and final conclusions

In a scenario in which we are notified that mail sent from our organization is classified as spam\junk mail, the main question is:
What is the reason (the cause) that mail sent from our organization is identified as spam\junk mail? Or in simple words: who can we blame?

Is it the Office 365 users?
Is it the specific E-mail message content?
Is it the Exchange Online server that routes the E-mail message to the High Risk Delivery Pool?
Is it the High Risk Delivery Pool?
Is it the Office 365 blacklist providers?
Is it the destination mail security gateway?

Most of the time, our natural tendency will be to blame the other side. The other side could be the destination mail server or, in our scenario, the Office 365 mail servers.


The true answer is that in most scenarios the opposite is true.
The element that is responsible (guilty) for the E-mail message sent by our organization's user being identified as spam\junk mail is located on our side!
If we want to be very specific: the Office 365 user who writes and sends the specific E-mail message.
The source of the problem starts with the problematic E-mail message that was created by the Office 365 user. The problematic E-mail message is the root of all the rest of the process.
Note: in a malware scenario, the problematic E-mail message is created by the malware and not by the user himself.

When Exchange Online recognizes the E-mail message created by the Office 365 user as spam\junk mail, it routes the E-mail message to the Exchange Online High Risk Delivery Pool, and so on.
When the E-mail message reaches its destination, there is a reasonable chance that the destination mail server will block the E-mail message because it was sent by the Exchange Online High Risk Delivery Pool or because it also sees the problematic content of the E-mail message.


Additional reading

High Risk Delivery Pool for Outbound Messages
Understanding outbound spam controls in Office 365

Internal \ outbound spam in Office 365 environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series

Introduction to the concept of internal \ outbound spam in general and in the Office 365 and Exchange Online environment

My E-mail appears as a spam | Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon: My E-mail appears as a spam!, possible factors causing our E-mail to appear as spam mail, the definition of internal \ outbound spam.

Internal spam in Office 365 | Introduction | Part 2#17
Review in general the term: internal \ outbound spam, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.

Internal spam in Office 365 | Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail, who or what are the elements that can decide that our mail is spam mail, and what are the possible reactions of the destination mail infrastructure that identifies our E-mail as spam\junk mail?


Commercial E-mail | Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365\Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction to the major causes for a scenario in which your organization's E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail

My E-mail appears as spam | The 7 major reasons | Part 6#17
Review three major reasons that could lead to a scenario in which E-mail sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. Problematic Website


Introduction to the subject of the SPF record in general and in the Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf.

Implementing SPF record | Part 8#17
The technical side of the SPF record: the structure of the SPF record, the way we create an SPF record, the required syntax for the SPF record in an Office 365 environment + mixed mail environment, how to verify the existence of an SPF record and so on.

Introduction to the subject of the Exchange Online High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.


High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of the Exchange Online High Risk Delivery Pool.

The troubleshooting path of an internal \ outbound spam scenario

My E-mail appears as spam | Troubleshooting path | Part 11#17
Troubleshooting scenario of internal \ outbound spam in the Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the other side.

My E-mail appears as spam | Troubleshooting Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering blacklist monitoring services, activating the option of Exchange Online outbound spam.

My E-mail appears as spam | Troubleshooting Mail server | Part 13#17
What is the meaning of: our mail server?, Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted!, How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that was saved to the junk mail.

My E-mail appears as spam | Troubleshooting Mail server | Part 15#17
Step B: Get information about your Exchange Online infrastructure, Step C: fetch the information about the Exchange Online IP address, Step D: verify if the formal Exchange Online IP address a


De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing with and avoiding internal spam | Best practices | Part 17#17
Provide a short checklist for all the steps and operations that relate to a scenario of internal \ outbound spam.
