Office 365 spam filter seems to have changed

Anonymous
2016-09-19T13:23:56+00:00

One of my customers who has been using 365 for a few years, says that in the last week or so, multiple users are getting lots of genuine email from customers being put in their Outlook spam folder. This is from multiple external customers to multiple internal users. And it's all started suddenly.

I am going on site tomorrow for other reasons but will check facts.

No 365 settings have changed (they do not have access).

The anti spam settings are probably default, and the SCL is set to 7.

Yes, they can add to safe senders list, but something has changed behind the scenes somewhere to affect multiple users.

The email headers do not show anything that may be causing this, so wonder if anything is altered behind the scenes or what I can do?

The header for below is reply to an email conversation which the user had multiple chats with, this is incoming reply to 365.  SPF all OK, no BCL/PCL and SCL below threshold - so why moved to junkmail?

Authentication-Results: spf=pass (sender IP is xxx)
 smtp.mailfrom=xxxx
 header.d=none;xxxxx; dmarc=bestguesspass action=none
 header.from=xxxxx; dkim=none (message not signed)
 header.d=none;
Received-SPF: Pass (protection.outlook.com: domain xxx designates
 xxx as permitted sender) receiver=protection.outlook.com;
 client-ip=xxxx; helo=xxx;
...
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 287d98bd-d4fc-4239-8088-abd9e933dc25:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:74.208.4.201;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;SFS:(8196002)(2980300002)(438002)(199003)(377454003)(189002)(71364002)(50126003)(19580395003)(19580405001)(18206015028)(93886004)(1600100001)(19627595001)(19617315012)(356003)(106466001)(345774005)(15975445007)(33646002)(92566002)(110756004)(81686999)(76176999)(73972006)(50986999)(8676002)(9686002)(10000500002)(54356999)(86362001)(17760045003)(84326002)(626004)(189998001)(110136002)(7846002)(107886002)(7906003)(7596002)(82202001)(22756006)(5660300001)(450100001)(104016004)(586003)(10126002)(33716001)(22730200002)(8896002)(10750500005)(22746007)(512874002)(2950100001)(11100500001)(4001520100001)(16601075003)(1096003)(7099028)(5001760100003)(2674002)(19222003)(50140200003);DIR:INB;SFP:;SCL:5;SRVR:VI1PR0701MB2413;H:mout.gmx.com;FPR:;SPF:Pass;A:1;MX:1;LANG:en;
X-MS-Office365-Filtering-Correlation-Id: c6068ac6-738f-44b4-22f0-08d3db09cc2d
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(8251501002)(71701004)(71702002);SRVR:VI1PR0701MB2413;
X-MS-Exchange-Organization-AVStamp-Service: 1.0
X-Exchange-Antispam-Report-Test: UriScan:(209352067349851)(158362468548515);
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415321)(9101531078)(601004)(2401047)(13016025)(13018025)(8121501046)(3002001)(10201501046);SRVR:VI1PR0701MB2413;BCL:0;PCL:0;RULEID:;SRVR:VI1PR0701MB2413;
X-MS-Exchange-Organization-SCL: 5
SpamDiagnosticOutput: 1:22
SpamDiagnosticMetadata: Default

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

13 answers

  1. Anonymous
    2016-09-19T14:29:03+00:00

    Hi Blue Snowman,

    As an admin, you can add the email sender's IP address to their connection filter IP Allow list by following the steps in “Use the EAC to edit the default connection filter policy” in Configure the connection filter policy.

    You can also add domains or individual senders to an allow list by following the steps in Configure your spam filter policies to check this issue.

    For your reference: Prevent false positive email marked as spam with a safelist or other techniques

    Let me know the result so that we can further assist you.

    Best regards,

    Shyamal

    6 people found this answer helpful.
  2. Anonymous
    2016-09-19T15:31:42+00:00

    Thank you, I am aware of that, but please see the original question. 365 has, in the last week or so, started to flag emails FROM multiple customers TO multiple internal users.

    These customers had been contacted and emailed previously.  They are multiple customers, multiple addresses, multiple domains, multiple IPs.  It is not possible to manually white list every customer or every customer domain.   We can't whitelist new and unknown customers.

    Also, even if I could, that is masking the new issue of this happening rather than understand and resolve the core issue - why this is now happening.

    According to my interpretation of the header posted, there is no reason why this email was flagged as spam - nothing in the header tells me why - and all the values I highlighted are below spam detection limits. So why was it flagged as spam?

    The link you posted is well known to me, and of no use to this question

    So I'm looking to find out WHY a particular email (or multiple ones) was filtered as spam - when the header suggests nothing was wrong with it.

    2 people found this answer helpful.
  3. Anonymous
    2016-09-19T20:46:12+00:00

    Hi Blue Snowman,

    Since the SCL value is 5, it’s an expected behavior that the message is marked as spam.

    Please refer to:

    https://technet.microsoft.com/en-us/library/jj200686(v=exchg.150).aspx

    And as sender’s IP is on the public block list, the message has a high SCL value.

    About “The anti spam settings are probably default, and the SCL is set to 7.”, this setting is for bulk emails, not for normal emails. And it’s BCL, not SCL. 1 marks the most bulk emails as spam and 9 allows the most bulk email to be delivered. You can refer to:

    https://technet.microsoft.com/en-us/library/dn759623(v=exchg.150).aspx

    To let the messages which have been marked as spam (SCL is 5 or higher) be delivered to the intended recipients, you can use the action Prepend subject line with text, then the message will be delivered to the intended recipients but prepends the subject line with the text that you specify in the Prefix subject line with this text input box.

    Thanks,

    Franky

  4. Anonymous
    2016-09-19T17:42:03+00:00

    Thanks for that.

    The email content validator, when fed with headers and content, gave a score of 0.5 "excellent".

    You are also correct, the sending IP is on a RBL - but it was from a @mail.com address, so pretty much outside of anyone's control, and whitelisting a sending IP is impossible as I'm sure @mail.com use multiple IPs!

    The one example I have to hand is that the 365 user and external user had multiple conversations, and only the odd one gets trapped as spam, and that's usually a reply. Signatures are the same in both.

    Hence it's a bit strange - and not knowing WHY is a pain.

    I will get my hands on other examples tomorrow and check it out.

  5. Anonymous
    2016-09-19T17:18:50+00:00

    Hello Blue Snowman,

    As per the header, SCL marked as 5 which means there is some reputation issue on the e-mail content. Check if you have any e-mail signature that contains URL. Verify the domain reputation specified on the URL on the below link; also verify your domain reputation on the below link

    Blacklist check

    I see that the connecting IP address on the header is blacklisted with an external RBL

    http://www.spamsources.fabel.dk/ip/74.208.4.20

    Unless the sending domain or IP is not blacklisted on Microsoft or Microsoft partner RBL, e-mail will not be marked as spam.

    Microsoft partner RBL (Real Time Blacklist)

    As a workaround you can white list the sender IP or domain on office 365, but analyzing the e-mail content and domain reputation issue will give the permanent fix.

    There are several online tools available to check e-mail content reputation, you may try the below to check the e-mail content reputation

    e-mail content validator

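
Added example, not part of the thread: a small Python parser for the X-Forefront-Antispam-Report header that the question and the answers above discuss, run on the header value from the question with the long SFS rule list shortened. The function names are hypothetical, the field meanings follow Microsoft's documented values for this header, and the threshold of 5 is the "SCL is 5 or higher" figure given in the answers.

```python
import re

# Field meanings as documented by Microsoft for X-Forefront-Antispam-Report.
SFV_MEANING = {
    "NSPM": "spam filtering judged the message not spam",
    "SPM": "spam filtering marked the message as spam",
    "SKS": "marked as spam before filtering (e.g. by a mail flow rule)",
    "SKN": "marked as non-spam before filtering (e.g. by a mail flow rule)",
    "SKA": "sender allowed by the tenant's spam filter policy",
    "SKB": "sender blocked by the tenant's spam filter policy",
    "SFE": "sender is in the recipient's Safe Senders list",
    "BLK": "sender is in the recipient's Blocked Senders list",
}
IPV_MEANING = {
    "NLI": "source IP not found on any IP reputation list",
    "CAL": "source IP is in the tenant's IP Allow list",
}

# Header value from the question, with the long SFS rule list shortened.
SAMPLE = ("CIP:74.208.4.201;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;"
          "SFS:(8196002)(2980300002)(438002);DIR:INB;SFP:;SCL:5;"
          "SRVR:VI1PR0701MB2413;H:mout.gmx.com;FPR:;SPF:Pass;A:1;MX:1;LANG:en;")

def parse_antispam_report(value):
    """Split 'KEY:VALUE;KEY:VALUE;...' into a dict; empty values are kept."""
    fields = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition(":")  # first colon only, so an IPv6 CIP survives
        if key:
            fields[key.upper()] = val.strip()
    # SFS is a run of parenthesised rule IDs: (123)(456)...
    fields["SFS"] = re.findall(r"\((\d+)\)", fields.get("SFS", ""))
    return fields

def explain(fields, spam_scl=5):
    """Summarise why a message was (or was not) treated as spam."""
    raw = fields.get("SCL", "")
    scl = int(raw) if raw.lstrip("-").isdigit() else None
    sfv = fields.get("SFV", "")
    return {
        "source_ip": fields.get("CIP"),
        "ip_verdict": IPV_MEANING.get(fields.get("IPV", ""), "not in this table"),
        "filter_verdict": SFV_MEANING.get(sfv, "not in this table"),
        "scl": scl,
        "treated_as_spam": scl is not None and scl >= spam_scl,
        "rules_matched": len(fields["SFS"]),
    }

if __name__ == "__main__":
    for name, value in explain(parse_antispam_report(SAMPLE)).items():
        print(f"{name}: {value}")
```

Reading SFV and SCL together with BCL/PCL from X-Microsoft-Antispam separates a content-filter verdict from a bulk-mail or policy decision when triaging false positives.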