Let’s speak openly and honestly about the default settings for Office 365 SPAM protection. They suck. Out of the box Office 365 is more likely to help you pick out which safe to buy to house all the money that the Nigerian prince is going to send you instead of letting you know it’s a scam. There is hope though, Office 365’s SPAM / Virus protection can be taught some new tricks to help give your users a fighting chance.
E pluribus unum
This post is the first of what will be an ongoing series about protecting the users in your tenant from SPAM and viruses. This is a controversial topic, and as with nearly any topic involving IT there will be differing opinions. I can promise that 50% of you will think these tips don’t go far enough and the other 50% will think I’m being too paranoid. These tips are grounded in my reality of managing multiple Office 365 tenants across clients spanning the gamut of industries. Certainly if your tenant has unique requirements then some of these tips will need to be modified to suit your specific needs. Please feel free to reach out to me for help making these modifications.
Where and What
We’ll be walking through creating new rules and modifying the built-in protections to bolster your protection from SPAM and viruses. For all these changes you’ll want to sign in to your exchange control panel @ outlook.office365.com/ecp and then focus your attention to the Mail Flow and Protection tabs on the right hand side. First it’s important to understand a couple of key concepts / terms in regards to Office 365’s Exchange Online module.
Exchange Online – The email component of the Office 365 online suite.
EOP – Exchange Online Protection, the brain behind the SPAM / Virus protection in Office 365.
EAC – Exchange Admin Console, the central control panel where tenant administrators can modify a wide array of Exchange Online settings including SPAM filtration.
SCL – SPAM Confidence Level is a measurement of how confident Office 365 is that a message is SPAM. The values are either -1,0,1,5,6,9, or 10.
-1 is reserved for mail that is coming a known safe sender so it was not scanned or evaluated, -1 messages are delivered to the user’s inbox.
0, and 1 SCLs are for messages that came from a non-known safe sender but passed scanning and evaluation. 0, and 1 SCL messages are delivered to the user’s inbox.
5 and 6 SCLs are messages thought to be SPAM and will be delivered to the user’s Junk Email folder in Outlook / Outlook Web access.
9 indicates the SCL of a message that is almost certainly SPAM, by default this message is still sent to the user’s Junk Email folder in Outlook / Outlook Web access.
Junk Email Folder – This is a system generated folder present in all mailboxes. Users can see the contents of this folder in real time without having to wait for a quarantine report.
Quarantine – Quarantine in Office 365 holds messages that were of high SCL or were placed there due to a Mail Flow rule created by the tenant administrators.
Like Paul Revere But For SPAM
You’ll find the Content Filter on the Protection tab inside the Exchange Admin Console. The first change we’ll make is to enable daily quarantine reports for users. By default users receive no notification if a message of theirs is sent to Quarantine, this doesn’t matter much because by default Office 365 sends almost all messages to the user’s Junk Email folder. However, we'll want to enable these alerts because we're going to start making changes which will send some SPAM content to Quarantine instead of Junk Email. After clicking on the Content Filter tab you’ll want to click on the Configure end-user spam notifications link and configure the options as shown below. Sadly you cannot set the time of day that these notifications are sent.
Being Content With Your Content settings
With quarantine alerts enabled it’s time to modify what Office 365 considers SPAM. While still on the Content Filter tab you’ll want to edit the Default policy to match the settings below.
The biggest changes are that we’re going to send messages with a SCL of 9 to Quarantine and not the user’s Junk Email Folder while lowering the threshold for what EOP will consider to be SPAM from 7 to 5.
To protect against international SPAM we’re going to block all languages and countries of origin not applicable to your business, for me this is everything not in English or Spanish and not from North American countries (Pro tip: after clicking one country / language you can use ctrl + a to select the rest and then ctrl click the ones you want to de select).
We’ve also tweaked the SPF and DKIM filters to catch messages that fail these tests which help prevent phishing emails.
Since we’ve started sending mail to Quarantine it’s important that you know how to release messages as needed. There are two ways to release email from Quarantine. First, users can click release messages from quaratine by clicking the Release to Inbox link on their daily Quarantine reports. Secondly, administrators can release the message manually from the Quarantine heading under the Protection tab of the EAC. At this time Office 365 does not have an end-user accessible quarantine outside of the daily reports.
The End of the Chapter, Not the Book
So that’s round 1, as time goes on I’ll be sure to pass on other tips and tricks to beef up the SPAM filtering power of Office 365 and EOP. As always if you have any questions about this post, requests for future topics, or pure vitriol please leave a comment below or use the contact form on the right side of the page.
