What do you do to beef up spam filtering for O365?

thecomputerguy

Well-Known Member
I have a few clients on O365 and apparently I must be doing something wrong because I get WAY too many emails from them asking me if this email, or that email, is spam.

Basically the accounts are just completely green O365 accounts with whatever default spam filtering is put in place for a new O365 account.

What can I do to beef up some of the spam filtering so they stop getting spam emails and then emailing me spam emails asking about whether xyz email is spam....
 
Office 365 has 2x levels of SPAM filtering..the default level, which comes on all hosted versions up to E3....and you can add an "enhanced threat protection" service for an additional cost. This enhanced threat protection comes with the E5 package.
https://products.office.com/en-us/exchange/online-email-threat-protection

Office 365's native EOP works pretty good out of the box. It works very well if you tweak it properly. It needs to be customized and given time to "learn" the users. It seems 99% of people fail to customize it. You DO have options such as tweaking the Spam Confidence Level (SCL) and custom transport rules.
https://support.office.com/en-us/ar...otection-6a601501-a6a8-4559-b2e7-56b59c96a586

There are lots of guides out there to help out tweaking O365's EOP...I highly suggest reading them.

Going way back in time, most of our ~300 business clients had on-prem Exchange servers. We used to do spam filtering for them ahead of the client's Exchange server....going way back I had many clients on AppRiver's SecureTide, and then we got our own spam appliance...SpamTitan...that we host here at our office. All clients' MX records pointed to us and then we create a connector that shoots out the clean mail to the client's static IP address...through port 25 on the edge device (which you set to allow only inbound traffic from our IP range)...and ultimately to their Exchange server.

We do allow others to resell our SpamTitan filtering services if interested....I have a few other IT guys using it for their clients.

As we had clients start migrating to Office 365 we just adjusted the outbound connector for their domain to go to O365's SMTP. But..we found it's not really needed....as O365's works well enough. Ultimately I don't like 2x black holes to chase down missing e-mail.
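The post above describes the "filter in front of O365" layout: MX points at the filter, the filter's connector relays clean mail to O365's SMTP, and the on-prem edge device only accepts port 25 from the filter's IP range. The O365-side equivalent of that edge rule is a restricted inbound connector, so senders cannot skip the filter by delivering straight to the tenant's MX host. This is an added example, not code from the thread or from SpamTitan; it assumes the ExchangeOnlineManagement module, and the IP ranges are placeholders for the filter's outbound addresses.

```powershell
# Added example (not from the thread): restrict Office 365 inbound mail
# for the tenant's domains to the spam filter's IP addresses.
# Assumed placeholders: 203.0.113.10/32 and 203.0.113.11/32 stand in for
# the filter appliance's outbound IPs.
Connect-ExchangeOnline

$filterIps = @('203.0.113.10/32', '203.0.113.11/32')   # assumed placeholder ranges

# Partner connector: mail from these IPs is treated as arriving via the filter.
# With RestrictDomainsToIPAddresses, mail for the listed sender domains
# ('*' = any domain) that does NOT arrive from these IPs is rejected, which
# closes the "deliver directly to the O365 MX host" bypass.
New-InboundConnector -Name 'Inbound from spam filter' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $filterIps `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# Verify: Enabled and the restriction flag are the two properties to check.
Get-InboundConnector -Identity 'Inbound from spam filter' |
    Format-List Name, Enabled, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
```

The connector should only be created once the MX records already point at the filter; created earlier, it rejects legitimate mail that still arrives directly. The filter's IP list has to be kept in sync with the appliance, which is the "second black hole" cost the post mentions.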
 
We've found lately that some users were getting most of their emails delivered to their junk mail folder even after marking email as not junk and trusting the sender.
 
I have one customer using SpamHero, but they're a pretty lightweight user and until last month had a very hands-on office manager.

It has some nice features (completely block regions of the world, mark some regions to delay mail by 2 hours then rescan to catch emergent spam/malware, etc) and the pricing's pretty hard to beat. I believe it can be white-labeled if you want to resell it as well.
 
If you need extra spam filtering check out Securence, http://www.securence.com. Works with Office 365. Every spam filtering solution requires a bit of tweaking to get it working just right. When you have enough clients it's a day-to-day thing, especially when it comes to certain types of businesses where they email or receive lots of documents or information regarding wire transfers or other personal info... lots of things get caught in filters with those types of keywords.
 
What about the other options on the list:

Empty messages:
When this setting is enabled, any message in which the body and subject line are both empty, and which also has no attachment, will be marked as spam.

JavaScript or VBScript in HTML:
When this setting is enabled, any message that uses JavaScript or Visual Basic Script Edition in HTML will be marked as spam.

Frame or IFrame tags in HTML:
When this setting is enabled, any message that contains the "Frame" or "IFrame" HTML tag will be marked as spam. These tags are used on websites or in HTML messages to format the page for displaying text or graphics.

Object tags in HTML:
When this setting is enabled, any message that contains the "Object" HTML tag will be marked as spam. This HTML tag allows plug-ins or applications to run in an HTML window.

Embed tags in HTML:
When this setting is enabled, any message that contains the "Embed" HTML tag will be marked as spam. This HTML tag allows varying data types to be embedded into an HTML document. Examples include sounds, movies, or pictures.

Form tags in HTML:
When this setting is enabled, any message that contains the "Form" HTML tag will be marked as spam. This HTML tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.

Web bugs in HTML:
When you enable this setting, any message that contains a web bug is marked as spam. A web bug is an object that’s embedded in a web page or email message. It’s designed to determine whether a user has viewed the page or message.

Apply sensitive word list:
When this setting is enabled, any message that contains a word that's included in the sensitive word list will be marked as spam.

SPF record: hard fail:
When this setting is enabled, messages that hard fail an SPF check will be marked as spam (SPF filtering is always performed). Turning this setting on is recommended for organizations who are concerned about receiving phishing messages. (In order to avoid false positives for messages sent from your company, make sure that the SPF record is correctly configured for your domains.)

Conditional Sender ID filtering: hard fail:
When this setting is enabled, any message that hard fails a conditional Sender ID check is marked as spam. Turning this setting on is recommended for organizations who are concerned about phishing, especially if their own users are being spoofed. This option combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders.

NDR backscatter:
 
> What about the other options on the list:

The rest of those on that page are pretty self explanatory and of little value, IMO. Thus, being of little value..and likely resulting in just a TON of calls from clients complaining that legit e-mail is being junked...I leave those default.

The rest of the meat of things that I change in EOP is in the settings of the spam filter itself...SCL settings (you can adjust those numbers), and bulk mail filtering has a few different options.

https://blogs.msdn.microsoft.com/tz...ugh-office-365-and-what-can-be-done-about-it/

https://support.office.com/en-us/ar...cc8-af2e-5029a9433d59?ui=en-US&rs=en-US&ad=US
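The advice in the two posts above boils down to: adjust the SCL actions and bulk-mail threshold on the spam filter policy, consider SPF hard fail, and leave the other advanced options at their defaults. The following script puts that into Exchange Online PowerShell as an added example; it is not code from the thread or from Microsoft's guides. It assumes the ExchangeOnlineManagement module and that the policy being edited is the tenant's `Default` content filter policy.

```powershell
# Added example (not from the thread): tune the default EOP content filter
# policy along the lines of the advice above. Assumes the
# ExchangeOnlineManagement module and the policy named 'Default'.
Connect-ExchangeOnline

# Look before changing anything: every "advanced option" on the list maps to
# a MarkAsSpam* parameter on this policy object.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                BulkSpamAction, BulkThreshold, MarkAsSpam*

$params = @{
    Identity                    = 'Default'
    # SCL-driven actions: ordinary spam goes to Junk (the user can recover it
    # and train the filter), high-confidence spam and phish go to quarantine.
    SpamAction                  = 'MoveToJmf'
    HighConfidenceSpamAction    = 'Quarantine'
    PhishSpamAction             = 'Quarantine'
    # Bulk (graymail) threshold: BCL 1-9, lower = more aggressive. 6 is the
    # middle setting; raise it if wanted newsletters start landing in Junk.
    BulkSpamAction              = 'MoveToJmf'
    BulkThreshold               = 6
    # SPF hard fail is the one advanced option the posts treat as worth
    # considering. 'Test' stamps an X-CustomSpam header instead of acting,
    # so false positives can be measured before flipping it to 'On'.
    MarkAsSpamSpfRecordHardFail = 'Test'
    TestModeAction              = 'AddXHeader'
    # The remaining advanced options stay Off, as the post above recommends.
    MarkAsSpamNdrBackscatter    = 'Off'
    MarkAsSpamEmptyMessages     = 'Off'
    MarkAsSpamJavaScriptInHtml  = 'Off'
    MarkAsSpamFramesInHtml      = 'Off'
    MarkAsSpamObjectTagsInHtml  = 'Off'
    MarkAsSpamEmbedTagsInHtml   = 'Off'
    MarkAsSpamFormTagsInHtml    = 'Off'
    MarkAsSpamWebBugsInHtml     = 'Off'
    MarkAsSpamSensitiveWordList = 'Off'
}
Set-HostedContentFilterPolicy @params

# Confirm the change took.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, BulkThreshold,
                MarkAsSpamSpfRecordHardFail, TestModeAction
```

Running SPF hard fail in `Test` mode for a few weeks and searching delivered mail for the `X-CustomSpam` header shows exactly which legitimate senders have broken SPF records before any of them get junked, which is the complaint-volume problem the thread keeps coming back to.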
 
My clients on O365 rarely complain about spam. If they do, it is often just some legitimate mailing lists that they need to unsubscribe from. We do, however, get a lot of phishing scams. They are often highly targeted. At one client I had to implement a rule in EAC that adds a (EXTERNAL) tag to the subject line of any external emails as they kept getting hit with typosquatting scams. Just blocking similar domain names helped in that regard as well.
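The two controls described above (an "(EXTERNAL)" subject tag for outside mail and a block on look-alike domains) are mail flow rules in the EAC. Below is the same pair written as Exchange Online PowerShell, added here as an example and not taken from the poster's tenant; the look-alike domain list is a constructed placeholder for `contoso.com`, and the module assumed is ExchangeOnlineManagement.

```powershell
# Added example (not from the thread): the two mail flow rules the post above
# describes, as cmdlets rather than EAC clicks. Domains are placeholders.
Connect-ExchangeOnline

# 1. Prepend "(EXTERNAL)" to the subject of any message that originates
#    outside the organization and is addressed to an internal recipient.
#    The exception stops long reply chains from collecting repeated tags.
New-TransportRule -Name 'Tag external mail' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectContainsWords '(EXTERNAL)' `
    -PrependSubject '(EXTERNAL) '

# 2. Quarantine mail from look-alike domains already seen in phishing against
#    this tenant. Constructed placeholder list for a company at contoso.com.
$lookalikes = @('c0ntoso.com', 'contoso-inc.com', 'contos0.com')
New-TransportRule -Name 'Quarantine look-alike sender domains' `
    -Priority 1 `
    -SenderDomainIs $lookalikes `
    -Quarantine $true `
    -SetAuditSeverity High

# Review: state and priority of every rule in the tenant.
Get-TransportRule | Format-Table Name, Priority, State
```

Quarantining rather than deleting keeps the messages available for review, and the high audit severity makes the rule's hits stand out in the mail flow reports, which is how to tell whether a typo-domain campaign is still active.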
 
> My clients on O365 rarely complain about spam. If they do, it is often just some legitimate mailing lists that they need to unsubscribe from. We do, however, get a lot of phishing scams. They are often highly targeted. At one client I had to implement a rule in EAC that adds a (EXTERNAL) tag to the subject line of any external emails as they kept getting hit with typosquatting scams. Just blocking similar domain names helped in that regard as well.

The SPF Hard Fail can help with that.
I don't do the full enforcement of SPF...sadly way too many legit places don't set up their SPF...so if you flip on that setting your phone will never..ever..stop ringing from clients complaining that the spam filter is blocking too much.

DMARC and DKIM are two things that are evolving to take over as the main spoofing prevention....becoming more effective than SPF. Probably something I'll completely switch my clients over towards the end of this year.
 
> The rest of those on that page are pretty self explanatory and of little value, IMO. Thus, being of little value..and likely resulting in just a TON of calls from clients complaining that legit e-mail is being junked...I leave those default.
>
> The rest of the meat of things that I change in EOP is in the settings of the spam filter itself...SCL settings (you can adjust those numbers), and bulk mail filtering has a few different options.
>
> https://blogs.msdn.microsoft.com/tz...ugh-office-365-and-what-can-be-done-about-it/
>
> https://support.office.com/en-us/ar...cc8-af2e-5029a9433d59?ui=en-US&rs=en-US&ad=US
Yep. It's what I figured you'd say. And I tend to agree.
 
> DMARC and DKIM are two things that are evolving to take over as the main spoofing prevention....becoming more effective than SPF. Probably something I'll completely switch my clients over towards the end of this year.
This. If I ever get a free moment I'll get it setup on my own systems and my clients. Keeps getting pushed back. :(
 
> The SPF Hard Fail can help with that.
> I don't do the full enforcement of SPF...sadly way too many legit places don't set up their SPF...so if you flip on that setting your phone will never..ever..stop ringing from clients complaining that the spam filter is blocking too much.
>
> DMARC and DKIM are two things that are evolving to take over as the main spoofing prevention....becoming more effective than SPF. Probably something I'll completely switch my clients over towards the end of this year.
Good to know DMARC and DKIM are helping with this. The targeted phishing scams are often rather scary. Had a client who got so close to pulling the trigger on wiring a very large sum of money before even contacting me to see if something was up. Must have gone through 4 employees before someone got spooked. Turned out to be a typo-domain, which I picked up on right away.

I agree about the SPF conversation here, there are just too many legitimate but ill-configured mailservers to be able to tick that box :)
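Several posts above point at DKIM and DMARC as the spoofing controls to move clients onto, while noting that SPF hard fail bites because so many legitimate senders have bad SPF records. The script below, added as an example and not part of the thread, does the two things that involves on an Office 365 tenant: turning on DKIM signing for a domain, and checking from public DNS what receivers will actually see for SPF, DKIM and DMARC (including whether the DMARC policy is enforcing or only reporting). It goes slightly beyond the posts by including the DNS check, which is also how to assess a partner's domain before trusting SPF results from it. It assumes the ExchangeOnlineManagement module, the Windows `Resolve-DnsName` cmdlet, and `contoso.com` as a placeholder domain.

```powershell
# Added example (not from the thread): enable DKIM signing for a tenant
# domain and verify SPF/DKIM/DMARC from public DNS.
# Assumed placeholder: contoso.com. Requires ExchangeOnlineManagement and
# the Windows DnsClient module (Resolve-DnsName).
Connect-ExchangeOnline

$domain = 'contoso.com'   # assumed placeholder

# Step 1: Office 365 signs outbound mail only once two selector CNAMEs exist in
# public DNS. Read the targets it expects, publish them at the DNS host, then
# enable signing. A domain with no signing config yet gets one created first.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false
}
"Publish these CNAME records:"
"  selector1._domainkey.$domain  CNAME  $($dkim.Selector1CNAME)"
"  selector2._domainkey.$domain  CNAME  $($dkim.Selector2CNAME)"
# ...once both CNAMEs resolve:
Set-DkimSigningConfig -Identity $domain -Enabled $true

# Step 2: check what a receiving server sees. Works for any domain, so it
# also answers "is this partner's SPF record sane?" before relying on it.
function Get-MailAuthRecords {
    param([string]$Domain)

    $spfRecord = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=spf1*' } |
        Select-Object -First 1
    $dmarcRecord = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $dkimCname = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
        Select-Object -First 1

    $spf   = if ($spfRecord)   { $spfRecord.Strings -join '' }   else { $null }
    $dmarc = if ($dmarcRecord) { $dmarcRecord.Strings -join '' } else { $null }

    [pscustomobject]@{
        Domain        = $Domain
        SPF           = $spf
        # '-all' is a hard fail record; '~all' (soft fail) never trips the
        # SPF hard-fail option, which is part of why that option is noisy.
        SPFHardFail   = [bool]($spf -match '-all\s*$')
        DKIMSelector1 = if ($dkimCname) { $dkimCname.NameHost } else { $null }
        DMARC         = $dmarc
        # p=none only reports; spoofed mail is still delivered.
        DMARCEnforced = [bool]($dmarc -match 'p=(quarantine|reject)')
    }
}

Get-MailAuthRecords -Domain $domain | Format-List
```

A DMARC record of the form `v=DMARC1; p=none; rua=mailto:dmarc-reports@contoso.com` (placeholder mailbox) is the usual starting point: it produces aggregate reports showing which sources send as the domain without changing delivery, and the policy is moved to `quarantine` or `reject` once every legitimate sender is covered by SPF or DKIM. That staged rollout is what avoids the "phone never stops ringing" outcome described for SPF hard fail.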
 