My E-mail appears as spam | Troubleshooting - Mail server | Part 13#17 http://o365info.com/my-e-mail-appears-as-spam-troubleshooting-mail-server-part-13-17 What is the meaning of: “our mail server”? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him, that his mail server is blacklisted! How do we know that my mail server is blacklisted? The information is relevant for Office 365 and Exchange Online users but at the same time, most of the information is relevant to all the rest of mail systems. Eyal Doron | o365info.com
Page 1 of 22 | My E-mail appears as spam | Troubleshooting - Mail server | Part
13#17
Written by Eyal Doron | o365info.com
MY E-MAIL APPEARS AS SPAM |
TROUBLESHOOTING – MAIL SERVER |
PART 13#17
The current article and the next two articles:
My E-mail appears as spam | Troubleshooting – Mail
server | Part 14#17
My E-mail appears as spam | Troubleshooting – Mail
server | Part 15#17
are dedicated to the troubleshooting scenarios in
which the “element” that is blacklisted is not our domain
name but, instead, our mail server.
What is the meaning of: “our mail server”?
When we say “our mail server”, the term can refer to
two types of identities:
1. Mail server IP address
2. Mail server host name – the mail server host name can be
mapped to one or more IP addresses.
This distinction is important because, when we want to find
out whether our mail server appears on a blacklist, we need
to know the mail server host name and, in addition, the IP
address or addresses that are “mapped” to the mail server
host name.
For example: most of the websites that enable us to check
whether our mail server appears on a blacklist query the
blacklist provider’s database by using the mail server IP
address, not the mail server host name.
Mail server IP, host name and Exchange
Online
OK, now let’s make it even more complicated.
Q: In a scenario in which our mail infrastructure is hosted by
Exchange Online, is there a “dedicated Exchange Online mail
server” that represents our organization or our domain name?
A: In reality, there is no “dedicated Exchange Online server”
that is allocated only to our Office 365 tenant (our domain
name). Instead, there is a “logical Exchange Online server”
that is allocated or “attached” to our domain name.
The host name of this “logical Exchange Online server” is
published in our MX record.
Note – you can get information about your Exchange Online
host name by reading the article: My E-mail appears as spam
| Troubleshooting – Mail server | Part 15#17
Q: Does the “logical Exchange Online server” that represents
our domain name have a dedicated public IP address that is
assigned only to our organization?
A: The “logical Exchange Online host name” is “mapped” to, or
“represented” by, a public IP address. This IP address does
not “belong” only to our domain name; instead, it is shared
with other Office 365 tenants.
Or in other words: the same Exchange Online servers that
send out our E-mails also serve additional Office 365
customers.
A scenario in which our mail server will be blacklisted
Q: What are the chances of a scenario in which the “logical
Exchange Online server” that represents our domain name will
appear as blacklisted?
A: The chances are very, very low.
Q: Why do you think that the chances of a scenario in which
the “logical Exchange Online server” that represents our
domain name will appear on a blacklist are very low?
A: My answer is based on my experience and very simple logic:
the “logical Exchange Online server” that represents our
domain name represents, at the same time, hundreds of
thousands or even millions of users. The “Exchange Online
infrastructure” doesn’t have the “luxury” of being blacklisted.
Q: So, is there some chance that an Exchange Online server IP
address will appear as blacklisted?
A: There is a scenario in which an Exchange Online server
will appear as blacklisted, but this scenario applies only to
a special dedicated Exchange Online server pool named: High
Risk Delivery Pool.
In a scenario in which an E-mail message is sent via the
Exchange Online High Risk Delivery Pool and one of the
Exchange Online High Risk Delivery Pool servers appears on a
blacklist, the “problem” is not related to the specific
Exchange server from the “Exchange Online High Risk Delivery
Pool”.
The “root cause” is the “problematic E-mail message”, which
was identified by Exchange Online as spam\junk mail and, for
this reason, was routed via the Exchange Online High Risk
Delivery Pool.
Non-Exchange Online base mail infrastructure
Q: In a scenario in which the organization’s E-mail
infrastructure is not based on Office 365 and Exchange Online
servers, what are the chances that my mail server host name or
IP address will appear on a blacklist?
A: If your mail infrastructure is not based on Exchange
Online, or if you use a mixed mail infrastructure that
includes on-premises mail infrastructure + “cloud mail
infrastructure” (Exchange Online), there could be a scenario
in which your mail server (host name or IP address) will
appear as blacklisted.
One of our users got an NDR which informs
him, that his mail server is blacklisted!
In a “pure” Exchange Online environment (cloud only client)
there could be a scenario in which the Exchange Online server
IP address will appear as blacklisted, but in that case there
is certainly a chance that the IP address “belongs” to the
Exchange Online High Risk Delivery Pool.
In that scenario, my opinion is that there is no point in
investing time and energy in trying to remove the IP address
from the blacklist, for a very simple reason: the IP address
is not yours.
As an Office 365 customer, your domain name is represented
by the Exchange Online server and the Exchange Online server
IP address, but you don’t own this “IP address”.
This scenario is different from a scenario in which your
domain name is blacklisted because, in that case, you (your
organization) are the owner of the domain name.
In a scenario in which you are informed that “your mail server”
is blacklisted, 99% of the time the IP address probably
belongs to the Exchange Online High Risk Delivery Pool.
In this case, the most effective troubleshooting step is to
verify with your users what the special characteristics of the
E-mail message that they sent were, which “led” to the
scenario in which the E-mail message was identified as spam
by the Exchange Online infrastructure and, for this reason,
was routed via the Exchange Online High Risk Delivery Pool.
Q: What happens if I think that the blocked mail server IP
address is the legitimate Exchange Online IP address and not
the Exchange Online High Risk Delivery Pool?
A: The answer is very simple: get the public IP address that
represents your Exchange Online server and compare it to the
IP address that appears in the NDR message.
Q: If the IP address that appears in the NDR message is the
“formal IP address” of the Exchange Online server that
represents my domain name, what should I do?
A: The possibility of such a scenario is quite rare, but if this
scenario occurs, you should report this incident as soon as
possible to the Office 365 technical support team.
Q: If the IP address that appears in the NDR message is not
the “formal IP address” of the Exchange Online server that
represents my domain name, can I know what the source of this
IP address is?
A: There is a high chance that the IP address that appears in
the NDR message “belongs” to the IP range of the Exchange
Online High Risk Delivery Pool.
Q: Is there a formal article that describes the IP ranges of the
Exchange Online High Risk Delivery Pool?
A: No, there is not. There is an article named: Office 365 URLs
and IP address ranges that includes information about all the
IP address ranges that are used by Office 365 and Exchange
Online worldwide, but the information doesn’t include a
specific category for the IP ranges that are used by the
Exchange Online High Risk Delivery Pool.
Q: Is there a way or a method that will help me to understand
whether the IP address that appears in the NDR message
“belongs” to the Exchange Online High Risk Delivery Pool?
A: There is no formal way. The only “method” that we can use
to understand what the “source” of the IP address that
appears in the NDR message is, is elimination.
The logic of the “elimination process” is presented in the
following diagram:
In the first step, we compare the IP address that appears in
the NDR message (or in the message that was saved in the
junk folder of the destination recipient) to the “formal IP
address” of our Exchange Online server (the Exchange Online
server that represents our domain name).
If the IP address that appears in the NDR is not the “formal
Exchange Online IP address” of the Exchange Online server
that represents our domain, we can check whether the IP
address falls within the IP ranges that are used by Office 365
and Exchange Online, as listed in the article Office 365 URLs
and IP address ranges.
If the IP address appears as part of the Office 365 URLs and
IP address ranges, the logical answer is that the IP address
“belongs” to the Exchange Online High Risk Delivery Pool IP
ranges.
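The elimination steps described above, written out as an added Python example (it is not part of the original article). The NDR text, the “formal” addresses and the Office 365 ranges are constructed placeholders from the documentation address ranges; in practice the formal addresses come from your MX host name and the ranges from the Office 365 URLs and IP address ranges article.

```python
import ipaddress
import re

# Constructed sample data using documentation address ranges.
# Assumption: FORMAL_IPS holds the addresses your MX host name resolves to and
# OFFICE365_RANGES is copied from "Office 365 URLs and IP address ranges".
FORMAL_IPS = ["192.0.2.10", "192.0.2.11"]
OFFICE365_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:100::/48"]

# Constructed NDR diagnostic line; the blacklist name is a placeholder.
NDR_TEXT = ("554 5.7.1 Service unavailable; Client host [198.51.100.25] "
            "blocked using dnsbl.example.org")

IP_CANDIDATE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def extract_ips(ndr_text):
    """Return every valid IP literal written in [brackets] in the NDR text."""
    found = []
    for candidate in IP_CANDIDATE.findall(ndr_text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # bracketed text that is not an IP address
    return found


def classify(ip, formal_ips, office365_ranges):
    """Elimination: compare with the formal addresses, then the ranges."""
    ip = ipaddress.ip_address(str(ip))
    if ip in {ipaddress.ip_address(a) for a in formal_ips}:
        return "formal Exchange Online address"
    for cidr in office365_ranges:
        # An IPv4 address is never "in" an IPv6 network, and vice versa.
        if ip in ipaddress.ip_network(cidr):
            return "Office 365 range, probably High Risk Delivery Pool"
    return "not an Office 365 address"


def classify_ndr(ndr_text, formal_ips=FORMAL_IPS, ranges=OFFICE365_RANGES):
    """Map each IP address found in the NDR text to its elimination result."""
    return {str(ip): classify(ip, formal_ips, ranges)
            for ip in extract_ips(ndr_text)}


if __name__ == "__main__":
    for address, verdict in classify_ndr(NDR_TEXT).items():
        print(address, "->", verdict)
```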
Q: If the conclusion is that the IP address that appears in
the NDR message belongs to the Exchange Online High Risk
Delivery Pool IP ranges, what should I do?
A: You should understand that the “outcome”, in which the
E-mail message was sent via the Exchange Online High Risk
Delivery Pool, is the result of a scenario in which the E-mail
message was recognized by the Exchange Online infrastructure
as mail that has the potential to be classified as spam\junk
mail.
In that case, you should start to find out what was “included”
in the specific E-mail message content that led to this
problem.
How do we know that my mail server is
blacklisted?
As mentioned, the term “my E-mail appears as spam” can be
translated into two major types of scenarios:
Scenario 1 – your organization’s domain name appears as
blacklisted.
Scenario 2 – your mail server appears as blacklisted.
The current article and the next two articles deal with
“Scenario 2”, in which our mail server (Exchange Online or
another mail server) appears as blacklisted.
In case your next question is: how do I know that my mail
server is blacklisted?
There could be three possible answers to that question:
1. NDR message
A scenario in which one of your organization’s users reports
that he got an NDR when he sent an E-mail message to an
external recipient, and the NDR “informs him” that his mail
server is blacklisted.
2. Blacklist monitor service
If you use this type of service, the monitor service could
“capture” a scenario in which your mail server appears as
blacklisted. This scenario is more common when your mail
infrastructure is not based on the Exchange Online mail
infrastructure but, instead, on a “private” or on-premises
mail infrastructure.
3. An external recipient reports that our mail was saved in
his junk mail folder and sends us a copy of the original
E-mail message.
This scenario is the “less obvious” or “less easy” one to
troubleshoot, for two main reasons:
Reason 1 – the only way for us to know about the problem in
which our organization’s E-mail appears as spam\junk mail is
if the destination recipient “bothers” to inform us.
If the destination recipient didn’t notice that our E-mail
was saved in his junk mail folder, or if he wasn’t “kind”
enough to inform us, we would not know about this problem.
Reason 2 – when an E-mail message is “sent” to the user’s
junk mail folder, there is no detailed description that
“explains” the reasons for classifying the E-mail message as
spam\junk mail.
In other words: we can never know whether the reason for
identifying the E-mail message as spam\junk mail was related
to the E-mail message content, our domain name, our mail
server, etc.
In this case, the only option that we can use is reasoning and
elimination.
For example: if we suspect that the problem is related to our
mail server IP address, or to a scenario in which the E-mail
message was sent by using the Exchange Online High Risk
Delivery Pool, the option that we have is to ask the
destination recipient to send us a copy of the E-mail
message.
When we get the required copy of the E-mail, we analyze the
E-mail message header, find the IP address of the Exchange
Online server that sent out the message and verify whether
the IP address that appears is our “formal Exchange Online IP
address” or another IP address.
How do I “fetch” the IP address of the
Exchange Online mail server?
The way that we get the IP address of the Exchange Online
server that sent the E-mail message to the external recipient
depends on the specific scenario.
Case 1 – NDR message
An NDR message that is sent by the destination mail server as
a “reply” to our Office 365 users.
In this scenario, we “fetch” the required information from
the “NDR reply” that was created by the mail server that
rejected the E-mail message.
Case 2 – the destination recipient reports that our mail was
saved in his junk mail folder.
The external recipient informs us that our mail was sent to
his junk mail folder.
The way to get the required information about the Exchange
Online server IP address is by using the information that
appears in the E-mail message header.
The E-mail message header includes “documentation” of the
mail flow and, by reading the information that appears in the
E-mail message header, we can implement a “reverse
engineering” process that will “reveal” the IP address of the
Exchange Online server that sent out the E-mail message.
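The header “reverse engineering” described above, as an added Python example (it is not part of the original article): it reads the Received headers of a constructed sample message and returns the IP address of the server that handed the message over to the recipient’s side. It assumes the recipient’s mail servers carry the recipient’s domain suffix, and it relies only on the handover header written by the recipient’s own server, because headers added earlier are written by the sending side.

```python
import email
import ipaddress
import re

# Constructed sample message: every host name and address is a placeholder.
RAW_MESSAGE = """\
Received: from mbx01.recipient.example (10.1.2.3) by mbx02.recipient.example
 (10.1.2.4) with Microsoft SMTP Server id 15.1; Tue, 5 Jan 2016 10:00:03 +0000
Received: from mail-out.provider.example (mail-out.provider.example
 [198.51.100.25]) by mx1.recipient.example with ESMTPS id abc123;
 Tue, 5 Jan 2016 10:00:02 +0000
Received: from internal.sender.example (10.20.30.40) by edge.sender.example
 (10.20.30.41) with Microsoft SMTP Server id 15.1; Tue, 5 Jan 2016 10:00:00 +0000
From: user@sender.example
To: partner@recipient.example
Subject: Quarterly report

Message body.
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.IGNORECASE)


def first_ip(text):
    """Return the first valid IP literal in a Received 'from (...)' comment."""
    for token in text.replace("[", " ").replace("]", " ").split():
        token = re.sub(r"(?i)^ipv6:", "", token)  # some servers tag IPv6 literals
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue  # a host name or other text, not an address
    return None


def received_hops(raw_message):
    """Return (from_host, from_ip, by_host) per Received header, newest first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP.search(" ".join(value.split()))  # unfold the header
        if match:
            from_host, detail, by_host = match.groups()
            hops.append((from_host.lower(), first_ip(detail), by_host.lower()))
    return hops


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def sending_server_ip(raw_message, recipient_domain):
    """IP of the external server that handed the message to the recipient side."""
    for from_host, from_ip, by_host in received_hops(raw_message):
        handover = in_domain(by_host, recipient_domain) and not in_domain(
            from_host, recipient_domain)
        if handover and from_ip:
            return from_ip
    return None


if __name__ == "__main__":
    print(sending_server_ip(RAW_MESSAGE, "recipient.example"))
```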
In the next article – My E-mail appears as spam |
Troubleshooting – Mail server | Part 14#17, we will learn how
to get the required information about our Exchange Online
mail server.
Internal \ outbound spam in Office 365
environment | Article series index
A quick reference for the article series
My E-mail appears as a spam | Article
series index | Part 0#17
The article index of the complete
article series
Introduction to the concept of internal \ outbound spam in general
and in Office 365 and Exchange Online environment
My E-mail appears as a spam –
Introduction | Office 365 | Part 1#17
The psychological profile of the
phenomenon: “My E-mail appears as
a spam!”, possible factors that cause
our E-mail to appear as “spam mail”,
the definition of internal \ outbound
spam.
Internal spam in Office 365 –
Introduction | Part 2#17
Review in general the term “internal \
outbound spam”, misconceptions
that relate to this term, the risks that
are involved in this scenario,
outbound spam E-mail policy and
more.
Internal spam in Office 365 –
Introduction | Part 3#17
What are the possible reasons that
could cause our mail to appear as
spam\junk mail? Who or what are the
“elements” that can decide that our
mail is spam mail? What are the
possible “reactions” of the destination
mail infrastructure that identifies our
E-mail as spam\junk mail?
Commercial E-mail – Using the right
tools | Office 365 | Part 4#17
What is commercial E-mail?
Commercial E-mail as part of the
business process. Why do I think that
Office 365\ Exchange Online is
unsuitable for the purpose of
commercial E-mail?
Introduction to the major causes for a scenario in which your
organization E-mail appears as spam
My E-mail appears as spam | The 7
major reasons | Part 5#17
Review three major reasons that
could lead to a scenario in which
E-mail that is sent from our
organization is identified as spam mail:
1. E-mail content, 2. Violation of the
SMTP standards, 3. Bulk\Mass mail
My E-mail appears as spam | The 7
major reasons | Part 6#17
Review three major reasons that
could lead to a scenario in which
E-mail that is sent from our
organization is identified as spam mail:
4. False positive, 5. User Desktop
malware, 6. “Problematic” Website
Introduction to the subject of the SPF record in general and in
the Office 365 environment
What is SPF record good for? | Part
7#17
The purpose of the SPF record and its
relation to our mail infrastructure.
How does the SPF record enable us to
prevent a scenario in which hostile
elements could send E-mail on our
behalf.
Implementing SPF record | Part 8#17
The “technical side” of the SPF record:
the structure of the SPF record, the way
that we create an SPF record, what is the
required syntax for the SPF record in
an Office 365 environment + mixed mail
environment, how to verify the
existence of the SPF record and so on.
Introduction to the subject of Exchange Online - High Risk Delivery
Pool
High Risk Delivery Pool and Exchange
Online | Part 9#17
How Office 365 (Exchange Online)
handles a scenario of internal \
outbound spam with the help of
the Exchange Online High Risk
Delivery Pool.
High Risk Delivery Pool and Exchange
Online | Part 10#17
The second article about the subject
of Exchange Online- High Risk
Delivery Pool.
The troubleshooting path of internal \ outbound spam scenario
My E-mail appears as spam –
Troubleshooting path | Part 11#17
Troubleshooting scenario of internal \
outbound spam in Office 365 and
Exchange Online environment.
Verifying if our domain name is
blacklisted, verifying if the problem is
related to E-mail content, verifying if
the problem is related to a specific
organization user E-mail address,
moving the troubleshooting process
to the “other side”.
My E-mail appears as spam |
Troubleshooting – Domain name and
E-mail content | Part 12#17
Verify if our domain name appears as
blacklisted, verify if the problem
relates to a specific E-mail message
content, registering blacklist
monitoring services, activating the
option of Exchange Online outbound
spam.
My E-mail appears as spam |
Troubleshooting – Mail server | Part
13#17
What is the meaning of: “our mail
server”?, Mail server IP, host name
and Exchange Online. One of our
users got an NDR which informs him,
that his mail server is blacklisted!,
How do we know that my mail server
is blacklisted?
My E-mail appears as spam |
Troubleshooting – Mail server | Part
14#17
The troubleshooting path logic. Get
the information from the E-mail
message that was identified as
spam\NDR. Forwarding a copy of the
NDR message or the message that
saved to the junk mail
My E-mail appears as spam |
Troubleshooting – Mail server | Part
15#17
Step B – Get information about your
Exchange Online infrastructure, Step
C – fetch the information about the
Exchange Online IP address, Step D –
verify if the “formal” Exchange Online
IP address a
De-list your organization from a
blacklist | My E-mail appears as spam
| Part 16#17
Review the characteristics of a scenario in
which your organization appears as
blacklisted. The steps and the
operations that need to be
implemented to de-list your
organization from a blacklist.
Summary and recap of the troubleshooting and best practices in a
scenario of internal \ outbound spam
Dealing and avoiding internal spam |
Best practices | Part 17#17
Provides a short checklist of all the
steps and the operations that relate
to a scenario of internal \ outbound
spam.