Recently, in Office 365 we introduced two new features in our Forefront Online Protection for Exchange product (FOPE). I refer to this as FOPE 14 because the service runs on Exchange version 14. This is our older service, all of our customers are either migrated or will be migrated to Exchange Online Protection. I refer to this as EOP 15 because the service runs on Exchange version 15.
Below is a description of both. 1. An Additional Spam Filtering (ASF) rule for marking Bulk email as spam
Below is a description of both.
1. An Additional Spam Filtering (ASF) rule for marking Bulk email as spam
Our existing FOPE 14 customers now have the ability to mark Bulk email as spam using ASF rules (our EOP customers already has this setting). Before we released this feature, the FOPE service would mark messages as bulk by stamping SRV:BULK in the X-Forefront-Antispam-Report header, and then customers could mark them as spam by creating a rule on their local on-premise email server (an ETR in Exchange, or the equivalent for software like Postfix, Sendmail, etc). The process for that is described here:
Bulk Mail Filtering in FOPE
While this works, it is counterintuitive to customers to use the FOPE Admin Center for managing their spam filter options and then have to do an additional step on their local mail server.
The change for FOPE 14 is that marking bulk messages as spam is now an option in the Admin Center. By enabling this option, all email with SRV:BULK in the headers will be marked as spam:
There is no Test mode for this rule because all bulk email is already stamped with SRV:BULK. This acts as a de facto Test mode. To see what this rule would mark as spam, simply look for this header with this value.
Some notes about this rule:
a) Integration with the rest of the spam filter
This ASF rule acts like any other rule. If a user has configured safe senders for a specific sender and syncs their safe senders list to FOPE, and email arrives from that sender and is marked as Bulk, and this ASF rule is enabled, the spam filter respects the safe sender and the message will be delivered to the user’s inbox.
Respecting safe senders is a big improvement as long as the lists are sync’ed to FOPE .
b) Migration of the setting
This ASF rule is Off by default in FOPE. However, the ASF rule already exists in EOP and it is On by default for new customers. In other words, if you are an existing customer in FOPE, this feature will now appear in your ASF rules but it will be Off. If you are a brand new customer of ours and you sign up for EOP, this ASF rule will be On.
As a FOPE 14 customer, when you are migrated to EOP, this setting will be migrated as well. If it is Off in FOPE it will be Off when it is migrated to EOP. If it is On in FOPE, it will be migrated as On in EOP.
c) Detection capabilities
The mechanism of Bulk Email detection is the same in FOPE as in EOP. One is not better than the other.
Some customers find our bulk email detection too conservative, in a future post I will explain how to expand this detection capability in EOP.
That is the first change we made in FOPE spam filtering this past summer.
2. Expansion of URL filtering
One of the mechanisms that we use in our spam filters is examining the content of the message, extracting the URLs and then checking them against a 3rd party URL list. If it matches, we increase the spam score of the message. At the end of the filtering pipeline, if the spam score is greater than the threshold, the message is marked as spam.
The greater the number of URL lists we use, the wider the coverage of malicious URLs. While our spam rules engine looks for other spammy characteristics within messages (headers, subject line and body content), spammy URLs provides an additional layer of protection. In general, the more URL lists the better. A URL can catch a spam with short, non-sensical body content and a link to a spammy web site better than regular expressions do (in some circumstances).
In the FOPE service, we use the following lists:
EOP already used the latter two lists. But what changed even in EOP is that the number of total unique URLs greatly increased so that we now use a much larger overall total of each of the lists. Both environments now use the same lists. However, at present we do not indicate in the message itself what URL is on each list in the case that a message is marked as spam because it contains a URL on one of these three lists. That’s the second change we made to the FOPE service this past summer.
EOP already used the latter two lists. But what changed even in EOP is that the number of total unique URLs greatly increased so that we now use a much larger overall total of each of the lists. Both environments now use the same lists. However, at present we do not indicate in the message itself what URL is on each list in the case that a message is marked as spam because it contains a URL on one of these three lists.
That’s the second change we made to the FOPE service this past summer.