Cloud-based scanning

Denis Beauchemin Denis.Beauchemin at usherbrooke.ca
Fri Mar 6 19:12:22 GMT 2015


Here is my first impression of the Microsoft 365 email filtering service:

1- you may not know it but you are already getting email from it because it looks like all email coming from @hotmail.com, @outlook.com and others is sharing the same outbound servers as 365.
 a) look here for the IP addresses used: https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
 b) all server names seen so far contain this string: outbound.protection.outlook.com

2- it looks like emails to invalid addresses are handled correctly as you can see in the following email I received after sending from gmail:
smtpe2.usherbrooke.ca rejected your message to the following email addresses:

toto at usherbrooke.quebec
The email address wasn't found at the destination domain. It might be misspelled or it might not exist any longer. Try retyping the address and resending the message.
If that doesn't work, contact the recipient (by phone or instant messaging, for example) to check that the address is correct. If the problem continues, forward this message to your email admin.

For Email Administrators
For more tips to help fix this issue, see DSN 5.1.1 Errors in Exchange Online and Office 365.

smtpe2.usherbrooke.ca gave this error:
<toto at usherbrooke.quebec>... User unknown

3- MailScanner is still useful for fine-grained work such as:
 a) detecting and neutralizing different tags: <A>, phishing, Form, Script, Web bugs, HTML
 b) phishing attempts
 c) whitelisted stuff (could probably be done by 365)
 d) Sanesecurity and other Clam stuff
 e) local SpamAssassin rules

4- I ended up archiving all emails that come from the list in #1 so I could get a look at them if I wanted to make sure MailScanner did the right thing when it decided to tag one of those emails as spam.

5- During part of yesterday I managed to get these stats for the Microsoft 365 emails that went through MailScanner (I should get more in a few days):
=== Emails Rejected
Domain of sender address laurent.heylen at student.fi2.be does not exist: 2
Domain of sender address no-reply-iTunes.iso at Support.inc.out.com does not exist: 2

 HAM:  774
SPAM:   20
Actions Attach, Deliver, Header:  10
                 Actions Delete:  10

        <A> tags: 577
       Form tags:   1
   Phishing tags:  23
     Script tags:   2
    Web Bug tags:  29
  HTML Form tags:   1
   HTML IMG tags: 354
HTML Script tags:   2

  Expanding TNEF:   5
    Removed TNEF:   5
      Added TNEF:   4

 Phishing Frauds:  52
     Whitelisted:  27

=== Clamd::Infected::
Sanesecurity.ScamL.151.UNOFFICIAL:   1

=== Found spam-virus
Sanesecurity.ScamL.151.UNOFFICIAL:   2

=== SpamAssassin Rules
     ADVANCE_FEE_4_NEW_FRM_MNY:   1
                AXB_X_FF_SEZ_S:  18
                      BAYES_50:   3
                      BAYES_60:   2
                      BAYES_80:   3
                      BAYES_99:  12
                     BAYES_999:   9
                 BIGNUM_EMAILS:   1
                 BODY_URI_ONLY:   2
                     DCC_CHECK:   3
                   DEAR_WINNER:   1
                 EMPTY_MESSAGE:   9
                FILL_THIS_FORM:   1
           FILL_THIS_FORM_LONG:   1
                  FORM_FRAUD_5:   1
                 HAS_SHORT_URL:   2
                      HK_LOTTO:   1
        HTML_FONT_LOW_CONTRAST:   1
                  HTML_MESSAGE:   8
                  LIST_PARTIAL:   3
                 LOTS_OF_MONEY:   1
               MISSING_HEADERS:   3
                 MONEY_FRAUD_5:   1
        RCVD_IN_BL_SPAMCOP_NET:   7
                  RCVD_IN_BRBL:  12
             RCVD_IN_DNSWL_LOW:   2
            RCVD_IN_DNSWL_NONE:  18
              RCVD_IN_LASHBACK:   6
                  RCVD_IN_PSBL:   4
             RCVD_IN_SORBS_WEB:   2
            RCVD_IN_UCE_PFSM_1:   3
         REPLYTO_WITHOUT_TO_CC:   1
               TVD_SPACE_RATIO:   2
          T_FSL_HELO_BARE_IP_2:  11
                    UDES_BUY15:   2
                    UDES_BUY17:   2
                    UDES_BUY99:   2
                  UDES_VIRUS01:   1
                URIBL_AB_SURBL:   1
         URIBL_DBL_ABUSE_BOTCC:   1
         URIBL_DBL_ABUSE_REDIR:   2
                  US_DOLLARS_3:   1

6- For now I would not accept Microsoft 365-filtered emails without any local filtering; it does a good job of blocking with RBL because I didn't get any email that I blocked with Spamhaus or URIBL; I guess my MX servers will just go idle because they won't have to work as hard as before.

Have a good week-end everybody!

Denis
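As an added example (not code from Denis's post, from MailScanner or from sendmail), here is how the rule behind points 1 and 4, "archive everything that arrived via the Office 365 outbound servers", can be expressed over a message's Received: headers. Only the topmost Received: line is trusted, since that is the one your own MX prepended; the HELO name and every line below it were sent over the wire by the remote side and can say anything, so the relay must match on both the reverse-DNS name your MTA recorded and the source IP. The relay hostnames, sample messages and the 203.0.113.0/24 range are constructed placeholders; the real ranges are on the TechNet page linked in point 1a.

```python
import email
import ipaddress
import re

# Hostname suffix Denis saw on every Office 365 / Outlook.com outbound server.
O365_SUFFIX = ".outbound.protection.outlook.com"

# Assumed placeholder for the published outbound ranges (TEST-NET-3 here);
# load the real list from the TechNet page cited in point 1a.
O365_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# sendmail-style "from HELO (rdns [ip]) by MTA" Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?:IPv6:)?(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s*\(may be forged\))?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return helo/rdns/ip/by/forged for one Received: header, or None."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    hop["forged"] = hop["forged"] is not None
    return hop


def o365_relay_hop(raw_message, own_mta, ranges=O365_RANGES):
    """Return the hop at which own_mta received the message from an Office 365
    outbound relay, or None.  Only the topmost Received: line counts: it is the
    one our MX wrote; everything below it came from the sender."""
    msg = email.message_from_bytes(raw_message)
    received = msg.get_all("Received", [])
    if not received:
        return None
    hop = parse_received(received[0])
    if hop is None or hop["by"].lower() != own_mta.lower() or hop["forged"]:
        return None
    try:
        ip = ipaddress.ip_address(hop["ip"])
    except ValueError:
        return None
    name_ok = (hop["rdns"] or "").lower().endswith(O365_SUFFIX)
    ip_ok = any(ip in net for net in ranges)
    return hop if (name_ok and ip_ok) else None


def should_archive(raw_message, own_mta="smtpe2.usherbrooke.ca"):
    """Point 4: keep a copy of every message that arrived via Office 365."""
    return o365_relay_hop(raw_message, own_mta) is not None


# Constructed sample messages (relay names, IPs and queue ids are made up).
VIA_O365 = b"""Received: from NAM01-BY2-obe.outbound.protection.outlook.com
 (mail-by2nam01on0057.outbound.protection.outlook.com [203.0.113.57])
 by smtpe2.usherbrooke.ca (8.14.4/8.14.4) with ESMTP id t26Jabc012345;
 Fri, 6 Mar 2015 13:55:12 -0500
From: someone@hotmail.com
To: denis@usherbrooke.quebec
Subject: test

hello
"""

# HELO claims an Office 365 name, but the rDNS and IP our MX recorded disagree.
SPOOFED_HELO = b"""Received: from NAM01-BY2-obe.outbound.protection.outlook.com
 (badhost.example [198.51.100.9]) by smtpe2.usherbrooke.ca (8.14.4/8.14.4)
 with ESMTP id t26Jdef012346; Fri, 6 Mar 2015 14:01:02 -0500
From: someone@hotmail.com
To: denis@usherbrooke.quebec
Subject: test

hello
"""

# Sender supplied a fake second Received: line naming our MX; the real hop
# (the topmost line) came from an unrelated host, so it must not count.
FORGED_HOP = b"""Received: from mail.example (mail.example [198.51.100.20])
 by smtpe2.usherbrooke.ca (8.14.4/8.14.4) with ESMTP id t26Jghi012347;
 Fri, 6 Mar 2015 14:05:00 -0500
Received: from x.outbound.protection.outlook.com
 (x.outbound.protection.outlook.com [203.0.113.99]) by smtpe2.usherbrooke.ca
 (8.14.4/8.14.4) with ESMTP id fake; Fri, 6 Mar 2015 14:04:00 -0500
From: someone@hotmail.com
To: denis@usherbrooke.quebec
Subject: test

hello
"""

if __name__ == "__main__":
    for name, raw in (("via O365", VIA_O365), ("spoofed HELO", SPOOFED_HELO),
                      ("forged hop", FORGED_HOP)):
        print(name, "-> archive:", should_archive(raw))
```

If your MX hands mail to a second internal host that runs MailScanner, pass that host's upstream as own_mta and walk one hop further down; the principle stays the same, trust only the lines written by machines you control.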

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Freegard
Sent: March 3, 2015 18:15
To: MailScanner discussion
Subject: Re: Cloud-based scanning

Denis,

On 03/03/15 18:13, Denis Beauchemin wrote:
> Thanks Steve and all the others.

No problem - you're welcome.

> My server will act as a proxy and will reject invalid addresses in the connect phase so I should be safe. I will be testing this RSN with an alternate domain name, in case something goes wrong...

It will be interesting to see whether Microsoft will actually ask it like this (e.g. in a call-ahead style).

What I suspect will happen is that Microsoft will actually accept mail to unknown recipients and then bounce it when the delivery is attempted to you later.

I'd be interested to hear your results and experiences once you've switched over your initial test domain.

Kind regards,
Steve.

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
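The distinction Steve raises (a recipient check at RCPT time versus accepting and bouncing later) and the 550 5.1.1 rejection Denis quotes in point 2 are shown below as an added example, not code from either post, from MailScanner or from sendmail. It is an in-process model of the server side of an SMTP session: with verify_at_rcpt=True the unknown mailbox is refused before DATA, so nothing is queued and nothing can bounce; with verify_at_rcpt=False the recipient is accepted and the server later owes a DSN to whatever MAIL FROM claimed, which is backscatter when that address was forged. Hostnames, mailboxes and the session are constructed.

```python
import re


class SmtpRecipientCheck:
    """Server side of an SMTP session, just enough of RFC 5321 to show where an
    unknown recipient is refused.  Not a network server."""

    ADDR_RE = re.compile(r"<([^>]*)>")

    def __init__(self, hostname, valid_rcpts, verify_at_rcpt=True):
        self.hostname = hostname
        self.valid = {a.lower() for a in valid_rcpts}
        # True: answer 550 5.1.1 at RCPT TO (what Denis's proxy does).
        # False: accept every RCPT TO and find the bad ones at delivery,
        #        the accept-then-bounce behaviour Steve suspects.
        self.verify_at_rcpt = verify_at_rcpt
        self.delivered = []  # (sender, rcpt, body) accepted for a real mailbox
        self.bounces = []    # DSNs owed to the envelope sender after the fact
        self._reset()

    def _reset(self):
        self.helo = None
        self.sender = None
        self.rcpts = []

    def _addr(self, arg):
        m = self.ADDR_RE.search(arg)
        return m.group(1).lower() if m else None

    def command(self, line):
        """Handle one client command line and return the server reply."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._reset()
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.helo}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.5.1 Send HELO/EHLO first"
            self.sender = self._addr(arg)
            if self.sender is None:
                return "501 5.1.7 Bad sender address syntax"
            self.rcpts = []
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = self._addr(arg)
            if rcpt is None:
                return "501 5.1.3 Bad recipient address syntax"
            if self.verify_at_rcpt and rcpt not in self.valid:
                # Refused before DATA: nothing is queued, so nothing can bounce.
                return f"550 5.1.1 <{rcpt}>... User unknown"
            self.rcpts.append(rcpt)
            return "250 2.1.5 Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT (recipient)"
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 Reset state"
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.1 Command unrecognized"

    def data(self, body):
        """Message text received after the 354 reply."""
        for rcpt in self.rcpts:
            if rcpt in self.valid:
                self.delivered.append((self.sender, rcpt, body))
            else:
                # We already said 250 at RCPT, so all that is left is a DSN to
                # whatever MAIL FROM claimed: backscatter if it was forged.
                self.bounces.append((self.sender, rcpt, "550 5.1.1 User unknown"))
        self.rcpts = []
        return "250 2.0.0 Message accepted for delivery"


def run_session(server, commands, body):
    """Drive a server through a client's command list; return the dialogue."""
    transcript = [f"S: 220 {server.hostname} ESMTP"]
    for cmd in commands:
        reply = server.command(cmd)
        transcript += [f"C: {cmd}", f"S: {reply}"]
        if cmd.upper() == "DATA" and reply.startswith("354"):
            transcript += ["C: <message text>", f"S: {server.data(body)}"]
    return transcript


# Constructed session: a remote sender tries the unknown mailbox from point 2.
SESSION = [
    "EHLO mail.gmail.example",
    "MAIL FROM:<someone@gmail.example>",
    "RCPT TO:<toto@usherbrooke.quebec>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for verify in (True, False):
        srv = SmtpRecipientCheck("smtpe2.usherbrooke.ca",
                                 ["denis@usherbrooke.quebec"], verify_at_rcpt=verify)
        print("\n".join(run_session(srv, SESSION, "hello")))
        print("bounces owed:", srv.bounces, "\n")
```

Run it and compare the two transcripts: the verifying server answers 550 at RCPT and then 503 at DATA, so the message is never accepted; the lazy one answers 250 all the way and ends up holding a bounce addressed to the claimed sender.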