If any email system is compromised by malware or hit by a malicious spam attack and starts sending outbound spam through EOP (Exchange Online Protection), the IP addresses of the EOP data center servers end up on block lists. Mail from these IP addresses is then rejected by other mail systems. Because EOP is a shared service, other customers' mail that passes through the same IP addresses gets blocked as well.
For example, Customer A's email system is compromised and sends large volumes of spam through the EOP server IP address 18.104.22.168, which then gets blocked by all the other email systems. If Customer B also sends email through the same IP address, their mail gets blocked too. A serious issue, isn't it?
Therefore, all outbound messages that exceed the spam threshold are delivered through a higher risk delivery pool (HRDP). The higher risk delivery pool is a secondary outbound email pool used to send messages that may be of low quality, which helps protect the rest of the network from sending messages that are more likely to get the sending IP address blocked.
The use of a dedicated higher risk delivery pool helps ensure that the normal outbound pool only sends messages that are known to be of high quality. The possibility of the higher risk delivery pool itself being placed on a block list remains a risk. This is by design: the secondary IP pool reduces the probability of the normal outbound IP pool being added to a block list.
The outbound higher risk delivery pool manages the delivery for all “bounced” or “failed” Delivery Status Notification (DSN) messages.
Possible causes for a surge in DSN messages include the following:
- A spoofing campaign affecting one of the customers using the service
- A directory harvest attack
- A spam attack
- A rogue SMTP server
All of these issues can result in a sudden increase in the number of DSN messages being processed by the service. These DSN messages often look like spam to other email servers and services.
How to configure the Outbound Spam Policy
Log in to https://outlook.office365.com/ecp –> Protection –> Outbound Spam –> Edit the policy you have created. In my case the policy name is Default.
1. Send a copy of all suspicious outbound email messages to the following email address or addresses:
These are messages that are marked as spam by the filter (regardless of the SCL rating). They are not rejected by the filter but are routed through the higher risk delivery pool. Separate multiple addresses with a semicolon. Note that the specified recipients receive the messages as Blind carbon copy (Bcc) recipients (the From and To fields still show the original sender and recipient).
2. Send a notification to the following email address when a sender is blocked for sending outbound spam.
When a significant amount of spam is originating from a particular user, the user is disabled from sending email messages. The administrator for the domain, who is specified using this setting, will be informed that outbound messages are blocked for this user.
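The same two policy settings can be applied from Exchange Online PowerShell instead of the ECP page, which is easier to audit and repeat across tenants. The script below is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an admin role that can edit hosted outbound spam filter policies, the policy is named Default as in the post, and the two contoso.example mailboxes are placeholders for your own addresses. The Set-HostedOutboundSpamFilterPolicy parameters used here are the PowerShell counterparts of the two ECP options described above.

```powershell
# Added example (not from the original post): configure the outbound spam policy
# with Exchange Online PowerShell. Assumptions: ExchangeOnlineManagement module
# installed, sufficient admin role, policy named "Default", placeholder mailboxes.

Connect-ExchangeOnline

$policyName       = 'Default'                            # policy name used in the post
$bccRecipients    = @('secops@contoso.example')          # placeholder: gets Bcc copies of suspicious outbound mail
$notifyRecipients = @('mailadmin@contoso.example')       # placeholder: notified when a sender is blocked

# Show the current state before changing anything.
Get-HostedOutboundSpamFilterPolicy -Identity $policyName |
    Format-List Name, BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients,
                NotifyOutboundSpam, NotifyOutboundSpamRecipients

# Step 1: Bcc a copy of all suspicious outbound messages to the listed address(es).
# Step 2: notify the listed address(es) when a user is blocked for sending outbound spam.
Set-HostedOutboundSpamFilterPolicy -Identity $policyName `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients $bccRecipients `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients $notifyRecipients

# Verify the change took effect.
$policy = Get-HostedOutboundSpamFilterPolicy -Identity $policyName
if (-not $policy.BccSuspiciousOutboundMail -or -not $policy.NotifyOutboundSpam) {
    Write-Warning "Outbound spam policy '$policyName' is not configured as expected."
}

# Users currently disabled from sending because of outbound spam (the condition
# the step 2 notification reports on) can be listed for follow-up.
Get-BlockedSenderAddress | Format-Table SenderAddress, CreatedDatetime, Reason

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script from a session where the ExchangeOnlineManagement module is already imported; the Get-HostedOutboundSpamFilterPolicy call before and after the change gives you a before/after record for the change ticket, and the Get-BlockedSenderAddress listing is where you go after receiving the step 2 notification to see which accounts need investigation and clean-up before they are re-enabled.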