My E-mail appears as spam | Troubleshooting - Mail server | Part 15#17
http://o365info.com/my-e-mail-appears-as-spam-troubleshooting-mail-server-part-15-17
Step B: Get information about your Exchange Online infrastructure, Step C – Fetch the information about the Exchange Online IP address, Step D – Verify if the “formal” Exchange Online IP address appears as blacklisted.
Eyal Doron | o365info.com
1. Page 1 of 26 | My E-mail appears as spam | Troubleshooting - Mail server | Part 15#17
Written by Eyal Doron | o365info.com
MY E-MAIL APPEARS AS SPAM |
TROUBLESHOOTING – MAIL SERVER |
PART 15#17
In the current article, we will review the rest of the steps in our troubleshooting journey, which relates to a scenario in which we think or suspect that:
The cause of the problem, in which “our E-mail” is identified as spam/junk mail, is the fact that our Exchange Online IP address appears as blacklisted.
In the former article – My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17, we reviewed the required steps for “fetching” the Exchange Online IP address from the E-mail message.
The current article is dedicated to Step “B”, Step “C” and Step “D”.
Step B – Get information about Exchange Online
infrastructure
Get the required information about the Exchange Online server that represents our domain name (the Exchange Online host name + IP address).
Step C – Fetch the information about the Exchange Online
IP address
In this step, we will need to locate the Exchange Online server
IP address. The IP address could appear as part of the NDR E-
mail message or, in case of a scenario in which we get a copy
of the E-mail message that was sent to the junk mail folder of
the destination recipient, fetch the required information from
the E-mail header.
Step D – Verify if the “formal” Exchange Online IP address appears as blacklisted.
This step builds on the information we obtained in the three previous steps.
Given that we have the IP address of the Exchange Online server that appears in the NDR E-mail message, and that we know the IP address of the Exchange Online server that represents our domain name in Office 365, we can verify whether the IP address that appears in the NDR is the IP address of our Exchange Online server.
If the IP address is not the IP of our Exchange Online server (this is the most common scenario), it is probably one of the IP addresses that belong to the Exchange Online High Risk Delivery Pool.
Step B – Get information about your Exchange
Online infrastructure
Step 1 – Get the host name of the Exchange Online server that represents our domain in Office 365.
To answer the question “What is the IP address of the Exchange Online server that represents our domain?”, we first need to know the “FQDN” (host name) of the Exchange Online server that represents our tenant in Office 365.
There are two ways to get information about the FQDN of the Exchange Online server that “sends E-mail for our domain”:
Option 1: Office 365 administration portal
Log in to the Office 365 administration portal
On the left sidebar – choose the domain menu
Choose – Manage DNS
Under the Exchange Online section, look for information about the MX record host name (POINTS TO ADDRESS). In our scenario, the Exchange Online server that will “represent” our organization is: o365info-com.mail.protection.outlook.com
Option 2: Using the nslookup tool
Another option for getting information about the “host name” of the Exchange Online mail server that “represents” our organization is to use the nslookup tool.
Open the command prompt
Type the command: nslookup
Type the command: set type=mx
Type the name of the domain whose MX record you want to display. In our scenario: com
In the following screenshot, we can see the result of our MX query.
In our example, the host name of the Exchange Online server that represents our domain is: o365info-com.mail.protection.outlook.com
Step 2 – Get the IP address of the Exchange Online server that represents our domain.
A couple of notes regarding Exchange Online and its public IP address:
The Exchange Online server (the host name that appears in our domain MX record) is mapped to more than one IP address.
These “IP addresses” represent additional Office 365 tenants besides our domain.
If we suspect that our Exchange Online mail server appears as blacklisted, we need to verify information about each of the public IP addresses that are “bound” to the Exchange Online server that represents our domain name.
To get information about the IP addresses that are “mapped” to the host name of the Exchange Online server that represents our domain, we can use a tool such as nslookup.
Open the command prompt
Type the command: nslookup
Type the host name of the Exchange Online server that represents your domain. In our example: o365info-com.mail.protection.outlook.com
In the following screenshot, we can see the results.
In our example, the “answer” is that the IP addresses of the Exchange Online servers that represent our domain are: 213.199.154.87 and 213.199.154.23
Step C – Fetch the information about the
Exchange Online IP address
In this phase, our mission is to get the IP address of the Exchange Online server that appears in the E-mail message.
The Exchange Online IP address could appear in the NDR message or in the E-mail header of the E-mail message that was saved in the junk mail folder of the external destination recipient.
The information about the Exchange Online mail server that sent the E-mail message appears in the content of the E-mail header.
Technically speaking, we can get the required information from the “raw data” in the mail header text, but this is not an easy task.
The preferred option is to use a mail header analyzer, which will help us display the information in a clear way.
In our example, we will use the Microsoft tool
named: Exchange connectivity analyzer
1. Access the Exchange connectivity analyzer web site
2. Copy the information from the mail header.
3. Choose the Message Analyzer tab
4. In the section: “Insert the message header you would like to
analyze” paste the information from the mail header
In the following screenshot, we can see the results. The information in the Received headers displays a clear path through the mail flow.
We can see the Exchange Online servers that accept the E-mail from the Office 365 recipients, but this is not the “final node” in our mail flow.
The Exchange Online server (10.255.179.24) forwards the E-mail message to an additional Exchange Online server (10.255.179.23), and the Exchange Online server that “delivers” the E-mail message to the external recipient is an Exchange Online server that is represented by the IP address: 157.55.234.141
Conclusion from the Message Analyzer
By analyzing the information in the E-mail header, we can see the flow of the E-mail message “inside the Exchange Online infrastructure”.
We can see that the E-mail message “travels” between more than one Exchange Online server. The “most important” Exchange Online server in our scenario is the “last Exchange Online server”, which is responsible for delivering the E-mail message to “its destination” (the mail server that represents the destination recipient).
As you may notice, in our example, the IP address of the Exchange Online server that sent out the E-mail message is: 157.55.234.141.
As mentioned, from my experience, this IP address “belongs” to the Exchange Online Higher Risk Delivery Pool.
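What the header analyzer does with the Received lines can be reproduced on the raw header text. The following is an added example, not part of the original article: the sample headers are constructed (host names, dates and the "by" addresses are placeholders; only the three "from" addresses are the ones quoted above), and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers. Host names and dates are placeholders; the three
# "from" addresses are the ones shown in the article's analyzer output.
SAMPLE_HEADERS = """\
Received: from egress.example.net (157.55.234.141) by mx.recipient.example
 (192.0.2.25) with SMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from hub2.example.net (10.255.179.23) by egress.example.net
 (10.255.179.30) with SMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from hub1.example.net (10.255.179.24) by hub2.example.net
 (10.255.179.23) with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: user@example.com
To: someone@recipient.example
Subject: constructed example

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_from_ips(raw_message):
    """Return the sender ("from") IP of every Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received header, so the list is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())                 # undo header folding
        from_part = re.split(r"\sby\s", flat, maxsplit=1)[0]
        for candidate in IPV4.findall(from_part):
            try:
                hops.append(ipaddress.ip_address(candidate))
                break
            except ValueError:                         # e.g. 999.1.1.1
                continue
    return hops


def delivering_ip(raw_message):
    """IP that handed the message to the recipient's server: last public hop."""
    public = [ip for ip in received_from_ips(raw_message) if ip.is_global]
    return public[-1] if public else None


if __name__ == "__main__":
    print(" -> ".join(str(ip) for ip in received_from_ips(SAMPLE_HEADERS)))
    print("delivering IP:", delivering_ip(SAMPLE_HEADERS))
```

Only the topmost Received header is written by the recipient's own server; the lines below it are supplied by the sending side, so read them as the sender's account of the path.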
Step D – Verify if the “formal” Exchange Online IP address appears as blacklisted.
In this phase, we want to verify if the IP address that appears in the NDR message that we got (or the E-mail message that was sent to the junk mail folder of the destination recipient) is the “formal IP address” of the Exchange Online server that represents our domain.
Note – the scenario in which the Exchange Online IP address that represents our domain name is blacklisted is quite rare. A more common scenario is one in which the IP address that appears in the E-mail message belongs to the Exchange Online High Risk Delivery Pool IP address range.
After we get the IP addresses that are mapped to the Exchange Online server that represents our domain, the next step is to use online tools, which will help us check if one of the IP addresses of our Exchange Online mail server appears as blacklisted.
In the following example, we will use a free on-line tool that is
offered by mxtoolbox.
1. Go to the mxtoolbox site and choose the Blacklists menu.
2. In our example, our Exchange Online host name is mapped to the following IP addresses: 213.199.154.87 and 213.199.154.23
In the box: Server IP or domain we will enter the IP: 213.199.154.87
Choose: Blacklists check.
In the following screenshot, we can see the result. In our scenario, it appears that the IP address of our mail server (o365info-com.mail.protection.outlook.com) is “green and clean”, meaning that the domain IP address doesn’t appear in well-known blacklists.
The scenario in which the “formal IP address” of the Exchange Online server that represents our domain name is blacklisted could be considered a rare scenario.
If you experience the above scenario, the only available option is to report this problem to the Office 365 technical support.
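Underneath, a blacklist check of this kind is a DNS lookup per list: the IP octets are reversed, the list's zone is appended, and an answer in 127.0.0.0/8 means "listed". The following is an added example, not code from the article or from mxtoolbox; the zone dnsbl.example.org is a placeholder, and the listing returned by fake_resolver is constructed so the example runs offline.

```python
import ipaddress
import socket

# Placeholder zone: substitute the blacklist zones you actually monitor.
ZONES = ["dnsbl.example.org"]


def dnsbl_query_name(ip, zone):
    """IPv4 octets reversed, followed by the list's zone (e.g. 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)           # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: listing code, or None when the address is not listed}."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:                # name did not resolve: not listed
            results[zone] = None
            continue
        # A listing is answered with an address in 127.0.0.0/8. Anything else
        # (for example a resolver that rewrites NXDOMAIN) is not a listing.
        results[zone] = answer if answer.startswith("127.") else None
    return results


def listed_addresses(ips, zones=ZONES, resolve=socket.gethostbyname):
    """Map each listed IP to the zones that list it; clean IPs are omitted."""
    report = {}
    for ip in ips:
        hits = [z for z, code in check_dnsbl(ip, zones, resolve).items() if code]
        if hits:
            report[ip] = hits
    return report


def fake_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    constructed_listings = {"141.234.55.157.dnsbl.example.org": "127.0.0.2"}
    try:
        return constructed_listings[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")


if __name__ == "__main__":
    mx_ips = ["213.199.154.87", "213.199.154.23"]   # from the nslookup step
    print(listed_addresses(mx_ips + ["157.55.234.141"], resolve=fake_resolver))
```

With the default resolver, a lookup that fails for any reason is reported as "not listed", so a clean result is only as reliable as the DNS path it was obtained over.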
Get more information about the Exchange Online IP
address
Just a short recap about the troubleshooting path that we’ve
been through so far:
1. We got an NDR message which informs us that our mail server is blacklisted.
2. We have already verified that our “formal Exchange Online IP address” doesn’t appear as blacklisted.
3. We have “fetched” from the NDR message the IP address that is blacklisted.
4. We want to get more detailed information about this specific IP address.
In this phase, we can assume that the IP address that appears in the NDR belongs to the Exchange Online High Risk Delivery Pool IP range. To validate our hypothesis, we can use the information about the public IP range of Office 365 and Exchange Online that was published by Microsoft.
How do I know if the IP address of the “mail server” is an Office 365 Exchange Online IP address?
Microsoft publishes a set of articles that include detailed information about the public IP ranges and the URL addresses of all Office 365 infrastructures.
The main article, or the index for all the different Office 365 infrastructures, is the article: Office 365 URLs and IP address ranges
This article includes detailed information about all the “different parts and infrastructures” of Office 365, such as Exchange Online, EOP (Exchange Online Protection), SharePoint Online, Lync Online etc.
In our scenario, our main interest is the Exchange Online public IP range and the EOP (Exchange Online Protection) public IP range.
The information about the EOP public IP range appears in a
separate article:
Exchange Online Protection IP addresses
In the following screenshot, we can see an example of the
information about the public IP range of EOP (Exchange Online
protection).
If the IP address that appears in the NDR is not our “formal Exchange Online IP address”, and the IP address appears in the “Office 365 and Exchange Online” public IP range, you cannot be 100 percent sure that the IP address belongs to the Exchange Online High Risk Delivery Pool, but it is very likely.
In this case, we already know that the issue is not related to a problem with the IP address of the Exchange Online server, but instead to the content of the E-mail message that was sent by our organization user.
The IP address in the NDR doesn’t appear in the Office 365 public IP range.
This scenario is quite rare, but I think it’s important that you are aware of all the possible scenarios and the tools that you can use in each of them.
The characteristics of this scenario are as follows:
The NDR message that we got informed us that our mail server is blacklisted. The IP address in the NDR is not the formal IP address of the Exchange Online server that represents our domain.
We have performed a search for the IP address in the NDR in the public IP address range of Office 365 and Exchange Online by using the public articles:
o Office 365 URLs and IP address ranges
o Exchange Online Protection IP addresses
And we didn’t find the IP address.
The main question now is: who is the “owner” of the IP address that appears in the NDR message?
To get the required answers, we can use a public site that can provide us with information about the owner of a specific public IP address.
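The three outcomes described in this part of the article (formal IP, another Office 365 IP, or an address outside the published ranges) amount to a membership test against the published CIDR ranges. The following is an added example, not part of the original article: the two ranges are constructed placeholders chosen only so that the article's addresses fall inside them, and the function names are hypothetical.

```python
import ipaddress

# From the nslookup step in the article.
FORMAL_MX_IPS = ["213.199.154.87", "213.199.154.23"]

# Constructed placeholder ranges, chosen only so the article's addresses fall
# inside them. Use the ranges from Microsoft's published articles instead.
PUBLISHED_RANGES = ["213.199.154.0/24", "157.55.234.0/24"]

FORMAL = "formal Exchange Online IP: if blacklisted, report to Office 365 support"
POOL = "other Office 365 IP: likely High Risk Delivery Pool, review E-mail content"
UNKNOWN = "not an Office 365 IP: look up the owner of the address"


def load_networks(cidrs):
    """Parse CIDR strings, rejecting entries with host bits set (likely typos)."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs if c.strip()]


def classify_ndr_ip(ndr_ip, formal_ips=FORMAL_MX_IPS, ranges=PUBLISHED_RANGES):
    """Apply the article's three-way decision to the IP quoted in the NDR."""
    ip = ipaddress.ip_address(ndr_ip.strip())          # ValueError if malformed
    if ip in {ipaddress.ip_address(f) for f in formal_ips}:
        return FORMAL
    # Membership is False (not an error) when IP and network versions differ,
    # so a mixed IPv4/IPv6 range list is safe to pass in.
    if any(ip in net for net in load_networks(ranges)):
        return POOL
    return UNKNOWN


def triage(ndr_ips, **kwargs):
    """Classify several addresses; malformed ones are reported, not fatal."""
    report = {}
    for raw in ndr_ips:
        try:
            report[raw] = classify_ndr_ip(raw, **kwargs)
        except ValueError:
            report[raw] = "not a valid IP address"
    return report


if __name__ == "__main__":
    # 198.51.100.7 is a documentation address, used as the "unknown owner" case.
    for ip, verdict in triage(["213.199.154.87", "157.55.234.141", "198.51.100.7"]).items():
        print(ip, "->", verdict)
```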
Using a public website that can provide us with information about the “owner” of a specific public IP address.
As mentioned, an additional option that we can use to get information about a specific public IP address is to use one of the different free services.
In the following example, we will use a website named: https://db-ip.com/
In the following screenshot, we can see the result of the query for the IP address that appeared in our results when using the mail header analyzer in the former step:
Additional reading
DB-IP – IP Geolocation and Network Intelligence
utrace
myip
reputationauthority
Additional information
dnsbl
Blacklist Check
Internal outbound spam in Office 365
environment | Article series index
A quick reference for the article series
My E-mail appears as a spam | Article
series index | Part 0#17
The article index of the complete
article series
Introduction to the concept of internal outbound spam in general
and in Office 365 and Exchange Online environment
My E-mail appears as a spam –
Introduction | Office 365 | Part 1#17
The psychological profile of the
phenomenon: “My E-mail appears as
a spam!”, possible factors for causing
our E-mail to appear a “spam mail”,
the definition of internal outbound
spam.
Internal spam in Office 365 –
Introduction | Part 2#17
Review in general the term: “internal
outbound spam”, misconceptions
that relate to this term, the risks that
are involved in this scenario,
outbound spam E-mail policy and
more.
Internal spam in Office 365 –
Introduction | Part 3#17
What are the possible reasons that
could cause our mail to appear as
spam/junk mail, who or what are the
“elements” that can decide that our
mail is spam mail, and what are the
possible “reactions” of the destination
mail infrastructure that identifies our
E-mail as spam/junk mail?
Commercial E-mail – Using the right
tools | Office 365 | Part 4#17
What is commercial E-mail?
Commercial E-mail as part of the
business process. Why do I think that
Office 365 Exchange Online is
unsuitable for the purpose of
commercial E-mail?
Introduction to the major causes for a scenario in which your
organization E-mail appears as spam
My E-mail appears as spam | The 7
major reasons | Part 5#17
Review three major reasons that
could lead to a scenario in which
E-mail that is sent from our
organization is identified as spam mail:
1. E-mail content, 2. Violation of the
SMTP standards, 3. Bulk/Mass mail
My E-mail appears as spam | The 7
major reasons | Part 6#17
Review three major reasons that
could lead to a scenario in which
E-mail that is sent from our
organization is identified as spam mail:
4. False positive, 5. User Desktop
malware, 6. “Problematic” Website
Introduction to the subject of the SPF record in general and in the Office
365 environment
What is SPF record good for? | Part
7#17
The purpose of the SPF record and the
relation to our mail infrastructure.
How does the SPF record enable us to
prevent a scenario in which hostile
elements could send E-mail on our
behalf.
Implementing SPF record | Part 8#17
The “technical side” of the SPF record:
the structure of SPF record, the way
that we create SPF record, what is the
required syntax for the SPF record in
an Office 365 environment + mix mail
environment, how to verify the
existence of SPF record and so on.
Introduction to the subject of Exchange Online - High Risk Delivery
Pool
High Risk Delivery Pool and Exchange
Online | Part 9#17
How Office 365 (Exchange Online) is
handling a scenario of internal
outbound spam by using the help of
the Exchange Online- High Risk
Delivery Pool.
High Risk Delivery Pool and Exchange
Online | Part 10#17
The second article about the subject
of Exchange Online- High Risk
Delivery Pool.
The troubleshooting path of internal outbound spam scenario
My E-mail appears as spam –
Troubleshooting path | Part 11#17
Troubleshooting scenario of internal
outbound spam in Office 365 and
Exchange Online environment.
Verifying if our domain name is
blacklisted, verifying if the problem is
related to E-mail content, verifying if
the problem is related to specific
organization user E-mail address,
moving the troubleshooting process
to the “other side”.
My E-mail appears as spam |
Troubleshooting – Domain name and
E-mail content | Part 12#17
Verify if our domain name appears as
blacklisted, verify if the problem
relates to a specific E-mail message
content, registering blacklist
monitoring services, activating the
option of Exchange Online outbound
spam.
My E-mail appears as spam |
Troubleshooting – Mail server | Part
13#17
What is the meaning of: “our mail
server”?, Mail server IP, host name
and Exchange Online. One of our
users got an NDR which informs him,
that his mail server is blacklisted!,
How do we know that my mail server
is blacklisted?
My E-mail appears as spam |
Troubleshooting – Mail server | Part
14#17
The troubleshooting path logic. Get
the information from the E-mail
message that was identified as
spam/NDR. Forwarding a copy of the
NDR message or the message that
saved to the junk mail
My E-mail appears as spam |
Troubleshooting – Mail server | Part
15#17
Step B – Get information about your
Exchange Online infrastructure, Step
C – fetch the information about the
Exchange Online IP address, Step D –
verify if the “formal” Exchange Online
IP address a
De-list your organization from a
blacklist | My E-mail appears as spam
| Part 16#17
Review the characteristics of a scenario in
which your organization appears as
blacklisted. The steps and the
operations that need to be
implemented to de-list your
organization from a blacklist.
Summary and recap of the troubleshooting and best practices in a
scenario of internal outbound spam
Dealing and avoiding internal spam |
Best practices | Part 17#17
Provide a short checklist for all the
steps and the operation that relates
to a scenario of – internal outbound
spam.