Email/Exchange/Office 365 - Postmaster Spam
I use Office 365 for email with about 30 people using 6 domains.
I occasionally receive messages from the "Postmaster" saying that an email was rejected which was never sent. For instance:
I assumed that one of the following was happening.
- Someone was sending messages to me pretending to be the Postmaster.
- Someone was sending messages to others with forged headers so that it looked like it was coming from me.
I basically ignored these messages because I did not believe that there was anything I could do about these two scenarios. However, I just added a new domain and these messages have now skyrocketed.
Here are my questions:
- Is there any way to tell whether these messages are legitimately from postmaster? If so, would I be able to completely block any messages not from the legit postmaster?
- Is there any way of guarding against someone forging headers to send email on one of my domains?
More Information
I am receiving these suspicious emails on my main admin account (let's say that is on domain1.com). However, the emails are coming in as if they were sent on the new domain2.com. Normally, postmaster rejects are received by the email sending it out in the first place.
Normally, a bounced email message from Office 365 looks like this:
Which leads me to think that this is a fake message. However, when I look at the message header of the suspicious message, it looks pretty legit (although I am no expert). Here is what comes up:
Tags: email, exchange, microsoft-office-365
asked Aug 24 '16 at 15:36 by William; edited Aug 24 '16 at 19:23
2 Answers
- Look at the message headers to determine where a message really came from. There's an "app" for OWA MessageHeaderAnalyzer, which essentially loads in the same tool from testconnectivity.microsoft.com. MessageIDs from Exchange are pretty easy to pick out.
- Yes!!! The Canonical answer on Server Fault: Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?
Office 365 setup goes down the path of doing some of this. Namely doing DNS checks to make sure your MX and SPF are valid. DKIM is automagically enabled in the service as well, but this doesn't cover any "other" mail systems for your domain.
Edit:
Line 24 in the header shows how Exchange evaluated the spam posture of the message.
SFV:SKI
Similar to SFV:SKN, the message skipped filtering for another reason such as being intra-organizational email within a tenant. This doesn't seem to coincide with what you are explaining.
Reference Anti-Spam header info
Are any of the domains given in your possession?
answered Aug 24 '16 at 16:31 by blaughw; edited Apr 13 '17 at 12:13 by Community♦
I added my headers and some additional details above - the headers look pretty legit to me but I am no expert - however, the format of a normal reject from postmaster on Office 365 has a different format... so I am confused...
– William, Aug 24 '16 at 19:24
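The header check described in the answer above, as an added example that is not part of the original thread: it reads the `SFV` verdict from `X-Forefront-Antispam-Report` and the SPF/DKIM/DMARC results from `Authentication-Results`. The sample message is constructed, and all of its addresses, hosts and IPs are placeholders.

```python
import re
from email import message_from_string

# Subset of SFV verdicts from Microsoft's anti-spam message header reference.
SFV_MEANING = {
    "SKI": "skipped spam filtering (e.g. intra-organizational mail in a tenant)",
    "SKN": "marked non-spam before spam filtering (e.g. by a mail flow rule)",
    "SKS": "marked spam before spam filtering (e.g. by a mail flow rule)",
    "NSPM": "spam filtering ran and marked the message as non-spam",
    "SPM": "spam filtering ran and marked the message as spam",
}

# Constructed sample message; every address, host and IP is a placeholder.
SAMPLE = """\
Authentication-Results: spf=none (sender IP is 203.0.113.7)
 smtp.mailfrom=domain2.example; dkim=none (message not signed)
 header.d=none; dmarc=none action=none header.from=domain2.example
From: postmaster@domain2.example
To: admin@domain1.example
Subject: Undeliverable message
Message-ID: <constructed-0001@domain2.example>
X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:;LANG:en;SCL:-1;
 SRV:;IPV:NLI;SFV:SKI;H:mail.example.net;PTR:;CAT:NONE;

Body omitted.
"""


def parse_antispam_report(value):
    """Split 'KEY:VALUE;KEY:VALUE;...' into a dict, tolerating header folding."""
    fields = {}
    for part in re.sub(r"\s+", "", value or "").split(";"):
        # Partition on the first colon only, so an IPv6 CIP value stays intact.
        key, sep, val = part.partition(":")
        if sep:
            fields[key.upper()] = val
    return fields


def parse_auth_results(values):
    """Collect spf/dkim/dmarc verdicts; the topmost header wins on duplicates."""
    verdicts = {}
    for value in values:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def triage(raw_message):
    """Summarise the headers an admin would read to judge a suspicious bounce."""
    msg = message_from_string(raw_message)
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report"))
    sfv = report.get("SFV")
    return {
        "from": msg.get("From"),
        "sfv": sfv,
        "sfv_meaning": SFV_MEANING.get(sfv, "not in this table; see the reference"),
        "scl": report.get("SCL"),
        "connecting_ip": report.get("CIP"),
        "auth": parse_auth_results(msg.get_all("Authentication-Results", [])),
        # True only when the spam filter actually produced a verdict.
        "filtered": sfv in ("NSPM", "SPM"),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```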
These are legitimate messages. That is the default message for the admin notifications. It's possible to actually change that verbiage in the ECP. I get quite a few of these daily as well.
This setting is under Protection --> Malware --> Settings --> Administrator Settings
In my case I have it configured to only alert me when it's detected from an internal sender. However, when I get these, if I check the message traces, they never show up. This makes me think it's occurring inside Office365 and someone is attempting to send as my domain and it's triggering this alert. I'm not 100% sure yet either as I have not had time to look into it further.
In the case of your NDRs, you may want to enable NDR backscatter in the protection settings. This prevents someone from generating an NDR from a spoofed address and having that NDR sent back to your address.
answered Aug 31 '16 at 3:34 by Jesus Shelby