Exchange office 365 transport rules to block spam when FROM doesn’t match smtp.mailfrom or return path

exchangemicrosoft-office-365spamspam-filter

I'm sure this type of question has been answered already so I apologize in advance, but I can't seem to find anything. I have spf, dkim, dmarc all setup so I'm not worried about outgoing spam, but I have incoming spam coming through that's clearly spam when looking at the headers. \

Are there good transport rules to block when authentication fails, the smtp.mailfrom and from are different, and the to field is not the recipient? Also the subject and the from is getting encoded. Which might be how it's getting past basic spam filtering.

This seems like it should be easy, but I can't find anything…

From: =?utf-8?Q?=C6=8Aropbox?= <shared@onlineconnect.dpbox.com> 
Return Path: mjw@nutra-balance-products.com
Message ID: <1518007996.63064545@webmail.emailsrvr.com>
To: <me@dropbox.com>
Authentication-Results: spf=none (sender IP is 173.203.187.93) smtp.mailfrom=nutra-balance-products.com; mysitehere.com; dkim=none (message not signed) header.d=none;mysitehere.com; dmarc=none action=none header.from=onlineconnect.dpbox.com;
Subject: =?utf-8?Q?New_document_shared_-_=28investment-2018-en.pdf=29?= which decodes to New document shared - (investment-2018-en.pdf)

Best Answer

The mismatch between Return-Path (envelope sender) and From: doesn't necessarily indicate spam and shouldn't be used as an explicit rule for blocking any messages.

For example we could have a situation where a mailing list forwards message for its subscribers. The mailing list can't change the behavior of SPF for the original sender and it should not modify the From: header specifying (RFC 4021, 2.1.2) the author(s) of the message. Therefore, it must change the envelope sender in order to pass the SPF test on the recipient side.

Return-Path: <postlist@example.net>
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.51.100.30; 
    helo=mail.example.net; envelope-from=postlist@example.net; receiver=<UNKNOWN> 
To: <postlist@example.net>
From: "Original Sender" <user@example.com>

On the other hand, Office 365 mail flow rules aren't designed for doing such comparisons; you can for example compare senders with their location (inside / ouside tenant) or bypass filtering for trusted external servers. These are for addressing more specific problems, where heuristics fail.

If you think you only receive legitimate mails from senders that have SPF/DKIM/DMARC set, you could e.g. add a rule that alters Spam Confidence Level (SCL) based on Authentication-Results containing spf=none and dkim=none. Depending on your situation it may cause false positives.

Related Solutions

Emails are going to spam

The following is based off of the IP I see in your logs as the mail sending IP of 67.55.9.182.

You have a PTR entry, which is good.

;; ANSWER SECTION:
182.9.55.67.in-addr.arpa. 14400 IN      PTR     dsl-67-55-9-182.acanac.net.

However your forward and reverse should match ideally. The reverse entry leads me to believe that you are running this off of a DSL ISP connection. That is enough to get your mail marked as spam in some systems. They do not like seeing mail coming from "home" or "consumer" connections.

Your IP is also listed in several blacklists:

67.55.9.182 is listed in dnsbl-3.uceprotect.net 
67.55.9.182 is listed in bl.spamcannibal.org

This will also result in your mail being sent to the spam bin.

Resolve the above issues and you will likely see your mail being accepted as ham. Hope that helps and let me know if you have any questions.

GMail suspects confirmation email in stealing personal information

Mailchimp have an excellent article on How To Avoid Spam Filters

Update: Ok, seeing as I got slammed for just giving this link (to be fair its contents probably wouldn't solve your problem here), I've added more specific to what you're sending.

I suspect its the text you're using. 'Please confirm your email address by clicking the link' - I think you should replace the text with 'Subscribe to this list:'. It may even be as simple as switching from 'please confirm your email' to 'please confirm your subscription' - to indicate you're not trying to get any personal information.
I've no idea why you're adding the HTML as an attachment - if you send a client a normal email from your email client you wouldn't attach it as HTML you just send it as normal HTML (or text) - so why would you do things differently when you're trying not to appear like a spammer?
Given how short your email is you could probably just send it as text - in fact you are sending it as text and as base64 encoded - either send the message as html or as text you don't need both.
When trying to send an email to Gmail they will strip off all the html headers (I found Gmail to be the biggest pain for accepting HTML emails in a correct format)
If you're still getting problems I'd recommend you start sending emails through something like MailChimp - they'll end up looking nicer and you'll have happier customers
What you're being accused of is phishing style emails. Here's an example of one from my junk filter:

Dear online service customer,

Access to your account logged in successfully.

To ensure your protection, we've now blocked access to your accounts. You now need to restore your security details. You won't be able to gain access to your accounts until you've done this.

To restore Please click the link below to restore your account access.

RESTORE YOUR ACCOUNT ACCESS (in the email this is a link to a dodgy site)

© Shop Direct Limited. All Rights Reserved.

Here's an example of a nice please confirm your email from CopyHackers:

Subject: CopyHackers Newsletter: Please Confirm Subscription

Body:

enter image description here

Best Answer

Related Solutions

Emails are going to spam

GMail suspects confirmation email in stealing personal information

Related Topic