Marc-8505 asked KyleXu-MSFT commented

What can I do to find out which specific spam rule EOP used to "identify" an email as spam?

I have noticed that sometimes analyzing the header of a spammed email is not sufficient to find out which spam rule caused the spam detection. What other tool can I use to find out?


@Marc-8505

As AndyDavid said, we can only check from the message header.
If you want to know which policy was applied to this email, you could try changing the "Actions" for the existing anti-spam policy from "Move message to Junk Email folder" to "Add X-header" (set a different X-header for each policy).

1 Answer

AndyDavid answered KyleXu-MSFT commented

It depends:

You can use this link to look at the headers to determine why it was marked as SPAM:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide#x-forefront-antispam-report-message-header-fields

However, it may not reveal anything specific if it was marked as SPAM simply because ATP determined it was for another reason.
i.e.:
SFV:SPM The message was marked as spam by spam filtering.
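
As an added example (not part of the original answer, and not Microsoft's code), here is one way to pull the verdict fields out of the headers discussed in this thread, including a per-policy X-header like the one suggested in the comment above. The sample message, the `X-Example-Policy` header name, the default threshold and the function names are constructed for illustration.

```python
from email import message_from_string

# Constructed sample headers; values are illustrative, not from a real message.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: Monthly newsletter
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.com;PTR:mail.example.com;CAT:SPM;DIR:INB;
X-Microsoft-Antispam: BCL:6;
X-Example-Policy: strict-inbound

Body
"""

# A few SFV values, paraphrased from the Microsoft documentation linked above.
SFV_MEANING = {
    "SPM": "marked as spam by spam filtering (content verdict, no rule named)",
    "NSPM": "marked as non-spam by spam filtering",
    "SKB": "matched a blocked sender/domain list in an anti-spam policy",
    "SKS": "marked as spam before spam filtering, e.g. by a mail flow rule",
    "SKA": "skipped filtering: allowed sender/domain list in an anti-spam policy",
}

def parse_fields(value):
    """Split 'KEY:VALUE;KEY:VALUE;' into a dict; values may be empty."""
    fields = {}
    # Folded headers keep their line breaks, so remove them before splitting.
    for part in (value or "").replace("\r", "").replace("\n", "").split(";"):
        key, sep, val = part.strip().partition(":")  # first colon only (IPv6 CIP)
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def triage(raw, policy_header="X-Example-Policy", bulk_threshold=7):
    """Summarise the anti-spam verdict fields of one raw message."""
    msg = message_from_string(raw)
    report = parse_fields(msg["X-Forefront-Antispam-Report"])
    bcl = parse_fields(msg["X-Microsoft-Antispam"]).get("BCL")
    sfv = report.get("SFV", "")
    return {
        "SFV": sfv,
        "verdict": SFV_MEANING.get(sfv, "see the linked documentation"),
        "SCL": report.get("SCL"),
        "CAT": report.get("CAT"),
        "BCL": bcl,
        # Bulk filtering applies when BCL meets or exceeds the policy threshold.
        "bulk_over_threshold": bcl is not None and int(bcl) >= bulk_threshold,
        "policy_tag": msg[policy_header],  # None unless a policy adds this header
    }

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name}: {value}")
```

On the constructed sample, a BCL of 6 against a threshold of 7 is not a bulk hit, so `SFV:SPM` is the only verdict the headers carry, which matches the limitation described in the answer.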

The problem here is that there are certain emails blocked as spam. The analyzer doesn't give clear evidence. The "submission" gives as a rescan result: blocked due to a policy. I can't find the policy in Spam settings that blocks the email.
In this case what will be the right approach?

There is no "policy" in the SPAM settings that blocks it. The anti-spam headers referenced in that link are the only information you are really going to get.
If 365 deems it SPAM simply for its content, then you won't be able to see what specifically the reason is.
Your option at that point is to have the users report as not junk, add to their safe sender lists, or you allow at the gateway.

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide


I didn't explain it well.
Once found by analyzer that a Bulk email threshold was flagged to 6 (EOP settled at 7) and after a completed submission didn't resolve the issue with the outcome: "blocked due to a policy" ...

I thought if I found which spam setting (for example: Backscatter, SPF (DKIM, DMARC), specific words, HTML hyperlink, etc.) could cause the issue, I could resolve the problem by switching it OFF.

At this point the only solution will be to add the email to the Spam whitelist?

Open a service request from the Microsoft 365 admin center and check whether they can help you check the blocked reason. Before that, the white list may be the most suitable way.

Yes, you do not want to modify the policy or lessen its capabilities.
Work around the issue with safelisting:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide

That's the recommended and best solution.