Quantcast
Channel: Terry Zink: Security Talk
Viewing all articles
Browse latest Browse all 243

When creating support tickets about spam, be sure to include message headers

$
0
0

When users get spam and phishing messages in the inbox, we ask users to submit them back to us, using the instructions here: Submit spam, non-spam, and phishing scam messages to Microsoft for analysis. I explain why this is important in Why does spam and phishing get through Office 365? And what can be done about it?

But sometimes, we get customer support tickets, or random questions, from customers or other people within Microsoft. Unfortunately, many times these submissions are not that useful. The following are examples that don't help us:

  • Forwarding the original spam message (i.e., hitting "Forward" in your email client of the spam message to someone else who asks for a sample)
  • Screenshots of a spam message
  • Partial headers, and not the full set, in a text file of a message
  • Partial headers, and not the full set, from the message header analyzer
  • A verbal description with no example (e.g., "I'm having trouble delivering to Microsoft" or "I'm getting lots of spam messages")
  • Message traces in a csv or Excel file without the originals attached
  • Screenshots showing deliverability going down over time

None of these are helpful. Occasionally for the first one we can do a message trace and find a candidate message, and then go back to the logs and figure out what happened. That works, but it is time-consuming and doesn't scale beyond one or two messages.

All of those can help, but without the original message headers, it limits our ability to investigate.

So, for everyone who has ever asked for help with deliverability to Microsoft (or too much deliverability in the way of spam), here's a quick primer.

Getting message headers in Outlook


Getting message headers in Outlook Web Access (OWA, also referred to as Outlook on the web)

BTW, this also works in Outlook.com's web interface.

 

Attaching messages using drag-and-drop in Outlook (or attach item) sometimes drops important headers

Sometimes people will do the correct thing and forward a message as an attachment. That is, in Outlook, people will compose a new message and then drag-and-drop the spam message as an attachment. Or, they'll use the "Attach item" feature.

This is supposed to preserve the entire contents of the message, but sometimes it doesn't. Sometimes, for reasons I don't understand, when dragging-and-dropping a message from the Outlook list view into a new message as an attachment, a bunch of headers get stripped from the original message. This appears to be some header firewall issue between certain versions of Outlook and Exchange. You'll never notice when it happens, it's done secretly with no notification to the user.

So, to be safe, you may want to copy/paste the headers of a message into the message body. That's what I do, and it's what some versions of our spam reporting plug-in used to do - to avoid this very problem.

Basic troubleshooting

Sometimes, you can troubleshoot simple missed spam, or false positive, problems yourself. The key header to look for is the X-Forefront-Antispam-Report header, which is documented at Antispam message headers. If it's a user configuration, you can either adjust it yourself or contact an administrator.

Example 1 – Missed spam caused by SCL -1 and reason SKN

X-Forefront-Antispam-Report: CIP:104.47.32.118;IPV:NLI;CTRY:;EFV:NLI;SFV:SKN;SCL:-1;SFS:(These are spam rules);DIR:INB;SFP:;SRVR:CO2PR0801MB677;H:NAM01-SN1-obe.outbound.protection.outlook.com;FPR:;SPF:Pass;PTR:mail-sn1nam01on0118.outbound.protection.outlook.com;A:1;MX:1;LANG:en;

Example 2 – False positive with SCL 6 and Reason SKB

X-Forefront-Antispam-Report: CIP:104.47.32.118;IPV:NLI;CTRY:;EFV:NLI;SFV:SKB;SCL:6;SFS:(These are spam rules);DIR:INB;SFP:;SRVR:CO2PR0801MB677;H:NAM01-SN1-obe.outbound.protection.outlook.com;FPR:;SPF:Pass;PTR:mail-sn1nam01on0118.outbound.protection.outlook.com;A:1;MX:1;LANG:en;

 

Example 3 – Missed spam SCL -1 and reason IPV:CAL

X-Forefront-Antispam-Report: CIP:104.47.32.118;IPV:CAL;CTRY:;EFV:NLI;SFV:SKN;SCL:-1;SFS:(These are spam rules);DIR:INB;SFP:;SRVR:CO2PR0801MB677;H:NAM01-SN1-obe.outbound.protection.outlook.com;FPR:;SPF:Pass;PTR:mail-sn1nam01on0118.outbound.protection.outlook.com;A:1;MX:1;LANG:en;

Example 4 - Bulk email

To determine if a message is marked as spam because it's bulk email, you need to look at the X-Microsoft-Antispam header. This will contain the BCL value. In Office 365, the default value for BCL blocking is 7 (meaning 7-9 are blocked by default). Some customers will lower the BCL which will be more aggressive in terms of bulk email filtering, but this is usually associated with more false positives (see How to securely add a sender to an allow list in Office 365 for tips on how to avoid this).

X-Forefront-Antispam-Report: ...SFV:SPM; [Message is marked as spam, there is no special code]

X-Microsoft-Antispam: UriScan:;BCL:7;PCL:0;RULEID:(SpamRules);SRVR:BN6PR1101MB2113;

X-CustomSpam: Bulk mail [This is stamped when a message is spam due to bulk email filtering and BCL value is non-default]


Conclusion

This should help provide both you and us with the necessary information to troubleshoot spam problems when you experience them in Office 365. It lets you see if there's some configuration problems on your side, and if there isn't, then getting us data in a usable format reduces friction on side to quickly fix the problem so you can get on with your day.


Viewing all articles
Browse latest Browse all 243

Trending Articles