Home » EOP » EOP

I am into enterprise Antispam solution design for last few years and recently used Microsoft Exchange Online Protection (EOP) solution. This post is to highlight the useful features in EOP. Someone using or going to use EOP can take the reference with the understanding of information provided as is. Most notable features of EOP lies with the ability to give end user the control of their SPAM protection, over and above the global settings. For large enterprises, this is useful as for one user you no longer have to alter the global settings like whitelisting or blocking a particular email ID. Other notable features include

  • PowerShell to manage and task automation
  • Categorising content filter based on user group i.e. certain set of users would have a particular feature like bulk email protection different from rest of others

Setting up the things

Make onprem exchange environment ready for EOP in case of a hybrid deployment

EOP works based on Spam confidence levels (SCL) of a message. It starts with -1 for safe email and goes up to 9 for high confidence email. As the email passes through various filter, the SCL value can alter and based on the final score, it is categorised as trusted, non-spam, spam or high confidence spam.

In case of hybrid deployment, the message is routed to onprem mailbox with Antispam-Report and SCL header. Hence at organization level your on prem exchange environment must be configured with SCL threshold, 4 to be inline with EOP. This tells the onprem exchange server to route any email with SCL value above 4 to user Junk folder instead of inbox, unless MailboxJunkEmailConfiguration for the mailbox is in disabled state. One can check the current value of SCLJunkThreshold with Get-OrganizationConfig cmdlet and if required change with Set-OrganizationConfig

Get-OrganizationConfig|select SCLJunkThreshold

Next you need to configure two transport rule as per the TechNet article http://technet.microsoft.com/en-us/library/jj837173(v=exchg.150).aspx , that converts the mails detected as SPAM from EOP to get hihger SCL value so that based on the SCLJunkThreshold they goes into user Junk Folder.


New-TransportRule "EOP_SPM" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6

New-TransportRule "EOP_ETR" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6

Explanation of the X-Forefront-Antispam-Report header at http://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx would be helpful to understand the above two rules.

Now onprem environment is ready for EOP. Office365 comes preconfigured with these two rules, no additional configuration required.

Setup SPF, Dmarc record etc. to defend against spoofing

A typical email would have two from address in header, P1 and P2. P1 comes from the “mail from” verb in the SMTP protocol transition between two mail servers. P2 is added by the mail client in the data portion of the email. Spammer tries to spoof these to make the user think the email is from someone internal and try to open it. Technologies like SPF has evolved to address some of these challenges.

SPF helps protecting the P1 header as the domain administrators declares the list of server authorised to send email with their domain mail address in the from field. http://www.openspf.org/ would be a good reference on SPF. DMARC http://www.dmarc.org/ helps to strengthen this further. To start with EOP, at least the SPF record need to be published to protect the internal user against P1 spoofing and in turn helping other domains not receiving spam email in the published domain name.

To check the SPF record of a domain, you can start nslookup => set the query type to txt => give the domain name . The line starting with “v=spf1 would be the SPF record.

Similary quering for txt record for _dmarc.<domain_name> would give the dmarc record that start with “v=DMARC1;

Connect EOP to Onprem Exchange

A minimum of two connect, one for EOP to receive messages from onprem Edge server and one for EOP to route messages to onprem edge server would be required. The connectors need to use mutual TLS so that mails through them are treated authenticated i.e. internal.

Under the scope section, limit the connector with public IP address of onprem edge server.

One more to Onprem

A round robin public DNS record as above pointing to all onprem edge server to be used in delivery section with smart host option.

Part 2 of the post will be on configuring EOP scan engines

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*