6

Our organization uses Outlook as its email service and hence has our organization email domain. If someone from the organization sends a spam or phishing email to someone else in our organization, it's received by the recipient.

I tried sending a simple spam email (copied from my personal Gmail account's Spam folder) from my organization domain to someone in the organization, and it was received by the recipient.

In the Junk folder in Outlook, there were a few spam emails, which means that Outlook does filter spam emails. But still, it does not capture simple spam emails.

Why? Are there any policies in Outlook that let someone in the organization send anything to others in the organization?

schroeder
user5155835
  • What is your email server? That tends to be the place for more effective spam detection. Also, most intra-domain emails are considered trusted. – schroeder Dec 26 '17 at 10:31
  • @schroeder The email server is Microsoft Exchange Server. The email server is managed by Outlook itself. We do not control the server. Our organization only gets "Exchange Admin Center" control. – user5155835 Dec 26 '17 at 10:47
  • So, are you asking why the Outlook email client is not blocking spam or why the email *server* is not blocking spam? – schroeder Dec 26 '17 at 10:52
  • @schroeder Both, why the client is not blocking spam or why the email server is not blocking spam. We also use outlook.office365.com as Web client – user5155835 Dec 26 '17 at 10:55

3 Answers

10

Intra-domain emails (emails from your domain to someone else in your domain) have a much higher trust score, so they tend not to get blocked. This is done because legitimate employee-to-employee emails can look a lot like spam ("check out these pictures of my cat! [link]"). This is an ease of use issue.

The sensitivity level of this can be changed on the server admin panel. But test it out to see if it impacts your normal flow of business.

Exchange Online Spam filter policies

schroeder
1

From what I experienced, MS Office Outlook does not block Spam. Each time I receive a Spam email I tag it as Junk. Next time the same sender gets blocked. I found I have to create my own list. The ISP I am with has Spam filtering. It is adjustable by sensitivity, and also allows the user to filter out by server name and/or by email address. I found their service to be extremely effective. I found some software services that provide Spam blocking, but there are monthly fees.

Hotmail (now Outlook.com) and some others have excellent Spam filtering allowing user setup and additions. You can forward all your email to a Hotmail account or any equivalent, and then IMAP or POP it back to your email program. You can then set up MS Office Outlook to send messages using your ISP email return address, or whatever you are authorized to use.

The link below is from MS about blocking Spam in Outlook.

https://technet.microsoft.com/en-ca/library/cc179183%28v=office.14%29.aspx?f=255&MSPPError=-2147217396

-1

Because spam filtering is, ultimately, undesirable. It costs resources (processing power as well as setting up filters), it's never 100% correct, and no matter what you set it to, it will always block some emails you wanted, and allow others through that you did want.

In the real world, in most jurisdictions, spamming is already against the law (for various definitions and technicalities of "against the law"), but the problem is you can't really identify the source of most spam, so it's often impossible to stop the spammer from spamming you. Filtering spam is an incomplete, undesirable technical solution to a non-technical problem.

Within an organization, this main reason for spam filtering doesn't exist. If an employee sends spam, you have lots of ways to act - have a stern talk with them, revoke their ability to send mail, ultimately fire them - which are the actions that should be taken instead of blocking email. Of course, the spammer might be powerful enough to not be bothered by those actions; but in that case, they're typically powerful enough to request their mails be removed from the spam list. (Arguably, this is the main reason why in many organizations, every employee needs to delete the weekly "information from the management" mail manually).

Of course, originating mail addresses can be faked, but a mail server can easily determine if the mail from john.doe@example.com was sent from the internal network (in which case you can fire John, either for spamming or for not following account security policies), or from an external network (in which case the standard mail filter rules should apply).

Guntram Blohm
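
An added example, not part of any answer on this page: a header triage for a reported message that separates mail submitted by an authenticated account in the tenant from mail that only carries the organization's domain in From, using the anti-spam headers Exchange Online stamps on delivered mail. The sample messages, addresses and verdict labels are constructed for illustration.

```python
import email
from email.utils import parseaddr

def domain(header_value):
    """Lower-cased domain of the first address in a From/To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Classify a delivered message from its Exchange anti-spam headers."""
    msg = email.message_from_string(raw_message)
    same_domain = domain(msg["From"]) == domain(msg["To"]) != ""
    auth_as = (msg["X-MS-Exchange-Organization-AuthAs"] or "").strip()
    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:value pairs.
    report = msg["X-Forefront-Antispam-Report"] or ""
    fields = dict(p.strip().split(":", 1) for p in report.split(";") if ":" in p)
    scl = (msg["X-MS-Exchange-Organization-SCL"] or fields.get("SCL", "")).strip()
    if auth_as == "Internal":
        verdict = "internal-authenticated"      # submitted by a tenant account
    elif same_domain:
        verdict = "external-claiming-internal"  # our domain in From, no auth
    else:
        verdict = "external"
    return {"verdict": verdict, "auth_as": auth_as, "scl": scl,
            "sfv": fields.get("SFV", ""),
            "filter_skipped": scl == "-1"}      # SCL -1: spam filtering bypassed

# Constructed sample messages (example.com is a placeholder domain).
INTERNAL = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.com\n"
    "Subject: You won a prize\n"
    "X-MS-Exchange-Organization-AuthAs: Internal\n"
    "X-MS-Exchange-Organization-SCL: -1\n"
    "X-Forefront-Antispam-Report: CIP:255.255.255.255;SCL:-1;SFV:SKI;\n"
    "\nClick here\n"
)
SPOOFED = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.com\n"
    "Subject: You won a prize\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;SCL:5;SFV:SPM;\n"
    "\nClick here\n"
)

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("spoofed", SPOOFED)):
        print(name, triage(raw))
```

An "internal-authenticated" verdict with `filter_skipped` set points at the sending account (compromised or misused) rather than at the content filter, which is the case the question describes.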