
I use Office 365 for email with about 30 people using 6 domains.

I occasionally receive messages from the "Postmaster" saying that an email was rejected which was never sent. For instance:

[screenshot: an example of one of the "Postmaster" rejection messages]

I assumed that one of the following was happening.

  1. Someone was sending messages to me pretending to be the Postmaster.
  2. Someone was sending messages to others with forged headers so that it looked like it was coming from me.

I basically ignored these messages because I did not believe that there was anything I could do about these two scenarios. However, I just added a new domain and these messages have now skyrocketed.

Here are my questions:

  1. Is there any way to tell whether these messages are legitimately from postmaster? If so, would I be able to completely block any messages not from the legit postmaster?
  2. Is there any way of guarding against someone forging headers to send email on one of my domains?

More Information

I am receiving these suspicious emails on my main admin account (let's say that is domain1.com). However, the emails are coming in as if they were sent on the new domain2.com. Normally, postmaster rejects are received by the account that sent the email out in the first place.

Normally, a bounced email message from office 365 looks like this:

[screenshot: a normal Office 365 bounce message]

Which leads me to think that this is a fake message. However, when I look at the message headers of the suspicious message, they look pretty legit (although I am no expert). Here is what comes up:

[screenshots: the message headers of the suspicious message]

William

2 Answers

  1. Look at the message headers to determine where a message really came from. There's an "app" for OWA MessageHeaderAnalyzer, which essentially loads in the same tool from testconnectivity.microsoft.com. MessageIDs from Exchange are pretty easy to pick out.
  2. Yes!!! The Canonical answer on Server Fault: Fighting Spam - What can I do as an: Email Administrator, Domain Owner, or User?

Office 365 setup goes down the path of doing some of this. Namely doing DNS checks to make sure your MX and SPF are valid. DKIM is automagically enabled in the service as well, but this doesn't cover any "other" mail systems for your domain.

Edit:

Line 24 in the header shows how Exchange evaluated the spam posture of the message.

SFV:SKI Similar to SFV:SKN, the message skipped filtering for another reason such as being intra-organizational email within a tenant. This doesn't seem to coincide with what you are explaining.

Reference Anti-Spam header info

Are any of the domains given in your possession?

blaughw
  • I added my headers and some additional details above - the headers look pretty legit to me but I am no expert - however, the format of a normal reject from postmaster on Office 365 has a different format... so I am confused... – William Aug 24 '16 at 19:24
  • You also see this if you add your own domains to the "allowed domains" list in the O365 spam filter (note: this is why that very page tells you not to add your own domains). – Ruscal Dec 27 '19 at 21:09
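As an added example (not code from either answer, nor from Microsoft's header analyzer), the check the first answer describes, done in Python: pull the Authentication-Results and X-Forefront-Antispam-Report headers out of a constructed sample bounce, decode the SFV code and list the authentication results that did not pass. Domains, IP address and host name in the sample are placeholders; the SKI and SKN descriptions follow the answer above, the other SFV codes are standard Exchange Online values.

```python
import re
from email import message_from_string

# Constructed sample of a suspicious "Postmaster" bounce landing in the admin
# mailbox. Domains, IP and host name are placeholders, not values from the page.
SAMPLE_MESSAGE = """\
From: postmaster@domain2.com
To: admin@domain1.com
Subject: Undeliverable: Invoice
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=domain2.com;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=domain2.com;compauth=fail reason=001
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:mail.example.invalid;PTR:;CAT:NONE;SFS:;DIR:INB

Body omitted.
"""

# SKI and SKN follow the answer above; the other codes are standard SFV values.
SFV_MEANING = {
    "SKI": "filtering skipped: treated as intra-organizational mail",
    "SKN": "filtering skipped: sender or domain on an allow list",
    "SPM": "marked as spam by content filtering",
    "NSPM": "marked as not spam",
    "BLK": "sender or domain is on a block list",
}

def parse_forefront_report(value):
    """Split 'KEY:VAL;KEY:VAL;...' into a dict (empty values become '')."""
    fields = {}
    for item in value.split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            fields[key] = val.strip()
    return fields

def parse_auth_results(value):
    """Pick method=result pairs out of a (possibly folded) Authentication-Results header."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(?:^|;)\s*(spf|dkim|dmarc|compauth)=(\w+)", value)}

def assess(raw_message):
    """Return the SFV code, its meaning, the auth results and a list of red flags."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    sfv = parse_forefront_report(msg.get("X-Forefront-Antispam-Report", "")).get("SFV", "")
    flags = [f"{m}={r}" for m, r in auth.items() if m in ("spf", "dkim", "dmarc") and r != "pass"]
    if sfv in ("SKI", "SKN") and auth.get("spf") != "pass":
        flags.append("filtering was skipped although the sender did not pass SPF")
    return {"sfv": sfv, "meaning": SFV_MEANING.get(sfv, "unknown code"), "auth": auth, "flags": flags}
```

Run `assess(SAMPLE_MESSAGE)` on the sample and the result shows SFV:SKI together with failed SPF and DMARC, the combination the first answer says does not match an ordinary external bounce.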

These are legitimate messages. That is the default message for the admin notifications. It's possible to actually change that verbiage in the ECP. I get quite a few of these daily as well.

This setting is under Protection --> Malware --> Settings --> Administrator Settings

In my case I have it configured to only alert me when it's detected from an internal sender. However, when I get these, if I check the message traces they never show up. This makes me think it's occurring inside Office 365 and someone is attempting to send as my domain and it's triggering this alert. I'm not 100% sure yet either as I have not had time to look into it further.

In the case of your NDRs, you may want to enable NDR backscatter in the protection settings. This prevents someone from generating an NDR from a spoofed address and having that NDR sent back to your address.

Jesus Shelby