Office 365 And Spam


Office 365 delivers all incoming messages to your mailbox. It does not hold messages in a spam quarantine.

[05/09/12 Update below]


Microsoft does thorough spam filtering on incoming mail for Office 365 subscribers – and then uses technology built into Exchange to make the experience with spam completely painless. This is an important advantage for Office 365 subscribers!

Most spam filtering services put messages identified as spam into an online quarantine. A summary is emailed to the user every day or two. The services differentiate themselves by crowing about how many messages are trapped and how few of them are mistakes that weren’t really spam after all. The predecessor to Office 365, Microsoft Online Services BPOS, worked like that.

It’s an administrative nightmare and burdensome for users. Scanning the daily summary and trying to spot a nugget that should have been delivered the day before is an annoying chore. There are a thousand ways for the process to go wrong – the message doesn’t get delivered when the “Release” button is clicked, or the user doesn’t get the daily summary, or the administrator has to go chasing down undelivered messages, trying to figure out why they didn’t arrive.

Office 365 has a different approach.

Incoming messages are delivered to an elaborate infrastructure built up by Microsoft specifically for filtering messages. Microsoft Forefront Online Protection for Exchange uses a dizzying blend of technology to detect viruses and other malicious code in email messages. The global Forefront network is updated every fifteen minutes with antivirus definitions from multiple security companies. Microsoft engineers watch for virus outbreaks and develop additional rules to identify malicious messages every two hours.

If messages contain a virus or malicious code, they are permanently dropped. Period.

Forefront provides service level agreements guaranteeing 100% known virus protection.

Once the dangerous messages are gone, the second pass involves a blend of sophisticated techniques to identify spam. This article describes some of the techniques – IP Reputation, Connection Analysis, Reputation Analysis, IP-Based Authentication, Fingerprinting, Rule Based Scoring, and (my personal favorite) “NDR Backscatter Mitigation.”

Forefront claims to be more than 98% effective at identifying junk and has a false positive rate of less than 1 in 250,000 (0.0004%).

None of the spam messages are quarantined.

Forefront simply adds a code in the header of a spam message and sends it on to the Office 365 Exchange Hub Transport server. (The code is internal, not visible to you.) When the Exchange Server sees that code, it puts the spam message in your Junk Mail folder.

And that’s it! Office 365 subscribers are receiving every message sent to them. If a message is not received, it almost certainly is an outside problem. There is no ambiguity, no quarantine to explore, no summary to wait for. Everything is in the mailbox.

[Technical note: larger businesses can change this arrangement to suit their needs. Office 365 administrators for enterprises have access to almost all the settings in Forefront to add and change policies. Small business clients will never change the default mail handling, which works as I describe.]

Office 365 users have to check their junk mail folder. In my experience the accuracy of the spam filtering is uncanny; I almost never find a legitimate message in Junk Mail. Blacklisting and whitelisting senders is handled in Outlook’s junk mail settings.

I have worked with many spam filtering services. Many of my clients relied on Exchange Defender for years, and some are still subscribers. The experience with Office 365 is easier to understand and easier to deal with day to day.

No ambiguity. All messages are delivered. No delays in receiving mail. I had the Microsoft support engineer repeat that to me several times today to make sure I understood him correctly, then did the research and confirmed it.

Update 05/09/12

Some of my Office 365 clients were getting quarantine delivery reports, which didn’t fit the setup I describe above. After investigating, it appears that new Office 365 accounts are set up as described, but accounts originally set up with Microsoft Online Services BPOS were migrated over with the BPOS spam settings – a spam quarantine and a spam report every three days.

As far as I know, my description here accurately describes the default setting for Office 365 unless and until an administrator changes it (which is very likely in larger companies). I’ve now turned off the spam quarantine for my migrated clients.

If anyone has different information, let me know! I want to be confident about this.