Office 365 Anti-Spam Shortcomings - Part 1

Bad, medium or good Anti-Spam. Check Bad.

With Office 365, Microsoft is offering a very affordable email hosting service that includes a lot of added tools. Most customers seem happy with the email hosting part. As for the built-in Anti-Spam, there appears to be room for improvement. Office 365 comes with EOP (Exchange Online Protection) built-in. FOPE (Frontbridge Online Protection for Exchange) is Microsoft's generic Anti-Spam engine.

It turns out that many customers using Office 365 are turning to ZEROSPAM because they feel they need a better spam filter. Intrigued by this, I wanted to understand EOP's functions and capabilities. What I found is quite depressing; it completely disregards many of the principles we stand by and that we have been promoting in our business. I will try to sum up my findings here.

Fact #1: No centralized spam quarantine enabled by default

After 11 years in the Anti-Spam business, we know that 75% of the email people receive is spam, phishing or malware. With the level of sophistication that has now been achieved, a malicious payload often looks perfectly reasonable. Allowing any and all users to browse their quarantine is a huge security risk that can lead to a full-scale network infection in no time. Not to mention that it's a huge waste of time, especially with an Anti-Spam solution that does a poor job of discriminating between good and bad mail. For these two reasons,

In Office 365, a centralized quarantine requires configuration in the Exchange Administration Center (EAC) and can only be accessed through a Web interface by an administrator. This means that the average SMB owner will need professional guidance to configure the quarantine settings correctly; failure to do so will introduce a security risk and cause users to waste a lot of time in their junk folder.
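As an added illustration (not part of the original post, and not ZEROSPAM's or Microsoft's own guidance), the per-user junk-folder handling described above can be compared with a centralized, admin-only quarantine from Exchange Online PowerShell rather than the EAC. It assumes the ExchangeOnlineManagement module is installed and that the content filter policy in use is the one named "Default".

```powershell
# Added example (not from the original post): compare the default
# per-user junk-folder handling with a centralized, admin-only quarantine.
# Assumes the ExchangeOnlineManagement module and a policy named "Default".
Connect-ExchangeOnline

# Inspect the current settings before changing anything.
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                  QuarantineRetentionPeriod, EnableEndUserSpamNotifications

# Weak: spam lands in each user's Junk Email folder (MoveToJmf), where
# anyone can open a message and its attachments on their own.
# Set-HostedContentFilterPolicy -Identity Default -SpamAction MoveToJmf

# Hardened: route spam and phishing into the centralized quarantine,
# keep it for 30 days, and leave per-user digest notifications off so
# that an administrator decides what gets released.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -QuarantineRetentionPeriod 30 `
    -EnableEndUserSpamNotifications $false
```

Run the Get-HostedContentFilterPolicy line again afterwards to confirm the values took effect in the tenant.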

Fact #2: Tipping the scale towards more spam

This is from a Technet Exchange blog: “EOP default tends to be slightly less strict rather than risk a false positive”. Now the whole challenge in the Anti-Spam business is to stop spam without blocking legitimate emails. And it’s a hard thing to do. So every Anti-Spam vendor negotiates this threshold with care, trying to find the optimal balance. Of course, no one solution is bull’s eye every time, but if you want to do a great job, you must at least TRY to reach for perfection. Accepting that spam will get through is just not the right attitude. Spam that makes it through the filters has been the number one complaint we have heard from Office 365 customers turning to ZEROSPAM. Not only is their spam threshold lower than it should be, but the expectation is that users will end up managing the problem by either reporting spam to Microsoft or blocking senders. A useless approach, since spam is typically sent from a large number of spoofed domains that just keep changing.

Fact #3: The Office 365 spam notifications must be enabled for all users or none

In Office 365, the function that sends a daily spam digest by email is known as spam notifications. These must be enabled for all the users or none at all. Enabling every user to receive such notifications, especially in a large organization, is a waste of bandwidth and time. In any given organization, a limited number of people will normally need a spam digest. It should be possible to configure this for them without affecting the whole user base.

Fact #4: The Office 365 spam quarantine can display a maximum of 500 messages

“A maximum of 500 messages can be displayed in the Exchange Administration Center.” That seems a little restrictive. If an executive receiving over 100 emails per day is out of the office for 5 days and unable to check his quarantine while he’s away, by the time he gets back to the office, he will no longer be able to access his earliest messages. And some of these might be legitimate… By default, the ZEROSPAM quarantine displays the 1000 last messages. Very large customers can also perform searches according to different criteria (FROM address, TO address, subject, score, date, etc.) in order to display messages that are within the quarantined-message lifetime set by the client (7 to 30 days) but beyond the last 1000 received.

There are more interesting facts about how the Anti-Spam built into Microsoft 365 behaves that actual and prospective users should really know about. Watch out for our next blog post where log searches, quarantine limits, and the use of secret bad words will be explored.
