Spam Detections Test

Spam is unsolicited (and typically unwanted) email. If spam mails are not captured promptly and filtered out, they become a distraction and needlessly consume mailbox space. This is why it is good practice to run the Spam Detections test periodically.

At configured intervals, this test scans the mail traffic over Exchange Online for spam mails. Spam mails detected are then categorized based on their nature. By default, the test captures the following spam categories:

  • SpamIPBlock: Messages that were blocked based on the sender's IP address
  • SpamDBEBFilter: Messages that were blocked by Directory Based Edge Blocking, i.e., by checking the recipient against the directory. This happens when a message is addressed to an unknown recipient.
  • SpamEnvelopeBlock: Messages that were blocked based on SMTP envelope checks
  • SpamContentFiltered: Messages that passed the initial IP and SMTP filters and were then filtered based on content, rules or other spam configurations.

For each spam category, the test then reports the count of spam mails of that category that were found in incoming mails and outgoing mails. This will reveal to administrators whether too many spam mails are coming in or going out of the monitored Office 365 tenant, and the most common spam type. Based on the pointers provided by these metrics, administrators can make intelligent spam filtering customizations.

Moreover, the detailed metrics reported by the test reveal the top senders and receivers of spam mails. This points administrators to email traffic that they may want to track closely, so as to check for spam.

The test additionally reports the size of the incoming and outgoing spam mails. Detailed diagnostics accurately point administrators to users who sent/received large-sized spam mails, thus enabling administrators to analyze the impact of spam mail size on the mailbox size of those users.

Target of the test : Exchange Online

Agent deploying the test : A remote agent

Outputs of the test : One set of results for each category of spam mails sent/received over Exchange Online

First-level descriptor: Spam mail category

Configurable parameters for the test

Parameters Description

Test period

How often should the test be executed

Host

The host for which the test is to be configured. By default, this is portal.office.com

O365 User Name, O365 Password, and Confirm Password

For execution, this test requires the privileges of an O365 user who is vested with the View-Only Audit Logs, View-Only Recipients, Mail Recipients, and Mail Import Export permissions. Configure the credentials of such a user against O365 User Name and O365 Password text boxes. Confirm the password by retyping it in the Confirm Password text box.

While you can use the credentials of any existing O365 user with the afore-said privileges, it is recommended that you create a special user for monitoring purposes using the Office 365 portal and use the credentials of that user here. To know how to create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portal.

Domain, Domain User Name, Domain Password, and Confirm Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, in the Domain text box, specify the name of the Windows domain to which the eG agent host belongs. In the Domain User Name text box, mention the name of a valid domain user with login rights to the eG agent host. Provide the password of that user in the Domain Password text box and confirm that password by retyping it in the Confirm Password text box.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of these parameters. By default, these parameters are set to none.

Proxy Host, Proxy Port, Proxy User Name, and Proxy Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, provide the IP/host name and port number of the Proxy server that the eG agent should use in the Proxy Host and Proxy Port parameters, respectively.

If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the Proxy User Name and Proxy Password text boxes. Confirm that password by retyping it in the Confirm Password text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time the test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Measurement Description Measurement Unit Interpretation

Inbound spam items

Indicates the number of incoming spam mails of this category.

Number

A high value for this measure is a cause for concern, as it indicates that many of the mails received are spam mails. In this case, use the detailed diagnosis of this measure to view the top-10 receivers, in terms of the number of spam mails they received. This information thus points administrators to those receivers who were worst hit by spam mails.

Outbound spam items

Indicates the number of spam mails of this category that were sent.

Number

A high value for this measure is a cause for concern, as it indicates that many of the mails sent were spam mails. In this case, use the detailed diagnosis of this measure to view the top-10 senders, in terms of the number of spam mails they sent. This will also point you to those senders who are probably responsible for generating a lot of spam mails and frustrating receivers. Since outbound spam from an internal mailbox is a common symptom of a compromised account, such senders merit a closer look.

Inbound spam size

Indicates the total size of incoming spam mails of this category.

GB

If the value of this measure is abnormally high, then use the detailed diagnosis of this measure to view the top-10 receivers, in terms of the size of the spam mails they received.

If the mailboxes of these receivers increase in size suddenly, then check the spam mail size of these receivers to see if the spam mails caused the abnormal mailbox growth.

Outbound spam size

Indicates the total size of the outgoing spam mails of this category.

GB

If the value of this measure is abnormally high, then use the detailed diagnosis of this measure to view the top-10 senders, in terms of the size of the spam mails they sent.

If the mailbox size of these senders increases suddenly, then check the spam mail size of these senders to see if the spam mails caused the abnormal mailbox growth.

Unique senders

Indicates the number of unique senders of spam mails of this category.

Number

Use the detailed diagnosis of this measure to view the top-10 senders, in terms of the number of spam mails they sent.

Unique receivers

Indicates the number of unique receivers of spam mails of this category.

Number

Use the detailed diagnosis of this measure to view the top-10 receivers, in terms of the number of spam mails they received.

The detailed diagnosis of the Inbound spam items measure lists the top-10 receivers, in terms of the number of spam mails they received. This will point you to the receiver who received the maximum number of spam mails and was hence affected the worst by it. With the help of the detailed metrics, you can also accurately identify who sent the spam mails to the top receiver and the size of these spam mails. Using this information, administrators can tell over which email communication - i.e., communication between which sender and receiver - the maximum number of spam mails were trafficked; such email communication may be pulled up for closer monitoring.

Figure 1 : The detailed diagnosis of the Inbound spam items measure

The detailed diagnosis of the Outbound spam items measure lists the top-10 senders, in terms of the number of spam mails they sent. This will point you to that sender who sent the maximum number of spam mails. With the help of the detailed metrics, you can also accurately identify who received the spam mails from the top sender and the total size of these spam mails. Using this information, administrators can tell over which email communication - i.e., communication between which sender and receiver - the maximum number of spam mails were trafficked; such email communication may be pulled up for closer monitoring.

Figure 2 : The detailed diagnosis of the Outbound spam items measure

Use the detailed diagnosis of the Unique senders measure to view the top-10 senders, in terms of the number of spam mails they sent. This will point administrators to that sender who is responsible for unnecessarily spamming receivers, much to their frustration.

Figure 3 : The detailed diagnosis of the Unique senders measure reported by the Spam Detections test

Use the detailed diagnosis of the Unique receivers measure to view the top-10 receivers, in terms of the number of spam mails they received. This will point administrators to that receiver who was most affected by spam mails.

Figure 4 : The detailed diagnosis of the Unique receivers measure reported by the Spam Detections test

Use the detailed diagnosis of the Inbound spam size measure to view the top-10 receivers, in terms of the total size of the spam mails they received. This will point administrators to the receiver who has received large-sized spam mails. If that receiver's mailbox size suddenly grew at around the same time the spam mails arrived, the spam mail size is the likely cause. The detailed statistics also point you to who sent such large-sized spam mails to the top receiver. This sender can be pulled up for questioning.

Figure 5 : The detailed diagnosis of the Inbound spam size measure


Use the detailed diagnosis of the Outbound spam size measure to view the top-10 senders, in terms of the total size of the spam mails they sent. This will point administrators to the sender who has sent large-sized spam mails. If that sender's mailbox size suddenly grew at around the same time the spam mails were sent, the spam mail size is the likely cause. The detailed statistics also point you to who received such large-sized spam mails from the top sender. This sender can be pulled up for questioning.

Figure 6 : The detailed diagnosis of the Outbound spam size measure
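The following added example is not eG Enterprise code; it shows how the six measures listed under "Measurements made by the test" and the drill-downs described in the detailed diagnosis paragraphs above can be derived from per-message spam detection records. The records are constructed for illustration and their field layout (category, direction, sender, recipient, size in bytes) is an assumption, not the schema of any eG or Microsoft report.

```python
from collections import Counter, defaultdict

GB = 1024 ** 3

# Constructed sample: one tuple per detected spam message, in the assumed form
# (category, direction, sender, recipient, size_bytes). Made-up rows, not a
# real trace.
SAMPLE_DETECTIONS = [
    ("SpamIPBlock",         "Inbound",  "promo@bulk.example",    "alice@tenant.example", 40_000),
    ("SpamIPBlock",         "Inbound",  "promo@bulk.example",    "bob@tenant.example",   35_000),
    ("SpamIPBlock",         "Inbound",  "news@spammy.example",   "alice@tenant.example", 1_500_000),
    ("SpamContentFiltered", "Inbound",  "offer@cheap.example",   "alice@tenant.example", 250_000),
    ("SpamContentFiltered", "Inbound",  "offer@cheap.example",   "alice@tenant.example", 250_000),
    ("SpamContentFiltered", "Inbound",  "offer@cheap.example",   "carol@tenant.example", 250_000),
    ("SpamContentFiltered", "Outbound", "dave@tenant.example",   "x@external.example",   3_000_000),
    ("SpamContentFiltered", "Outbound", "dave@tenant.example",   "y@external.example",   3_000_000),
    ("SpamEnvelopeBlock",   "Inbound",  "bogus@nowhere.example", "bob@tenant.example",   2_000),
]


def summarize(detections, top_n=10):
    """Compute, per spam category, the six measures the test reports plus the
    top-N receivers/senders that its detailed diagnosis lists."""
    by_category = defaultdict(list)
    for row in detections:
        by_category[row[0]].append(row)

    summary = {}
    for category, rows in by_category.items():
        inbound = [r for r in rows if r[1] == "Inbound"]
        outbound = [r for r in rows if r[1] == "Outbound"]
        summary[category] = {
            "inbound_spam_items": len(inbound),
            "outbound_spam_items": len(outbound),
            "inbound_spam_size_gb": sum(r[4] for r in inbound) / GB,
            "outbound_spam_size_gb": sum(r[4] for r in outbound) / GB,
            # unique senders/receivers are counted over both directions
            "unique_senders": len({r[2] for r in rows}),
            "unique_receivers": len({r[3] for r in rows}),
            # receivers ranked by inbound spam count, senders by outbound spam count
            "top_receivers": Counter(r[3] for r in inbound).most_common(top_n),
            "top_senders": Counter(r[2] for r in outbound).most_common(top_n),
        }
    return summary


def senders_to(detections, category, recipient):
    """Drill-down for a top receiver: who sent spam of this category to
    `recipient`, as (sender, count, total_bytes), most/largest first."""
    counts, sizes = Counter(), Counter()
    for cat, _direction, sender, rcpt, size in detections:
        if cat == category and rcpt == recipient:
            counts[sender] += 1
            sizes[sender] += size
    return sorted(
        ((s, counts[s], sizes[s]) for s in counts),
        key=lambda t: (t[1], t[2]),
        reverse=True,
    )


def busiest_pairs(detections, category, top_n=10):
    """Sender/receiver pairs over which the most spam of this category was
    trafficked, i.e. the communications worth closer monitoring."""
    pairs = Counter((s, r) for cat, _d, s, r, _sz in detections if cat == category)
    return pairs.most_common(top_n)


if __name__ == "__main__":
    for category, m in summarize(SAMPLE_DETECTIONS).items():
        print(f"{category}: in={m['inbound_spam_items']} out={m['outbound_spam_items']} "
              f"senders={m['unique_senders']} receivers={m['unique_receivers']} "
              f"top_receivers={m['top_receivers'][:3]}")
    print(senders_to(SAMPLE_DETECTIONS, "SpamIPBlock", "alice@tenant.example"))
    print(busiest_pairs(SAMPLE_DETECTIONS, "SpamContentFiltered"))
```

Feeding a real export (one row per detected message, mapped into the same tuple shape) into summarize() reproduces the per-category numbers the test reports; senders_to() and busiest_pairs() are the two pivots the detailed diagnosis figures show, so a sudden jump in a user's outbound count from busiest_pairs() is the signal to check that account.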