As someone who administers an O365 tenant for ~ 500 mailboxes I just learned 
that if you enable 
https://technet.microsoft.com/en-us/library/dn600322(v=exchg.150).aspx (which I 
suspect most tenants do) then the O365 tools provided do NOT provide log data 
from the proxy server tier, at least that was what the support representative 
called it.

My understanding is that the flow looks something like Internet -> O365 Proxy 
servers -> O365 Tenant servers.  The proxy tier information is not included in 
the O365 Message Trace results.  Only log data from the tenant servers is 
included.

Which to me means that something other than O365 should always be responsible 
for the MX record.  Otherwise events happen and yet as an administrator I’m not 
privy to what, why, when, etc.  Using another service/MTA that I do have 
complete log data for allows me to know what is happening.

I found out about this lack of log data as I was testing something, it got 
rejected at the edge (i.e. proxy tier) and yet Message Trace didn’t show it.  
Thankfully we do have another SP for our MX and their logs clearly showed the 
rejection.

Now if I could just combine the SP and O365 logs into Splunk (or similar) I’d 
be very happy and could find things much faster.  :-)


-Chad



> On Jun 13, 2016, at 12:32 PM, Michael Wise via mailop <mailop@mailop.org> 
> wrote:
> 
> 
> Just to chime in for Office365, we either reject at the edge, or deliver to 
> Junk/Quarantine.
> 
> If there is an attack on our infrastructure in progress, and we can 
> specifically identify distinctives of the attack, we may craft a DROP rule 
> for that traffic, once we're certain of the bogus nature of it, but that 
> happens on the order of maybe once every two or three months, and the rule is 
> torn out as soon as the attack has subsided.
> 
> Otherwise, Office365 never drops mail, unless the user specifically chooses 
> an option (delete high confidence spam) to do so, which we don't recommend.
> 
> Aloha,
> Michael.
> -- 
> Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
> Processed." | Got the Junk Mail Reporting Tool ?
> 
> -----Original Message-----
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Suresh 
> Ramasubramanian
> Sent: Monday, June 13, 2016 10:15 AM
> To: Brandon Long <bl...@google.com>
> Cc: mailop <mailop@mailop.org>; Hugo Slabbert <hslabb...@stargate.ca>
> Subject: Re: [mailop] Microsoft/Hotmail discards mails
> 
> That's where a human postmaster team comes in handy along with sufficient 
> automation (self removals, automated relists, automated upgrades to covering 
> cidr blocks, a template driven ticketing system that lets you handle multiple 
> tickets with a single set of actions for reply / closure ..
> 
> Given the automation you actually won't need as many people as you think (two 
> full time people for 40++ million users was fun till about eight years back)
> 
> --srs
> 
>> On 13-Jun-2016, at 9:36 PM, Brandon Long via mailop <mailop@mailop.org> 
>> wrote:
>> 
>> OTOH, our SMTP time rejections have their own issues, false positives are a 
>> lot more visible and harder to deal with (users can't mark an smtp time 
>> rejection as "not spam").  Most of the questions/complaints on mailop about 
>> Gmail are due to our SMTP time rejections.
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fchilli.nosignal.org%2fcgi-bin%2fmailman%2flistinfo%2fmailop&data=01%7c01%7cmichael.wise%40microsoft.com%7cb38463fb725c450836c808d393aed6d5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=cd3FiliSb4BCvmPKlHhR9b3%2fIfcwXxLM%2bronn06eY1M%3d

