Unsurprisingly turned out Michael was right and the IPs for the 2 sends were different (stupid me for not checking the obvious issue first while loosing my mind trying to understand the cryptic tokens).
So, if I send from the same IP I seethe BCL:7 and SCL:9 also in my own office365 account (even if I got them in inbox, with the same MLV/SFV tokens, but this may be "per inbox" evaluation due to inbox history). I tested 4 of my "bulk" IPs used to send the unicampania.it email (213.171.189.21, 213.171.189.11, 188.165.188.55, 188.165.188.39) and they are BCL:4, BCL:5 and 2xBCL:7. Now, from the technet I read that BCL stands for "Bulk Complaint Level" and a value from 4 to 7 (my IPs range) is described as "The message is from a bulk sender that generates a mixed number of complaints.". The 4 IPs are mostly green on SNDS and complaints are low, too, there (but I guess Office365 is a whole different infrastructure). Senderscore for the 4 IPs are 97-99, on Senderbase (Talos) are green (good), on Google Postmaster Tools are "green" (good). So, I'm kind of blind on the complaints you collected for that IPs and who could be abusing my network (shared IPs, thousands senders). Now the questions: 1) Is there a way to reset/reconsider or at least to know what (which senders?) did contribute to make it so bad? Is there an FBL or other tools like JMRP/SNDS for office365 domains? 2) While I try to fix/understand the BCL issue, is there a suggested configuration to let unicampania.it postmaster "override" this BCL and whitelist my IPs? 3) Is there a way for the unicampania.it postmaster to know if emails from our IPs received complaints from their users? 4) Is there an official way to deal with this office365/hosted exchange deliverability issues (like we do with outlook.com issues) instead of this mailop list? Thank you very much Michael, Stefano PS: I collected the full headers, I could send you offlist, but I guess there is no need for them as you were right about the different IP. Just tell me if you need them anyway. On 23 May 2017 at 20:00, Michael Wise <michael.w...@microsoft.com> wrote: > > > I’d need the full headers from BOTH samples. > > My suspicion is that the IPs used in each are different. > > Otherwise, without solid forensic data (the full headers), I’m not > prepared to, “Guess Authoritatively”. 😊 > > > > We need the full headers of both samples, from both the BCL:2 and BCL:7 > emails. > > > > Aloha, > > Michael. > > -- > > *Michael J Wise* > Microsoft Corporation| Spam Analysis > > "Your Spam Specimen Has Been Processed." > > Got the Junk Mail Reporting Tool > <http://www.microsoft.com/en-us/download/details.aspx?id=18275> ? > > > > *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Stefano > Bagnara > *Sent:* Tuesday, May 23, 2017 10:43 AM > *To:* mailop <mailop@mailop.org> > *Subject:* Re: [mailop] Hosted exchange/Office 365 specific domain junk > issue (MLV:ovrnspm) > > > > On 23 May 2017 at 19:34, Michael Wise <michael.w...@microsoft.com> wrote: > > > > Machine Learning Verdict. > > > > But it was the BCL value of the sending IP that classified it as SCL:9 > High Confidence Spam.. > > > > Can you add something more? > > The same message is not blocked from other office domains (BCL:1 & SCL:1). > > > > is the BCL something related to internal abuse collection for that > specific domain? (the postmaster told me that they don't think the emails > are spam, but in fact I see "low open rates" and this is the only "monitor" > I have (didn't receive complaints and the postmaster confirmed they are > happy to receive that messages). Or is it just related to the fact that the > sender send the same message to 2000 recipients for that domain and this > "alone" is enough to trigger MLV? > > > > What are the inputs for the BCL value for an IP? I guess this is not > "shared" (because BCL is 1 when I send the same message to another > recipient) but then if it is not shared this domain just received this > messages from that IP and they say they are happy to receive it. > > > > Iis there anything I can suggest their postmaster to do about this "false > positive"? > > > > > > > > Aloha, > > Michael. > > -- > > *Michael J Wise* > Microsoft Corporation| Spam Analysis > > "Your Spam Specimen Has Been Processed." > > Got the Junk Mail Reporting Tool > <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D18275&data=02%7C01%7Cmichael.wise%40microsoft.com%7C8305d3726620416ef92208d4a2045272%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636311586832595587&sdata=iok5raOnu64zolhsGvkYdFt8B9koGzmrxOAku5V9lgM%3D&reserved=0> > ? > > > > *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Stefano > Bagnara > *Sent:* Tuesday, May 23, 2017 5:24 AM > *To:* mailop <mailop@mailop.org> > *Subject:* [mailop] Hosted exchange/Office 365 specific domain junk issue > (MLV:ovrnspm) > > > > Hi all, > > > > One of my customer is sending an email to 2000 recipients in the > unicampania.it > <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Funicampania.it&data=02%7C01%7Cmichael.wise%40microsoft.com%7C1709f6dca22f4b6c9ee308d4a1d85109%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636311397820342048&sdata=v0q%2Bu8429kdiBqte2uIZQRI6HsK%2BCHyo%2F%2F0CumcJWdc%3D&reserved=0> > domain (the domain is a university domain and the sender is a labor-union > for the university employees), a domain hosted pointing to the outlook > protection MX and using an hosted exchange service. > > > > Here is an excerpt of the junked email their postmaster sent back to me: > > X-Forefront-Antispam-Report: CIP:213.171.189.21;IPV:NLI; > CTRY:IT;EFV:NLI;SFV:SPM;SFS:(8196002)(31630200002)( > 3000300001)(438002)(286005)(359002)(199003)(349900001)( > 189002)(349012);DIR:INB;SFP:;SCL:9;SRVR:AM4PR0501MB2274;H:ms21.mailvox.it > <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fms21.mailvox.it&data=02%7C01%7Cmichael.wise%40microsoft.com%7C1709f6dca22f4b6c9ee308d4a1d85109%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636311397820342048&sdata=bDRwhXK79U8jCj6O7ISNV1tVzLO7Jrs2o4fsANs%2BURQ%3D&reserved=0> > ;FPR:;SPF:Pass;*MLV:ovrnspm*;A:1;MX:1;PTR:ms21.mailvox.it > <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fms21.mailvox.it&data=02%7C01%7Cmichael.wise%40microsoft.com%7C1709f6dca22f4b6c9ee308d4a1d85109%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636311397820342048&sdata=bDRwhXK79U8jCj6O7ISNV1tVzLO7Jrs2o4fsANs%2BURQ%3D&reserved=0> > ;*CAT:HSPM*;LANG:it; > X-DkimResult-Test: Passed > X-Microsoft-Antispam: > UriScan:;BCL:7;PCL:0;RULEID:(22001)(421252002)(81800236)( > 3001016)(71702078);SRVR:AM4PR0501MB2274; > X-Exchange-Antispam-Report-Test: UriScan:(81227570615382); > X-Exchange-Antispam-Report-CFA-Test: > *BCL:7*;PCL:0;RULEID:(601004)(701104)(2401047)(13018025)( > 8121501046)(13016025)(9101536074)(10201501046)( > 3002001)(93006095)(93005095);SRVR:AM4PR0501MB2274;BCL:7; > PCL:0;RULEID:;SRVR:AM4PR0501MB2274; > X-CustomSpam: Bulk Mail | Bulk Mail > SpamDiagnosticOutput: 1:6 > SpamDiagnosticMetadata: Default:7 > X-MS-Exchange-Organization-SCL: 6 > > > > I'm in touch with the unicampania.it > <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Funicampania.it&data=02%7C01%7Cmichael.wise%40microsoft.com%7C1709f6dca22f4b6c9ee308d4a1d85109%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636311397820342048&sdata=v0q%2Bu8429kdiBqte2uIZQRI6HsK%2BCHyo%2F%2F0CumcJWdc%3D&reserved=0> > admin that say that they have no specific filter and they started using > hosted exchanged only recently. If I send the same message to my own > office365 hosted account (on a different domain) it is delivered in inbox > with SCL=1 instead of SCL=9 (and with BCL:2 instead of BCL:7). > > > > Does anyone know what are the meanings of the "MLV" part of the header? > This is the first time I see that "MLV:ovrnspm". We all guess what spm is > for, but what about "ovrn" ? > > > > The receiving postmaster told me that they are using an "almost > unconfigured" version of hosted exchange and they didn't apply any specific > rule (the postmaster for the receiving domain know the sender). > > > > I know how to open a ticket for the Outlook.com platform, but this is > something specific to the hosted exchange (and maybe specific to a custom > domain, even if they didn't configure anything): is there an only form for > office365/hosted-exchange issues? > > > > Stefano > > > > -- > > Stefano Bagnara > > Void Labs / VOXmail.it > > Apache James/jSPF/jDKIM > > > > > > > > > > > > >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
