Tenant allow/block list and Exchange rules – order of execution
I’ve just been trying to reduce all the emails from a particularly large global spam bot which hit my tenant daily and aren’t being picked up automatically as SPAM by the service. The bot uses many different individual email mailboxes, on many different (real) domains, registered in many countries (including European countries) – and the domains only seem to make it onto the occasional blacklist. The mail server IPs seem to be Russian ISPs, but several of those too. So it has been difficult to stop, but I’m pretty much there, as there is only a small variation in the content.
In the process of dealing with it, I have noticed that Exchange rules I have defined appear to take precedence over domain entries in the tenant allow/block list, where I expected it to be the other way around, i.e. I expected the TABL would be checked before anything else.
E.g. I have a particular domain listed in the TABL because I want to block anything/everything from it, as it is actually the predominant domain spamming us, and an Exchange rule that just looks for content rather than the source to catch all the other domains that are sending out the exact same junk. The other day, my rule caught an email from the domain based on content, and it is clear the TABL had not had an activation against it.
Is my understanding correct, and if so, is there something somewhere that describes how the various components of 365 act on incoming messages and in what order – kinda like a flow chart? I’ve had a look and can’t find anything.
Thanks!
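The setup described in the post, as an added PowerShell example (not code from the original post or from Microsoft): it puts the spamming domain into the Tenant Allow/Block List, creates a content-matching mail flow rule for the other domains, and then pulls the message-trace detail for a message from the blocked domain so the recorded events show which component acted on it and in what sequence. The domain, phrases, mailbox and rule name are placeholders; the script assumes the ExchangeOnlineManagement module and an account with rights to manage the TABL and mail flow rules.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage the Tenant Allow/Block
# List and mail flow rules. All domain, phrase and mailbox values are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$blockedDomain = 'spammer.example'        # placeholder: the predominant spam-bot domain
$recipient     = 'user@contoso.example'   # placeholder: a mailbox that received the junk
$ruleName      = 'Spam bot content match' # placeholder rule name

# 1. Block the whole domain in the Tenant Allow/Block List (sender list, no expiry).
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $blockedDomain `
    -NoExpiration -Notes 'Predominant spam-bot domain'

# 2. Content-based mail flow rule for the other domains sending the same text.
#    Priority 0 places it ahead of any existing rules; quarantine keeps a copy for review.
New-TransportRule -Name $ruleName -Priority 0 `
    -SubjectOrBodyContainsWords 'placeholder phrase one', 'placeholder phrase two' `
    -Quarantine $true -Comments 'Catches the spam-bot text regardless of sending domain'

# 3. Confirm both controls exist as intended.
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Where-Object Value -eq $blockedDomain |
    Format-List Value, Action, ExpirationDate, Notes
Get-TransportRule -Identity $ruleName | Format-List Name, Priority, State

# 4. For messages from the blocked domain in the last 48 hours, list every event the
#    service recorded. The Event/Action/Detail columns show which component
#    (spam filtering, a mail flow rule, delivery, ...) acted on each message, in order.
$trace = Get-MessageTrace -RecipientAddress $recipient -SenderAddress "*@$blockedDomain" `
    -StartDate (Get-Date).AddHours(-48) -EndDate (Get-Date)

foreach ($msg in $trace) {
    "--- $($msg.Received)  $($msg.SenderAddress)  [$($msg.Status)]"
    Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId -RecipientAddress $recipient |
        Sort-Object Date |
        Format-Table Date, Event, Action, Detail -AutoSize -Wrap
}
```

Reading the trace detail for a message the content rule caught is the quickest way to answer the question in the post for a specific tenant: the events appear in the order the service applied them, so a "transport rule" event preceding (or replacing) any spam-filtering event tells you which control fired first for that message without relying on a diagram.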