Poor SDR reputation with new O365 hosted domains

rolelael
Level 1

Hi All,

 

We recently increased the SDR scanning engine to include 'Poor' in the reject verdict (Awful was enabled as standard), after we scanned the number of 'Poor' SDRs over a period of time, of course.

 

But now we see that most domains that fell into the Poor SDR, are O365 hosted domains.

 

On TalosIntelligence we always see the same behaviour:

 

xxxxxxxxx.mail.protection.outlook.com

 

Web Reputation: neutral

Email Reputation: ?? None listed

Email Volume: 0

 

So what I assume is that these are domains migrated from their own mail servers to O365, or domains that have existed for a long time but have only just started to send email, because:

 

Message 30100789 Consolidated Sender Reputation: Poor, Threat Category: Spam , Suspected Domaini(s): xxxxx.be. Youngest Domain Age: 21 years 2 months 1 day for domain: xxxxxxx.be

 

Opening a reputation ticket with Talos does not help. They are not willing to increase the reputation.

 

We now add those 'O365' customer domains to an SDR exception list (and will check them after 30d and clean the list).

 

Has anyone else seen this behaviour?
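An added example, not part of the original post or of any Cisco tooling: a small Python script that tallies 'Poor' SDR verdicts per suspected domain and lists exception entries that are due for the 30-day review described above. The line pattern is modelled on the single log line quoted in the post; the sample lines, the `.example` domains and the exception-list structure are constructed assumptions.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Pattern modelled on the one SDR line quoted in the post (assumption: other
# AsyncOS versions may lay the fields out differently).
SDR_RE = re.compile(
    r"Message (?P<mid>\d+) Consolidated Sender Reputation: (?P<verdict>\w+),"
    r"\s*Threat Category: (?P<category>[^,]+?)\s*,"
    r"\s*Suspected Domain\w*\(s\): (?P<domains>.+?)\. Youngest Domain Age:"
)

# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = [
    "Message 1001 Consolidated Sender Reputation: Poor, Threat Category: Spam , Suspected Domain(s): tenant-a.example. Youngest Domain Age: 21 years 2 months 1 day for domain: tenant-a.example",
    "Message 1002 Consolidated Sender Reputation: Poor, Threat Category: Spam , Suspected Domain(s): tenant-a.example, tenant-b.example. Youngest Domain Age: 3 years for domain: tenant-b.example",
    "Message 1003 Consolidated Sender Reputation: Neutral, Threat Category: N/A , Suspected Domain(s): tenant-c.example. Youngest Domain Age: 5 years for domain: tenant-c.example",
    "Message 1004 queued for delivery",
]

def parse_sdr(line):
    """Return the SDR fields of one log line, or None if it is not an SDR line."""
    m = SDR_RE.search(line)
    if not m:
        return None
    domains = [d.strip().lower() for d in m["domains"].split(",") if d.strip()]
    return {"mid": int(m["mid"]), "verdict": m["verdict"],
            "category": m["category"].strip(), "domains": domains}

def poor_by_domain(lines):
    """Count how many messages with a Poor verdict named each suspected domain."""
    counts = Counter()
    for line in lines:
        rec = parse_sdr(line)
        if rec and rec["verdict"] == "Poor":
            counts.update(rec["domains"])
    return counts

def exceptions_due(exceptions, today, max_age_days=30):
    """Return exception-list domains added max_age_days or more before today."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(d for d, added in exceptions.items() if added <= cutoff)

if __name__ == "__main__":
    for domain, hits in poor_by_domain(SAMPLE_LOG).most_common():
        print(f"{hits:4d}  {domain}")
    listed = {"tenant-a.example": date(2024, 1, 1), "tenant-b.example": date(2024, 1, 25)}
    print("review due:", exceptions_due(listed, date(2024, 2, 1)))
```

Running the tally before moving 'Poor' into the reject verdict shows which sender domains would be affected, and the review helper keeps the exception list from growing unchecked.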


Libin Varghese
Cisco Employee

Just to clarify, the web reputation on talosintelligence.com is not the same as SDR.

 

SDR is not reflected on talosintelligence.com, as it currently needs the entire email header to look up an SDR score.

I have not seen reports of O365 hosted domains specifically being marked poor; however, if there are false positives I would recommend opening a TAC case to get that investigated through Talos. We might get additional details that way.

 

Regards,

Libin