SPAM Coming through

Mike Sanders
Level 1

Hello,

In the past, we were told by Microsoft 365 to allow an IP range. We were told that we have to have 40.107.0.0/17 in our allowed list.

However, every 2-3 days we receive SPAM emails, and when we investigate the issue on IronPort we notice that the spam came through because it was in the allowed IP range. So the other day a spam email came to 2 people as below:

Person A didn't get it, as IronPort blocked the IP 40.107.243.60 as unknown, which is good.

Person B received the email because it came from 40.107.92.76, which falls under the allowed range of 40.107.0.0/17.

Could someone please explain why this happens all the time, as the email comes from different IPs, and why we were told to allow 40.107.0.0/17? Also, how come the scammer sends it from 40.107.92.76? Do they spoof the IP to do so?

1 Reply

Wrooby
Cisco Employee

Hi Mike,

If you're an O365 user sending outbound mail through Secure Email, Microsoft likely meant to recommend that IP range be added to the list of MTAs that are allowed to relay through your appliance (send outbound mail). For Cisco Secure Email this would be your RELAYLIST sendergroup (or any sendergroup with a Mail Flow Policy that has RELAY as its connection behavior).

Adding this IP range to a sendergroup that has the anti-spam feature disabled can cause these kinds of discrepancies. There is no reason to bypass that many IPs for anti-spam.

Generally we recommend adding the .protection.microsoft.com host to the relaylist instead. This does open you up to a potential open relay from other O365 tenants, but configuring a secret key header in your O365 mail flow rules, as well as a Message Filter (or content filter) to catch or drop open-relay messages, would mitigate that.

---Cheers!
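The secret-key mitigation described in the reply above, written out as an added example (this is not configuration from the original post or from Cisco; it is one way to express the idea in AsyncOS message filter syntax, entered via the `filters` CLI command on the appliance). It assumes three things that are not in the post: that the relaying sender group is named `RELAYLIST`, that an O365 mail flow rule has been created to stamp every outbound message from your tenant with a header named `X-Relay-Secret` (a placeholder name) carrying a long random value, and that the placeholder `REPLACE_WITH_LONG_RANDOM_VALUE` is swapped for that same value. The first filter drops anything that arrived through the relay sender group without the correct secret, which is exactly the message another O365 tenant could send you via the shared .protection.microsoft.com hosts; the second strips the header so the secret never leaves your organization.

```text
RelaySecretCheck:
if (sendergroup == "RELAYLIST") AND NOT (header("X-Relay-Secret") == "^REPLACE_WITH_LONG_RANDOM_VALUE$")
{
    log-entry("Dropping relay attempt from $RemoteIP without valid X-Relay-Secret header");
    drop();
}

RelaySecretStrip:
if (header("X-Relay-Secret"))
{
    strip-header("X-Relay-Secret");
}
```

The order matters: message filters run in the order listed, so the check must come before the strip, otherwise the header is removed before it can be tested. The `^...$` anchors stop a partial match (the `header() == ""` rule is a regular expression match), and the `log-entry` line gives you something to search for in mail_logs when the filter fires. Treat the header value like a password: rotate it in both the O365 rule and the filter if it is ever exposed, and keep the `sendergroup` scope so the filter cannot drop legitimate inbound mail that arrives through your normal inbound sender groups.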