Comments on: Stopping Spam Sent from Bad Microsoft 365 Domains

By: John

John — Fri, 05 Apr 2024 03:45:14 +0000

Armands, I had to make things a bit more complicated over the last few weeks, as there are some other exceptions and Microsoft’s “Bookings” feature manifests itself in different ways. My current Rule is:

Apply this rule if:
Includes these words in the sender’s address: ‘onmicrosoft.com’
and Is received from ‘Outside the organization’

Except if:
‘Content-ID’ header contains ”bookings_reminder’ or ‘bookings_teams”
or Includes these words in the sender’s address: ‘postmaster’ or ‘.onmicrosoft.com’
or sender’s address domain portion belongs to any of these domains: ‘.onmicrosoft.com’
or Includes these words in the message subject or body: ‘onmicrosoft.com/bookings/’ or ‘Microsoft Bookings’
or ‘Content-Type’ header matches the following patterns: ‘text/plain; name=booking.ics’ or ‘method=CANCEL’ or ‘method=REQUEST’

By: Armands

Armands — Thu, 04 Apr 2024 09:34:14 +0000

In reply to John. Hello, John! It`s not working for me, can you please explain bit more? Only Header with anything related to Bookings is " X-MS-TrafficTypeDiagnostic" containing example value of: "...6105:EE_BookingsEmail|DB1P...". Creating rule with exception, based on this header is not working for me.

By:

Tony Redmond

The Real Person!

Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.

Tony Redmond — Thu, 28 Mar 2024 20:42:16 +0000

In reply to Chris. Apply if the address in the message matches the pattern onmicrosoft.com unless it comes from your own domain or any other onmicrosoft.com domains known as good senders.

By: Chris

Chris — Thu, 28 Mar 2024 20:23:14 +0000

I tried creating this rule, but it isn’t clear to me what options you selected to create the “apply if” and “except if”. I tried the message properties and message header properties, but the options didn’t seem to reflect what you set. Can you offer a pointer? Thanks.

By:

Tony Redmond

The Real Person!

Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.

Tony Redmond — Fri, 15 Mar 2024 14:10:51 +0000

In reply to John. Thanks John!

By: John

John — Fri, 15 Mar 2024 10:40:56 +0000

In reply to John. Whoops, looks like the Commenting engine filtered out the header value in my previous comment. The value is "bookings_reminder" surrounded by pointy-brackets.

By: John

John — Fri, 15 Mar 2024 10:38:11 +0000

I started quarantining onmicrosoft.com emails and it’s catching a ton of spam, thanks! But based on the last few weeks of data, I’ve also seen legit emails from the MS Bookings feature getting snagged, since Bookings seems to send messages by default from the sending tenant’s onmicrosoft.com domain. So I added another Rule Exception that allows a “Content-ID” header of “”, which seems to be a common feature of those messages.

Comments on: Stopping Spam Sent from Bad Microsoft 365 Domains

By: John

By: Armands

By: Tony Redmond The Real Person! Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.

By: Chris

By: Tony Redmond The Real Person! Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.

By: John

By: John

By:

Tony Redmond

The Real Person!

Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.

By:

Tony Redmond

The Real Person!

Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.