
Page 1 of 21 | High Risk Delivery Pool and Exchange Online | Part 09#17

HIGH RISK DELIVERY POOL AND EXCHANGE ONLINE | PART 9#17

The term High Risk Delivery Pool describes a dedicated pool of Exchange Online servers that is responsible for handling mail that was sent by Office 365 recipients and was recognized as problematic mail.
The current article and the next article, High Risk Delivery Pool and Exchange Online | Part 10#17, are dedicated to describing how Office 365 (Exchange Online) handles a scenario of internal \ outbound spam with the help of the Exchange Online High Risk Delivery Pool.
Written by Eyal Doron | o365info.com

General thoughts on the subject of outbound mail spam in an Office 365 environment
Q: What is the meaning of problematic mail?
A: Outbound mail that is sent by an Office 365 user, passed to EOP (Exchange Online Protection) for a security check, and identified as mail that has the potential to be spam\junk mail.

Q: What could lead to a scenario in which my mail will be considered as problematic mail by Exchange Online?
A: There is no clear definition or public information about the factors that lead Exchange Online and EOP to decide that a specific E-mail message sent by Office 365 users is classified as spam\junk mail.
It's reasonable to assume that the spam filter used by Exchange Online is based on the standard methods for identifying a specific E-mail message as spam\junk mail, for example, an E-mail message that includes problematic content, or a scenario of bulk mail.

You can read more information about the factors that could lead to a scenario in which E-mail is recognized as spam\junk mail in the articles:
My E-mail appears as spam | The 7 major reasons | Part 5#17
My E-mail appears as spam | The 7 major reasons | Part 6#17

Q: What is the meaning of: Exchange Online server pool that will handle problematic mail?
A: In a scenario in which Exchange Online identifies a problematic E-mail that is sent by Office 365 users, the E-mail will not be deleted or blocked, but instead will be sent out by using a specific Exchange Online server pool.

Exchange Online single server or servers farm?
When we say something like "our mail server", the association is a single server, which stands alone in the cold rain and wind, always ready to serve and protect.
When we use Exchange Online as our mail infrastructure, none of these images are correct.
We relate to Exchange Online as a singular entity, while in reality we need to address the Exchange Online infrastructure as a plural, realized by dozens or even hundreds of separate mail servers that are scattered worldwide in the different Office 365 data centers.
Each of the Office 365 data centers includes:
1. The standard Exchange Online server pool.
2. A dedicated pool of Exchange Online servers that should solve the problem of internal spam (spam\junk mail) that is sent by our organization's Office 365 users to other recipients.

What is the range of possibilities which could be implemented by the Office 365 mail infrastructure for dealing with a phenomenon of outbound spam?
Note: the current heading won last year in the international competition for the longest titles in the universe.

Theoretically, there are a couple of solutions that could have been implemented by the Exchange Online infrastructure when dealing with a scenario of internal spam mail.
For example, Exchange Online could have implemented any of the following options when an E-mail message that is sent by Office 365 recipients is identified as spam\junk mail:

Option 1: Don't implement outbound spam checks
Many mail infrastructures do not implement an E-mail security policy for outbound mail because the basic assumption is that mail sent by our organization's users can be trusted.
In the Exchange Online environment, this assumption cannot be implemented because Exchange Online servers represent tens and even hundreds of thousands of organizations and, for this reason, Exchange Online doesn't have the luxury of blindly trusting organization users.
The Exchange Online mail infrastructure is based on the assumption that security risks can come from inside and from outside equally.
Option 2: Implement an outbound spam check | Delete the E-mail message
Another method that could have been implemented by Exchange Online (and it's not implemented) is to block any mail that was sent by Office 365 users and identified as spam\junk mail.
The term "block" could be translated into several options, such as: delete the E-mail, send the E-mail message to quarantine and inform the Office 365 user, and so on.
In reality, none of these actions is implemented. There is no formal Microsoft answer regarding why outbound spam is not blocked, deleted or sent to quarantine.
My opinion is that blocking or deleting E-mail messages that were identified as spam\junk mail could have led to many lawsuits and, additionally, would breach the principle of Office 365 customer privacy.
For this reason, the Office 365 mail infrastructure will not delete or block outbound spam but instead will send the E-mail message to its destination by routing it to a specific Exchange Online server pool.

Note: An exception to the above rule is a scenario of bulk E-mail that is sent by Office 365 users. In a very specific scenario, this user will be blocked.
You can read more information about bulk E-mail in the Office 365 environment in the article:
My E-mail appears as spam | The 7 major reasons | Part 5#17

Option 3: Implement an outbound spam check | Route the E-mail message to an alternate mail server pool
This is the option that is implemented by Exchange Online.
When Exchange Online (EOP, if we want to be more accurate) scans the outgoing mail and identifies that the mail can be classified as spam\junk mail, instead of blocking or deleting the E-mail message, the E-mail message is routed to a dedicated Exchange Online server pool named High Risk Delivery Pool.
When E-mail is routed to the High Risk Delivery Pool, the operation is not reported by default (the Exchange Online administrator is not aware of this redirection process by default).
Only when the Exchange Online administrator activates the option of outbound spam will Exchange Online send an E-mail notification to the provided E-mail address for each of the mail items that was routed (delivered) to the High Risk Delivery Pool.

In reality, the High Risk Delivery Pool is not just a specific Exchange Online server but, as the name implies, a pool of mail servers. Additionally, each of the Office 365 data centers uses its own pool of Exchange Online servers that acts as the High Risk Delivery Pool.
Q: Does Microsoft publish public information about the IP range of the Exchange Online High Risk Delivery Pool in each of the Office 365 data centers?
A: As far as I know, there is no such public information. The logic is that the interest of Microsoft is to keep this information hidden and not public.
Technically speaking, Microsoft publicly publishes the complete public IP ranges of Exchange Online and Exchange EOP, but this data doesn't include a specific indication for the Exchange Online High Risk Delivery Pool.
From my experience, and I must stress that this is not formal information that you can rely upon, the High Risk Delivery Pool IP ranges in the Europe Office 365 data centers are represented by the following IP range: 157.56-57.0.0.

Note: You can read more information about the Office 365 IP address ranges in the articles:
Office 365 URLs and IP address ranges
Exchange Online Protection IP addresses

What is the purpose of the High Risk Delivery Pool?
The purpose of the Exchange Online High Risk Delivery Pool is a little confusing because its job is to draw the fire away from the standard Exchange Online server pool. The most appropriate metaphor that I can think of is: scapegoat.
The Exchange Online High Risk Delivery Pool serves as a scapegoat in a scenario of internal spam.

Let's go back to the moment in which Exchange Online identifies a specific E-mail message that was sent by Office 365 users as spam\junk mail.
Because Exchange Online is not allowed to stop or block this type of E-mail, Exchange Online needs to find a safe way to deliver the E-mail message to the destination without compromising the integrity and the reliability of the standard Exchange Online server pool.
For example, in the case that the E-mail message was sent to external recipients, Exchange Online needs to contact the mail server of the external recipient and try to deliver the E-mail message to it.
But in this case, the main risk is that the external mail server will also identify the E-mail message as spam\junk mail and, for this reason, will add the IP address of the standard Exchange Online pool to a blacklist.
In this scenario, the damage is not only to the specific organization that sent the spam E-mail but to all the other Office 365 tenants who send E-mail via the specific Exchange Online server whose IP address was blacklisted.

Exchange Online High Risk Delivery Pool as a Risk Management solution
The answer to this challenge is: implementing a Risk Management process.

In the scenario of a problematic E-mail that is sent by Office 365 users, the problematic E-mail messages are routed to a dedicated Exchange Online server pool: the High Risk Delivery Pool.
The Exchange Online High Risk Delivery Pool is used to send out the problematic E-mail.
At first glance, this declaration looks a little peculiar, but this is the exact purpose of the Exchange Online High Risk Delivery Pool.
Instead of sending the problematic E-mail message via the standard Exchange Online server and, by doing so, putting at risk all the other Office 365 tenants (customers) who rely on the Exchange Online mail infrastructure, the problematic E-mail message is sent by the scapegoat Exchange Online server: the High Risk Delivery Pool.
Because the High Risk Delivery Pool will, most of the time, send E-mail that is classified as spam\junk mail, there is a reasonable chance that the IP address of the specific Exchange member in the Exchange Online High Risk Delivery Pool will appear as blacklisted.
By using the Exchange Online High Risk Delivery Pool, the Exchange Online infrastructure manages to accomplish two goals:
1. Avoid a scenario in which Exchange Online will block or delete an E-mail message that was sent by Office 365 users.
2. Avoid the possibility that the standard Exchange Online public IP address will be blacklisted.

Exchange Online High Risk Delivery Pool: half of the solution?
Blacklist providers recognize an organization by two main elements:
1. The IP address of the mail server that sends E-mail on behalf of the organization.
2. The domain name of the organization (the right part of the E-mail address).

Pay attention to the simple fact that although the problematic E-mail message is sent via the Exchange Online High Risk Delivery Pool, the domain name which is included in the problematic E-mail message could also be listed in blacklists.
In other words: the use of the Exchange Online High Risk Delivery Pool prevents the option in which the IP address of our mail server will appear as blacklisted, but cannot prevent a scenario in which our domain name will appear as blacklisted.
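
The distinction above, that block lists track the sending IP address and the sender domain separately, can be checked with the standard DNSBL query convention (RFC 5782). The following Python code is an added example, not part of the original article or of any Microsoft tooling; the zone names, the addresses (documentation range 192.0.2.0/24), the domain contoso.example and the resolver table are constructed placeholders.

```python
import ipaddress
import socket
from email import message_from_string
from email.utils import parseaddr

# Placeholder zones (assumption): substitute the block lists you monitor.
IP_ZONE = "ip-dnsbl.example"
DOMAIN_ZONE = "domain-dnsbl.example"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers

def ip_query_name(ip, zone=IP_ZONE):
    """IPv4 lookup name: octets reversed, then the zone (RFC 5782)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def domain_query_name(domain, zone=DOMAIN_ZONE):
    """Domain lookup name: the domain itself, then the zone."""
    return domain.strip().rstrip(".").lower() + "." + zone

def sender_domain(raw_message):
    """Right part of the From address, the element domain lists track."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    if "@" not in addr:
        raise ValueError("message has no usable From address")
    return addr.rsplit("@", 1)[1].lower()

def system_resolver(name):
    """A records for name; an empty list when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(name, resolver=system_resolver):
    """Listed when the zone answers with an address inside 127.0.0.0/8."""
    return any(ipaddress.ip_address(a) in LISTED_NET for a in resolver(name))

def reputation(raw_message, sending_ip, resolver=system_resolver):
    """Check the two identities independently for one delivered message."""
    domain = sender_domain(raw_message)
    return {
        "domain": domain,
        "ip_listed": is_listed(ip_query_name(sending_ip), resolver),
        "domain_listed": is_listed(domain_query_name(domain), resolver),
    }

# Constructed sample data: one message, two candidate outbound servers.
SAMPLE_MESSAGE = "From: Alice <alice@contoso.example>\nSubject: offer\n\nbody\n"
STANDARD_POOL_IP = "192.0.2.10"   # stands in for a standard pool member
HIGH_RISK_POOL_IP = "192.0.2.25"  # stands in for a High Risk pool member
FAKE_ZONE = {
    "25.2.0.192.ip-dnsbl.example": ["127.0.0.2"],
    "contoso.example.domain-dnsbl.example": ["127.0.0.2"],
}

def fake_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in (STANDARD_POOL_IP, HIGH_RISK_POOL_IP):
        print(ip, reputation(SAMPLE_MESSAGE, ip, fake_resolver))
```

With the constructed table, the standard pool address stays clean and only the High Risk pool address is listed, while the domain is reported as listed whichever pool delivered the message.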
To add another layer of understanding about the purpose of the Exchange Online High Risk Delivery Pool, here is a quotation from a Microsoft article:

When a customer's email system has been compromised by malware or a malicious spam attack, and it is sending outbound spam through the hosted filtering service, this can result in the IP addresses of the data center servers being listed on other block lists.

In addition, destination servers that do not use the hosted filtering service, but use these block lists, end up rejecting all email sent from any of the hosted filtering IP addresses that have been added to those lists.

Therefore, all outbound messages that exceed the spam threshold are delivered through a High risk delivery pool. The High risk delivery pool is a secondary outbound email pool that is used to send messages that may be of low quality, thus helping to protect the rest of the network from sending messages that are more likely to result in the sending IP address being blocked.
[Source of information: High Risk Delivery Pool for Outbound Messages]

Internal \ outbound spam in Office 365 environment | Article series index
A quick reference for the article series

My E-mail appears as a spam | Article series index | Part 0#17
The article index of the complete article series.

Introduction to the concept of internal \ outbound spam in general and in the Office 365 and Exchange Online environment

My E-mail appears as a spam | Introduction | Office 365 | Part 1#17
The psychological profile of the phenomenon "My E-mail appears as a spam!", possible factors for causing our E-mail to appear as spam mail, the definition of internal \ outbound spam.

Internal spam in Office 365 | Introduction | Part 2#17
Review in general the term internal \ outbound spam, misconceptions that relate to this term, the risks that are involved in this scenario, outbound spam E-mail policy and more.

Internal spam in Office 365 | Introduction | Part 3#17
What are the possible reasons that could cause our mail to appear as spam\junk mail? Who or what are the elements that can decide that our mail is spam mail? What are the possible reactions of the destination mail infrastructure that identifies our E-mail as spam\junk mail?

Commercial E-mail | Using the right tools | Office 365 | Part 4#17
What is commercial E-mail? Commercial E-mail as part of the business process. Why do I think that Office 365 \ Exchange Online is unsuitable for the purpose of commercial E-mail?

Introduction to the major causes for a scenario in which your organization's E-mail appears as spam

My E-mail appears as spam | The 7 major reasons | Part 5#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 1. E-mail content, 2. Violation of the SMTP standards, 3. Bulk\Mass mail.

My E-mail appears as spam | The 7 major reasons | Part 6#17
Review three major reasons that could lead to a scenario in which E-mail that is sent from our organization is identified as spam mail: 4. False positive, 5. User Desktop malware, 6. Problematic Website.

Introduction to the subject of SPF record in general and in the Office 365 environment

What is SPF record good for? | Part 7#17
The purpose of the SPF record and its relation to our mail infrastructure. How does the SPF record enable us to prevent a scenario in which hostile elements could send E-mail on our behalf?

Implementing SPF record | Part 8#17
The technical side of the SPF record: the structure of the SPF record, the way that we create an SPF record, what is the required syntax for the SPF record in an Office 365 environment and in a mixed mail environment, how to verify the existence of the SPF record and so on.

Introduction to the subject of Exchange Online High Risk Delivery Pool

High Risk Delivery Pool and Exchange Online | Part 9#17
How Office 365 (Exchange Online) is handling a scenario of internal \ outbound spam by using the help of the Exchange Online High Risk Delivery Pool.

High Risk Delivery Pool and Exchange Online | Part 10#17
The second article about the subject of Exchange Online High Risk Delivery Pool.

The troubleshooting path of an internal \ outbound spam scenario

My E-mail appears as spam | Troubleshooting path | Part 11#17
Troubleshooting a scenario of internal \ outbound spam in the Office 365 and Exchange Online environment. Verifying if our domain name is blacklisted, verifying if the problem is related to E-mail content, verifying if the problem is related to a specific organization user E-mail address, moving the troubleshooting process to the other side.

My E-mail appears as spam | Troubleshooting Domain name and E-mail content | Part 12#17
Verify if our domain name appears as blacklisted, verify if the problem relates to a specific E-mail message content, registering to blacklist monitoring services, activating the option of Exchange Online outbound spam.

My E-mail appears as spam | Troubleshooting Mail server | Part 13#17
What is the meaning of "our mail server"? Mail server IP, host name and Exchange Online. One of our users got an NDR which informs him that his mail server is blacklisted! How do we know that my mail server is blacklisted?

My E-mail appears as spam | Troubleshooting Mail server | Part 14#17
The troubleshooting path logic. Get the information from the E-mail message that was identified as spam\NDR. Forwarding a copy of the NDR message or the message that was saved to the junk mail.

My E-mail appears as spam | Troubleshooting Mail server | Part 15#17
Step B Get information about your Exchange Online infrastructure, Step C fetch the information about the Exchange Online IP address, Step D verify if the formal Exchange Online IP address a

De-list your organization from a blacklist | My E-mail appears as spam | Part 16#17
Review the characteristics of a scenario in which your organization appears as blacklisted. The steps and the operations that need to be implemented to de-list your organization from a blacklist.

Summary and recap of the troubleshooting and best practices in a scenario of internal \ outbound spam

Dealing and avoiding internal spam | Best practices | Part 17#17
Provide a short checklist for all the steps and the operations that relate to a scenario of internal \ outbound spam.
