Legitimate Messages in Outlook 03 and 07 Junk Folders


mcintoshs

We have an emergency notification web service called AlertNow which notifies
parents and internal staff within our school district of emergencies.
Administrators from our school district compose and send the messages within
the external AlertNow web servers and then the message is sent to parents'
addresses outside the district and to selected individuals within the
District. Regardless of where the message is sent from the AlertNow email
servers, the 'From' address is from our internal mail domain (I will call it
school1.org). Since such emails coming back into our district appear to be
'spoofed,' we had to configure special 'IP Lock' settings within our
Google-Postini spam filtering service to allow such messages to be delivered.
Now, however, we are finding that users with Outlook03 and 07 are seeing
such messages go to their 'Junk folder.' Is there a setting within our
Exchange Server 03 Enterprise SP2 which can eliminate this behavior? For
example, all such messages have a 'from' address of '(e-mail address removed).' We
need to circumvent whatever spoofing settings may currently exist in the
Exchange server configuration.
 

VanguardLH

mcintoshs said:
We have an emergency notification web service called AlertNow which notifies
parents and internal staff within our school district of emergencies.
Administrators from our school district compose and send the messages within
the external AlertNow web servers and then the message is sent to parents'
addresses outside the district and to selected individuals within the
District. Regardless of where the message is sent from the AlertNow email
servers, the 'From' address is from our internal mail domain (I will call it
school1.org). Since such emails coming back into our district appear to be
'spoofed,' we had to configure special 'IP Lock' settings within our
Google-Postini spam filtering service to allow such messages to be delivered.
Now, however, we are finding that users with Outlook03 and 07 are seeing
such messages go to their 'Junk folder.' Is there a setting within our
Exchange Server 03 Enterprise SP2 which can eliminate this behavior? For
example, all such messages have a 'from' address of '(e-mail address removed).' We
need to circumvent whatever spoofing settings may currently exist in the
Exchange server configuration.

When the domain in the return-path headers (e.g., From) doesn't match the
source Received header, that e-mail looks to be spoofed by some filters.
It is not invalid to use return-path headers pointing at a different
domain than from where the e-mail originated, like when using Reply-To,
but some filters will up the scoring on those e-mails, and that score
could approach and exceed the ham/spam threshold.

Are ALL the recipients using the same mail server as you? Or are they
off-domain and using their own SMTP servers to which your Exchange
server is transferring your message? You mention Exchange but then you
also mention Google. Are all recipients insiders to your Exchange
domain or are there outsiders getting your alerts? I've never
administered an Exchange server so I'm only looking at your problem from
the client end. If every recipient is using the same Exchange server
(or the same organization of Exchange servers), a group that discusses
Exchange rather than the client might offer more help, like the
microsoft.public.exchange.* groups.

Is there a reason that the recipients cannot whitelist your e-mails?
Seems they could add you to their Safe Senders list, or enable the
option in Safe Senders to include contacts in their address book, or
define a whitelist rule that checks if the sender is listed in that rule
or the rule checks against contacts in the address books (where they
would add you to their address book). This assumes your e-mail actually
arrives to their mailbox (which would seem true for it to end up in the
Junk folder).
 

mcintoshs

Our Exchange server is only receiving and delivering messages to our internal
administrator users once received from the AlertNow email server via the
Postini mail servers which shows our own internal domain as the 'From'
address. Other external recipients don't seem to experience this issue
because messages from the AlertNow server go via their individual ISP's mail
servers and are not seen as spoofed.

We have many internal users and many of them are very technically unsavvy
and I don't want to inconvenience them with making whitelist configuration
changes within Outlook folders.
 

VanguardLH

mcintoshs said:
Our Exchange server is only receiving and delivering messages to our internal
administrator users once received from the AlertNow email server via the
Postini mail servers which shows our own internal domain as the 'From'
address. Other external recipients don't seem to experience this issue
because messages from the AlertNow server go via their individual ISP's mail
servers and are not seen as spoofed.

We have many internal users and many of them are very technically unsavvy
and I don't want to inconvenience them with making whitelist configuration
changes within Outlook folders.

I'm not sure spoofing is the issue. That the domain in the From header
doesn't match the domain in the Received header from the sourcing mail
server is not cause for claiming a spoofed e-mail. Anyone can claim any
e-mail address as their own which is not on the domain from which they
sourced their e-mail. After all, the sender doesn't have to use the
Reply-To header if they want replies to go to a different domain than
from where they sent their message. I'm wondering if other return-path
headers are conflicting with each other. It doesn't sound like the
outside alert service is actually *using* your mail server to originate
its messages but merely changing the From header which doesn't match up
with other return-path headers, and those other return-path headers
don't match up with the domain in the source Received header (because,
again, they aren't using your server to issue the messages).

The junk filter added to OL2003+ is a Bayes filter (Microsoft spews out
paragraphs to describe their filter in trying to hide that they
eventually got around to adding a Bayes filter, something that was
available in anti-spam products a decade earlier). It weights words
based on their occurrence as keywords and gets biased toward ham or spam
thresholds. I have not heard that Microsoft's Bayesian filter includes
headers so it would only be based on the body of the e-mail. However,
Microsoft pushes out a monthly update to its Bayes database which means
that list of weighted words is NOT what was experienced by an
individual user but what Microsoft has deemed as good/bad words found in
their samples. Other Bayesian filters allow reclassification by the
user (i.e., the user can mark ham as spam or spam as ham) but not so
with Microsoft's implementation. So it's possible that the words in
Microsoft's monthly updated database are weighted so that keywords
selected from your alerts will identify them as spam.

http://www.slipstick.com/rules/junkmail.asp
http://office.microsoft.com/en-us/outlook/HP052429671033.aspx

If Microsoft's choice of keyword weighting ends up targeting your
e-mails, you'll have to disable (select "no automatic filtering") that
rather simplistic Bayes filter that Microsoft added to OL2003+ (it omits
many features found in more robust Bayesian filters, like word expiry to
eliminate out-of-date noise or poisoning of the database). After all,
if these are all internal Exchange users, the peripheral spam filtering
should be performed up at the mail server (Exchange) rather than rely on
a monthly-updated, non-user modifiable Bayesian database. Or, at least,
have your users set Outlook's junk filtering to low.

It seems odd that these recipients are unwilling or so stupid that they
cannot add the sender of your alerts to their contacts list. Then,
according to http://technet.microsoft.com/en-us/library/cc179183.aspx,
they could enable the "trust e-mail from contacts" option. If they want
these alerts, why can't they filter them in? I don't admin domains but
since you mention Exchange then perhaps all these internal users are on
a domain and you could push an Office-related policy to enable this
option. Then add a comment at the top of your alert telling the
recipient that if they want to ensure these alerts aren't junked that
they should add the sender to their Contacts list. If they won't add
them to their Contacts list then apparently THEY don't think these
alerts are very important.
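
Added example, not part of any post in this thread: a header check of the kind discussed above, comparing the From domain with the Return-Path domain and with the host in the oldest Received header, to see what a filter that scores such mismatches would see. The message is constructed; `alertservice.example`, `filter.example`, `exchange.school1.org` and all addresses are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an alert sent by an outside service with the district's
# domain in From. Hostnames and addresses are placeholders, not real values.
SAMPLE = """\
Return-Path: <bounce@alertservice.example>
Received: from filter.example (filter.example [192.0.2.10])
\tby exchange.school1.org; Mon, 1 Jan 2007 08:00:05 -0500
Received: from mail.alertservice.example (mail.alertservice.example [198.51.100.7])
\tby filter.example; Mon, 1 Jan 2007 08:00:02 -0500
From: District Alerts <alerts@school1.org>
Reply-To: office@school1.org
To: admin@school1.org
Subject: Weather closure

Schools are closed today.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or None if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def origin_host(msg):
    """Host named in the oldest (bottom-most) Received header, or None."""
    hops = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+([^\s(;]+)", hops[-1]) if hops else None
    return m.group(1).lower() if m else None

def same_org(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return bool(host and domain) and (host == domain or host.endswith("." + domain))

def alignment_report(raw):
    """Summarise which sender-related domains agree with the From domain."""
    msg = message_from_string(raw)
    from_dom, host = domain_of(msg["From"]), origin_host(msg)
    return {
        "from_domain": from_dom,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "origin_host": host,
        "from_matches_return_path": from_dom == domain_of(msg["Return-Path"]),
        "from_matches_origin": same_org(host, from_dom),
    }

if __name__ == "__main__":
    for key, value in alignment_report(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full headers of a message that landed in Junk (copied from the message's Internet headers), both "matches" fields coming back False shows the mismatch described in the thread; it does not show which filter acted on it.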
 
