
After the marketing team starts an email campaign, our web server gets pummeled with strange requests from Microsoft's EOP IP range. Looking back through the logs, this has always happened, albeit the number of emails we were sending was a lot smaller, so we didn't notice. This last time, though, it brought our web server to its knees.

The EOP servers all requested the exact same, generated URL:

https://{corp domain}/ZW1haWwtdW

That path has never existed and I really do not know what they're looking for. Everything I've searched for leads to discussions or promotions for Microsoft EOP services and not about the actual workings from a server perspective.

Does anyone know what they're looking for? How we should respond to the requests? Any documentation I can read?

The company wants to be a good net 'citizen' and accommodate anything that assists in enhancing 'trust' regarding our email marketing so dropping the traffic is not an option. Thoughts?

  • Have you given any thought to hosting the content of your email elsewhere? – Semicolon Feb 07 '19 at 19:52
  • Which email service do you use, Exchange online/on-premise/hybrid or other providers? In my understanding, EOP is a cloud based email filtering service that helps protect your organization against spam and malware. I don’t think it would send requests on its own initiative. Do you deploy anything related to EOP? Or you may call O365 support. – Shaw Lu Feb 08 '19 at 02:48
  • @Semicolon, The emails we send out are html and contain links to various services we offer. They do not contain images or anything else that should be downloaded. – Taylor Howellsmith Feb 08 '19 at 13:33
  • @Shaw, We don't use a service to send out our emails. Just a plain old linux box using sendmail. We have nothing to do with EOP, which is why this is so confusing to us. We suspect EOP is trying to do some sort of verification of the domain we link to in the emails, but we don't know for sure. Our email servers have valid DMARC, SPF and DKIM records set up too. It's just very weird. – Taylor Howellsmith Feb 08 '19 at 13:38
  • Your DMARC/SPF/DKIM is irrelevant. I mean, it's good that they're properly configured, but just because your SPF record is accurate doesn't mean that your mail is not going to get scanned. It is trivial to set up an SPF record that says that mail can be allowed to be sent from any IP; spammers do this routinely - they even set up detailed SPF records. – Semicolon Feb 08 '19 at 17:05

1 Answer

There's no real way to prevent this behavior as long as you send out loads of individual emails with links back to a server you run on premises. Any self-respecting mail gateway is going to scan all URLs contained in the messages and review the returned content, malicious or otherwise. You can either omit the links from your UCE, or host your content elsewhere (or at least the content related to the mass marketing emails).

Does anyone know what they're looking for? How we should respond to the requests? Any documentation I can read?

As for the "ZW1haWwtdW" URL, it is anybody's guess. Anything short of a direct response from Microsoft, Proofpoint (who I believe is behind the scenes with EOP/ATP), and other mail gateway/security vendors is going to be an educated guess. Vendors of these services are usually (and rightfully) tight-lipped about the exact practices they use when checking links and why each step is performed. Simply put, you are not going to get a handbook from Microsoft on how to properly respond to their EOP-initiated scans.

One can assume that this is a check for either a particular threat or to perform an analysis on what happens when a (supposed) bad URL is visited. That is, does this website return a 404 (which one would expect), or does it redirect to a generic landing page, which may be suspect? Using the same pattern does seem a little odd, though; you would think that after a while a bad actor would catch onto this and could modify the site behavior to address this.

The company wants to be a good net 'citizen' and accommodate anything that assists in enhancing 'trust' regarding our email marketing so dropping the traffic is not an option.

To these ends, I would suggest leveraging a good third-party mailing service - and use a subdomain of your normal domain for these campaigns. Running marketing campaigns from your production email infrastructure is a good way to end up on some blacklists, interrupt your normal mail traffic, and (actually) probably doesn't provide you the kind of insight into campaign effectiveness that you could get from a third-party.

Thoughts?

If some mail-related scanning is toppling your web servers, it's probably fair to say that it's not a great experience for your customers (if they opted to check out your content), so that's probably not giving them a good impression either (on top of the fact that they just received an unsolicited email).

I would suggest using a third-party marketing service to handle your bulk commercial emails. I would also suggest looking at some kind of elastic web hosting service to handle your web traffic (or at least the web traffic related to the content you are serving with your marketing email). These are both relatively common practices.

– Semicolon
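One way to confirm from your own access logs what the answer describes (a burst of requests for one generated path from a scanner's address range, and whether your server answered with a 404 or a redirect) is a small log parser. This is an added example, not code from the question, the answer or Microsoft; the log lines are constructed and the `203.0.113.0/24` range is a placeholder standing in for the scanner's real, published IP ranges.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Feb/2019:14:01:02 +0000] "GET /ZW1haWwtdW HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Feb/2019:14:01:02 +0000] "GET /ZW1haWwtdW HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.12 - - [07/Feb/2019:14:01:03 +0000] "GET /ZW1haWwtdW HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Feb/2019:14:01:05 +0000] "GET /offers/spring HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [07/Feb/2019:14:01:05 +0000] "GET /ZW1haWwtdW HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Placeholder range (assumption): replace with the scanner's published IP ranges.
SCANNER_RANGES = [ip_network("203.0.113.0/24")]

# Client IP, request line and status code from a combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_lines(text):
    """Yield (ip, path, status) for every line that matches the log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))

def is_scanner(ip):
    """True if the client address falls inside a configured scanner range."""
    addr = ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)

def scanner_path_report(text, threshold=3):
    """Paths requested at least `threshold` times from scanner ranges,
    mapped to a count of the HTTP status codes the server returned for them.
    A mix of 404 and 302 for the same unknown path shows inconsistent handling."""
    counts = Counter()
    statuses = defaultdict(Counter)
    for ip, path, status in parse_lines(text):
        if is_scanner(ip):
            counts[path] += 1
            statuses[path][status] += 1
    return {path: dict(statuses[path]) for path, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for path, by_status in scanner_path_report(SAMPLE_LOG).items():
        print(f"{path}: {by_status}")
```

Run it against a real log (for example by reading the file into `SAMPLE_LOG`) to see how many scanner hits the generated path attracts per campaign and whether every one of them gets the plain 404 the answer says a scanner would expect.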