What does the Connection Filter do in Exchange / O365
This isn't necessarily a complaint of KnowBe4, but I am trying to understand O365 Spam filtering... Essentially, I do NOT understand why Section 2 and Section 3 are necessary on this page:
So in essence, when an IP address is whitelisted... what happens? Because Section 2 and Section 3 of the instructions above suggest that it isn't actually whitelisted.
Can anyone show me any Microsoft Documentation that explains why the IP Connection Whitelist exists and what it actually does?
For instance, example headers originating from KnowBe4 Servers:
X-Forefront-Antispam-Report:
CIP:23.21.109.212;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;
SFS:(10001)(8206002)(2980300002)(189003)(199004)(5000100001)
(2351001)(72206003)(106002)(42882007)(3450700001)(8676002)
(7636002)(71190400001)(1096003)(246002)(564344004)
(4290300010);DIR:INB;SFP:;SCL:5;SRVR:BN8PR19MB2803;
H:phishtest.knowbe4.com;FPR:;SPF:Pass;
LANG:en;PTR:phishtest.knowbe4.com;MX:1;A:1;CAT:SPM;
In the headers above you can see "CIP: 23.21.109.212" which I have in my connection filter in O365 as a Whitelisted Sender based on KnowBe4's documentation, and as such, I should see:
IPV:CAL based on this info...
-
IPV: it shows anti-spam checks related to the IP address of the sender. Values of this can be either:
- IPV:CAL > The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.
- IPV:NLI > The IP address was not listed on any IP reputation list.
But I do not, and I do not understand why.
I've read through this blog: https://blog.ahasayen.com/eop-exchange-online-protection-architecture/
And the info there states:
-
Connection Filter Allow/Block List [Static Entries by EOP Admin]:
- If the CIP value in the message header matches an entry in the IP Connection Filter block list, then the message will be deleted.
- If the CIP value in the message header matches an entry in the IP Connection Filter Allow list, then the IPV value in the message header will be set to IPV:CAL . This means [The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter]. Also SCL will be set to SCL=-1 and SFV will be set to SFV:SKN [This means the message will never be inspected by EOP SPAM content Filter]. Then the message then exits the EOP Perimeter Protection phase.
- If the CIP value in the message header does not match any entry in the IP Connection Allow/Block lists, then move to the next phase.
I realize this isn't necessarily KnowBe4 territory, but understanding how this all works will make us better at catching real phishing and what not. Also, I assume KnowBe4 has had to deal with this since their documentation specifically tells us to do 3 different sections. So my question is...
What does the Connection Filter in Exchange / O365 do?
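As an added example (not part of the original post or of KnowBe4's or Microsoft's material), the following Python parses an X-Forefront-Antispam-Report header and checks whether a CIP that sits in your IP Allow list actually shows the allow-list outcome the quoted blog describes (IPV:CAL, SCL:-1, SFV:SKN). The sample header is constructed from the one quoted above, with the folded lines joined; the allow-list entries are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample modelled on the header quoted in the post above,
# with the folded continuation lines joined as a mail client would unfold them.
SAMPLE_HEADER = (
    "CIP:23.21.109.212;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;"
    "SFS:(10001)(8206002)(2980300002);DIR:INB;SFP:;SCL:5;SRVR:BN8PR19MB2803;"
    "H:phishtest.knowbe4.com;FPR:;SPF:Pass;"
    "LANG:en;PTR:phishtest.knowbe4.com;MX:1;A:1;CAT:SPM;"
)

# What an IP Allow list hit should look like, per the EOP blog quoted in the post.
ALLOW_LIST_MARKERS = {"IPV": "CAL", "SCL": "-1", "SFV": "SKN"}


def parse_forefront_report(value: str) -> Dict[str, str]:
    """Split an X-Forefront-Antispam-Report value into its KEY:VALUE fields."""
    fields: Dict[str, str] = {}
    unfolded = value.replace("\r\n", "").replace("\n", "")
    for part in unfolded.split(";"):
        part = part.strip()
        if not part or ":" not in part:
            continue                      # skip empty trailing segment
        key, _, val = part.partition(":")  # values like SFP: may be empty
        fields[key.strip().upper()] = val.strip()
    return fields


def check_connection_filter(report: Dict[str, str], allow_list: Iterable[str]) -> Dict[str, object]:
    """Report whether CIP is in the allow list and whether the header shows it was honoured."""
    cip = report.get("CIP", "")
    problems: List[str] = []
    try:
        addr = ipaddress.ip_address(cip)
    except ValueError:
        return {"cip": cip, "in_allow_list": False, "allow_applied": False,
                "problems": ["CIP missing or malformed"]}
    # Allow-list entries may be single IPs or CIDR ranges (assumed input format).
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allow_list]
    in_allow = any(addr in net for net in nets)
    if in_allow:
        for key, want in ALLOW_LIST_MARKERS.items():
            got = report.get(key)
            if got != want:
                problems.append(f"{key} is {got!r}, expected {want!r} for an allow-listed CIP")
    return {"cip": cip, "in_allow_list": in_allow,
            "allow_applied": in_allow and not problems, "problems": problems}
```

Run it over a message's header and an export of your connection filter's allow entries; a CIP that is in the list but still shows IPV:NLI and SCL:5, as in the post, produces three mismatches, which is the symptom worth raising with Microsoft support rather than a misreading of the header.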