Update, Dec 11/14: Exchange Server 2010 SP3 Update Rollup 8 has been temporarily pulled due to a problem.

Update, Dec 15/14: Exchange Server 2010 SP3 Update Rollup 8 v2 has been posted

While I mainly target Exchange Online Protection with this blog, a lot of customers use EOP to protect on-premises Exchange environments. As such I wanted to touch on the Exchange updates that were released today which cover Exchange Server 2007 SP3, Exchange Server 2010 SP3, Exchange Server 2013, and UM Language Packs.

Today the Exchange team announced the availability of the following updates.

  Exchange Server 2013 Cumulative Update 7 (Version 15.00.1044.025)
  UM Language Packs for Cumulative Update 7 (Version 15.00.1044.025)
  Exchange Server 2010 SP3 Update Rollup 8 (Version 14.03.0224.002) - Version 2
  Exchange Server 2007 SP3 Update Rollup 15 (Version 08.03.0389.002)

Also available today, MS14-074, which contains security updates for Exchange Server 2007 SP3, Exchange Server 2010 SP3, Exchange Server 2013 SP1 and Exchange Server 2013 CU 6.

For complete details, please see the notes on the above download links as well as the announcement posting over on the Exchange Team Blog.

From my experience, a very small number of people actually choose PowerShell over the GUI (Graphical User Interface, ie. The Office 365 Portal). But once you get a grasp of PowerShell and write some scripts, you’ll see the light and going back to your old ways will be very hard. PowerShell has two big advantages. First, once you are proficient you’ll be able to pull and modify data much faster with PowerShell than going into the portal. Second, most managers aren’t PowerShell experts, so when you are working and have your PowerShell window open they will be extra impressed with you! Don’t worry, you can thank me later.

In this article I’m going to focus on using PowerShell to obtain message trace results from the past 48 hours. The commands in this article will work for date ranges up to seven days in the past. For messages older than seven days we need to run an extended message trace, or Start-HistoricalSearch.

Typical message trace run

Let’s start by running a typical message trace in EOP which returns all results for the past 48 hours.

 
In this view we can sort based on the columns presented to us and can double click for additional information. Now let’s look at how PowerShell can improve upon this experience.

Message trace using PowerShell

You’ll see below that I’m going to be piping my results to Out-GridView. If you have not used this cmdlet before, it essentially will launch a new interactive window where you can view the results. Let’s take a look.

The following script will return the message trace results of the last 48 hours.

$dateEnd = get-date
$dateStart = $dateEnd.AddHours(-48)

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | Out-GridView 

Here is what the results look like.

 
Just like with the portal message trace, we can sort by clicking the column headers. Moving onto the differences, the first difference you’ll notice here is that there are more columns presented to us, and even nicer is that we can sort and filter on these extra columns which is something you can’t do in the portal message trace. For example, in the above screenshot, I have set a filter to only show me the messages that were larger than 12 MB, something that is not possible with the portal based message trace. Yes… now we are seeing some of the power!

Next let’s look for messages from the past 48 hours that have a Status of “Failed.” Here is our script.

$dateEnd = get-date
$dateStart = $dateEnd.AddHours(-48)

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | Where {$_.Status -eq "Failed"} | Out-GridView

This shows that we have five failed messages from the last 48 hours. Now let’s pipe our results to Get-MessageTraceDetail to find out more information on the failed messages. Here’s our next script to do this.

$dateEnd = get-date
$dateStart = $dateEnd.AddHours(-48)

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Where {$_.Status -eq "Failed"} | Get-MessageTraceDetail | Select-Object MessageID, Date, Event, Action, Detail, Data | Out-GridView
 

And this will return the following:

Here I can see the status of those failed messages. “Hop count exceeded – possible mail loop.” In this situation, a message was destined for a mailbox that didn’t exist in the cloud, because of a connector problem the message kept looping around Exchange Online before it was finally rejected.

Also notice the Data column above. Here we can see a lot of extra information that is not present in the portal message trace.

<root><MEP Name="ConnectorId" String="To_DefaultOpportunisticTLS"/><MEP Name="DeliveryPriority" String="Normal"/><MEP Name="OutboundProxyTargetIPAddress" String="207.46.XXX.XXX"/><MEP Name="OutboundProxyTargetHostName" String="contoso.mail.protection.outlook.com"/><MEP Name="RecipientStatus" String="[{LRT=};{LED=554 5.4.6 Hop count exceeded - possible mail loop};{FQDN=};{IP=}]"/></root>

What’s highlighted in yellow is all the portal message trace will show. The rest of the data can only be obtained with PowerShell, or through an Extended Message Trace. We can see the IP that issued the 500 error, the connector that was used, and even the MX record where Exchange Online was trying to deliver the message to.

Let’s take a look at another example. This time we want to track a particular message based on its Message ID. An end user told us that a sent message resulted in an NDR so we already know it failed. The NDR provides us with the MessageID. Let’s run the following to get directly to the message trace details for this particular message.

Get-MessageTrace -MessageId c857c16bf46d4586a198ec089a710706@BN1AFFO11FD033.protection.gbl | Get-MessageTraceDetail | Select  MessageID, Date, Event, Action, Detail, Data | Out-GridView

Right away we can see the error “Unable to relay.” We can also see this message was tried to be delivered using TLS. What we are seeing here is most likely a connector problem.

Of course, you don’t have to use Out-GridView, I just find it sometimes handy for quick filtering of the results.

Lastly, the searches I have provided above are fairly open ended. The tenant I used has a very low number of message coming through it. If you are finding that Get-MessageTrace is taking too long to run or timing out, I would suggest making your search stricter. For example, here is how you would search for messages coming from joe@contoso.com between a particular time range.

Get-MessageTrace -SenderAddress john@contoso.com -StartDate “12/15/2014 21:00” -EndDate “12/15/2014 22:00”

Note that the time specified must be in UTC.

Other Benefits

PowerShell can be set to run automatically. One example would be to create a script which checks for messages with a status of “Failed.” Have a server run this script every hour and if you see a large number of results, have the script or the Scheduled Task send you an alert.

Summary

For those that have never used PowerShell before it can look a little scary. There are a lot of great tutorials online to get you started and once you get your feet wet you’ll start moving fast. Script once, run many times.

On the personal side, I have a PowerShell script to automatically log me into my tenant. Once connected, I have scripts that pull Transport Rules, Message Trace results, Connector information, and much more. This is often faster than logging directly into the portal.

Finally, I'd like to thank Brian, one of my customers, who gave me the idea for this post.

Happy scripting!

Resources

Connect to Exchange Online using remote PowerShell
Exchange Online cmdlets

Connect to Exchange Online Protection using remote PowerShell
Exchange Online Protection cmdlets

Run a Message Trace and View Results
Get-MessageTrace cmdlet
Get-MessageTraceDetail cmdlet

I only began this blog in June of this year and so it’s hard to believe that it is already six months old! Looking back over the past six months I have had a blast writing and sharing articles with the community and have received a lot of positive feedback. I have a long list of articles in the hopper that I haven’t got to yet and many more ideas for future posts. Please continue to leave comments on articles as I will always try to leave a reply, it just may not be immediate.

With that being said, I wanted to share the top 10 articles from this blog from this past year. I used to love watching David Letterman’s top 10 list, and if I had more of a budget I’d put together a list Letterman style. Alas, here‘s the list, TechNet style..

1. Outbound Connector Smart Host Behavior
2. P2 Headers Now Respected for End User Safe and Blocked Senders Lists
3. TLS, Connectors, and You
4. Prevent DLs From Receiving ESNs
5. Quarantine and PowerShell
6. On-Premises Delivery Failover
7. Is X-Microsoft-Antispam a New EOP Header
8. Remote Desktop Connection Manager updated to v2.7
9. The Resolver
10. Verifying ESN Delivery

I hope that you have a wonderful holiday season and keep up with me in the New Year!

Cheers!

Andrew

This is typically a slow week for people, so what better time than to post something fun about Exchange Online Protection!

Back in May I presented a session on EOP at TechEd North America 2014 which took place in Houston. To be a little different, I wrote a poem about EOP which I read to kick the presentation off. I have always enjoyed poetry and thought I'd try something different by beginning my EOP session with some rhymes. Here's that poem.

Hello to you my TechEd friends,
Thank you for joining me here.
Today we will learn of a wondrous service,
And you'll see, there's nothing to fear.
 
Email can sometimes come with spam,
And if you're not careful, a computer infection.
Lucky for you, we can prevent those two,
With Exchange Online Protection.
 
EOP is a breeze to deploy,
There's really nothing to it.
Listen closely and don't leave early,
You'll soon learn how to do it.
 
Add one domain or up to nine hundred,
Then create a connector or two.
Now point your MX over to us,
And like that, we're protecting you.
 
Now let's begin this break out session,
Silence those phones in your pocket.
And next time you log in to O365,
You'll really be able to rock it.

If you are interested in watching the session, which covers configuration and some interesting tidbits about EOP, it can be viewed on Channel 9.

See you in the new year!

On TechNet we publish the range of IP addresses that are used when sending mail out of a custom EOP connector. If you have created an EOP on-premises connector to deliver inbound mail to your on-premises mail environment, or an EOP partner connector to deliver mail to a partner, the IPs used in these situations are the ones we publish. These published ranges DO NOT include the IPs that are used to deliver mail that does not leave through a custom EOP connector.

Effective as of January 1, 2015, additional IP ranges have been added to support the growth of the service. For organizations that lock down their on-premises mail environment to only accept mail from EOP, you will need to allow these additional IP ranges. This also applies for organizations that accept mail from you through a custom EOP outbound connector, if they lockdown their inbound mail from you to the published EOP IP ranges.

As we have noted on the TechNet page, organizations that started using EOP prior to January 1, 2015, do not need to take immediate action, but we recommend that you add these new IP ranges to your environment as soon as you can.

As of today, January 6, 2015, the range of IPs used by custom EOP connectors are as follows.

23.103.132.0/22
23.103.144.0/22
23.103.191.0/24
23.103.198.0/23
23.103.200.0/21
23.130.136.0/21
64.4.22.64/26
65.55.83.128/27
65.55.88.0/24
65.55.169.0/24
94.245.120.64/26
104.47.0.0/17
134.170.132.0/24
134.170.140.0/24
134.170.171.0/24
157.55.133.160/27
157.55.158.0/23
157.55.206.0/23
157.55.234.0/24
157.56.73.0/24
157.56.87.192/26
157.56.108.0/24
157.56.110.0/24
157.56.111.0/24
157.56.112.0/24
157.56.206.0/24
157.56.208.0/22
207.46.51.64/26
207.46.100.0/24
207.46.101.128/26
207.46.163.0/24
213.199.154.0/24
213.199.180.128/26
216.32.180.0/24
216.32.181.0/24

2a01:111:f400:7c00::/54
2a01:111:f400:fc00::/54

Current EOP IP ranges for custom connectors can be found at the links below.

Resources

Exchange Online Protection IP addresses
Change notification for EOP IP addresses

The ability to send a notification to the recipient when a transport rule triggers. This is a request that we have received from a lot of customers, and I’m happy to let you know that it is now rolling out in the form of an action in EOP transport rules. Sweet!

Recipient Notifications

Let’s say you have a transport rule that quarantines all inbound messages with an executable attachment. In the past there was no way to automatically notify your users that a message destined to them had been redirected to the quarantine because of your transport rule. Now, with Recipient Notifications, your transport rules can send a notification to the recipient when they trigger.

Configuration

When creating a transport rule, you will notice a new action called “Notify the recipient with a message…”

 
As an example, if we want to quarantine messages destined to our users that contain executable content, and want to notify them when this happens, our transport rule could look like this.

 
In this rule contoso.com is our own domain. Here’s what the notification text looks like in the above rule.

A company policy blocked an inbound message to you - Executable content not permitted.<br><br>

Date: %%MessageDate%% UTC<br>
From: %%From%%<br>
To: %%To%%<br>
CC: %%Cc%%<br>
Subject: %%Subject%%

And here is what the notification looks like that the recipient will receive when this rule triggers.

 
You’ll notice that I was able to insert information from the original message into the notification using variables. Let’s look next at what customization is possible.

Notification customization

Variables can be added into the notification text to include information from the original message. The following variables are supported for recipient notifications.

Summary

If you don’t see the recipient notification action yet in your transport rules don’t panic. This feature only just lit up in my test tenant this past week and will still be rolling out. Enjoy this new capability!

Resources

TechNet documentation has not been updated yet, but once it has I will post links here.

I've recently seen an increase in cases that involve incorrectly published SPF records that have resulted in sent mail failing the SPF check. Ensuring your SPF record is up to date is great proactive work that can help prevent issues with SPF checks. In this article I'm going to go over how to properly set your SPF record if you are using Exchange Online or Exchange Online Protection.

There is also a common mistake that organizations sometimes make in their SPF record when they are smart hosting mail out through EOP which I will also highlight.

I have recently seen a large number of cases where an organization’s own domain was spoofed to send that company phishing messages. This isn’t all that uncommon, but what was concerning for me was the method used in these cases to do the spoofing. In these cases, only the 5322.From header was spoofed, which cannot be detected by an SPF check.

When troubleshooting mail flow it is often important to determine where a message is handed off from a partner to your Office 365 tenant, or from your Office 365 tenant to a partner. This is easy to see in a message header, just look for the receiving host with the domain mail.protection.outlook.com, as this will indicate Office 365 servers.

But what if your partner is also an Office 365 tenant, then how can we tell when a message left their tenant and entered yours, or vice versa? If troubleshooting a mail delay, this is crucial information as this will let us know which tenant is experiencing the delay.

I recently worked on a very interesting case that I wanted to share. This organization had set EOP to deliver all spam messages to end users junk mail folder.

This worked great for most users, but a small number experienced EOP delivering spam messages directly to their inbox, as if they weren’t being scanned at all. Very peculiar indeed. Let’s go through the troubleshooting process to figure out what’s happening here. 

This is a quick public service announcement before the weekend starts. Exchange Online Protection has been allocated a new IP range. Starting in 30 days, EOP will add 40.107.0.0/16 to the IP pool that is used to deliver mail that passes through custom connectors (ex. EOP outbound connector which routes inbound mail to your on-premises environment). 

I typically avoid the Internet like the plague on April fools day, but this morning I peaked and came across MS-DOS Mobile and just couldn't help but share. This April fools day app brings DOS directly to your Windows phone! Let's take a trip down memory lane and see what we can do with this app.

Update (April 7, 2015): More content and examples have been added to this article since the original posting.

PowerShell can be used to quickly search for rules matching specific criteria. This can be incredibly valuable for a tenant that contains a lot of rules. While possible to search for transport rules in the EOP portal, PowerShell offers a more comprehensive (and cooler) way to accomplish this. There are also some rule properties that can only be searched for with PowerShell.

In case you missed it, we have something new coming to Exchange Online. Last week on Office Mechanics, Shobhit Sahay, technical product manager for the Office 365 team, introduced a new service coming to Exchange Online Protection (EOP), Advanced Threat Protection.

Advance Threat Protection (ATP) adds another layer of security and protection on top of EOP, targeting specific types of advanced threats.

Need to get a list of all messages that triggered a particular transport rule, or do you want to see all rules that have been triggered by a particular sender? This information can be easily found using the Get-MailDetailTransportRuleReport cmdlet. Looking past the name being much too long, this cmdlet can provide very insightful information about your transport rules.

What better way to show off this cmdlet than with examples. Here we go.

There was a lot of Exchange Online / EOP and Office 365 news in April and I wanted to pull them all together in one place, here! The stories range from product updates all the way to announcing new services. I have placed the articles that directly relate to Exchange Online towards the top of the list.

Last week was Microsoft’s Ignite conference in Chicago. There were many product announcements made and over 670 sessions delivered! 

I’ve made a list of some of the most popular sessions relating to Exchange Online, Exchange on-premises, and Office 365 which you’ll find below.

Exchange Online / Exchange Online Protection

• First look at Advanced Threat Protection in Office 365 to Stop Unknown Malware and Phishing Attacks
• Exchange Online Protection, Mailflow, and Encryption: Notes from the Field
• Behind the Curtain: Running Exchange Online
• Using Connectors & Mail Routing in Office 365
• Mail Flow and Transport Deep Dive
• Tame Your Inbox: Clutter in Office 365
• Deep Dive into How Microsoft Handles Spam and Advanced Email Threats
• Advanced Exchange Hybrid Topologies
• Exchange Hybrid: Make Office 365 Work for You
  
  

Exchange

• Meet Exchange Server 2016
• Deploying Exchange Server 2016
• Automating Microsoft Exchange Server 2013 Configuration with PowerShell Desired State Configuration
• Exchange Server Preferred Architecture
• Servicing Microsoft Exchange Server: Update Your Knowledge
• Shut the Front Door! Securing your Messaging Environment
• Tools and Techniques for Exchange Performance Troubleshooting
  
  

Office 365

• Next generation Office 365 Controls, Extensibility and Team Productivity
• Ten Ways to Secure Your Office 365 Tenants
• Meet Office 365 Compliance Center: Your One Stop Shop for Everything Compliance
• Identity Management Is Easy in Office 365
• Office 365 Security and Control
• Your Encryption Controls in Office 365: Across Devices and Platforms
• The New Knowledge Management Portal in Office 365
• Optimizing and Troubleshooting Your Performance with the Microsoft Cloud
• Office 365 Administration Best Practices
• The Power of the Shell: Advanced Administration of Office 365 with Windows PowerShell
• Microsoft Office 365 Groups Deep Dive
  
  

If you are looking for a way to mass download sessions, there is a great PowerShell script that you can use, Channel9 Session Downloader.

I was tipped on to this script by Rhoderick Milne who writes a great Exchange TechNet blog, 250 Hello.

The complete list of on demand sessions can be found over at Ignite on Demand. Enjoy the sessions!

Welcome to the first episode in a new series called Support Hot Topics for Exchange Online Protection. This series will consist of short videos which will each cover a trending topic relating to Exchange Online Protection. These videos are designed to give you a quick blast of information on a specific topic when you need to learn fast.

Just a quick note in what will probably be my shortest blog post ever. Advanced threat Protection, a new filtering service that complements Exchange Online Protection, is now available for purchase. This service adds new features to EOP to help detect and defend against advanced types of threats. More information about this new service can be found in the following links.

Introducing Exchange Online Advanced Threat Protection– Blog article
Exchange Online Advanced Threat Protection is now available– Blog article
Exchange Online Advanced Threat Protection– Product Page

I have recently seen a lot of zero-day malware attacks and interestingly, these attacks aren’t even trying to be covert. In these cases, the malware is attached to an email in the form of an executable file and the recipient is asked to run the attachment. Being in the technology works, people like you and me don’t fall for this, but a lot of less technical users do and execute the attachment.

In this article we’ll explore proactive actions that can help prevent zero-day malware from landing in in your employee’s mailboxes.