Exchange Online Troubleshooting: High Risk Delivery Pool

What is High Risk Delivery Pool (HRDP)?

The High Risk Delivery Pool (HRDP) is a separate pool of outbound IP addresses that Exchange Online Protection uses to route outbound email that has been assigned a high spam confidence level (SCL).

When a customer's email system has been compromised by malware or a malicious spam attack, and it's sending outbound spam through the hosted filtering service, this can result in the IP addresses of the Office 365 data center servers being listed on third-party block lists. Destination servers that do not use the hosted filtering service, but do use these block lists, reject all email sent from any of the hosted filtering IP addresses that have been added to those lists. To prevent this, all outbound messages that exceed the spam threshold are sent through a high-risk delivery pool. This secondary outbound email pool is only used to send messages that may be of low quality. This helps to protect the rest of the network from sending messages that are more likely to result in the sending IP address being blocked.

The use of a dedicated high-risk delivery pool helps ensure that the normal outbound pool only sends messages that are known to be of high quality. Using this secondary IP pool reduces the probability of the normal outbound IP pool being added to a block list. The possibility of the high-risk delivery pool being placed on a block list remains a risk, and we expect the HRDP IP addresses to be included in one or more external RBLs.

Behavior to expect when email is being routed through HRDP

  • If the recipient server subscribes to any external RBL on which the HRDP IP is listed, email routed through HRDP may be rejected by the recipient server with a non-delivery report similar to the one below:
    Reported error: 550 5.0.350 Remote server returned an error -> 550 SC-001 (SNT004-MC2F13) Unfortunately, messages from 104.47.5.201 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
  • If the email is sent between two Office 365 tenants, it may land in the Junk folder at the recipient end.

How to confirm whether an email is being routed through HRDP or not?

  • If the customer has the email header, review the X-Forefront-Antispam-Report header or the X-Forefront-Antispam-Report-Untrusted header and look for DIR:OUT together with a spam confidence level (SCL) entry of 5 to 9; that combination confirms the message was treated as spam.

    X-Forefront-Antispam-Report-Untrusted: SFV:SPM;SFS:(10019020)(6009001)(218001);DIR:OUT;SFP:1501;SCL:5;SRVR:DM2PR04MB717;H:DM2PR04MB718.namprd04.prod.outlook.com;FPR:;SPF:None;MLV:ovrnspm;PTR:InfoNoRecords;

  • Use a historical search in the sending tenant to confirm whether the email is being routed via HRDP.

1. Run a historical search

Run the command below from PowerShell to perform a historical search for the affected email:

Start-HistoricalSearch -ReportTitle "Search" -SenderAddress userA@contoso.com -RecipientAddress userB@contoso.com -StartDate mm/dd/yyyy1 -EndDate mm/dd/yyyy2 -ReportType MessageTraceDetail -NotifyAddress userc@contoso.com

  • userA@contoso.com – replace with the sender's email address.
  • userB@contoso.com – replace with the recipient's email address.
  • userc@contoso.com – replace with another mailbox to which the message-trace report will be emailed.
  • mm/dd/yyyy1 – replace with the start date of the search window.
  • mm/dd/yyyy2 – replace with the end date of the search window.

2. Edit the historical search output

Edit the historical search output by sorting the first column, titled “date_time”, in ascending order so that all events appear in chronological order. Make sure to select the option “Expand the selection” while sorting so that all other columns are sorted accordingly.

3. Analyze the data

Analyse the data in the column titled “custom_data” for the row whose “Event_ID” is “Agent Info” to confirm whether the specified email was routed via HRDP.

If the spam filter verdict shows “SFV=SPM”, SCL is 1 or higher, and the DI action indicates “DI=SO”, the email is being routed via HRDP. For example:

    S:SFA=SUM|SFV=SPM|IPV=|SRV=|SFS=10019020|SFS=7916002|SFS=199003|SFS=189002|SFS=66066001|SFS=189998001|SFS=2900100001|SFS=586003|SFS=3846002|SFS=102836003|SFS=77096005|
    SFS=16236675004|SFS=122556002|SFS=2906002|SFS=4326007|SFS=15975445007|SFS=19580405001|SFS=19580395003|SFS=2950100002|SFS=50986999|SFS=76176999|SFS=19617315012|SFS=6116002|
    SFS=54356999|SFS=1076002|SFS=97736004|SFS=3660700001|SFS=3280700002|SFS=101416001|SFS=11100500001|SFS=3900700001|SFS=8936002|SFS=10400500002|SFS=36756003|SFS=92566002|
    SFS=7736002|SFS=7846002|SFS=18206015028|SFS=6916009|SFS=7906003|SFS=81166006|SFS=5002640100001|SFS=5660300001|SFS=103116003|SFS=106116001|SFS=106356001|SFS=224303003
    |SFS=81156014|SFS=100306002|SFS=110136003|SFS=68736007|SFS=9886003|SFS=19618635001|SFS=87936001|SFS=105586002|SFS=86362001|SFS=50929005|SFS=7099028|SFS=50939005|SCL=5|SCORE=58|
    LIST=1|DI=SO|RD=|H=VI1PR0601MB2544.eurprd06.prod.outlook.com|CIP=|SFP=1501|ASF=0|HCTFP=|CTRY=|CLTCTRY=GB|LANG=fr|LAT=445|LAT=395|LAT=44|FPR=7C9DF9AF.2CC4944D.B4F06D6F.D6AE8DDD.20284|
    DIR=OUT;S:PCFA=OROU|dkim=0|URLRW=0;S:SDA=SDG|RV=1:22;S:CompCost=|AMA=0|SFA=0;S:DeliveryPriority=Low;S:PrioritizationReason=SpamFilter-Message-Spam;S:AccountForest=EURPR06A002.prod.outlook.com
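The header check and the historical-search check above can be automated. The following is an added example, not code from the original article or from Microsoft: it parses both formats (the KEY:VALUE; pairs of X-Forefront-Antispam-Report and the S:KEY=VALUE|... sections of the Agent Info custom_data) and applies the two rules the article states. The sample strings are constructed, shortened from the values shown above, and the CSV column names event_id and custom_data are an assumption.

```python
"""HRDP check from the two artefacts described above: the X-Forefront-Antispam-Report
header and the 'Agent Info' custom_data field of a MessageTraceDetail report."""
import csv, io, re
def parse_antispam_header(value: str) -> dict:
    """Parse 'KEY:VALUE;' pairs; whitespace from header folding is dropped."""
    value = re.sub(r"\s+", "", value)
    return dict(item.partition(":")[::2] for item in value.split(";") if item)

def parse_agent_info(value: str) -> dict:
    """Parse 'S:KEY=VALUE|...;S:...' sections; SFS/LAT repeat, so they become lists."""
    fields = {}
    for section in filter(None, value.split(";")):
        body = section[2:] if section.startswith("S:") else section
        for key, _, val in (item.partition("=") for item in body.split("|")):
            if key in ("SFS", "LAT"):
                fields.setdefault(key, []).append(val)
            else:
                fields.setdefault(key, val)  # first occurrence wins (SFA appears twice)
    return fields

def _scl(fields: dict) -> int:
    try:
        return int(fields.get("SCL", ""))
    except ValueError:
        return -100  # SCL absent or unparsable: never counts as spam

def hrdp_from_header(header_value: str) -> bool:
    """Header rule from the page: DIR:OUT with SCL 5 to 9."""
    f = parse_antispam_header(header_value)
    return f.get("DIR") == "OUT" and 5 <= _scl(f) <= 9

def hrdp_from_agent_info(custom_data: str) -> bool:
    """Historical-search rule from the page: SFV=SPM, SCL >= 1 and DI=SO."""
    f = parse_agent_info(custom_data)
    return f.get("SFV") == "SPM" and _scl(f) >= 1 and f.get("DI") == "SO"

def hrdp_from_trace_csv(csv_text: str) -> bool:
    """Flag the message if any 'Agent Info' row of a MessageTraceDetail export matches
    (column names event_id and custom_data are an assumption)."""
    return any(r["event_id"] == "Agent Info" and hrdp_from_agent_info(r["custom_data"])
               for r in csv.DictReader(io.StringIO(csv_text)))
# Constructed samples, shortened from the values shown on the page.
SAMPLE_HEADER = ("SFV:SPM;SFS:(10019020)(6009001);DIR:OUT;SFP:1501;SCL:5;"
                 "SRVR:DM2PR04MB717;FPR:;SPF:None;MLV:ovrnspm;PTR:InfoNoRecords;")
SAMPLE_AGENT_INFO = ("S:SFA=SUM|SFV=SPM|IPV=|SFS=10019020|SFS=7916002|SCL=5|SCORE=58|LIST=1|"
                     "DI=SO|RD=|SFP=1501|LAT=445|LAT=395|DIR=OUT;S:AMA=0|SFA=0;S:DeliveryPriority=Low")
CLEAN_AGENT_INFO = "S:SFA=SUM|SFV=NSPM|SFS=1|SCL=1|DI=|DIR=OUT;S:DeliveryPriority=Normal"
SAMPLE_CSV = ("date_time,event_id,custom_data\n2024-01-01T10:00:00,Receive,\n"
              f'2024-01-01T10:00:01,Agent Info,"{SAMPLE_AGENT_INFO}"\n2024-01-01T10:00:02,Send,\n')
```

Run hrdp_from_trace_csv over the sorted MessageTraceDetail export to check a whole report at once instead of reading the Agent Info row by hand.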

Troubleshooting steps to confirm why email is being routed via HRDP

  • Have the sender send a blank message with just a signature to see if it is still marked as spam. If it is, the signature may be the problem.
  • Have the sender send a blank message with no signature or disclaimer. If it is still marked as spam, there may be a reputation problem with the sending domain.
  • Have the sender send the same message with the signature disabled. If it is still marked as spam, the problem is likely in the message content.
  • Check public reputation lists for the sending domain and for any URLs included in the message.

Actions to be taken to prevent legitimate emails from being routed via HRDP

Report the false positive to the protection team: collect the original sample of the email from the sender’s Sent Items folder and submit it using the following steps:

  1. Create a new, blank email.
  2. Address the email to the Microsoft team that reviews messages at not_junk@office365.microsoft.com.
  3. Copy and paste the affected message into that email (as an attachment).
  4. Make sure all information, including the mail header information, is included.
  5. Click Send.

Allow 24 hours for the filters to be updated; if the issue persists, contact the Support team.