If a user continuously sends emails that are classified as spam from Office 365, they will be restricted from sending email, but will still be able to receive it. The user will be listed in the service as a bad outbound sender and will receive a Non-Delivery Report (NDR) that states:
“Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance. Remote Server returned ‘550 5.1.8 Access denied, bad outbound sender.”
Estimated time to complete: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedure. To see what permissions you need, see the “Anti-spam entry in the Feature Permissions in Exchange Online topic.
The following procedure can also be performed via remote PowerShell. Use the Get-BlockedSenderAddress cmdlet to get the list of restricted users and Remove-BlockedSenderAddress to remove the restriction. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
You complete this task in the Security & Compliance Center (SCC). Go to the Security & Compliance Center for more details about SCC. You need to be in the Organization Management or the Security Administrator role group in order to perform these functions. Go to Permissions in the Security & Compliance Center for more details about SCC role groups.
A “User restricted from sending email” alert is available as a policy under the Office 365 Security & Compliance Alert policies page. This was formerly the outbound spam policy but is now native to the Office 365 alerting platform. Go to Alert policies in the Security & Compliance Center for more information on alerts.
For alerts to work, audit log search must to be turned on. See how to Turn Office 365 audit log search on or off for more information.
The policy for this alert is a default one and comes with every Office 365 tenant and does not need to be set up. It is considered a High severity alert and will email the configured TenantAdmins group when the alert is fired whenever a user has been restricted from sending mail. Admins can update the group notified when this alert happens by going to the alert under the SCC portal > Alerts > Alert policies > Users restricted from sending email.
You will be able to Edit the alert to:
The PowerShell commands for Restricted Users are:
Get-BlockedSenderAddress: Run to retrieve the list of users that are restricted from sending email
Remove-BlockedSenderAddress: Run to remove user(s) from being restricted