orca icon indicating copy to clipboard operation
orca copied to clipboard

Published 20 hours ago verified publisher icon cammurray

Get-ORCAReport stalls at - Getting MX Reports for all domains

Open dcaddick opened this issue 4 years ago • 2 comments

Hi Cam,

Awesome tool BTW, but currently checking on large Edu tenant and getting stalled at: Getting MX Reports for all domains - consistently stopping here for 30 - 50 mins plus

12/14/2020 15:23:50 Getting Anti-Spam Settings 12/14/2020 15:23:53 Getting Tenant Settings 12/14/2020 15:23:54 Getting Anti Phish Settings 12/14/2020 15:23:55 Getting Anti-Malware Settings 12/14/2020 15:23:56 Getting Transport Rules 12/14/2020 15:23:58 Getting ATP Policies 12/14/2020 15:23:59 Getting Accepted Domains 12/14/2020 15:24:00 Getting DKIM Configuration 12/14/2020 15:24:01 Getting Connectors 12/14/2020 15:24:01 Getting MX Reports for all domains

Tried running Get-ORCAReport -Collections Get-AcceptedDomain more or less to try "something" and it seemed to get past it - but now reporting that ATP is not installed in Tenant?

12/14/2020 15:50:17 Performing ORCA Version check... 12/14/2020 15:50:26 Analysis - Anti-Spam Policies - Anti-Spam Policy Rules 12/14/2020 15:50:26 Analysis - Anti-Spam Policies - Safety Tips 12/14/2020 15:50:26 Analysis - Anti-Spam Policies - Phish Action 12/14/2020 15:50:26 Analysis - Anti-Spam Policies - Bulk Complaint Level 12/14/2020 15:50:26 Analysis - Anti-Spam Policies - High Confidence Spam Action 12/14/2020 15:50:26 Analysis - Anti-Spam Policies - Allowed Senders 12/14/2020 15:50:26 Analysis - Anti-Spam Policies - Bulk Action 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - IP Allow Lists 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - Domain Whitelisting 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - Quarantine retention period 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - Outbound spam filter policy settings 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - High Confidence Phish Action 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - Mark Bulk as Spam 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - Spam Action 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - Advanced Spam Filter (ASF) 12/14/2020 15:50:27 Analysis - Anti-Spam Policies - End-user Spam notifications 12/14/2020 15:50:27 Analysis - Connectors - Domains 12/14/2020 15:50:27 Analysis - Connectors - Enhanced Filtering Configuration 12/14/2020 15:50:27 Analysis - DKIM - Signing Configuration 12/14/2020 15:50:27 Analysis - DKIM - DNS Records 12/14/2020 15:50:27 Analysis - Malware Filter Policy - Malware Filter Policy Policy Rules 12/14/2020 15:50:27 Analysis - Malware Filter Policy - Internal Sender Notifications 12/14/2020 15:50:27 Analysis - Malware Filter Policy - Common Attachment Type Filter 12/14/2020 15:50:27 Analysis - Malware Filter Policy - External Sender Notifications 12/14/2020 15:50:27 Analysis - Tenant Settings - Unified Audit Log 12/14/2020 15:50:27 Analysis - Transport Rules - Domain Whitelisting 12/14/2020 15:50:27 Analysis - Zero Hour Autopurge - Zero Hour Autopurge Enabled for Malware 12/14/2020 15:50:27 Analysis - Zero Hour Autopurge - Zero Hour Autopurge Enabled for Phish 12/14/2020 15:50:27 Analysis - Zero Hour Autopurge - Zero Hour Autopurge Enabled for Spam 12/14/2020 15:50:27 Analysis - Zero Hour Autopurge - Supported filter policy action 12/14/2020 15:50:27 Generating Output 12/14/2020 15:50:27 Output - HTML 12/14/2020 15:50:28 Complete! Output is in C:\Users...... ORCA--202012141550.zip

dcaddick avatar Dec 14 '20 08:12 dcaddick

Just checked in other parts of the Admin console - this customer has 149 different domains (Schools) - guessing this might be a limitation somewhere?

dcaddick avatar Dec 14 '20 08:12 dcaddick

Hey @dcaddick - yeh, the speed of ORCA for tenants with a large amount of domains went down drastically after the addition of the enhanced filtering/skip listing check. This is because that check needs to know if the MX is pointed to EOP or a third-party, and it uses the Get-MxRecordReport command to do that, which can take a minute or so per domain.

We could, either:

  1. Have an option to disable the check
  2. Instead of using the Get-MxRecordReport command, poll the MX records directly on the client. The issue here though is that quite a few customers have split DNS configured with an internal zone for their domains (so the MX record on the polling client may not be accurate). This is the least favorite option because it will generate false positives.

cammurray avatar Jan 24 '21 21:01 cammurray

Closing this out, because it's expected that the Get-MXReport will take a long time when there are a large qty. of domains - and it's outside the control of ORCA (that's something to do with Exchange Online itself). The MX reports are required for SPF, DKIM, Enhanced Filtering checks, etc, so it's not something I think we want to bypass.

cammurray avatar May 03 '23 03:05 cammurray