Exchange flagging a single user's email as spam
I have a very strange problem with a single e-mail address from one of our customers - email to or from this address, and only this address, is being marked as spam by Exchange - all other users on the server work normally, and the mail's flagged even when it's a plain text mail with no attachments.
The relevant X-Headers are:
X-AntiMalwareExchange-RefID: str=0001.0A782F1F.5F478388.0018,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-MS-Exchange-Organization-SCL: 9
Other checks pass as shown by:
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;
X-HE-SPF: PASSED
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.1
X-HE-Spam-Report: Content analysis details: (0.1 points)
Does anyone have any clues before I lodge a support ticket?
3 Replies
- ExMSW4319, Steel Contributor
Will_Wilkinson - you don't have a transport rule forcing that SCL 9?
If on-prem had the same bad habits as ATP, I'd be looking for a matching recipient name causing a false positive phishing detection.
- Will_Wilkinson, Copper Contributor
ExMSW4319 No transport rules that could force this - it's happening not only on the customer's system but on all Exchange servers that this single e-mail address communicates with - have submitted samples to Microsoft, and, as a workaround, set up another address for the user - this works normally, from the same server & client, just from a different mail address. Original was of the form initial.surname@company.de, new is firstname.lastname@company.de - weird thing is that all other users don't have any problems, and this single one does, even on a new build.
- ChristianBergstrom, Silver Contributor
Will_Wilkinson Hi, it could be any underlying activity/analysis causing the SCL 9 value. You should submit a false positive.
Manually
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis?view=o365-worldwide#submit-false-positives-to-microsoft
Admin submission
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide
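Added example (not part of the original thread, and not anyone's production tooling): a Python sketch for confirming the pattern described in the question before filing a false-positive submission. It tallies, per address, how many messages carry a high Exchange SCL while the upstream checks quoted in the thread pass. The sample messages are constructed, `support@example.org` and `sales@example.org` are placeholder correspondents, and the SCL cut-off of 5 is an assumption.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

SCL_SPAM = 5  # assumption: SCL at or above this counts as an Exchange spam verdict

def _msg(sender, rcpt, scl):
    # Constructed sample; header names are the ones quoted in the thread.
    return (f"From: {sender}\nTo: {rcpt}\nX-MS-Exchange-Organization-SCL: {scl}\n"
            "X-Spam-Flag: NO\nX-HE-SPF: PASSED\nX-HE-Spam-Score: 0.1\n\nplain text\n")

SAMPLES = [
    _msg("initial.surname@company.de", "support@example.org", 9),
    _msg("sales@example.org", "initial.surname@company.de", 9),
    _msg("firstname.lastname@company.de", "support@example.org", 1),
    _msg("sales@example.org", "firstname.lastname@company.de", 0),
]

def verdicts(raw):
    """Return (scl or None, upstream_clean, addresses) for one raw message."""
    msg = message_from_string(raw)
    try:
        scl = int((msg.get("X-MS-Exchange-Organization-SCL") or "").strip())
    except ValueError:
        scl = None  # header missing or malformed: no Exchange verdict to compare
    upstream_clean = ((msg.get("X-Spam-Flag") or "").strip().upper() == "NO"
                      and (msg.get("X-HE-SPF") or "").strip().upper() == "PASSED")
    parties = msg.get_all("From", []) + msg.get_all("To", [])
    return scl, upstream_clean, {a.lower() for _, a in getaddresses(parties) if a}

def tally(raw_messages):
    """Map address -> [conflicts, total]; a conflict is high SCL with clean upstream checks."""
    counts = defaultdict(lambda: [0, 0])
    for raw in raw_messages:
        scl, clean, addrs = verdicts(raw)
        conflict = scl is not None and scl >= SCL_SPAM and clean
        for addr in addrs:
            counts[addr][0] += conflict
            counts[addr][1] += 1
    return dict(counts)

def suspects(raw_messages):
    """Addresses whose every message conflicts: the single-address pattern from the thread."""
    return sorted(a for a, (bad, total) in tally(raw_messages).items() if bad == total)

if __name__ == "__main__":
    for addr, (bad, total) in sorted(tally(SAMPLES).items()):
        print(f"{addr}: {bad}/{total} flagged by Exchange despite clean upstream checks")
    print("suspects:", suspects(SAMPLES))
```

An address that conflicts on every message, while its correspondents conflict only on mail exchanged with it, points at the address itself rather than at a server, client or content rule.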