EOP Spam Policy - Move to Junk

Iron Contributor

I have a custom (default) EOP Spam policy for which all types of spam and bulk is set to "Move message to Junk Email Folder".  However cloud mailbox users non of these messages are being delivered to their Junk Mail Folder instead remains in their Inbox.  I have a case open with MS support for days now but they have not been able to determine the issue.  I have two transport rules set that handles Bulk messages.  IF the BCL is 4,5 the subject is tagged with "Possible Bulk". If the BCL is >5 the subject is tagged with "Bulk High".  These two rules are working; however message remain delivered to the clients inbox. 

 

Anyone else run into this or similar problem that can provide some light on the matter?

 

Right now, as we are still testing everything, we want everything delivered to the end user; just to their junk mail folders. We will later change it to High Spam to be quarantined.

15 Replies
Is this the only policy? Are you sure that no other policy is applied to those spam emails? Are the emails marked as spam (SCL>5)?

Attach the header of such an email that should have been delivered in three JMF.

Only one policy. Yes, Emails are being marked as spam (SCL 9). The BCL is 6.

 

Including screenshot of policies.

 

Some of the headers are below. Cannot attach multiple files to this.


Reply-To: Windows IT Pro <reply@windowsitpro.com>
Date: 7 Oct 2016 10:06:17 -0400
Subject: {BULK: HIGH}Enterprise IT Event Agenda & Giveaways
Content-Type: multipart/alternative;
 boundary=--boundary_361092_ea1e4143-7257-4260-b9e2-bb8a483142dd
X-MS-Exchange-Organization-Network-Message-Id: 0e8f921d-88b6-4604-408e-08d3eebb2c17
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 020caa57-5a64-40d3-a4e7-c2b201ae4d3f:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:204.92.19.130;IPV:NLI;CTRY:CA;EFV:NLI;SFV:SPM;SFS:(8196002)(31620200002)(2980300002)(1060300003)(438002)(596005)(286005)(359002)(497574002)(189002)(349012);DIR:INB;SFP:;SCL:9;SRVR:BN6PR03MB2530;H:mail02.tech.pentontech.com;FPR:;SPF:Pass;PTR:mail02.tech.pentontech.com;MX:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;BN1BFFO11FD006;1:/be9fCZTce9t5TCx0MpqbE0bkhUqCPot6utUf3uznzi3QYhdcoIkLbDlbrV3eKrHm4D0i04u9K+9WzBrWi32KsGBVz1rK5UFkWJwSINWT3BFYwAF1YyvvbJKBF+ru0WqK1qahjH+771yhye6D4+jUSCLKoNnDVG26//8CFXemNXorYbfRiL8AOnYNemZBBj2E4xvOK3J5vzecOxgFoR+d7ULIg+5fke+sNrK7Ea4U+yTdQ5fFxChhqPuDVUqhvg1YIGTTx8fENMhSPfO8uFZuqSLSPQyZjpP78eGkG/pKedRtIoRKkFAx0HWu3kuvtOD9PGp+8GPxNCpIH12dEhxcjsL8yVg9TPfweGrm8ZJCzl2njdvkt0lJYzTWxR5PElN3qwGO2Hqfu8LexN8m38DVfjog9/OFKv77vToqClKnXH2ZExCAmCRFA7I44eG0lomHiNiFQTHiMhdvoZqnBTMs6mPIY58ZWsWCxnvEhB1TPCv72tRYCQShah5D242utu/iJgv7GegLmIFX/Z2YB+re0pbpZiVp/3isfwpHINMFiB4zz6YCmxP0EAA6e6LA26zRviFfBLQ4fvHm+Vor4ZINunBksXtfW9atMPvRxYgk0Lcl14vztidBpFhAsRlmvhs
X-MS-Office365-Filtering-Correlation-Id: 0e8f921d-88b6-4604-408e-08d3eebb2c17
X-Microsoft-Exchange-Diagnostics: 1;BN6PR03MB2530;2:PlT7eIztWe3XBpb4H1YQZFECzvi1e+Gwn8NsStiuSGnaq7H7U9FpUBol0rab6RBTUjLiujCj3uaBePpDOoBkUvjDsch9L8KtOm9bllSPO1mu3N3gwUtl5ooXqTZ+JGfh5NyVQ5pJiNBwe28k5uZXNa4EtKqU2rSHxuGQYpUeWk3LwfOV+9n27pKTDL7VjBHpS5E7acGd+1dLwAmN0zMvog==;3:Njp3WunIdc/jPk04cljeTzG5VG2cQnzLf4JCPgolowBnTa+Ejt9rzZB0JATySO7Q5ZtFi2uA5GWQmK4k1M1rUmxbyOFwG3Fr4UTUjSsidR7LNXjBdLJ2K3+6dfrnJGUC+2n/mZqEnRwlq3rURrB1i5Ex5Jg1gvPZOJR/nTk0jCyaXdDKgu2WOsZigNVZc8N1/m2sD4PdXQXJgH9K7bfx+CYCdGUjeNswCXrOb8ItjpYq7TBLgl/9ataqGdEeb1KmEyVTvkAHGKm2/acED9zNc8nwaFcRawEWnRGP7hLYZ/GtTWcIfkSP/uF68CvCOU6NUO2YkHVJEKqGR34yVq6m5JNMYKGcI4XXUCXQ6T42Rl8gjihX9YQEzgL2YOC+NGIG
X-DkimResult-Test: Passed
X-Microsoft-Antispam: UriScan:;BCL:6;PCL:0;RULEID:(421252002)(8251501002)(3001016)(71701004)(71702002);SRVR:BN6PR03MB2530;
X-Microsoft-Exchange-Diagnostics: 1;BN6PR03MB2530;25:vQ0l6T/dbvM2b6/I3/y4KeHUBF+IvETqYSFDzMquxpQn0IlIZ4KK5JwGsREgPe7q33IvSlPpU/FfWIKFeKXQflsM7iYJQnStRFpQZrS5JzQSuN8HVm3NyaO6g6Mg4sDPJpEylFhlmIsMHqhHaeQ3DQcydC/oXG3/6aaAplAkKB/zW8p1gZ2re7XfPKJ/Fw4oMoowxbkhz9cE9gWOi8FyS8cVpKEMRNVE/rYz4duL5nmlxQ2tmNJSMeWOvIYvkRwNKlB7pv60NIZ95mVG2iibzSkpKb0D/cNLuLNcYwmihiHfyeHJDvucQYmGtL72ifqAvWve6WKvs0NCtT/GKLDxbxxL29OMK9KqTmNrXyJuwxYpbW+7ZKeaXdpi00YuisGCjUNSdGfnf3+mwQPWS5Z1AGKETBATOiuXn38q4An3W1vEJ1NcJczuMbgsHhFHyGeC;31:cVlPc0rFlFJvCXNz0d0Idu7529dHTd8K6R7XQSbA6AUN5BfhTFOfUl4pp/NCx1PgJS1yb5crq+c+Ptr5KAEVNe+Tn3vwaT1wTh8RJp/zp6AUyhWqVc0eRf/LxjXsTknLzy/j24fYbDyA9DWi/rUCnydNTiRLydN+NAUBvC/atV1Wo6bqrgjN6TkXBnP2QpNFQza3V75ibFSqQFO3CZR9uufBaE/eIA2xphg5i6gs3ykFUEOMujYq5duFPrKDoMrIlWmxG3q5MFNr9kLtTxfNzg==
X-MS-Exchange-Organization-AVStamp-Service: 1.0
X-Microsoft-Exchange-Diagnostics: 1;BN6PR03MB2530;20:XPg1JGthFzWs20R5UBAZjzFx0xkQvR0lxJpAN2G1ovgYLtdD4Z1T5R7lI/0fAhnJlBAPiQSA3/hzpOmqBgXCmAV1e7CvvAYo189ZW66TxwU0WevMrnNrL8pifRjKdYFoYN36kf+QVmUk1CKPrGrykM3gtZBf4TIjam2BJd8vFaepMzuoBA1SuIn5fMZZivoQbAu0OHSDBDxmbsEvSm4nU0hfN6S/MvLTj3j70kPMql+mejffSNJ4CZVRzX8JycYFyvS2BrOxyAqAqc20sDnEaRpOKQ08MQ170O6WMT3WMHqChkwM/Vi7IgwU71/1Z7MqnIjEq3f/o7fAtiPis3nQHiPeTbwch9iTE1xx/0g35pvek5FYRFE7HdkXY1WL74FkuukQcjjGHrxJxzLWl/CKkI/OF9ysZtFiNBWOnNiniUM=
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(148322886591682)(116415991822766)(81227570615382);
X-Exchange-Antispam-Report-CFA-Test: BCL:6;PCL:0;RULEID:(9101531078)(601004)(701104)(2401047)(8121501046)(13024025)(13018025)(1201001)(13016025)(9101536074)(3002001)(10201501046);SRVR:BN6PR03MB2530;BCL:6;PCL:0;RULEID:;SRVR:BN6PR03MB2530;
X-Microsoft-Exchange-Diagnostics: 1;BN6PR03MB2530;4:aLpDX7vod9smwweaLfiRHYlAbV6/pecjKaYVwBkfcpFR4YgEzuH0mYzs2YsqUDBNy8hJ73KvY7aFa69Twny/pSU+Zrxxi5DVD7aFLPjO9US/HCgohO+ZvRgks2tF2qC4Rijj59QYxXg/fCpodgnzKIhg0i+WiInjGTR63wFw3iMmsc1Nkd/H61Ke3u0/9gzj3yTcv9uf6d3+mlL5dcpEmFiHAW0xhruCB/bVMHno2T6VaC+++y1hb4fQ6nMeOLgL9G+XDjis0Gje0K1XL6WWrl3IYDdAjUVFCWs3lDTFfuUHUAmPZ3CGcxjo4sH+Y07SsD52Oh2hDcrNbJDttNEWNlknOT2BOf7DKtZuJJ6xnprdsKX13PpkO1w73569eG8lVwuBHYKb3+CkrH7ldLLyyjpOdmZM9d0xE6l/iSzoAqtlG1S0zEtWZCPahR/tWJXe4ggf5U2C7th9DDKLmBTNCN+5PMJk4ElIFZNkRDJaMDTnLN+0Q3s8VhZLznunUG2V2ZRMv4IPuNxnhTH8eLZZB4zwL73j1MFLBNvtV+DBgybfFSyhnUcG4UggFtagVScQGlKUeKHCxoOyYznxkOL1/8GCZrjX9vlJVOyDZv9mDnC7wVq6Vl87Maizg00jRvGAg5k0dXS2UgqiZ1zWH2y4/g==
X-MS-Exchange-Organization-SCL: 9
X-CustomSpam: Bulk Mail | Bulk Mail

Indeed, the message is marked as spam and, according to your spam filter policy, it should be delivered in the junk mail folder. Maybe you have an Outlook addin or an inbox rule that puts thos emails in the inbox folder. You could try to send a Gtube test email (http://spamassassin.apache.org/gtube/) from a 3rd party mailbox to your O365 mailbox when Outlook is closed and use OWA to check if the email is delivered in junk.

I am glad to see someone agrees that this should be working. As far as Addin (Addons). I have only the basic addons, and addins I have Message Header Analyser, Yelp and Package Tracker. Addons: Exchange Add-in, SharePOint Server Collegue, VBA for Outlook, Scoail Connect and Skype Meeting Addons.  Rules, nothing concerning.

 

To add, this happens to my co-worker, that is also in the cloud. On-Premise users seem to be fine or at least better. Which would seen to be the opposite as one has to create an On-Premise Transport Rule (which I have) to handle junk mail filting.

 

Go Figure.

Can you check if the junk email is enabled on your mailbox? Run Get-MailboxJunkEmailConfiguration <mbx> and see if it's enabled.

 

One more thing that crossed my mind. Journaling might play a role in this situation. Is, by any chance, your mailbox set as journaling ndr recipient?

Originally I had the Junk Mail Processing disabled by GPO (No Automatic filtering).  However, I since turned that back on and set it to Low but that has not helped.  I am moving from an IronPort Device to EOP and with the IronPort, the transport rules on our On-Premise mail server worked great for filting items to individual Junk Mail folders. Since moving to the cloud, this has not worked.

 

As far as Journalling, we do have this enabled (we use GFI); however I do not believe I am a recipient for NDR reports.

I just tested in my tenant the theory about journaling NDR recipient and is valid. When I'm setting my mailbox as recipient for undeliverable journal reports, even if I don't have any journaling rules, even high confidence spam is delivered in Inbox.
Where do I turn this off?
You can do it in the EAC>Compliance>Journaling (or something like this) or by running Set-TransportConfig -JournalingReportNdrTo $null

Thanks! I was in fact set to the NDR for journaling. Will report back later today. However, the odd thing is, I have a co-worker that is also in the cloud and their mailbox also does not work as intended with the Spam Filters. Same issue.  And only one person can be set to the NDR.

So, is it working OK for your mailbox now?

For your co-worker you should check all that we discussed here until now.

Yes. It is indeed working for me now. My co-worker is still having issues but only with certain emails which is odd as he does not have any junk mail or rules that apply. Still attacking that one. Thanks for your help/

I'm glad I was able to help and I hope others will also read this conversation when they have similar issues.

Not sure if you resolved this but it appears you need to set auto processing of junk mail on the OWA or Outlook for Web settings. The FAT client Outlook 2016 should be off. In my testing the policy tags it as spam but to perform the move operation the OWA setting needs to be on.