Forum Discussion

StefanKi's avatar
StefanKi
Iron Contributor
Oct 09, 2020

eport why the mails were moved to the Junk

In Exchange online some mails are moved to the Junk folder. Can I get a report why the mails were moved to the Junk folder? I don't like to create large whitelists.   Thanks for your help Stefan
admin
exchange online
office 365
StefanKi's avatar
StefanKi
Iron Contributor
Oct 10, 2020

farismalaeb 

These are the Powershell results.

 

PS C:\Users\123456> Get-HostedContentFilterPolicy

Name SpamAction HighConfidenceSpamAction IsDefault
---- ---------- ------------------------ ---------
Default MoveToJmf MoveToJmf True


PS C:\Users\123456> Get-OrganizationConfig | select *scl*

SCLJunkThreshold
----------------
4

 

I could learn a lot from you. Can you recommend me a good book about Exchange online?
Thanks a lot

 

farismalaeb's avatar
farismalaeb
Steel Contributor
Oct 10, 2020

StefanKi 

Go to Protection.microsoft.com and create a new policy that fits your organization's needs, it seems that you still using the basic one.

Also if you can dump one of the email headers from the junk here we might be able to help you in finding out why the emails are marked as junk, but usually due to an increase in SCL rate, which can be caused by the message content.

SCL level is set to 4 is the default one and seems to be fine.

for the learning, I am just like you, got a lot to struggle with and googling and reading, usually Microsoft site, even though their documentation is a bit boring, but it's fine

 

  • StefanKi's avatar
    StefanKi
    Iron Contributor
    Oct 10, 2020

    farismalaeb 

    How is you process? 

    Die Kellegen senden Ihnen die Emails zu und sie analysieren die Header? Or is there a better way?

    • farismalaeb's avatar
      farismalaeb
      Steel Contributor
      Oct 10, 2020

      StefanKi 

      What I see in this email header is that SCL is set to 5 in this message and your settings are set to 4 causing this message to be spam, the reason behind this is the antispam itself and how it categorizes this message, it seems that this message is a maillist and I guess the score of this email will be increased.

      a useful link can be found here on how to check the report.

      Check this link

      https://docs.microsoft.com/en-us/exchange/monitoring/use-mail-protection-reports

      I would highly recommend to go through the Security and Compliance Center and create a new policy which fit your organization need.

       

      Hope this help

      -------------------------------

      If you find this answer helpful, Please don't forget to click best response and hit the like sign 🙂

  • StefanKi's avatar
    StefanKi
    Iron Contributor
    Oct 10, 2020

    First I need to read to build a good/better policy.

     

    Here is a email header

     

    Summary

    Subject: Newsletter Oktober 2020

    Message Id: <5e4f2c81f89ede179062bbb51.2605fd13e6.20201004092327.22f27f5817.4259941e@mail94.suw111.mcdlv.net>

    Creation time: Sun,  4 Oct 2020 09:23:33 +0000

    From: Frank Geisler <FGE@sqlpass.de>

    Reply to: Frank Geisler <FGE@sqlpass.de>

    To: <stefan.kiessig@lll.de>

     

    Received

    Hop: 1

    From: localhost (localhost [127.0.0.1])

    By: mail94.suw111.mcdlv.net (Mailchimp)

    With: ESMTP

    Id: 4C3yvz6n3Cz1wBFnH

    For: <stefan.kiessig@lll.de>

    Date: 10/4/2020 11:23:43 AM

     

    Hop: 2

    From: mail94.suw111.mcdlv.net (198.2.185.94)

    By: AM5EUR03FT016.mail.protection.outlook.com (10.152.16.142)

    With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

    Id: 15.20.3433.34

    Via: Frontend Transport

    Date: 10/4/2020 11:23:46 AM

    Delay: 3 seconds

    Percent: 50

     

    Hop: 3

    From: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com (2603:10a6:206:14:cafe::d5)

    By: AM5PR0301CA0022.outlook.office365.com (2603:10a6:206:14::35)

    With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

    Id: 15.20.3433.36

    Via: Frontend Transport

    Date: 10/4/2020 11:23:47 AM

    Delay: 1 second

    Percent: 16.666666666666668

     

    Hop: 4

    From: AM5PR0301CA0022.eurprd03.prod.outlook.com (2603:10a6:206:14::35)

    By: AM6PR08MB4198.eurprd08.prod.outlook.com (2603:10a6:20b:a7::32)

    With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

    Id: 15.20.3433.36

    Date: 10/4/2020 11:23:47 AM

    Delay: 0 seconds

     

    Hop: 5

    From: AM6PR08MB4198.eurprd08.prod.outlook.com (2603:10a6:20b:a7::32)

    By: DBBPR08MB4726.eurprd08.prod.outlook.com

    With: HTTPS

    Date: 10/4/2020 11:23:49 AM

    Delay: 2 seconds

    Percent: 33.333333333333336

     

    ForefrontAntiSpamReport

    Country/Region: US

    Language: de

    Spam Confidence Level: 5

    Spam Filtering Verdict: SPM

    IP Filter Verdict: NLI

    HELO/EHLO String: mail94.suw111.mcdlv.net

    PTR Record: mail94.suw111.mcdlv.net

    Connecting IP Address: 198.2.185.94

    Protection Policy Category: SPOOF

    Spam rules: (4636009)(6666004)(42882007)(7636003)(8676002)(33964004)(7596003)(16799955002)(3450700001)(356005)(5660300002)(7116003)(166002)(15974865002)(83080400001)(9686003)(336012)(76236003)(66574015)(58800400005)(6916009)(19810500001)(16670700002)(26005)(1096003)(83170400001)(7126003)(966005)(83380400001)(70420200002)

    Source header: CIP:198.2.185.94;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail94.suw111.mcdlv.net;PTR:mail94.suw111.mcdlv.net;CAT:SPOOF;SFS:(4636009)(6666004)(42882007)(7636003)(8676002)(33964004)(7596003)(16799955002)(3450700001)(356005)(5660300002)(7116003)(166002)(15974865002)(83080400001)(9686003)(336012)(76236003)(66574015)(58800400005)(6916009)(19810500001)(16670700002)(26005)(1096003)(83170400001)(7126003)(966005)(83380400001)(70420200002);DIR:INB;

    Unknown fields: DIR:INB;

     

    AntiSpamReport

    Bulk Complaint Level: 0

    Source header: BCL:0;

     

    Other

    Authentication-Results: spf=pass (sender IP is 198.2.185.94) smtp.mailfrom=mail94.suw111.mcdlv.net; lll.de; dkim=pass (signature was verified) header.d=mailchimpapp.net;lll.de; dmarc=none action=none header.from=sqlpass.de;compauth=fail reason=001

    Received-SPF: Pass (protection.outlook.com: domain of mail94.suw111.mcdlv.net designates 198.2.185.94 as permitted sender) receiver=protection.outlook.com; client-ip=198.2.185.94; helo=mail94.suw111.mcdlv.net;

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net; s=k2; t=1601803423; i=fge=3Dsqlpass.de@mailchimpapp.net; bh=VKtPPqjYq1qddhiT8Pi1rKG2XPmSvzjO2t68d6jJYJw=; h=Subject:From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe: Content-Type:MIME-Version; b=HCm7cw3/meDiLrkthtktvYduDaDbjClPRW2+d/eNaFdjDCqdi1gDkjSymab7xZLp+ QDQENWgA/aCsONFYmOPM+9Wx9O33ZZwY2rlZGjvmVYZUzXOy53o1Kiw32jfNHOMT1e x3sZyQx/grV9olj0EoHBBZKcjR8vJKYdvrCBqF8jN2WyK1OFzH+4XrqmTxCyOS3eAT juoY8SItrg7Y3bxjRTX12R/36u5vmmC51ggssrLQYYoidGAnZW7HCI24weCYm8SCkV uN8tNoeG1u5iUbECoqY0sEi1sesWx+s03DkQhIymUUvKRwoy96vYkya8B3Anf7X/u3 qhtODQuszpOnQ==

    X-Mailer: MailChimp Mailer - **CID22f27f58172605fd13e6**

    X-Campaign: mailchimp5e4f2c81f89ede179062bbb51.22f27f5817

    X-campaignid: mailchimp5e4f2c81f89ede179062bbb51.22f27f5817

    X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u=5e4f2c81f89ede179062bbb51&id=22f27f5817&e=2605fd13e6

    X-MC-User: 5e4f2c81f89ede179062bbb51

    Feedback-ID: 41713949:41713949.2063253:us10:mc

    List-ID: 5e4f2c81f89ede179062bbb51mc list <5e4f2c81f89ede179062bbb51.309913.list-id.mcsv.net>

    X-Accounttype: pd

    List-Unsubscribe: <https://sqlpass.us10.list-manage.com/unsubscribe?u=5e4f2c81f89ede179062bbb51&id=9c25e1e776&e=2605fd13e6&c=22f27f5817>, <mailto:unsubscribe-mc.us10_5e4f2c81f89ede179062bbb51.22f27f5817-2605fd13e6@mailin.mcsv.net?subject=unsubscribe>

    List-Unsubscribe-Post: List-Unsubscribe=One-Click

    Content-Type: multipart/alternative; boundary="_----------=_MCPart_876561490"

    MIME-Version: 1.0

    Return-Path: bounce-mc.us10_41713949.2063253-2605fd13e6@mail94.suw111.mcdlv.net

    X-MS-Exchange-Organization-ExpirationStartTime: 04 Oct 2020 09:23:46.9199 (UTC)

    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit

    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000

    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit

    X-MS-Exchange-Organization-Network-Message-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253

    X-EOPAttributedMessage: 0

    X-EOPTenantAttributedMessage: d1794c7e-c5bd-4cb5-97d8-a24c2d32e2e2:0

    X-MS-Exchange-Organization-MessageDirectionality: Incoming

    X-Matching-Connectors: 132462770269308931;(c6818461-f3df-4f51-3041-08d5a06fda1b);()

    X-MS-PublicTrafficType: Email

    X-MS-Exchange-Organization-AuthSource: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com

    X-MS-Exchange-Organization-AuthAs: Anonymous

    X-MS-Office365-Filtering-Correlation-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253

    X-MS-TrafficTypeDiagnostic: AM6PR08MB4198:

    X-MS-Exchange-AtpMessageProperties: SA

    X-MS-Oob-TLC-OOBClassifiers: OLM:327;

    X-MS-Exchange-Organization-SCL: 5

    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Oct 2020 09:23:46.6903 (UTC)

    X-MS-Exchange-CrossTenant-Network-Message-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253

    X-MS-Exchange-CrossTenant-Id: d1794c7e-c5bd-4cb5-97d8-a24c2d32e2e2

    X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com

    X-MS-Exchange-CrossTenant-AuthAs: Anonymous

    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

    X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4198

    X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.3220394

    X-MS-Exchange-Processed-By-BccFoldering: 15.20.3433.042

    X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:1;auth:0;dest:J;ENG:(20160513016)(750128)(520011016)(944506458)(944626604);

    X-Microsoft-Antispam-Message-Info: KXhyTJSHBABVJ1XDyhfaJEb30NtICLiTdLrSsQEH0vnenUa9bHQxUHHEjCQNNdTmYqoMP4qX1V2jH6ssm2NckuLlkGWySIUnHxXXTB0U3UkDulWGhvip9wOofUklpD/7JfJYUGaiALOaQPBdfhDRO2Bufj4pxjpQmA4Kbe+Qbuka5jT9ofoGyNL0q2C2UgRYFbx/HEeD2TiEnl8olLntpfa9Ihc5HAujlofhr+KQiw/Xcqi+eJXqpT4pJwL1+ouaqLQUvBALuONHaLIa+LrW0NG65VRqs+/7uIrjxTevH36ubh2Wx5ZL2T8z1PQx4F/T2Y+1J5k9DcNhWrd0tMXl3K1rr3mSEbAZY1YMRQHICEgt8lrz8+z3EC+G5PpLUyZKCptzbT1hJPBQ3m7gsjucLXJiOLaH40uYZPUPAxwfLR/GM87OKhdkNyU2i/422g8iAt93pUn9EYOGX2Bsmh41QoJCayCjMR8Vb/ljHZye5t4JwIyaIp7pK0qHpeQ8evYyQEizSJv4n9sF9KIzj154N5y8rqrM1422W3iJTQea5InfXukjVHDX9rmHnJ2ukbevrg9H/1I+nnL64p079zjldRdUwpPnIEcq2znQEIWHBU3Zx8Fmvwny/8zmsDm3tADH3Stp70U1ClNNY/ddMqRN7rSqtxQgeivjvacfZTiB3PcD9Oaugev2Qs9LOJ7hNNSIg9+YEOAQiA6117bY/Z8NrWeu19S0d1Vn7kS7MDsG45SyIORUTftTh1XC8KfWbSnzzi/bTlKNzL5v9+DGNM+ZaR6hCTbPnR8sUxzNJ5HWrrGV3OlCAClEuHW0V3bnZv1ZcOlly7kFiNmcFDYOpMWBBguMTOW8RayBE5f+jJfF4wij3Ha+uS+iloZGyvYBO2F7FcsrIHxwaNxgCQXdKI8zkNYcg9hsT5bGca0T0g/kLAxO+eBs5PmRg9K7W8ot9koM/547XFu2eN/uVWJT7lDQhtepOwCSr0g5CRnx4sQrfgm4Jn93ELPLUNLqArx2kbWSHgnVlegResxdf/Up9HrmYLbCF4QPPYdMeEg2WFytdpiDZurir2qD6s2KtKm2SvH3PRt1CC2yKACD9c26UPWiftKlPOxPb5ZQLbas+AYtuDoU/oclMGLxgm0JsfUbjjReUI/v6am9QHT99uPb1uHPHQSUX1iFhBcY6vbBMN7kwspF6vFyb4x7ydcMcaIi0D3hw3Z/EaPqPLYaidcQBNvXCm4RrcOowdr4AAIsOQYMGtwbMrFK72U5g/Fuy8Ct329ZOk28XKNaqOhUasCbDKE5fiuYMUmNeqjGQC8BgdFsiR8mjWYS1UeyfVEg8N5VfUFRIVYTxLqdzgugBbi3r9YBa22VPYM6JEHRkVhjG1ZyhHLLD2OpnAxegZyWsnbdkTe+shYeqylIJ/ciyml8vL73shXUv9UYtccYRQfBkg7zsGBjp73FdP7drsMNnUb450vYEaYsQ16tXo3kZ36e8I6u0JITJKQM/EF4bPz13RbAb2RzPSnhztFpwrEFr9zGFCzFJOqYQi6yrFmrIvXFUkHV5UXxsrBTZ97Tj1pdHOJ8l/2xmr1sVLf5GRADhEFu9Ya/c5S5snWzTmLDfdmEgrgPC/17t/fs2LtO7+VzJwRoBqLjAguQBLCdOCzSaYwqkbNXWQdTb4tDRPdwvNWswMows0pSGlcsH3dneSFNbaVSK79s3pzAn37o6W3UP/ZmMo45aVMoziwclyp3RG4pKoWJNRm9/ppw5i7EuBCM8yXX+hGx/wnGFrzmzHqJl0SAe4MXaAUcDHTzq7zn+2SnXr2PUdSi98a3Icxv/8DruhWWHTJnR7VeJDrfAXBY2M7XIIY5xw4Vhq1IWpkOIuMnJwm4foV0ljG3jqPJUMUn+NOGG/bEpjL+w1CPbwlaXVxQueyt9EMbhCaglmxgLAVMql+mQiDApef9UZub6FKlwAGnEOoljK0evERnO61bVbWhzCeYh/JRO0TM+NDNlJbBZnVgbgu66Y0thvxbpje426WAKPtNUnhYFJYq3x4HI/NkyZIL/xSQ4DXMfd/Lm3lVOKTwOU9uKJwQJ96OLvCPckI4ugY=