cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange flagging a single user's email as spam

Will_Wilkinson
Copper Contributor

‎Aug 28 2020 01:20 AM

‎Aug 28 2020 01:20 AM

Exchange flagging a single user's email as spam

I have a very strange problem with a single e-mail address from one of our customers - email to or from this address, and only this address, is being marked as spam by Exchange - all other users on the server work normally, and the mail's flagged even when it's a plain text mail with no attachments.

The relevant X-Headers are:
X-AntiMalwareExchange-RefID: str=0001.0A782F1F.5F478388.0018,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-MS-Exchange-Organization-SCL: 9

Other checks pass as shown by:
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;
X-HE-SPF: PASSED
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.1
X-HE-Spam-Report: Content analysis details: (0.1 points)

Does anyone have any clues before I lodge a support ticket?

Labels:
2,918 Views
0 Likes
3 Replies
Reply
3 Replies
ExMSW4319

‎Aug 28 2020 04:16 AM

‎Aug 28 2020 04:16 AM

Re: Exchange flagging a single user's email as spam

@Will_Wilkinson - you don't have a transport rule forcing that SCL 9?

 

If on-prem had the same bad habits as ATP, I'd be looking for a matching recipient name causing a false positive phishing detection.

0 Likes
Reply
Will_Wilkinson

‎Aug 28 2020 05:07 AM

‎Aug 28 2020 05:07 AM

Re: Exchange flagging a single user's email as spam

@ExMSW4319No transport rules that could force this - it's happening on not only the customer's system but on all exchange servers that this single e-mail address communicates with - have submitted samples to Microsoft, and, as a work around, set up another address for the user - this works normally, from the same server & client, just from a different mail address. Original was of the form initial.surname@company.de, new is firstname.lastname@company.de - weird thing is that all other users don't have any problems, and this single one does, even on a new build.

0 Likes
Reply