Exchange flagging a single user's email as spam


I have a very strange problem with a single e-mail address from one of our customers - email to or from this address, and only this address, is being marked as spam by Exchange - all other users on the server work normally, and the mail's flagged even when it's a plain text mail with no attachments.

The relevant X-Headers are:
X-AntiMalwareExchange-RefID: str=0001.0A782F1F.5F478388.0018,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-MS-Exchange-Organization-SCL: 9

Other checks pass as shown by:
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;
X-HE-SPF: PASSED
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.1
X-HE-Spam-Report: Content analysis details: (0.1 points)

Does anyone have any clues before I lodge a support ticket?

3 Replies
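
@Will_Wilkinson Hi, could be any underlying activity/analyze causing the SCL9 value. You should submit a false positive.

Manually
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis?view=o365-worldwide#submit-false-positives-to-microsoft

Admin submission
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide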

@Will_Wilkinson - you don't have a transport rule forcing that SCL 9?

 

If on-prem had the same bad habits as ATP, I'd be looking for a matching recipient name causing a false positive phishing detection.


@ExMSW4319 No transport rules that could force this - it's happening on not only the customer's system but on all Exchange servers that this single e-mail address communicates with - have submitted samples to Microsoft, and, as a workaround, set up another address for the user - this works normally, from the same server & client, just from a different mail address. Original was of the form initial.surname@company.de, new is firstname.lastname@company.de - weird thing is that all other users don't have any problems, and this single one does, even on a new build.
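
The checks discussed in this thread, as an added example that is not from any of the posters: a way to find what stamped `X-MS-Exchange-Organization-SCL: 9` on an on-premises server. It assumes the Exchange Management Shell with the anti-spam agents installed, and `$Address` is a placeholder in the form quoted above.

```powershell
# Added example, not part of the original thread.
# Run in the Exchange Management Shell on the on-premises server.
# $Address is a placeholder in the form the poster quoted.
$Address = 'initial.surname@company.de'

# 1. Transport rules whose action sets an SCL value (the question asked in the
#    second reply). Disabled rules are listed too, so State is shown.
Get-TransportRule |
    Where-Object { $null -ne $_.SetSCL } |
    Format-List Name, State, Priority, SetSCL, Description

# 2. Content Filter agent: enabled state, SCL thresholds and bypass lists.
Get-ContentFilterConfig |
    Format-List Enabled, SCL*Enabled, SCL*Threshold, BypassedSenders, BypassedRecipients

# 3. Custom blocked phrases. A message matching a blocked phrase is assigned
#    SCL 9 by the Content Filter agent, even if it is plain text.
Get-ContentFilterPhrase |
    Where-Object { $_.Influence -eq 'BadWord' } |
    Format-Table Phrase, Influence -AutoSize

# 4. Anti-spam agent log for the last 7 days, restricted to the affected
#    address as envelope sender or recipient. The Agent and Reason columns
#    name the agent that acted on each message and why.
Get-AgentLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.P1FromAddress -eq $Address -or $_.Recipients -contains $Address } |
    Sort-Object Timestamp |
    Format-Table Timestamp, Agent, Event, Action, Reason, ReasonData -AutoSize
```

If steps 1 to 3 return nothing relevant and the agent log shows the Content Filter agent as the source, that supports the poster's conclusion that no local rule is forcing the value.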