EXO Transport pipeline and ForwardingSMTPaddress on mailboxes redirect behavior


Question related to the transport pipeline in EXO with ATP

Scenario:

We have shared mailboxes that are set with forwardingAddress/forwardingSMTP addresses.

Issue:

Malicious/spam messages directed to the mailbox are quarantined; however, the redirect to the external recipient happens early in the transport pipeline, and the redirect is performed before the message is actually deemed spam/malicious and sent to EUQ.

Sample trace:

Date                                              Event                                            Detail
----                                              -----                                            ------
1/25/2018 8:50:21 PM                              Receive                                          Message received by: MWHPR0101MB3086
1/25/2018 8:50:21 PM                              Redirect                                         The message was directed to extuser@abc.c.
1/25/2018 8:50:26 PM                              Spam                                             No detail information available.
1/25/2018 8:50:27 PM                              Receive                                          Message received by: BY2NAM05HT086
1/25/2018 8:50:28 PM                              Send                                             Message sent to mytenant.mail.protection.o...
1/25/2018 8:50:28 PM                              Send                                             Message sent to quarantine.


Question:

Is this normal behavior? I would think that the message should be held for the redirect event until EOP/ATP deems the message safe, before it is redirected to the forwarding address.

The behavior is causing us some pain, as spam messages directed to the mailboxes get to the external recipients, which in our case is a Salesforce email-to-case platform, causing it to create non-relevant Salesforce cases.

Looking for inputs on this behavior. Appreciate your feedback. Thanks.


3 Replies

How did the message get there in the first place? Is it perhaps internal mail, or affected by any form of anti-spam bypass (safe senders, safe domains, internal connectors, a mail flow rule setting the SCL, etc.)? My point being, the events you see from the trace might be the *outbound* spam processing, which of course will take place after the message was redirected.


In any case, get the header information and the trace results and open a support case; they should be able to give you a proper answer.

Thank you Vasil for your inputs. Appreciate it.

The message is coming in from external, and EOP stamps and recognizes the message as spam and sends it to quarantine; however, the redirect event of the message happens early in the pipeline, which forwards the message to the external recipient, which is what we are trying to avoid.

See attached trace

Is there a way to have the redirect occur after the spam verdict, or to have it dropped from being sent to the external recipient if EOP categorizes the message as spam?

The hosted mailbox is stamped with a ForwardingAddress to an external recipient. Will having a ForwardingSmtpAddress instead behave any differently in this case?

I'm not sure that's the EOP processing though, the Spam diagnostics event most likely reflects the built-in Exchange engine. Another possibility is that the event is added with some delay, due to the processing latency. In any case, checking the message headers should give you an answer whether EOP processed it and whether it flagged it as spam.


Open a support case to get a definitive answer on the order of events?
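Both replies come down to the same check: read the anti-spam headers on the copy that reached the external recipient and see whether EOP stamped it, in which direction, and with what verdict. The following script is an added example (not code from this thread, from Microsoft, or from any of the posters) that parses the `X-Forefront-Antispam-Report` and `X-MS-Exchange-Organization-SCL` headers EOP adds. The header samples are constructed for illustration; the field codes (SCL, SFV, CAT, DIR) and their meanings are the documented EOP ones, and the SCL >= 5 spam threshold is EOP's default.

```python
import email
from email import policy

# Meaning of the SFV (spam filtering verdict) codes in X-Forefront-Antispam-Report.
# SK* codes mean filtering was skipped, i.e. one of the bypasses the first reply asks about.
SFV_MEANING = {
    "SPM": "spam",
    "NSPM": "not spam",
    "SKN": "filtering skipped: marked not-spam before filtering (mail flow rule, safe sender)",
    "SKS": "filtering skipped: marked spam before filtering (mail flow rule)",
    "SKI": "filtering skipped: internal / intra-organization message",
    "SKA": "filtering skipped: sender on an allow list",
    "SKB": "filtering skipped: sender on a block list",
    "BLK": "blocked: sender on the recipient's Blocked Senders list",
}

# DIR tells you whether this stamp came from inbound or outbound spam processing.
DIR_MEANING = {"INB": "inbound", "OUT": "outbound", "INT": "internal"}

# Constructed sample: an inbound message that EOP marked as spam (SCL 5, SFV:SPM).
SAMPLE_INBOUND_SPAM = """\
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:5;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example.invalid;PTR:mail.example.invalid;CAT:SPM;SFTY:;SFS:;DIR:INB;
X-MS-Exchange-Organization-SCL: 5
From: sender@example.invalid
To: sharedbox@contoso.example
Subject: constructed sample

"""

# Constructed sample: filtering skipped because something marked it not-spam first.
SAMPLE_BYPASSED = """\
X-Forefront-Antispam-Report: CIP:203.0.113.11;CTRY:XX;LANG:en;SCL:-1;SRV:;IPV:NLI;
 SFV:SKN;H:mail.example.invalid;CAT:NONE;DIR:INB;
X-MS-Exchange-Organization-SCL: -1
From: sender@example.invalid
To: sharedbox@contoso.example
Subject: constructed sample

"""

# Constructed sample: no EOP report header at all.
SAMPLE_UNSCANNED = """\
From: sender@example.invalid
To: sharedbox@contoso.example
Subject: constructed sample

"""


def parse_antispam_report(report: str) -> dict:
    """Split a (possibly folded) X-Forefront-Antispam-Report value into KEY -> value."""
    flat = "".join(report.splitlines())  # drop any folding line breaks
    fields = {}
    for item in flat.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        fields[key.strip().upper()] = value.strip()
    return fields


def eop_verdict(raw_headers: str) -> dict:
    """Summarize what EOP stamped on a message, given its raw header block."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    report = msg.get("X-Forefront-Antispam-Report")
    if report is None:
        # No report header: EOP's filter never stamped this copy of the message.
        return {"scanned_by_eop": False}
    fields = parse_antispam_report(str(report))
    scl_text = str(fields.get("SCL") or msg.get("X-MS-Exchange-Organization-SCL") or "")
    scl = int(scl_text) if scl_text.lstrip("-").isdigit() else None
    sfv = fields.get("SFV", "")
    direction = fields.get("DIR", "")
    return {
        "scanned_by_eop": True,
        "scl": scl,
        "spam_verdict": scl is not None and scl >= 5,  # EOP default: SCL 5+ is spam
        "sfv": sfv,
        "sfv_meaning": SFV_MEANING.get(sfv, "unknown/absent"),
        "category": fields.get("CAT", ""),
        "direction": DIR_MEANING.get(direction, direction or "unknown"),
        "bypassed": sfv.startswith("SK"),
    }


if __name__ == "__main__":
    for name, sample in [("inbound spam", SAMPLE_INBOUND_SPAM),
                         ("bypassed", SAMPLE_BYPASSED),
                         ("unscanned", SAMPLE_UNSCANNED)]:
        print(name, "->", eop_verdict(sample))
```

Run it against the headers of the copy that landed in the external system: a `direction` of `outbound` confirms the first reply's theory that the trace shows post-redirect outbound processing, an `SK*` verdict points at a bypass (safe sender, connector, mail flow rule) to fix, and a missing report header means the filter never saw that copy at all.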