Jan 27 2018 08:14 AM
Question related to the transport pipeline in EXO with ATP
Scenario:
We have shared mailboxes that are set with ForwardingAddress/ForwardingSmtpAddress addresses.
Issue:
Malicious/spam messages directed to the mailbox are quarantined; however, the redirect to the external recipient happens early in the transport pipeline, so the message is redirected before it is deemed spam/malicious and sent to EUQ.
Sample trace:
Date Event Detail
---- ----- ------
1/25/2018 8:50:21 PM Receive Message received by: MWHPR0101MB3086
1/25/2018 8:50:21 PM Redirect The message was directed to extuser@abc.c.
1/25/2018 8:50:26 PM Spam No detail information available.
1/25/2018 8:50:27 PM Receive Message received by: BY2NAM05HT086
1/25/2018 8:50:28 PM Send Message sent to mytenant.mail.protection.o...
1/25/2018 8:50:28 PM Send Message sent to quarantine.
Question:
Is this normal behavior? I would think that the message should be held for a redirect event until EOP/ATP deems the message safe before it is redirected to the forwarding address.
The behavior is causing us some pain, as spam messages directed to the mailboxes get to the external recipients, which in our case is a Salesforce email-to-case platform, causing it to create non-relevant Salesforce cases.
Looking for inputs on this behavior. Appreciate your feedback. Thanks.
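As an added example, not part of the original thread: a small Python check that parses message-trace rows in the format pasted above and reports Redirect events that fired before the Spam verdict on a message that was ultimately sent to quarantine, so this forwarding leak can be spotted across many traces rather than by eye. The event names and the "directed to" wording of the Redirect detail are assumed from the rows shown in this post.

```python
import re
from datetime import datetime
from typing import List, NamedTuple


class TraceEvent(NamedTuple):
    when: datetime
    event: str
    detail: str


# One "Date Event Detail" row of an Exchange Online message trace (assumed format,
# taken from the rows pasted in the post above).
_ROW = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(\w+)\s+(.*)$")


def parse_trace(text: str) -> List[TraceEvent]:
    """Parse trace rows into events, oldest first; header/separator lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            events.append(TraceEvent(when, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e.when)


def redirects_before_spam_verdict(events: List[TraceEvent]) -> List[str]:
    """Return the targets of Redirect events that happened no later than the Spam
    verdict on a message that was then sent to quarantine (i.e. a likely leak)."""
    spam_at = next((e.when for e in events if e.event == "Spam"), None)
    quarantined = any(e.event == "Send" and "quarantine" in e.detail.lower() for e in events)
    if spam_at is None or not quarantined:
        return []
    leaked = []
    for e in events:
        if e.event == "Redirect" and e.when <= spam_at:
            m = re.search(r"directed to (\S+?)\.?$", e.detail)
            leaked.append(m.group(1) if m else e.detail)
    return leaked


# The trace from the post above, used as sample input.
SAMPLE_TRACE = """Date Event Detail
---- ----- ------
1/25/2018 8:50:21 PM Receive Message received by: MWHPR0101MB3086
1/25/2018 8:50:21 PM Redirect The message was directed to extuser@abc.c.
1/25/2018 8:50:26 PM Spam No detail information available.
1/25/2018 8:50:27 PM Receive Message received by: BY2NAM05HT086
1/25/2018 8:50:28 PM Send Message sent to mytenant.mail.protection.o...
1/25/2018 8:50:28 PM Send Message sent to quarantine."""

if __name__ == "__main__":
    for target in redirects_before_spam_verdict(parse_trace(SAMPLE_TRACE)):
        print("redirected before spam verdict:", target)
```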
Jan 27 2018 10:04 AM
How did the message get there in the first place? Is it perhaps internal mail or affected by any form of anti-spam bypass (safe senders, safe domains, internal connectors, a mail flow rule setting the SCL, etc.)? My point being, the events you see in the trace might be the *outbound* spam processing, which of course will take place after the message was redirected.
In any case, get the header information and the trace results and open a support case; they should be able to give you a proper answer.
Jan 29 2018 07:27 AM
Thank you Vasil for your inputs. Appreciate it.
The message is coming in from external, and EOP stamps and recognizes the message as spam and sends it to quarantine; however, the redirect event for the message happens early in the pipeline, which forwards the message to the external recipient, which is what we are trying to avoid.
See attached trace.
Is there a way to have the redirect occur after the spam verdict, or have it dropped from being sent to the external recipient if EOP categorizes the message as spam?
The hosted mailbox is stamped with a ForwardingAddress to an external recipient. Will having a ForwardingSmtpAddress instead behave any differently in this case?
Jan 29 2018 10:49 AM
I'm not sure that's the EOP processing, though; the Spam diagnostics event most likely reflects the built-in Exchange engine. Another possibility is that the event is added with some delay, due to processing latency. In any case, checking the message headers should give you an answer as to whether EOP processed it and whether it flagged it as spam.
Open a support case to get a definitive answer on the order of events.