SOLVED

Transport rule for authenticated sender

%3CLINGO-SUB%20id%3D%22lingo-sub-1508912%22%20slang%3D%22en-US%22%3ETransport%20rule%20for%20authenticated%20sender%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1508912%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20exchange%20transport%20and%20EOP%20experts.%3C%2FP%3E%3CP%3EI%20have%20a%20transport%20rule%20in%20exchange%20online.%20The%20rule%20says%20that%20messages%20from%20authenticated%20sender%20%22randomdude%40somecompanynamehere.com%22%20should%20bypass%20spam%20filtering.%20Now%20I%20check%20message%20trace%20and%20see%20that%20some%20messages%20from%20this%20sender%20still%20get%20sent%20to%20Junk%20Folder.%20Messages%20get%20SCL-1%2C%20Spam%20Filtering%20Verdict%20SKN%2C%20IPV%3ANLI%2C%20BCL%200%2C%20spf%3Dpass%2C%26nbsp%3Bcompauth%3Dpass%20reason%3D109%20even%26nbsp%3Bdkim%3Dpass%20(signature%20was%20verified)%20and%20so%20on%2C%20all%20looks%20good.%20But%20why%20is%20it%20still%20marked%20as%20spam%20%3F%3C%2FP%3E%3CP%3EIt%20was%20not%20moved%20to%20Junk%20Mail%20folder%20by%20Outlook%20(I%20see%20it%20in%20Message%20trace).%3C%2FP%3E%3CP%3EThe%20sender%20is%20not%20in%20user's%20%22BlockedSendersAndDomains%22..%3C%2FP%3E%3CP%3EAny%20ideas%20appreciated%20!%20BR%2C%20Ruslan%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1508912%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1509620%22%20slang%3D%22en-US%22%3ERe%3A%20Transport%20rule%20for%20authenticated%20sender%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1509620%22%20slang%3D%22en-US%22%3E%3CP%3ESince%20you've%20already%20checked%20both%20message%20trace%20and%20the%20relevant%20headers%2C%20I'd%20suggest%20opening%20a%20support%20case.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1511677%22%20slang%3D%22en-US%22%3ERe%3A%20Transport%20rule%20for%20authenticated%20sender%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1511677%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3EThanks%20for%20the%20input.%20I%20might%20just%20have%20found%20the%20answer..%3C%2FP%3E%3CP%3ERan%20Extended%20message%20trace%20and%20found%20this%20%22DefaultFolderType%3AJunkEmail-Mailbox%20Rules%20Agent%22%20in%20the%20column%20%22recipient_status%22.%3C%2FP%3E%3CP%3EChecked%20recipient%20mailbox%20and%20found%20inbox%20rules%20that%20check%20for%20some%20random%20words%20in%20message%20body%26nbsp%3B%20and%20move%20the%20message%20to%20Junk%20Mail%20folder.%20This%20was%20probably%20in%20place%20as%20a%20form%20for%20protection%20against%20spam%20in%20pre-EOP%20times.%3C%2FP%3E%3CP%3ERemoved%20the%20inbox%20rule%2C%20hoping%20the%20problem%20is%20solved.%3C%2FP%3E%3CP%3EAnd%20i%20now%20notice%20the%20difference%20in%20headers%20between%20messages%20that%20were%20affected%20by%20this%20rule.%3C%2FP%3E%3CP%3EMessage%20in%20inbox%3A%20X-Microsoft-Antispam-Mailbox-Delivery%3A%20ucf%3A0%3Bjmr%3A0%3Bauth%3A0%3Bdest%3A%3CSTRONG%3EI%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EMessage%20in%20junk%3A%20X-Microsoft-Antispam-Mailbox-Delivery%3A%20ucf%3A1%3Bjmr%3A0%3Bauth%3A0%3Bdest%3A%3CSTRONG%3EJ%3BOFR%3ACustomRules%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWould%20be%20nice%20to%20see%20X-Microsoft-Antispam-Mailbox-Delivery%20documented%2C%20but%20this%20is%20probably%20not%20happening%20soon.%20%3A)%3C%2Fimg%3E%20BR%2C%20Ruslan%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

Hello exchange transport and EOP experts.

I have a transport rule in exchange online. The rule says that messages from authenticated sender "randomdude@somecompanynamehere.com" should bypass spam filtering. Now I check message trace and see that some messages from this sender still get sent to Junk Folder. Messages get SCL-1, Spam Filtering Verdict SKN, IPV:NLI, BCL 0, spf=pass, compauth=pass reason=109 even dkim=pass (signature was verified) and so on, all looks good. But why is it still marked as spam ?

It was not moved to Junk Mail folder by Outlook (I see it in Message trace).

The sender is not in user's "BlockedSendersAndDomains"..

Any ideas appreciated ! BR, Ruslan

 

2 Replies
Highlighted

Since you've already checked both message trace and the relevant headers, I'd suggest opening a support case.

Highlighted
Best Response confirmed by RNalivaika (Contributor)
Solution

@Vasil MichevThanks for the input. I might just have found the answer..

Ran Extended message trace and found this "DefaultFolderType:JunkEmail-Mailbox Rules Agent" in the column "recipient_status".

Checked recipient mailbox and found inbox rules that check for some random words in message body  and move the message to Junk Mail folder. This was probably in place as a form for protection against spam in pre-EOP times.

Removed the inbox rule, hoping the problem is solved.

And i now notice the difference in headers between messages that were affected by this rule.

Message in inbox: X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I

Message in junk: X-Microsoft-Antispam-Mailbox-Delivery: ucf:1;jmr:0;auth:0;dest:J;OFR:CustomRules

Would be nice to see X-Microsoft-Antispam-Mailbox-Delivery documented, but this is probably not happening soon. :) BR, Ruslan