• Status: Solved
  • Priority: Medium
  • Security: Public

Problems with Exchange 2010 transport rule based whitelist

I have created a transport rule to whitelist emails from specific senders.

Condition:  When the ‘From’ matches ‘@example.nl’
Action:     Set the spam confidence level to ‘-1’

For some reason several emails are still blocked by their original SCL value.

Below is an email header from an email that was not recognized, although the text ‘@vakmedianet.nl’ is in the whitelist condition.

Does anyone know why this email is not recognized by the whitelist transport rule?


-- Start email header ---------------------------------------------------------------------------------------------------------

[Received: from mail64.us4.mcsv.net (205.201.128.64) by mailserver.abcd.nl
 (213.163.67.230) with Microsoft SMTP Server id 14.1.421.2; Tue, 29 Jan 2013
 08:06:41 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail64.us4.mcsv.net;
 h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=vakinformatie=3Dvakmedianet.nl@mail64.us4.mcsv.net;
 bh=Cxwj8TbNCLBTjnBou2mrXh7TqFg=;
 b=tP/2ac/1s+X9l0ddRye4Zyloz7hXo7CabcoNm68nunHNF+pdhUqWa7ZJXV36EyzvLHiXtTpImssC
   RBvqYUVs2lGKqq26oRIYRzHzbgsTIKwZYwl41yW9eTD/ZkllMyIzBuXmoQwRvO/D9TTOPkNkpxfo
   eMH9p2c/5vspKoNHKqo=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail64.us4.mcsv.net;
 b=E940+6zqJfDTReKayX5X6fmjLFGQFs32kVlu7dVILQMdKfsFL2PtIVafw2Z6Bh6wx+nfiSpSIOR/
   xudJVY0WeTSlYQ26p6SvcZZVTMcZaWTFWPVbQh347FuZKYRD7kTb+TAseaPw05I3XJoJY6o5Bkag
   S1FPd/YRAlLY4lW9Tlo=;
Received: from (127.0.0.1) by mail64.us4.mcsv.net id h0tqg214huom for
 <medewerker@abcd.nl>; Tue, 29 Jan 2013 07:06:27 +0000 (envelope-from
 <bounce-mc.us1_883425.1243737-medewerker=abcd.nl@mail64.us4.mcsv.net>)
Subject: Uw eigen plan van aanpak voor Het Nieuwe Werken
From: =?utf-8?Q?Platform=20Over=20Het=20Nieuwe=20Werken?=
      <vakinformatie@vakmedianet.nl>
Reply-To: =?utf-8?Q?Platform=20Over=20Het=20Nieuwe=20Werken?=
      <vakinformatie@vakmedianet.nl>
To: =?utf-8?Q??= <medewerker@abcd.nl>
Date: Tue, 29 Jan 2013 07:06:27 +0000
Message-ID: <d0b0b3cc44b2b15b838dabb92f75e19d3f8.20130129070610@mail64.us4.mcsv.net>
X-Mailer: MailChimp Mailer - **CIDedbd0c3b96f75e19d3f8**
X-Campaign: mailchimpd0b0b3cc44b2b15b838dabb92.edbd0c3b96
X-campaignid: mailchimpd0b0b3cc44b2b15b838dabb92.edbd0c3b96
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=d0b0b3cc44b2b15b838dabb92&id=edbd0c3b96&e=f75e19d3f8
x-accounttype: pd
List-Unsubscribe: <mailto:unsubscribe-d0b0b3cc44b2b15b838dabb92-edbd0c3b96-f75e19d3f8@mailin1.us2.mcsv.net?subject=unsubscribe>, <http://vakmedianet.us1.list-manage.com/unsubscribe?u=d0b0b3cc44b2b15b838dabb92&id=7604c27550&e=f75e19d3f8&c=edbd0c3b96>
Sender: Platform Over Het Nieuwe Werken
      <vakinformatie=vakmedianet.nl@mail64.us4.mcsv.net>
x-mcda: FALSE
Content-Type: multipart/alternative;
      boundary="_----------=_MCPart_1314170861"
MIME-Version: 1.0
Return-Path: bounce-mc.us1_883425.1243737-medewerker=abcd.nl@mail64.us4.mcsv.net
X-MS-Exchange-Organization-AuthSource: mailserver.abcd.nl
X-MS-Exchange-Organization-AuthAs: Anonymous
X-ESET-AS: SCORE=70
X-MS-Exchange-Organization-SCL: 7
X-EsetResult: clean, is OK
X-EsetId: C5A8343C3AD2183397EF6F

-- End email header ----------------------------------------------------------------------------------------------------------
Asked by: ErikE01
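
An added example, not part of the original thread: a Python script that lists the sender identities present in the posted header (From, Sender, Return-Path, envelope-from), checks which of them end with the whitelist text, and shows which non-Exchange headers sit beside the SCL stamp. The function names are hypothetical and the sample is a trimmed copy of the header above; it does not reproduce Exchange's own rule matching.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: trimmed copy of the header posted in the question.
SAMPLE = """\
Received: from (127.0.0.1) by mail64.us4.mcsv.net id h0tqg214huom for
 <medewerker@abcd.nl>; Tue, 29 Jan 2013 07:06:27 +0000 (envelope-from
 <bounce-mc.us1_883425.1243737-medewerker=abcd.nl@mail64.us4.mcsv.net>)
From: =?utf-8?Q?Platform=20Over=20Het=20Nieuwe=20Werken?=
      <vakinformatie@vakmedianet.nl>
Sender: Platform Over Het Nieuwe Werken
      <vakinformatie=vakmedianet.nl@mail64.us4.mcsv.net>
Return-Path: bounce-mc.us1_883425.1243737-medewerker=abcd.nl@mail64.us4.mcsv.net
X-MS-Exchange-Organization-AuthAs: Anonymous
X-ESET-AS: SCORE=70
X-MS-Exchange-Organization-SCL: 7
"""

def sender_identities(raw):
    """Return every address a sender-based rule could be compared against."""
    msg = message_from_string(raw)
    ids = {name: parseaddr(msg.get(name, ""))[1].lower()
           for name in ("From", "Sender", "Return-Path")}
    # The envelope sender (SMTP MAIL FROM) is only visible in the Received line.
    m = re.search(r"envelope-from\s+<([^>]+)>", " ".join(msg.get_all("Received", [])))
    ids["envelope-from"] = m.group(1).lower() if m else ""
    return ids

def whitelist_hits(raw, pattern):
    """Map each identity to True when it ends with the whitelist text."""
    return {k: v.endswith(pattern.lower()) for k, v in sender_identities(raw).items()}

def scl_context(raw):
    """Return the SCL stamp and any non-Exchange X- headers seen beside it."""
    msg = message_from_string(raw)
    others = {k: v for k, v in msg.items()
              if k.lower().startswith("x-") and not k.lower().startswith("x-ms-exchange")}
    return msg.get("X-MS-Exchange-Organization-SCL"), others

if __name__ == "__main__":
    for field, hit in whitelist_hits(SAMPLE, "@vakmedianet.nl").items():
        print(f"{field:14} ends with whitelist text: {hit}")
    print(scl_context(SAMPLE))
```

Run against a full saved header, the same functions show at a glance which address fields differ from the visible From and which product's headers accompany the SCL value.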
 
wshty Commented:
Do you use the Exchange antispam feature / have it activated?

If that is so, my guess might be that the antispam feature takes action even before the message is handled by the transport rules.

Try adding the sender to the whitelist in the antispam section.

Regards
 
ErikE01 (Author) Commented:
Thanks for your quick response.

I have installed the antispam feature but all options are disabled. This problem also occurred before installation of this feature.
 
Simon Butler (Sembee), Consultant, Commented:
If it was happening before you installed the antispam agents then it isn't Exchange setting the SCL value. I am aware that other products do that as well - Trend is one I believe, but others do so. If the agents are disabled, then Exchange isn't doing the filtering.

Simon.
 
ErikE01 (Author) Commented:
Hello Simon,

The example email is received with an SCL=7. The part of the sender's email address (= '@vakmedianet.nl') is defined in the whitelist transport rule. So the transport rule should recognize the sender as whitelisted and change the SCL to -1.

Do you mean that another application changed the SCL back to 7 after the whitelist transport rule changed it to -1?
 
Simon Butler (Sembee), Consultant, Commented:
That is exactly what I am saying.
You said the problem occurred before installing the agents. That means it wasn't Exchange writing the header.

Simon.
 
ErikE01 (Author) Commented:
Have you any idea what kind of application this could be???
 
Simon Butler (Sembee), Consultant, Commented:
Antispam or AV with built in Antispam - I gave some suggestions above.

Simon.
 
ErikE01 (Author) Commented:
Yes, the SCL code is added to the emails by the virus checker NOD32. This happens before the transport rules are checking the email. So I still do not understand why the whitelist transport rule does not recognize the sender and does not reset the SCL value to -1???
 
Simon Butler (Sembee), Consultant, Commented:
Probably because Exchange didn't do it. I don't know, as I haven't used the NOD32 product.

Simon.
 
ErikE01 (Author) Commented:
Does anyone have a solution?
 
Simon Butler (Sembee), Consultant, Commented:
You cannot "Bump" questions on this site - the only people who see that are those that have already posted. I gave you what I believe to be the solution - the SCL value is being placed on the emails by something other than Exchange.

Simon.
 
ErikE01 (Author) Commented:
Thanks for your reaction and the effort you put into my question. I appreciate it, but I do not think your input is a solution for my problem. As I wrote before, this problem is only happening with some emails. For all the other emails, which also got their SCL value from NOD32, it is working well.
On the other hand, I think that the real problem is that the transport rule does not recognize some email addresses from the whitelist (condition: when the From matches ….). For all the other emails it is working well. So my question is why not always?
As an extra check I added a special message classification in the whitelist transport rule to the email that is recognized as whitelisted. Again some (not all!) emails that are on the whitelist are not recognized by the transport rule (the SCL <> -1 and the message has no classification). So the problem is not the SCL from NOD32.
Do you agree?
 
Simon Butler (Sembee), Consultant, Commented:
If you have a third party product that is writing to the headers as well as Exchange then you are going to get problems. The only way I would troubleshoot it is to remove the third party product, reboot and see if the problem continues. Disabling it is not enough, because it still has its hooks in Exchange.
Almost all "odd" behaviour I see in Exchange is caused by third party products, so is always the first thing that I will remove.

Simon.