Inconsistent results Exchange 2013 Transport Rule

I have a client who has multiple sites. Their exchange server receives "scan to email" emails from a Canon C2020 Digital Multifunction on a different site. To stop the Exchange 2013 Spam filter blocking the emails, I set up a Transport Rule.

The rule has the following properties
1. If the Sender Address matches
2. Set the SCL to 3
3. Generate an incident report and email to the system admin, and include the original email
4. Is the 3rd of 3 rules (the prior 2 add Disclaimers to outgoing emails depending on who the sender is)

Simple enough, right?

Wrong - some staff scan to email repeatedly and the scan arrives ok in their inbox.  Others, it simply will not let the email thru, and instead places the email into the Spam Mailbox.  I open the blocked email, click on Send Again and it arrives for the user.

Is the Transport Rule functionality buggy or prone to odd behaviour? I have sat and read through the Rule so many times it is tattooed onto my retina.

The Email addresses for all users are created by an Email address policy so all are a consistent format = Firstname + Surname 1st Initial@contoso.com.

There have been times where I have wondered if the rules are case sensitive when assessing the email addresses.

Any thoughts?

Results from Get-TransportRule:
[PS] C:\Windows\system32>Get-TransportRule "[Cust-sos-IN] Reset SCL on Scanner emails" | Format-List

RunspaceId                                   : 7f9c4f6e-7d35-409e-acf9-cbb272720b8c
Priority                                     : 2
DlpPolicy                                    :
DlpPolicyId                                  : 00000000-0000-0000-0000-000000000000
Comments                                     :
ManuallyModified                             : False
ActivationDate                               :
ExpiryDate                                   :
Description                                  : If the message:
                                                   Is sent to '' or
                                               '' or '' or
                                               '' or '' or
                                               '' or ''or...
                                                   and Includes these patterns in the From address:
                                               Take the following actions:
                                                   Set the spam confidence level (SCL) to '3'
                                                   and Send the incident report to, Include
                                               original mail

RuleVersion                                  :
Conditions                                   : {SentTo, FromAddressMatches}
Exceptions                                   :
Actions                                      : {SetSCL, GenerateIncidentReport}
State                                        : Enabled
Mode                                         : Enforce
RuleSubType                                  : None
UseLegacyRegex                               : False
From                                         :
FromMemberOf                                 :
FromScope                                    :
SentTo                                       : {,,
SentToMemberOf                               :
SentToScope                                  :
BetweenMemberOf1                             :
BetweenMemberOf2                             :
ManagerAddresses                             :
ManagerForEvaluatedUser                      :
SenderManagementRelationship                 :
ADComparisonAttribute                        :
ADComparisonOperator                         :
SenderADAttributeContainsWords               :
SenderADAttributeMatchesPatterns             :
RecipientADAttributeContainsWords            :
RecipientADAttributeMatchesPatterns          :
AnyOfToHeader                                :
AnyOfToHeaderMemberOf                        :
AnyOfCcHeader                                :
AnyOfCcHeaderMemberOf                        :
AnyOfToCcHeader                              :
AnyOfToCcHeaderMemberOf                      :
HasClassification                            :
HasNoClassification                          : False
SubjectContainsWords                         :
SubjectOrBodyContainsWords                   :
HeaderContainsMessageHeader                  :
HeaderContainsWords                          :
FromAddressContainsWords                     :
SubjectMatchesPatterns                       :
SubjectOrBodyMatchesPatterns                 :
HeaderMatchesMessageHeader                   :
HeaderMatchesPatterns                        :
FromAddressMatchesPatterns                   : {}
AttachmentNameMatchesPatterns                :
AttachmentExtensionMatchesWords              :
HasSenderOverride                            : False
MessageContainsDataClassifications           :
SenderIpRanges                               :
SCLOver                                      :
AttachmentSizeOver                           :
MessageSizeOver                              :
WithImportance                               :
MessageTypeMatches                           :
RecipientAddressContainsWords                :
RecipientAddressMatchesPatterns              :
SenderInRecipientList                        :
RecipientInSenderList                        :
AttachmentContainsWords                      :
AttachmentMatchesPatterns                    :
AttachmentIsUnsupported                      : False
AttachmentProcessingLimitExceeded            : False
AttachmentHasExecutableContent               : False
AnyOfRecipientAddressContainsWords           :
AnyOfRecipientAddressMatchesPatterns         :
ExceptIfFrom                                 :
ExceptIfFromMemberOf                         :
ExceptIfFromScope                            :
ExceptIfSentTo                               :
ExceptIfSentToMemberOf                       :
ExceptIfSentToScope                          :
ExceptIfBetweenMemberOf1                     :
ExceptIfBetweenMemberOf2                     :
ExceptIfManagerAddresses                     :
ExceptIfManagerForEvaluatedUser              :
ExceptIfSenderManagementRelationship         :
ExceptIfADComparisonAttribute                :
ExceptIfADComparisonOperator                 :
ExceptIfSenderADAttributeContainsWords       :
ExceptIfSenderADAttributeMatchesPatterns     :
ExceptIfRecipientADAttributeContainsWords    :
ExceptIfRecipientADAttributeMatchesPatterns  :
ExceptIfAnyOfToHeader                        :
ExceptIfAnyOfToHeaderMemberOf                :
ExceptIfAnyOfCcHeader                        :
ExceptIfAnyOfCcHeaderMemberOf                :
ExceptIfAnyOfToCcHeader                      :
ExceptIfAnyOfToCcHeaderMemberOf              :
ExceptIfHasClassification                    :
ExceptIfHasNoClassification                  : False
ExceptIfSubjectContainsWords                 :
ExceptIfSubjectOrBodyContainsWords           :
ExceptIfHeaderContainsMessageHeader          :
ExceptIfHeaderContainsWords                  :
ExceptIfFromAddressContainsWords             :
ExceptIfSubjectMatchesPatterns               :
ExceptIfSubjectOrBodyMatchesPatterns         :
ExceptIfHeaderMatchesMessageHeader           :
ExceptIfHeaderMatchesPatterns                :
ExceptIfFromAddressMatchesPatterns           :
ExceptIfAttachmentNameMatchesPatterns        :
ExceptIfAttachmentExtensionMatchesWords      :
ExceptIfSCLOver                              :
ExceptIfAttachmentSizeOver                   :
ExceptIfMessageSizeOver                      :
ExceptIfWithImportance                       :
ExceptIfMessageTypeMatches                   :
ExceptIfRecipientAddressContainsWords        :
ExceptIfRecipientAddressMatchesPatterns      :
ExceptIfSenderInRecipientList                :
ExceptIfRecipientInSenderList                :
ExceptIfAttachmentContainsWords              :
ExceptIfAttachmentMatchesPatterns            :
ExceptIfAttachmentIsUnsupported              : False
ExceptIfAttachmentProcessingLimitExceeded    : False
ExceptIfAttachmentHasExecutableContent       : False
ExceptIfAnyOfRecipientAddressContainsWords   :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride                    : False
ExceptIfMessageContainsDataClassifications   :
ExceptIfSenderIpRanges                       :
PrependSubject                               :
SetAuditSeverity                             :
ApplyClassification                          :
ApplyHtmlDisclaimerLocation                  :
ApplyHtmlDisclaimerText                      :
ApplyHtmlDisclaimerFallbackAction            :
ApplyRightsProtectionTemplate                :
SetSCL                                       : 3
SetHeaderName                                :
SetHeaderValue                               :
RemoveHeader                                 :
AddToRecipients                              :
CopyTo                                       :
BlindCopyTo                                  :
AddManagerAsRecipientType                    :
ModerateMessageByUser                        :
ModerateMessageByManager                     : False
RedirectMessageTo                            :
RejectMessageEnhancedStatusCode              :
RejectMessageReasonText                      :
DeleteMessage                                : False
Disconnect                                   : False
Quarantine                                   : False
SmtpRejectMessageRejectText                  :
SmtpRejectMessageRejectStatusCode            :
LogEventText                                 :
StopRuleProcessing                           : False
SenderNotificationType                       :
GenerateIncidentReport                       :
IncidentReportOriginalMail                   : IncludeOriginalMail
RouteMessageOutboundConnector                :
RouteMessageOutboundRequireTls               : False
Identity                                     : [Cust-sos-IN] Reset SCL on Scanner emails
DistinguishedName                            : CN=[Cust-sos-IN] Reset SCL on Scanner
Guid                                         : 5d1dbc9b-3718-4874-9552-296e8b98d874
ImmutableId                                  : 5d1dbc9b-3718-4874-9552-296e8b98d874
OrganizationId                               :
Name                                         : [Cust-sos-IN] Reset SCL on Scanner emails
IsValid                                      : True
WhenChanged                                  : 17/03/2015 2:37:06 PM
ExchangeVersion                              : 0.1 (8.0.535.0)
ObjectState                                  : Unchanged

Jian An Lim, Solutions Architect, commented:
Apparently the first email is from the internal network and the second email is from external.

My guess is that the sequence of the transport agents has changed.
The Content Filter agent has a higher priority than your transport rules agent.

If you run Get-TransportAgent
you will see the content filtering should be higher.

What you need to do is reprioritise your transport rule agent higher than content filtering.

If not, you can use
Set-ContentFilterConfig -BypassedRecipients <all email address that you want to exclude them from SCL>

Simon Butler (Sembee), Consultant, commented:
The first thing you need to do is open one of the messages that is in the Junk Email Filter folder and see whether it has an SCL value or not.
That will tell you if the rule is firing correctly.

mbkitmgr, Author, commented:
Thanks Simon, those that get blocked come thru with an SCL of 7. That certainly explains why they get classified as Spam, but why only some?

Simon Butler (Sembee), Consultant, commented:
Change the rule to set the SCL value as -1.
See whether that improves things.

mbkitmgr, Author, commented:
Hi Simon, I am guessing I am going to have to do this via the shell, as -1 isn't available via EAC (0-9)
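
The checks suggested in the replies above, collected as an added example for the Exchange Management Shell (not code posted by anyone in this thread): it lists the transport agent order, shows the content filter thresholds and bypass lists, sets the rule's SCL to -1 from the shell, and traces recent scans in the message tracking log. The rule name and subject line are taken from the thread; the one-day tracking window is an assumption.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 server.
# Rule name and subject line are the ones shown in this thread.
$ruleName = '[Cust-sos-IN] Reset SCL on Scanner emails'
$subject  = 'Your Scanned File'

# 1. List transport agents in priority order and pick out the two agents
#    discussed above, so their relative order can be compared.
$agents = Get-TransportAgent | Sort-Object Priority
$agents | Format-Table Identity, Enabled, Priority -AutoSize
foreach ($name in 'Transport Rule Agent', 'Content Filter Agent') {
    $agent = $agents | Where-Object { "$($_.Identity)" -eq $name }
    if ($agent) { '{0}: enabled={1}, priority={2}' -f $name, $agent.Enabled, $agent.Priority }
    else        { "$name is not listed by Get-TransportAgent" }
}

# 2. Show the content filter settings that decide what happens at a given SCL,
#    plus the current bypass lists.
Get-ContentFilterConfig |
    Format-List Enabled, SCLQuarantineEnabled, SCLQuarantineThreshold,
                SCLRejectEnabled, SCLRejectThreshold, QuarantineMailbox,
                BypassedRecipients, BypassedSenders, BypassedSenderDomains

# 3. Set the rule's SCL to -1 (the shell accepts -1 through 9), then read it back.
Set-TransportRule -Identity $ruleName -SetSCL -1
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Priority, SetSCL

# 4. After the next scan, follow the message through transport.
#    The one-day window is an assumption; widen it as needed.
$events = Get-MessageTrackingLog -MessageSubject $subject `
              -Start (Get-Date).AddDays(-1) -ResultSize Unlimited
$events | Sort-Object Timestamp |
    Where-Object { $_.EventId -in 'RECEIVE', 'AGENTINFO', 'DELIVER', 'FAIL' } |
    Format-Table Timestamp, EventId, Source, Sender, Recipients -AutoSize
```

Comparing the tracking events for a recipient whose scan was delivered with those for a recipient whose scan was quarantined shows at which stage the two messages diverge.
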

Jian An Lim, Solutions Architect, commented:

I saw your biggest problem.
You are claiming to send from a gmail address!!! That's a bad idea.

If you own the scanner and MFP, change it to <printer>

By doing so, any emails that are sent from an internal domain are by default considered "whitelisted".

Also, configure your receive connector to be "Exchange servers" and "Externally Secured".

You can also run
Set-ContentFilterConfig -BypassedRecipients <all email address that you want to exclude them from SCL>

Pick one of them (all of them meet the requirement, but of course some of them have pros/cons between them).
I reckon the Set-ContentFilterConfig is the easiest if you know what email address it is sending from...

mbkitmgr, Author, commented:
Thanks Limjianan.  

Canon themselves set the address when they established the machine, and the device is on a different site to the Exchange server.  The device sends the 'scan' email via the internet, no VPN.

I do agree about gmail - Canon have twice chosen to use a fictitious email address which in itself created issues.

It still doesn't clarify why say receives them unrestricted, yet gets blocked by the same Transport filter, from the same device.

Jian An Lim, Solutions Architect, commented:
Well, if you check your message headers on both, do you see them flowing through the same servers?

GUESSING game starts.
What would be your Exchange design? Multiple hubs or a single hub?
Could it be because one of your mailbox servers does not have transport rules turned on?
How long ago was your last change? Within 4 hours? (By default, all modifications take 4 hours to update unless you stop and start the transport services to make them effective.)
Is the message being protected? (Rules can't process protected messages.)

The list goes on and on.

mbkitmgr, Author, commented:
Hi Limjianan,

Excellent questions
1 Exchange 2013 Server only
I reset the Transport service when I update the rules, other times changes are made at night, and I wait and see the result the next morning
I've turned on logging but nothing is being logged

Jian An Lim, Solutions Architect, commented:
Can you attach the message headers, a successful and a failed one?

mbkitmgr, Author, commented:
Message Id: <20150319100119.0001.CanonTxNo.1311@Canon4C9CD4.home>
Subject: Your Scanned File
To: Admin,
Severity: Low
Override: No
False Positive: No
Rule Hit: [Cust-contoso-IN] Reset SCL on Scanner emails, Action: SetHeader, GenerateIncidentReport

Diagnostic information for administrators:
Generating server: Server1.Contoso.LOCAL
#550 5.2.1 Content Filter agent quarantined this message ##
Original message headers:
Received: from ( by ( with Microsoft SMTP Server (TLS) id
 15.0.516.32; Mon, 16 Mar 2015 10:10:46 +1100
Received: by pdjy10 with SMTP id y10so30564766pdj.1        for
 <>; Sun, 15 Mar 2015 16:10:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113;
X-Received: by with SMTP id b6mr68708438pdj.28.1426461044160;
        Sun, 15 Mar 2015 16:10:44 -0700 (PDT)
Return-Path: <>
Received: from Canon4C9CD4.home (
 [])        by with ESMTPSA id
 oq7sm13974300pac.32.2015.        for
 <>        (version=SSLv3 cipher=RC4-SHA
 bits=128/128);        Sun, 15 Mar 2015 16:10:42 -0700 (PDT)
X-Priority: 3 (Normal)
From: <>
To: Admin <>
Subject: Your Scanned File
Date: Mon, 16 Mar 2015 10:15:28 +1100
Message-ID: <20150316101528.0001.CanonTxNo.1281@Canon4C9CD4.home>
MIME-Version: 1.0
X-Mailer: Canon MFP
Content-Type: multipart/mixed; boundary="BAADNPAHDCDIDADFDADBBMAPAKAA"
Received-SPF: Pass (SERVER1.CONTOSO.LOCAL: domain of
 designates as permitted sender)
 receiver=SERVER11.CONTOSO.LOCAL; client-ip=;;
