Inconsistent results Exchange 2013 Transport Rule

I have a client who has multiple sites. Their exchange server receives "scan to email" emails from a Canon C2020 Digital Multifunction on a different site. To stop the Exchange 2013 Spam filter blocking the emails, I set up a Transport Rule.

The rule has the following properties
1.If the Sender Address matches canon.device@gmail.com
2.Set the SCL to 3
3.Generate an incident report and email to the system admin, and inlcude the original email
4.Is the 3rd of 3 rules (the prior 2 add Disclaimers to outgoing emails depending on who the sender is)


Simple enough right.

Wrong - some staff scan to email repeatedly and the scan arrives ok in their inbox.  Others, it simply will not let the email thru, and instead places the email into the Spam Mailbox.  I open the blocked email, click on Send Again and it arrives for the user.

Is the Transport Rule functionality buggy or prone to odd behaviour.  I have sat and read through the Rule so many times it is tattooed onto my retina.

The Email addresses for all users are created by an Email address policy so all are a consistent format = Firstname + Surname 1st Initial@contoso .com.

There have been times where I have wondered if the rules are case sensitive when assessing the email addresses.

Any thoughts.

Results fr9om Get-TransportRule
[PS] C:\Windows\system32>Get-TransportRule "[Cust-sos-IN] Reset SCL on Scanner emails" | Format-List


RunspaceId                                   : 7f9c4f6e-7d35-409e-acf9-cbb272720b8c
Priority                                     : 2
DlpPolicy                                    :
DlpPolicyId                                  : 00000000-0000-0000-0000-000000000000
Comments                                     :
ManuallyModified                             : False
ActivationDate                               :
ExpiryDate                                   :
Description                                  : If the message:
                                                   Is sent to 'Accounts@contoso.com' or
                                               'Administration@contoso.com' or 'Allan@contoso.com' or
                                               'FredaM@contoso.com' or 'Client.Services.Manager@contoso.com' or
                                               'DonnyY@contoso.com' or 'ElenB@contoso.com'or...
                                                   and Includes these patterns in the From address:
                                               'canon.device@gmail.com'
                                               Take the following actions:
                                                   Set the spam confidence level (SCL) to '3'
                                                   and Send the incident report to SharonK@contoso.com, Include
                                               original mail

RuleVersion                                  : 15.0.2.0
Conditions                                   : {SentTo, FromAddressMatches}
Exceptions                                   :
Actions                                      : {SetSCL, GenerateIncidentReport}
State                                        : Enabled
Mode                                         : Enforce
RuleSubType                                  : None
UseLegacyRegex                               : False
From                                         :
FromMemberOf                                 :
FromScope                                    :
SentTo                                       : {Accounts@contoso.com, Administration@contoso.com,
                                               AmandaC@contoso.com, AshleyM@contoso.com,
                                               Client.Services.Manager@contoso.com, DonnaY@contoso.com,
                                               EbonieB@contoso.com, FranR@contoso.com, Intake@contoso.com,
                                               JoP@contoso.com, LenoreL@contoso.com, MarinaL@contoso.com,
                                               NatashaS@contoso.com, NiamhS@contoso.com, UnaG@contoso.com,
                                               Helpdesk@Acontoso.com...}
SentToMemberOf                               :
SentToScope                                  :
BetweenMemberOf1                             :
BetweenMemberOf2                             :
ManagerAddresses                             :
ManagerForEvaluatedUser                      :
SenderManagementRelationship                 :
ADComparisonAttribute                        :
ADComparisonOperator                         :
SenderADAttributeContainsWords               :
SenderADAttributeMatchesPatterns             :
RecipientADAttributeContainsWords            :
RecipientADAttributeMatchesPatterns          :
AnyOfToHeader                                :
AnyOfToHeaderMemberOf                        :
AnyOfCcHeader                                :
AnyOfCcHeaderMemberOf                        :
AnyOfToCcHeader                              :
AnyOfToCcHeaderMemberOf                      :
HasClassification                            :
HasNoClassification                          : False
SubjectContainsWords                         :
SubjectOrBodyContainsWords                   :
HeaderContainsMessageHeader                  :
HeaderContainsWords                          :
FromAddressContainsWords                     :
SubjectMatchesPatterns                       :
SubjectOrBodyMatchesPatterns                 :
HeaderMatchesMessageHeader                   :
HeaderMatchesPatterns                        :
FromAddressMatchesPatterns                   : {canon.sos@gmail.com}
AttachmentNameMatchesPatterns                :
AttachmentExtensionMatchesWords              :
HasSenderOverride                            : False
MessageContainsDataClassifications           :
SenderIpRanges                               :
SCLOver                                      :
AttachmentSizeOver                           :
MessageSizeOver                              :
WithImportance                               :
MessageTypeMatches                           :
RecipientAddressContainsWords                :
RecipientAddressMatchesPatterns              :
SenderInRecipientList                        :
RecipientInSenderList                        :
AttachmentContainsWords                      :
AttachmentMatchesPatterns                    :
AttachmentIsUnsupported                      : False
AttachmentProcessingLimitExceeded            : False
AttachmentHasExecutableContent               : False
AnyOfRecipientAddressContainsWords           :
AnyOfRecipientAddressMatchesPatterns         :
ExceptIfFrom                                 :
ExceptIfFromMemberOf                         :
ExceptIfFromScope                            :
ExceptIfSentTo                               :
ExceptIfSentToMemberOf                       :
ExceptIfSentToScope                          :
ExceptIfBetweenMemberOf1                     :
ExceptIfBetweenMemberOf2                     :
ExceptIfManagerAddresses                     :
ExceptIfManagerForEvaluatedUser              :
ExceptIfSenderManagementRelationship         :
ExceptIfADComparisonAttribute                :
ExceptIfADComparisonOperator                 :
ExceptIfSenderADAttributeContainsWords       :
ExceptIfSenderADAttributeMatchesPatterns     :
ExceptIfRecipientADAttributeContainsWords    :
ExceptIfRecipientADAttributeMatchesPatterns  :
ExceptIfAnyOfToHeader                        :
ExceptIfAnyOfToHeaderMemberOf                :
ExceptIfAnyOfCcHeader                        :
ExceptIfAnyOfCcHeaderMemberOf                :
ExceptIfAnyOfToCcHeader                      :
ExceptIfAnyOfToCcHeaderMemberOf              :
ExceptIfHasClassification                    :
ExceptIfHasNoClassification                  : False
ExceptIfSubjectContainsWords                 :
ExceptIfSubjectOrBodyContainsWords           :
ExceptIfHeaderContainsMessageHeader          :
ExceptIfHeaderContainsWords                  :
ExceptIfFromAddressContainsWords             :
ExceptIfSubjectMatchesPatterns               :
ExceptIfSubjectOrBodyMatchesPatterns         :
ExceptIfHeaderMatchesMessageHeader           :
ExceptIfHeaderMatchesPatterns                :
ExceptIfFromAddressMatchesPatterns           :
ExceptIfAttachmentNameMatchesPatterns        :
ExceptIfAttachmentExtensionMatchesWords      :
ExceptIfSCLOver                              :
ExceptIfAttachmentSizeOver                   :
ExceptIfMessageSizeOver                      :
ExceptIfWithImportance                       :
ExceptIfMessageTypeMatches                   :
ExceptIfRecipientAddressContainsWords        :
ExceptIfRecipientAddressMatchesPatterns      :
ExceptIfSenderInRecipientList                :
ExceptIfRecipientInSenderList                :
ExceptIfAttachmentContainsWords              :
ExceptIfAttachmentMatchesPatterns            :
ExceptIfAttachmentIsUnsupported              : False
ExceptIfAttachmentProcessingLimitExceeded    : False
ExceptIfAttachmentHasExecutableContent       : False
ExceptIfAnyOfRecipientAddressContainsWords   :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride                    : False
ExceptIfMessageContainsDataClassifications   :
ExceptIfSenderIpRanges                       :
PrependSubject                               :
SetAuditSeverity                             :
ApplyClassification                          :
ApplyHtmlDisclaimerLocation                  :
ApplyHtmlDisclaimerText                      :
ApplyHtmlDisclaimerFallbackAction            :
ApplyRightsProtectionTemplate                :
SetSCL                                       : 3
SetHeaderName                                :
SetHeaderValue                               :
RemoveHeader                                 :
AddToRecipients                              :
CopyTo                                       :
BlindCopyTo                                  :
AddManagerAsRecipientType                    :
ModerateMessageByUser                        :
ModerateMessageByManager                     : False
RedirectMessageTo                            :
RejectMessageEnhancedStatusCode              :
RejectMessageReasonText                      :
DeleteMessage                                : False
Disconnect                                   : False
Quarantine                                   : False
SmtpRejectMessageRejectText                  :
SmtpRejectMessageRejectStatusCode            :
LogEventText                                 :
StopRuleProcessing                           : False
SenderNotificationType                       :
GenerateIncidentReport                       : SharonK@contoso.com
IncidentReportOriginalMail                   : IncludeOriginalMail
RouteMessageOutboundConnector                :
RouteMessageOutboundRequireTls               : False
Identity                                     : [Cust-sos-IN] Reset SCL on Scanner emails
DistinguishedName                            : CN=[Cust-sos-IN] Reset SCL on Scanner
                                               emails,CN=TransportVersioned,CN=Rules,CN=Transport
                                               Settings,CN=Contoso,CN=Microsoft
                                               Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=LOCAL
Guid                                         : 5d1dbc9b-3718-4874-9552-296e8b98d874
ImmutableId                                  : 5d1dbc9b-3718-4874-9552-296e8b98d874
OrganizationId                               :
Name                                         : [Cust-sos-IN] Reset SCL on Scanner emails
IsValid                                      : True
WhenChanged                                  : 17/03/2015 2:37:06 PM
ExchangeVersion                              : 0.1 (8.0.535.0)
ObjectState                                  : Unchanged
LVL 8
mbkitmgrAsked:
Who is Participating?
 
Jian An LimSolutions ArchitectCommented:
Apparently the first email is from internal network
the second email is from external.

from my guess, the sequence of the transport agent have changed.
Content Filter agent has higher priority then your transport rules agent

if you run Get-TransportAgent
you will see the content filtering should be higher.


What you need to do is to reprioritise your transport rule agent higher than content filtering

if not, you can use
Set-ContentFilterConfig -BypassedRecipients <all email address that you want to exclude them from SCL>
0
 
Simon Butler (Sembee)ConsultantCommented:
The first thing you need to do is open one of the messages that is in the Junk Email Filter folder and see whether it has an SCL value or not.
That will tell you if the rule is firing correctly.

Simon.
0
 
mbkitmgrAuthor Commented:
Thanks Simon,  those that get blocked come thru with an SCL of 7.  That certainly explains why they get classified as Spam, but why only some.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Simon Butler (Sembee)ConsultantCommented:
Change the rule to set the SCL value as -1.
See whether that improves things.

Simon.
0
 
mbkitmgrAuthor Commented:
Hi Simon, I am guessing I am going to have to do this via the shell, as -1 isn't available via EAC (0-9)
0
 
Jian An LimSolutions ArchitectCommented:
hi,

I saw your biggest problem.
You are claiming to send from a gmail address!!! thats a bad idea.

If you own the scanner and MFP, change it to <printer>@contoso.com

by doing so, any email that are sending from internal domain by default are consider "whitelist"

#############33
also, configure your receive connector to be "Exchange servers" and "Externally Secured"
#############


you can also run
Set-ContentFilterConfig -BypassedRecipients <all email address that you want to exclude them from SCL>

############

PIck one of them (all of them meet the requirement but of course certainly some of them have cons/pros between them)
i reckon the set-contentfilterconfig is the easiest if you know what email address it sending from...
0
 
mbkitmgrAuthor Commented:
Thanks Limjianan.  

Canon themselves set the address when they established the machine, and the device is on a different site to the Exchange server.  The device sends the 'scan' email via the internet, no VPN.

I do agree about gmail - Canon have twice chosen to use a fictitious email address which in itself created issues.

It still doesn't clarify why say UnaG@contoso.com receives them unrestricted, yet NiamhS@contoso.com gets blocked by the same Transport filter, from the same device.
0
 
Jian An LimSolutions ArchitectCommented:
well, if you check your message header on both, do you see them flowing through the same servers?

GUESSING game start.
what would be your Exchange design? multiple HUB or single hub?
could it because on of your mailbox servers do not have transport rules turn on?
how long ago you last change? within 4 hours ?(by default, all modify take 4 hours to update unless you stop start the transport services to make it effective)
is the message being protected? (rules can't process protected message)

the list goes on and on.
0
 
mbkitmgrAuthor Commented:
Hi Limjianan,

Excellent questions
1 Exchange 2013 Server only
I reset the Transport service when I update the rules, other times changes are made at night, and I wait and see the result the next morning
I've turned on logging but nothing is being logged
0
 
Jian An LimSolutions ArchitectCommented:
can you attached the message header, success and failed one ?
0
 
mbkitmgrAuthor Commented:
Successful
Message Id: <20150319100119.0001.CanonTxNo.1311@Canon4C9CD4.home>
Sender: canon.device@gmail.com
Subject: Your Scanned File
To: Admin, administration@contoso.com
Severity: Low
Override: No
False Positive: No
Rule Hit: [Cust-contoso-IN] Reset SCL on Scanner emails, Action: SetHeader, GenerateIncidentReport

Failed:
Diagnostic information for administrators:
Generating server: Server1.Contoso.LOCAL
administration@contoso.com
#550 5.2.1 Content Filter agent quarantined this message ##
Original message headers:
Received: from mail-pd0-f194.google.com (209.85.192.194) by
 mail.askitee.com.au (192.168.0.5) with Microsoft SMTP Server (TLS) id
 15.0.516.32; Mon, 16 Mar 2015 10:10:46 +1100
Received: by pdjy10 with SMTP id y10so30564766pdj.1        for
 <administration@contoso.com>; Sun, 15 Mar 2015 16:10:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=from:to:subject:date:message-id:mime-version:content-type;
        bh=FL9LwcqhlnrphLhWaVjFKu2BCVn+77DqOGVMzAK0+kE=;
        b=dONr1k+Q9L5bPiKej5ZxxrgfvJNk8B1KDlBOeoHO5LV0Pvk1zVXuuPvkqD9Qr1bYgG
         yY3EqaXqoaommTo0s+yUbPh1yRU3NvRcUlXA+Sg95Xv4Tgi5/9lMVGBlsIKxSq3rEJrM
         0wsLFjlr+Vjot3vjNWmiv1GVATFjQsqoMCoWP5BFL2i9txIvNTz/4+Qu64t9Hk7k6cLw
         YItgvtqycXhnedGKttGwR82kAtcPTgHQB09YdoPwjqoN0IO7E4cLdcAR4MDWvVaBJhnj
         LI6UDX4DXbzXkvb9Y9lKI5KzIqHz08xnJZSR6+itJ8ENr3kIIDJYnBi2jn4QmDlkFlP7
         6ggw==
X-Received: by 10.70.34.198 with SMTP id b6mr68708438pdj.28.1426461044160;
        Sun, 15 Mar 2015 16:10:44 -0700 (PDT)
Return-Path: <canon.device@gmail.com>
Received: from Canon4C9CD4.home (mur1247300.lnk.telstra.net.
 [120.150.189.147])        by mx.google.com with ESMTPSA id
 oq7sm13974300pac.32.2015.03.15.16.10.37        for
 <administration@contoso.com>        (version=SSLv3 cipher=RC4-SHA
 bits=128/128);        Sun, 15 Mar 2015 16:10:42 -0700 (PDT)
X-Priority: 3 (Normal)
From: <canon.device@gmail.com>
To: Admin <administration@contoso.com>
Subject: Your Scanned File
Date: Mon, 16 Mar 2015 10:15:28 +1100
Message-ID: <20150316101528.0001.CanonTxNo.1281@Canon4C9CD4.home>
MIME-Version: 1.0
X-Mailer: Canon MFP
Content-Type: multipart/mixed; boundary="BAADNPAHDCDIDADFDADBBMAPAKAA"
Received-SPF: Pass (SERVER1.CONTOSO.LOCAL: domain of canon.device@gmail.com
 designates 209.85.192.194 as permitted sender)
 receiver=SERVER11.CONTOSO.LOCAL; client-ip=209.85.192.194;
 helo=mail-pd0-f194.google.com;
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.