Hi everyone, thanks for reading.
We have set up an Exchange 2016 server next to the old 2010 installation. All external mail arrives at a Linux machine first which does some virus scanning and then sends the mail to Exchange 2016, after which it gets delivered in the mailboxes which are still on 2010. Our employees are now complaining about lots of spam arriving in their mailbox, while anti-spam is enabled (sender and content filtering) and configured on Exchange 2016. Somehow, in the mail headers, I see the following information for a mail that's definitely spam (I have replaced the real server names with "TheLinuxServer" and "Exchange2016Server"):
14 X-Virus-Scanned-By "TheLinuxServer". Result: CLEAN.
15 X-Spam-Score 14.348 (**************) BAYES_99,BAYES_999,FSL_HELO_BARE_IP_1,RCVD_NUMERIC_HELO,RDNS_NONE,STOX_REPLY_TYPE,STOX_REPLY_TYPE_WITHOUT_QUOTES,SUBJECT_NEEDS_ENCODING,SUBJ_ILLEGAL_CHARS,TVD_RCVD_IP,TVD_RCVD_IP4,URI_ONLY_MSGID_MALF
16 X-Scanned-By MIMEDefang 2.73 on 18.104.22.168
17 Return-Path "SpammersMailAddress"
18 X-MS-Exchange-Organization-SCL 7
19 X-MS-Exchange-Organization-PCL 2
20 X-MS-Exchange-Organization-Antispam-Report DV:3.3.5705.600;OrigIP:"SpammersIP"
21 X-MS-Exchange-Organization-AuthSource "Exchange2016Server"
22 X-MS-Exchange-Organization-AuthAs Anonymous
23 X-MS-Exchange-Organization-Antispam-Report MessageSecurityAntispamBypass
24 X-MS-Exchange-Organization-AVStamp-Mailbox MSFTFF;1;0;0 0 0
Why does it have the Antispam-Report twice and why does the second report say the message bypassed the anti-spam, with a spam score of +14 and an SCL of 7? It didn't do that before we had 2016 anti-spam...
If you need more info, feel free to ask. I don't want to make this post longer than necessary... Thanks in advance!