FSE Marking ALL Inbound Email as Spam due to Content

    Question

  • New installation. All inbound mails are marked as Spam by Cloudmark for Content. From anyone: Yahoo, Gmail, Hotmail, O365... all mail (even when testing from the Edge server itself to itself by telnet 127.0.0.1 25).

    New, greenfield installation:

    • Windows Server 2012 DCs, Windows Server 2012 functional level
    • Exchange 2013 All roles (CAS/Mailbox) on Windows Server 2012
    • Exchange 2010 Edge Server with Forefront Protection for Exchange 2010 on Windows 2008R2
    • Cloudmark engine is updating successfully and shows today's date as the version.

    ALL emails inbound

    Logs show: 

    • When I set Forefront to stamp and continue processing (it goes into junk mail):  "FSE Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,9"
    • When I reject:  "FSE Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected due to content restrictions,SclAtOrAboveRejectThreshold,9,v=2.1 cv=M6V0dUAs c=0 sm=1 tr=0 p=PdbawN1DAAAA:8 a=mFs5E60Zd2Jof9JknIyuNg==:117 a=dOjwkhujJHM2b/QMFULrXQ==:17 a=nDghuxUhq_wA:10 a=UzMy6eNlxVsA:10 a=pGLkceISAAAA:8 a=1XWaLZrsAAAA:8"
    • When I quarantine: "FSE Content Filter Agent,OnEndOfData,QuarantineMessage,550 5.2.1 Content Filter agent quarantined this message,SclAtOrAboveQuarantineThreshold,9,v=2.1 cv=ep3mkOZX c=0 sm=1 tr=0 p=PdbawN1DAAAA:8 a=WkljmVdYkabdwxfqvArNOQ==:117 a=8rjiAUXplIkA:10 a=YaFYD9Hhv54A:10 a=uBmvdUkjAAAA:8"

    Messages are simply "This is a test" messages.

    Product appears to be activated.


    • Edited by Bob Peck Thursday, August 22, 2013 10:06 AM
    Thursday, August 22, 2013 12:39 AM
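
Added example (not part of the original thread or of any Microsoft tooling): a Python check over agent-log fragments like those quoted in the question, flagging a content filter that gives every message the same top SCL. The column order and the names `parse_fragments`, `scl_summary` and `min_msgs` are assumptions made for this example; the sample lines are constructed from the quoted ones with the Diagnostics value shortened.

```python
import csv
from collections import Counter

AGENT = "FSE Content Filter Agent"

# Constructed sample: the fragments quoted in the question, Diagnostics shortened.
# Assumed column order from the Agent column onward:
# Agent, Event, Action, SmtpResponse, Reason, ReasonData, Diagnostics.
SAMPLE = """\
FSE Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,9
FSE Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected due to content restrictions,SclAtOrAboveRejectThreshold,9,v=2.1 cv=M6V0dUAs c=0 sm=1 tr=0
FSE Content Filter Agent,OnEndOfData,QuarantineMessage,550 5.2.1 Content Filter agent quarantined this message,SclAtOrAboveQuarantineThreshold,9,v=2.1 cv=ep3mkOZX c=0 sm=1 tr=0
"""


def parse_fragments(text):
    """Return one dict per content-filter line that carries a numeric SCL."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) < 6 or rec[0].strip() != AGENT:
            continue  # other agents, blank or truncated lines
        try:
            scl = int(rec[5])  # ReasonData holds the SCL (-1 to 9)
        except ValueError:
            continue
        rows.append({"action": rec[2], "reason": rec[4], "scl": scl})
    return rows


def scl_summary(rows, high=9, min_msgs=3):
    """Summarise verdicts and flag a filter that scores everything at `high`."""
    scores = Counter(r["scl"] for r in rows)
    total = len(rows)
    share = scores[high] / total if total else 0.0
    return {
        "total": total,
        "actions": dict(Counter(r["action"] for r in rows)),
        "share_at_high": share,
        # Mixed inbound mail yields a spread of scores; every message at the
        # top score, trivial test mail included, points at the filter itself
        # rather than at the mail content.
        "filter_suspect": total >= min_msgs and share == 1.0,
    }


if __name__ == "__main__":
    print(scl_summary(parse_fragments(SAMPLE)))
```
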

All replies

  • Hi

    I think you have encountered a problem where all incoming mails are treated as SPAM. The information that you provided indicates that these mails were marked with SCL rating 9, which will be deleted, rejected or quarantined. However, normal mails should be marked as SCL-1 and these mails usually can be forwarded.

    Please check the configuration with following steps:

    1. What are the allow words or block words you defined before?
    2. How did you dispatch SCL ratings for different mails?
    3. How were the mails treated in each SCL rating?

    You are able to get more information about “SPAM content filter” from the links below:

    Understanding Anti-Spam and Antivirus Mail Flow

    http://technet.microsoft.com/en-us/library/aa997242.aspx

    Configuring spam filtering

    http://technet.microsoft.com/en-us/library/dd441022.aspx#contentf

    Microsoft Forefront Protection 2010 for Exchange Server

    http://technet.microsoft.com/en-us/library/cc482977.aspx

    Monday, August 26, 2013 1:30 AM
    Moderator
  • I am having the same problem: Windows 2008 R2, Exchange 2010 - a single Exchange Server performing all roles.

    Since I had a power outage 2 nights ago, ALL email is getting marked as SCL 9.

    I did not change ANY FSE/Cloudmark definitions for over a year.

    What do I do now?

    regards,

    mlavie

    Monday, March 24, 2014 2:16 PM
  • Hi mlavie,

    you don't get Cloudmark definitions because it uses online signatures.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Tuesday, March 25, 2014 6:07 AM
  • Hi Christian,

    When I said I hadn't changed Cloudmark definitions, I meant that I hadn't changed my allowed/blocked list content filtering settings. Yet, ALL incoming email is being blocked.

    Regards,

    mlavie

    Tuesday, March 25, 2014 7:30 AM
  • Hi,

    Is it working when you disable the content filter?

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Tuesday, March 25, 2014 7:46 AM
  • Hi Christian - disabling content filter allows all the emails in.

    Again, the problem seems to have started at about the same time that I had a power outage on the server. I did not make any configuration changes nor did I install any new software whatsoever on that server recently.

    mlavie

    Tuesday, March 25, 2014 7:53 AM
  • Hi,

    What you can try is to move all items of the folder "C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\amd64\Cloudmark" into another directory and restart the services of FPE. After that, update the engines; this forces the Cloudmark engine to be downloaded again.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Tuesday, March 25, 2014 8:28 PM
  • Hi Christian,

    I actually did an entire uninstall/install of FSE. Still no joy. So I had to disable content filtering. As I am currently traveling, I haven't had the chance to open a support incident with Microsoft.

    However - I have a question: I was using an MX backup service, whose MX server was itself blacklisted on one of the blacklists on which Cloudmark relies - LashBack. Could this have been causing the behavior that all incoming email was being rejected? I ask because this is about the same time that Verizon.net (who relies on Cloudmark, allegedly) stopped letting my emails through to their customers.

    Regards,

    mlavie

    Wednesday, April 02, 2014 2:46 AM
  • Hi,

    If the mails have been delivered over the backup MX then this could be the cause. Have you tried to remove the backup MX record for your domain?

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Wednesday, April 02, 2014 3:58 PM
  • Hi,

    I think I may have solved this. After nearly giving up, I noticed that about the same time, Verizon.net (a large USA ISP) started rejecting emails from my server. I contacted Verizon support, who told me I had been blacklisted. They would not tell me who runs their blacklists, but some Googling showed it to (apparently) be...

    ...

    ... Cloudmark.

     

    After I did everything Verizon recommended to do, I was no longer on their blacklist - and - my server started letting in email again.

    It would appear that Forefront for Exchange was being told by Cloudmark that its own Exchange Server was a threat, and therefore blocked anything coming through it. On one hand, this makes sense. On the other hand, if I am correct, then Forefront should have given an indication of the reason for this exceptional situation.

     

    Regards,

    mlavie

    Thursday, April 10, 2014 2:05 PM