Reply emails being tagged with SCL 8 by FPE
-
Thursday, February 23, 2012 1:52 PM
I am reposting this here as it is likely a FPE issue and not an Exchange issue.
I wonder if anyone else has experienced the following issue. This started happening on the 14th of this month (February).
A number of users reported that they were not receiving replies to their emails. I checked the Edge server Forefront Protection for Exchange and found the messages in the quarantine. All of the emails in question are replies to messages that were originally sent from our organization. I forwarded the emails to the users, where they go directly into the junk mail folder. I disabled the quarantine for now, so I don't have to forward the several hundred emails a day to the users.
Upon looking at the headers for the email sent to junk, I noticed that all of them have a SCL rating of 8.
This only happens to reply emails. I tested this by sending an email from my company account to my Hotmail account. When I reply from my Hotmail account, the message gets an SCL rating of 8. It doesn't seem to matter if it is HTML or plain text formatted.
If I create a new email on my Hotmail account and send it to my company account, it makes it through to my inbox and has a SCL rating of -1. I then do a reply to send it back to Hotmail, followed up by a reply from the Hotmail account, and it makes it into my inbox with SCL -1.
It seems it is only happening when the message originates on my company account.
There have been no changes to our environment (Exchange 2010 SP1 RU4 14.01.0323.003). The only thing that has happened recently is we were experiencing a backpressure condition due to low drive space on the system drive of our Edge servers. This has been corrected, and both Edge servers rebooted.
I have forwarded the false positives to Cloudmark, but am not sure what good that will do.
All Replies
-
Thursday, February 23, 2012 4:19 PM
Hi,
can you post the header of such an email that is blocked with SCL 8.
Greetings
Christian
Christian Groebner MVP Forefront
-
Thursday, February 23, 2012 8:23 PM
Here is the header from one of the false positive replies. I have replaced the domain names and addresses.
Received: from EDG2010-02.mydomain.ca (192.168.210.30) by
EXCH03.mydomain.ca (192.168.9.155) with Microsoft SMTP Server
(TLS) id 14.1.323.3; Wed, 22 Feb 2012 10:39:56 -0500
Received: from snt0-omc4-s16.snt0.hotmail.com (192.168.254.47) by
EDG2010-02.mydomain.ca (192.168.210.30) with Microsoft SMTP Server id
14.1.323.3; Wed, 22 Feb 2012 10:40:12 -0500
Received: from SNT124-W65 ([65.55.90.201]) by snt0-omc4-s16.snt0.hotmail.com
with Microsoft SMTPSVC(6.0.3790.4675); Wed, 22 Feb 2012 07:39:54 -0800
Message-ID: <SNT124-W652AF87EA5CC413B6ACC5E9F640@phx.gbl>
Return-Path: myaddress@hotmail.com
Content-Type: multipart/alternative;
boundary="_9d2ac8c2-adec-4281-b520-f58d330634d0_"
X-Originating-IP: [38.xxx.xxx.50]
From: HeadBanger <myaddress@hotmail.com>
To: HeadBanger <myaddress@mydomain.ca>
Subject: RE: even more content filtering
Date: Wed, 22 Feb 2012 10:39:54 -0500
Importance: Normal
In-Reply-To: <19E3EEEE8C841A47B36B9D3CB8F25F981D0EE521@EXCH02.mydomain.ca>
References: <19E3EEEE8C841A47B36B9D3CB8F25F981D0EE521@EXCH02.mydomain.ca>
MIME-Version: 1.0
X-OriginalArrivalTime: 22 Feb 2012 15:39:54.0376 (UTC) FILETIME=[39216080:01CCF178]
X-MS-Exchange-Organization-PRD: hotmail.com
Received-SPF: SoftFail (EDG2010-02.mydomain.ca: domain of
transitioning myaddress@hotmail.com discourages use of 192.168.254.47 as
permitted sender)
X-MS-Exchange-Organization-Antispam-Report: v=1.1
cv=ukz1dqSfJ3S3J/0bdJL5mEzALG8cic6SdYk1Eygc9yc= c=1 sm=1 p=Wv8TmvcxyzoA:10
a=2eBvBoxqwgwA:10 a=8uJ5MO_MQBgA:10 a=E-JwmvP93WIA:10 a=qs3jR6NmdWIA:10
a=69EAbJreAAAA:8 a=tZnmZiot9oEfMIR6stcA:9 a=wPNLvfGTeEIA:10
a=vEwOpaGYuWQA:10 a=EfJqPEOeqlMA:10 a=1DY7g5_KOOBUihVBDEcA:9
a=voT-CVV6WmlUdOjwtxMA:7 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10
a=CvlzlqhRzCWVB14dZ5Uz4Q==:117;OrigIP:192.168.254.47;SCL:8
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-SCL: 8
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
X-MS-Exchange-Organization-AuthSource: EDG2010-02.mydomain.ca
X-MS-Exchange-Organization-AuthAs: Anonymous
Here is the header from one originated at Hotmail, and this was processed properly.
Received: from EDG2010-01.mydomain.ca (192.168.210.70) by
EXCH03.mydomain.ca (192.168.9.155) with Microsoft SMTP Server
(TLS) id 14.1.323.3; Wed, 22 Feb 2012 10:32:25 -0500
Received: from snt0-omc4-s3.snt0.hotmail.com (192.168.254.47) by
EDG2010-01.mydomain.ca (192.168.210.70) with Microsoft SMTP Server id
14.1.323.3; Wed, 22 Feb 2012 10:32:43 -0500
Received: from SNT124-W43 ([65.55.90.201]) by snt0-omc4-s3.snt0.hotmail.com
with Microsoft SMTPSVC(6.0.3790.4675); Wed, 22 Feb 2012 07:32:15 -0800
Message-ID: <SNT124-W432AC6F08B143718EEF7FE9F640@phx.gbl>
Return-Path: myaddress@hotmail.com
Content-Type: multipart/alternative;
boundary="_39116063-6b63-4678-9b84-611828f619b6_"
X-Originating-IP: [38.xxx.xxx.50]
From: HeadBanger <myaddress@hotmail.com>
To: HeadBanger <myaddress@mydomain.ca>
Subject: RE: content filter testing
Date: Wed, 22 Feb 2012 10:32:15 -0500
Importance: Normal
In-Reply-To: <19E3EEEE8C841A47B36B9D3CB8F25F981D0EE4FF@EXCH02.mydomain.ca>
References: <myaddress@hotmail.com discourages use of 192.168.254.47 as
permitted sender)
X-MS-Exchange-Organization-Antispam-Report: v=1.1
cv=Z+M1uew7r9IJ07sR7Pxy9xHUXsCGu9ggZAZUcelUYXY= c=1 sm=1 a=2eBvBoxqwgwA:10
a=8uJ5MO_MQBgA:10 a=E-JwmvP93WIA:10 a=-Gp7QfHLvJMA:10 a=69EAbJreAAAA:8
a=XyDhMT3WDX7jum2vUXgA:9 a=wPNLvfGTeEIA:10 a=vEwOpaGYuWQA:10
a=EfJqPEOeqlMA:10 a=vQecTRt7f9HgayHQbHkA:9 a=umNv76XBpSprEowG_E0A:7
a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10
a=CvlzlqhRzCWVB14dZ5Uz4Q==:117;OrigIP:192.168.254.47;SCL:-1
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
X-MS-Exchange-Organization-AuthSource: EDG2010-01.mydomain.ca
X-MS-Exchange-Organization-AuthAs: Anonymous
I can't see any substantial differences between the two messages other than the Anti-Spam report and SCL rating.
As a temporary fix, I have created a hub transport rule to strip out the X-MS-Exchange-Organization-SCL header line out of inbound messages. This will stop Exchange from putting the false positive in the junk mail folder, but also keeps Exchange from putting junk in there as well. The users will have to put up with a little extra junk mail in their inbox until I figure this out.
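The header comparison done by hand above can be scripted. This is an added example, not part of the original post: it reads the SCL and the Antispam-Report fields and flags high-SCL mail that answers a Message-ID from your own domain. The sample headers are constructed, and `triage` and `junk_threshold` are hypothetical names.

```python
import email
import re
from email import policy

SCL_HDR = "X-MS-Exchange-Organization-SCL"
REPORT_HDR = "X-MS-Exchange-Organization-Antispam-Report"
MSGID_HOST = re.compile(r"<[^<>@\s]+@([^<>\s]+)>")

# Constructed sample, modelled on the flagged reply in the thread (IDs shortened).
SAMPLE_FLAGGED = """\
From: HeadBanger <myaddress@hotmail.com>
Subject: RE: even more content filtering
In-Reply-To: <EXAMPLE0001@EXCH02.mydomain.ca>
X-MS-Exchange-Organization-Antispam-Report: v=1.1 c=1 sm=1
 a=EXAMPLE==:117;OrigIP:192.168.254.47;SCL:8
X-MS-Exchange-Organization-SCL: 8
"""
# Constructed sample: a brand-new message (no In-Reply-To) that was rated -1.
SAMPLE_CLEAN = """\
From: HeadBanger <myaddress@hotmail.com>
Subject: content filter testing
X-MS-Exchange-Organization-Antispam-Report: v=1.1 c=1 sm=1
 a=EXAMPLE==:117;OrigIP:192.168.254.47;SCL:-1
X-MS-Exchange-Organization-SCL: -1
"""

def triage(raw_headers, own_domain, junk_threshold=4):
    """Summarise the spam verdict and whether the mail answers one of our messages."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    report = str(msg.get(REPORT_HDR, ""))
    report_scl = re.search(r"SCL:(-?\d+)", report)
    orig_ip = re.search(r"OrigIP:([0-9A-Fa-f.:]+)", report)
    # Prefer the SCL header; if a transport rule stripped it, use the report's value.
    if msg.get(SCL_HDR) is not None:
        scl = int(str(msg[SCL_HDR]).strip())
    else:
        scl = int(report_scl.group(1)) if report_scl else None
    # Hosts of the Message-IDs this mail claims to answer.
    refs = " ".join(str(msg.get(h, "")) for h in ("In-Reply-To", "References"))
    own = own_domain.lower()
    reply_to_own = any(h.lower() == own or h.lower().endswith("." + own)
                       for h in MSGID_HOST.findall(refs))
    return {
        "scl": scl,
        "orig_ip": orig_ip.group(1) if orig_ip else None,
        "reply_to_own": reply_to_own,
        # junk_threshold is an assumed cut-off; use your organization's value.
        "suspect_false_positive": reply_to_own and scl is not None and scl > junk_threshold,
    }
```

Running `triage(SAMPLE_FLAGGED, "mydomain.ca")` marks the reply as a suspect false positive, and it still does so after the SCL header has been stripped, because the verdict is also recorded in the Antispam-Report.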
-
Friday, February 24, 2012 7:42 AM
Hi,
the reason why the emails are being blocked is Cloudmark detects those emails as spam. You can see this in the signature of Cloudmark:
X-MS-Exchange-Organization-Antispam-Report: v=1.1
cv=ukz1dqSfJ3S3J/0bdJL5mEzALG8cic6SdYk1Eygc9yc= c=1 sm=1 p=Wv8TmvcxyzoA:10
a=2eBvBoxqwgwA:10 a=8uJ5MO_MQBgA:10 a=E-JwmvP93WIA:10 a=qs3jR6NmdWIA:10
a=69EAbJreAAAA:8 a=tZnmZiot9oEfMIR6stcA:9 a=wPNLvfGTeEIA:10
a=vEwOpaGYuWQA:10 a=EfJqPEOeqlMA:10 a=1DY7g5_KOOBUihVBDEcA:9
a=voT-CVV6WmlUdOjwtxMA:7 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10
a=CvlzlqhRzCWVB14dZ5Uz4Q==:117;OrigIP:192.168.254.47;SCL:8
What you can do now is to submit samples to Cloudmark (http://technet.microsoft.com/en-us/library/dd639396.aspx)
Reporting false positives and missed spam
Information about false negatives and false positives is used by the antispam engine maker to improve the performance of the engine.
To submit false positive or false negative spam e-mail messages, send the e-mail as an RFC 2822 attachment. Do not send misclassified messages by using the Forward command; this strips them of essential header information and will result in an invalid submission.
Send the original e-mail message for analysis to:
- For false negatives: Forefront-spam@submit.cloudmark.com
- For false positives: Forefront-legit@submit.cloudmark.com
To attach an e-mail message as an RFC 2822 attachment
- In Microsoft Outlook, create a new e-mail message.
- Address it to the appropriate address.
- Click the Attach Item button, select the e-mails that were falsely classified, and then click OK.
Greetings
Christian
Christian Groebner MVP Forefront
- Marked As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator), Tuesday, February 28, 2012 6:50 AM
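The same submission can be assembled outside Outlook. This is an added example, not part of the original answer: it wraps each misclassified message as a message/rfc822 attachment and checks that the original headers survive serialization. The sample message and the sender address are constructed, and `build_submission` and `attached_headers` are hypothetical names.

```python
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Submission addresses as given in the answer above.
SUBMIT_TO = {
    "false_positive": "Forefront-legit@submit.cloudmark.com",
    "false_negative": "Forefront-spam@submit.cloudmark.com",
}

# Constructed sample of a misclassified reply (placeholder domains and IDs).
SAMPLE_ORIGINAL = """\
From: HeadBanger <myaddress@hotmail.com>
To: HeadBanger <myaddress@mydomain.ca>
Subject: RE: even more content filtering
In-Reply-To: <EXAMPLE0001@EXCH02.mydomain.ca>
X-MS-Exchange-Organization-SCL: 8

Reply body.
"""

def build_submission(originals, kind, sender):
    """Wrap each raw RFC 2822 message as a message/rfc822 attachment."""
    sub = EmailMessage()
    sub["From"] = sender            # hypothetical reporting mailbox
    sub["To"] = SUBMIT_TO[kind]     # KeyError on an unknown kind is intended
    sub["Subject"] = f"{kind} submission, {len(originals)} attached"
    sub.set_content("Misclassified messages attached unmodified.")
    for raw in originals:
        original = message_from_string(raw, policy=policy.default)
        # Attaching a message object yields a message/rfc822 part, so the
        # original header block travels with it unchanged.
        sub.add_attachment(original)
    return sub

def attached_headers(wire_bytes, name):
    """Re-parse a serialized submission; return `name` from each attached message."""
    sub = message_from_bytes(wire_bytes, policy=policy.default)
    return [str(part.get_content()[name]).strip()
            for part in sub.iter_attachments()
            if part.get_content_type() == "message/rfc822"]
```

The returned message can be handed to `smtplib.SMTP.send_message`; `attached_headers(sub.as_bytes(), "X-MS-Exchange-Organization-SCL")` confirms the antispam headers are still present in each attachment.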
-
Friday, February 24, 2012 2:26 PM
Hi Christian. Thanks for the response. I sent a few of them to Cloudmark already, as stated in my original post.
Does it help if I send more? How long does it take them to correct the issue? Should I expect anyone from Cloudmark to contact me, or do they hide behind an email firewall?
I have excluded myself and a couple of more people in my department from the transport rule, so we can test and monitor the condition.
Hopefully the issue is resolved soon, so I can disable the rule and re-enable the quarantine.
-
Friday, February 24, 2012 8:14 PM
Hi,
in my opinion submitting more samples will support Cloudmark in adjusting their patterns, but I would not expect someone from Cloudmark contacting you.
I've submitted some samples to Cloudmark and within one or two weeks in my case the spam was away.
Greetings
Christian
Christian Groebner MVP Forefront
-
Friday, March 02, 2012 7:06 PM
I have been testing the condition every day, and emailing the false positives to Cloudmark. This morning's test was successful, so it looks like my submissions to Cloudmark have been accepted and processed.
-
Monday, March 05, 2012 10:25 AM
Hi,
good to hear that Cloudmark has processed your samples and it's working right now!
Thanks for your feedback.
Greetings
Christian
Christian Groebner MVP Forefront

