Reply emails being tagged with SCL 8 by FPE

    Question

  • I am reposting this here as it is likely a FPE issue and not an Exchange issue.

    I wonder if anyone else has experienced the following issue. This started happening on the 14th of this month (February).

    A number of users reported that they were not receiving replies to their emails. I checked the Edge server Forefront Protection for Exchange and found the messages in the quarantine. All of the emails in question are replies to messages that were originally sent from our organization. I forwarded the emails to the users, where they go directly into the junk mail folder. I disabled the quarantine for now, so I don't have to forward the several hundred emails a day to the users.

    Upon looking at the headers for the email sent to junk, I noticed that all of them have a SCL rating of 8.

    This only happens to reply emails. I tested this by sending an email from my company account to my Hotmail account. When I reply from my Hotmail account, the message gets an SCL rating of 8. It doesn't seem to matter if it is HTML or plain text formatted.

    If I create a new email on my Hotmail account and send it to my company account, it makes it through to my inbox and has a SCL rating of -1. I then do a reply to send it back to Hotmail, followed up by a reply from the Hotmail account, and it makes it into my inbox with SCL -1.

    It seems it is only happening when the message originates on my company account.

    There have been no changes to our environment (Exchange 2010 SP1 RU4 14.01.0323.003). The only thing that has happened recently is we were experiencing a backpressure condition due to low drive space on the system drive of our Edge servers. This has been corrected, and both Edge servers rebooted.

    I have forwarded the false positives to Cloudmark, but am not sure what good that will do.

    23 February 2012 13:52

Answer

  • Hi,

    the reason why the emails are being blocked is Cloudmark detects those emails as spam. You can see this in the signature of Cloudmark:

    X-MS-Exchange-Organization-Antispam-Report: v=1.1
    cv=ukz1dqSfJ3S3J/0bdJL5mEzALG8cic6SdYk1Eygc9yc= c=1 sm=1 p=Wv8TmvcxyzoA:10
    a=2eBvBoxqwgwA:10 a=8uJ5MO_MQBgA:10 a=E-JwmvP93WIA:10 a=qs3jR6NmdWIA:10
    a=69EAbJreAAAA:8 a=tZnmZiot9oEfMIR6stcA:9 a=wPNLvfGTeEIA:10
    a=vEwOpaGYuWQA:10 a=EfJqPEOeqlMA:10 a=1DY7g5_KOOBUihVBDEcA:9
    a=voT-CVV6WmlUdOjwtxMA:7 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10
    a=CvlzlqhRzCWVB14dZ5Uz4Q==:117;OrigIP:192.168.254.47;SCL:8

    What you can do now is to submit samples to Cloudmark (http://technet.microsoft.com/en-us/library/dd639396.aspx)

    Reporting false positives and missed spam


    Information about false negatives and false positives is used by the antispam engine maker to improve the performance of the engine.

    To submit false positive or false negative spam e-mail messages, send the e-mail as an RFC 2822 attachment.  Do not send misclassified messages by using the Forward command; this strips them of essential header information and will result in an invalid submission.

    Send the original e-mail message for analysis to:

    • For false negatives: Forefront-spam@submit.cloudmark.com
    • For false positives: Forefront-legit@submit.cloudmark.com

    To attach an e-mail message as an RFC 2822 attachment

    1. In Microsoft Outlook, create a new e-mail message.

    2. Address it to the appropriate address.

    3. Click the Attach Item button, select the e-mails that were falsely classified, and then click OK.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    24 February 2012 7:42
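The submission procedure in the answer above, scripted as an added example (not part of the original thread): the untouched original is wrapped as a message/rfc822 part so its anti-spam headers survive, which the Forward command would not preserve. The reporter address, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import SMTP

# refold_source="none" re-emits parsed headers exactly as they were received.
POLICY = SMTP.clone(refold_source="none")
FALSE_POSITIVE = "Forefront-legit@submit.cloudmark.com"
FALSE_NEGATIVE = "Forefront-spam@submit.cloudmark.com"

# Constructed sample of a quarantined reply (not a message from the thread).
ORIGINAL = (
    b"Received: from mail.example.net (203.0.113.7) by edge.example.org\r\n"
    b"From: Sender <sender@example.net>\r\n"
    b"To: User <user@example.org>\r\n"
    b"Subject: RE: test\r\n"
    b"X-MS-Exchange-Organization-Antispam-Report: v=1.1 c=1;OrigIP:203.0.113.7;SCL:8\r\n"
    b"X-MS-Exchange-Organization-SCL: 8\r\n"
    b"\r\n"
    b"Reply body\r\n"
)

def build_submission(raw, reporter, false_positive=True):
    """Wrap the raw message as a message/rfc822 attachment addressed to Cloudmark."""
    sub = EmailMessage(policy=POLICY)
    sub["From"] = reporter
    sub["To"] = FALSE_POSITIVE if false_positive else FALSE_NEGATIVE
    sub["Subject"] = "Misclassified message sample"
    sub.set_content("Original message attached as message/rfc822.")
    # Passing a message object to add_attachment yields a message/rfc822 part.
    sub.add_attachment(message_from_bytes(raw, policy=POLICY))
    return sub

def attached_original(submission_bytes):
    """Re-parse a serialized submission and return the embedded original message."""
    outer = message_from_bytes(submission_bytes, policy=POLICY)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    raise ValueError("no message/rfc822 attachment found")

if __name__ == "__main__":
    wire = build_submission(ORIGINAL, "postmaster@example.org").as_bytes()
    print(attached_original(wire)["X-MS-Exchange-Organization-Antispam-Report"])
```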

All Replies

  • Hi,

    can you post the header of such an email that is blocked with SCL 8.

    Greetings

    Christian


    Christian Groebner MVP Forefront

    23 February 2012 16:19
  • Here is the header from one of the false positive replies. I have replaced the domain names and addresses.

    Received: from EDG2010-02.mydomain.ca (192.168.210.30) by
     EXCH03.mydomain.ca (192.168.9.155) with Microsoft SMTP Server
     (TLS) id 14.1.323.3; Wed, 22 Feb 2012 10:39:56 -0500
    Received: from snt0-omc4-s16.snt0.hotmail.com (192.168.254.47) by
     EDG2010-02.mydomain.ca (192.168.210.30) with Microsoft SMTP Server id
     14.1.323.3; Wed, 22 Feb 2012 10:40:12 -0500
    Received: from SNT124-W65 ([65.55.90.201]) by snt0-omc4-s16.snt0.hotmail.com
     with Microsoft SMTPSVC(6.0.3790.4675);  Wed, 22 Feb 2012 07:39:54 -0800
    Message-ID: <SNT124-W652AF87EA5CC413B6ACC5E9F640@phx.gbl>
    Return-Path: myaddress@hotmail.com
    Content-Type: multipart/alternative;
     boundary="_9d2ac8c2-adec-4281-b520-f58d330634d0_"
    X-Originating-IP: [38.xxx.xxx.50]
    From: HeadBanger <myaddress@hotmail.com>
    To: HeadBanger <myaddress@mydomain.ca>
    Subject: RE: even more content filtering
    Date: Wed, 22 Feb 2012 10:39:54 -0500
    Importance: Normal
    In-Reply-To: <19E3EEEE8C841A47B36B9D3CB8F25F981D0EE521@EXCH02.mydomain.ca>
    References: <19E3EEEE8C841A47B36B9D3CB8F25F981D0EE521@EXCH02.mydomain.ca>
    MIME-Version: 1.0
    X-OriginalArrivalTime: 22 Feb 2012 15:39:54.0376 (UTC) FILETIME=[39216080:01CCF178]
    X-MS-Exchange-Organization-PRD: hotmail.com
    Received-SPF: SoftFail (EDG2010-02.mydomain.ca: domain of
     transitioning myaddress@hotmail.com discourages use of 192.168.254.47 as
     permitted sender)
    X-MS-Exchange-Organization-Antispam-Report: v=1.1
     cv=ukz1dqSfJ3S3J/0bdJL5mEzALG8cic6SdYk1Eygc9yc= c=1 sm=1 p=Wv8TmvcxyzoA:10
     a=2eBvBoxqwgwA:10 a=8uJ5MO_MQBgA:10 a=E-JwmvP93WIA:10 a=qs3jR6NmdWIA:10
     a=69EAbJreAAAA:8 a=tZnmZiot9oEfMIR6stcA:9 a=wPNLvfGTeEIA:10
     a=vEwOpaGYuWQA:10 a=EfJqPEOeqlMA:10 a=1DY7g5_KOOBUihVBDEcA:9
     a=voT-CVV6WmlUdOjwtxMA:7 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10
     a=CvlzlqhRzCWVB14dZ5Uz4Q==:117;OrigIP:192.168.254.47;SCL:8
    X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
    X-MS-Exchange-Organization-SCL: 8
    X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
    X-MS-Exchange-Organization-AuthSource: EDG2010-02.mydomain.ca
    X-MS-Exchange-Organization-AuthAs: Anonymous

    Here is the header from one originated at Hotmail, and this was processed properly.

    Received: from EDG2010-01.mydomain.ca (192.168.210.70) by
     EXCH03.mydomain.ca (192.168.9.155) with Microsoft SMTP Server
     (TLS) id 14.1.323.3; Wed, 22 Feb 2012 10:32:25 -0500
    Received: from snt0-omc4-s3.snt0.hotmail.com (192.168.254.47) by
     EDG2010-01.mydomain.ca (192.168.210.70) with Microsoft SMTP Server id
     14.1.323.3; Wed, 22 Feb 2012 10:32:43 -0500
    Received: from SNT124-W43 ([65.55.90.201]) by snt0-omc4-s3.snt0.hotmail.com
     with Microsoft SMTPSVC(6.0.3790.4675);  Wed, 22 Feb 2012 07:32:15 -0800
    Message-ID: <SNT124-W432AC6F08B143718EEF7FE9F640@phx.gbl>
    Return-Path: myaddress@hotmail.com
    Content-Type: multipart/alternative;
     boundary="_39116063-6b63-4678-9b84-611828f619b6_"
    X-Originating-IP: [38.xxx.xxx.50]
    From: HeadBanger <myaddress@hotmail.com>
    To: HeadBanger <myaddress@mydomain.ca>
    Subject: RE: content filter testing
    Date: Wed, 22 Feb 2012 10:32:15 -0500
    Importance: Normal
    In-Reply-To: <19E3EEEE8C841A47B36B9D3CB8F25F981D0EE4FF@EXCH02.mydomain.ca>
    References: <myaddress@hotmail.com discourages use of 192.168.254.47 as
     permitted sender)
    X-MS-Exchange-Organization-Antispam-Report: v=1.1
     cv=Z+M1uew7r9IJ07sR7Pxy9xHUXsCGu9ggZAZUcelUYXY= c=1 sm=1 a=2eBvBoxqwgwA:10
     a=8uJ5MO_MQBgA:10 a=E-JwmvP93WIA:10 a=-Gp7QfHLvJMA:10 a=69EAbJreAAAA:8
     a=XyDhMT3WDX7jum2vUXgA:9 a=wPNLvfGTeEIA:10 a=vEwOpaGYuWQA:10
     a=EfJqPEOeqlMA:10 a=vQecTRt7f9HgayHQbHkA:9 a=umNv76XBpSprEowG_E0A:7
     a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10
     a=CvlzlqhRzCWVB14dZ5Uz4Q==:117;OrigIP:192.168.254.47;SCL:-1
    X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
    X-MS-Exchange-Organization-SCL: -1
    X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
    X-MS-Exchange-Organization-AuthSource: EDG2010-01.mydomain.ca
    X-MS-Exchange-Organization-AuthAs: Anonymous

    I can't see any substantial differences between the two messages other than the Anti-Spam report and SCL rating.

    As a temporary fix, I have created a hub transport rule to strip out the X-MS-Exchange-Organization-SCL header line out of inbound messages. This will stop Exchange from putting the false positive in the junk mail folder, but also keeps Exchange from putting junk in there as well. The users will have to put up with a little extra junk mail in their inbox until I figure this out.

    23 February 2012 20:23
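A way to triage quarantined mail for the pattern described in the post above, as an added example that is not part of the original thread: it parses the Antispam-Report header, checks it against the stamped SCL, flags high-SCL replies whose In-Reply-To points at the organization's own Message-ID host, and lists the report tokens that differ between two messages. The function names, the `min_scl` default and the sample messages are assumptions; the tokens are made up and are treated as opaque.

```python
import re
from email import message_from_string, policy

REPORT = "X-MS-Exchange-Organization-Antispam-Report"

def parse_report(value):
    """Split the report into the engine's opaque tokens and the key:value tail."""
    head, *tail = [seg.strip() for seg in str(value).split(";")]
    fields = dict(seg.split(":", 1) for seg in tail if ":" in seg)
    scl = int(fields["SCL"]) if "SCL" in fields else None
    return {"tokens": set(head.split()), "OrigIP": fields.get("OrigIP"), "SCL": scl}

def triage(raw, own_domain, min_scl=8):
    """Flag a high-SCL message whose In-Reply-To points at our own Message-ID host."""
    msg = message_from_string(raw, policy=policy.default)
    report = parse_report(msg.get(REPORT, ""))
    stamped = msg.get("X-MS-Exchange-Organization-SCL")
    host = re.search(r"@([^>\s]+)>", msg.get("In-Reply-To", ""))
    host = host.group(1).lower() if host else ""
    own = host == own_domain or host.endswith("." + own_domain)
    scl = report["SCL"]
    return {
        "scl": scl,
        "orig_ip": report["OrigIP"],
        "stamp_matches": stamped is not None and int(stamped) == scl,
        "reply_to_own": own,
        "suspect_false_positive": own and scl is not None and scl >= min_scl,
        "tokens": report["tokens"],
    }

# Constructed samples shaped like the two headers in the thread (tokens are made up).
TEMPLATE = """\
From: Sender <sender@example.net>
To: User <user@mydomain.ca>
Subject: RE: test
In-Reply-To: <{mid}>
X-MS-Exchange-Organization-Antispam-Report: v=1.1
 cv={cv} c=1 sm=1 {toks};OrigIP:203.0.113.7;SCL:{scl}
X-MS-Exchange-Organization-SCL: {scl}

body
"""
FLAGGED = TEMPLATE.format(mid="A1@EXCH02.mydomain.ca", cv="AAAA=",
                          toks="p=P1:10 a=T1:10 a=T2:9", scl=8)
CLEAN = TEMPLATE.format(mid="B2@EXCH02.mydomain.ca", cv="BBBB=",
                        toks="a=T1:10 a=T3:9", scl=-1)

if __name__ == "__main__":
    f, c = triage(FLAGGED, "mydomain.ca"), triage(CLEAN, "mydomain.ca")
    print(f["suspect_false_positive"], c["suspect_false_positive"])
    print("only in flagged:", sorted(f["tokens"] - c["tokens"]))
```

In-Reply-To is set by the sender, so this result is only suitable for sorting the quarantine for review and submission, not as a condition for bypassing the filter.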
  • Hi Christian. Thanks for the response. I sent a few of them to Cloudmark already, as stated in my original post.

    Does it help if I send more? How long does it take them to correct the issue? Should I expect anyone from Cloudmark to contact me, or do they hide behind an email firewall?

    I have excluded myself and a couple of more people in my department from the transport rule, so we can test and monitor the condition.

    Hopefully the issue is resolved soon, so I can disable the rule and re-enable the quarantine.

    24 February 2012 14:26
  • Hi,

    in my opinion submitting more samples will support Cloudmark in adjusting their patterns, but I would not expect someone from Cloudmark contacting you.

    I've submitted some samples to Cloudmark and within one or two weeks in my case the spam was away.

    Greetings

    Christian


    Christian Groebner MVP Forefront


    24 February 2012 20:14
  • I have been testing the condition every day, and emailing the false positives to Cloudmark. This morning's test was successful, so it looks like my submissions to Cloudmark have been accepted and processed.

    02 March 2012 19:06
  • Hi,

    good to hear that Cloudmark has processed your samples and it's working right now!

    Thanks for your feedback.

    Greetings
    Christian


    Christian Groebner MVP Forefront

    05 March 2012 10:25