Help really needed...
-
4 August 2010 17:32
I'm getting near the end of my rope, as is my boss. I'm really hoping someone can help me out.
Exchange 2010 (fully updated, NOT using the SP1 beta) and Forefront for Exchange 2010
Setup: FSE on Edge (edge subscription used) in DMZ & FSE on MB/CAS/HUB internal
Mail marked as spam on Edge is not moved into users' Junk E-mail folder. In fact, as you can see from the header below, it has an SCL of -1... I know others on this forum have said they've been impressed with Forefront for Exchange. I just haven't seen it. The quantity of spam that is ending up in user inboxes is about 25 times more than with GFI MailEssentials on Exchange 2003. I can't even get FSE to block all mail from the .ru TLD. My list of problems is long, but if I can get the basics working, maybe they would fall into place and not be problems anymore.
Does anyone have documentation for how Exchange 2010 and FSE 2010 are supposed to be configured when an Edge server is involved?
Here are the headers I mentioned above. If anyone sees something glaringly wrong, please let me know.
Received: from mail.domain.com (10.100.10.201) by Exch2010srv.domain.local
(192.168.0.35) with Microsoft SMTP Server (TLS) id 14.0.702.0; Wed, 4 Aug
2010 13:03:13 -0400
Received: from mail-wy0-f177.google.com (74.125.82.177) by Exch2010Edge.domain.local
(10.100.10.201) with Microsoft SMTP Server id 14.0.702.0; Wed, 4 Aug 2010
13:02:54 -0400
Received: by wyf19 with SMTP id 19so2370144wyf.36 for
<marcs@domain.com>; Wed, 04 Aug 2010 10:03:12 -0700 (PDT)
Received: by 10.216.21.7 with SMTP id q7mr2368229weq.19.1280941392292; Wed, 04
Aug 2010 10:03:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.48.195 with HTTP; Wed, 4 Aug 2010 10:02:42 -0700 (PDT)
From: Marc <marc@outsidedomain.com>
Date: Wed, 4 Aug 2010 13:02:42 -0400
Message-ID: <AANLkTi=t4sRV6YZ+qVp4zGRFQnb_wjLs7XKAgHtr-=JA@mail.gmail.com>
Subject: SUSPECTED JUNK MAIL (edge): 100% legal
To: "CSG: Marc" <marcs@domain.com>
Content-Type: multipart/alternative; boundary="00163646db0aaa69ce048d026823"
Return-Path: marc@outsidedomain.com
X-MS-Exchange-Organization-PRD: outsidedomain.com
Received-SPF: Pass (Exch2010Edge.domain.local: domain of marc@outsidedomain.com
designates 74.125.82.177 as permitted sender) receiver=Exch2010Edge.domain.local;
client-ip=74.125.82.177; helo=mail-wy0-f177.google.com;
X-MS-Exchange-Organization-Antispam-Report: v=1.1
cv=Eydw7fhYQ2y+PoS3jzJXlFYfeAQ0ReJ3CkK+VrjeQvw= c=1 sm=1
a=FdiyZchGmDrZfPC3P0gA:9 a=jckbbbTgaJw6MPazVqDo5uehLW8A:4 a=wPNLvfGTeEIA:10
a=CPGI3CJGBj6Cb-NZWF8A:9 a=f8VNT9RiLAny5PDbu_8A:7
a=dBvIIkevT4dzuMxLVnQUgBZMTccA:4
a=TY536VeB8EqGyhb/77Hj9A==:117;OrigIP:74.125.82.177;SCL:-1
X-Junk-Mail-2010edge:
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-SenderIdResult: PASS
X-MS-Exchange-Organization-AuthSource: Exch2010Edge.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
Notes:
1) Exchange 2010 on Edge has content filter set to ENABLE. It was disabled and I changed it to enable b/c of the MessageSecurityAntispamBypass, but that was two days ago and it's still showing bypass.
2) X-Junk-Mail-2010edge: and SUSPECTED JUNK MAIL (edge): were added by FSE on the edge server.
All replies
-
4 August 2010 21:24
On Wed, 4 Aug 2010 17:32:57 +0000, csgmarc wrote:
>I'm getting near the end of my rope, as is my boss. I'm really hoping someone can help me out.
>
>Exchange 2010 (fully updated, NOT using the SP1 beta) and Forefront for Exchange 2010
>
>Setup: FSE on Edge (edge subscription used) in DMZ & FSE on MB/CAS/HUB internal
>
>Mail marked as spam on Edge is not moved into users' Junk E-mail folder. In fact, as you can see from the header below, it has an SCL of -1... I know others on this forum have said they've been impressed with Forefront for Exchange. I just haven't seen it. The quantity of spam that is ending up in user inboxes is about 25 times more than with GFI MailEssentials on Exchange 2003. I can't even get FSE to block all mail from the .ru TLD. My list of problems is long, but if I can get the basics working, maybe they would fall into place and not be problems anymore.
>
>Does anyone have documentation for how Exchange 2010 and FSE 2010 are supposed to be configured when an Edge server is involved?
I guess the 1st thing to understand is that FSE has no spam filter. FPE does.
>Here are the headers I mentioned above. If anyone sees something glaringly wrong, please let me know.
Sure. How about this:
X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
According to that X-Header, you've whitelisted the mail somehow. It could be because you added 10.100.10.201 as a trusted IP address on your Hub Transport, or you trust marc@outsidedomain.com (you may be using safe-list aggregation), or you've checked the "Externally Secured" box on the Receive Connector.
If you stop trusting whatever you've trusted then the SCL should be set to whatever the edge server sets it to.
--- Rich Matheisen MCSE+I, Exchange MVP
- Proposed as answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator), 15 August 2010 02:31
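
The header reading described in the reply above, as an added example that is not part of the thread or written by its participants: a Python check that reads every copy of the Antispam-Report header, the stamped SCL and the junk tag, and reports where they disagree. The sample is constructed from the second header set posted later in this thread with the opaque tokens replaced by placeholders; the function name `triage` and the wording of the findings are hypothetical.

```python
import email
import re

# Constructed sample modelled on the second header set posted in this thread;
# the opaque cv=/a= tokens are replaced with placeholders.
SAMPLE = """\
Received: from mail.domain.com (10.100.10.201) by Exch2010srv.domain.local
 (192.168.0.35) with Microsoft SMTP Server (TLS) id 14.0.702.0; Mon, 9 Aug
 2010 17:05:29 -0400
Subject: SUSPECTED JUNK MAIL: Week of August 9, 2010
X-MS-Exchange-Organization-Antispam-Report: v=1.1
 cv=PLACEHOLDER c=1 sm=1
 a=PLACEHOLDER:117;OrigIP:208.85.54.155;SCL:-1
X-Junk-Mail: 2010edge:
X-MS-Exchange-Organization-SCL: 6
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass

(body omitted)
"""

ORG = "X-MS-Exchange-Organization-"

def triage(raw):
    """Summarise the anti-spam verdict headers of one raw message."""
    msg = email.message_from_string(raw)
    # The report header appears twice in the thread's samples, so read every
    # copy and unfold continuation lines before searching them.
    reports = [" ".join(v.split()) for v in msg.get_all(ORG + "Antispam-Report", [])]
    scls = [int(m.group(1)) for r in reports
            for m in re.finditer(r"\bSCL:(-?\d+)", r)]
    report_scl = scls[-1] if scls else None
    stamped = msg.get(ORG + "SCL")
    stamped_scl = int(stamped) if stamped and stamped.strip().lstrip("-").isdigit() else None
    bypass = any("MessageSecurityAntispamBypass" in r for r in reports)
    junk_tagged = (any(k.lower().startswith("x-junk-mail") for k in msg.keys())
                   or msg.get("Subject", "").startswith("SUSPECTED JUNK MAIL"))
    findings = []
    if bypass:
        findings.append("anti-spam bypass recorded for this message")
    if junk_tagged and report_scl is not None and report_scl < 0:
        findings.append("tagged as junk upstream but filter report says SCL %d" % report_scl)
    if None not in (report_scl, stamped_scl) and report_scl != stamped_scl:
        findings.append("SCL header (%d) differs from filter report (%d)"
                        % (stamped_scl, report_scl))
    return {"bypass": bypass, "report_scl": report_scl, "stamped_scl": stamped_scl,
            "junk_tagged": junk_tagged, "findings": findings}

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print(line)
```

Run over a folder of exported messages, the same function shows whether the bypass marker is on every message, as reported in this thread, or only on mail from particular senders or connectors.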
-
5 August 2010 16:09
>I guess the 1st thing to understand is that FSE has no spam filter. FPE does.
>>Here are the headers I mentioned above. If anyone sees something glaringly wrong, please let me know.
>Sure. How about this:
>X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
>According to that X-Header, you've whitelisted the mail somehow. It could be because you added 10.100.10.201 as a trusted IP address on your Hub Transport, or you trust marc@outsidedomain.com (you may be using safe-list aggregation), or you've checked the "Externally Secured" box on the Receive Connector.
>If you stop trusting whatever you've trusted then the SCL should be set to whatever the edge server sets it to.
>--- Rich Matheisen MCSE+I, Exchange MVP
Rich,
Thanks for the response.
My bad about FSE vs FPE. It is FPE that I have installed.
And you are right, my concern is the MessageSecurityAntispamBypass. Every piece of mail has that.
When you say 'trusted ip', are you referring to the IP Allow List? It is enabled, but there is nothing in it.
I checked the receive connectors and "Externally Secured" check box is not checked.
I do have safe-list aggregation configured, but marcs@outsidedomain.com is not on my safe senders list (Outlook is not configured to auto safe list addresses that are emailed and contacts are not included in the safe senders list.)
Any other thoughts?
Your help and suggestions are greatly appreciated.
-
5 August 2010 18:56
On Thu, 5 Aug 2010 16:09:12 +0000, csgmarc wrote:
[ snip ]
>And you are right, my concern is the MessageSecurityAntispamBypass. Every piece of mail has that.
>
>When you say 'trusted ip', are you referring to the IP Allow List? It is enabled, but there is nothing in it.
Which one are you referring to? The one in FPE or the one in Exchange?
--- Rich Matheisen MCSE+I, Exchange MVP
-
5 August 2010 19:02
>On Thu, 5 Aug 2010 16:09:12 +0000, csgmarc wrote:
>[ snip ]
>>And you are right, my concern is the MessageSecurityAntispamBypass. Every piece of mail has that.
>>
>>When you say 'trusted ip', are you referring to the IP Allow List? It is enabled, but there is nothing in it.
>Which one are you referring to? The one in FPE or the one in Exchange?
>--- Rich Matheisen MCSE+I, Exchange MVP
Both actually. Neither is populated with anything though.
-
6 August 2010 21:42
On Thu, 5 Aug 2010 19:02:34 +0000, csgmarc wrote:
>On Thu, 5 Aug 2010 16:09:12 +0000, csgmarc wrote: [ snip ]
>>And you are right, my concern is the MessageSecurityAntispamBypass. Every piece of mail has that.
>>
>>When you say 'trusted ip', are you referring to the IP Allow List? It is enabled, but there is nothing in it.
>Which one are you referring to? The one in FPE or the one in Exchange?
>--- Rich Matheisen MCSE+I, Exchange MVP
>Both actually. Neither is populated with anything though.
Okay, how about picking one mailbox that always gets e-mail with that header and:
get-mailbox <mailbox-name> | fl anti*
--- Rich Matheisen MCSE+I, Exchange MVP
-
10 August 2010 17:39
>Okay, how about picking one mailbox that always gets e-mail with that header and:
>get-mailbox <mailbox-name> | fl anti*
>--- Rich Matheisen MCSE+I, Exchange MVP
Sorry, I got sidetracked by another problem... This is the output:
[PS] C:\Windows\system32>get-mailbox marcs | fl anti*
Creating a new session for implicit remoting of "Get-Mailbox" command...
AntispamBypassEnabled : False
Here are the headers from a recent message that FPE on the edge server determined was junk.
- Note, I now have a transport rule set up on the CAS/MB/HUB to add "X-MS-Exchange-Organization-SCL: 6" line to any email that has "X-Junk-Mail: 2010edge:" in the header. That's what FPE on the edge server adds to the header.
__________
Received: from mail.domain.com (10.100.10.201) by Exch2010srv.domain.local
(192.168.0.35) with Microsoft SMTP Server (TLS) id 14.0.702.0; Mon, 9 Aug
2010 17:05:29 -0400
Received: from mail1418.interact.ingrammicro.com (208.85.54.155) by
Exch2010Edge.domain.local (10.100.10.201) with Microsoft SMTP Server id 14.0.702.0;
Mon, 9 Aug 2010 17:04:36 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=spop; d=interact.ingrammicro.com;
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; i=ingrammicro@interact.ingrammicro.com;
bh=+5IIAzZkO5oBZ0HapJogcSDlrjA=;
b=mGVAXrxHu/nQXjbXCek37oj4kGANf6IXbpMDg8dLh5S/LTMWQ4lCDjtj1rA2+8CJAd9FXj83vjbo
kWcjKmU4rA==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=spop; d=interact.ingrammicro.com;
b=HHamk2hl9l6q8laByL2PZVi25V8aG4JNzYpVBcDQIJsEKgR86XfYXVPNfN0shEjEi7JdWD3rXsSa
h1UtP13Dkg==;
Received: by mail1418.interact.ingrammicro.com (PowerMTA(TM) v3.5r13) id
hc1mnk0iiks1 for <marcs@domain.com>; Mon, 9 Aug 2010 17:03:21 -0400
(envelope-from
<v-efbpfi_bfgnedojf_jkaepgi_jkaepgi_a@bounce.interact.ingrammicro.com>)
Date: Mon, 9 Aug 2010 17:03:20 -0400
From: Ingram Micro eFlash <ingrammicro@interact.ingrammicro.com>
Reply-To: <ingrammicro@interact.ingrammicro.com>
To: <marcs@domain.com>
Message-ID: <13230448.54803661281387800949.JavaMail.?@rbg01.pdkp1>
Subject: SUSPECTED JUNK MAIL: Week of August 9, 2010
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_27311_23435146.1281387773002"
x-mid: 4530008
List-Unsubscribe: <mailto:v-efbpfi_bfgnedojf_jkaepgi_jkaepgi_a@bounce.interact.ingrammicro.com?subject=Unsubscribe>
Return-Path: v-efbpfi_bfgnedojf_jkaepgi_jkaepgi_a@bounce.interact.ingrammicro.com
X-MS-Exchange-Organization-PRD: interact.ingrammicro.com
Received-SPF: Pass (Exch2010Edge.domain.local: domain of
ingrammicro@interact.ingrammicro.com designates 208.85.54.155 as permitted
sender) receiver=Exch2010Edge.domain.local; client-ip=208.85.54.155;
helo=mail1418.interact.ingrammicro.com;
X-MS-Exchange-Organization-Antispam-Report: v=1.1
cv=onrBA0Hzl7N6gu5xCUcMKYfYOJxGZ3u9YsveBKUHUZM= c=1 sm=1
a=XD4mPpD6a73UYxf65J3v7g==:17 a=UVxFiTE3AAAA:8 a=PW3zOkXglNDA8mYHCB4A:9
a=pGqD99ouFLEMKf3wWJMA:7 a=9XL_d6J_qsk1qbq1C3aZwF0UpBUA:4 a=CjuIK1q_8ugA:10
a=r1H3yrHQrCkA:10 a=Z3QmZcWOb8EA:10 a=-TmK3VsKQa8A:10 a=zf0Hijh95qVZJK-m:21
a=wMJ4Na7cZrnb7bdt:21 a=FIA4VO2zAAAA:8 a=mYiEHx9iAAAA:8
a=0Mb9k824wKP-uYgkCAwA:9 a=G6gJnLhGyn6ibI4fBdMA:7
a=nv37dbBxxf3mUxWXcyFE9bfYi00A:4 a=PUjeQqilurYA:10 a=2EnjnGPa1ugA:10
a=X33-jdNGzPMlwOX3:21 a=Vs8cxoM4udytmy_l:21
a=XD4mPpD6a73UYxf65J3v7g==:117;OrigIP:208.85.54.155;SCL:-1
X-Junk-Mail: 2010edge:
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-SCL: 6
X-MS-Exchange-Organization-SenderIdResult: PASS
X-MS-Exchange-Organization-AuthSource: Exch2010Edge.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
Marc
-
15 August 2010 02:32
Moderator
Hi,
I would like to suggest that you contact Microsoft Product Support Services via telephone so that a dedicated Support Professional can assist with this request.
To obtain the phone numbers for specific technology request please take a look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US please see http://support.microsoft.com for regional support phone numbers.
Thank you for your patience and understanding.
Regards,
Nick Gu - MSFT
- Marked as answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator), 15 August 2010 02:33
-
28 January 2011 02:49
What was the fix?? I'm having the same issue.
Thanks, Cole.