Exchange 2013 transport rule

  • Question

  • I've created a spoof prevention rule in Exchange. It's working and has caught a few offenders, but I can't seem to add a second header rule. A screen shot is attached, which shows the issue I'm facing.

    When you add an exception for a message header, for example the "Received" header, I can't find a way (greyed out) to add an additional exception for another header, say "Content-Type" or "In-Reply-To".

    Anyone else seeing this? Or know of a way around it so I can add another header exception?

    Thanks.

    Friday, November 4, 2016 3:42 PM

All replies

  • PowerShell.  You can do a lot of stuff in PowerShell that isn't available in the GUI.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Friday, November 4, 2016 5:05 PM
  • I've created a spoof prevention rule in Exchange. It's working and has caught a few offenders, but I can't seem to add a second header rule. A screen shot is attached, which shows the issue I'm facing.

    When you add an exception for a message header, for example the "Received" header, I can't find a way (greyed out) to add an additional exception for another header, say "Content-Type" or "In-Reply-To".

    Anyone else seeing this? Or know of a way around it so I can add another header exception?

    Thanks.

    This isn't really the way to do this. Instead, leverage DMARC and SPF and then create a transport rule based on the DMARC failure.



    Friday, November 4, 2016 5:34 PM
    Moderator
  • I'm trying to modify a test rule (with the same settings in place) with PowerShell.

    When I run the following command it overwrites the exception instead of adding it:

    set-transportrule -identity "Inspect Attachments" -ExceptIfHeaderContainsMessageHeader "X-Disclaimer" -ExceptIfHeaderContainsWords "1"

    How would I go about adding instead of replacing?

    I tried the following command but it fails with the error: Set-TransportRule : Cannot bind parameter because parameter 'ExceptIfHeaderContainsMessageHeader' is specified more than once.

    set-transportrule -identity "Inspect Attachments" -ExceptIfHeaderContainsMessageHeader "X-Disclaimer" -ExceptIfHeaderContainsWords "1" -ExceptIfHeaderContainsMessageHeader "X-Disclaimer2" -ExceptIfHeaderContainsWords "2"

    Friday, November 4, 2016 7:12 PM
  • You need to add the two desired headers together - everything needs to be included in the ExceptIfHeaderContainsWords field.  If you know both of the headers you want, use:

    set-transportrule -identity "Inspect Attachments" -ExceptIfHeaderContainsMessageHeader "X-Disclaimer" -ExceptIfHeaderContainsWords "1","2"

    If you don't know what's in it, do the following

    $CurrentRule = Get-TransportRule -Identity "Inspect Attachments"
    $CurrentRule.ExceptIfHeaderContainsWords += "2"
    set-transportrule -identity "Inspect Attachments" -ExceptIfHeaderContainsMessageHeader "X-Disclaimer" -ExceptIfHeaderContainsWords $CurrentRule.ExceptIfHeaderContainsWords
    
    There are also other ways you might be able to do this, but I'd have to test them to see if they worked.  I have never had problems using this way, though.


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Tuesday, November 8, 2016 11:25 AM
  • Will,

    Thank you, but all that did was add "2" as an additional exception to the X-Disclaimer header (screen shot attached).

    Ultimately what I'm trying to do is add an additional header, not an exception to one that's already listed (X-Disclaimer).

    For example, looking at an email header, let's say I wanted an exception for the "X-Katharion-ID:" portion of a header, which wouldn't be included in the "X-Disclaimer" exception.

    Does that make sense? It's like there should be another line under "X-Disclaimer" where I can add "X-Katharion-ID:" and then list its exceptions.

    Maybe I'm misunderstanding the format of the rule and where I have "X-Disclaimer" is actually just a friendly name and not part of the actual rule, then in the exception list is where "X-Disclaimer: 1" or "X-Disclaimer: 2" or "X-Katharion-ID:37364" should be (second screen shot, which was formed for display purposes in this forum).

    What has me confused is that it reads 'X-Disclaimer' header includes ... and 'MailHeader' header includes...

    It seems like they're asking us to specify header text and not just name it. The problem (why I'm here) is that there's not a way to add another exception.

    Any thoughts? Thanks again for your help.



    • Edited by RSCorpMike Tuesday, November 8, 2016 8:02 PM
    Tuesday, November 8, 2016 8:00 PM
  • So you are trying to add the same rule twice, in effect.  You are right, this can't be done - but you can add two rules.  However, it looks like you need both of your above exceptions to be in the same rule.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Wednesday, November 9, 2016 11:29 AM
  • Will,

    Maybe it would be easier to lay out an example instead of trying to explain. Below is some text from an actual email header:

    Date: Wed, 9 Nov 2016 03:29:43 -0800

    Subject: [Forums] Exchange 2013 transport rule

    Content-Type: text/html; charset="us-ascii"

    Content-Transfer-Encoding: quoted-printable

    For simplicity, let’s pretend I want the transport rule to exclude emails that have the “Content-Transfer-Encoding” value of “quoted-printable” AND ALSO “Content-Type” value of “text/html”. How would I do that? There doesn’t seem to be a way.

    Wednesday, November 9, 2016 9:40 PM
  • There may be a way, but I have to ask - are these internal messages, or external ones?  If they are internal, you would use one setup, and if they are external, you would use another.  But they have the same flow and require several separate transport rules:

    1. In the first rule, if the message had the "Content-Transfer-Encoding" value of "quoted-printable", you save a special classification to the message that you have defined
    2. In the second rule, if the message had that special classification and if it had "Content-Type" value of "text/html".  If it did, you would do the stuff you needed to do to it.
    3. In the third rule, you would check for the classification, then remove it - it would no longer be necessary

    You can try these to see if they do what you need - I'm not 100% sure it will work, but it gives you something you can test.  Make sure to keep these rules together and in this order all the time (give them names to make it more obvious they are together, sequential, and shouldn't be separated).  And test it in a lab before you do it in your production system.  For more information on this, search the following TechNet article (on Ex2013 Set-TransportRule) for the ApplyClassification parameter:  https://technet.microsoft.com/en-us/library/bb123534(v=exchg.150).aspx


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })


    Friday, November 11, 2016 2:14 PM
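
The chained-rule idea from the reply above, as an added example that is not part of the original thread and has not been run against the poster's environment. It swaps in a custom marker header for the message classification, and uses the separate HeaderMatches* predicate to test the second header inside one rule. The marker header name, the rule names and `$SpoofRule` are assumed placeholders.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2013).
$Marker    = 'X-Contoso-TwoHeaderMatch'  # hypothetical internal marker header
$SpoofRule = 'Spoof Prevention'          # placeholder: name of your existing rule

# Rule 1 (top of the list): drop any sender-supplied copy of the marker,
# so an external sender cannot pre-stamp it and skip the spoof rule.
New-TransportRule -Name 'SpoofEx 1 - strip inbound marker' `
    -FromScope NotInOrganization `
    -RemoveHeader $Marker `
    -Priority 0

# Rule 2: stamp the marker only when BOTH headers match. Different
# conditions in one rule are ANDed, and HeaderContains* / HeaderMatches*
# are separate predicates, so each one can test a different header.
New-TransportRule -Name 'SpoofEx 2 - stamp marker' `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader 'Content-Transfer-Encoding' `
    -HeaderContainsWords 'quoted-printable' `
    -HeaderMatchesMessageHeader 'Content-Type' `
    -HeaderMatchesPatterns 'text/html' `
    -SetHeaderName $Marker -SetHeaderValue 'both-matched' `
    -Priority 1

# Existing spoof rule: one header exception, on the marker.
# As seen earlier in the thread, this REPLACES any header exception
# already configured on the rule.
Set-TransportRule -Identity $SpoofRule `
    -ExceptIfHeaderContainsMessageHeader $Marker `
    -ExceptIfHeaderContainsWords 'both-matched'

# Rule 3: remove the marker once it has served its purpose. With no
# -Priority the rule is appended to the end, after the spoof rule.
New-TransportRule -Name 'SpoofEx 3 - remove marker' `
    -HeaderContainsMessageHeader $Marker `
    -HeaderContainsWords 'both-matched' `
    -RemoveHeader $Marker

# Confirm the order: strip, stamp, spoof rule, remove.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State -AutoSize
```

The strip rule has to stay first: without it, the exception on the spoof rule can be satisfied by any sender who adds the marker header themselves.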
  • Will,

    Thank you! Much appreciated.

    They are external messages so I'll set up separate transport rules like in your example. That will work. I still think there should be a way to do this within one rule (don't you?), but the workaround will suffice.

    Friday, November 11, 2016 3:18 PM
  • Since you are using one requirement, it would be hard to get it to work.  I guess a hash table with two elements for the "header" and "the certain text" would work, but they'd have to rewrite how the transport rule was built to get that implemented.  That'd be a bit of work.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Friday, November 11, 2016 4:54 PM