Incoming Messages bypassing Transport rules

    Question

  • Hello all,

    We are dealing with a very strange case where some messages from a specific sender seem to bypass a whole set of transport rules.

    More specifically, this contact sends many emails daily to our organization - most of them get classifications and redirections to other users through transport rules. That is the basic design and it works well.

    We have analyzed those "offending" messages and found out that a mail header is missing - the X-Authenticated-Sender. This header isn't a standard one (RFC-wise) and, as far as I understand it, it is put there by the sender's server to declare an authentication between the original sender and their server (for spam avoidance purposes).

    In front of the Exchange there is a Sophos UTM (Mail gateway, Firewall) appliance which receives incoming traffic, scans it and then forwards it to the Exchange server - this is transparent to the Exchange server.

    Also the sender's domain seems to be in a blacklist (according to MX-Toolbox Header Analyzer). But in general their messages are being received without a problem.

    When this happens (mails not being processed through transport rules) nothing relevant is logged in the Event Viewer.

    This happens in a low frequency - say in 1 message out of 50.

    Why do these messages have this behavior? Is that header important by any means to Exchange 2013?

    What else should I look to investigate further?

    Friday, October 16, 2015 12:14 AM

All replies

  • What would help answer the question would be if you were to post the settings of the transport rule in question.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, October 28, 2015 4:09 PM
    Moderator
  • Hello Ed and thanks for your reply.

    There are a number of rules involved, let me give some examples. When the sender domain is 'domain.com' then put the 'domain1' header value on the 'domain' header. So that all messages from this domain are marked with a specific header and its corresponding value.

    Or...

    When message is received by 'Distr_Grp1' BCC it to 'Distr_Grp2'.

    The above rules in the scenario I describe do not work. It seems as if the offending message is bypassing all rules.

    One more thing I would like to add. The organization in question has deployed some sort of 'disaster recovery site on the cloud' which may involve live replication of the Exchange machine on their recovery site on the internet. Could this be a potential source of such strange issues?


    Thursday, October 29, 2015 4:43 PM
  • Please post the settings from "Get-TransportRule | FL" for the relevant rules.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, October 29, 2015 4:56 PM
    Moderator
  • Hello,

    Please compare the message header of a good email example with a problematic sample. Are there any differences?

    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Simon Wu
    TechNet Community Support

    Monday, November 2, 2015 7:09 AM
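The comparison Simon suggests is easier to do mechanically than by eye once a few samples pile up. The following PowerShell is an added example, not code from the thread: it extracts the header names from the raw header block of two saved messages and lists the ones present in only one of them. The two sample messages are constructed inline (hostnames, addresses and the X-Authenticated-Sender line are made up for illustration); in practice you would load saved .eml files with Get-Content instead.

```powershell
# Added example (not from the thread). Compare the header sets of a good and a
# problematic message and list headers that appear in only one of them.

function Get-HeaderNames {
    # Returns the field names found in the header block of a raw RFC 5322 message.
    param([Parameter(Mandatory)][string[]]$Lines)

    $names = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line -eq '') { break }              # first blank line ends the header block
        if ($line -match '^[ \t]') { continue }  # folded continuation line of the previous header
        # field-name is printable ASCII except ':' (RFC 5322 section 3.6.8)
        if ($line -match '^([!-9;-~]+):') { $names.Add($Matches[1]) }
    }
    return $names
}

# Constructed sample 1: a "good" message, carries X-Authenticated-Sender.
$goodSample = @"
Received: from utm.example.local (192.0.2.10) by exch01.example.local
 with Microsoft SMTP Server; Fri, 16 Oct 2015 09:00:00 +0300
Received: from mail.sender.example (203.0.113.5) by utm.example.local
X-Authenticated-Sender: user@sender.example
From: user@sender.example
To: distr_grp1@example.local
Subject: constructed good sample
Message-ID: <good-1@sender.example>

body text
"@

# Constructed sample 2: a "bad" message, same sender, header missing and one extra hop.
$badSample = @"
Received: from utm.example.local (192.0.2.10) by exch01.example.local
 with Microsoft SMTP Server; Fri, 16 Oct 2015 09:05:00 +0300
Received: from relay.other.example (198.51.100.7) by utm.example.local
Received: from mail.sender.example (203.0.113.5) by relay.other.example
From: user@sender.example
To: distr_grp1@example.local
Subject: constructed bad sample
Message-ID: <bad-1@sender.example>
X-Some-Relay-Tag: added-in-transit

body text
"@

# To use real samples instead:  $good = Get-HeaderNames -Lines (Get-Content .\good.eml)
$good = Get-HeaderNames -Lines ($goodSample -split "`r?`n")
$bad  = Get-HeaderNames -Lines ($badSample  -split "`r?`n")

# Headers present in exactly one of the two messages
Compare-Object -ReferenceObject ($good | Sort-Object -Unique) `
               -DifferenceObject ($bad  | Sort-Object -Unique) |
    ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'only in good sample' } else { 'only in bad sample' }
        '{0,-28} {1}' -f $_.InputObject, $side
    }

# Headers that repeat a different number of times (e.g. an extra Received hop)
foreach ($name in ($good + $bad | Sort-Object -Unique)) {
    $g = @($good | Where-Object { $_ -eq $name }).Count
    $b = @($bad  | Where-Object { $_ -eq $name }).Count
    if ($g -ne $b) { '{0,-28} good={1} bad={2}' -f $name, $g, $b }
}
```

On the constructed input this reports X-Authenticated-Sender as present only in the good sample, X-Some-Relay-Tag only in the bad one, and Received occurring twice versus three times. The Received count is worth looking at in this setup: the Sophos UTM adds its own hop, so a different hop count on the "bad" messages points at a different path into the gateway rather than at the Exchange rules themselves.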
    Moderator
  • Please post the settings from "Get-TransportRule | FL" for the relevant rules.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Hello again Ed. This has nothing to do with rules configuration and possible conflicts - if it is that you suspect. I have created a rule with priority 0 (top) where all mails coming from senders in "domain.com" get a header "domain.com" with value "true". Out of nine legit mails (the header and its value are marked on the message), one goes through this rule and of course all the rest.

    - Please compare the message header of a good email example with a problematic sample. Are there any differences?

    Hello Simon. At the beginning I was comparing these cases against valid samples as I reported in my opening post. But then I found examples from senders with similar headers (via analysis in MX-Toolbox) so that made things even more complicated.

    This installation has been working flawlessly for 5 months. In my experience Exchange is a solid platform and doesn't go crazy on its own. :-)

    So that's when I started looking for other changes on the system and found out about the "disaster recovery site on the cloud" replication. It worries me because first, as far as I know, Microsoft does not support Exchange on a virtualized cluster (instead it recommends a DAG for high availability) and second, I've searched quite a lot for technical documentation on the above (VMware) solution and haven't found enough, not to say almost nothing, about live replicating Exchange on the cloud.

    PS - as a last resort measure we are thinking of activating pipeline tracing but I am not very optimistic about the outcome of that action.

    Thank you all for your ideas and interest on this issue.

    Monday, November 2, 2015 11:38 PM
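The diagnostic steps discussed across this thread (Ed's request for the rule settings, the priority-0 stamping rule, and the pipeline tracing mentioned as a last resort) map onto a handful of Exchange Management Shell commands. The block below is an added example and not commands posted in the thread; the header name X-Sender-Domain, the server name EXCH01, the addresses and the group names are placeholders standing in for the thread's 'domain.com', 'Distr_Grp1' and 'Distr_Grp2'.

```powershell
# Added example, not from the thread. Exchange 2013 Management Shell.
# Placeholders: EXCH01 (transport server), domain.com (sender domain),
# X-Sender-Domain (stamped header), Distr_Grp1/Distr_Grp2 (groups).

# 1. Inventory every rule in evaluation order, including disabled rules,
#    their mode (Audit rules never act) and their exceptions. This is the
#    "Get-TransportRule | FL" output Ed asked for, narrowed to the fields
#    that decide whether a rule fires.
Get-TransportRule | Sort-Object Priority |
    Format-List Name, Priority, State, Mode, Conditions, Exceptions, Actions

# 2. Confirm the rules agent itself is enabled on the transport service.
#    If it is disabled, no rule fires for any message.
Get-TransportAgent -TransportService Hub |
    Format-Table Identity, Enabled, Priority -AutoSize

# 3. The stamping rule from the thread, rebuilt explicitly at priority 0.
New-TransportRule -Name 'Stamp sender domain' -Priority 0 `
    -SenderDomainIs 'domain.com' `
    -SetHeaderName 'X-Sender-Domain' -SetHeaderValue 'true' `
    -Comments 'Diagnostic: every message from domain.com must carry this header'

# 4. The BCC rule from the thread.
New-TransportRule -Name 'Copy Distr_Grp1 to Distr_Grp2' `
    -SentTo 'distr_grp1@example.local' `
    -BlindCopyTo 'distr_grp2@example.local'

# 5. Check, per message, whether the rules agent recorded anything.
#    Transport agents write AGENTINFO events to the message tracking log;
#    a message from this sender with no AGENTINFO entry at all is one that
#    the rules agent never acted on, which is what the thread describes.
$since = (Get-Date).AddDays(-1)
Get-MessageTrackingLog -Sender 'user@domain.com' -Start $since -ResultSize Unlimited |
    Where-Object { $_.EventId -in 'RECEIVE', 'AGENTINFO' } |
    Sort-Object MessageId, Timestamp |
    Format-Table Timestamp, EventId, Source, MessageSubject, EventData -AutoSize -Wrap

# 6. Pipeline tracing, scoped to the one sender. It captures full message
#    copies for every agent stage on disk, so keep the scope narrow and
#    turn it off as soon as a bad sample has been captured.
Set-TransportService -Identity 'EXCH01' `
    -PipelineTracingSenderAddress 'user@domain.com' `
    -PipelineTracingEnabled $true

# ... wait for one of the "offending" messages, then:
Set-TransportService -Identity 'EXCH01' -PipelineTracingEnabled $false
```

Step 5 is the cheapest check: the tracking log shows, message by message, whether the transport rule agent touched a given message, without the disk cost of pipeline tracing. Step 6 produces the per-agent snapshots that show exactly what the message looked like when the rules agent ran, which is the only way to tell a rule that evaluated false apart from a rule that never ran.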
  • Unless you have another rule that fires before the one you're expecting to fire.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, November 3, 2015 1:57 AM
    Moderator