Mail flow rule doesn't always work

  • Question

  • I have an Exchange 2016 server, and an Anti-spam SMTP server.

    The Anti-spam SMTP server suffixes the subject of spam messages:
    e.g. subject: Spam message [spam]

    I have created an Exchange Mail flow rule that triggers if an email's subject contains the "[spam]" text and is received from 'Outside the organisation' (I have also tried using sender's IP is the IP of our anti-spam SMTP server, with the same result).

    The rule marks them with a spam confidence level of 9, and prepends a disclaimer warning that they are likely spam.

    The rule works sometimes, and not at other times.

    When it doesn't work:
    The emails are received through our Anti-spam SMTP server, they are from external people (the from address is external) and they have the [spam] subject.

    But they are not going to Junk Mail, and they are not being prepended with the disclaimer.

    I have a hunch it might be occurring while the server is running its backup (so it is under heavy load) but nothing definite.

    Has anyone experienced this (or something similar) before?

    Thursday, August 25, 2016 4:58 AM

All replies

  • Hi, 

    Please check the transport agent to make sure they are enabled via the following command:


    You can also display the list of SMTP on events and what transport agents will be triggered at each event with the following command:


    It's also recommended to use the Get-MailboxTransportService cmdlet to show the configuration for the Transport service on a Mailbox or Edge Transport server.

    To examine the pipeline tracing log, we can use the command:

    Set-TransportService "mailbox server name" -PipelineTracingEnabled $True -PipelineTracingSenderAddress "test1@test.com"

    to see that the Transport Rule Agent is configured to fire on the OnResolvedMessage SMTP event.

    The logs for this email can be found under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\PipelineTracing

    Once you have examined the logs and found the reason for your problem, pipeline tracing should be turned off via the following command:

    Set-TransportService "mailbox server name" -PipelineTracingEnabled $False

    As a last step, you can recreate this transport rule, restart the transport service and check the results.

    Hope it helps.

    Best Regards,

    Jason Chao
    TechNet Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Jason.Chao Friday, August 26, 2016 2:25 AM
    • Proposed as answer by Jason.Chao Monday, August 29, 2016 9:17 AM
    • Marked as answer by Jason.Chao Friday, September 2, 2016 7:45 AM
    • Unmarked as answer by djorchard Thursday, October 6, 2016 10:29 PM
    • Unproposed as answer by djorchard Thursday, October 6, 2016 11:55 PM
    Friday, August 26, 2016 2:24 AM
  • Hi,


    Would you please provide us with an update on the status of your issue? If the solution helped, please mark it as the answer; it will be helpful and easy for others to search for. Thanks for your time.

    Best Regards,

    Jason Chao
    TechNet Community Support


    Monday, August 29, 2016 9:17 AM
  • Hi Jason,

    Sorry about the delay, I lost this thread.
    Thanks for taking the time to help.

    Unfortunately my issue is still occurring.

    Shows all enabled:

    Identity                                           Enabled         Priority
    --------                                           -------         --------
    Transport Rule Agent                               True            1
    DLP Policy Agent                                   True            2
    Malware Agent                                      True            3
    Text Messaging Routing Agent                       True            4
    Text Messaging Delivery Agent                      True            5
    System Probe Drop Smtp Agent                       True            6
    System Probe Drop Routing Agent                    True            7

    I assume I am looking for what event triggers the Transport Rule agent?
    This appears to be the OnResolvedMessage:

    Event                                              TransportAgents
    -----                                              ---------------
    OnConnectEvent                                     {}
    OnHeloCommand                                      {}
    OnEhloCommand                                      {}
    OnStartTlsCommand                                  {}
    OnAuthCommand                                      {}
    OnProcessAuthentication                            {}
    OnEndOfAuthentication                              {}
    OnXSessionParamsCommand                            {}
    OnMailCommand                                      {Inbound Trust Agent}
    OnRcptCommand                                      {}
    OnDataCommand                                      {}
    OnEndOfHeaders                                     {Inbound Trust Agent}
    OnProxyInboundMessage                              {FrontendProxyAgent}
    OnEndOfData                                        {Inbound Trust Agent}
    OnHelpCommand                                      {}
    OnNoopCommand                                      {}
    OnReject                                           {}
    OnRsetCommand                                      {}
    OnDisconnectEvent                                  {}
    OnSubmittedMessage                                 {RMS Decryption Agent, Shared Mailbox Sent Item...
    OnResolvedMessage                                  {Prioritization Agent, Transport Rule Agent, DL...
    OnRoutedMessage                                    {RMS Encryption Agent, Prelicense Agent, Journa...
    OnCategorizedMessage                               {System Probe Drop Routing Agent, Journal Repor...

    I have turned the pipeline tracing on (for all messages for now), and I will let you know once we have the issue again.



    I thought I had turned pipeline tracing on, but now I am unsure.
    When I run the command again, I get:

    [PS] C:\Windows\system32>Set-TransportService servername -pipelinetracingenabled $true
    WARNING: The command completed successfully but no settings of 'servername' have been modified.

    But when I run the command below, it says enabled : false!!

    [PS] C:\Windows\system32>get-mailboxtransportservice servername | format-list

    PipelineTracingEnabled                         : False
    ContentConversionTracingEnabled                : False
    PipelineTracingPath                            : C:\Program Files\Microsoft\Exchange
    PipelineTracingSenderAddress                   :

    So is that because I didn't specify a sender address? I can't really supply one because the sender is never the same for the issue I am trying to diagnose.

    Kind Regards

    • Edited by djorchard Friday, October 7, 2016 12:12 AM removing private information
    Thursday, October 6, 2016 11:55 PM
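
The pipeline tracing procedure from the first reply, together with the read-back check from the post above, as an added example that is not part of the original thread. It assumes the Exchange Management Shell is run on the Exchange server itself; `MBX01` is a placeholder server name, and the sender address is the one used in the reply.

```powershell
# Added example (not from the thread). 'MBX01' is a placeholder server name.
$Server = 'MBX01'
$Sender = 'test1@test.com'   # address used in the reply above

# 1. Enable tracing on the Transport service. Snapshots are only written for
#    messages sent from PipelineTracingSenderAddress, so set both together.
Set-TransportService $Server -PipelineTracingSenderAddress $Sender -PipelineTracingEnabled $true

# 2. Read the values back from the service that was just changed.
#    Get-MailboxTransportService reports the Mailbox Transport service,
#    which keeps its own, separate PipelineTracing* settings.
$svc = Get-TransportService $Server
$svc | Format-List Name, PipelineTracingEnabled, PipelineTracingSenderAddress, PipelineTracingPath
if (-not $svc.PipelineTracingEnabled) {
    throw "Pipeline tracing is still disabled on the Transport service of $Server"
}

# 3. Send a test message from $Sender with "[spam]" in the subject, then list
#    the snapshot files written during the last 15 minutes.
Read-Host 'Send the test message, wait for delivery, then press Enter' | Out-Null
$since = (Get-Date).AddMinutes(-15)
Get-ChildItem -Path "$($svc.PipelineTracingPath)" -Recurse -File |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime |
    Select-Object LastWriteTime, Length, FullName

# 4. Turn tracing off again once the snapshots have been reviewed.
Set-TransportService $Server -PipelineTracingEnabled $false
Get-TransportService $Server | Format-List Name, PipelineTracingEnabled
```

Pipeline tracing writes complete copies of the traced messages to disk, so keep access to the tracing folder restricted and delete the snapshots when the investigation is done.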
  • @Jason.Chao:  What is the Inbound Trust Agent?  Can you link to an article regarding that, as I can't find any information on it.  This agent isn't listed in @djorchard's get-transportagent listing.  Neither is content filter agent for that matter.
    Thursday, March 22, 2018 3:20 PM