none
users mailing groups receive mail from the outside

    Question

  • Hello,

    is checked "Only senders inside my organization", but email is delivered. 
    how to fix?

    Friday, July 8, 2016 6:41 AM

Answers

  • Hi,

    According to message header, it indicate that SPF check failed, however the IP address of sender is 10.10.10.92, and it seems a internal IP address.

    Please double check the IP range of receive connector, and confirm whether other application disguise as 10.10.10.92 to send e-mail.

    For now, you can use transport rule to block message which message header contains "softfail". For example:

    Name       : SPF-SoftFail
    State      : Enabled
    Description:
    If the message:
                'Received-SPF' header matches the following patterns: 'SoftFail'
                and Is received from 'Outside the organization'           
    Take the following actions:
                reject the message and include the explanation 'SPAM (SPF failed)' with the status code: '5.7.1'

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Tuesday, July 12, 2016 2:41 AM
    Moderator

All replies

  • What is checked?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, July 8, 2016 4:28 PM
    Moderator
  • Hi,

    Do you means that external sender remain can send to group even though "Only senders inside my organization" enabled?
    If I mislead your concern, please feel free to let me know.

    Would you please open one problematic message then check the message header? The external message should show as "X-MS-Exchange-Organization-AuthAs: Anonymous".

    Then, you might be use message tracking log and protocol log to check thismessage delivery process.
    Note: please check the accepted domain and the remote IP range of open relay connector.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Monday, July 11, 2016 8:05 AM
    Moderator
  • Hi,

    Message header with the problem

    Return-Path: user@mail.ru
    X-MS-Exchange-Organization-PRD: mail.ru
    X-MS-Exchange-Organization-SenderIdResult: SoftFail
    Received-SPF: SoftFail (MOS-MBX02.contoso.local: domain of transitioning
    user@mail.ru discourages use of 10.10.10.92 as permitted sender)
    X-MS-Exchange-Organization-Network-Message-Id: a178a6d0-3102-4248-97b9-08d399da84c7
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
    SoftFail;OrigIP:10.10.10.92
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: MOS-CAS01.contoso.local
    X-MS-Exchange-Organization-AuthAs: Anonymous


    10.10.10.92 -Symantec Webmail Gateway

    Monday, July 11, 2016 8:28 AM
  • Hi,

    According to message header, it indicate that SPF check failed, however the IP address of sender is 10.10.10.92, and it seems a internal IP address.

    Please double check the IP range of receive connector, and confirm whether other application disguise as 10.10.10.92 to send e-mail.

    For now, you can use transport rule to block message which message header contains "softfail". For example:

    Name       : SPF-SoftFail
    State      : Enabled
    Description:
    If the message:
                'Received-SPF' header matches the following patterns: 'SoftFail'
                and Is received from 'Outside the organization'           
    Take the following actions:
                reject the message and include the explanation 'SPAM (SPF failed)' with the status code: '5.7.1'

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Tuesday, July 12, 2016 2:41 AM
    Moderator
  • What the reason of Distrubution Group gets mail from external sender with active option "Only senders inside my organisation"?

    The rules also don't work if there are "Outside the organisation" mentioned as a sender. 

    Exchange think that all of them are internal senders.
    Tuesday, July 12, 2016 6:48 AM
  • Hi,

    Transport rule is temporary solution before we find "Who" (app or anti-virus) disguise as internal user, and use 10.10.10.92 to send message to DG. Therefore, please check IP address and find the root cause.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Wednesday, July 13, 2016 1:24 AM
    Moderator