none
Allow Duplicates to ONLY Spam Quarantine Mailbox

    Question

  • Dear Exchange Gurus,

    i have in Mys Setup Exchange Server 2007 with CCR and a CASHUB Server.

    Mail Flow/Security is set ,by Public DNS records and Real IP Addresses,Through: External Sender> Cloud 3rd Party Email Security Solution>our Data-center Firewall>Exchange CASHUB with Content Filter with Quarantine Mailbox>User Mailbox.

    Recently , i discovered a Strange issue.

    an Email To a User ,CC a manager , Reached the Manager but Not the User.

    With Deep Investigation, i found that the Cloud 3rd Party Sent the Message for the TWO Recipients to Exchange , however EX 2007 CASHUB detected the message to the User as duplicate and Deleted it.

    This is Because Content Filter has found message to be possible SPAM and Set the Recipient to SPAM Quarantine Mailbox and Thus it became indeed Two Duplicate Messages for One Single User ( Spam filter Mailbox)

    This is a Severe Problem , as it seems it happened to other users with the same scenario.

    I Need to keep using Exchange Content filter as Second Layer of Security Behind Cloud but at the Same time  Allow Duplicate to ONLY to the Spam Quarantine Mailbox ( not to all Mailboxes).

    i am aware this is a forum for 2013 and i am working on upgrading to it, but i really will appreciate your help solving this issue in my 2007.



    Thursday, November 23, 2017 11:24 AM

All replies

  • Hi,

    Does the message which theirs SCL value exceeds the SCLQuarantineThreshold experience this issue?

    To troubleshooting this issue, please:
    1. View SCL value of problematic email.
    2. Check the SCLQuarantineThreshold, SCLDeleteThreshold and SCLDeleteThreshold setting (also QuarantineMailbox):
    Get-ContentFilterConfig | FL Identity,SCL*,QuarantineMailbox

    As a workaround that I can consider in your situation, we can add Spam Quarantine Mailbox into BypassedRecipients list. For example (tiffany is spam quarantine mailbox):
    Set-ContentFilterConfig -BypassedRecipients tiffany@contoso.com

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, November 24, 2017 10:23 AM
    Moderator
  • Thanks a lot Allen for your care and Reply.

    I tried your workaround and still monitoring to verify the effect and will update you.

    but i have a question, How would bypassing Quarantine mailbox affect the Issue of Duplicate Emails received from External Users to Multiple Internal Users and The Considered Duplicate because the content filter make them to One destination ( Quarantine Mailbox) with same Message ID ?

    Tuesday, November 28, 2017 9:56 AM
  • Good question, I confuse this issue also.
    The message will redirect to Spam Quarantine mailbox if the SCL value exceed the setting in content filter, and stop deliver message to other recipient.

    However, current question is that message mark as Spam, move to Spam Quarantine mailbox, but remain deliver to other mailbox.

    Therefore, I want to double check the Spam Quarantine mailbox, and whether this issue only occurs when send message to Spam Quarantine mailbox.
    Please help to list the content filter setting:
    Get-ContentFilterConfig | FL Identity,SCL*,QuarantineMailbox

    Also, I recommend to post the whole message deliver process in Message Tracking log. For example:
    Get-MessageTrackingLog -MessageID <xxxxxxxx@contoso.com> | FL
    Note: remove sensitive message from log.

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, November 29, 2017 3:16 AM
    Moderator
  • Dear Allen, thanks again for Your Care

    below are the Log Information After i replaces Sensitive Info

    As you will see the issue was 2 SMTP Messages Received from Partner through our CLoud ANti-SPAM , one Intended for a User and the Other for Manager.

    However only one of them, the Manager's, was Stored in Quarantine Mailbox, which i released later, while the Other, The User's, was considered Duplicate and did Not Reach Quarantine Mailbox

    Get-ContentFilterConfig | FL Identity,SCL*,QuarantineMailbox

    Identity               : ContentFilterConfig
    SCLRejectThreshold     : 8
    SCLRejectEnabled       : False
    SCLDeleteThreshold     : 9
    SCLDeleteEnabled       : False
    SCLQuarantineThreshold : 7
    SCLQuarantineEnabled   : True
    QuarantineMailbox      : SpamFilter@our-domain.com

    Get-MessageTrackingLog -MessageID 511101d35d21$31dda6b0$9598f410$@partner-domain.net | FL

    Timestamp               : 11/14/2017 10:10:48 AM
    ClientIp                : Cloud_Anti-Spam-IP
    ClientHostname          :
    ServerIp                : CASHUB-IP
    ServerHostname          : CASHUB
    SourceContext           : 08D49B7543418238;2017-11-14T08:10:40.008Z;0
    ConnectorId             : CASHUB\Default CASHUB
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 9669694
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {}
    RecipientStatus         : {}
    TotalBytes              : 479447
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : COMPLAINT
    Sender                  : partner@partner-domain.net
    ReturnPath              : partner@partner-domain.net
    MessageInfo             : 00A:

    Timestamp               : 11/14/2017 10:10:48 AM
    ClientIp                : Cloud_Anti-Spam-IP
    ClientHostname          :
    ServerIp                : CASHUB-IP
    ServerHostname          : CASHUB
    SourceContext           : 08D49B7543418239;2017-11-14T08:10:40.132Z;0
    ConnectorId             : CASHUB\Default CASHUB
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 9669695
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {}
    RecipientStatus         : {}
    TotalBytes              : 479445
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : COMPLAINT
    Sender                  : partner@partner-domain.net
    ReturnPath              : partner@partner-domain.net
    MessageInfo             : 00A:

    Timestamp               : 11/14/2017 10:10:48 AM
    ClientIp                :
    ClientHostname          :
    ServerIp                :
    ServerHostname          : CASHUB
    SourceContext           : Quarantine
    ConnectorId             :
    Source                  : DSN
    EventId                 : DSN
    InternalMessageId       : 9669696
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {SpamFilter@our-domain.com}
    RecipientStatus         : {}
    TotalBytes              : 490588
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               : {<511101d35d21$31dda6b0$9598f410$@partner-domain.net>}
    MessageSubject          : Undeliverable: RE: COMPLAINT
                              on
    Sender                  : Postmaster@our-domain.com
    ReturnPath              : <>
    MessageInfo             :

    Timestamp               : 11/14/2017 10:10:48 AM
    ClientIp                :
    ClientHostname          :
    ServerIp                :
    ServerHostname          : CASHUB
    SourceContext           : Quarantine
    ConnectorId             :
    Source                  : DSN
    EventId                 : DSN
    InternalMessageId       : 9669697
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {SpamFilter@our-domain.com}
    RecipientStatus         : {}
    TotalBytes              : 490579
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               : {<511101d35d21$31dda6b0$9598f410$@partner-domain.net>}
    MessageSubject          : Undeliverable: RE: COMPLAINT
                              on
    Sender                  : Postmaster@our-domain.com
    ReturnPath              : <>
    MessageInfo             :

    Timestamp               : 11/14/2017 10:10:49 AM
    ClientIp                :
    ClientHostname          : CASHUB
    ServerIp                :
    ServerHostname          : MAILBOX
    SourceContext           :
    ConnectorId             :
    Source                  : STOREDRIVER
    EventId                 : DELIVER
    InternalMessageId       : 9669697
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {SpamFilter@our-domain.com}
    RecipientStatus         : {}
    TotalBytes              : 490754
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : Undeliverable: RE: COMPLAINT
                              on
    Sender                  : Postmaster@our-domain.com
    ReturnPath              : <>
    MessageInfo             :

    Timestamp               : 11/14/2017 10:10:49 AM
    ClientIp                :
    ClientHostname          : CASHUB
    ServerIp                :
    ServerHostname          : MAILBOX
    SourceContext           :
    ConnectorId             :
    Source                  : STOREDRIVER
    EventId                 : DUPLICATEDELIVER
    InternalMessageId       : 9669696
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {SpamFilter@our-domain.com}
    RecipientStatus         : {}
    TotalBytes              : 490763
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : Undeliverable: RE: COMPLAINT
                              on
    Sender                  : Postmaster@our-domain.com
    ReturnPath              : <>
    MessageInfo             :

    Timestamp               : 11/14/2017 10:15:00 AM
    ClientIp                : fe80::d4fe:79c8:1cbc:b966
    ClientHostname          : MAILBOX.our-domain.com.eg
    ServerIp                : fe80::4d90:80f:859e:3ed%10
    ServerHostname          : CASHUB
    SourceContext           :
    ConnectorId             :
    Source                  : STOREDRIVER
    EventId                 : RECEIVE
    InternalMessageId       : 9669738
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {Manager@our-domain.com}
    RecipientStatus         : {}
    TotalBytes              : 281926
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : COMPLAINT
    Sender                  : partner@partner-domain.net
    ReturnPath              : partner@partner-domain.net
    MessageInfo             : 04A:

    Timestamp               : 11/14/2017 10:15:01 AM
    ClientIp                :
    ClientHostname          : CASHUB
    ServerIp                :
    ServerHostname          : MAILBOX
    SourceContext           :
    ConnectorId             :
    Source                  : STOREDRIVER
    EventId                 : DELIVER
    InternalMessageId       : 9669738
    MessageId               : <511101d35d21$31dda6b0$9598f410$@partner-domain.net>
    Recipients              : {Manager@our-domain.com}
    RecipientStatus         : {}
    TotalBytes              : 282099
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : COMPLAINT
    Sender                  : partner@partner-domain.net
    ReturnPath              : partner@partner-domain.net
    MessageInfo             : 11/14/2017 10:15:00 AM



    [PS] C:\Windows\system32>

    Thursday, November 30, 2017 10:09 AM
  • Thanks for your response.

    From the message tracking log, I notice two points:
    1. RecipientCount: 1, means only one recipient.
    2. Event "DUPLICATEDELIVER" occurs when Postmaster@our-domain.com send NDR to SpamFilter@our-domain.com.

    Just for testing, please disable content filter temporary and restart transport service, then re-send effect message again and check the result.

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, December 1, 2017 3:12 AM
    Moderator
  • Dear Allen,

    Thanks for your Care and reply.

    as it is a sensitive business issue with the partner, i could not ask them to resend and re-test.

    if you can suggest a method to re-simulate the issue using my own external and internal email addresses, will most appreciate it.

    Saturday, December 9, 2017 9:35 AM
  • Hi Hamdeen,

    The Content filter works with SCL value, thus I suppose that it's hard to re-simulate it by a public email address (which has a valid SPF record).
    Or you can build a lab if you want, create a send connector to deliver message to Internet, then send message to your product environment for testing.

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, December 11, 2017 1:56 AM
    Moderator