Event ID 4010, error, MSExchange Messaging Policies

    Question

  • Exchange 2013 CU12 in hybrid mode with Office 365 and using EOP. I receive several of these events daily in the Exchange servers' event logs. They all have random 5 or 6 character domain names ending in .us

    Like:

    The rest of the event looks like this:

    Transport engine failed to evaluate condition due to Filtering Service error. The rule is configured to ignore errors. Details: 'Organization: '' Message ID '<0.0.0.8D.1D1963D56A28882.172B09@kpafog.us>' Rule ID '1f84f16b-d702-4afd-9b25-0b3372cfb166' Predicate '' Action ''. FilteringServiceFailureException Error: Microsoft.Exchange.MessagingPolicies.Rules.FilteringServiceFailureException: FIPS text extraction failed with error: 'MIME content error: Cannot decode content stream because unrecognized content transfer encoding was used to encode it.'. See inner exception for details ---> Microsoft.Exchange.Data.Mime.MimeException: MIME content error: Cannot decode content stream because unrecognized content transfer encoding was used to encode it.
       at Microsoft.Exchange.Data.Mime.MimePart.GetContentReadStream()
       at Microsoft.Exchange.UnifiedContent.Exchange.EmailMessageSerializer.SerializeMimeDocument(UnifiedContentSerializer serializer, EmailMessage email, HashSet`1 serializedMimeParts)
       at Microsoft.Exchange.UnifiedContent.Exchange.EmailMessageSerializer.Serialize(EmailMessage message, UnifiedContentSerializer serializer, Boolean bypassTextTruncation)
       at Microsoft.Filtering.FipsDataStreamFilteringRequest.ToFilteringRequest(Boolean bypassBodyTextTruncation)
       at Microsoft.Exchange.MessagingPolicies.Rules.FipsFilteringServiceInvoker.CreateFipsRequest(ScanConfiguration config, FilteringServiceInvokerRequest filteringServiceInvokerRequest)
       at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.BeginTextExtraction(FilteringServiceInvokerRequest filteringServiceInvokerRequest, TextExtractionCompleteCallback textExtractionCompleteCallback)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.MessagingPolicies.Rules.UnifiedContentServiceInvoker.GetUnifiedContentResults(FilteringServiceInvokerRequest filteringServiceInvokerRequest)
       at Microsoft.Exchange.MessagingPolicies.Rules.MailMessage.get_BodyContent()
       at Microsoft.Exchange.MessagingPolicies.Rules.MessageBodies.Microsoft.Exchange.MessagingPolicies.Rules.IContent.Matches(MultiMatcher matcher, RulesEvaluationContext context)
       at Microsoft.Exchange.MessagingPolicies.Rules.TextMatchingPredicate.Evaluate(RulesEvaluationContext context)
       at Microsoft.Exchange.MessagingPolicies.Rules.OrCondition.Evaluate(RulesEvaluationContext context)
       at Microsoft.Exchange.MessagingPolicies.Rules.AndCondition.Evaluate(RulesEvaluationContext context)
       at Microsoft.Exchange.MessagingPolicies.Rules.RulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext)
       at Microsoft.Exchange.MessagingPolicies.Rules.TransportRulesEvaluator.EvaluateCondition(Condition condition, RulesEvaluationContext evaluationContext).
    Message-Id:<0.0.0.8D.1D1963D56A28882.172B09@kpafog.us>'

    I suspect it is a type of spam/malware that EOP is not catching and FIPS cannot process either.

    I have tried to filter these out with a rule but with no success yet.

    Any help would be appreciated.

    Thursday, April 14, 2016 3:42 PM
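
The event text in the question reports an unrecognized content transfer encoding on a MIME part. As an added example (not part of the original post, and not Exchange code), this Python script lists the parts of an exported message whose Content-Transfer-Encoding is outside the five RFC 2045 values and returns the Message-ID for matching against the event. Treating that set as what the filtering service accepts is an assumption, and the sample message is constructed.

```python
import email
from email import policy

# Transfer encodings defined by RFC 2045, section 6.1.
STANDARD_CTE = {"7bit", "8bit", "binary", "quoted-printable", "base64"}

def nonstandard_cte_parts(raw_bytes):
    """Return (message_id, findings); findings lists (part_index,
    content_type, cte) for each MIME part whose Content-Transfer-Encoding
    is not an RFC 2045 value."""
    # compat32 returns header values as written, without normalising them.
    msg = email.message_from_bytes(raw_bytes, policy=policy.compat32)
    findings = []
    for index, part in enumerate(msg.walk()):
        raw = part.get("Content-Transfer-Encoding")
        if raw is None:
            continue  # header absent: the RFC 2045 default of 7bit applies
        cte = str(raw).strip().lower()
        if cte not in STANDARD_CTE:
            findings.append((index, part.get_content_type(), cte))
    return str(msg.get("Message-ID", "")).strip(), findings

# Constructed sample message (not taken from the thread): the second body
# part declares a transfer encoding that RFC 2045 does not define.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Message-ID: <constructed-1@example.invalid>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: not-a-real-encoding\r\n"
    b"\r\n"
    b"<p>hello</p>\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    message_id, findings = nonstandard_cte_parts(SAMPLE)
    print(message_id)
    for index, ctype, cte in findings:
        print(f"part {index} ({ctype}): unrecognized encoding {cte!r}")
```
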

All replies

  • You wouldn't be getting on-premises event log messages for EOP errors.  Do you have any filtering configured in your on-premises server?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, April 14, 2016 7:02 PM
    Moderator
  • Only the native Exchange 2013 malware setting. No additional AV or spam filtering.
    Thursday, April 14, 2016 9:11 PM
  • Why would you be using that when you're fronted by EOP?

    In any case, I haven't seen this error and I can't find anything on it.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, April 14, 2016 9:17 PM
    Moderator
  • I'm thinking it is malware getting past EOP and stopped by Exchange server native malware. Wouldn't it catch internal mailbox to internal mailbox malware?
    Thursday, April 14, 2016 9:27 PM
  • That's not how I read it.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, April 14, 2016 9:32 PM
    Moderator
  • Is EOP considered so good that nothing gets past it and internal to internal is not worth considering?
    Friday, April 15, 2016 2:17 PM
  • It's a lot better than what you get for free with Microsoft Exchange.  I'm not saying you don't need to scan internal-to-internal--that's your own business decision--but if you do, I'd be looking at a third-party product.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Friday, April 15, 2016 6:09 PM
    Moderator