Transport rule to detect Reply-To header

    Question

  • I would like to make a transport rule in Exchange online, that can detect if an email has a Reply-To header.

    In the same rule I am already using the condition "A message header matches..." to look for certain values in Authentication-Results - This works well.
    Additionally I would like to check for the presence of the Reply-To header. Ideally I would like to check if it is different from the From address, but I doubt I can do this. Second best is to just detect if it is there.

    So far I tried to use the condition "A message header includes..." (because I cannot use the same condition twice) with the parameters 'Reply-To' header includes '@'. However, even when the header is present and has an email address in it, the rule does not apply. I tried to look for many different strings like *@*, ., co etc. It is like I have to specify more than a few characters for this condition to work...

    Any suggestions how I can detect Reply-To, when the condition "A message header matches..." is already used?

    Friday, February 5, 2016 2:30 PM

Answers

  • Another option would be to create another rule for the second check and test if that works better. In the first rule, add a custom x-header that stamps the message if the condition is met, then check for the existence of the x-header in the second rule and whatever other condition you want.


    Tuesday, February 9, 2016 11:52 AM
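The two-rule approach from the accepted answer, written out in Exchange Online PowerShell, as an added example that is not part of the original thread. It reuses the conditions the asker listed (sender outside the organization, the Authentication-Results regex, and a Reply-To check) and splits them across two rules joined by a custom X-header. The rule names, the header name X-Spoof-DmarcNone and its value, the placeholder "company" in the regex, the SCL value and the subject prefix are all illustrative assumptions; Connect-ExchangeOnline assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example, not code from the original thread.
# Assumptions (illustrative, adjust to your tenant): rule names, the custom
# header X-Spoof-DmarcNone and its value, "company" in the regex, SCL 6 and
# the subject prefix. Requires the ExchangeOnlineManagement module.

Connect-ExchangeOnline

# Rule 1: the "A message header matches..." condition the asker already uses.
# Its only action is to stamp a custom X-header. It must be evaluated before
# rule 2 (a lower Priority number runs earlier), and StopRuleProcessing is
# left at its default ($false) so rule 2 still runs on the same message.
New-TransportRule -Name "Spoof check 1: stamp dmarc=none for look-alike domains" `
    -Priority 0 `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns 'dmarc=none action=none header\.from=\S*company' `
    -SetHeaderName "X-Spoof-DmarcNone" `
    -SetHeaderValue "true" `
    -Mode Enforce

# Rule 2: fires only when rule 1 stamped the message AND a Reply-To header
# containing an address is present. As the asker found, the regex condition
# ("header matches") sees the Reply-To value where "header includes" did not,
# so the regex goes on Reply-To and the plain "includes" condition goes on the
# X-header. This detects presence of Reply-To, not a mismatch with From.
New-TransportRule -Name "Spoof check 2: dmarc=none plus Reply-To" `
    -Priority 1 `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader "X-Spoof-DmarcNone" `
    -HeaderContainsWords "true" `
    -HeaderMatchesMessageHeader "Reply-To" `
    -HeaderMatchesPatterns '\S+@\S+' `
    -PrependSubject "[Possible spoof] " `
    -SetSCL 6 `
    -Mode Audit   # start in audit mode and review rule hits before switching to Enforce

# Confirm the evaluation order and the conditions/actions of both rules.
Get-TransportRule | Where-Object { $_.Name -like "Spoof check*" } |
    Sort-Object Priority |
    Format-List Name, Priority, Mode, Conditions, Actions
```

Rule 2 is created in Audit mode on purpose: the asker mentioned false positives from the Authentication-Results check alone, so run the combined rule in audit, check the matches in message trace, and only then change it to Enforce. Because rule 1 stamps a header that an external sender cannot pre-populate in a meaningful way (it is added by your own rule after the Authentication-Results header has been stamped by EOP), rule 2 keys on that header rather than re-evaluating the Authentication-Results regex.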

All replies

  • What business problem are you trying to solve? If you trying to detect spoofing, you should be looking at implementing DMARC instead and have your transport rules test for failures.

    Some examples:

    http://no-one-uses-email-anymore.com/transport-rules-versus-safe-sender-lists-in-office-365eop-quien-es-mas-macho/



    Friday, February 5, 2016 3:53 PM
  • Yes, I am trying to detect spoofing.

    I am looking at DMARC also, and made another rule as described at that page.

    Spoofers, however, don't always use my registered domains. On a number of occasions we see they use our company name but add something before or after it.
    For this reason I check the Authentication-Results header to see if the domain has our name in it and it says dmarc=none (failed and no record in DNS). This alone causes some false positives, so I would like to include a check for Reply-To being present and containing an email address.

    Friday, February 5, 2016 4:38 PM
  • Can you post the exact rule you are creating?



    Friday, February 5, 2016 6:01 PM
  • Hi,

    I notice that you want to check the From field. You can configure DMARC in Office 365 and use Transport rule to prevent spoofing as Andy mentioned. For your reference:
    Using DMARC to Prevent Spoofing: https://blogs.technet.microsoft.com/eopfieldnotes/2015/02/26/using-dmarc-to-prevent-spoofing/
    Using DMARC in Office 365: http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Monday, February 8, 2016 9:31 AM
    Moderator
  • The rule has the following conditions:

    The sender is located...  Outside the organization
     and
    A message header includes...   'Reply-To' header includes "@"
     and
    A message header matches...    'Authentication-Results' header matches 'dmarc=none action=none header\.from=\S*company'

    The "message header includes" does not match anything even if it includes @.
    The "message header matches" is working very well.

    I found out if I check Reply-To with "message header matches" it will match a regex and can detect a value in this.
    This leaves me with a problem checking the Authentication-Results header. But I guess I will have to split it in two conditions.

    Monday, February 8, 2016 4:30 PM