We often encounter scenarios where we have to identify whether a specified email was processed by a transport rule. For example, a user reports that emails are being quarantined despite a transport rule that bypasses spam filtering.

 

The steps below will help you identify whether the specified email was processed by the associated transport rule.

 

  1. Execute the command below from PowerShell to collect the details of the transport rules that have been created.

Get-TransportRule | fl identity, guid, actions

 

  2. Make a note of the GUID attribute of the transport rule involved.

 

Identity : append subject microsoft.com
Guid     : 1cbee381-1f7f-4542-b408-bce503e945b6
Actions  : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.PrependSubjectAction}

 

  3. Execute the command below from PowerShell to perform a historical search for the affected email.

 

Start-HistoricalSearch -ReportTitle "Search" -RecipientAddress userA@contoso.com -SenderAddress userB@contoso.com -StartDate 06/25/2014 -EndDate 06/26/2014 -ReportType MessageTraceDetail -NotifyAddress userc@contoso.com

 

userA@contoso.com – replace it with the recipient's email address.

userB@contoso.com – replace it with the sender's email address.

userc@contoso.com – replace it with another mailbox to which the message trace report should be emailed.

06/25/2014 – replace it with the relevant start date.

06/26/2014 – replace it with the relevant end date.

 

 

  4. Edit the historical search output by sorting the first column, titled “date_time”, in ascending order so that all the events are in correct chronological order. Make sure to select the option “Expand the selection” while sorting so that all other columns are sorted accordingly.

 

                  

 

  5. Analyze the data in the column titled “custom_data” to confirm whether the specified email was processed by the transport rule.

 

Tip: Copy the data in the column titled “custom_data” to a Notepad file. Each event in the custom data section of the message trace starts with “S:”. Putting each entry that starts with “S:” on its own line makes the message trace log easier to analyze.

 

Look for the attribute “S:TRA=ETR” in the custom data section. If the email was processed by a transport rule, this attribute shows the GUID of the rule (ruleId) together with the action applied, as below:

 

                S:AMA=SUM|v=0|action=|error=|atch=0;S:AMA=EV|engine=M|v=0|sig=1.191.1707.0|name=|file=;S:AMA=EV|engine=A|v=0|sig=201501071028|name=|file=;S:AMA=EV|engine=K|v=0|sig=7.1.2015 13:17:0|name=|file=;S:TRA=ETR|ruleId=1cbee381-1f7f-4542-b408-bce503e945b6|st=1/7/2015 3:29:41 PM|action=PrependSubject|sev=1|mode=Enforce;S:CFA=SUM|sfv=NotSpam|rsk=Low|scl=0|bcl=0|score=|sfs=|sfp=0|fprx=|mlc=|mlv=;S:CFA=SUM|sfv=NotSpam|rsk=Low|scl=0|bcl=0|score=|sfs=|sfp=0|fprx=|mlc=|mlv=;S:SFA=SUM|SFV=NSPM|IPV=NLI|SRV=|SFS=438002|SFS=199003|SFS=28505001|SFS=38314003|SFS=189002|SFS=252514010|SFS=512954002|SFS=46102003|SFS=84326002|SFS=20776003|SFS=66066001|SFS=110136001|SFS=86612001|SFS=64706001|SFS=15395725005|SFS=16236675004|SFS=2501002|SFS=19625215002|SFS=4396001|SFS=92566001|SFS=71186001|SFS=31966008|SFS=15198665003|SFS=55846006|SFS=21056001|SFS=106466001|SFS=107046002|SFS=2351001|SFS=107886001|SFS=229853001|SFS=102836002|SFS=1720100001|SFS=77156002|SFS=62966003|SFS=2900100001|SFS=2920100001|SFS=2930100002|SFS=15975445007|SFS=450100001|SFS=19580395003|SFS=19300405004|SFS=19580405001|SFS=87836001|SFS=86146001|SFS=19617315012|SFS=33656002|SFS=2656002|SFS=120916001|SFS=85426001|SFS=99396003|SFS=6806004|SFS=50986999|SFS=54356999|SFS=86362001|SFS=15843345004|SFS=10090945008|SCL=1|SCORE=0|LIST=0|DI=|RD=|H=na01-bn1be.outbound.protection.outlook.com|CIP=157.56.110.140|SFP=0|ASF=0|HCTFP=|CTRY=US|CLTCTRY=|LANG=en|LAT=273|LAT=139|LAT=120|FPR=F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=19002800102_|FPRX=19000800102_EA47FE93.3AF44C6.5A540E80.66EC7ADA.20014|FPRX=20000800102_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=7049001001_951ABC78.5231C422.C05C0287.2242C645.2005C|FPRX=805040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=855040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=286010000101_8B8F2D85.30D49CCD.BDC41BD5.E2C27241.201D2|FPRX=785040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=263050000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=802040000101_F8E
E7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=711040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=728040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=726040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=265050000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=190060000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=818040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=926040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=941040000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=7029011051_A58AFEE8.92B0840D.95740201.50748562.2001D|FPRX=2009001003_7B2A5EA4.85782B1.B456D036.C7F5CD30.2004F|FPRX=78030000101_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=80030000201_F8EE7449.AC3F530B.C75DBF88.148DBCF3.201DA|FPRX=288010000201_951ABC78.5231C422.C05C0287.2242C645.2005C|FPRX=370010000301_B8F2D85.30D49C8D.BDC41BD5.D2C27261.201C1|FPRX=280060000101_8B8F2D85.30D49CCD.BDC41BD5.E2C27241.201D2|FPRX=2009003091_A58AFEE8.92B0840D.95740201.50748562.2001D|FPRX=289010000301_941ABC34.5021C4AE.C37C0387.22824681.2005A|DIR=INB|MLC=LRPRD-2185|MLV=sfv;S:CompCost=|AMA=0|ETR=0|SFA=0;S:DeliveryPriority=Normal;S:AccountForest=NAMPR02A001.prod.outlook.com

 

The “action” field of the S:TRA=ETR entry (action=PrependSubject in the sample above) tells you which action the rule performed.
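
Steps 4 and 5 can also be done in PowerShell instead of a spreadsheet. The script below is an added example, not part of the original article: the function name Get-EtrEvent is hypothetical, the two sample rows are constructed (shortened from the sample above), and it assumes the downloaded report is a CSV with the “date_time” and “custom_data” columns named in this article.

```powershell
# Added example: list transport-rule (S:TRA=ETR) events found in message-trace custom_data.
# $rows stands in for: Import-Csv <path to the downloaded MessageTraceDetail report>
# Constructed sample rows; the field layout follows the sample shown in this article.
$rows = @'
date_time,custom_data
2015-01-07T15:29:42Z,"S:CFA=SUM|sfv=NotSpam|rsk=Low|scl=0|bcl=0;S:DeliveryPriority=Normal"
2015-01-07T15:29:41Z,"S:AMA=SUM|v=0|action=|error=|atch=0;S:TRA=ETR|ruleId=1cbee381-1f7f-4542-b408-bce503e945b6|st=1/7/2015 3:29:41 PM|action=PrependSubject|sev=1|mode=Enforce"
'@ | ConvertFrom-Csv

function Get-EtrEvent {
    param(
        [Parameter(Mandatory)] [object[]] $TraceRow,
        [Parameter(Mandatory)] [guid] $RuleGuid   # GUID noted in step 2
    )
    # Chronological order, equivalent to sorting the date_time column in step 4.
    foreach ($row in ($TraceRow | Sort-Object { [datetime]($_.date_time) })) {
        # Every event starts with "S:"; split on that marker and drop empty pieces.
        $events = $row.custom_data -split '(?:^|;)S:' | Where-Object { $_ }
        foreach ($ev in $events) {
            if ($ev -notlike 'TRA=ETR|*') { continue }   # keep transport-rule events only
            # The remaining tokens are key=value pairs separated by "|".
            $kv = @{}
            foreach ($pair in ($ev -split '\|' | Select-Object -Skip 1)) {
                $name, $value = $pair -split '=', 2
                $kv[$name] = $value
            }
            [pscustomobject]@{
                DateTime = $row.date_time
                RuleId   = $kv['ruleId']
                Action   = $kv['action']
                Mode     = $kv['mode']
                # True when this event belongs to the rule under investigation.
                IsTarget = ($kv['ruleId'] -eq $RuleGuid.ToString())
            }
        }
    }
}

Get-EtrEvent -TraceRow $rows -RuleGuid '1cbee381-1f7f-4542-b408-bce503e945b6' |
    Format-Table -AutoSize
```

If the function returns no row with IsTarget set to True, the trace contains no S:TRA=ETR entry for that rule GUID.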