Spam with high SCL going to user mailbox instead of spam quarantine

I have been having a lot of problems with spam. Lots of messages that are spam are getting SCL levels of 0-3, so I have resorted to setting up a spam quarantine mailbox that gets anything that is 3 and up, with 8 and 9 getting deleted.

I have been catching a lot of spam so that it does not go to the users' mailboxes, but I still have users complaining about spam. I looked into one of their mailboxes and noticed that they are getting emails that have SCL levels higher than 3; most of them are 6. Outlook is then processing them and marking them as spam correctly, which is good. But those emails should not have gotten to the users' mailboxes in the first place. They should have gone to the spam quarantine mailbox.

I have set the organization config SCLJunkThreshold to 2, the content filter config quarantine mailbox SCL level to 3, and delete to 8. What else can I do so that all mail that has an SCL of more than 3 goes to the quarantine mailbox?

August 30th, 2013 10:13am

Can you run and post the result of the following:

Get-TransportAgent "Content Filter Agent"

Get-ContentFilterConfig | FL

August 30th, 2013 11:26am

Can you run and post the result of the following:

Get-TransportAgent "Content Filter Agent"

Get-ContentFilterConfig | FL

Get-TransportAgent "Content Filter Agent"

Identity                                           Enabled         Priority
--------                                           -------         --------
Content Filter Agent                               True            5

Get-ContentFilterConfig | FL

RunspaceId                            : a2e272ef-90b6-442c-9d74-0ed75c7ee4b0
Name                                  : ContentFilterConfig
RejectionResponse                     : Message rejected as spam by Content Filtering.
OutlookEmailPostmarkValidationEnabled : True
BypassedRecipients                    : {}
QuarantineMailbox                     : spamquarantine@local
SCLRejectThreshold                    : 7
SCLRejectEnabled                      : False
SCLDeleteThreshold                    : 8
SCLDeleteEnabled                      : True
SCLQuarantineThreshold                : 3
SCLQuarantineEnabled                  : True
BypassedSenders                       : {}
BypassedSenderDomains                 : {}
Enabled                               : True
ExternalMailEnabled                   : True
InternalMailEnabled                   : False
AdminDisplayName                      :
ExchangeVersion                       : 0.1 (8.0.535.0)
DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport Settings,CN=EarthCamInc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local
Identity                              : ContentFilterConfig
Guid                                  : 6a05affa-34ae-4b33-9326-7753aebf1b17
ObjectCategory                        : local/Configuration/Schema/ms-Exch-Message-Hygiene-Content-Filter-Config
ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
WhenChanged                           : 8/29/2013 5:54:38 PM
WhenCreated                           : 4/2/2013 11:49:03 AM
WhenChangedUTC                        : 8/29/2013 9:54:38 PM
WhenCreatedUTC                        : 4/2/2013 3:49:03 PM
OrganizationId                        :
OriginatingServer                     : dc.local
IsValid                               : True
ObjectState                           : Unchanged


August 30th, 2013 11:33am


Anyone?
September 9th, 2013 4:37pm

Are you able to post the headers of a message that should have been blocked at the Exchange level that made it through to the user's Mailbox?
September 11th, 2013 3:57pm

Here is one:

Received: from MAIL2 (x.x.x.x) by MAIL2 (x.x.x.x) with Microsoft SMTP Server (TLS) id 15.0.620.29 via Mailbox Transport; Tue, 10 Sep 2013 17:46:57 -0400
Received: from MAIL1 (x.x.x..y) by mail2 (x.x.x.x) with Microsoft SMTP Server (TLS) id 15.0.620.29; Tue, 10 Sep 2013 17:46:53 -0400
Received: from brtkass.biz (27.20.189.66) by mail1.com (y.y.y.y) with Microsoft SMTP Server id 15.0.620.29 via Frontend Transport; Tue, 10 Sep 2013 17:46:52 -0400
Date: Wed, 11 Sep 2013 05:46:28 +0800
From: =?utf-8?B?6a2P5bWL5ZOF?= <xexjjoxaj@brtkass.biz>
To: postmaster <postmaster@company.com>
Subject: =?utf-8?B?54+t57uE6ZW/566h55CG55qE5LqU5aSn5YmR5rOVZWFydGhjYW0uYw==?=
 =?utf-8?B?b20=?=
X-Priority: 3
X-Mailer: Foxmail 7.0.1.91[cn]
MIME-Version: 1.0
Message-ID: <201309110546357316564@brtkass.biz>
Content-Type: multipart/mixed;
 boundary="----=_000_NextPart453158728363_=----"
Return-Path: xexjjoxaj@brtkass.biz
X-MS-Exchange-Organization-PRD: brtkass.biz
X-MS-Exchange-Organization-SenderIdResult: Fail
Received-SPF: Fail (mail2: domain of xexjjoxaj@brtkass.biz does not designate 27.20.189.66 as permitted sender)
 receiver=mail2; client-ip=27.20.189.66; helo=brtkass.biz;
X-MS-Exchange-Organization-Network-Message-Id: b16a260d-2e54-4280-9067-08d07c866772
X-MS-Exchange-Organization-SCL: 6
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus Fail;OrigIP:27.20.189.66
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: mail1
X-MS-Exchange-Organization-AuthAs: Anonymous

September 11th, 2013 4:44pm

Could this link possibly help?

https://blogs.technet.com/b/exchange/archive/2009/11/13/3408814.aspx?Redirected=true

Refer to Myth 3.

September 13th, 2013 10:04am

Could this link possibly help?

https://blogs.technet.com/b/exchange/archive/2009/11/13/3408814.aspx?Redirected=true

Refer to Myth 3.

It's actually myth 1. Thanks for the link. It explains it all! I have a transport rule that sets the SCL to 6 if SPF failed. Any way to modify the pipeline to make the transport agent rule run before the content filter agent?
  • Edited by dom8925 20 hours 10 minutes ago
September 13th, 2013 10:42am
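
The mismatch this thread arrives at, modeled as an added example (not code from any poster): the Content Filter agent applies its delete, reject and quarantine thresholds to the SCL it computes itself, while an SCL stamped afterwards by a transport rule is only compared with SCLJunkThreshold at mailbox delivery. The content filter's own score is not visible in the posted headers, so `-ContentFilterScl 1` is an assumed value, and the function names are hypothetical. It uses no Exchange cmdlets and runs in any PowerShell session.

```powershell
# Added example (not from the thread). Thresholds are the values posted above.
$cfg = @{
    DeleteEnabled     = $true;  DeleteThreshold     = 8
    RejectEnabled     = $false; RejectThreshold     = 7
    QuarantineEnabled = $true;  QuarantineThreshold = 3
    JunkThreshold     = 2       # organization SCLJunkThreshold
}
# Three headers copied from the message posted in the thread.
$headers = @'
Received-SPF: Fail (mail2: domain of xexjjoxaj@brtkass.biz does not designate 27.20.189.66 as permitted sender)
X-MS-Exchange-Organization-SCL: 6
X-MS-Exchange-Organization-AuthAs: Anonymous
'@

# Return the first value of the named header, or $null if it is absent.
function Get-HeaderValue([string]$Text, [string]$Name) {
    $m = [regex]::Match($Text, "(?im)^$([regex]::Escape($Name)):\s*(.*)$")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

# Content Filter agent: acts when SCL >= threshold; the strongest enabled action wins.
function Get-ContentFilterAction([int]$Scl, $Cfg) {
    if ($Cfg.DeleteEnabled -and $Scl -ge $Cfg.DeleteThreshold) { return 'Delete' }
    if ($Cfg.RejectEnabled -and $Scl -ge $Cfg.RejectThreshold) { return 'Reject' }
    if ($Cfg.QuarantineEnabled -and $Scl -ge $Cfg.QuarantineThreshold) { return 'Quarantine' }
    'Pass'
}

# Mailbox delivery: an SCL greater than the junk threshold goes to Junk E-mail.
function Get-MailboxAction([int]$Scl, $Cfg) {
    if ($Scl -gt $Cfg.JunkThreshold) { 'Junk E-mail folder' } else { 'Inbox' }
}

# Walk one message through both decisions and show where they diverge.
function Trace-SclPath([string]$Text, $Cfg, [int]$ContentFilterScl) {
    $finalScl = [int](Get-HeaderValue $Text 'X-MS-Exchange-Organization-SCL')
    $spf      = (Get-HeaderValue $Text 'Received-SPF') -replace '\s.*$'
    [pscustomobject]@{
        SpfResult           = $spf
        ContentFilterScl    = $ContentFilterScl   # assumed, not visible in headers
        ContentFilterAction = Get-ContentFilterAction $ContentFilterScl $Cfg
        FinalScl            = $finalScl           # value stamped by the transport rule
        MailboxAction       = Get-MailboxAction $finalScl $Cfg
        IfFilterSawFinalScl = Get-ContentFilterAction $finalScl $Cfg
    }
}

Trace-SclPath $headers $cfg -ContentFilterScl 1 | Format-List
```

The `IfFilterSawFinalScl` field shows the action the poster expected, and `MailboxAction` shows what happens when the SCL of 6 is assigned only after content filtering has already passed the message.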

