pronto 6 Posted January 27, 2020 Posted January 27, 2020 (edited) Servus Community, I try to figure out why an email is moved to the end users Junk Mail folder in Outlook. Note that we are working an Exchange 2016 DAG with two nodes. An example mail header lokks like the following: X-MS-Exchange-Organization-MessageDirectionality: Incoming X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1580052250;VERSION=7846;MFE-VER=58;MC=2416161006;TRN=2002;CRV=0;IPC=54.240.0.225 X-ESET-Antispam: OK Old-X-EsetResult: clean, is OK Old-X-EsetId: 37303A29666CC669677661 X-MS-Exchange-Organization-Network-Message-Id: 269bf092-eb36-4fb7-8920-08d7a273caf8 X-EsetResult: clean, is OK X-EsetId: 37303A294BD8CC69677661 X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0 X-MS-Exchange-Organization-AuthSource: UNIVERSE-3.DOMAIN.local X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5779049 X-MS-Exchange-Processed-By-BccFoldering: 15.01.1847.001 On the Mail Security policy side we are using a standard policy with only two user defined changes: First we configured a white list in the 'Approved sender list in the 'Filitering and Verification section', but we configured it after the false positiv detection and second, we changed the behaviour of the 'Action to take if cleaning not possible' from 'Truncate to zero length' to 'Replace content with action information'. In the header of a false positive example above, we see an 'X-ESET-Antispam: OK' tag, which menas to me, that ESET didn't apply any anti spam action but the question remains, why this E-Mail was moved to the users Junk-Mail folder. Please note that this was an Amazon e-mail, not related to a specific order but offering products for promotional purposes. So it is not that important but a good example how to learn how the anti spam filter works... Is there a documetation about the single values of the 'X-ESET-Antispam' tag? I guess I understand some of the values, like the versions and the receive yes and send no, as well as the time stamp but MC= for example and TRN=, CRV= and IPC= isn't clear to me... Thx in advance & Bye Tom Edited January 27, 2020 by pronto
ESET Staff M.K. 22 Posted January 28, 2020 ESET Staff Posted January 28, 2020 Hi Tom, "we see an 'X-ESET-Antispam: OK' tag, which menas to me, that ESET didn't apply any anti spam action": you are right, based on this ESET Mail Security is not responsible for placing the email to the Junk folder. It could be Oulook's state-of-art antispam, or one of the Exchange server's default antispam agents. Check the X-MS-Exchange-Organization-SCL header. The format of X-ESET-AS header is not public, it's used for diagnostic purposes. Matej
pronto 6 Posted January 28, 2020 Author Posted January 28, 2020 28 minutes ago, M.K. said: you are right, based on this ESET Mail Security is not responsible for placing the email to the Junk folder. It could be Oulook's state-of-art antispam, or one of the Exchange server's default antispam agents. Check the X-MS-Exchange-Organization-SCL header Servus Matej, according to the policy, ESET should remove the SCL, and apparently it does, as there is no longer one in the header. Of course I don't know now if Exchange will evaluate the SCL before ESET deletes it. Is there any other overlap where Exchange Server might still be doing things that ESET doesn't know about? What is the order in which an e-mail passes through the individual filters? Anyway, I noticed that since we got the new Exchangers with ESET, only these Amazon mails are now in my junk mail directory. So I guess that ESET checks the mail before Exchange Server does and has already filtered out all spam and a filter behind ESET, classifies this Amazon mail as spam. Then it really looks like a filter in Exchange server. But then it looks like ESET is responsible for the fact that in principle no more spam mails can be found in the junk mail directories of the users. Is it possible to setup that spam mails will be delivered in the Junk Mail folder again. Our users are so used to it... Thx & Bye Tom
ESET Staff M.K. 22 Posted January 30, 2020 ESET Staff Posted January 30, 2020 Hi Tom, in general multiple transport agents can act on an email independently, in order based on their priority (see cmdlet Get-TransportAgent, or https://help.eset.com/emsx/7.1/en-US/idh_agent_priority2.html). Ad "Is it possible to setup that spam mails will be delivered in the Junk Mail folder again": Yes, for example set the action to take on spam to "No action" and configure a rule to set the SCL header (https://help.eset.com/emsx/7.1/en-US/idh_wizard_rule_action.html). By default Exchange will then move all emails with SCL above threshold to Junk folder (https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/configure-antispam-settings?view=exchserver-2019). Matej
Recommended Posts