Yep, I'm sure that exactly this rule is applied (I've put in a unique NDR code). I got the NDR message from the sender, where I can see my NDR code.
Message tracking (Get-MessageTrackingLog) says that the message was just rejected by the agent:
{[{LRT=};{LED=550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy};{FQDN=};{IP=}]}
I'm searching logs with this command:
Get-MessageTrackingLog -Sender user1@domain.com -Recipients user2@domain.com -MessageId 147f40d6a44241a0881605373d3a12a0@mbx15-1.domain.local | select * | Out-GridView
Here is my rule:
[PS] C:\Windows\system32>Get-TransportRule "Executable content 2010" | fl
RunspaceId : 7abdb1a2-5443-4b11-8970-31386298930a
Priority : 1
DlpPolicy :
DlpPolicyId : 00000000-0000-0000-0000-000000000000
Comments :
ManuallyModified : False
ActivationDate :
ExpiryDate :
Description : If the message:
includes these text patterns in an attachment: '.exe$' or '.com$' or
'.pif$' or '.scr$' or '.vbs$' or '.cmd$' or '.bat$' or '.hta$' or '.chm
$' or '.cpl$' or '.crt$' or '.csh$' or '.der$' or '.hlp$' or '.inf$' or
'.ins$' or '.isp$' or '.js$' or '.jse$'or...
Take the following actions:
reject the message and include the explanation 'Rejected attachments
detected. Your message was not delivered.' with the status code: '5.7.1
'
RuleVersion : 14.0.0.0
Conditions : {AttachmentMatchesPatterns}
Exceptions :
Actions : {RejectMessage}
State : Enabled
Mode : Enforce
RuleErrorAction : Ignore
SenderAddressLocation : Header
RuleSubType : None
UseLegacyRegex : True
From :
FromMemberOf :
FromScope :
SentTo :
SentToMemberOf :
SentToScope :
BetweenMemberOf1 :
BetweenMemberOf2 :
ManagerAddresses :
ManagerForEvaluatedUser :
SenderManagementRelationship :
ADComparisonAttribute :
ADComparisonOperator :
SenderADAttributeContainsWords :
SenderADAttributeMatchesPatterns :
RecipientADAttributeContainsWords :
RecipientADAttributeMatchesPatterns :
AnyOfToHeader :
AnyOfToHeaderMemberOf :
AnyOfCcHeader :
AnyOfCcHeaderMemberOf :
AnyOfToCcHeader :
AnyOfToCcHeaderMemberOf :
HasClassification :
HasNoClassification : False
SubjectContainsWords :
SubjectOrBodyContainsWords :
HeaderContainsMessageHeader :
HeaderContainsWords :
FromAddressContainsWords :
SenderDomainIs :
RecipientDomainIs :
SubjectMatchesPatterns :
SubjectOrBodyMatchesPatterns :
HeaderMatchesMessageHeader :
HeaderMatchesPatterns :
FromAddressMatchesPatterns :
AttachmentNameMatchesPatterns :
AttachmentExtensionMatchesWords :
AttachmentPropertyContainsWords :
ContentCharacterSetContainsWords :
HasSenderOverride : False
MessageContainsDataClassifications :
SenderIpRanges :
SCLOver :
AttachmentSizeOver :
MessageSizeOver :
WithImportance :
MessageTypeMatches :
RecipientAddressContainsWords :
RecipientAddressMatchesPatterns :
SenderInRecipientList :
RecipientInSenderList :
AttachmentContainsWords :
AttachmentMatchesPatterns : {.exe$, .com$, .pif$, .scr$, .vbs$, .cmd$, .bat$, .hta$, .chm$, .cpl$, .
crt$, .csh$, .der$, .hlp$, .inf$, .ins$...}
AttachmentIsUnsupported : False
AttachmentProcessingLimitExceeded : False
AttachmentHasExecutableContent : False
AttachmentIsPasswordProtected : False
AnyOfRecipientAddressContainsWords :
AnyOfRecipientAddressMatchesPatterns :
ExceptIfFrom :
ExceptIfFromMemberOf :
ExceptIfFromScope :
ExceptIfSentTo :
ExceptIfSentToMemberOf :
ExceptIfSentToScope :
ExceptIfBetweenMemberOf1 :
ExceptIfBetweenMemberOf2 :
ExceptIfManagerAddresses :
ExceptIfManagerForEvaluatedUser :
ExceptIfSenderManagementRelationship :
ExceptIfADComparisonAttribute :
ExceptIfADComparisonOperator :
ExceptIfSenderADAttributeContainsWords :
ExceptIfSenderADAttributeMatchesPatterns :
ExceptIfRecipientADAttributeContainsWords :
ExceptIfRecipientADAttributeMatchesPatterns :
ExceptIfAnyOfToHeader :
ExceptIfAnyOfToHeaderMemberOf :
ExceptIfAnyOfCcHeader :
ExceptIfAnyOfCcHeaderMemberOf :
ExceptIfAnyOfToCcHeader :
ExceptIfAnyOfToCcHeaderMemberOf :
ExceptIfHasClassification :
ExceptIfHasNoClassification : False
ExceptIfSubjectContainsWords :
ExceptIfSubjectOrBodyContainsWords :
ExceptIfHeaderContainsMessageHeader :
ExceptIfHeaderContainsWords :
ExceptIfFromAddressContainsWords :
ExceptIfSenderDomainIs :
ExceptIfRecipientDomainIs :
ExceptIfSubjectMatchesPatterns :
ExceptIfSubjectOrBodyMatchesPatterns :
ExceptIfHeaderMatchesMessageHeader :
ExceptIfHeaderMatchesPatterns :
ExceptIfFromAddressMatchesPatterns :
ExceptIfAttachmentNameMatchesPatterns :
ExceptIfAttachmentExtensionMatchesWords :
ExceptIfAttachmentPropertyContainsWords :
ExceptIfContentCharacterSetContainsWords :
ExceptIfSCLOver :
ExceptIfAttachmentSizeOver :
ExceptIfMessageSizeOver :
ExceptIfWithImportance :
ExceptIfMessageTypeMatches :
ExceptIfRecipientAddressContainsWords :
ExceptIfRecipientAddressMatchesPatterns :
ExceptIfSenderInRecipientList :
ExceptIfRecipientInSenderList :
ExceptIfAttachmentContainsWords :
ExceptIfAttachmentMatchesPatterns :
ExceptIfAttachmentIsUnsupported : False
ExceptIfAttachmentProcessingLimitExceeded : False
ExceptIfAttachmentHasExecutableContent : False
ExceptIfAttachmentIsPasswordProtected : False
ExceptIfAnyOfRecipientAddressContainsWords :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride : False
ExceptIfMessageContainsDataClassifications :
ExceptIfSenderIpRanges :
PrependSubject :
SetAuditSeverity :
ApplyClassification :
ApplyHtmlDisclaimerLocation :
ApplyHtmlDisclaimerText :
ApplyHtmlDisclaimerFallbackAction :
ApplyRightsProtectionTemplate :
SetSCL :
SetHeaderName :
SetHeaderValue :
RemoveHeader :
AddToRecipients :
CopyTo :
BlindCopyTo :
AddManagerAsRecipientType :
ModerateMessageByUser :
ModerateMessageByManager : False
RedirectMessageTo :
RejectMessageEnhancedStatusCode : 5.7.1
RejectMessageReasonText : Rejected attachments detected. Your message was not delivered.
DeleteMessage : False
Disconnect : False
Quarantine : False
SmtpRejectMessageRejectText :
SmtpRejectMessageRejectStatusCode :
LogEventText :
StopRuleProcessing : False
SenderNotificationType :
GenerateIncidentReport :
IncidentReportOriginalMail :
IncidentReportContent :
RouteMessageOutboundConnector :
RouteMessageOutboundRequireTls : False
ApplyOME : False
RemoveOME : False
GenerateNotification :
Identity : Executable content 2010
DistinguishedName : CN=Executable content 2010,CN=TransportVersioned,CN=Rules,CN=Transport S
ettings,CN=Alutech-Group-of-Companies,CN=Microsoft Exchange,CN=Services,
CN=Configuration,DC=alutech,DC=local
Guid : 5addae0b-fdd7-4242-bd18-4170899f895d
ImmutableId : 5addae0b-fdd7-4242-bd18-4170899f895d
OrganizationId :
Name : Executable content 2010
IsValid : True
WhenChanged : 12.05.2015 8:01:53
ExchangeVersion : 0.1 (8.0.535.0)
ObjectState : Unchanged
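
To make a dump like the one above easier to review, this added example (not part of the original post) parses pasted `Format-List` text, rejoins console-wrapped values, and keeps only the properties that carry a value. The function names and the shortened sample are constructed for illustration.

```powershell
# Constructed sample in the same shape as the pasted output above,
# including empty properties and one console-wrapped value.
$sample = @'
Priority : 1
DlpPolicy :
Conditions : {AttachmentMatchesPatterns}
Exceptions :
Actions : {RejectMessage}
Mode : Enforce
AttachmentNameMatchesPatterns :
AttachmentExtensionMatchesWords :
AttachmentMatchesPatterns : {.exe$, .com$, .pif$, .
scr$...}
AttachmentHasExecutableContent : False
RejectMessageEnhancedStatusCode : 5.7.1
'@

function ConvertFrom-FormatListText {
    param([Parameter(Mandatory)][string]$Text)
    $props = [ordered]@{}
    $last  = $null
    foreach ($line in ($Text -split "\r?\n")) {
        if ($line -match '^\s*(\w+)\s+:(?:\s(.*))?$') {
            # "Name : value" or "Name :" (empty value)
            $last = $Matches[1]
            $props[$last] = if ($Matches[2]) { $Matches[2] } else { '' }
        }
        elseif ($last -and $line.Trim()) {
            # Heuristic: a line without a "Name :" prefix is the wrapped
            # tail of the previous value, so append it.
            $props[$last] += $line.TrimStart()
        }
    }
    $props
}

function Get-PopulatedRuleProperty {
    param([Parameter(Mandatory)][string]$Text)
    $all = ConvertFrom-FormatListText -Text $Text
    foreach ($name in $all.Keys) {
        $value = $all[$name]
        # Skip empty values and flags that are simply False.
        if ($value -and $value -ne 'False') {
            [pscustomobject]@{ Property = $name; Value = $value }
        }
    }
}

Get-PopulatedRuleProperty -Text $sample | Format-Table -AutoSize -Wrap
```

On the sample, the result lists `AttachmentMatchesPatterns` as the populated condition, while `AttachmentNameMatchesPatterns` and `AttachmentExtensionMatchesWords` drop out because they are empty.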