MariannaCsirmaz asked LucasLiu-MSFT commented

Transport Rule - false positive

Hello,

I have a problem where I set up a transport rule to block xlsm attachments sent to a distribution group; however, at times it blocks pdf-s as well.

I checked the message tracking log and sometimes pdf-s arrive, sometimes not. Each fail contains the transport rule rejection reason.

Exchange version 2016 CU 19

I couldn't find anything more specific, or a debug logging of transport rules.
Could you help explain why such a specific transport rule can result in a false positive? Is there some sort of a bug?

Thank you in advance!

Message tracking:

 RunspaceId              : e939e06b-1823-4dbe-8803-8dafea667cef
 Timestamp               : 4/6/2021 2:46:03 PM
 ClientIp                :
 ClientHostname          : ***
 ServerIp                :
 ServerHostname          :
 SourceContext           : Transport Rule Agent
 ConnectorId             :
 Source                  : AGENT
 EventId                 : FAIL
 InternalMessageId       : 80762565034851
 MessageId               : <AM0PR0402MB3874C11845084391DFF9628C96769@AM0PR0402MB3874.eurprd04.prod.outlook.com>
 NetworkMessageId        : 8e9b967e-b07a-46d7-081f-08d8f8f9f041
 Recipients              : {***}
 RecipientStatus         : {[{LED=550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy};{MSG=};{FQDN=};{IP=};{LRT=}]}
 TotalBytes              : 799707
 RecipientCount          : 1
 RelatedRecipientAddress :
 Reference               :
 MessageSubject          : ***
 Sender                  : ***
 ReturnPath              : ***
 Directionality          : Incoming
 TenantId                :
 OriginalClientIp        :
 MessageInfo             : 2021-04-06T12:46:03.426Z;SRV=***,TOTAL-HUB=0.453|SMR=0.209(SMRDI=0.049(SMREH=0.009(SMREH-Sender Filter
                           Agent=0.007)|SMRED=0.001)|SMRC=0.159(SMRCL=0.159|X-SMRCR=0.156))|CAT-PEN=0.251(CATOS=0.007(CATSM=0.005(CATSM-Unified Group Post Sent Item Routing
                           Agent=0.003))|CATRESL=0.002|CATORES-PEN=0.241(CATRS-PEN=0.241(CATRS-Transport Rule Agent-PEN=0.240)))
 MessageLatency          :
 MessageLatencyType      : None
 EventData               : {[E2ELatency, 0.453], [DeliveryPriority, Normal], [AccountForest, ***]}
 TransportTrafficType    : Email
 SchemaVersion           : 15.01.2176.009

Rule configuration:

 SerializationData                             : {0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0, 0, 0, 0, 0...}
 RunspaceId                                    : e939e06b-1823-4dbe-8803-8dafea667cef
 Priority                                      : 3
 DlpPolicy                                     :
 DlpPolicyId                                   : 00000000-0000-0000-0000-000000000000
 Comments                                      :
 ManuallyModified                              : False
 ActivationDate                                :
 ExpiryDate                                    :
 Description                                   : If the message:
                                                     Is sent to a member of group 'distribution group address'
                                                     and has an attachment with a file extension that matches one of these values: 'xlsm'
                                                 Take the following actions:
                                                     reject the message and include the explanation 'Delivery not authorized, message refused by Transport Rules' with the status code:
                                                 '5.7.1'
    
 RuleVersion                                   : 15.0.1.1
 Conditions                                    : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SentToMemberOfPredicate,
                                                 Microsoft.Exchange.MessagingPolicies.Rules.Tasks.AttachmentExtensionMatchesWordsPredicate}
 Exceptions                                    :
 Actions                                       : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.RejectMessageAction}
 State                                         : Enabled
 Mode                                          : Enforce
 RuleErrorAction                               : Ignore
 SenderAddressLocation                         : Header
 RuleSubType                                   : None
 UseLegacyRegex                                : False
 From                                          :
 FromMemberOf                                  :
 FromScope                                     :
 SentTo                                        :
 SentToMemberOf                                : {*distribution group address*}
 SentToScope                                   :
 BetweenMemberOf1                              :
 BetweenMemberOf2                              :
 ManagerAddresses                              :
 ManagerForEvaluatedUser                       :
 SenderManagementRelationship                  :
 ADComparisonAttribute                         :
 ADComparisonOperator                          :
 SenderADAttributeContainsWords                :
 SenderADAttributeMatchesPatterns              :
 RecipientADAttributeContainsWords             :
 RecipientADAttributeMatchesPatterns           :
 AnyOfToHeader                                 :
 AnyOfToHeaderMemberOf                         :
 AnyOfCcHeader                                 :
 AnyOfCcHeaderMemberOf                         :
 AnyOfToCcHeader                               :
 AnyOfToCcHeaderMemberOf                       :
 HasClassification                             :
 HasNoClassification                           : False
 SubjectContainsWords                          :
 SubjectOrBodyContainsWords                    :
 HeaderContainsMessageHeader                   :
 HeaderContainsWords                           :
 FromAddressContainsWords                      :
 SenderDomainIs                                :
 RecipientDomainIs                             :
 SubjectMatchesPatterns                        :
 SubjectOrBodyMatchesPatterns                  :
 HeaderMatchesMessageHeader                    :
 HeaderMatchesPatterns                         :
 FromAddressMatchesPatterns                    :
 AttachmentNameMatchesPatterns                 :
 AttachmentExtensionMatchesWords               : {xlsm}
 AttachmentPropertyContainsWords               :
 ContentCharacterSetContainsWords              :
 HasSenderOverride                             : False
 MessageContainsDataClassifications            :
 MessageContainsAllDataClassifications         :
 SenderIpRanges                                :
 SCLOver                                       :
 AttachmentSizeOver                            :
 MessageSizeOver                               :
 WithImportance                                :
 MessageTypeMatches                            :
 RecipientAddressContainsWords                 :
 RecipientAddressMatchesPatterns               :
 SenderInRecipientList                         :
 RecipientInSenderList                         :
 AttachmentContainsWords                       :
 AttachmentMatchesPatterns                     :
 AttachmentIsUnsupported                       : False
 AttachmentProcessingLimitExceeded             : False
 AttachmentHasExecutableContent                : False
 AttachmentIsPasswordProtected                 : False
 AnyOfRecipientAddressContainsWords            :
 AnyOfRecipientAddressMatchesPatterns          :
 ExceptIfFrom                                  :
 ExceptIfFromMemberOf                          :
 ExceptIfFromScope                             :
 ExceptIfSentTo                                :
 ExceptIfSentToMemberOf                        :
 ExceptIfSentToScope                           :
 ExceptIfBetweenMemberOf1                      :
 ExceptIfBetweenMemberOf2                      :
 ExceptIfManagerAddresses                      :
 ExceptIfManagerForEvaluatedUser               :
 ExceptIfSenderManagementRelationship          :
 ExceptIfADComparisonAttribute                 :
 ExceptIfADComparisonOperator                  :
 ExceptIfSenderADAttributeContainsWords        :
 ExceptIfSenderADAttributeMatchesPatterns      :
 ExceptIfRecipientADAttributeContainsWords     :
 ExceptIfRecipientADAttributeMatchesPatterns   :
 ExceptIfAnyOfToHeader                         :
 ExceptIfAnyOfToHeaderMemberOf                 :
 ExceptIfAnyOfCcHeader                         :
 ExceptIfAnyOfCcHeaderMemberOf                 :
 ExceptIfAnyOfToCcHeader                       :
 ExceptIfAnyOfToCcHeaderMemberOf               :
 ExceptIfHasClassification                     :
 ExceptIfHasNoClassification                   : False
 ExceptIfSubjectContainsWords                  :
 ExceptIfSubjectOrBodyContainsWords            :
 ExceptIfHeaderContainsMessageHeader           :
 ExceptIfHeaderContainsWords                   :
 ExceptIfFromAddressContainsWords              :
 ExceptIfSenderDomainIs                        :
 ExceptIfRecipientDomainIs                     :
 ExceptIfSubjectMatchesPatterns                :
 ExceptIfSubjectOrBodyMatchesPatterns          :
 ExceptIfHeaderMatchesMessageHeader            :
 ExceptIfHeaderMatchesPatterns                 :
 ExceptIfFromAddressMatchesPatterns            :
 ExceptIfAttachmentNameMatchesPatterns         :
 ExceptIfAttachmentExtensionMatchesWords       :
 ExceptIfAttachmentPropertyContainsWords       :
 ExceptIfContentCharacterSetContainsWords      :
 ExceptIfSCLOver                               :
 ExceptIfAttachmentSizeOver                    :
 ExceptIfMessageSizeOver                       :
 ExceptIfWithImportance                        :
 ExceptIfMessageTypeMatches                    :
 ExceptIfRecipientAddressContainsWords         :
 ExceptIfRecipientAddressMatchesPatterns       :
 ExceptIfSenderInRecipientList                 :
 ExceptIfRecipientInSenderList                 :
 ExceptIfAttachmentContainsWords               :
 ExceptIfAttachmentMatchesPatterns             :
 ExceptIfAttachmentIsUnsupported               : False
 ExceptIfAttachmentProcessingLimitExceeded     : False
 ExceptIfAttachmentHasExecutableContent        : False
 ExceptIfAttachmentIsPasswordProtected         : False
 ExceptIfAnyOfRecipientAddressContainsWords    :
 ExceptIfAnyOfRecipientAddressMatchesPatterns  :
 ExceptIfHasSenderOverride                     : False
 ExceptIfMessageContainsDataClassifications    :
 ExceptIfMessageContainsAllDataClassifications :
 ExceptIfSenderIpRanges                        :
 PrependSubject                                :
 SetAuditSeverity                              :
 ApplyClassification                           :
 ApplyHtmlDisclaimerLocation                   :
 ApplyHtmlDisclaimerText                       :
 ApplyHtmlDisclaimerFallbackAction             :
 ApplyRightsProtectionTemplate                 :
 SetSCL                                        :
 SetHeaderName                                 :
 SetHeaderValue                                :
 RemoveHeader                                  :
 AddToRecipients                               :
 CopyTo                                        :
 BlindCopyTo                                   :
 AddManagerAsRecipientType                     :
 ModerateMessageByUser                         :
 ModerateMessageByManager                      : False
 RedirectMessageTo                             :
 RejectMessageEnhancedStatusCode               : 5.7.1
 RejectMessageReasonText                       : Delivery not authorized, message refused by Transport Rules
 DeleteMessage                                 : False
 Disconnect                                    : False
 Quarantine                                    : False
 SmtpRejectMessageRejectText                   :
 SmtpRejectMessageRejectStatusCode             :
 LogEventText                                  :
 StopRuleProcessing                            : False
 SenderNotificationType                        :
 GenerateIncidentReport                        :
 IncidentReportContent                         :
 RouteMessageOutboundConnector                 :
 RouteMessageOutboundRequireTls                : False
 ApplyOME                                      : False
 RemoveOME                                     : False
 OMEExpiryDays                                 : 0
 GenerateNotification                          :
 Identity                                      : TO <domain>CONTAINS xlsm BLOCK
 DistinguishedName                             : CN=TO <domain> CONTAINS xlsm BLOCK,CN=TransportVersioned,CN=Rules,CN=Transport Settings,CN=...,CN=Microsoft
                                                 Exchange,CN=Services,CN=Configuration,
 Guid                                          : a49971d3-
 ImmutableId                                   : a49971d3-
 OrganizationId                                :
 Name                                          : TO <domain> CONTAINS xlsm BLOCK
 IsValid                                       : True
 WhenChanged                                   : 3/24/2021 10:37:11 AM
 ExchangeVersion                               : 0.1 (8.0.535.0)
 ObjectState                                   : Unchanged





office-exchange-server-administration

LucasLiu-MSFT answered

Hi @MariannaCsirmaz ,
After your email with the pdf-s attachment is rejected, does the non-delivery report also contain the "Delivery not authorized, message refused by Transport Rule" text you set?
Are there any similar transport rules in the Exchange server?

According to my test in a lab environment, I created the same transport rule as you, but I did not succeed in reproducing this issue; I can always successfully receive all emails except those with the attachment type .xlsm.

Please try to add an exception to the transport rule, and send the email again to see if it is delivered successfully. But please note that if we set the exception, when an email contains both PDF-S and xlsm, it will not be rejected.




MariannaCsirmaz answered LucasLiu-MSFT commented

Hello Lucas,

Thank you for your detailed answer.

We made some more investigations with my customer and found out that the sender was ACTUALLY sending 1 pdf and 1 xlsm. It's annoying because they "swore" they sent 2 pdf-s and nothing else :(

Thank you for your time! It might be that the customer will ask me to set the rule up in a way that it'd allow through pdf+xlsm combos and I'd make good use of your idea then.

Kind regards,
Marianna


Hi @MariannaCsirmaz ,
I’m glad that you have found the root cause. It’s good to find out in time : )
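
The checks discussed in this thread, written out as an added Exchange Management Shell example (it is not code from either poster). The rule name is copied from the page with its `<domain>` redaction, and `$reportTo` is a placeholder mailbox that is assumed here.

```powershell
# Added example for the Exchange Management Shell; not code from the thread.
$ruleName = 'TO <domain> CONTAINS xlsm BLOCK'   # rule name as printed on the page (domain redacted there)
$reportTo = 'postmaster@example.com'            # placeholder mailbox (assumption)

# 1. List every enabled rule that rejects mail, to rule out a second, similar
#    rule (the first question asked in the answer).
Get-TransportRule |
    Where-Object { $_.State -eq 'Enabled' -and $_.RejectMessageReasonText } |
    Sort-Object Priority |
    Format-Table Priority, Name, AttachmentExtensionMatchesWords, RejectMessageReasonText -AutoSize

# 2. Pull the rejections written by the Transport Rule Agent in the last 7 days.
#    Tracking records sender, subject and size, but not attachment names.
$fails = Get-TransportService |
    Get-MessageTrackingLog -ResultSize Unlimited -Start (Get-Date).AddDays(-7) -EventId FAIL |
    Where-Object {
        $_.Source -eq 'AGENT' -and
        $_.SourceContext -eq 'Transport Rule Agent' -and
        ($_.RecipientStatus -join ' ') -like '*TRANSPORT.RULES.RejectMessage*'
    }
$fails | Sort-Object Timestamp |
    Format-Table Timestamp, Sender, MessageSubject, TotalBytes, MessageId -AutoSize

# 3. Have the rule send an incident report with the original message attached,
#    so the attachments of the next rejected message can be inspected directly.
Set-TransportRule -Identity $ruleName -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, AttachOriginalMail

# 4. Confirm the change.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, GenerateIncidentReport, IncidentReportContent
```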
