Tuesday, 8 March 2011

Emails from "Microsoft Exchange" classed as "Outside the organization" in Transport Rules

It appears that emails from the built-in "Microsoft Exchange" system sender in Exchange 2007 are classed as "Outside the organization" by the Exchange Transport Rule sender-scope condition. Here's how I discovered the issue and was able to work around it:

It's quite common at the moment for phishers to send "Your mailbox is almost full" type messages, asking users to click on a link and ultimately compromising their email accounts. One of the methods our organization uses to block such messages is an Exchange Transport Rule that matches such subject lines and redirects the emails to a monitored mailbox, but for external senders only.

I don't normally look after this system, but I checked the monitored mailbox this morning and found it was full of genuine "Your mailbox is almost full" messages from the "Microsoft Exchange" sender. Numerous users won't have received this warning and will potentially hit their quota and be unable to send emails in the next few days.

My first port of call was to check that the Transport Rule was set to only apply to external senders, or as Microsoft put it "from users Outside the organization", which it was. My assumption, therefore, is that the "Microsoft Exchange" sender is classed as external because it has no real mailbox and so is never an authenticated internal sender.

Comparing the message headers from a genuine "Microsoft Exchange" email and a phish email, I noticed the genuine email is automatically stamped by Exchange with a spam confidence level (SCL) of -1, the value Exchange uses for messages it trusts:

X-MS-Exchange-Organization-SCL: -1

I added this as an exception to the Transport Rule using "except when a message header contains specific words", with X-MS-Exchange-Organization-SCL as the message header and -1 as the word. This is only safe because Exchange strips X-MS-Exchange-Organization-* headers from mail arriving over a Receive connector that does not grant the ms-Exch-Accept-Headers-Organization extended right, which is the default for anonymous SMTP from the Internet; if that right has been granted to anonymous senders, a phisher could stamp the header themselves and walk straight through the exception, so check the connector permissions before relying on it.

Messages that match the subject line but come from "Microsoft Exchange" now reach their intended recipients, while external messages with the same subject are still redirected.
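The same rule built from the Exchange Management Shell, as an added example rather than the rule from the original post: it creates the subject/external-sender rule with the SCL -1 header exception, then checks that no Receive connector lets anonymous senders supply organization headers. The rule name, subject phrases, and the "phish-quarantine" mailbox are assumptions for illustration; the cmdlets and predicate names are those of Exchange 2007.

```powershell
# Added example (not from the original post): Exchange 2007 Management Shell.
# Rule: redirect "mailbox full" phish from outside the organization to a
# monitored mailbox, except when Exchange itself has stamped SCL -1.

# Condition 1: subject contains the phrases phishers use (assumed list).
$SubjectCond = Get-TransportRulePredicate SubjectContains
$SubjectCond.Words = @("mailbox is almost full", "mailbox is full", "mailbox quota")

# Condition 2: only senders outside the organization (unauthenticated).
$ScopeCond = Get-TransportRulePredicate FromScope
$ScopeCond.Scope = "NotInOrganization"

# Exception: header X-MS-Exchange-Organization-SCL contains the word "-1".
# Exchange stamps this on its own system messages (e.g. quota warnings).
$SclException = Get-TransportRulePredicate HeaderContains
$SclException.MessageHeader = "X-MS-Exchange-Organization-SCL"
$SclException.Words = @("-1")

# Action: redirect to the monitored mailbox (assumed name "phish-quarantine").
$Redirect = Get-TransportRuleAction RedirectMessage
$Redirect.Addresses = @((Get-Mailbox "phish-quarantine"))

New-TransportRule -Name "Block external mailbox-full phish" `
    -Conditions @($SubjectCond, $ScopeCond) `
    -Exceptions @($SclException) `
    -Actions @($Redirect) `
    -Priority 0

# Check the assumption the exception relies on: anonymous senders must NOT
# hold ms-Exch-Accept-Headers-Organization on any Receive connector, or a
# phisher could supply the SCL -1 header themselves. Any output here means
# the exception can be bypassed and that permission should be removed.
Get-ReceiveConnector | ForEach-Object {
    Get-ADPermission -Identity $_.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-Accept-Headers-Organization" -and -not $_.Deny } |
        Select-Object @{n="Connector";e={$_.Identity}}, User, ExtendedRights
}
```

Run the permission check on every Hub and Edge server that accepts Internet mail; if it prints anything, the exception is only as strong as that connector's configuration, and removing the right (Remove-ADPermission with the same identity and user) restores the default of stripping organization headers from anonymous mail.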