
A loose spam filter lets unwanted mail in, resulting in false negatives, while one that is too tight results in false positives, i.e. genuine email getting caught as spam. Given how quickly spam messages change, finding the right balance in a larger environment is not something to expect. Exchange Transport Rules (ETR) are the tool in EOP for fine-tuning this. This third post in the series is about ETR.

An ETR takes the defined action(s) on messages that match the defined condition(s) but do not match an exception condition. From header matches to content matches within attachments, from increasing or decreasing the spam score of an email to encrypting a mail with RMS or O365 message encryption, ETR provides endless capability and flexibility.

 

New-TransportRule -Name ETR1 -SubjectOrBodyMatchesPatterns "this is spam" -SetSCL 5 -SetHeaderName X-check-header -SetHeaderValue "Because of ETR1" -ExceptIfSentTo prasanta@pkpnotes.com

Every transport rule is uniquely identified by its GUID.

Get-TransportRule "ETR1" | select guid

Guid

----

550e75f3-53e6-44c9-8374-17ert370d41b0

Historical search, which will be covered in the next post, gives details about how a message was processed inside EOP. The report contains the GUID of the transport rule, if any, that was applied. However, setting a custom X-header and value as part of the transport rule action makes it quick and easy to identify the rule by looking at the message header.

Transport rules are applied one after another, in Priority order. The order can be changed by moving rules up or down. The importance of the order can be explained with the scenario below.

There is a rule to whitelist mail from certain senders by setting the SCL value to -1. Next there is a rule that checks email for SPF soft fail and sets the SCL to 5, so that it is detected as spam. A message from a sender matching the first rule would still land in the spam category if the SPF record check fails for that domain. Worse would be the case where a message that is supposed to be blocked gets through. One option is to use "stop processing more rules", telling EOP to stop at that ETR and move on to the content filter.
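The ordering scenario above, written out as an added example that is not part of the original post. The rule names, the domain partner.example and the Authentication-Results match used to detect SPF soft fail are assumptions, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example. Rule names, domain and header value are placeholders.

# Rule 1 (priority 0): whitelist a known sender domain, tag the message,
# and stop evaluating later rules so rule 2 cannot overwrite the SCL.
New-TransportRule -Name 'Allow-Partner' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -SenderDomainIs 'partner.example' `
    -SetSCL -1 `
    -SetHeaderName 'X-check-header' `
    -SetHeaderValue 'Because of Allow-Partner' `
    -StopRuleProcessing $true

# Rule 2 (priority 1): raise the SCL for external mail with SPF soft fail.
# Assumption: soft fail is detected from the Authentication-Results header.
New-TransportRule -Name 'SPF-SoftFail' `
    -Priority 1 `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'spf=softfail' `
    -SetSCL 5 `
    -SetHeaderName 'X-check-header' `
    -SetHeaderValue 'Because of SPF-SoftFail'

# Review the evaluation order and which rules halt further processing.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, StopRuleProcessing -AutoSize
```

With stop processing set on the first rule, mail matching the whitelisted domain never reaches the SPF rule, so which of the two rules holds the lower priority number decides the outcome for a soft-failing message from that domain.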

Maintaining ETRs in the browser becomes challenging once conditions such as sender or recipient lists grow bigger; PowerShell is the recommended and easier way. Here is an example of updating an ETR that has a few exceptions for sender domains. One more domain needs to be added to the list.

Get the current excepted domain list of the rule into a variable: $myETR=(Get-TransportRule ETR1).ExceptIfSenderDomainIs

Add the pkpnotes.com domain to the list: $myETR.add("pkpnotes.com")

Update the rule with the new list: Set-TransportRule ETR1 -ExceptIfSenderDomainIs $myETR

 

Like the content filter in the last post, ETR also provides the flexibility to apply a rule only to a selected set of users or groups. In addition, it provides the option to limit the scope to internal or external mail. Many ETRs are there to filter spam, and keeping their scope to outside mail ensures internal mail is not subject to the ETR action.

Because the content filter comes after ETR, the user's safe sender and blocked sender lists are still taken into account. If you have an ETR that sets the spam score to 5 for a certain subject, users who have the sender in their safe sender list would still get the mail in their inbox.

 

 

 

 

2 Replies to “EOP Part3”

  1. Great post from Masterpiece!!

  2. Definitely, what a splendid website and illuminating posts, I definitely will bookmark your blog. All the Best!
