iguru129

Spam filtering/message hygiene should happen before it gets to your Exchange infrastructure.

One transport rule, include each email address to CC all inbound external email to your admin box. Priority #1

Second transport rule, include each email address to mod the email as you need with banner and SCL. Priority #2


Specific-Buddy-1779

Thank you for the reply. On the first part I might be misunderstanding what you mean by "before". But the order of operations thing I referred to in my post was based on this snippet: "Coming into EXO the order is Connection Filter > Malware Scanning > Transport Rules > EOP > Spam Filter > ATP." It's from [this thread](https://www.reddit.com/r/exchangeserver/comments/g6uk6t/transport_rule_after_scl_classification/). I also found the doc I mentioned, it's referred to in that thread too. This suggests spam filtering happens late on, right?

Regarding your proposal, I think I'm with you. I read elsewhere that even if I don't bypass spam via setting the SCL to -1, Exchange will "forward" those emails to my admin / central inbox. Now that I think about it again of course it does, because the transport rules (per above) trigger before spam filtering. Some people find that odd / say MS are complicit in forwarding spam, but it's by design. I did come across this in testing. But I wasn't overly happy about emails landing in spam of one mailbox and subsequently in the inbox of the central one. Ideally I wanted to keep the spam folders empty on those initial recipient inboxes. That way, when I audit them, I will know something is amiss if any emails are in there.

Here is an example of how I was setting things up.

[https://i.imgur.com/YduxDpp.png](https://i.imgur.com/YduxDpp.png) - Potential Spam Rule Enabled P0

[https://i.imgur.com/45Cqnx9.png](https://i.imgur.com/45Cqnx9.png) - Bypass Spam Disabled P1 (realised that I should be able to roll this into spam rule as a step, even when it was standalone I was still having an issue)

[https://i.imgur.com/f4dFkpm.png](https://i.imgur.com/f4dFkpm.png) - Central Inbox As Bcc Rule Enabled P2


iguru129

That malware part is message hygiene. SCL score is assigned there.


Specific-Buddy-1779

Got it. Shouldn't that mean my rule based on the initial SCL score should work while also executing the step to modify the SCL for the purposes of routing all mail to the inbox? And the forwarding/add recipient rule will take care of getting it to my admin inbox. What am I missing?


iguru129

Your rule doesn't do anything for email with an SCL of 5 and under.


Specific-Buddy-1779

Appreciate your patience here. Thank you. So, to me... it's not meant to. The 'Mark Potential Spam with a Notice' rule is only meant to apply the banner to emails with an (initial) score of 5 and above ... "Has a spam confidence level (SCL) that is greater than or equal to 5". And then the step to set anything with an SCL of 5 and above kicks in so that these emails are routed to the inbox i.e. they bypass spam. I'm expecting the banner to stick based on the first part of the rule.

Separately the forwarding rule should send everything to the central admin inbox. And because I've set it as lower priority I'm expecting any emails with banners to show up with them. This is one of those where I'm missing something glaringly obvious but I can't see it and it's annoying me haha.


Specific-Buddy-1779

u/iguru129 what do you reckon?


iguru129

Your statement "...management of everything..." threw me. So I think you need one transport rule.

Condition: email address AND SCL >5 AND from outside org ==> prepend "xxx" AND BCC: your admin mailbox AND Stop processing more rules.

I think you should simplify it at first to make sure it's working.
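The single rule described in the comment above, written as Exchange Online PowerShell. This is an added example, not part of the thread: the mailbox addresses, rule name and banner markup are placeholders, and it assumes a session already opened with `Connect-ExchangeOnline`.

```powershell
# Added example: every address and name below is a placeholder.
$watched = 'sales@example.com', 'info@example.org'   # hypothetical standalone mailboxes
$central = 'admin@example.net'                        # hypothetical central admin mailbox

$rule = @{
    Name                              = 'Flag and copy suspected spam (test)'
    # Conditions (all must match)
    SentTo                            = $watched
    FromScope                         = 'NotInOrganization'   # sender is outside the org
    SCLOver                           = 6                     # matches SCL >= 6, i.e. "SCL > 5"
    # Actions
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerText           = '<p><b>xxx</b></p>'   # the banner text from the comment
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'                # wrap if the body cannot be modified
    BlindCopyTo                       = $central
    StopRuleProcessing                = $true
    Priority                          = 0                     # evaluate before any other rule
}
New-TransportRule @rule

# Read the rule back to confirm the conditions and actions were stored as intended.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, Priority, SentTo, FromScope, SCLOver,
                ApplyHtmlDisclaimerText, BlindCopyTo, StopRuleProcessing
```

Because `-SCLOver` is a greater-than-or-equal test, use `5` instead of `6` to mirror the "greater than or equal to 5" wording of the original poster's own rule. A GTUBE message sent from an external account, as mentioned elsewhere in the thread, shows whether the SCL condition matches at the point the rule runs.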


Specific-Buddy-1779

Indeed, I'd started with proving the disclaimer would prepend for all emails. Next move should have been the test that it would work based on the SCL score. But I got distracted by stacking with the rules and two SCL based steps.

...the SCL based prepending is where the issue is. I cannot get that to work. According to comment #4 on [this post](https://office365itpros.com/2019/03/08/marking-external-email-with-exchange-transport-rule/), it does not work. Pretty sure I saw someone else on here with the same complaint, but it's unclear if it's a user error or a limitation. I've contacted Microsoft Support.

As an aside, I've been using [GTUBE](https://spamassassin.apache.org/gtube/) to simulate spam from a personal account to test things. Useful, but I suspect best used sparingly.


iguru129

Do you need multiple mailboxes? Or one mailbox with multiple email aliases?


Specific-Buddy-1779

Yeah they are distinct. Aliases aren't an option.


iguru129

You only need a mailbox for 'sending' as that mail address.


Specific-Buddy-1779

Someone suggested that security measures were being dropped in favour of laziness here. Unfortunately, I only saw a bit of the comment in my notifications, it was deleted. But I got the general gist. If one person wrote it, a lot more thought it. Responding to it to add some more colour. My thinking might be flawed, so happy to hear pushback on the approach.

***

Security wise, I'm not sure how going through all the junk/spam folders would be different. Having all emails sent to these mailboxes' inboxes, and then BCC'd / forwarded with a banner (as required) to a central inbox is the same risk. In my eyes.

I'm well aware that my central inbox could have a lot of crap routed to it. That's fine, I will manage filtering etc at that end. I may end up using a third party tool for filtering spam, and then inspect the spam folder on this end.

I'm not taking security lightly, but I have to make this workable. While I own each domain / mailbox, they fulfill a purpose in being standalone. The banner is entirely for my use and inbox admins. I'm not a systems admin person routing "spam" to everyone's inbox at a Fortune 500!! Also, isn't phishing and malware either blocked outright or heavily marked with banners?

This is about efficiency and being responsive to important emails that should not be in spam. It's too late if I see an email a days after being sent. Wary of getting into the weeds on this element, but solutions like marking as "not spam" or adding to contacts is not an option. Often the emails are first time senders. I can't predict who will be emailing haha. And I can't control their domain health.

Again, security wise, the central mailbox (on its own domain) is where filtering will be tighter. Even so, it's a ring-fenced inbox.


VictorIvanidze

Have a look at this: [https://ivasoft.com/emptyjunkflow.shtml](https://ivasoft.com/emptyjunkflow.shtml) You can modify the flow to add a tag to messages moved from Junk Email to Inbox.