5
Content Filter being bypassed
Question asked by Jason Wilhelm - 12/2/2020 at 9:49 AM
Unanswered
So some email seems to be getting past the content filter and I am not sure why. When I send a test using some of the criteria it gets flagged as it is supposed to. Can anyone throw some thoughts my way?

Attached is a screenshot of one of the emails that made it past the content filter. It is supposed to trigger on the emoji lips (💋). As mentioned when I send a test email it does get caught.

This is one of those emails that come in and do not have an address in the TO: area but do have X-Rcpt-To in the source.

Below is a portion of the email source, I tried to pull out any identifiable info.

Return-Path: <annahxxxxxx4654@outlook.com>
Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-oln040092253101.outbound.protection.outlook.com [40.92.253.101]) by mail.notmyserver.com with SMTP;
   Wed, 2 Dec 2020 03:47:27 -0900
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=fmE1V3vpE3M1BzOPBEwoi2s1plaWh8gfuXH+q1UkYmZWbt40gUioAakZCccolw33GXHd4pkZdduR/yxOEHx3LJkJkxSFfVydL2OHmKajLBmS/V8nzPAogGGqL9n6o8hnDjrzP19BIBs9+xkh4lrOEX75AkdgwWTyQ9MJ68fTqLgpQOpiXY4TPN4pticbu8p43PITQ/yErVXBph7WGmivuyKbfTwMqp+fU13/0srfzfDzTwoEQclAxhQVJL3AyQyY3+pkMQhSK/cEuszx8dlPi9Ql+8BA1Ow4wxowWvkU+qfCILv/GNoiimT7VvT1iJOCwayi1NFSZCT2jfJE5rDJUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=SfaIN8syfWPcc1MtDFx72OGRemmbmw79xroeeV/w2VE=;
 b=WdQfNbkABR3cFSC5LpUGphJ+0hM0gsjwWZXTifSG8GrIIOl+rUOtK3Z4GI+pxEQ8JoeHsFM6X9Xndoc83q5X+Udbhivt3xffC97kEhnmQCbphjwGQuhFqZcP1SJM+6fcyN8T7aqil6n/4Qs3Bj+bdd29YgafDCM5cz3+xieuH8SsLDFk/GfP+11NDMmSPbbDEtGKycXaNHQrzvID0Es176B/tvTFEXr84P4FCtgJiRAStMnayHxeEYRSGCvtVtOvjZhssDjHGYWi1KWxhIuSjsLchqbe8+h4/bx2T1y0OQIyA4jsjWjLiV/qT5jn2giXGq2ABRLvB4e+hi88LnXcUA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=SfaIN8syfWPcc1MtDFx72OGRemmbmw79xroeeV/w2VE=;
 b=ZBeytLJ/NtpdAexQHY+8GbpefGsbK6QSvykOtnQldJkkZ9PK1aJZbQ/xSAsJEyhAPCpwhgsPIGQMb7uLHjKaRixVy8po3zPacWJlYI9M/EtY1jcA7eEZwQ99KAsaKZV6NRlsIcahRUxoWBcraQ+8HeNvEFkIZll8v+5B8zRxILYE5LBE1x6pDzi0ypurSV7w5j99gArCDQRgnXeVhCBpvhmUjWPGQVZnZIjKUPLF+LfGtb6+oMSflj6VJ+4I+wNMjttPoKD7tQMhg4VK7I0G94uvK3la+h9/YiuPKNQbwtQjcaDrbIXauWjnbcmt7bvJphz6cbMi8O2T//kH/Vhz0g==
Received: from PU1APC01FT064.eop-APC01.prod.protection.outlook.com
 (2a01:111:e400:7ebe::42) by
 PU1APC01HT190.eop-APC01.prod.protection.outlook.com (2a01:111:e400:7ebe::457)
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.23; Wed, 2 Dec
 2020 12:43:58 +0000
Received: from SG2PR06MB2966.apcprd06.prod.outlook.com
 (2a01:111:e400:7ebe::49) by PU1APC01FT064.mail.protection.outlook.com
 (2a01:111:e400:7ebe::326) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.17 via Frontend
 Transport; Wed, 2 Dec 2020 12:43:58 +0000
Received: from SG2PR06MB2966.apcprd06.prod.outlook.com
 ([fe80::2031:eaf8:bcaa:54e6]) by SG2PR06MB2966.apcprd06.prod.outlook.com
 ([fe80::2031:eaf8:bcaa:54e6%6]) with mapi id 15.20.3632.017; Wed, 2 Dec 2020
 12:43:58 +0000
From: Hannah nah <andsnaxxh4654@outlook.com>
Subject: 
Thread-Index: AQHWyKjIuxRxqEONJUS2wmMG69Tcbg==
Date: Wed, 2 Dec 2020 12:43:58 +0000
Message-ID: <SG2PR06MB2966062C660B7EF3EB955272B7F30@SG2PR06MB2966.apcprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-incomingtopheadermarker: OriginalChecksum:E52DD37863DA384DE3CB938F4C2CC3F5A6DBEC5E7E0A882C1BD18C4F6854FE22;UpperCasedChecksum:A38AC1366B0B49AE7E31D345E7078B789D1C50E0C44F155CC2771F1B5D79B642;SizeAsReceived:19638;Count:39
x-tmn: [5AKk9ND/0NizLsSpbJshAkUW6Hm7tuS9RDkh1lpD0TI=]
x-ms-publictraffictype: Email
x-incomingheadercount: 39
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: fde30973-79b2-47da-111e-08d896bff026
x-ms-exchange-slblob-mailprops: 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
x-ms-traffictypediagnostic: PU1APC01HT190:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7lrGXJ0Zjsqk2jbIKEWo2EUjQOBBb/9bFTJTmLvriKfYEYlLuXk4hsvP2deWFHLhOZLLFS+l22y/CTGFgQctd9CLAXV0C280RXJWCbyGi9CrT1WylDka6TLzhZ3rsgVkAwewRGhqVm7d2K3olCveJ26yff/HeRXkRvvGWfgwmMManRapv/ndsbB7lZxT7uErqrDhR/SUWQjWK0ZFJqr8FMe+8ounkERS9zSfRl9DkH7Cad7f78sS6epzoMXWMRNV
x-ms-exchange-antispam-messagedata: W5RL4gIBo/lSN4nElDtYJ/6VgnvO4zbZlVwLSkkT0000QMQ4JEGp1iEjfUuIu7Ndxvzj0JiQZqz7521tpm5SOd+znTsy2hr9whnZ4+HkVzq+040knMS/RlpQgYUwE7122VaFO9yi1oqPnEU7Wfhvag==
x-ms-exchange-transport-forked: True
Content-Type: multipart/mixed;
    boundary="_006_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-AuthSource: PU1APC01FT064.eop-APC01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: fde30973-79b2-47da-111e-08d896bff026
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2020 12:43:58.3522
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PU1APC01HT190
X-Rcpt-To: <jason@notmyserver.com>
X-SmarterMail-Spam: Cyren [Unknown]: 0, Message Sniffer [code:0]: 0, ISpamAssassin [raw:0]: 1, SPF [Pass]: -2, DKIM [Pass]: -2
X-SmarterMail-SpamDetail: 0.0 MIME_BASE64_TEXT Message text disguised using base64 encoding
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE HTML included in message
X-SmarterMail-SpamDetail: 0.9 MISSING_HEADERS Missing To: header
X-SmarterMail-SpamDetail: 0.0 T_IMAGE_MISMATCH Contains wrong image format for MIME header
X-CTCH-RefId: str=0001.0A742F1E.5FC78CE4.0001,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: -3

--_006_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_
Content-Type: multipart/alternative;
    boundary="_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_"

--_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

SGVsbG8gRGVhci4uLg0KDQpDYW4gaSBtZWV0IHlvdS7wn5iNIElmIHlvdSByZWFsbHkgd2FudCB0
byBoYXZlIGZ1biB3aXRoIG1lLg0KDQooIENvbnRhY3QgbWUgPGh0dHBzOi8vc2l0ZXMuZ29vZ2xl
LmNvbS92aWV3L21pbGZzLXVubGltaXRlZC1leGNsdXNpdmUteC9ob21lPiAp8J+SiyBJ4oCZbSBP
bmxpbmUgTm934oCm4oCm4oCmLj8/Pw0KDQo=

--_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

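To make concrete what is visible in that source, here is an added example: a toy filter chain in Python written for this thread, not SmarterMail's code, and it makes no claim about how SmarterMail's domain filters are actually implemented. It shows three things a filter author can check. The text body is base64-encoded, so a match on the raw source never sees the UTF-8 bytes of 💋, while decoding each MIME part before matching does. The message has no To: header, so the recipient's domain has to be taken from the envelope recipient (carried here as X-Rcpt-To). And filters run top down with first match winning, so a filter at the bottom of the list is skipped whenever an earlier one acts. The sample message, addresses and filter names are constructed for the example.

```python
"""Toy content-filter chain, written as an illustration for this thread.
Not SmarterMail code; the filter names and behaviour are assumptions."""
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Callable, List, Optional

LIPS = "\U0001F48B"  # the lips emoji the domain filter in the question is meant to catch


def build_sample_message() -> bytes:
    """Construct a message shaped like the one in the question: no To: header,
    recipient only in X-Rcpt-To, text body base64-encoded. Addresses and
    wording are made up for this example."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "Example Sender <sender@example.net>"
    msg["X-Rcpt-To"] = "<user@example.com>"
    msg.set_content(f"Hello Dear...\n\nCan I meet you? {LIPS} I'm online now.", cte="base64")
    return msg.as_bytes()


def parse_message(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


def raw_source_contains(raw: bytes, term: str) -> bool:
    """What a filter sees if it matches on the undecoded source: the UTF-8
    bytes of the emoji never occur inside a base64-encoded body."""
    return term.encode("utf-8") in raw


def decoded_text(msg: EmailMessage) -> str:
    """Decode every text/* part (transfer encoding and charset) so the term
    match runs over what the recipient actually reads."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        chunks.append(part.get_content())
    return "\n".join(chunks)


def recipient_domain(msg: EmailMessage) -> Optional[str]:
    """Domain whose filters apply. The message in the question has no To:,
    so the envelope recipient (X-Rcpt-To here) is consulted first."""
    for header in ("X-Rcpt-To", "To"):
        value = msg[header]
        if value:
            addr = parseaddr(str(value))[1]
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower()
    return None


@dataclass
class DomainFilter:
    name: str
    domain: str
    matches: Callable[[EmailMessage, str], bool]  # (parsed message, decoded text)


# Evaluated top down: the first filter that matches acts and the rest are skipped.
FILTERS: List[DomainFilter] = [
    DomainFilter("big-attachment", "example.com",
                 lambda m, t: m.get("X-MS-Has-Attach", "").lower() == "yes"),
    DomainFilter("lips-emoji", "example.com", lambda m, t: LIPS in t),
]

# A filter that acts on the missing To: header; placed above the others it
# would take the message before the lips-emoji filter ever runs.
MISSING_TO = DomainFilter("missing-to", "example.com", lambda m, t: m["To"] is None)


def run_filters(raw: bytes, filters: List[DomainFilter]) -> str:
    """Name of the first matching filter for the recipient's domain, or
    "None" (mirroring "Filter: None" in the delivery log)."""
    msg = parse_message(raw)
    domain = recipient_domain(msg)
    text = decoded_text(msg)
    for f in filters:
        if f.domain == domain and f.matches(msg, text):
            return f.name
    return "None"


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw source contains lips:", raw_source_contains(raw, LIPS))            # False
    print("decoded text contains lips:", LIPS in decoded_text(parse_message(raw)))  # True
    print("recipient domain:", recipient_domain(parse_message(raw)))              # example.com
    print("filter chain:", run_filters(raw, FILTERS))                            # lips-emoji
    print("earlier filter acting:", run_filters(raw, [MISSING_TO] + FILTERS))    # missing-to
```

The useful diagnostic is the first two lines of output: if your own test mail is caught but this kind of message is not, compare how the two are encoded on the wire (the SpamDetail line MIME_BASE64_TEXT is the hint in the source above) and confirm whether the filter matches before or after the body is decoded.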
6 Replies

0
Derek Curtis Replied
Employee Post
Have you checked the delivery log for the message, to see how SmarterMail handled it? Like, see if another content filter did something first? Remember, content filters work top down: so if one filter interacts with a message, any other filter will be bypassed. Just a thought...
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
0
Jason Wilhelm Replied
Derek,
Good morning. Below is the delivery log info for the email. I do not believe a filter touched it.


[2020.12.02] 03:47:27.609 [47825] Delivery started for annxxxah4654@outlook.com at 3:47:27 AM
[2020.12.02] 03:47:33.672 [Cyren Client] Start Scanning Message. Enabled Services: All, MailFrom: annxxxah4654@outlook.com, SenderIP: 40.92.253.101, MessagePath: f:\SmarterMail\Spool\SubSpool5\64347825.eml
[2020.12.02] 03:47:36.610 [47825] Delivery for annxxxah4654@outlook.com to me@myemail.com has completed (Delivered) Filter: None
[2020.12.02] 03:47:39.611 [47825] Delivery finished for annxxxah4654@outlook.com at 3:47:39 AM    [id:64347825]
0
Derek Curtis Replied
Employee Post
Just to be sure, you can move that content filter to the top of your list. Also, how is the filter set up? What are the conditions? Is it a user filter or a domain filter? 
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
1
Michael Replied
0
Jason Wilhelm Replied
Derek,
Thanks. I am attaching some screenshots for your questions.
  • Filter is on the domain.
  • We have a few filters set up; this one is at the bottom of the list.
  • We have the filter set up so that if there is a match to specific terms it reroutes the email to a special box we monitor for manual review.

5
Michael Replied
Right, it seems you're using domain-level filters.

We have an open support ticket on this also. We're told it's in the queue but not being worked on yet. Bummer, but we hope it can get a fix. We're holding on upgrading until this is done.

My guess is many others are also affected, but aren't realizing it yet.
