5
Content Filter being bypassed
Question asked by Jason Wilhelm - 12/2/2020 at 9:49 AM
Unanswered
So some email seems to be getting past the content filter and I am not sure why. When I send a test using some of the criteria it gets flagged as it is supposed to. Can anyone throw some thoughts my way?

Attached is a screenshot of one of the emails that made it past the content filter. It is supposed to trigger on the emoji lips (💋). As mentioned when I send a test email it does get caught.

This is one of those emails that come in and to not have an address in the TO: area but does have X-Rcpt-To in the source.

Below is a portion of the email source, I tried to pull out any identifiable info.

Return-Path: <annahxxxxxx4654@outlook.com>

Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-oln040092253101.outbound.protection.outlook.com [40.92.253.101]) by mail.notmyserver.com with SMTP;

   Wed, 2 Dec 2020 03:47:27 -0900

ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;

 b=fmE1V3vpE3M1BzOPBEwoi2s1plaWh8gfuXH+q1UkYmZWbt40gUioAakZCccolw33GXHd4pkZdduR/yxOEHx3LJkJkxSFfVydL2OHmKajLBmS/V8nzPAogGGqL9n6o8hnDjrzP19BIBs9+xkh4lrOEX75AkdgwWTyQ9MJ68fTqLgpQOpiXY4TPN4pticbu8p43PITQ/yErVXBph7WGmivuyKbfTwMqp+fU13/0srfzfDzTwoEQclAxhQVJL3AyQyY3+pkMQhSK/cEuszx8dlPi9Ql+8BA1Ow4wxowWvkU+qfCILv/GNoiimT7VvT1iJOCwayi1NFSZCT2jfJE5rDJUQ==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;

 s=arcselector9901;

 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

 bh=SfaIN8syfWPcc1MtDFx72OGRemmbmw79xroeeV/w2VE=;

 b=WdQfNbkABR3cFSC5LpUGphJ+0hM0gsjwWZXTifSG8GrIIOl+rUOtK3Z4GI+pxEQ8JoeHsFM6X9Xndoc83q5X+Udbhivt3xffC97kEhnmQCbphjwGQuhFqZcP1SJM+6fcyN8T7aqil6n/4Qs3Bj+bdd29YgafDCM5cz3+xieuH8SsLDFk/GfP+11NDMmSPbbDEtGKycXaNHQrzvID0Es176B/tvTFEXr84P4FCtgJiRAStMnayHxeEYRSGCvtVtOvjZhssDjHGYWi1KWxhIuSjsLchqbe8+h4/bx2T1y0OQIyA4jsjWjLiV/qT5jn2giXGq2ABRLvB4e+hi88LnXcUA==

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;

 dkim=none; arc=none

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;

 s=selector1;

 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;

 bh=SfaIN8syfWPcc1MtDFx72OGRemmbmw79xroeeV/w2VE=;

 b=ZBeytLJ/NtpdAexQHY+8GbpefGsbK6QSvykOtnQldJkkZ9PK1aJZbQ/xSAsJEyhAPCpwhgsPIGQMb7uLHjKaRixVy8po3zPacWJlYI9M/EtY1jcA7eEZwQ99KAsaKZV6NRlsIcahRUxoWBcraQ+8HeNvEFkIZll8v+5B8zRxILYE5LBE1x6pDzi0ypurSV7w5j99gArCDQRgnXeVhCBpvhmUjWPGQVZnZIjKUPLF+LfGtb6+oMSflj6VJ+4I+wNMjttPoKD7tQMhg4VK7I0G94uvK3la+h9/YiuPKNQbwtQjcaDrbIXauWjnbcmt7bvJphz6cbMi8O2T//kH/Vhz0g==

Received: from PU1APC01FT064.eop-APC01.prod.protection.outlook.com

 (2a01:111:e400:7ebe::42) by

 PU1APC01HT190.eop-APC01.prod.protection.outlook.com (2a01:111:e400:7ebe::457)

 with Microsoft SMTP Server (version=TLS1_2,

 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.23; Wed, 2 Dec

 2020 12:43:58 +0000

Received: from SG2PR06MB2966.apcprd06.prod.outlook.com

 (2a01:111:e400:7ebe::49) by PU1APC01FT064.mail.protection.outlook.com

 (2a01:111:e400:7ebe::326) with Microsoft SMTP Server (version=TLS1_2,

 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.17 via Frontend

 Transport; Wed, 2 Dec 2020 12:43:58 +0000

Received: from SG2PR06MB2966.apcprd06.prod.outlook.com

 ([fe80::2031:eaf8:bcaa:54e6]) by SG2PR06MB2966.apcprd06.prod.outlook.com

 ([fe80::2031:eaf8:bcaa:54e6%6]) with mapi id 15.20.3632.017; Wed, 2 Dec 2020

 12:43:58 +0000

From: Hannah nah <andsnaxxh4654@outlook.com>

Subject: 

Thread-Index: AQHWyKjIuxRxqEONJUS2wmMG69Tcbg==

Date: Wed, 2 Dec 2020 12:43:58 +0000

Message-ID: <SG2PR06MB2966062C660B7EF3EB955272B7F30@SG2PR06MB2966.apcprd06.prod.outlook.com>

Accept-Language: en-US

Content-Language: en-US

X-MS-Has-Attach: yes

X-MS-TNEF-Correlator: 

x-incomingtopheadermarker: OriginalChecksum:E52DD37863DA384DE3CB938F4C2CC3F5A6DBEC5E7E0A882C1BD18C4F6854FE22;UpperCasedChecksum:A38AC1366B0B49AE7E31D345E7078B789D1C50E0C44F155CC2771F1B5D79B642;SizeAsReceived:19638;Count:39

x-tmn: [5AKk9ND/0NizLsSpbJshAkUW6Hm7tuS9RDkh1lpD0TI=]

x-ms-publictraffictype: Email

x-incomingheadercount: 39

x-eopattributedmessage: 0

x-ms-office365-filtering-correlation-id: fde30973-79b2-47da-111e-08d896bff026

x-ms-exchange-slblob-mailprops: gYnnzhvmiKoP9h9mebEoqktnCH1VRH8M47bzoUlMalvuklrTpJ09RBxIB9vgAcv/Z1cV2SOjLrWs4v+eqaRUtB7dFXiCmFwC7Li2EOt32bPGExiuM6GgAe+oV8Wwd8Nf/iHyhN9W8vKyLLqxI7g9JUjueS/KMsoMOpN5PpV3fX7iW5WXi/8wP835gEsBVSUfqJ2qnkPv0lGYSZ3NSPC8Ak67DvCqdRB1SnKh5wqPwO7NQYyZvPU/hjlXs1fmNOZ2JSPYHCR0IrHza0pKUzyWoBhSMAm86Hnm7+nnWzXHiX8Bqqs8dciswp+vYiHIN07db3iXeBmCjfiB/TRnKNe7tO1UhiCkGju9Ujk7OFjF2I6O+Xdb8jN2HHLjc85k2u6mBUGKp99ZCKOv/TItcCP7pYgPxk5INySZGHLkqiDNoFZ1mTzpqyHmTXVAZaJzJVzgVTgA6mJoJa5HdV5oT9JxsK4UNbb5jpE8d82T/9psFrT1cBoOaNxV0xQjy/GtBuvT0IZfD9/kWo1E85aS6QzmlfCsmdOxXFZk7hfL5Yv2Cy/P8Hgs5/HtIWgCq0xepX+4qJrEFaKl7W8=

x-ms-traffictypediagnostic: PU1APC01HT190:

x-microsoft-antispam: BCL:0;

x-microsoft-antispam-message-info: 7lrGXJ0Zjsqk2jbIKEWo2EUjQOBBb/9bFTJTmLvriKfYEYlLuXk4hsvP2deWFHLhOZLLFS+l22y/CTGFgQctd9CLAXV0C280RXJWCbyGi9CrT1WylDka6TLzhZ3rsgVkAwewRGhqVm7d2K3olCveJ26yff/HeRXkRvvGWfgwmMManRapv/ndsbB7lZxT7uErqrDhR/SUWQjWK0ZFJqr8FMe+8ounkERS9zSfRl9DkH7Cad7f78sS6epzoMXWMRNV

x-ms-exchange-antispam-messagedata: W5RL4gIBo/lSN4nElDtYJ/6VgnvO4zbZlVwLSkkT0000QMQ4JEGp1iEjfUuIu7Ndxvzj0JiQZqz7521tpm5SOd+znTsy2hr9whnZ4+HkVzq+040knMS/RlpQgYUwE7122VaFO9yi1oqPnEU7Wfhvag==

x-ms-exchange-transport-forked: True

Content-Type: multipart/mixed;

    boundary="_006_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_"

MIME-Version: 1.0

X-OriginatorOrg: outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-AuthSource: PU1APC01FT064.eop-APC01.prod.protection.outlook.com

X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-CrossTenant-Network-Message-Id: fde30973-79b2-47da-111e-08d896bff026

X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2020 12:43:58.3522

 (UTC)

X-MS-Exchange-CrossTenant-fromentityheader: Internet

X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-Transport-CrossTenantHeadersStamped: PU1APC01HT190

X-Rcpt-To: <jason@notmyserver.com>

X-SmarterMail-Spam: Cyren [Unknown]: 0, Message Sniffer [code:0]: 0, ISpamAssassin [raw:0]: 1, SPF [Pass]: -2, DKIM [Pass]: -2

X-SmarterMail-SpamDetail: 0.0 MIME_BASE64_TEXT Message text disguised using base64 encoding

X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE HTML included in message

X-SmarterMail-SpamDetail: 0.9 MISSING_HEADERS Missing To: header

X-SmarterMail-SpamDetail: 0.0 T_IMAGE_MISMATCH Contains wrong image format for MIME header

X-CTCH-RefId: str=0001.0A742F1E.5FC78CE4.0001,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0

X-MessageSniffer-ResultCode: 0

X-SmarterMail-TotalSpamWeight: -3


--_006_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_

Content-Type: multipart/alternative;

    boundary="_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_"


--_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_

Content-Type: text/plain; charset="utf-8"

Content-Transfer-Encoding: base64


SGVsbG8gRGVhci4uLg0KDQpDYW4gaSBtZWV0IHlvdS7wn5iNIElmIHlvdSByZWFsbHkgd2FudCB0

byBoYXZlIGZ1biB3aXRoIG1lLg0KDQooIENvbnRhY3QgbWUgPGh0dHBzOi8vc2l0ZXMuZ29vZ2xl

LmNvbS92aWV3L21pbGZzLXVubGltaXRlZC1leGNsdXNpdmUteC9ob21lPiAp8J+SiyBJ4oCZbSBP

bmxpbmUgTm934oCm4oCm4oCmLj8/Pw0KDQo=


--_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_

Content-Type: text/html; charset="utf-8"

Content-Transfer-Encoding: base64


10 Replies

Reply to Thread
0
Derek Curtis Replied
Employee Post
Have you checked the delivery log for the message, to see how SmarterMail handled it? Like, see if another content filter did something first? Remember, content filters work top down: so if one filter interacts with a message, any other filter will be bypassed. Just a thought...
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
0
Jason Wilhelm Replied
Derek,
 Good morning. Below is the delivery log info for the email. I do not believe a filter touched it.


[2020.12.02] 03:47:27.609 [47825] Delivery started for annxxxah4654@outlook.com at 3:47:27 AM
[2020.12.02] 03:47:33.672 [Cyren Client] Start Scanning Message. Enabled Services: All, MailFrom: annxxxah4654@outlook.com, SenderIP: 40.92.253.101, MessagePath: f:\SmarterMail\Spool\SubSpool5\64347825.eml
[2020.12.02] 03:47:36.610 [47825] Delivery for annxxxah4654@outlook.com to me@myemail.com has completed (Delivered) Filter: None
[2020.12.02] 03:47:39.611 [47825] Delivery finished for annxxxah4654@outlook.com at 3:47:39 AM    [id:64347825]
0
Derek Curtis Replied
Employee Post
Just to be sure, you can move that content filter to the top of your list. Also, how is the filter set up? What are the conditions? Is it a user filter or a domain filter? 
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
1
Michael Replied
0
Jason Wilhelm Replied
Derek,
 Thanks. I am attaching some screenshots for your questions.
  • Filter is on the domain.
  • We have a few filters setup, this one is at the bottom of the list.
  • We have the filter setup so if there is a match to specific terms it reroutes the email to a special box we monitor for manual review.




5
Michael Replied
Right it seems you're using Domain level filters.

We have an open support ticket on this also. We're told it's in the queue but not being worked on yet. Bummer, but we hope it can get a fix. We're holding on upgrading until this is done.

My guess is many others are also affected, but aren't realizing it yet.
1
Ionel Aurelian Rau Replied
Hello,
We still have a lot of complains on this issue. We tried different content filter rules and are getting inconsistent results. Most of the times, the rules do not work and emails go to Inbox even for such simple rules as "move all mails from xyz@abc.com to XYZ folder".
1
Michael Replied
As I understand it, this issue is still open and may have been present for many versions going back to v15.x. I'm not clear why it's just coming up now. Perhaps new users to SM? Maybe people are just noticing now? That part to me is odd. When I connected with support back in December there was no available ETA. I'm not sure if this is currently being worked on.
2
Ionel Aurelian Rau Replied
Well, in our case we`ve had constant complaints about this, but we kept promising that the issue is being worked on. Then at some point (1-2 builds back) we told our users that some improvements have been made as we noticed that in some cases the filters were working (and interestingly enough, running them manually works as well). However, people reconfigured their filters and waited for them to work but didn't so complaints start piling up again just like emails in the Inbox.
0
cannon eva Replied
great

Reply to Thread