So some email seems to be getting past the content filter and I am not sure why. When I send a test using some of the criteria it gets flagged as it is supposed to. Can anyone throw some thoughts my way?
Attached is a screenshot of one of the emails that made it past the content filter. It is supposed to trigger on the emoji lips (💋). As mentioned, when I send a test email it does get caught.
This is one of those emails that come in and do not have an address in the TO: area but do have X-Rcpt-To in the source.
Below is a portion of the email source; I tried to pull out any identifiable info.
Return-Path: <annahxxxxxx4654@outlook.com>
Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-oln040092253101.outbound.protection.outlook.com [40.92.253.101]) by mail.notmyserver.com with SMTP;
Wed, 2 Dec 2020 03:47:27 -0900
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=fmE1V3vpE3M1BzOPBEwoi2s1plaWh8gfuXH+q1UkYmZWbt40gUioAakZCccolw33GXHd4pkZdduR/yxOEHx3LJkJkxSFfVydL2OHmKajLBmS/V8nzPAogGGqL9n6o8hnDjrzP19BIBs9+xkh4lrOEX75AkdgwWTyQ9MJ68fTqLgpQOpiXY4TPN4pticbu8p43PITQ/yErVXBph7WGmivuyKbfTwMqp+fU13/0srfzfDzTwoEQclAxhQVJL3AyQyY3+pkMQhSK/cEuszx8dlPi9Ql+8BA1Ow4wxowWvkU+qfCILv/GNoiimT7VvT1iJOCwayi1NFSZCT2jfJE5rDJUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=SfaIN8syfWPcc1MtDFx72OGRemmbmw79xroeeV/w2VE=;
b=WdQfNbkABR3cFSC5LpUGphJ+0hM0gsjwWZXTifSG8GrIIOl+rUOtK3Z4GI+pxEQ8JoeHsFM6X9Xndoc83q5X+Udbhivt3xffC97kEhnmQCbphjwGQuhFqZcP1SJM+6fcyN8T7aqil6n/4Qs3Bj+bdd29YgafDCM5cz3+xieuH8SsLDFk/GfP+11NDMmSPbbDEtGKycXaNHQrzvID0Es176B/tvTFEXr84P4FCtgJiRAStMnayHxeEYRSGCvtVtOvjZhssDjHGYWi1KWxhIuSjsLchqbe8+h4/bx2T1y0OQIyA4jsjWjLiV/qT5jn2giXGq2ABRLvB4e+hi88LnXcUA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=SfaIN8syfWPcc1MtDFx72OGRemmbmw79xroeeV/w2VE=;
b=ZBeytLJ/NtpdAexQHY+8GbpefGsbK6QSvykOtnQldJkkZ9PK1aJZbQ/xSAsJEyhAPCpwhgsPIGQMb7uLHjKaRixVy8po3zPacWJlYI9M/EtY1jcA7eEZwQ99KAsaKZV6NRlsIcahRUxoWBcraQ+8HeNvEFkIZll8v+5B8zRxILYE5LBE1x6pDzi0ypurSV7w5j99gArCDQRgnXeVhCBpvhmUjWPGQVZnZIjKUPLF+LfGtb6+oMSflj6VJ+4I+wNMjttPoKD7tQMhg4VK7I0G94uvK3la+h9/YiuPKNQbwtQjcaDrbIXauWjnbcmt7bvJphz6cbMi8O2T//kH/Vhz0g==
Received: from PU1APC01FT064.eop-APC01.prod.protection.outlook.com
(2a01:111:e400:7ebe::42) by
PU1APC01HT190.eop-APC01.prod.protection.outlook.com (2a01:111:e400:7ebe::457)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.23; Wed, 2 Dec
2020 12:43:58 +0000
Received: from SG2PR06MB2966.apcprd06.prod.outlook.com
(2a01:111:e400:7ebe::49) by PU1APC01FT064.mail.protection.outlook.com
(2a01:111:e400:7ebe::326) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.17 via Frontend
Transport; Wed, 2 Dec 2020 12:43:58 +0000
Received: from SG2PR06MB2966.apcprd06.prod.outlook.com
([fe80::2031:eaf8:bcaa:54e6]) by SG2PR06MB2966.apcprd06.prod.outlook.com
([fe80::2031:eaf8:bcaa:54e6%6]) with mapi id 15.20.3632.017; Wed, 2 Dec 2020
12:43:58 +0000
From: Hannah nah <andsnaxxh4654@outlook.com>
Subject:
Thread-Index: AQHWyKjIuxRxqEONJUS2wmMG69Tcbg==
Date: Wed, 2 Dec 2020 12:43:58 +0000
Message-ID: <SG2PR06MB2966062C660B7EF3EB955272B7F30@SG2PR06MB2966.apcprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:E52DD37863DA384DE3CB938F4C2CC3F5A6DBEC5E7E0A882C1BD18C4F6854FE22;UpperCasedChecksum:A38AC1366B0B49AE7E31D345E7078B789D1C50E0C44F155CC2771F1B5D79B642;SizeAsReceived:19638;Count:39
x-tmn: [5AKk9ND/0NizLsSpbJshAkUW6Hm7tuS9RDkh1lpD0TI=]
x-ms-publictraffictype: Email
x-incomingheadercount: 39
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: fde30973-79b2-47da-111e-08d896bff026
x-ms-traffictypediagnostic: PU1APC01HT190:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7lrGXJ0Zjsqk2jbIKEWo2EUjQOBBb/9bFTJTmLvriKfYEYlLuXk4hsvP2deWFHLhOZLLFS+l22y/CTGFgQctd9CLAXV0C280RXJWCbyGi9CrT1WylDka6TLzhZ3rsgVkAwewRGhqVm7d2K3olCveJ26yff/HeRXkRvvGWfgwmMManRapv/ndsbB7lZxT7uErqrDhR/SUWQjWK0ZFJqr8FMe+8ounkERS9zSfRl9DkH7Cad7f78sS6epzoMXWMRNV
x-ms-exchange-antispam-messagedata: W5RL4gIBo/lSN4nElDtYJ/6VgnvO4zbZlVwLSkkT0000QMQ4JEGp1iEjfUuIu7Ndxvzj0JiQZqz7521tpm5SOd+znTsy2hr9whnZ4+HkVzq+040knMS/RlpQgYUwE7122VaFO9yi1oqPnEU7Wfhvag==
x-ms-exchange-transport-forked: True
Content-Type: multipart/mixed;
boundary="_006_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-AuthSource: PU1APC01FT064.eop-APC01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: fde30973-79b2-47da-111e-08d896bff026
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2020 12:43:58.3522
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PU1APC01HT190
X-Rcpt-To: <jason@notmyserver.com>
X-SmarterMail-Spam: Cyren [Unknown]: 0, Message Sniffer [code:0]: 0, ISpamAssassin [raw:0]: 1, SPF [Pass]: -2, DKIM [Pass]: -2
X-SmarterMail-SpamDetail: 0.0 MIME_BASE64_TEXT Message text disguised using base64 encoding
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE HTML included in message
X-SmarterMail-SpamDetail: 0.9 MISSING_HEADERS Missing To: header
X-SmarterMail-SpamDetail: 0.0 T_IMAGE_MISMATCH Contains wrong image format for MIME header
X-CTCH-RefId: str=0001.0A742F1E.5FC78CE4.0001,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: -3
--_006_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_
Content-Type: multipart/alternative;
boundary="_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_"
--_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
SGVsbG8gRGVhci4uLg0KDQpDYW4gaSBtZWV0IHlvdS7wn5iNIElmIHlvdSByZWFsbHkgd2FudCB0
byBoYXZlIGZ1biB3aXRoIG1lLg0KDQooIENvbnRhY3QgbWUgPGh0dHBzOi8vc2l0ZXMuZ29vZ2xl
LmNvbS92aWV3L21pbGZzLXVubGltaXRlZC1leGNsdXNpdmUteC9ob21lPiAp8J+SiyBJ4oCZbSBP
bmxpbmUgTm934oCm4oCm4oCmLj8/Pw0KDQo=
--_000_SG2PR06MB2966062C660B7EF3EB955272B7F30SG2PR06MB2966apcp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
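
Added example, not part of the original post: in the source above the text/plain part is sent with Content-Transfer-Encoding: base64, so the 💋 character is absent from the message as transmitted and only appears once that part is decoded. The Python below compares a search of the raw source with a search over the decoded MIME parts, using a constructed message. The addresses, boundary and function names are assumptions, and nothing here describes how SmarterMail's content filter works internally.

```python
import base64
from email import message_from_bytes, policy

LIPS = "\U0001F48B"  # kiss-mark emoji the filter rule is meant to catch

def build_sample() -> bytes:
    """Constructed message shaped like the one in the post: no To: header,
    text/plain part sent with Content-Transfer-Encoding: base64."""
    body = base64.encodebytes(f"Hello Dear... {LIPS} online now\r\n".encode("utf-8"))
    return (
        b"From: sender@example.com\r\n"
        b"Subject:\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/alternative; boundary="b1"\r\n'
        b"X-Rcpt-To: <user@example.com>\r\n"
        b"\r\n"
        b"--b1\r\n"
        b'Content-Type: text/plain; charset="utf-8"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n" + body.replace(b"\n", b"\r\n") + b"--b1--\r\n"
    )

def raw_match(raw: bytes, needle: str) -> bool:
    """Naive check: look for the needle's UTF-8 bytes in the wire form."""
    return needle.encode("utf-8") in raw

def decoded_matches(raw: bytes, needle: str) -> list:
    """Decode every text/* part per its transfer encoding and charset, then
    search the decoded text. Returns (content type, encoding) for each hit."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        text = payload.decode(charset, errors="replace")
        if needle in text:
            cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
            hits.append((part.get_content_type(), cte))
    return hits

if __name__ == "__main__":
    raw = build_sample()
    print("raw-source match:", raw_match(raw, LIPS))
    print("decoded-part hits:", decoded_matches(raw, LIPS))
```

A test message typed into a mail client may go out as 8bit or quoted-printable rather than base64, so comparing the Content-Transfer-Encoding of a caught test message with that of a missed one is a quick first check.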