Spoofed Emails coming in SCL -1


Background: Test domain spoofing rule. Have Axence NetToosl to do ping check, remove the mail settings from using the relay, Email will now appear as spoofed, should apply rule and set SCL to 8 and send to junk.

​

I have a mail transport rule to prepend a “highly possible spoofing” header, this rule also applies SCL to 8 – which should throw it into junk. When looking at a spoofed Email, SCL = -1…wth?

​

I did a trace, and it processes through rules as it should and is processed and seems to apply the SCL of 8 through this processed rule..” **Set Spam Confidence Level. Transport rule: ‎’Domain Spoof Prevention‎’,** ”

​

Looking at the message headers from my outlook client:

Received: from SERVER-UTIL3 (IP ADDRESS HERE) by

name.mail.protection.outlook.com (IP ADDRESS) with Microsoft SMTP

Server id 15.20.xxx0.2 via Frontend Transport; Thu, 7 Feb 2019 17:40:10 +0000

X-Mailer: Axence nVision http://axence.net

From: “service@domain.com” <service@domain.com>

Subject: netTools test message

To: <it@>…

&#x200B;

X-MS-Exchange-Organization-SCL: -1 …R:INB;SFP:;SCL:-1;SRV….

Received-SPF: Fail ([protection.outlook.com](https://protection.outlook.com): domain of domain.com does not

designate 207.xx.xx.xx as permitted sender) [receiver=protection.outlook.com](https://receiver=protection.outlook.com);

client-ip=207.xx.xx.xx; helo=SERVER-UTIL3;

What gives here? There is no rule allowing trust of this sender that I can see and follwing the message trace, none of the rules are changing the SCL from 8.

&#x200B;



View Reddit by Hollow3dddView Source

3 thoughts on “Spoofed Emails coming in SCL -1

  1. blaughw says:

    In addition to others saying do not whitelist your own domain, check Safe Senders list for the recipient. You will see SFV:SFE in the x-forefront-antispam header if there is a safe sender list match.

    Actually, you should check the header anyway and it will tell you what’s up. Use the Message Header Analyzer at https://testconnectivity.microsoft.com. The header in question has a link to a help article describing the values.

  2. wpzr says:

    SCL -1 is whitelist.

    Do you have your own domain whitelisted in list of allowed domains for spam filter in EXO perhaps? if that is the case none of transport rules will apply properly

Leave a Reply

Your email address will not be published. Required fields are marked *