FPE issue where all spam is missed
The most common reason we do not filter spam in FPE is that we honor the ms-exch-bypass-anti-spam permission on connectors.
The most common scenario is that the bypass is enabled for anonymous connections.
This is simple to fix with some PowerShell commands to remove the permissions from the connectors.
In Exchange PowerShell, list the receive connectors:
Get-ReceiveConnector
Take the names you get and, for each one, run:
Get-ReceiveConnector "Receive_Connector_name" | Get-ADPermission -User "NT Authority\Anonymous Logon" | fl
In the output, you are looking for ms-exch-bypass-anti-spam listed among the rights for anonymous.
You can then remove the right for bypass by running the following on any connector with the bypass right
Get-ReceiveConnector "Receive_Connector_name" | Remove-ADPermission -User "NT Authority\Anonymous Logon" -ExtendedRight ms-exch-bypass-anti-spam
Checking again with Get-ReceiveConnector "Receive_Connector_name" | Get-ADPermission -User "NT Authority\Anonymous Logon" | fl shows that bypass has been removed from the rights for anonymous.
Do the same for each connector, then recycle (restart) the transport service so the changes take effect.
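The check-then-remove steps above, run across every receive connector in one pass. This is an added example, not code from the original post. It assumes the Exchange Management Shell, and the variable names and report columns are illustrative. The removal is run with -WhatIf so nothing changes until that switch is dropped.

```powershell
# Added example: audit all receive connectors for the anonymous anti-spam
# bypass, then preview the removal. Run in the Exchange Management Shell.
$anon  = 'NT Authority\Anonymous Logon'
$right = 'ms-Exch-Bypass-Anti-Spam'

$findings = foreach ($connector in Get-ReceiveConnector) {
    # Keep only the anonymous ACEs that carry the bypass extended right
    $connector | Get-ADPermission -User $anon |
        Where-Object { $_.ExtendedRights -like $right } |
        Select-Object @{ n = 'Connector'; e = { $connector.Identity.ToString() } },
                      Deny, IsInherited
}

if (-not $findings) {
    Write-Host 'No receive connector grants the bypass right to anonymous.'
    return
}

# Report first, so there is a record of what was set before the change
$findings | Format-Table -AutoSize

# Preview removal of explicit allow entries only. Inherited entries are
# defined on a parent object and are reported above but not touched here.
$findings |
    Where-Object { -not $_.Deny -and -not $_.IsInherited } |
    ForEach-Object {
        # -ExtendedRights is the full parameter name; the -ExtendedRight
        # form used in the steps above is accepted as an abbreviation.
        Get-ReceiveConnector $_.Connector |
            Remove-ADPermission -User $anon -ExtendedRights $right -WhatIf
    }
```

Connectors that never had the right simply do not appear in the report, which avoids the per-connector errors that an unconditional removal produces.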
Comments
- Anonymous
January 01, 2003
I like this and it looks really helpful, but to remove Anonymous Logon from all Receive Connectors at once, I have just run:
Get-ReceiveConnector | Remove-ADPermission -User "NT Authority\Anonymous Logon" -ExtendedRight ms-exch-bypass-anti-spam
Selecting Yes (Y) lets you approve the change for each connector.
You'll get an error that the ACE isn't present for any Receive Connectors where the permission was not already present but the permission will be gone for the ones where it was present.
- Anonymous
February 13, 2015
What's the SECOND most common reason for SCL -1? Because I checked and this property isn't set but a lot of spam still comes through as SCL -1.