Share via

Apply transport rule per Junk mail category to prepend subject line

Stephan van Helden 31 Reputation points
2020-10-14T06:19:44.59+00:00

Exchange Online Protection adds anti-spam message headers as described here: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide

I tried to create transport rules to prepend subject lines accordingly. So if a mail was filtered as category SPM or HSPM, subject should be prepended with "[SPAM]"; if it was filtered as category "SPOOF" it should be prepended with "[SPOOF]" etc.

My test message contains "CAT:HSPM" in "X-Forefront-Antispam-Report" header:

32207-image.png

Accordingly this transport rule should apply to it:

32208-image.png

But this is not the case. The transport rule is not applied. But other transport rules (with "higher" priority, so more down in the list) are correctly applied.

Is the Forefront header added at a later stage? What am I doing wrong?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,606 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 147.6K Reputation points MVP
    2020-10-14T17:45:31.063+00:00
    1 person found this answer helpful.
  2. Andy David - MVP 147.6K Reputation points MVP
    2020-10-14T20:30:40.067+00:00

    I tested this and see the same results as you. This is expected from what I can tell. The rules are applied before the anti-spam checks.
    This doc confirms this:

    ****If you want to mark specific messages as spam before they're even scanned by spam filtering,** or mark messages so they'll skip spam filtering, you can create mail flow rules (also known as transport rules)** to identify the messages and set the spam confidence level (SCL). For more information about the SCL, see Spam confidence level (SCL) in EOP.

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages?view=o365-worldwide

    So I think you will have to use the anti-spam to set this as I mentioned above.
    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide#use-the-security--compliance-center-to-create-anti-spam-policies

    Hope this helps!

    1 person found this answer helpful.
    0 comments
  3. KyleXu-MSFT 26,256 Reputation points
    2020-10-15T05:28:26.5+00:00

    @Stephan van Helden
    This picture below may be useful to you(From this article: Exchange Online Protection overview):
    32523-tp-emailprocessingineopt3.png

    The mail flow rule works before content filtering (also known as Anti-spam)

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
  4. Stephan van Helden 31 Reputation points
    2020-10-15T03:42:32.037+00:00

    anonymous userDavid Thanks, but if I understand this article correctly, this doesn't help:

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined?view=o365-worldwide

    32410-image.png

    The anti-spam policy has only one field for the text to prepend. But I wanted to preprend text depending on the spam category.

    I could define multiple policies (one for Spam, one for Phishing, one for Bulk), but per this article, only the first of these would be applied.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.