Bypass reputation filtering

Dear All
i am a new user for ironport, would like to check with you all how do i set bypass a few domain from reputation filtering. There are a few client facing a problem sending mail to us was block my reputation filtering. the problem is sender mail was hosted by someone, and the sending IP is dynamic. please advice.
regards
Anthony

In addition, I wanted to add to the post, on how to best detect what hostname/domain/ip address to add to this sendergroup.
Like the previous post mentioned, you'll want to create a new sendergroup and possibly label it "Bypass_SBRS_scoring". Because the mail that you're mentioning is getting blocked, you may want to position this new sendergroup above the "Blacklist" sendergroup. Note, when incoming connections occur, the HAT Overview works in a top-down environment. In other words, it will start at the top and move on down until there's a match or else go into the default of all.
To add a domain or company as a sender in this new sendergroup, you'll need to add either the hostname, IP address, or IP address range. When you add a sender, there is a little question mark that details how you can add the sender. This is what the help says,
Enter the hosts to add. CIDR addresses such as 10.1.1.0/24 are allowed. IP address ranges such as 10.1.1.10-20 are allowed. IP subnets such as 10.2.3. are allowed. Hostnames such as crm.example.com are allowed. Partial hostnames such as .example.com are allowed.
How to locate the hostname or IP address of a sender
- When customers have difficulty obtaining the hostname or ip address of a sender to add to a sendergroup.
- Trying to obtain the SBRS score of a connecting server
How to search in the logs for the IP or hostname of a sender:
You want to find out the IP address or hostname of the sender called of the sender called "[email protected]".
1. From the command line, type:
ironport> grep -i "test.com" mail_logs
Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from
2. Then search for the "MID 28"
ironport> grep -i "MID 28" mail_logs
Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
Fri Sep 7 10:06:13 2007 Info: MID 28 Subject 'testing 123'
Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from
Fri Sep 7 10:06:13 2007 Info: MID 28 matched all recipients for per-recipient policy DEFAULT in the inbound table
Fri Sep 7 10:06:13 2007 Info: MID 28 interim verdict using engine: CASE spam negative
Fri Sep 7 10:06:13 2007 Info: MID 28 using engine: CASE spam negative
Fri Sep 7 10:06:13 2007 Info: MID 28 interim AV verdict using Sophos CLEAN
Fri Sep 7 10:06:13 2007 Info: MID 28 antivirus negative
Fri Sep 7 10:06:13 2007 Info: MID 28 queued for delivery
Fri Sep 7 10:06:14 2007 Info: Delivery start DCID 477 MID 28 to RID [0]
Fri Sep 7 10:06:14 2007 Info: Message done DCID 477 MID 28 to RID [0]
Fri Sep 7 10:06:14 2007 Info: MID 28 RID [0] Response 'ok: Message 57897990 accepted'
Fri Sep 7 10:06:14 2007 Info: Message finished MID 28 done
3. From the MID output, you grep for the ICID to get the hostname or IP address of the connecting server.
ironport> grep -i "ICID 10" mail_logs
Fri Sep 7 10:05:42 2007 Info: New SMTP ICID 10 interface Management (172.19.0.146) address 10.1.1.209 reverse dns host outgoing232.ispserver.com verified yes
Fri Sep 7 10:05:42 2007 Info: ICID 10 ACCEPT SG SUSPECTLIST match 10.1.1.209 SBRS 1.2
Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
Fri Sep 7 10:06:14 2007 Info: ICID 10 close
4. The information that I have put in BOLD above displays the information that you want.
The IP address is: 10.1.1.209
The hostname of the connecting server is: outgoing232.ispserver.com
The SBRS score of the connecting IP is: 1.2
The sendergroup that was matched was: Suspectlist
172.19.0.146 is the IP of your Ironport appliance.
So, if you wanted to whitelist the sender, [email protected] or test.com, you would add any of these to the Sendergroup:
10.1.1.209
outgoing232.ispserver.com
.ispserver.com
Use ".ispserver.com" when there are multiple outgoing servers and you want to wildcard them.

Similar Messages

Recent decrease in Reputation Filtering

Beginning yesterday (Nov 13) at about 17:00 eastern time, we have seen a drastic decrease in messages stopped by Reputation Filtering and an large increase in Spam Detected. The drop is from about 97% to 89%. Spam Detected has risen from 1.4% to 7.6%
Anyone else seeing this occur? We are using V5.1.2 of AsyncOS.

The efforts of security researchers have resulted in Mc Colo's hosting service being stopped, and this has resulted in far less spam being sent. :) However, it won't last long. Witihin a couple of wweks, the spam levels will be back to usual...
http://www.eweek.com/c/a/Security/Notorious-Web-Hosting-Service-Linked-to-Spam-Campaigns-Goes-Offline/
http://www.senderbase.org/home/detail_spam_volume?displayed=lastmonth&action=&screen=&order=
Which is about now.. I can point to www.senderbase.org and more specifically to : http://www.senderbase.org/home/detail_spam_volume
looks like spam has returned to its "normal" volumes.

MARS 6.0.4 reporting for IPS 7.0 Global Correlation Reputation Filtering

Does anyone know if there is a report available in MARS to see what IP addresses were denied by Reputation Filtering on IPS 7.0?
I found a report that shows attacks that were prevented due to global correlation score, but not for packets denied by Reputation Filtering.
Replies are greatly appreciated.
Thanks,
Mark

Thanks for the reply, but what I am looking for is reporting on what packets were dropped with Reputation Filtering(doesn't have a report in MARS) Not the GLobal Correlation risk rating blocks(Which does have a report available in MARS).

Global correlation / reputation filtering in monitoring mode

We use Cisco appliances primarily in monitoring mode. We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc). Is it even possible to use either of these features for this purpose? According the the following document is appears there may not be alerts for packets denied before signature analysis. Surely that can't be???
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1067283
"Note This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched. It does not apply to reputation filtering where the packet is denied before signature analysis, and no alerts are generated when packets are denied by reputation filtering. "

Just listened to the techtalk on global correlation. about 16 minutes in...."we do not send events just to keep the load quiet". Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still works this way? I'm sorry to sound like an arse, but I am so completely frustrated with the value we get out of these appliances. Apparently, the ASA botnet functionality can do what we want, but not the stand alone IPS appliance....come on Cisco.

Counter changed in 6.0.0-745 for 'Reputation Filtering'?

After upgrading to 6.0.0-745 we noticed that the amount of incoming mails for 'Stopped by Reputation Filtering' is 3 x higher then before with version 5.5.1-011.
We can see the jump to the 3x higher level for the time after the upgrade.
We have checked the 'Configure Sender Reputation Multiplier' in the CLI, but this value is still on 1.
Has something changed on counting this number?

After the upgrade on the second machine, we can see this behaviour again. Maybe this picture can help to understand:
[URL=http://img393.imageshack.us/my.php?image=67250759li9.jpg][img:614f2a26ad]http://img393.imageshack.us/img393/3057/67250759li9.th.jpg[/img:614f2a26ad][/URL]
We can't believe, that the amount of
- Stopped by Reputation Filtering
and
- Stopped as Invalid Recipients
has more then doubled after the lunch (upgrade-time on 11.4.2008) :wink:

Reputation Filtering

Hi,
Im installing an eval Ironport behind a current 3rd party MTA, which will relay all mail onto Ironport.
My query is- can someone advise if this will affect reputation filtering, the fact Ironport receives mail from an internal address? And how best can i get around this issue?
Cheers :)

You can use the Ironport Incoming Relays feature to get around this.
Basically you specify how may hops back in the header to look for the ACTUAL sender IP. This works if the number of hops is always going to be consistent.
If the hops aren't a consistent predictable number then you will have to insert a custom header at your third party MTA if possible.
This is all documented in the Basic User Guide, or online here: https://support.ironport.com/docs/c_series/5.1/HTML_5.1_Compilation/Basic_Guide/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Basic_Guide&file=antispam.14.5.html
:-)

A "Web Reputation Filters" key was downloadedfrom the Cisco Ironport key server.....

Recently we received an alert from our Ironport S370 appliance indicating that a new Web Reputation Filters key had been downloaded and placed into the pebnding area: EULA acceptance required. This key shows a 256 days validity however our current key still has 250 days left on it..... Why would a new key be downloaded when the old one still has so much time left on it? My undestanding is that a key is just used to enable a feature but being that the feature is already enabled and has several months of validity why would a new key be needed? I find it a little strange.
Thanks

When Web Reputation Filters (WBRS) expired, all web sites that accessed using WSA as Web proxy will not get any reputation score and the filtering in WSA policies based on reputation score will not function therefore if for example accessing web site that has bad reputation score and should be blocked automatically by WSA when WBRS in functioning will not happened and all sites will be accessible without reputation score filtering (expose threats and strongly recommend to validate the feature keys).

ByPass Content Filtering

We have several content filters setup on an incoming policy. Profanity, Image Sanning and account numbers.
We get a lot of news letters that are quarantined by these filters (mainly profanity).
I am compiling a list of sender addresses in a dictionary. How can I set this list of senders to bypass the content filtering?

Correct, if the message doesn't meet the IF condition, then the ACTION will not be applied and the message will continue evaluating the other content filters. It's a top-down design, so order of precedence is very important. The deliver() action, like the drop() action are final actions and allows you to stop processing further content filters.
Congrats on the new appliance. I'm sure your employees will see a noticable decrease in spam they normally get.
By the way, the online support portal has additional resources that you can benefit from. The Support portal knowledge base and the Email documentation section that goes over the Advanced stuff like LDAP. (joy joy)

Bypass spam filters for certain mail addresses

I am looking for a way to bypass virus checks on mail from a certain mail user (actually system mail sent from a process that we have, so we can trust it).
I have been playing with the @bypassspam_checksacl = qw( [email protected] ); entry in /etc/amavisd.conf but this doesn't seem to bypass as I would expect.
Does anyone know if this file might be over riden else where or perhaps if I can bypass in another way?
Cheers

Greetings
there is probably more than one way to skin a cat.
here is a postfix only method however i'm not sure if it will pass all before amavid. so see the snippit from the amavisd.conf below.
main.cf
smtpd_recipient_restrictions = hash:/etc/postfix/spamlovers, .....
create a file call spamlovers
[email protected] OK
biggroup.net OK
that will prevent all subsequent anti-spam checks from being applied to
the listed recipient domains/addresses. in short - they want spam, let
them eat spam.
((snip)) amavisd.conf
# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
# lookup tables:
# (this is mainly a time-saving option, unlike virus_lovers* !)
# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
# access list @bypass_virus_checks_acl and regexp list
$bypass_virus_checks_re
# are used to skip entirely the decoding, unpacking and virus checking,
# but only if ALL recipients match the lookup.
# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
# do NOT GUARANTEE the message will NOT be checked for viruses - this may
# still happen when there is more than one recipient for a message, and
# not all of them match these lookup tables. To guarantee virus delivery,
# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
# (but see milter limitations above),
# NOTE: it would not be clever to base virus checks on SENDER address,
# since there are no guarantees that it is genuine. Many viruses
# and spam messages fake sender address. To achieve selective filtering
# based on the source of the mail (e.g. IP address, MTA port number, ...),
# use mechanisms provided by MTA if available.
# Similar to lookup tables controlling virus checking,
# there exist spam scanning and banned names/types control counterparts:
# %spam_lovers, @spam_lovers_acl
# %banned_files_lovers, @banned_files_lovers_acl
# and:
# %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
# (but no bypass_banned_checks, as $bypass_decode_parts controls it
already)
# See README.lookups for detailsabout the syntax.
# The following example disables spam checking altogether,
# since it matches any recipient e-mail address (any address
# is a subdomain of the top-level root DNS domain):
# @bypass_spam_checks_acl = qw( . );
# See README.lookups for further detail, and examples below.
# $virus_lovers{lc("postmaster\@$mydomain")} = 1;
# $virus_lovers{lc('[email protected]')} = 1;
# $virus_lovers{lc('[email protected]')} = 1;
# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of
domain
# $virus_lovers{lc('[email protected]')} = 0; # never, even if domain matches
# $virus_lovers{lc('example.com')} = 1; # this domain, but not its
subdomains
# $virus_lovers{lc('.example.com')}= 1; # this domain, including its
subdomains
#or:
# @virus_lovers_acl = qw( [email protected] !lab.xxx.com .xxx.com yyy.org );
# $bypass_virus_checks{lc('[email protected]')} = 1;
# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com
.example.com );
# @virus_lovers_acl = qw( [email protected] );
# $virus_lovers_re = new_RE( qr'(helpdesk|postmaster)@example\.com$'i );
# $spam_lovers{lc("postmaster\@$mydomain")} = 1;
# $spam_lovers{lc('[email protected]')} = 1;
# $spam_lovers{lc('[email protected]')} = 1;
# @spam_lovers_acl = qw( !.example.com );
# $spam_lovers_re = new_RE( qr'^user@example\.com$'i );
# don't run spam check for these RECIPIENT domains:
# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
# or the other way around (bypass check for all BUT these):
# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
# a practical application: don't check outgoing mail for spam:
# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
# (a downside of which is that such mail will not count as ham in SA
bayes db)
I'm sure anyone of these methods will allow the lovers of the blessed spam to fill their hearts content. Hope you have good hard drives
--j

Reputation Filtering Rejecting a valid Host

We have a company that is not able to email us. Our ironport server says their reputation status is poor and is rejecting the message.
If you go to senderscore.org and enter the ip addresses of their server they are all 95-100 score rating.
Why are we rejecting their email?
I was able to get around this by add them to the whitelist.

this host is a 'poor' score for a reason - whether it's quasi-legitimate spam / marketing mail or a sharp statistical increase in mail volume over a short period due to some bot net or virus traffic - there's not supposed to be any misinformation or false positives. there are many reasons or factors that contribute to the score, which is mostly confidential for us (IronPort). we can tell you that it is a rolling average that is continuously correcting itself.
many cusgtomers are comfortable referring their partners or owners of incoming MTAs that have been rejected by SBRS to just RTM at senderbase.org and contact SB support teams for more info.
so in short, if you 'trust' this MTA and they don't want to contact SenderBase for help, then yes, manually add it to the whitelist. occasionally whitelisting is easier than constantly blacklisting, which is why senderbase is so cool / popular.
more info on senderbase.org and our 'Sender Base Reputation Score':
Sender Base Best Practices / Overview:
http://tinyurl.com/lvuub
Tips on Low Scores:
http://tinyurl.com/zfczg
andrew

Spam filtering

Hi all
I am getting about 15 spam emails an hour. i use apple mail junk(2.08) but its not always regognised. anyone no of a good spam fill ter i can use in addition.
thanks Michael

Hello Michael.
No spam filter will catch 100% since spammers are constantly tweaking/changing their methods to bypass spam filters.
Since you are getting 15 spam messages an hour, you need to do something else.
See my post in this thread.
http://discussions.apple.com/message.jspa?messageID=2349714#2349714

RV082 "router busy" information after enabling TrendMicro Web protection

Hi,
We have recently bought TrendMicro ProtectLink licences for our RV082 router. After enabling Web Protection (URL Filtering nad Web Reputation) on it, users inside local network began to recieve strange information (web page) during web browsing.
The information says:
"The router is very busy at the moment. Please try after a few minutes." You can press then OK or Retry - pressing OK do not help, the web page shows again "The router is very busy...".
Our network consist of one server (MS Windows 2003 SBS) and less than 15 workstations (including PCs and laptops). When we disable Web Protection on RV082, everything is OK and web browsing do not generate such information.
Anybody encountered such problem? Thank you in advance for your help.
Łukasz

Good Morning,
Typically the Trend Micro Protect Link filtering will take all the request (floods) that come into it and block them.
URL Overflow Control
Temporarily block URL requests (This is the recommended setting)
Temporarily bypass Trend Micro URL Filtering for requested URLs
You can change the setting to bypass the request or look into the traffic that you are filtering.
When you look at the log or counters what are you seeing the most blocks at.
URL Overflow Control
Temporarily block URL requests (Trend Micro recommended setting): Users will not be able to access the Internet until the current queue can accommodate more requests. Temporarily bypass Trend Micro URL verification for requested URLs: URL requests will temporarily bypass URL Filtering and Web Reputation Services. This could make your network vulnerable to threats.
You might want to look to break that category down to allow some of the traffic or educate the staff on what is allowed on the Internet.
I hope this helps out

WSA how to filter HTTPS urls without decrypting

In transparent mode HTTPS Proxy must be activated for HTTPS traffic.
If you don't want particular users to access certain https sites with out decryption , you can define those urls in custom url categories and under decryption policies :
1. Exclude that custom url category from global decryption policy
2. Create new decryption policy for those identities you want to block request and then under categories include that custom url. Default action you will get for this category is monitor .
3. If you leave it as such then it continues to evaluate the client request against other policy group control settings, such as web reputation filtering or you can use drop action if you do not want to pass the connection request to the server. The appliance does not notify the user that it dropped the connection.
HTH
"Please rate useful posts"

Dear Kush
Thanks for the reply.... you advise to start with a new Decryption Policy for Guest users. So I have now created several Decryption Policies, for Guests, Authenticated Users, VIP Users. The Guest URL Filtering is set to DROP many Categories and to Pass Through the rest, and the VIP Policy drops only the worse categories (Porn, etc) and Pass Through most. If I set the HTTPS Filter=Monitor, then it will decrypt.
I think it is working as I need it, but as a Guest User I can still bypass the Ironport block by entering http://www.youtube.com into Internet Explorer v8 (XPsp3) - However, on the same PC with Firefox v28 https://www.youtube.com is blocked. (IE8 detects the traffic as "SRCH" traffic to 74.125.21.95:443, Firefox detects category "VID" to 74.125.196.91:443)
I'll do some more testing, then feedback to the forum again...
Martin
PS. What I don't like about the solution: I need to setup two sets of URL Category Filters: for the HTTPS proxy (under Decryption Policies) and for the HTTP proxy (under Access Policies) - even though I want the same Group based filters for HTTP and HTTPS. I did not expect to have to setup two separate sets of filters.

Firefox(20.0.1) is ignoring my proxy server for google searches from website and the search box. It works for all other search engines and chrome/safari.

firefox(20.0.1)
squid (port 3128) and dansguardian (port 8080) not running in transparent mode.
I am applying blacklists and a custom url regex to apply "safe=vss", this works for all browsers and all search engines except firefox using google search engine.
Search engines tested (bing, yahoo, norton, ask, amazon, avg, ebay) - all work.
Links from the search results are blocked by content filter, but search results still appear and google images are still shown. This does not happen in Chrome(23.0.1271.97), IE9(9.0.8), Opera(12.14) or Safari(5.1.7) with the same settings.
No log entry appears in Dansguardian access.log implying proxy settings are being ignored for just this combination.

I can't think of a reason that one particular webpage would behave differently from all the others, i.e., if you are starting at google.com and running a search using the form in the page, I'm not aware of any reason for Firefox to handle that specially just because it's Google.
Does it make a difference if you disable JavaScript when using Google? If that yields the results you expect, perhaps Google's XMLHttpRequest AJAX traffic is bypassing your filters?
The search bar has its own code, so someone would need to look at that to see whether/why it bypasses your proxy if the above hypothesis does not apply.

Internal email marked as Junk - Exchange 2013

Hello,
As per the title, I have an issue whereby internal email from a reporting server is being classed as Junk in Outlook 2010 and 2013 for all recipients.
-The Junk-email filtering level for all users in Outlook is set to "Low" and is applied via group policy.
-I have anti-spam agents installed on all Exchange mailbox servers, but the "InternalMailEnabled" parameter is set to "false" for all agents.
-The receive connector used to receive internal email has the "Externally secured" flag set, which allows spam-filtering to be bypassed.
-The "InternalSMTPServers" parameter of the transport config contains the IP of the sending server.
- The email address has been added to several users "Safe Senders" list in Outlook.
-I have a transport rule set up to bypass spam filtering for the sending address of the [email protected], yet the email header on any of these messages does not contain the "SCL -1" stamp as per the below:
#↓   Header   Value
1   MIME-Version   1.0
2   From   <[email protected]>
3   To   <[email protected]>, <[email protected]>
4   Date   Tue, 10 Mar 2015 07:35:32 +0000
5   Subject    Report was executed at 10/03/2015 07:35:08
6   Content-Type   multipart/mixed; boundary="--boundary_90_638c99de-c35d-4d06-b992-536e14201c6d"
7   Message-ID   <[email protected]>
8   Return-Path   [email protected]
9   X-MS-Exchange-Organization-AuthSource   SERVER01.domain.localnet
10   X-MS-Exchange-Organization-AuthAs   Internal
11   X-MS-Exchange-Organization-AuthMechanism   10
12   X-MS-Exchange-Organization-Network-Message-Id   8d357628-f2e9-48d5-77e2-08d2291beca4
13   X-MS-Exchange-Organization-AVStamp-Enterprise   1.0
Can anyone assist in explaining why these emails are being continually marked as Junk in Outlook, and any further troubleshooting steps.
Thanks
Matt

Hello
please show transport rules settings.
sorry my english
Hello Sneff,
Transport Rule output below
Thanks
RunspaceId : 503d1c3b-4ab8-4e90-a5dd-a3eefdcbe404
Priority : 18
DlpPolicy :
DlpPolicyId : 00000000-0000-0000-0000-000000000000
Comments :
ManuallyModified : False
ActivationDate :
ExpiryDate :
Description : If the message:
Includes these patterns in the From address:
'[email protected]'
and Is received from 'Inside the organization'
Take the following actions:
Set the spam confidence level (SCL) to '-1'
RuleVersion : 15.0.0.0
Conditions : {FromAddressMatches, FromScope}
Exceptions :
Actions : {SetSCL}
State : Enabled
Mode : Enforce
RuleErrorAction : Ignore
SenderAddressLocation : HeaderOrEnvelope
RuleSubType : None
UseLegacyRegex : False
From :
FromMemberOf :
FromScope : InOrganization
SentTo :
SentToMemberOf :
SentToScope :
BetweenMemberOf1 :
BetweenMemberOf2 :
ManagerAddresses :
ManagerForEvaluatedUser :
SenderManagementRelationship :
ADComparisonAttribute :
ADComparisonOperator :
SenderADAttributeContainsWords :
SenderADAttributeMatchesPatterns :
RecipientADAttributeContainsWords :
RecipientADAttributeMatchesPatterns :
AnyOfToHeader :
AnyOfToHeaderMemberOf :
AnyOfCcHeader :
AnyOfCcHeaderMemberOf :
AnyOfToCcHeader :
AnyOfToCcHeaderMemberOf :
HasClassification :
HasNoClassification : False
SubjectContainsWords :
SubjectOrBodyContainsWords :
HeaderContainsMessageHeader :
HeaderContainsWords :
FromAddressContainsWords :
SenderDomainIs :
RecipientDomainIs :
SubjectMatchesPatterns :
SubjectOrBodyMatchesPatterns :
HeaderMatchesMessageHeader :
HeaderMatchesPatterns :
FromAddressMatchesPatterns : {[email protected]}
AttachmentNameMatchesPatterns :
AttachmentExtensionMatchesWords :
AttachmentPropertyContainsWords :
ContentCharacterSetContainsWords :
HasSenderOverride : False
MessageContainsDataClassifications :
SenderIpRanges :
SCLOver :
AttachmentSizeOver :
MessageSizeOver :
WithImportance :
MessageTypeMatches :
RecipientAddressContainsWords :
RecipientAddressMatchesPatterns :
SenderInRecipientList :
RecipientInSenderList :
AttachmentContainsWords :
AttachmentMatchesPatterns :
AttachmentIsUnsupported : False
AttachmentProcessingLimitExceeded : False
AttachmentHasExecutableContent : False
AttachmentIsPasswordProtected : False
AnyOfRecipientAddressContainsWords :
AnyOfRecipientAddressMatchesPatterns :
ExceptIfFrom :
ExceptIfFromMemberOf :
ExceptIfFromScope :
ExceptIfSentTo :
ExceptIfSentToMemberOf :
ExceptIfSentToScope :
ExceptIfBetweenMemberOf1 :
ExceptIfBetweenMemberOf2 :
ExceptIfManagerAddresses :
ExceptIfManagerForEvaluatedUser :
ExceptIfSenderManagementRelationship :
ExceptIfADComparisonAttribute :
ExceptIfADComparisonOperator :
ExceptIfSenderADAttributeContainsWords :
ExceptIfSenderADAttributeMatchesPatterns :
ExceptIfRecipientADAttributeContainsWords :
ExceptIfRecipientADAttributeMatchesPatterns :
ExceptIfAnyOfToHeader :
ExceptIfAnyOfToHeaderMemberOf :
ExceptIfAnyOfCcHeader :
ExceptIfAnyOfCcHeaderMemberOf :
ExceptIfAnyOfToCcHeader :
ExceptIfAnyOfToCcHeaderMemberOf :
ExceptIfHasClassification :
ExceptIfHasNoClassification : False
ExceptIfSubjectContainsWords :
ExceptIfSubjectOrBodyContainsWords :
ExceptIfHeaderContainsMessageHeader :
ExceptIfHeaderContainsWords :
ExceptIfFromAddressContainsWords :
ExceptIfSenderDomainIs :
ExceptIfRecipientDomainIs :
ExceptIfSubjectMatchesPatterns :
ExceptIfSubjectOrBodyMatchesPatterns :
ExceptIfHeaderMatchesMessageHeader :
ExceptIfHeaderMatchesPatterns :
ExceptIfFromAddressMatchesPatterns :
ExceptIfAttachmentNameMatchesPatterns :
ExceptIfAttachmentExtensionMatchesWords :
ExceptIfAttachmentPropertyContainsWords :
ExceptIfContentCharacterSetContainsWords :
ExceptIfSCLOver :
ExceptIfAttachmentSizeOver :
ExceptIfMessageSizeOver :
ExceptIfWithImportance :
ExceptIfMessageTypeMatches :
ExceptIfRecipientAddressContainsWords :
ExceptIfRecipientAddressMatchesPatterns :
ExceptIfSenderInRecipientList :
ExceptIfRecipientInSenderList :
ExceptIfAttachmentContainsWords :
ExceptIfAttachmentMatchesPatterns :
ExceptIfAttachmentIsUnsupported : False
ExceptIfAttachmentProcessingLimitExceeded : False
ExceptIfAttachmentHasExecutableContent : False
ExceptIfAttachmentIsPasswordProtected : False
ExceptIfAnyOfRecipientAddressContainsWords :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride : False
ExceptIfMessageContainsDataClassifications :
ExceptIfSenderIpRanges :
PrependSubject :
SetAuditSeverity :
ApplyClassification :
ApplyHtmlDisclaimerLocation :
ApplyHtmlDisclaimerText :
ApplyHtmlDisclaimerFallbackAction :
ApplyRightsProtectionTemplate :
SetSCL : -1
SetHeaderName :
SetHeaderValue :
RemoveHeader :
AddToRecipients :
CopyTo :
BlindCopyTo :
AddManagerAsRecipientType :
ModerateMessageByUser :
ModerateMessageByManager : False
RedirectMessageTo :
RejectMessageEnhancedStatusCode :
RejectMessageReasonText :
DeleteMessage : False
Disconnect : False
Quarantine : False
SmtpRejectMessageRejectText :
SmtpRejectMessageRejectStatusCode :
LogEventText :
StopRuleProcessing : False
SenderNotificationType :
GenerateIncidentReport :
IncidentReportOriginalMail :
IncidentReportContent :
RouteMessageOutboundConnector :
RouteMessageOutboundRequireTls : False
ApplyOME : False
RemoveOME : False
GenerateNotification :
Identity : SQLReportingServices
DistinguishedName : CN=SQLReportingServices,CN=TransportVersioned,CN=Rules,CN=Transport
Settings,CN=Domain,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=localnet
Guid : 11f1083e-9e12-45d1-8e8f-3b878d4ca183
ImmutableId : 11f1083e-9e12-45d1-8e8f-3b878d4ca183
OrganizationId :
Name : SQLReportingServices
IsValid : True
WhenChanged : 10/03/2015 13:23:11
ExchangeVersion : 0.1 (8.0.535.0)
ObjectState : Unchanged
Matt

Bypass reputation filtering

Similar Messages

Maybe you are looking for