Mail flow rule anti spam message header

Tomer Grega 1 Reputation point

I've created a mail flow rule with the intention of sending a notification to the recipient when the email is flagged as malicious with the following details:
Apply this rule if...
The sender is located: outside the organization
A message header includes: 'X-Forefront-Antispam-Report' header includes 'CAT:AMP'
Do the following...
Notify the recipient with a message...(and the message itself)

The test email I'm sending is flagged as malicious with the header flag of CAT:AMP, but the email doesn't go through the mail flow rule. What am I missing?

From the message header (of the test email):
Country/Region: US
Language: en
Spam Confidence Level: -1
Spam Filtering Verdict: SKQ
IP Filter Verdict: NLI
PTR Record:
Connecting IP Address:
Protection Policy Category: AMP
Spam rules: (13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001)

Source header: CIP:;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKQ;;;CAT:AMP;SFS:(13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001);DIR:INB;
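As an added example (not code from the thread or from Microsoft), a small parser for the `X-Forefront-Antispam-Report` format quoted above: it splits the `KEY:VALUE;` segments, tolerates the empty `;;;` run and the blank CIP/SRV values, expands the SFS rule list, and also mirrors the plain substring test that a "header includes" condition performs. The sample input is the source header from the question; the field names are only those visible on the page.

```python
import re

# Constructed sample: the X-Forefront-Antispam-Report value pasted in the question.
SAMPLE_HEADER = (
    "CIP:;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKQ;;;CAT:AMP;"
    "SFS:(13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)"
    "(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)"
    "(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)"
    "(58800400005)(966005)(336012)(76482006)(220243001)(67856001);DIR:INB;"
)


def parse_antispam_report(value):
    """Turn 'KEY:VALUE;KEY:VALUE;...' into a dict.

    Empty segments (e.g. the ';;;' run) are skipped, a key with no value maps
    to '' (CIP, SRV in the sample), and SFS is expanded into a list of rule ids.
    """
    fields = {}
    for segment in value.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, val = segment.partition(":")
        if not sep:
            continue  # malformed segment without a colon; ignore it
        key = key.strip().upper()
        val = val.strip()
        if key == "SFS":
            fields[key] = re.findall(r"\((\d+)\)", val)
        else:
            fields[key] = val
    return fields


def category(value):
    """The CAT field (protection policy category), or '' if absent."""
    return parse_antispam_report(value).get("CAT", "")


def header_includes(value, needle):
    """What a 'message header includes' condition checks: a substring match."""
    return needle in value


if __name__ == "__main__":
    report = parse_antispam_report(SAMPLE_HEADER)
    print("CAT =", report["CAT"], "| SCL =", report["SCL"], "| SFV =", report["SFV"])
    print("rule count =", len(report["SFS"]))
    print("includes 'CAT:AMP'?", header_includes(SAMPLE_HEADER, "CAT:AMP"))
```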

Exchange Server Management
1 answer

Andy David - MVP 143.6K Reputation points

How is this being tested? Malware would be quarantined or dropped before it hit the transport pipeline and you would set the notifications in the anti-malware policy.