This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 23%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Hi,
I've created a mail flow rule with the intention of sending a notification to the recipient when the email is flagged as malicious with the following details:
Apply this rule if...
The sender is located: outside the organization
A message header includes: 'X-Forefront-Antispam-Report' header includes 'CAT:AMP'
Do the following...
Notify the recipient with a message...(and the message itself)
The test email i'm sending is flagged as malicious with the header flag of CAT:AMP but the email doesn't go through the mail flow rule, what am i missing?
From the message header (of the test email):
ForefrontAntiSpamReport
Country/Region: US
Language: en
Spam Confidence Level: -1
Spam Filtering Verdict: SKQ
IP Filter Verdict: NLI
HELO/EHLO String: mail-lj1-f176.google.com
PTR Record: mail-lj1-f176.google.com
Connecting IP Address: 209.85.208.176
Protection Policy Category: AMP
Spam rules: (13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001)
Source header: CIP:209.85.208.176;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKQ;H:mail-lj1-f176.google.com;PTR:mail-lj1-f176.google.com;CAT:AMP;SFS:(13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001);DIR:INB;
@Tomer Grega
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer for helping more people.
How is this being tested? Malware would be quarantined or dropped before it hit the transport pipeline and you would set the notifications in the anti-malware policy.
@Andy David - MVP - thanks for replying. the thing is that i've configured in the anti-malware policy a custom quarantine policy but the the minimum it will send these notifications is one day (perhaps i'm wrong) and i need immediate notification for the recipient of that email.
Have you looked at an actual message headers that has malware in the quarantine? What is set for the "X-Forefront-Antispam-Report" ?
I think this is a bit of chicken or egg thing :)
Can't say I understand what you mean here.
Sorry, what I mean is, if the message has malware, its quarantined first.
But thats why I asked if you can look in the quarantine for a message that was actually quarantined for malware.
Seems to me that the anti-spam header catagory is
CAT:MALW
not
CAT:AMP
Even with CAT:MALW it still doesn't work. also, MALW doesn't appear in the 'X-Forefront-Antispam-Report' header which is attached in the body of my original post.
and yes i can see the message in quarantine as malware
Yep. Sorry, thats what I figured. You cant have a transport catch these if they go to quarantine before the message is processed by the rules.
But you raise a valid question. I believe one day we will have the ability to to have instant or near instant quarantine notifications, but not now :(
Here is a screenshot about how EOP works on Exchange online:
If an email was judged as malware, it will be quarantined, transport tule will not work on it. So, you cannot use the transport rule to analyze message header for this email.