How is this being tested? Malware would be quarantined or dropped before it hit the transport pipeline and you would set the notifications in the anti-malware policy.
Mail flow rule anti spam message header
Hi,
I've created a mail flow rule with the intention of sending a notification to the recipient when the email is flagged as malicious with the following details:
Apply this rule if...
The sender is located: outside the organization
A message header includes: 'X-Forefront-Antispam-Report' header includes 'CAT:AMP'
Do the following...
Notify the recipient with a message...(and the message itself)
The test email I'm sending is flagged as malicious with the header flag of CAT:AMP, but the email doesn't go through the mail flow rule. What am I missing?
From the message header (of the test email):
ForefrontAntiSpamReport
Country/Region: US
Language: en
Spam Confidence Level: -1
Spam Filtering Verdict: SKQ
IP Filter Verdict: NLI
HELO/EHLO String: mail-lj1-f176.google.com
PTR Record: mail-lj1-f176.google.com
Connecting IP Address: 209.85.208.176
Protection Policy Category: AMP
Spam rules: (13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001)
Source header: CIP:209.85.208.176;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKQ;H:mail-lj1-f176.google.com;PTR:mail-lj1-f176.google.com;CAT:AMP;SFS:(13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001);DIR:INB;
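As an added example (not part of the original question or the comment above), here is a small Python parser for the X-Forefront-Antispam-Report header shown in the post, plus a function that evaluates the two rule conditions from the question against it. The sample header is the "Source header" value quoted above, trimmed to three SFS entries. Two assumptions are labelled in the code: the "header includes" condition is modelled as a case-insensitive substring match (the exact word-boundary semantics of the real Exchange condition are not stated on this page), and the short CAT code table is taken from my reading of Microsoft's anti-spam header reference rather than from anything on this page.

```python
"""Parse X-Forefront-Antispam-Report and evaluate a mail flow rule condition.

Added example for this Q&A page; not code from the original poster or from
Microsoft. Useful when reviewing message traces or quarantine headers.
"""
import re

# Constructed sample: the 'Source header' value quoted in the question,
# with the SFS list shortened to three entries for readability.
SAMPLE_HEADER = (
    "CIP:209.85.208.176;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKQ;"
    "H:mail-lj1-f176.google.com;PTR:mail-lj1-f176.google.com;CAT:AMP;"
    "SFS:(13230001)(4636009)(166002);DIR:INB;"
)

# Assumption: CAT code meanings as documented in Microsoft's anti-spam
# message header reference (only codes I am confident about are listed).
CAT_MEANING = {
    "AMP": "anti-malware verdict",
    "MALW": "malware",
    "PHSH": "phishing",
    "HPHSH": "high confidence phishing",
    "SPM": "spam",
    "HSPM": "high confidence spam",
    "BULK": "bulk",
    "SPOOF": "spoof",
    "NONE": "no verdict",
}


def parse_forefront_report(value: str) -> dict:
    """Split the semicolon-separated KEY:VALUE header into a dict.

    SFS (the spam rule IDs) is returned as a list of strings; empty values
    such as 'SRV:' are kept as ''. Long headers are line-folded in transit,
    so CR/LF are removed and each token is stripped before parsing.
    """
    fields = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition(":")
        if not sep:
            continue  # malformed token: skip rather than fail the whole parse
        key, val = key.strip().upper(), val.strip()
        if key == "SFS":
            fields[key] = re.findall(r"\((\d+)\)", val)
        else:
            fields[key] = val
    return fields


def category_meaning(fields: dict) -> str:
    """Human-readable description of the CAT (Protection Policy Category)."""
    cat = fields.get("CAT", "")
    return f"CAT:{cat} ({CAT_MEANING.get(cat, 'unknown code')})"


def header_includes(value: str, words) -> bool:
    """Model of the 'A message header includes any of these words' condition.

    Assumption: treated here as a case-insensitive substring match on the raw
    header value; the real condition's word-boundary rules are not given on
    this page, so verify against a live rule before relying on this.
    """
    hay = value.lower()
    return any(w.lower() in hay for w in words)


def rule_should_fire(header_value: str, from_outside_org: bool) -> bool:
    """Evaluate the two conditions from the question's mail flow rule:
    sender outside the organization AND the header includes 'CAT:AMP'.

    Note this only says whether the conditions match on paper; a real rule
    never sees a message that was quarantined before the transport pipeline.
    """
    return from_outside_org and header_includes(header_value, ["CAT:AMP"])


if __name__ == "__main__":
    parsed = parse_forefront_report(SAMPLE_HEADER)
    print(parsed)
    print(category_meaning(parsed))
    print("rule conditions match:", rule_should_fire(SAMPLE_HEADER, True))
```

Feed it the header from a message trace or the quarantined copy: if the parsed CAT is AMP but the rule never ran, the problem is where the message was stopped in the pipeline, not the condition text.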