Removing untrusted header applied by Office 365 - AntiSpam False Positive

book

Article ID: 169776

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

Email Security.cloud customer emails are being blocked by AntiSpam service when sending or receiving from Office 365. Recently Microsoft has made changes to the information they store in the email headers which has caused in some cases for the header to be greater than 42000 characters. This will affect inbound and outbound emails when using the Email Security.cloud service.

There are some known cases where the recipient firewall drops the mail due to size limit as well. Reducing the character size in the e-mail header will resolve this issue also.

When performing a Track and Trace search, the mail will simply show as blocked by "Anti-Spam Service".  In order to confirm if it's actually being stopped by Rule 107 you will need provide support with the message reference to confirm the issue.

Cause

Recently Microsoft has made changes to the information they store in the mail headers which has caused in some cases for the header to be greater than 42000 characters.

Environment

Microsoft Office 365

Resolution

You may create an Exchange Transport rule to remove "X-Microsoft-Exchange-Diagnostics-untrusted" headers. This will allow all e-mails to flow from Office 365 to Email Security.cloud without the character restriction rule being applied. Please keep in mind if a 3rd party is sending to you using Office 365 they will need to apply the same rule on their server for all outbound mails or all emails.

To create the rule follow the steps below:

1) Log into Exchange Admin Center > Mail Flow > Rules > Create a new rule > Rule Name: Remove Exchange-Diagnostics-Untrusted header

2) Apply this rule if:  Apply to all messages

3) Do the following: Remove this header (To this see this option select "More options" then select "Modify the message properties" then select "Remove this header" and type the following:  X-Microsoft-Exchange-Diagnostics-untrusted)

4) And: Set the message header to this value (To see this option choose "Modify the message properties") "X-Microsoft-Exchange-Diagnostics-untrusted" to the value "Removed" 

 

Apply for: 

  1. X-Microsoft-Exchange-Diagnostics-untrusted
  2. Set the message header 'X-Microsoft-Exchange-Diagnostics-untrusted' to the value 'Removed'

Attachments