Thursday, 26 January 2012

Antispam agents in Exchange 2010 SP1 /Hosting mode

Hi,

If you have played with the unfortunate Exchange 2010 SP1 /Hosting mode installation, or you are a real hoster running it in production, then you may have had problems getting the Antispam agents to work on your Hub Transport server.

This special mode of Exchange 2010 SP1 installation has some limitations compared to the regular Exchange 2010 installation. One of them is that you cannot use the Exchange 2010 Edge Server role with EdgeSync. This means that you have to use the install-AntispamAgents.ps1 PowerShell script to enable the Antispam agents on your Hub Transport servers.

The script works well: the transport agents get installed and enabled. But you will soon notice that e-mail messages don't get stamped with an SCL even if you have correctly configured the Content Filtering agent. Furthermore, if you have also enabled the Recipient Filtering agent, you will see that all recipient addresses, even the existing ones in your tenant organizations, get rejected with a "user unknown" message.

This is because the Antispam agents simply do not work with the Exchange 2010 SP1 /Hosting mode installation. Don't let this article fool you as it did me: http://technet.microsoft.com/en-us/library/ff923278.aspx

Here is an example of the behaviour you will notice with the Content Filtering agent. The Get-AgentLog PowerShell output on your Hub Transport server will show this:


RunspaceId      : 018024ed-1c5a-498a-8c15-087b1c81ed2e
Timestamp       : 1/24/2012 7:07:28 AM
SessionId       : 08CEA824BF825A40
IPAddress       : 111.222.111.222
MessageId       : <E9F3014D-C9FF-427F-91EA-0B4E253784A7@span.hr>
P1FromAddress   : Dinko.Fabricni@span.hr
P2FromAddresses : {Dinko.Fabricni@span.hr}
Recipients      : {dfabricni@example.net}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : AcceptMessage
SmtpResponse    :
Reason          : SCL
ReasonData      : 0
Diagnostics     :

You can see that the agent does its thing, but when you check the message headers in Outlook you will see that no SCL is actually provided:


X-MS-Exchange-Organization-AuthSource: EXHUBEXT01.cloud.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: span.hr
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (EXHUBEXT01.cloud.local: Dinko.Fabricni@span.hr does not
designate permitted sender hosts)
X-MS-Exchange-Organization-Antispam-Report: SCLNotProvided

To make it even worse, ALL messages, even those that are 100% spam, will receive an SCL rating of 0 and you will see SCLNotProvided in the message headers.
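To check a batch of messages for this mismatch, the following added example (not part of the original post and not Microsoft code) parses Get-AgentLog output in list format, parses saved header blocks, and reports messages the Content Filter agent logged an SCL for but whose headers carry no SCL stamp. The sample data is constructed, the function names are hypothetical, and it assumes a working agent stamps the X-MS-Exchange-Organization-SCL header.

```python
import re
from email import message_from_string

# Constructed samples modelled on the Get-AgentLog output and headers in this post.
AGENT_LOG = """\
MessageId       : <msg-0001@example.org>
Agent           : Content Filter Agent
Reason          : SCL
ReasonData      : 0

MessageId       : <msg-0002@example.org>
Agent           : Content Filter Agent
Reason          : SCL
ReasonData      : 5
"""
HDR_UNSTAMPED = """\
Message-ID: <msg-0001@example.org>
X-MS-Exchange-Organization-Antispam-Report: SCLNotProvided
"""
HDR_STAMPED = """\
Message-ID: <msg-0002@example.org>
X-MS-Exchange-Organization-SCL: 5
"""

def parse_agent_log(text):
    """Parse Format-List style Get-AgentLog output into one dict per entry."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def header_scl(raw):
    """Return (Message-ID, stamped SCL or None, antispam report) for one header block."""
    msg = message_from_string(raw)
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    report = msg.get("X-MS-Exchange-Organization-Antispam-Report", "")
    return msg.get("Message-ID"), (int(scl) if scl is not None else None), report.strip()

def find_unstamped(log_text, header_blocks):
    """List (Message-ID, logged SCL) where the agent scored but no SCL was stamped."""
    scored = {r.get("MessageId"): r.get("ReasonData") for r in parse_agent_log(log_text)
              if r.get("Agent") == "Content Filter Agent" and r.get("Reason") == "SCL"}
    findings = []
    for raw in header_blocks:
        mid, scl, report = header_scl(raw)
        if mid in scored and scl is None and "SCLNotProvided" in report:
            findings.append((mid, scored[mid]))
    return findings
```

Calling find_unstamped(AGENT_LOG, [HDR_UNSTAMPED, HDR_STAMPED]) flags only the first constructed message; on an affected /Hosting installation every sampled message would be flagged.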

We raised this incident with Microsoft and got confirmation that the Antispam agents really do not work and that the documentation on the TechNet website (the article I linked) is misleading.