Hi,
I recently implemented a rule to add a disclaimer to emails that are received from outside of our network. The rule is fairly simple, in it's current state it basically says If an email is sent to either of these 2 users and it came from outside of the network, prepend this disclaimer to it. The rule works, but, I've noticed that it's adding the disclaimer to email messages from application servers within the network that are using the SMTP relay service on the exchange servers. My guess is that this is happening because the SMTP relay is set for Anonymous and therefore exchange thinks these messages are originating from outside of the network and therefore applying the disclaimer rule. In an attempt to get around this, I created an exclusion that says "Except if the message sender ip addresses belong to one of these ranges" and then I've added our network ranges (I've tried adding them in CIDR format as well as listing the starting ip address and the last ip address in the subnet) but it's still applying the rule to these messages. Any suggestions? Here is the exchange powershell output of the rule I have created.
RunspaceId : c4d9efe7-7a48-441a-a138-814a58a20adfPriority : 0
DlpPolicy :
DlpPolicyId : 00000000-0000-0000-0000-000000000000
Comments :
ManuallyModified : False
ActivationDate :
ExpiryDate :
Description : If the message:
Is sent to 'user@domain.org' or 'user@domain.org'
and Is received from 'Outside the organization'
Take the following actions:
Prepend the message with the disclaimer '<p><span style="color:
#ff0000; background-color: #000000;"><strong>[ WARNING This message
originated from outside of the Company, proceed with
caution. Contact the NOC for further assistance.
]</strong></span></p>'. If the disclaimer can't be applied, take no
action.
Except if the message:
sender ip addresses belong to one of these ranges:
'172.17.0.0-172.17.255.255' or '172.18.0.0-172.18.255.255' or
'172.16.0.0-172.16.255.255'
RuleVersion : 15.0.2.0
Conditions : {SentTo, FromScope}
Exceptions : {SenderIpRanges}
Actions : {ApplyHtmlDisclaimer}
State : Enabled
Mode : Enforce
RuleErrorAction : Ignore
SenderAddressLocation : Header
RuleSubType : None
UseLegacyRegex : False
From :
FromMemberOf :
FromScope : NotInOrganization
SentTo : {User@domain.org, User@domain.org}
SentToMemberOf :
SentToScope :
BetweenMemberOf1 :
BetweenMemberOf2 :
ManagerAddresses :
ManagerForEvaluatedUser :
SenderManagementRelationship :
ADComparisonAttribute :
ADComparisonOperator :
SenderADAttributeContainsWords :
SenderADAttributeMatchesPatterns :
RecipientADAttributeContainsWords :
RecipientADAttributeMatchesPatterns :
AnyOfToHeader :
AnyOfToHeaderMemberOf :
AnyOfCcHeader :
AnyOfCcHeaderMemberOf :
AnyOfToCcHeader :
AnyOfToCcHeaderMemberOf :
HasClassification :
HasNoClassification : False
SubjectContainsWords :
SubjectOrBodyContainsWords :
HeaderContainsMessageHeader :
HeaderContainsWords :
FromAddressContainsWords :
SenderDomainIs :
RecipientDomainIs :
SubjectMatchesPatterns :
SubjectOrBodyMatchesPatterns :
HeaderMatchesMessageHeader :
HeaderMatchesPatterns :
FromAddressMatchesPatterns :
AttachmentNameMatchesPatterns :
AttachmentExtensionMatchesWords :
AttachmentPropertyContainsWords :
ContentCharacterSetContainsWords :
HasSenderOverride : False
MessageContainsDataClassifications :
SenderIpRanges :
SCLOver :
AttachmentSizeOver :
MessageSizeOver :
WithImportance :
MessageTypeMatches :
RecipientAddressContainsWords :
RecipientAddressMatchesPatterns :
SenderInRecipientList :
RecipientInSenderList :
AttachmentContainsWords :
AttachmentMatchesPatterns :
AttachmentIsUnsupported : False
AttachmentProcessingLimitExceeded : False
AttachmentHasExecutableContent : False
AttachmentIsPasswordProtected : False
AnyOfRecipientAddressContainsWords :
AnyOfRecipientAddressMatchesPatterns :
ExceptIfFrom :
ExceptIfFromMemberOf :
ExceptIfFromScope :
ExceptIfSentTo :
ExceptIfSentToMemberOf :
ExceptIfSentToScope :
ExceptIfBetweenMemberOf1 :
ExceptIfBetweenMemberOf2 :
ExceptIfManagerAddresses :
ExceptIfManagerForEvaluatedUser :
ExceptIfSenderManagementRelationship :
ExceptIfADComparisonAttribute :
ExceptIfADComparisonOperator :
ExceptIfSenderADAttributeContainsWords :
ExceptIfSenderADAttributeMatchesPatterns :
ExceptIfRecipientADAttributeContainsWords :
ExceptIfRecipientADAttributeMatchesPatterns :
ExceptIfAnyOfToHeader :
ExceptIfAnyOfToHeaderMemberOf :
ExceptIfAnyOfCcHeader :
ExceptIfAnyOfCcHeaderMemberOf :
ExceptIfAnyOfToCcHeader :
ExceptIfAnyOfToCcHeaderMemberOf :
ExceptIfHasClassification :
ExceptIfHasNoClassification : False
ExceptIfSubjectContainsWords :
ExceptIfSubjectOrBodyContainsWords :
ExceptIfHeaderContainsMessageHeader :
ExceptIfHeaderContainsWords :
ExceptIfFromAddressContainsWords :
ExceptIfSenderDomainIs :
ExceptIfRecipientDomainIs :
ExceptIfSubjectMatchesPatterns :
ExceptIfSubjectOrBodyMatchesPatterns :
ExceptIfHeaderMatchesMessageHeader :
ExceptIfHeaderMatchesPatterns :
ExceptIfFromAddressMatchesPatterns :
ExceptIfAttachmentNameMatchesPatterns :
ExceptIfAttachmentExtensionMatchesWords :
ExceptIfAttachmentPropertyContainsWords :
ExceptIfContentCharacterSetContainsWords :
ExceptIfSCLOver :
ExceptIfAttachmentSizeOver :
ExceptIfMessageSizeOver :
ExceptIfWithImportance :
ExceptIfMessageTypeMatches :
ExceptIfRecipientAddressContainsWords :
ExceptIfRecipientAddressMatchesPatterns :
ExceptIfSenderInRecipientList :
ExceptIfRecipientInSenderList :
ExceptIfAttachmentContainsWords :
ExceptIfAttachmentMatchesPatterns :
ExceptIfAttachmentIsUnsupported : False
ExceptIfAttachmentProcessingLimitExceeded : False
ExceptIfAttachmentHasExecutableContent : False
ExceptIfAttachmentIsPasswordProtected : False
ExceptIfAnyOfRecipientAddressContainsWords :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride : False
ExceptIfMessageContainsDataClassifications :
ExceptIfSenderIpRanges : {172.17.0.0-172.17.255.255, 172.18.0.0-172.18.255.255,
172.16.0.0-172.16.255.255}
PrependSubject :
SetAuditSeverity :
ApplyClassification :
ApplyHtmlDisclaimerLocation : Prepend
ApplyHtmlDisclaimerText : <p><span style="color: #ff0000; background-color: #000000;"><strong>[
WARNING This message originated from outside of the Company,
proceed with caution. Contact the NOC for further assistance.
]</strong></span></p>
ApplyHtmlDisclaimerFallbackAction : Ignore
ApplyRightsProtectionTemplate :
SetSCL :
SetHeaderName :
SetHeaderValue :
RemoveHeader :
AddToRecipients :
CopyTo :
BlindCopyTo :
AddManagerAsRecipientType :
ModerateMessageByUser :
ModerateMessageByManager : False
RedirectMessageTo :
RejectMessageEnhancedStatusCode :
RejectMessageReasonText :
DeleteMessage : False
Disconnect : False
Quarantine : False
SmtpRejectMessageRejectText :
SmtpRejectMessageRejectStatusCode :
LogEventText :
StopRuleProcessing : False
SenderNotificationType :
GenerateIncidentReport :
IncidentReportOriginalMail :
IncidentReportContent :
RouteMessageOutboundConnector :
RouteMessageOutboundRequireTls : False
ApplyOME : False
RemoveOME : False
GenerateNotification :
Identity : External E-mail Notification
DistinguishedName : CN=External E-mail
Notification,CN=TransportVersioned,CN=Rules,CN=Transport
Settings,CN=Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=org
Guid : 2e4fcd6e-4b48-485e-9c70-b7f7b087e740
ImmutableId : 2e4fcd6e-4b48-485e-9c70-b7f7b087e740
OrganizationId :
Name : External E-mail Notification
IsValid : True
WhenChanged : 11/20/2018 3:36:20 PM
ExchangeVersion : 0.1 (8.0.535.0)
ObjectState : Unchanged
I'm not even supposed to be here today.