2.1.3.1.1.20.35 Property: X-MICROSOFT-CDO-OWNERAPPTID

Hello Keith,

From the content filter rules of message body or attachment, it would not be looking into the headers of the emails.

(as per my tests using the similar rule).

As you have a case open with a Cisco Engineer, please let us know what is found -

Regards,

Matthew

Ok the cisco analyst gave me the following bit of information.  I have yet to implement it though.

Here is a new filter that you can create just above the ABANumber filter, to get it skipped-

Go to CLI:

--------

skip_ABANumber: if (header("X-MICROSOFT-CDO-OWNERAPPTID") == "[0-9]{9}")

{

skip-filters();

}

.

Commit the changes.

Hello Keith,

This filter will work to allow the email to bypass other message filters.

But from what I've read you're currently using a content filter with ABA smart identifier is that correct?

If you tested an email without any message attachment and just with the header; does it still trigger on the content filter?

The content filter rules would not look into these custom X headers to be matched.

There may be something else within the email that is matching it.

If you could edit your content filter with an additional action "Add Log Entry" and the text box put "$MatchedContent"

Then submit and commit this and attempt to replicate it.

It may show us what bit of the email is matching it.

Regards,

Matthew

Its difficult to recreate the issue.  This occurred from a calendar invite sent outside from Outlook.  Exchange server applies a random id number to that property in the header.  I guess the ID number for the VP (It's ALWAYS upper management with these kind of issues!) happened to be some banks ABA number.  I'm not sure how it knows its an ABA number, like if it uses some kind of online service to see if its owned by any particular financial institution. 

So to test I would have to send basically thousands of calendar invites out and hope one of the counters or message ID's ends up being the same as some banks' ABA number.

I verified in message tracking that it was this header value triggered.  It shows the number triggered and when you download the entire message, all parts and do CTRL+F for that number in only hits in that one place, X-MICROSOFT-CDO-OWNERAPPTID.

Hello Keith,

From testing I was unable to get message headers to trigger on my filters.

If these calender emails had any form of additional attachments, the filters (should it be scanning in attachments or files that is not plain text on the body) will look into the actual source coding of the files which may be the trigger.

Are you able to get a sample of this calender invite that triggered in it's original format for me to have a quick look?

Thanks,

Matthew

He just sent it as a calendar invite using Outlook 2010.  Nothing in the body except our standard email signature and disclaimer that is applied from CodeTwo exchange rules.

Attached is the message part containing the matched content '279017439'.  In Message tracking there are three message parts.  This is the third one called [unnamed file] at 2.83 K text/plain.

The first one [message body] is simply the text format of the signature / confidentiality statement in text/plain.  The second one [message body] is the HTML version of the signature / confidentiality statement.  So it was the third message part which I guess is a part of a calendar invite.

Its luck of the draw though because you never know if the random number that Exchange generates for the ID in the calendar invite is going to end up becoming the same as some financial institutions ABA number.  Its almost like winning the lottery.

Hello Keith,

I would suggest enabling a log-entry action on your content filter with $MatchedContent so we can see the exact string that caused the match as well

And if possible obtain the original email that was matched with all it's contents, change it to .eml so you can open the raw source of the email and locate this string if it's apart of the text body of the calender or if it was within the embedded mime coding of the calender attachment.

If it's the latter where the actual MIME source is causing the match, we can alter the scanning procedures on your ESA to not look into the MIME source if required for attachments, but you'll need to speak with microsoft for the MIME type or fingerprinting of the calender to bypass scanning

(From a google search)

The type for vCalendar seems to be text/x-vcalendar (source: original standard.)

For iCalendar (the newer format), the answer is text/calendar (source: RFC5545).
 

Or if this is not known, there is a setting to not scan the fingerprinting/mime structure of all attachments (But not recommended)


These changes can be done in CLI > scanconfig > setup > And skip by MIME type.