1

Problem

I am setting the SCL value via Exchange-based rules. The rules are applied correctly when the desired conditions are matched and the SCL value is properly set, as evidenced in message headers. Also, the SCL value set (6) matches the Junk SCL threshold (default value, 5).

However, the Exchange server does not put the message into the Junk folder.

I'm looking either for a tip on what may be wrong or what might be disrupting the proper workflow, or for any tips on additional diagnostic steps to be performed.

Scenario

I'm currently staging a migration to Exchange 2016 in the following scenario (example values):

  1. DNS MX record directs sender to old server,
  2. old server performs spam analysis via SpamAssassin and adds corresponding headers to message, including X-Spam-Score,
  3. messages to recipients that are not known to the old server (i.e. migrated mailboxes) are forwarded to Exchange,
  4. Exchange applies a rule on X-Spam-Score header value, matching pattern [+]{4} (four or more + characters, which are equivalent to 4.0+ score), setting SCL level to 6.

The exact configuration for rule (based on Get-TransportRule display):

HeaderMatchesMessageHeader                    : X-Spam-Score
HeaderMatchesPatterns                         : {[+]{4}}
SetSCL                                        : 6

I know that this works so far, as the received messages with X-Spam-Score matching the pattern DO get the X-MS-Exchange-Organization-SCL: 6 header.

Yet the message ends up in Inbox instead of being forwarded to the Junk folder :(

Sample resultant set of headers in the delivered message:

X-Spam-Score: 8.0 (++++++++)
X-MS-Exchange-Organization-SCL: 6
X-MS-Exchange-Organization-AuthSource: mbx-a.example.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.0250276
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1531.003

Additional info

The above configuration is basically an analogue of the standard Exchange Online Protection configuration, in which the EOP server could be seen as an equivalent of the old server with SpamAssassin. In this regard, the EOP documentation suggests a very similar configuration, differing only in the source headers used to determine message status. The further deployment schedule assumes deploying EOP before the old server, and afterwards removing the old server with its spam protection role.

The server configuration regarding the junk/delete/reject SCL thresholds is pretty much default so far, in detail:

Get-OrganizationConfig:

SCLJunkThreshold                                          : 4

Get-ContentFilterConfig:

SCLRejectThreshold                    : 7
SCLRejectEnabled                      : True
SCLDeleteThreshold                    : 9
SCLDeleteEnabled                      : False
SCLQuarantineThreshold                : 9
SCLQuarantineEnabled                  : False

The Exchange setup does not include Edge Transport servers, and AntiSpam Agents are not installed/enabled on Mailbox servers, but Microsoft documentation does not mention anywhere such requirement, eg:

Update 1

I've installed Antispam Agents on all nodes and performed the following tests:

  1. sending a fabricated mail to trigger SenderID fail;
  2. sending a fabricated mail to trigger high SCL result without triggering upfront rejection.

Both tests did result in SCL6 message being delivered, but again, to Inbox instead of Junk folder.

This proves that the issue is not relevant to Transport Rules. Regardless of which mechanism raises/sets SCL level, message ends up in Inbox.

2 Answers

2

I have found the direct cause of the problem.

The junk messages are moved to the Junk folder by the Inbox Rules mechanism, the equivalent of Transport Rules but on the mailbox level - the one configurable via Mail > Automatic processing > Inbox and sweep rules options card.

Each mailbox comes by default with a hidden Inbox Rule named Junk E-mail Rule - its existence might be revealed via PowerShell:

PS > Get-InboxRule -Mailbox "test@contoso.com" -IncludeHidden

Name             Enabled Priority RuleIdentity
----             ------- -------- ------------
Junk E-mail Rule True    1        4028702183896383681

In the case of our server, a significant number of mailboxes (75% of accounts created with a single PowerShell batch) were missing this rule.

While the underlying issue causing the rule to be missing is yet unknown and will be investigated, the temporary solution is to regenerate the rule by switching the Junk mail filtering off and on again:

Set-MailboxJunkEmailConfiguration $MailBox -Enabled $False
Set-MailboxJunkEmailConfiguration $MailBox -Enabled $True

This might be applied on all affected mailboxes:

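Get-Mailbox -ResultSize Unlimited | %{
    # $_ is the current mailbox coming from the pipeline
    $MailBox = $_.Identity

    # Look for the hidden rule that moves junk mail to the Junk folder
    $Rule = Get-InboxRule -Mailbox $MailBox -IncludeHidden | ? Name -eq "Junk E-mail Rule"

    If ( $Rule -eq $null ) {
        # Switching junk filtering off and on regenerates the rule
        Set-MailboxJunkEmailConfiguration $MailBox -Enabled $False
        Set-MailboxJunkEmailConfiguration $MailBox -Enabled $True
    }
}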

Note that until the underlying issue gets solved, this procedure will need to be implemented in all workflows regarding Exchange account creation.
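
A read-only audit that can be run before the regeneration loop above, to list the mailboxes that lack the hidden rule and to show whether they cluster around one provisioning batch. This is an added example, not part of the original answer; it assumes the Exchange Management Shell, and the `$RuleName` variable and the CSV file name are illustrative choices.

```powershell
# Added example: read-only audit, makes no changes to any mailbox.
$RuleName = 'Junk E-mail Rule'   # hidden rule name as shown by Get-InboxRule above

$Report = foreach ($Mbx in Get-Mailbox -ResultSize Unlimited) {
    $Id = $Mbx.PrimarySmtpAddress.ToString()
    try {
        # -ErrorAction Stop turns per-mailbox failures into catchable errors
        $Rules = @(Get-InboxRule -Mailbox $Id -IncludeHidden -ErrorAction Stop)
        $Junk  = Get-MailboxJunkEmailConfiguration -Identity $Id -ErrorAction Stop
        [pscustomobject]@{
            Mailbox     = $Id
            Created     = $Mbx.WhenCreated.Date      # day of creation, time stripped
            JunkEnabled = $Junk.Enabled
            HasJunkRule = @($Rules | Where-Object { $_.Name -eq $RuleName }).Count -gt 0
            Error       = $null
        }
    }
    catch {
        # Record the failure instead of silently counting the mailbox as healthy
        [pscustomobject]@{
            Mailbox     = $Id
            Created     = $Mbx.WhenCreated.Date
            JunkEnabled = $null
            HasJunkRule = $null
            Error       = $_.Exception.Message
        }
    }
}

# Junk filtering is on, but the rule that moves high-SCL mail to Junk is absent
$Missing = $Report | Where-Object { -not $_.Error -and $_.JunkEnabled -and -not $_.HasJunkRule }

# Per creation day: total mailboxes vs. mailboxes without the rule
$Report | Where-Object { -not $_.Error } | Group-Object Created | ForEach-Object {
    $Bad = @($_.Group | Where-Object { -not $_.HasJunkRule }).Count
    [pscustomobject]@{ Created = $_.Name; Mailboxes = $_.Count; MissingRule = $Bad }
} | Sort-Object MissingRule -Descending | Format-Table -AutoSize

# Hypothetical output file name; feed this list to the regeneration loop
$Missing | Select-Object Mailbox, Created |
    Export-Csv -Path .\missing-junk-rule.csv -NoTypeInformation

# Mailboxes that could not be checked
$Report | Where-Object Error | Select-Object Mailbox, Error
```

Re-running the audit after the fix, and again after each new provisioning batch, shows whether the rule is still being dropped at account creation.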

0

Do all recipients receive the junk mails in the Inbox folder, or only specific ones?

Please access OWA and check if the configuration, as in the screenshot below, is correct.

enter image description here

Kelvin_D