One of our main inbound mail accounts seems to be having a strange issue where the emails are getting marked as spam, not when they arrived, but when they are moved to a folder.
They are also all emails that are whitelisted in the spam policy. The SCL is -1 in the headers.
I had auditing enabled, but only for a few actions in each category. I can see an audit entry that looks like the 'update' action where the subject is changed:
Operation : Update
OperationResult : Succeeded
LogonType : Admin
ClientInfoString : Client=WebServices;ExchangeServicesClient/0.0.0.0;
ClientIPAddress : MICROSOFT_CIDR/16_IP
ClientIP : MICROSOFT_CIDR/16_IP
InternalLogonType : Owner
MailboxOwnerUPN : orders@MYCOMPANY.com
MailboxOwnerSid : S-1-5-21-3228079582-319387065-945654275-2122606
LogonUserDisplayName : ks365_1d855538-7387-41a8-985d-d7f43d3f7783
LogonUserSid : S-1-5-21-3228079582-319387065-945654275-3779439
DirtyProperties : MapiSubject, NormalizedSubjectInternal, ReplyForwardStatus
LastAccessed : 11/18/2019 10:11:01 AM
The email arrived at 9:14.
Our users excitingly access this mailbox. We had to set them up this way during our initial migration due to bandwidth and PC power limits (all the mailbox syncing was killing everything). So these users have this box added as a second account in Outlook, so it has its OST, but the downside of that is that most actions show up as the native user and not the particular desktop user that is interacting with the box.
The sending domain is whitelisted in our spam policy. Our spam policy is set up to only mark the header, Whappening, just sometimes after arrival.
Message Trace shows the email was Received, Processed, and Delivered correctly. There is no indication in the Trace that this was spam, and the header was altered.
The ItemInternetMessageID in Search-MailboxAuditLog matches the Message ID shown in Trace.
I am just trying to figure out what might be causing this!
