Export (0) Print
Expand All

Transport rule conditions (predicates)

Exchange 2013
 

Applies to: Exchange Online Protection

Topic Last Modified: 2014-11-24

Transport rule conditions and exceptions are used to define when a transport rule is applied. For example, when adding a disclaimer, you could define the conditions to only add the disclaimer to messages containing specific words, to messages from a specific person or group, or to all messages except those from a specific group.

Looking for:

Contents

Conditions and condition properties

Condition property values

To determine whether a transport rule should be applied to a message, most conditions have one or more properties for which you must specify a value. For example, the The sender is condition requires that you specify the sender for the message. Some conditions have two properties. For example, the A message header includes any of these words condition requires one property to specify the header to examine, such as To, From, Received, or Content-Type, and a second property for the text to look for in the specified message header. Others don't have properties. For example, the Any attachment has executable content condition simply inspects whether any attachment in a message has executable content, and therefore doesn't require any values.

NoteNote:
If the property is a string, trailing spaces are not allowed.

To assign a value to a condition in the Exchange admin center (EAC), you can use the drop-down lists and secondary dialog boxes that are displayed in the Transport rule page. These help you select the correct property types and valid values for those property types. If you’re using the Shell to define conditions, see the descriptions in Condition property types.

The following table lists the conditions that can be used with transport rules in Exchange Online Protection.

NoteNote:
Each condition listed in the following table also has an equivalent exception that can be selected in the EAC. In the Shell, conditions that can be used as exceptions start with ExceptIf. For example, for the FromMemberOf condition, the parameter that can be used as an exception in transport rule cmdlets is called ExceptIfFromMemberOf.
The same condition object contains the logic for use in both transport rule conditions and exceptions. Therefore, when you use the Get-TransportRuleCondition cmdlet to list conditions, exceptions aren't listed as separate conditions.

 

Condition name in Exchange admin centerCondition name in ShellPropertiesDescription

The sender is

From

Addresses

This condition matches messages sent by the specified mailboxes, mail-enabled users, or contacts.

The sender is located

FromScope

FromUserScope

This condition matches messages that are sent by senders within the specified scope.

The sender is a member of

FromMemberOf

Addresses

This condition matches messages where the sender is a member of the specified distribution group.

The sender address includes

FromMemberOf

Words

This condition matches messages that contain the specified words in the sender's address.

The sender address matches

FromMemberOf

Patterns

This condition matches messages that contain text patterns in the sender's address that match the specified regular expression.

The sender's specified properties include any of these words

SenderADAttributeContainsWords

Words

This condition matches messages where the specified attribute of the sender contains specified words.

NoteNote:
When matching a country using CountryOrRegion, you must use the ISO country code, rather than the country name. For example, to match all senders from Germany:
Set-TransportRule MyRule -SenderADAttributeContainsWords "CountryOrRegion:DE"

The sender's specified properties match these text patterns

SenderADAttributeMatchesPatterns

Patterns

This condition matches messages where the specified attribute of the sender contains text patterns that match the specified regular expression.

Sender's IP address is in the range

SenderIpRanges

IPRanges

This condition matches messages where the sender's IP address falls within the specified ranges.

The sender's domain is

SenderDomainIs

Domain name

This condition matches messages where the sender's domain matches the specified domain name.

The recipient is

SentTo

Addresses

This condition matches messages where one of the recipients is the specified mailbox, mail-enabled user, or contact. The specified recipients can be listed in the To, Cc, or Bcc fields.

NoteNote:
You can't specify a distribution group with this condition. If you need to create a rule that takes action on messages sent to a distribution group, use the To box contains (AnyOfToHeader) condition instead.

The recipient is located

SentToScope

ToUserScope

This condition matches messages that are sent to recipients within the specified scope.

The recipient is a member of

SentToMemberOf

Addresses

This condition matches messages that contain recipients who are members of the specified distribution group. The distribution group can be listed in the To, Cc, or Bcc fields.

The recipient address includes

RecipientAddressContainsWords

Words

This condition matches messages where a recipient's address contains any of the specified words.

The recipient address matches

RecipientAddressMatchesPatterns

Patterns

This condition matches messages where a recipient's address matches a specified regular expression.

The recipient's specified properties include any of these words

RecipientADAttributeContainsWords

Words

This condition matches messages where the specified attribute of a recipient contains any of the specified words..

The recipient's specified properties match these text patterns

RecipientADAttributeMatchesPatterns

Patterns

This condition matches messages where the specified attribute of a recipient matches the specified regular expression.

A recipient's domain is

RecipientDomainIs

Domain Name

This condition matches messages where the domain of any recipient of the message matches the specified domain name.

The subject or body includes

SubjectOrBodyContainsWords

Words

This condition matches messages that have the specified words in the Subject field or message body.

The subject or body matches

SubjectOrBodyMatchesPatterns

Patterns

This condition matches messages where text patterns in the Subject field or message body match a specified regular expression.

The subject includes

SubjectContainsWords

Words

This condition matches messages that have the specified words in the Subject field.

The subject matches

SubjectMatchesPatterns

Patterns

This condition matches messages where text patterns in the Subject field match a specified regular expression.

Any attachment's content includes

AttachmentContainsWords

Words

This condition matches messages with attachments that contain a specified string.

Any attachment's content matches

AttachmentMatchesPatterns

Patterns

This condition matches messages with attachments that contain a text pattern that matches a specified regular expression.

NoteNote:
Only the first 150 KB of the attachment is scanned when trying to match a pattern.

Any attachment's content can't be inspected

AttachmentIsUnsupported

Not applicable

This condition matches messages with attachments that aren't supported.

Any attachment's file name matches

AttachmentNameMatchesPatterns

Patterns

This condition matches messages that contain text patterns in an attachment file name that matches a specified regular expression.

Any attachment's file extension matches

AttachmentExtensionMatchesWords

Words

This condition matches messages that contain an attachment whose extension matches any of the specified words. The service uses auto-detection of file types by inspecting file properties rather than the actual file extension, thus preventing spammers from being able to bypass transport rule filtering by renaming the file extension.

Any attachment size is greater than or equal to

AttachmentSizeOver

Size

This condition matches messages that contain attachments greater than or equal to the specified value.

The message didn't complete scanning

AttachmentProcessingLimitExceeded

Not applicable

This condition matches messages for which the rules engine couldn't complete scanning of the attachments. This condition can be used to create rules that work together with other attachment processing rules and gives you the ability to handle messages whose content couldn't be fully scanned.

Any attachment has executable content

AttachmentHasExecutableContent

Not applicable

This condition matches messages that contain executable files as attachments.

Any attachment is password protected

AttachmentIsPasswordProtected

Not applicable

This condition matches messages that contain compressed archive attachments that are password protected, and therefore cannot be scanned.

The To box contains

AnyOfToHeader

Addresses

This condition matches messages where the To field includes any of the specified recipients.

The To box contains a member of

AnyOfToHeaderMemberOf

Addresses

This condition matches messages where the To field contains a recipient who is a member of the specified distribution group.

The Cc box contains

AnyOfCcHeader

Addresses

This condition matches messages where the Cc field includes any of the specified recipients.

The Cc box contains a member of

AnyOfCcHeaderMemberOf

Addresses

This condition matches messages where the Cc field contains a recipient who is a member of the specified distribution group.

The To or Cc box contains

AnyOfToCcHeader

Addresses

AnyOfToCcHeader matches messages where the To or Cc fields include any of the specified recipients.

The To or Cc box contains a member of

AnyOfToCcHeaderMemberOf

Addresses

This condition matches messages where the To or Cc fields contains a recipient who is a member of the specified distribution group.

The message size is greater than or equal to

MessageSizeOver

Size

This condition matches messages whose overall size is greater than or equal to the specified value.

The message character set name includes any of these words

ContentCharacterSetContainsWords

Character Sets

This condition matches messages that have any of the character set names specified.

The sender is one of the recipients'

SenderManagementRelationship

ManagementRelationship

This condition matches messages where the sender has the specified management relationship with a recipient.

The message is between members of these groups

BetweenMemberOf1and BetweenMemberOf2

First property: Addresses (BetweenMemberOf1)

Second property: Addresses (BetweenMemberOf2)

This condition matches messages that are sent between members of two distribution groups.

The manager of the sender or recipient is

ManagerForEvaluatedUser and ManagerAddresses

First property: EvaluatedUser (ManagerForEvaluatedUser)

Second property: Addresses (ManagerAddresses)

This condition matches messages where the specified user's (sender or recipient) manager exists in the list of specified addresses.

The sender's and any recipient's property compares as

ADAttributeComparisonAttribute and ADComparisonOperator

First property: ADAttribute (ADComparisonAttribute)

Second property: (ADComparisonOperator)

This condition matches messages where the sender's specified Active Directory attribute matches or doesn't match (as specified in the Evaluation property) the same attribute of any recipient.

The message type is

MessageTypeMatches

MessageType

This condition matches messages of the specified type.

The message has an SCL greater than or equal to

SCLOver

SclValue

This condition matches messages that are assigned a spam confidence level (SCL) matching or exceeding the specified value.

The message importance is set to

WithImportance

Importance

This condition matches messages marked with the specified priority.

A message header includes

HeaderContainsMessageHeader and HeaderContainsWords

First property: MessageHeader (HeaderContainsMessageHeader)

Second property: Words (HeaderContainsWords)

This condition matches messages where the specified message header contains one of the specified words.

A message header matches

HeaderMatchesMessageHeader and HeaderMatchesPatterns

First property: MessageHeader (HeaderMatchesMessageHeader)

Second property: Patterns (HeaderMatchesPatterns)

This condition matches messages where the specified message header contains a text pattern that matches a specified regular expression.

Each property that you use to define a transport rule condition requires a value. Here’s a list of values for each condition property in Exchange Online Protection.

 

Property Valid values Description

ADAttribute

One of the Active Directory attributes available for use

ADAttribute accepts the name of one of the following Active Directory attributes:

  • DisplayName

  • FirstName

  • Initials

  • LastName

  • Office

  • PhoneNumber

  • OtherPhoneNumber

  • Email

  • Street

  • POBox

  • City

  • State

  • ZipCode

  • Country

  • UserLogonName

  • HomePhoneNumber

  • OtherHomePhoneNumber

  • PagerNumber

  • MobileNumber

  • FaxNumber

  • OtherFaxNumber

  • Notes

  • Title

  • Department

  • Company

  • Manager

  • CustomAttribute1 - CutomAttribute15

Addresses

Array of Active Directory mailbox, contact, or distribution group objects

Addresses accepts one or more mailbox, contact, mail-enabled user, or distribution group object.

Character Sets

Array of valid character set names

Character Sets is a list of names of specific content character sets that can be found in a message. For example, if you wanted to create a rule that checks messages for character sets used in Microsoft ForeFront Online Protection for Exchange, you would use the following list:

  • Arabic/iso-8859-6

  • Chinese/big5

  • Chinese/euc-cn

  • Chinese/euc-tw

  • Chinese/gb2312

  • Chinese/iso-2022-cn

  • Cyrillic/iso-8859-5

  • Cyrillic/koi8-r

  • Cyrillic/windows-1251

  • Greek/iso-8859-7

  • Hebrew/iso-8859-8

  • Japanese/euc-jp

  • Japanese/iso-022-jp

  • Japanese/shift-jis

  • Korean/euc-kr

  • Korean/johab

  • Korean/ks_c_5601-1987

  • Turkish/windows-1254

  • Turkish/iso-8859-9

  • Vietnamese/tcvn

Domain Name

Any valid SMTP domain name

Domain Name is the FQDN for any valid SMTP domain.

EvaluatedUser

Single value of Sender or Recipient

EvaluatedUser is used to determine whether the value specified in the ManagerAddresses parameter is the manager of the sender or one of the recipients.

Evaluation

Single value of Equal or NotEqual

Evaluation is used when comparing the Active Directory attributes of the sender and recipients.

FromUserScope

Single value of InOrganization or NotInOrganization

FromUserScope specifies whether the message is sent by a sender who is considered to be inside the organization or external to the organization. The following values can be used:

  • InOrganization   A sender is considered to be inside the organization if either of the following conditions is true:

    • The sender is a mailbox, mail-enabled user, distribution group, or public folder that exists in the organization's Active Directory.

    • The domain of the sender is an accepted domain in the Exchange organization, but isn't an ExternalRelay domain. Also, the message must be sent or received by using an authenticated connection.

  • NotInOrganization   A sender is considered to be outside the organization if the sender's domain isn't an accepted domain in the Exchange organization, or is in an accepted domain that is configured as an ExternalRelay domain.

Importance

Single value of High, Low, or Normal

Importance specifies the message priority.

IPRanges

Array of IP ranges

IPRanges is used to specify one or more IP address ranges.

ManagementRelationship

Single value of Manager or DirectReport

ManagementRelationship specifies the relationship between two evaluated users, for example the sender and the recipient. The evaluated user's Active Directory information is located to determine the manager and direct reports.

MessageHeader

Single string

MessageHeader accepts a string that can be used to specify the SMTP message header to examine. This property is used together with the Words or Patterns properties, which specify the value of the header field to match.

MessageType

Single message type name

MessageType accepts one of the following message types:

  • OOF

  • AutoForward

  • Encrypted

  • Calendaring

  • PermissionControlled

  • Voicemail

  • Signed

  • ApprovalRequest

  • ReadReceipt

Patterns

Array or regular expressions

Patterns accepts one or more regular expressions that can be used to match text that follows an identifiable pattern..

SclValue

Single integer

SclValue accepts an integer that can be used to match the spam confidence level (SCL) assigned to a message. SCL values range from -1 through 9.

Size

Single integer with quantifier such as KB or MB

Size accepts an integer that specifies the size of an email attachment or the overall message. The value specified is in kilobytes.

ToUserScope

One of the following values:

  • InOrganization

  • NotInOrganization

  • ExternalPartner

  • ExternalNonPartner

ToUserScope specifies the scope of the recipients. The InOrganization and NotInOrganization values are evaluated similar to the FromUserScope property, but in the context of the recipient. The following is a description of the other possible values:

  • ExternalPartner   These domains are configured to send mail to an external domain by using Domain Secure security

  • ExternalNonPartner   These represent all other domains that aren't considered ExternalPartner domains.

Words

Array of strings

Words accepts one string or an array of strings. It's used in all conditions that inspect different parts of a message for specific words or strings.

Only instances of the word without a prefix or suffix are matched. For example, if you specify the word "contoso", the rule will fire only if an exact match is found. The following variations where the word appears as a suffix, a prefix, or between other characters (other than the space character) aren't considered an exact match:

  • Acontoso

  • Contosoa

  • Acontosob

The property isn't case-sensitive. The asterisk (*) is treated as a literal character, and not used as a wildcard character.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft