Tuesday, September 27, 2016

EOP not Moving Messages to Junk Email On-Premises

Exchange Online Protection (EOP) is Microsoft's solution for anti-spam and anti-malware. It is included as part of Office 365/Exchange Online and you can subscribe to it for on-premises Exchange.

When you implement EOP, you configure the MX records for your domain to deliver messages to EOP, and then EOP forwards to your Exchange server. If a message contains mailware or is obvious spam, it is typically blocked and not forwarded to your Exchange server. It can be quarantined in EOP or discarded.

Where is gets a bit tricky is the messages that might or might not be spam. They're spammy, but might be legitimate email. In Office 365, those messages are automatically moved to your Junk Email folder. For spammy messages to be moved to your Junk Email folder in on-premises Exchange, you need to create a couple of transport rules.

EOP adds an X-Forefront-Antispam-Report header to messages after they are evaluated. You need to create transport rules in your on-premises Exchange to read the value in this header and set the SCL (spam confidence level) value for the message. Exchange Server uses the SCL value to determine whether a message is moved to the Junk Email folder.

Microsoft indicates that you should create the following two rules:
New-TransportRule "EOPSpam1" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM"
-SetSCL 6
New-TransportRule "EOPSpam2" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS"
-SetSCL 6

Notice that these rules set the SCL value  to 6. Which means that, by default, Exchange Server will mark the messsages as spam and send them to the Junk Email folder.

However, I recently had a client where after configuring these rules, there were obvious spam messages still not going into Junk Email. At some point, this organization had changed the threshold for the SCL value that identifies spam. They had a value of 8.

So, when you implement these rules, you should also verify the SCLJunkThreshold configured for the Exchange organization. You can view the SCLJunkThreshold with the following command:
Get-OrganizationConfig | FL SCL*

If you need to change the SCLJunkThreshold, use the following command:
Set-OrganizationConfig -SCLJunkThreshold 6

Microsoft article about the creating the transport rules for Junk Email processing:
X-ForeFront-Antispam-Report Values:

No comments:

Post a Comment