Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-07-02
In Microsoft Exchange Server 2003, the spam confidence level (SCL) threshold defines when the content filter feature takes a specific action on a specific message, such as rejecting a message or deleting a message.
In Exchange Server 2007, we've improved the SCL threshold functionality so that you can adjust the SCL to a more precise level. You can define three specific actions according to SCL thresholds. For example, you can define different thresholds for rejecting, deleting, or quarantining a message on a computer that has the Edge Transport server role installed.
The combination of this SCL threshold configuration on the Edge Transport server and the SCL Junk E-mail folder configuration on the user mailbox helps you implement a more comprehensive and precise anti-spam strategy. This more precise and detailed SCL threshold adjustment functionality in Exchange 2007 can help you reduce the overall cost of deploying and maintaining an anti-spam solution across your organization.
The SCL threshold configuration is used by the Content Filter agent, one of the default anti-spam agents that are included with Exchange 2007. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message and to assign an SCL rating to each message.
The Content Filter agent performs this function late in the anti-spam cycle, after other anti-spam agents have processed any inbound messages. Many of the other anti-spam agents that process inbound messages before they are processed by the Content Filter agent are deterministic in how they act on a message. For example, the Connection Filter agent rejects any message that is sent from an IP address that is on a real-time block list (RBL). The Sender Filter agent and Recipient Filtering agent process messages in a similarly deterministic manner.
In Exchange 2007, these deterministic anti-spam agents process messages first and therefore greatly reduce the number of messages that must be processed by the Content Filter agent. For more information about the order in which anti-spam agents process messages, see Anti-Spam and Antivirus Functionality.
Because content filtering is not an exact, deterministic process, the ability to adjust the action that the Content Filter agent performs on different SCL values is important. By carefully adjusting the SCL threshold configuration, you can minimize the following:
- The size of the spam quarantine storage
- The number of legitimate e-mail messages that are mistakenly quarantined
- The number of legitimate e-mail messages that reach the Microsoft Office Outlook user's Junk E-mail folder
- The number of offensive spam e-mail messages that reach the Outlook user's Inbox or Junk E-mail folder
- The number of spam e-mail messages that reach the Outlook user's Inbox
SCL Threshold Actions in Exchange 2007
In Exchange 2003, you configure a single action, such as delete or reject, for a single SCL threshold value. In Exchange 2007, by adjusting SCL threshold actions, you can escalate the content filtering action that is taken on messages that have a greater risk of being spam. To understand this new functionality, it is helpful to understand the different SCL threshold actions and how they are implemented.
- SCL delete threshold: When the SCL value for a specific message is equal to or higher than the SCL delete threshold, the Content Filter agent deletes the message. There is no protocol-level communication that tells the sending system or sender that the message was deleted. If the SCL value for a message is lower than the SCL delete threshold value, the Content Filter agent does not delete the message. Instead, the Content Filter agent compares the SCL value to the SCL reject threshold.
- SCL reject threshold: When the SCL value for a specific message is equal to or higher than the SCL reject threshold, the Content Filter agent deletes the message and sends a rejection response to the sending system. You can customize the rejection response. In some cases, a non-delivery report (NDR) is sent to the original sender of the message. If the SCL value for a message is lower than the SCL delete and SCL reject threshold values, the Content Filter agent does not delete or reject the message. Instead, the Content Filter agent compares the SCL value to the SCL quarantine threshold.
- SCL quarantine threshold: When the SCL value for a specific message is equal to or higher than the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. E-mail administrators must periodically review the quarantine mailbox. For more information about how to manage the spam quarantine, see Configuring and Managing Spam Quarantine. If the SCL value for a message is lower than the SCL delete, reject, and quarantine threshold values, the Content Filter agent does not delete, reject, or quarantine the message. Instead, the Content Filter agent sends the message to the appropriate Mailbox server, where the per-recipient SCL Junk E-mail folder threshold value of the message is evaluated.
- SCL Junk E-mail folder threshold: If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, the Mailbox server puts the message in the Outlook user's Junk E-mail folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, the Mailbox server puts the message in the user's Inbox.
For example, if you set the SCL delete threshold to 8, the SCL reject threshold to 7, the SCL quarantine threshold to 6, and the SCL Junk E-mail folder threshold to 5, all e-mail with an SCL of 5 or lower will be delivered to the user's Inbox.
As you plan and deploy your strategy for adjusting the SCL threshold, it's important to understand that the Content Filter agent and the SCL Junk E-mail folder process the SCL threshold value differently. The Content Filter agent takes action on the SCL threshold value that you configure. The SCL Junk E-mail folder takes action on the SCL threshold value that you configure plus 1. For example, if you configure the Delete action to an SCL of 4 on the Content Filter agent, all messages with an SCL of 4 or greater are deleted. However, if you configure the Delete action to an SCL of 4 on the SCL Junk E-mail folder, all messages with an SCL of 5 or greater are deleted.
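The evaluation order and the two comparison rules described above can be modelled in a few lines of PowerShell. This is an added example, not code from the original topic or from Exchange; the function name Get-SclDisposition and the hashtable keys are hypothetical, and it goes slightly beyond the text above by also applying the per-recipient override rule described later in this topic.

```powershell
# Added example: a model of the evaluation order this topic describes.
# Get-SclDisposition and its key names are hypothetical, not an Exchange cmdlet.
function Get-SclDisposition {
    param(
        [int]$Scl,
        [hashtable]$Transport,        # per-transport server thresholds
        [hashtable]$Recipient = @{}   # per-recipient thresholds, if any are set
    )

    # A per-recipient threshold, when present, is used instead of the
    # per-transport server value.
    $effective = @{}
    foreach ($name in 'Delete', 'Reject', 'Quarantine') {
        if ($Recipient.ContainsKey($name)) { $effective[$name] = $Recipient[$name] }
        elseif ($Transport.ContainsKey($name)) { $effective[$name] = $Transport[$name] }
    }

    # Content Filter agent: acts when the SCL is equal to or higher than the
    # threshold, checked in the order delete, reject, quarantine.
    foreach ($name in 'Delete', 'Reject', 'Quarantine') {
        if ($effective.ContainsKey($name) -and $Scl -ge $effective[$name]) {
            return $name
        }
    }

    # Mailbox server: the Junk E-mail folder acts only when the SCL exceeds
    # the configured threshold (threshold plus 1).
    if ($Recipient.ContainsKey('Junk') -and $Scl -gt $Recipient['Junk']) {
        return 'JunkEmailFolder'
    }
    return 'Inbox'
}

# Thresholds from the example in this topic: delete 8, reject 7,
# quarantine 6, Junk E-mail folder 5.
$transport = @{ Delete = 8; Reject = 7; Quarantine = 6 }
$recipient = @{ Junk = 5 }

0..9 | ForEach-Object {
    New-Object PSObject -Property @{
        SCL    = $_
        Action = (Get-SclDisposition $_ $transport $recipient)
    }
} | Format-Table SCL, Action -AutoSize
```

Under the rules as stated in this topic, these thresholds send SCL 6 to quarantine, 7 to reject, and 8 and 9 to delete, so no message with an SCL above 5 is left for the Junk E-mail folder comparison.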
To configure the SCL Junk E-mail folder threshold on individual user mailboxes, you must use the Set-Mailbox command in the Exchange Management Shell. You can configure the SCL delete, reject, and quarantine thresholds in two locations:
- On the content filter configuration (per-transport server SCL configuration): We recommend that you set the organization-wide SCL thresholds on the content filter configuration on the Edge Transport server. If you run anti-spam agents on the Hub Transport server, set the organization-wide SCL thresholds on the Hub Transport server. By applying the same SCL thresholds across all transport servers, you can establish a consistent baseline level of SCL functionality across the organization. Over time, as you analyze the spam functionality and metrics that are provided by the anti-spam logging and reporting features, you can make additional adjustments to these SCL threshold configurations as needed.
- On user mailboxes (per-recipient SCL configuration): You can use the Set-Mailbox command to set per-recipient SCL delete, reject, and quarantine thresholds on individual user mailboxes. As mentioned earlier in this topic, you set the SCL Junk E-mail folder threshold on individual user mailboxes by using the Set-Mailbox command. The per-recipient SCL delete, reject, and quarantine thresholds are stored in the Active Directory directory service and are replicated to the Edge Transport servers by the Microsoft Exchange EdgeSync service. The per-recipient SCL threshold configurations are used by the Content Filter agent even if you have set per-transport server SCL configurations. Therefore, if you have set per-recipient SCL thresholds, the Content Filter agent uses the per-recipient SCL thresholds for specific users instead of the SCL configuration on the Content Filter agent.
For more information about how to use the Set-Mailbox command, see Set-Mailbox.
Best Practice for Setting Up and Adjusting SCL Thresholds
We recommend that you set up and adjust the SCL thresholds as follows:
- Enable the SCL delete, reject, and quarantine thresholds on the content filter configuration on each Edge Transport server. We recommend that you start with the default values for these SCL thresholds. The default values were set by the Exchange Server team according to real-world data from the Microsoft IT messaging department and from Exchange 2007 early adopter feedback. The default values are optimized for large, global enterprise deployments. For more information about how to set the SCL thresholds on the content filter configurations, see Configuring Content Filtering.
- Enable and configure per-recipient SCL thresholds. At a minimum, you should enable and set the SCL Junk E-mail folder threshold on each user's mailbox. You can also configure the SCL delete, reject, and quarantine thresholds on a per-recipient configuration. Also, you can set exceptions on each user's mailbox so that messages to that mailbox bypass all anti-spam scanning on the Edge Transport server. For more information, see How to Configure Anti-Spam Features on a Mailbox.
- Monitor spam reports and logs closely for the first week after you enable the SCL thresholds. If the data indicates that you must make immediate adjustments, reconfigure the SCL thresholds. Otherwise, collect data and analyze the spam reporting to determine whether adjustments are required.
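The two configuration locations and the setup steps above, as Exchange Management Shell commands. This is an added example, not part of the original topic: the threshold values are the illustrative ones used earlier in this topic rather than the defaults, and the mailbox identities and quarantine address are placeholders.

```powershell
# Added example; run in the Exchange Management Shell.
# 'user1', 'user2' and the quarantine address are placeholders.

# Per-transport server configuration (content filter configuration).
# The quarantine action needs a quarantine mailbox to deliver to.
Set-ContentFilterConfig -QuarantineMailbox 'spamquarantine@contoso.example'
Set-ContentFilterConfig `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 8 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6

# Per-recipient SCL Junk E-mail folder threshold.
Set-Mailbox -Identity 'user1' -SCLJunkEnabled $true -SCLJunkThreshold 5

# Per-recipient override: for this mailbox the Content Filter agent uses
# this quarantine threshold instead of the transport server value.
Set-Mailbox -Identity 'user2' `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7

# Verify the transport-level settings.
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox

# Audit: list mailboxes whose per-recipient settings replace the
# organization-wide baseline or bypass anti-spam scanning entirely.
Get-Mailbox -ResultSize Unlimited |
    Where-Object {
        $_.SCLDeleteEnabled -or $_.SCLRejectEnabled -or
        $_.SCLQuarantineEnabled -or $_.AntispamBypassEnabled
    } |
    Select-Object Name, SCL*, AntispamBypassEnabled
```

Because per-recipient values take precedence over the content filter configuration, rerun the audit query whenever you adjust the baseline so that old overrides and bypass exceptions do not go unnoticed.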