Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-20

When you use anti-spam filters, there is always a chance that the filters will identify false positives. In the context of spam filtering, a false positive exists when a spam filter incorrectly identifies a message from a legitimate sender as spam. In Microsoft Exchange Server 2007, you can reduce the risk of false positives and the potential loss of valuable messages if you use the Content Filter agent to quarantine messages that have been identified as potential spam. When the Content Filter agent is enabled and configured, all messages that have a spam confidence level (SCL) rating equal to or greater than the SCL quarantine threshold but less than the SCL delete threshold or SCL reject threshold are delivered to a mailbox that you have identified as the spam quarantine mailbox. When you enable multiple SCL threshold actions to work together, consider the following requirements:

For example, if you have set the SCL quarantine threshold to 6 and the SCL reject threshold to 8, a message that has an SCL rating of 7 will be quarantined. A message that has an SCL rating of 8 will be rejected.

You can review quarantined messages and, as appropriate, release them by using the Send Again feature in Microsoft Outlook. For more information, see How to Recover Quarantined Messages from the Spam Quarantine Mailbox. In addition, you can configure the spam quarantine mailbox to delete items that you do not release after a specified period of time. For more information, see Managing Messaging Records Management.

Important:
By the nature of the feature, the IT administrator who is responsible for the spam quarantine mailbox can view potentially private and sensitive messages and send mail on behalf of anybody in the Exchange organization.

Configuring Spam Quarantine

To configure spam quarantine, you must follow these steps:

  1. Enable content filtering.

  2. Create a spam quarantine mailbox.

  3. Specify the spam quarantine mailbox.

  4. Set the SCL quarantine threshold.

  5. Manage the spam quarantine mailbox.

  6. Adjust the SCL quarantine threshold as needed.

Enabling Content Filtering

You must enable content filtering before you can apply a spam quarantine. By default, the Content Filter agent filters all external messages that come through all Receive connectors on the computer on which the Content Filter feature is enabled.

Important:
Configuration changes that you make to the Content Filter agent by using the Exchange Management Console or the Exchange Management Shell are made only to the local computer that has the Edge Transport server role installed. If multiple instances of the Edge Transport server role are running in your organization, you must apply the Content Filter agent configuration changes to each computer.

For more information, see How to Enable or Disable Content Filtering.

Creating a Spam Quarantine Mailbox

You must create a spam quarantine mailbox before you can enable the feature. To set up a spam quarantine mailbox, you must follow these steps:

  • Create a dedicated Exchange database   We recommend that you create a dedicated database for the spam quarantine mailbox. The spam quarantine mailbox should have a large database, because if the storage quota limit is reached, messages will be lost. For more information, see How to Create a New Mailbox Database.

  • Create an Active Directory user   We recommend that you create a separate Active Directory user for the spam quarantine mailbox. You may apply different recipient policies, such as messaging records management and mailbox size, and delegation rights, according to your organization's compliance policies and needs.

  • Create a new user mailbox   You must create a mailbox that you can use as the spam quarantine mailbox with an appropriate messaging records management policy that includes mailbox size and the number of days that messages will be saved before they are deleted. For more information, see Managing Messaging Records Management.

    Note:
    If a quarantined message is rejected because of a storage quota, the message will be lost. Exchange does not generate non-delivery reports (NDRs) for quarantined messages because the quarantined messages are wrapped as NDRs.
    For more information, see How to Create a Mailbox for a New User.

  • Set up the Outlook account profile   You must configure management or delegation of the Outlook account to meet the needs of your organization. In addition, to help with the account management, we recommend that you configure the Outlook profile to expose the original Sender[#0x0069001E], Recipient[#0x0E04001E], and Bcc[#0x0E02001E] fields in the Message view. For more information, see How to Recover Quarantined Messages from the Spam Quarantine Mailbox.

Specifying a Spam Quarantine Mailbox

After you set up the spam quarantine mailbox, you must specify the spam quarantine mailbox in the content filter configuration. You use the Set-ContentFilterConfig command in the Exchange Management Shell to specify a spam quarantine mailbox. The QuarantineMailbox parameter takes the Simple Mail Transfer Protocol (SMTP) address of the spam quarantine mailbox. 

Important:
You must specify the spam quarantine mailbox on all servers that have the Edge Transport server role installed and in the Active Directory directory service where user mailboxes are located. To specify the spam quarantine mailbox in Active Directory, run the Set-ContentFilterConfig cmdlet on a Hub Transport server. You do not have to have Content Filtering enabled on the Hub Transport server to specify a spam quarantine mailbox in Active Directory.

For more information, see How to Specify a Spam Quarantine Mailbox.

Configuring the SCL Quarantine Threshold

The SCL quarantine threshold is the value at which a particular message that is identified as potential spam is delivered to the spam quarantine mailbox. You can set the SCL quarantine threshold to a value between 0 and 9, where 0 is considered less likely to be spam, and 9 is considered most likely to be spam.

For more information about how to adjust SCL thresholds to suit your organization's requirements and how to adjust per-recipient SCL thresholds, see How to Enable and Configure the Spam Confidence Level Thresholds.
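The following Exchange Management Shell commands cover steps 1, 3, and 4 of the procedure and then check that the configured thresholds leave a range of SCL ratings that is actually quarantined. This is an added example, not part of the original topic; the address spamquarantine@contoso.com is a placeholder, and the thresholds 6 and 8 are the values from the example earlier in this topic.

```powershell
# Added example. Run in the Exchange Management Shell on each Edge Transport server.
# Assumption: placeholder SMTP address of the spam quarantine mailbox.
$quarantineMailbox = 'spamquarantine@contoso.com'

# Step 1: enable content filtering on this server.
Set-ContentFilterConfig -Enabled $true

# Step 3: specify the spam quarantine mailbox by its SMTP address.
Set-ContentFilterConfig -QuarantineMailbox $quarantineMailbox

# Step 4: quarantine at SCL 6 and reject at SCL 8.
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
                        -SCLRejectEnabled $true -SCLRejectThreshold 8

# Read the configuration back and check it.
$cfg = Get-ContentFilterConfig
$problems = @()

if (-not $cfg.Enabled) { $problems += 'Content filtering is disabled.' }

if ($cfg.SCLQuarantineEnabled) {
    if (-not $cfg.QuarantineMailbox) {
        $problems += 'Quarantine is enabled but no QuarantineMailbox is set.'
    }

    # Quarantine applies below the lowest enabled reject or delete threshold.
    # 10 means that no reject or delete action limits the range (SCL stops at 9).
    $upper = 10
    if ($cfg.SCLRejectEnabled -and $cfg.SCLRejectThreshold -lt $upper) { $upper = $cfg.SCLRejectThreshold }
    if ($cfg.SCLDeleteEnabled -and $cfg.SCLDeleteThreshold -lt $upper) { $upper = $cfg.SCLDeleteThreshold }

    if ($cfg.SCLQuarantineThreshold -ge $upper) {
        $problems += "Quarantine threshold $($cfg.SCLQuarantineThreshold) is not below the reject/delete threshold $upper, so no message is quarantined."
    } else {
        "Messages with SCL $($cfg.SCLQuarantineThreshold) through $($upper - 1) are delivered to $($cfg.QuarantineMailbox)."
    }
} else {
    $problems += 'The SCL quarantine action is disabled.'
}

$problems | ForEach-Object { Write-Warning $_ }
```

On a Hub Transport server, only the QuarantineMailbox command is needed to record the mailbox in Active Directory, as described in "Specifying a Spam Quarantine Mailbox."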

Managing the Spam Quarantine Mailbox

When you manage your spam quarantine mailbox, follow these guidelines:

  • Release items that have been sent to the spam quarantine mailbox by using the Send Again feature in Outlook to resend the original message.

    For more information, see How to Recover Quarantined Messages from the Spam Quarantine Mailbox.

  • Monitor the spam quarantine mailbox so that the size of the spam quarantine mailbox remains in an acceptable range. The volume of e-mail messages can change because of a larger set of recipients, the natural trend of larger messages, or the threshold on the SCL quarantine action.

  • Monitor the spam quarantine mailbox for false positives. If your spam quarantine mailbox includes many false positives, adjust your SCL quarantine threshold as described in "Adjusting the SCL Quarantine Threshold" later in this topic. For more information about how to determine why false positives are being delivered to the spam quarantine mailbox, see Anti-Spam Stamps.

  • Use the same Outlook profile to recover quarantined messages from the spam quarantine mailbox. Applying permissions to a different Outlook profile to recover messages is not supported. You cannot use a different Outlook profile to recover or release messages from the spam quarantine mailbox.

Important:
NDRs that are identified as spam are deleted, even if their SCL rating indicates that they should be quarantined. NDRs are not delivered to the spam quarantine mailbox. To track such messages, use the agent log or the message tracking log. For more information, see Get-AgentLog and How to Search Message Tracking Logs.

Adjusting the SCL Quarantine Threshold

After you configure the SCL quarantine threshold, periodically monitor the settings and adjust them based on your organization's needs. For example, if too many false positives are filtered into the spam quarantine mailbox, raise the SCL quarantine threshold to a larger number. For more information about how to adjust the SCL quarantine threshold, see Adjusting the Spam Confidence Level Threshold.
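The following Exchange Management Shell commands summarize one week of Content Filter agent activity from the agent log to support the monitoring described above. This is an added example, not part of the original topic. It assumes that agent logging is enabled on the transport server, that Content Filter agent entries record the SCL rating in the ReasonData field, and that the Action values are QuarantineMessage and DeleteMessage; verify these against your own agent log output.

```powershell
# Added example. Run in the Exchange Management Shell on the server where the
# Content Filter agent runs. The field values below are assumptions; check them
# against a sample of your own Get-AgentLog output.
$since = (Get-Date).AddDays(-7)

$entries = Get-AgentLog -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.Agent -eq 'Content Filter Agent' }

# How many messages received each action at each SCL rating.
$entries |
    Group-Object Action, ReasonData |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize

# Quarantined messages per SCL rating. The count at the lowest rating is the
# number of messages that would no longer be quarantined if the SCL quarantine
# threshold were raised by one.
$entries |
    Where-Object { $_.Action -eq 'QuarantineMessage' } |
    Group-Object ReasonData |
    Sort-Object Name |
    Format-Table @{ Label = 'SCL'; Expression = { $_.Name } }, Count -AutoSize

# Deleted messages never reach the quarantine mailbox. This list includes NDRs
# that were identified as spam, so the agent log is where they can be traced.
$entries |
    Where-Object { $_.Action -eq 'DeleteMessage' } |
    Select-Object Timestamp, P1FromAddress, Recipients, Reason, ReasonData |
    Format-Table -AutoSize
```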

Using Exchange Hosted Services

Spam filtering and quarantine functionality is enhanced by, and is also available as a service from, Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:

  • Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware

  • Hosted Archive, which helps them satisfy retention requirements for compliance

  • Hosted Encryption, which helps them encrypt data to preserve confidentiality

  • Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations

These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
