Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-20
When you use anti-spam filters, there is always a chance that the filters will identify false positives. In the context of spam filtering, a false positive exists when a spam filter incorrectly identifies a message from a legitimate sender as spam. In Microsoft Exchange Server 2007, you can reduce the risk of false positives and the potential loss of valuable messages if you use the Content Filter agent to quarantine messages that have been identified as potential spam. When the Content Filter agent is enabled and configured, all messages that have a spam confidence level (SCL) rating equal to or greater than the SCL quarantine threshold but less than the SCL delete threshold or SCL reject threshold are delivered to a mailbox that you have identified as the spam quarantine mailbox. When you enable multiple SCL threshold actions to work together, consider the following requirements:
- The SCL reject threshold must be greater than the SCL
quarantine threshold.
- The SCL delete threshold must be greater than the SCL reject
threshold and the SCL quarantine threshold.
For example, if you have set the SCL quarantine threshold to 6 and the SCL reject threshold to 8, a message that has a SCL rating of 7 will be quarantined. A message that has an SCL rating of 8 will be rejected.
You can review quarantined messages and, as appropriate, release them by using the Send Again feature in Microsoft Outlook. For more information, see How to Recover Quarantined Messages from the Spam Quarantine Mailbox. In addition, you can configure the spam quarantine mailbox to delete items that you do not release after a specified period of time. For more information, see Managing Messaging Records Management.
Important: |
---|
By the nature of the feature, the IT administrator who is responsible for the spam quarantine mailbox can view potentially private and sensitive messages and send mail on behalf of anybody in the Exchange organization. |
Configuring Spam Quarantine
To configure spam quarantine, you must follow these steps:
- Enable content filtering.
- Create a spam quarantine mailbox.
- Specify the spam quarantine mailbox.
- Set the SCL quarantine threshold.
- Manage the spam quarantine mailbox.
- Adjust the SCL quarantine threshold as needed.
Enabling Content Filtering
You must enable content filtering before you can apply a spam quarantine. By default, the Content Filter agent filters all external messages that come through all Receive connectors on the computer on which the Content Filter feature is enabled.
Important: |
---|
Configuration changes that you make to the Content Filter agent by using the Exchange Management Console or the Exchange Management Shell are made only to the local computer that has the Edge Transport server role installed. If multiple instances of the Edge Transport server role are running in your organization, you must apply sender reputation configuration changes to each computer. |
For more information, see How to Enable or Disable Content Filtering.
Creating a Spam Quarantine Mailbox
You must create a spam quarantine mailbox before you can enable the feature. To set up a spam quarantine mailbox, you must follow these steps:
- Create a dedicated Exchange database We
recommend that you create a dedicated database for the spam
quarantine mailbox. The spam quarantine mailbox should have a large
database, because if the storage quota limit is reached, messages
will be lost. For more information, see How to Create a New
Mailbox Database.
- Create an Active Directory user We
recommend that you create a separate
Active Directory user for the spam quarantine mailbox.
You may apply different recipient policies, such as messaging
records management and mailbox size, and delegation
rights, according to your organization's compliance policies
and needs.
- Create a new user mailbox You must
create a mailbox that you can use as the spam quarantine mailbox
with an appropriate messaging records management policy that
includes mailbox size and the number of days that messages will be
saved before they are deleted. For more information, see Managing Messaging
Records Management.
Note: If a quarantined message is rejected because of a storage quota, the message will be lost. Exchange does not generate non-delivery reports (NDRs) for quarantined messages because the quarantined messages are wrapped as NDRs.
- Set up the Outlook account profile You
must configure management or delegation of the Outlook account
to meet the needs of your organization. In addition, to help with
the account management, we recommend that you configure the
Outlook profile to expose the original Sender[#0x0069001E],
Recipient[#0x0E04001E], and Bcc[#0x0E02001E] fields in the Message
view. For more information, see How to Recover
Quarantined Messages from the Spam Quarantine Mailbox.
Specifying a Spam Quarantine Mailbox
After you set up the spam quarantine mailbox, you must specify the spam quarantine mailbox in the content filter configuration. You use the Set-ContentFilterConfig command in the Exchange Management Shell to specify a spam quarantine mailbox. The QuarantineMailbox parameter takes the Simple Mail Transfer Protocol (SMTP) address of the spam quarantine mailbox.
Important: |
---|
You must specify the spam quarantine mailbox on all servers that have the Edge Transport server role installed and in the Active Directory directory service where user mailboxes are located. To specify the spam quarantine mailbox in Active Directory, run the Set-ContentFilterConfig cmdlet on a Hub Transport server. You do not have to have Content Filtering enabled on the Hub Transport server to specify a spam quarantine mailbox in Active Directory. |
For more information, see How to Specify a Spam Quarantine Mailbox.
Configuring the SCL Quarantine Threshold
The SCL quarantine threshold is the value at which a particular message that is identified as potential spam is delivered to the spam quarantine mailbox. You can set the SCL quarantine threshold to a value between 0 and 9, where 0 is considered less likely to be spam, and 9 is considered most likely to be spam.
For more information about how to adjust SCL thresholds to suit your organization's requirements and how to adjust per-recipient SCL thresholds, see How to Enable and Configure the Spam Confidence Level Thresholds.
Managing the Spam Quarantine Mailbox
When you manage your spam quarantine mailbox, follow these guidelines:
- Release items that have been sent to the spam quarantine
mailbox by using the Send Again feature in Outlook to resend
the original message.
For more information, see How to Recover Quarantined Messages from the Spam Quarantine Mailbox.
- Monitor the spam quarantine mailbox so that the size of the
spam quarantine mailbox remains in an acceptable range. The volume
of e-mail messages can change because of a larger set of
recipients, the natural trend of larger messages, or the threshold
on the SCL quarantine action.
- Monitor the spam quarantine mailbox for false positives. If
your spam quarantine mailbox includes many false positives, adjust
your SCL quarantine threshold as described in "Adjusting the SCL
Quarantine Threshold" later in this topic. For more information
about how to determine why false positives are being delivered to
the spam quarantine mailbox, see Anti-Spam
Stamps.
- Use the same Outlook profile to recover quarantined
messages from the spam quarantine mailbox. Applying permissions to
different Outlook profile to recover messages is not
supported. You cannot use a different Outlook profile to
recover or release messages from the spam quarantine mailbox.
Important: |
---|
NDRs that are identified as spam are deleted, even if their SCL rating indicates that they should be quarantined. NDRs are not delivered to the spam quarantine mailbox. To track such messages, use the agent log or the message tracking log. For more information, see Get-AgentLog and How to Search Message Tracking Logs. |
Adjusting the SCL Quarantine Threshold
After you configure the SCL quarantine threshold, periodically monitor the settings and adjust them based on your organization's needs. For example, if too many false positives are filtered into the spam quarantine mailbox, raise the SCL quarantine threshold to a larger number. For more information about how to adjust the SCL quarantine threshold, see Adjusting the Spam Confidence Level Threshold.
Using Exchange Hosted Services
Spam filtering and quarantine functionality is enhanced by or is also available as a service from Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:
- Hosted Filtering, which helps organizations protect themselves
from e-mail-borne malware
- Hosted Archive, which helps them satisfy retention requirements
for compliance
- Hosted Encryption, which helps them encrypt data to preserve
confidentiality
- Hosted Continuity, which helps them preserve access to e-mail
during and after emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
For More Information
For more information about anti-spam functionality in Exchange 2007, see the following topics:
For more information about messaging records management, see the following topics:
For more information about content filtering, see the following topics: