Your strategy for how to configure the anti-spam features and establish the aggressiveness of your anti-spam agent settings requires that you plan and calculate carefully. If you set all anti-spam features filters to their most aggressive levels and configure all anti-spam features to reject all suspicious messages, you are more likely to reject messages that are not spam. On the other hand, if you do not set the anti-spam filters at a sufficiently aggressive level and do not set the SCL threshold low enough, you probably won't see a reduction in the spam that enters your organization.

It is a best practice to reject a message when Exchange detects a bad message through the Connection Filter agent, Recipient Filter agent, or Sender Filter agent. This approach is better than quarantining such messages or assigning metadata, such as anti-spam stamps, to such messages. Therefore, the connection filter agent and recipient filter agent automatically block messages that are identified by the respective filters. The Sender Filter agent is configurable.

This best practice is recommended because the spam confidence level that underlies connection filtering, recipient filtering, or sender filtering is relatively high. For example, with sender filtering, where the administrator has configured specific senders to block, there is no reason to assign the sender filtering data to such messages and to continue to process them. In most organizations, blocked messages should be rejected. If the administrator did not want them rejected, the administrator would not have put them on the Blocked Senders list.

The same logic applies to real-time block list (RBL) services and recipient filtering, although the underlying confidence is not as high as the IP Block list. You should be aware that the further along the mail flow path a message travels, the greater the probability of false positives, because the anti-spam features are evaluating more variables. Therefore, you may find that if you configure the first several anti-spam features in the anti-spam chain more aggressively, you can reduce the bulk of your spam. Therefore you will save processing, bandwidth, and disk resources to process more ambiguous messages.

Ultimately, you must plan to monitor the overall effectiveness of the anti-spam features. If you monitor carefully, you can continue to adjust the anti-spam features to work well together for your environment. With this approach, you should plan on a fairly non-aggressive configuration of the anti-spam features when you start. This approach lets you minimize the number of false positives. As you monitor and adjust the anti-spam features, you can become more aggressive about the type of spam and spam attacks that your organization experiences.

For more information about how Microsoft planned and deployed the first generation of anti-spam features in Exchange Server 2003, see Messaging Hygiene at Microsoft: How Microsoft IT Defends Against Spam, Viruses, and E-Mail Attacks.

For more information about anti-spam and antivirus features in Exchange 2007, see the following topics:

• Anti-Spam Stamps
  
  
• Attachment Filtering
  
  
• Connection Filtering
  
  
• Content Filtering
  
  
• Recipient Filtering
  
  
• Safelist Aggregation
  
  
• Spam Quarantine
  
  
• Sender Filtering
  
  
• Sender ID
  
  
• Sender Reputation