MSExchangeGuru.com


Moving Exchange Online Protection Junk Mail to the Junk Email Folder

In a scenario where we use Exchange Online Protection (EOP) to filter all our mail in the cloud, removing spam and malware before onward delivery to an on-premises Exchange 2007 or later server, we have to configure Exchange to move the spam to the Junk Email folder.

By default EOP detects these two levels of spam (malware is detected automatically) and tags the messages rather than moving them. On the on-premises Exchange we have to use transport rules to move these emails to the user's Junk Email folder. Even if we configure EOP to delete junk mail with a very high SCL rating, we still require a transport rule to move the remaining junk emails (with a lower SCL rating) to the Junk Email folder. If we are using Exchange Online (Office 365) we do not need to create these transport rules, as they already exist.

Let's see what transport rules we have to configure.

We will basically require two transport rules to be created in our Exchange organization. These two rules are created with the highest priority. In the example below they set the SCL (Spam Confidence Level) of the message to 6; however, the SCL score should be set to a value that exceeds SCLJunkThreshold, which is the organization-level setting on the Exchange server. What happens then is that any email whose SCL is 6 or above (exceeding the threshold) is placed into the Junk Email folder.

Transport Rules:

New-TransportRule "Move EOP Detected Spam (SFV:SPM) to Junk Email Folder" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6 -Priority 0

New-TransportRule "Move EOP Detected Spam (SFV:SKS) to Junk Email Folder" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6 -Priority 1

After creating the above two rules, we have to wait for Active Directory replication so the rules reach all the Exchange servers and run when a spam email is delivered from EOP. The default value for SCLJunkThreshold is 4, so as long as the rules set the SCL to a value greater than this it should work. We can check the value set for the organization with the command Get-OrganizationConfig | FL SCLJunkThreshold.
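The following Exchange Management Shell script is an added example (not part of the original post) that ties the steps above together: it reads SCLJunkThreshold, picks an SCL that exceeds it, creates the two rules if they are missing or updates them if they already exist, and then lists the result so the outcome can be verified. The rule names, the target SCL of 6 and the cmdlet parameters are taken from the post; the guard against a threshold of 9 is an added assumption (SetSCL accepts at most 9).

```powershell
# Added example: provision the two EOP junk-mail transport rules idempotently.
# Assumes an Exchange Management Shell session with rights to manage transport rules.

$threshold = (Get-OrganizationConfig).SCLJunkThreshold   # default is 4
$targetScl = [Math]::Max(6, $threshold + 1)               # must exceed the threshold; 6 as in the post

# SetSCL is capped at 9, so a threshold of 9 cannot be exceeded by a rule (assumed guard)
if ($threshold -ge 9) {
    throw "SCLJunkThreshold is $threshold; a transport rule cannot set an SCL above it."
}

$rules = @(
    @{ Name = 'Move EOP Detected Spam (SFV:SPM) to Junk Email Folder'; Words = 'SFV:SPM'; Priority = 0 },
    @{ Name = 'Move EOP Detected Spam (SFV:SKS) to Junk Email Folder'; Words = 'SFV:SKS'; Priority = 1 }
)

foreach ($r in $rules) {
    $existing = Get-TransportRule -Identity $r.Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Rule already exists (e.g. re-running the script): bring it in line with the desired state
        Set-TransportRule -Identity $r.Name `
            -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
            -HeaderContainsWords $r.Words -SetSCL $targetScl -Priority $r.Priority
    }
    else {
        New-TransportRule -Name $r.Name `
            -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
            -HeaderContainsWords $r.Words -SetSCL $targetScl -Priority $r.Priority
    }
}

# Verify: both rules present, enabled, and setting an SCL above the threshold
"SCLJunkThreshold = $threshold, rules set SCL = $targetScl"
Get-TransportRule |
    Where-Object { $_.HeaderContainsMessageHeader -eq 'X-Forefront-Antispam-Report' } |
    Select-Object Name, Priority, State, HeaderContainsWords, SetSCL |
    Format-Table -AutoSize
```

Run it once after EOP is in place and again whenever the threshold is changed; because it uses Set-TransportRule for existing rules, re-running it does not create duplicates. Remember that the rule matches the literal text SFV:SPM or SFV:SKS anywhere in the header, so the verification output should show exactly those words and nothing broader.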

EOP messages:

When Microsoft Exchange Online Protection scans an inbound email message it inserts the X-Forefront-Antispam-Report header into the message. This header gives admins information about the message and how it was processed. The X-Microsoft-Antispam header provides additional information about bulk mail and phishing.

SFV – means Spam Filtering Verdict

SFV:SFE – Originated from a Safe Sender (EOP learns Outlook safe senders due to Windows Azure Directory Sync)

SFV:BLK – Originated from a Blocked Sender

SFV:SPM – Spam

SFV:SKS – (SKIP) The message was marked as spam prior to being processed by the spam filter. This includes messages where the message matched a Transport rule to automatically mark it as spam and bypass all additional filtering

SFV:NSPM – Not Spam
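As an added example (not from the original post), the PowerShell below reads the X-Forefront-Antispam-Report header out of a raw message, handling folded continuation lines, splits it into its key:value fields and maps the SFV value to the verdicts listed above. The raw message and its header values are constructed for illustration; the field names (CIP, CTRY, SCL, SFV, CAT) follow the header's documented key:value;key:value layout, but a real header carries more fields.

```powershell
# Added example: extract and decode the EOP spam verdict from a message's headers.

function Get-HeaderValue {
    # Return the value of one header from raw message lines, joining folded lines.
    param([string[]]$RawLines, [string]$Name)
    $value = $null
    foreach ($line in $RawLines) {
        if ($line -eq '') { break }                                  # blank line ends the header block
        if ($null -ne $value) {
            if ($line -match '^[ \t]') { $value += $line.Trim(); continue }  # folded continuation
            break                                                    # next header starts: done
        }
        if ($line -match "^$([regex]::Escape($Name)):\s*(.*)$") { $value = $Matches[1].Trim() }
    }
    return $value
}

function ConvertFrom-AntispamReport {
    # Split "KEY:value;KEY:value" into a hashtable; empty values are kept as empty strings.
    param([string]$Report)
    $fields = @{}
    foreach ($pair in ($Report -split ';')) {
        if ($pair -match '^\s*([^:]+):(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $fields
}

# Verdict descriptions taken from the list above
$verdicts = @{
    SFE  = 'Originated from a safe sender'
    BLK  = 'Originated from a blocked sender'
    SPM  = 'Spam'
    SKS  = 'Marked as spam before the spam filter ran (skip), e.g. by a transport rule'
    NSPM = 'Not spam'
}

# Constructed sample message: the antispam header is folded across two lines
$rawMessage = @(
    'Received: from mail.example.com (203.0.113.10) by EOP (constructed)',
    'X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;IPV:NLI;',
    ' SFV:SPM;CAT:SPM;DIR:INB',
    'Subject: constructed sample',
    '',
    'Body text'
)

$report = ConvertFrom-AntispamReport (Get-HeaderValue -RawLines $rawMessage -Name 'X-Forefront-Antispam-Report')
$sfv = $report['SFV']
$meaning = if ($verdicts.ContainsKey($sfv)) { $verdicts[$sfv] } else { 'Unknown verdict' }
"SFV=$sfv ($meaning); EOP SCL=$($report['SCL']); source IP=$($report['CIP'])"
```

To use it on a real message, replace $rawMessage with `Get-Content -Path .\message.eml` (the header block ends at the first blank line). Comparing the SCL in the header with the SCL the transport rule sets is a quick way to confirm which of the two mechanisms classified a given message.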

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru
