Export (0) Print
Expand All

Configuring Additional Spam Filtering Options


Applies to: Forefront Online Protection for Exchange

Topic Last Modified: 2012-08-02

Forefront Online Protection for Exchange (FOPE), Additional Spam Filtering (ASF) options give you as an IT administrator the ability to select various content attributes of a message that either increase the spam score (potential for the message to be quarantined as spam) or quarantine messages containing specific attributes. The ASF rules target specific message properties such as HTML tags and URL redirection, which are commonly found in spam messages. See below for the full list of ASF Options.

Enabling the ASF options is considered an aggressive approach to spam filtering, and any messages that are filtered by these options cannot be reported as false positives. These messages can be salvaged using Spam Quarantine and the periodic spam notification messages. Administrators can create Allow policy rules that permit messages to bypass all spam filtering, including these ASF options. If a domain is using a Spam Action option, the ASF definition appears in the Internet header section of a message that has been marked as spam.

Configure ASF options for your domain
  1. On the Administration tab, click the Domains tab.

  2. In the Domains list, click the name of the domain that you want to modify. You can search for a specific domain name by using the search box.

  3. In the Service Settings section in the center pane, next to Additional Spam Filtering (ASF) Options, click Edit.

    ASF Options
  4. For each option, do one of the following:

    • Turn the option on or off. When you turn an option on, messages will be actively filtered according to the rule associated with that option. Messages will be marked as spam or will have the spam scores increased, depending on which ASF options you enable.

    • Click Test to run the option in Test mode. Options that enable filters in Test mode do not take action on messages that meet the filter criteria. Test messages are tagged with either an X-Header or a Subject Line insertion before they are delivered to the intended recipient. They are not filtered against the spam filtering rules.

  5. Click Save.

Some ASF options increase the spam score of a message. Other options mark the message as spam and quarantine it. For a description of each ASF option, see the Additional Spam Filtering (ASF) Options table below. For additional information and recommendations about the ASF options, also see “Additional Spam Filtering Options” in Best Practices for Configuring FOPE.


ASF Option Description ID (as displayed in Test Mode, Quarantine, and so on)

Increase Spam Score Section

Image links to remote sites

This option specifies that any messages with image links to remote sites will trigger a code that causes an HTML email message to load a graphic from a remote Web site. Image tags can be used in legitimate newsletters. However, a spammer can also use an image tag to display text or graphics for advertising purposes. Therefore, applying this option increases the score that such a message receives, and therefore increases the likelihood that it will be marked as spam.


Numeric IP in URL

Messages that have numeric-based URLs (most often in the form of an IP address) will receive an increased spam score.


URL redirect to other port

Messages that contain a hyperlink that redirects the user to ports other than port 80 (regular HTTP protocol port), 8080 (HTTP alternate port), or 443 (HTTPS port) will receive an increased spam score.


URL to .biz or .info Web sites

Messages that contain a .biz or .info extension in the body of a message will receive an increased spam score.


Mark as Spam Section

Empty messages

Any message in which the message body and subject line are both empty and have no message body formatting, and which also has no attachment, will be marked as spam.


JavaScript or VBScript in HTML

Any message that uses JavaScript or Visual Basic Script Edition in HTML will be marked as spam. Both of these scripting languages are used within an HTML email message to automatically cause a specific action to occur. The browser will parse and process the script along with the rest of the document. The presence of either of these tags indicates dynamic content and the possibility of malicious intent.


Frame or IFrame tags in HTML

Any message that uses the <Frame> or <IFrame> HTML tag will be marked as spam. These tags are used on Web sites or in HTML email messages to format the page for displaying text or graphics.


Object tags in HTML

Any message that contains the <Object> HTML tag will be marked as spam. This HTML tag allows plug-ins or applications to run in an HTML window.


Embed tags appear in HTML

Any message that contains the <Embed> HTML tag will be marked as spam. This HTML tag allows different kinds of documents of varying data types to be embedded into an HTML document. Examples include sounds, movies, or pictures.


Form tags appear in HTML

Any message that contains the <Form> HTML tag will be marked as spam. This HTML tag is used to create Web site forms. Email advertisements often include this tag in an attempt to solicit information from the recipient.


Web bugs in HTML

Any message that contains a Web bug will be marked as spam. A Web bug is a graphic that is designed to determine whether a Web page or email message has been read. Web bugs are often invisible to the recipient because they are typically added to a message as a graphic that is as small as one pixel by one pixel.

Legitimate newsletters may also use this technique, although many consider this an invasion of privacy.


Apply sensitive word list

Any message that contains a word from the sensitive word list will be marked as spam. Using the sensitive word list allows easy blocking of words that are associated with potentially offensive messages. Some of these words are case sensitive.

As administrator, you cannot edit this list. Filtering against the sensitive word list is applied to both the subject and message body of a message.

8, 9

SPF record Hard Fail

Any message that does not pass an SPF record verification will be marked as spam. The filter determines whether the envelope sender domain of an incoming message publishes an SPF record (v=spf1 TXT record). If the envelope sender domain does not publish an SPF record, this filter will have no impact on mail filtering. If the envelope sender domain does publish an SPF record, the filter will perform an SPF check to verify that the connecting IP is an approved sender IP for that domain. If the connecting IP is not an approved sender for the domain, then the mail is marked as spam.

In order to avoid false positives (legitimate email incorrectly identified as spam) for mail from your company, make sure that the SPF record is correctly configured for your domains. See “SPF Record Settings” for outbound email filtering in Best Practices for Configuring FOPE to learn how to configure your SPF record.


From: address authentication: Hard fail

Any message that hard fails a “From Address” SPF authentication process will be marked as spam. From Address authentication is a method of authenticating the sender of the message. Specifically, this option uses an SPF check to help protect against message headers that contain forged senders.

A regular SPF check authenticates the message by verifying that the envelope sender corresponds to the IP address that sent the message. It does this by looking up the transmitting IP address in the sender’s SPF record. However, in many cases, the envelope sender is not the sender that is displayed to the end user. What the end user sees in the email client are the “message From:” and “message To:” headers.

From Address authentication is designed to work with traditional SPF checks. If a regular SPF check returns a value of SPF None, Neutral, TempError, or PermError, then an additional SPF check will be performed against the domain in the Sender field in the message headers, if that field exists. If it does not exist, then the SPF check will be conducted against the domain in the From field in the message headers (the domain that appears in the end user’s email client).

From Address authentication helps identify and prevent an event in which a spammer spoofs both the envelope sender, by sending from a domain with no SPF record, and the domain that the end user sees in the email client. A traditional SPF check will not capture this case because it does not authenticate against domains in the From field, so From address authentication will capture it. If a hard fail occurs, the message is flagged as spam; otherwise, spam points are added.

From Address authentication is skipped if the result of the regular SPF check is SPF Pass, Hard Fail, or Soft Fail.

It is possible for From Address authentication to create false positives (legitimate emails misidentified as spam), because in the SMTP protocol it is not illegal to send mail while rewriting the sending organization in the From or Sender fields. This is most likely to occur in newsletters and other bulk mail. In order to avoid the possibility of messages from your company being marked as spam, it is important to make sure that the SPF record is correctly configured for your domains.
See “SPF Record Settings” for outbound email filtering in Best Practices for Configuring FOPE to learn how to configure your SPF record.


NDR (non-delivery report) Backscatter

This option marks as spam all messages that match the non-delivery report (NDR) bounce characteristics. Customers with outbound filtering do not need to enable this option, as NDRs that are legitimate bounce messages will be automatically detected as such and delivered to the original sender. At the same time, all illegitimate bounce messages, known as backscatter, are marked as spam.

Enabling this option will mark all NDRs as spam, regardless of whether or not the customer is using outbound filtering, and regardless of whether the NDR is legitimate.


Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft