Export (0) Print
Expand All

Find and release quarantined messages as an administrator

Exchange 2013
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-07-28

This topic and the included video describe how Exchange Online and Exchange Online Protection (EOP) admins can find, release, and report on messages that reside in the quarantine in the Exchange admin center (EAC). These messages were sent to the quarantine either because they were identified as spam or they matched a transport rule.

Watch the following video for a walkthrough of the quarantine and to see how you can manage quarantined messages.

Your browser does not support video. Install Microsoft Silverlight, Adobe Flash Player, or Internet Explorer 9.

By default, quarantined messages in the EAC are sorted from newest to oldest on the the RECEIVED field. SENDER, SUBJECT, and EXPIRES values are also listed for each message. You can sort on any of these fields by clicking their headers. Clicking a column header a second time will reverse the sort order. A maximum of 500 messages can be displayed in the EAC.

You can view a list of all quarantined messages, or you can search for specific messages by specifying filter criteria (filtering can also help you reduce your result set if you have more than 500 messages). After searching for and locating a specific quarantined message, you can view details about the message. You can also release the message and report it as a false positive (not junk) message to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

TipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

In the Exchange admin center (EAC), you can filter quarantined items based on several different conditions using advanced search. You can use these conditions separately or in combination with one another. The search will provide a list of messages that meet all your filter criteria.

  1. In the EAC, navigate to Protection > Quarantine, and then click Advanced search.

  2. In the Advanced search window, select any combination of the following conditions. Select the associated check box in order to enable each condition. Wildcards aren’t supported.

    1. Message ID  You can use this parameter to perform a targeted search for a specific message. For example, if a specific message is sent by, or intended for, a user in your organization, but it never reaches its destination, you can search for the message using the message trace feature. For details, see Run a Message Trace and View Results. If you discover that the message was sent to the quarantine, perhaps because it matched a rule or was identified as spam, you can then easily find this message in the quarantine by specifying its Message ID. Be sure to include the full Message ID string. This may include angle brackets (<>).

    2. Sender email address   Specify the email address of the person who sent the message.

    3. Recipient email address  Specify the email address of the intended recipient of the message.

    4. Subject  Specify the subject line text of the message.

    5. Received   You can select that the message was received by the quarantine within the past 24 hours (Today), within the past 48 hours (Last 2 days), within the past week (Last 7 days), or you can select a custom time interval during which the message was received by the quarantine.

    6. Expires   You can select that the message will be deleted from the quarantine within the next 24 hours (Today), within the next 48 hours (Next 2 days), within the next week (Next 7 days), or you can select a custom time interval during which the message will be deleted from the quarantine.

      ImportantImportant:
      By default, spam-quarantined messages are kept in the quarantine for 15 days, while quarantined messages that matched a transport rule are kept in the quarantine for 7 days. After this period of time the messages are deleted and are not retrievable. The retention period for quarantined messages that matched a transport rule is not configurable. However, the retention period for spam-quarantined messages can be lowered via the Retain spam for (days) setting in your content filter policies. For more information, see Configure Content Filter Policies.
    7. Type   You can specify whether to search for quarantined messages that have been identified as Spam, or whether to search for messages that matched a Transport rule.

  3. Click OK to start running the advanced search.

    NoteNote:
    To clear your search criteria and view all messages in the quarantine, clear all the check boxes in the Advanced search window, and then click OK.

After searching for messages, the results that match your specified criteria will display in the user interface. A maximum of 500 messages can be displayed in the EAC.

After locating a specific quarantined message in the EAC, you can view details about it.

  1. In the EAC, select a specific message and a summary of the properties of that message appear in the details pane on the right side of the screen.

    The Message status values are as follows:

    • Type   Denotes whether the message has been identified as Spam or matched a Transport rule.

    • Expires   The date when the message will be deleted from the quarantine.

    The Message details values are as follows:

    • Sender   The email address of the person who sent the message.

    • Subject   The subject line text of the message.

    • Received   The date on which the message was received by the quarantine.

    • Size   The size of the message, in kilobytes (KB), or, if the message size is greater than 999 KBs, in megabytes (MB).

    • View message header   Click this link to open the message header dialog box, which lets you view the message header text. You can also copy the message header text to your clipboard and paste it into the Message Header Analyzer. Once in the Message Header Analyzer tool, click Analyze headers in order to retrieve information about the header.

      TipTip:
      For information about specific anti-spam message header fields inserted by the service, see Anti-spam message headers.
  2. If you double-click a quarantined message, the Quarantined message window opens and displays the following information:

    • Released to   A list of all email addresses to whom the message has been released, if any.

    • Not yet released to   A list of all email addresses to whom the message has not been released, if any. You can click the Release to link in order to release the message; for more information about releasing a message, see the next section.

    • Message ID   The Internet Message ID (also known as the Client ID) found in the header of the message.

    Click Close to return to the main quarantine pane.

After locating a quarantined message, you can perform the following actions on it:

  • Release the message without reporting it as a false positive   When you choose this option, you can specify to send the message to all recipients who have not yet received it, or to specific recipients.

  • Release the message and report it as a false positive   When you choose this option, the message will be released to all recipients who have not yet received it. If it’s a spam-quarantined message, it will also be reported to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

When a message is released, the service will re-scan the released message for malware but will skip spam filtering and transport rule processing.

  1. In the EAC, navigate to Protection > Quarantine.

  2. Select a message, click the Release Message icon, and then click Release message without reporting it as a false positive from the drop-down list.

  3. In the release message dialog box, select one of the following options:

    1. Release message to all recipients   When you select this option, be aware that a message cannot be released more than once to the same recipient. If a recipient has previously received the message, it will not be released again to that recipient.

    2. Release message to specified recipients   Select the user or users to whom the message can be released. Because a message can only be released once to each user, only users to whom it can be released appear in this list. Multi-selection is supported. After making your user selections, click add.

  4. Click release.

If you click the Refresh Refresh Icon icon to refresh your data, and then double-click the message, you should see that it’s been released to the intended recipients.

  1. In the EAC, navigate to Protection > Quarantine.

  2. Select a message, click the Release Message icon, and then click Release message and report it as a false positive from the drop-down list.

  3. In the report false positive dialog box, click report false positive.

    NoteNote:
    If a message was quarantined because of a transport rule or because of an advanced spam filter option (for details, see Advanced Spam Filtering Options), the submitted message will not be evaluated.

If you click the Refresh Refresh Icon icon to refresh your data, and then double-click the message, you should see that it’s been released to the intended recipients.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft