Exchange
United States (English) Sign in
Home Online 2013 2010 Other Versions Library Forums Gallery EHLO Blog
0 out of 2 rated this helpful - Rate this topic

Manage Quarantined Messages

Exchange Online
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2013-05-21

When messages are sent to the quarantine, you can view a list of all messages, or you can search for specific messages by specifying filter criteria. The following procedures describe several search-related scenarios. After searching for and locating a specific quarantined message, you can view details about the message.

tipTip:
Messages are kept in the quarantine for a maximum of 15 days. The retention period can be lowered via the Retain spam for (days) setting in your content filter policies. For more information, see Configure Content Filter Policies.
tipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

You can perform a quick search for quarantined messages if a user in your organization is not receiving messages. After locating this user’s messages in the quarantine, you can view details about the messages and release them if they are false positives.

  1. In the EAC, navigate to Protection > Quarantine, and then click Advanced search.
  2. In the Advanced search window, select Recipient email address, type the email address of the recipient, and then click OK. You can also specify additional search conditions. For more information about these conditions, see Use the EAC to use Advanced Search to filter messages.
  3. Select the message after it is displayed. (If the message is not displayed, you may want to specify a different email address for this recipient.) For information about viewing details about the message, see Use the EAC to view details about a specific quarantined message. For information about releasing the message and optionally reporting it as a false positive, see Release a Quarantined Message and Optionally Report it as a False Positive.

You can perform a targeted search for a specific message. For example, if a specific message is sent by, or intended for, a user in your organization, but it never reaches its destination, you can search for the message using the message trace feature. For details, see Run a Message Trace and View Results. If you discover that the message was sent to the quarantine, perhaps because it matched a rule or was identified as spam, you can then use advanced search to easily find the message in the quarantine using its Message ID. After locating the message in the quarantine, you can view details about the message and release the message if it is a false positive.

  1. In the EAC, navigate to Protection > Quarantine, and then click Advanced search.
  2. In the Advanced search window, select Message ID, specify the Message ID you are searching for, and then click OK. Be sure to include the full Message ID string. This may include angle brackets (<>).
  3. Select the message after it is displayed. For information about viewing details about the message, see Use the EAC to view details about a specific quarantined message. For information about releasing the message and optionally reporting it as a false positive, see Release a Quarantined Message and Optionally Report it as a False Positive.

Repeat the above steps to search for additional messages.

You can filter quarantined items based on several different conditions using advanced search. You can use these conditions separately or in combination with one another. This search will provide a list of messages that meet all your filter criteria, after which you can view details about the messages and release them if they are false positives. For details, see Use the EAC to view details about a specific quarantined message and Release a Quarantined Message and Optionally Report it as a False Positive.

  1. In the EAC, navigate to Protection > Quarantine, and then click Advanced search.
  2. In the Advanced search window, select any combination of the following conditions. Select the associated check box in order to enable each condition.
    1. Message ID   For more information about how to best use this field, see Use the EAC to search for a specific message.
    2. Sender email address   Specify the email address of the person who sent the message.
    3. Recipient email address  Specify the email address of the intended recipient of the message.
    4. Received   You can select one of the following values:
      • Today   The message was received by the quarantine within the previous 24 hours.
      • Last 2 days   The message was received by the quarantine within the previous 48 hours.
      • Last 7 days   The message was received by the quarantine within the previous week (168 hours).
      • Custom   You can select a time interval during which the message was received by the quarantine. Use the drop-down calendars to select the start date and end date, and use the drop-down lists to select the start time and end time.
    5. Expires   You can select one of the following values:
      • Today   The message will be deleted from the quarantine within the next 24 hours.
      • Next 2 days   The message will be deleted from the quarantine within the next 48 hours.
      • Next 7 days   The message will be deleted from the quarantine within the next week (168 hours).
      • Custom   You can select a time interval during which the message will be deleted from the quarantine. Use the drop-down calendars to select the start date and end date, and use the drop-down lists to select the start time and end time.
    6. Type   You can specify whether to search for quarantined messages that have been identified as Spam, or whether to search for messages that matched a Transport rule.
  3. Click OK to start running the advanced search.
    noteNote:
    To clear your search criteria and view all messages in the quarantine, clear all the check boxes in the Advanced search window, and then click OK.

After searching for messages, the results that match your specified criteria will display in the user interface. A maximum of 500 messages can be displayed in the EAC. For information about selecting a message and viewing details about it, see Use the EAC to view details about a specific quarantined message. For information about releasing a message and optionally reporting it as a false positive, see Release a Quarantined Message and Optionally Report it as a False Positive.

After searching for and locating a specific quarantined message in the EAC, you can select the message in order to view details about it.

  1. In the EAC, select a specific message and a summary of the properties of that message appear in the details pane.
    The Message status values are as follows:
    • Type   Denotes whether the message has been identified as Spam or matched a Transport rule.
    • Expires   The date when the message will be deleted from the quarantine.
    The Message details values are as follows:
    • Sender   The email address of the person who sent the message.
    • Subject   The subject line text of the message.
    • Received   The date on which the message was received by the quarantine.
    • Size   The size of the message, in kilobytes (KB), or, if the message size is greater than 999 KBs, in megabytes (MB).
  2. If you double-click a quarantined message, the Quarantined message window opens and displays the following information:
    • Released to   A list of all email addresses to whom the message has been released, if any.
    • Not yet released to   A list of all email addresses to whom the message has not been released, if any. You can click the Release to link in order to release the message; for more information, see Release a Quarantined Message and Optionally Report it as a False Positive.
    • Message ID   The Internet Message ID (also known as the Client ID) found in the header of the message.
    Click Close to return to the main quarantine pane.
 
Did you find this helpful?
(1500 characters remaining)
© 2013 Microsoft. All rights reserved.