Advanced Spam Filtering Options

Exchange 2013
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-08-13

Advanced spam filtering (ASF) options give administrators the ability to inspect various content attributes of a message. The presence of these attributes in a message either increases the spam score of the message (thereby increasing the potential for it to be identified as spam) or marks the message as spam. The ASF options target specific message properties, such as HTML tags and URL redirection, which are commonly found in spam messages.

Enabling ASF options is an aggressive approach to spam filtering, and any messages that are filtered by these options cannot be reported as false positives. These messages can be identified through periodic end-user spam notifications and salvaged from the spam quarantine. They can also be identified via the X-header text that’s specific to each ASF option, which appears in the Internet header of messages where an ASF option has been matched. For more information, see Anti-spam message headers.
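The following added example (not Microsoft code) shows one way to audit quarantined or exported messages by their X-CustomSpam headers, using the X-header text listed in the table further down this page. The function names, the lowercase matching, and the sample messages are assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string

# X-header text from this page's table, lowercased for matching because the
# page's own capitalisation varies ("HTML" vs "html").
INCREASE = ["image links to remote sites", "numeric ip in url",
            "url redirect to other port", "url to .biz or .info websites"]
MARK = ["empty message", "javascript or vbscript tags in html",
        "iframe or frame in html", "object tag in html", "embed tag in html",
        "form tag in html", "web bug", "sensitive word in subject/body",
        "spf record fail", "spf from record fail", "backscatter ndr", "bulk mail"]
SECTION = {**dict.fromkeys(INCREASE, "increase spam score"),
           **dict.fromkeys(MARK, "mark as spam")}

def asf_matches(raw_message):
    """Return [(header_text, section)] for each X-CustomSpam header found."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("X-CustomSpam", []):
        text = " ".join(value.split())      # unfold continuation lines, trim
        hits.append((text, SECTION.get(text.lower(), "unknown")))
    return hits

def tally(raw_messages):
    """Count matches per (section, option) across a batch of messages."""
    counts = Counter()
    for raw in raw_messages:
        for text, section in asf_matches(raw):
            counts[(section, text.lower())] += 1
    return counts

# Constructed sample messages, not real mail.
SAMPLES = [
    "From: a@example.com\nSubject: Offer\nX-CustomSpam: Numeric IP in URL\n"
    "X-CustomSpam: Image links to remote sites\n\nbody",
    "From: b@example.com\nSubject: News\nX-CustomSpam: Web bug\n\nbody",
    "From: c@example.com\nSubject: Hi\nX-CustomSpam: IFRAME or\n FRAME in HTML\n\nbody",
]

if __name__ == "__main__":
    for (section, option), n in sorted(tally(SAMPLES).items()):
        print(f"{n:3}  {section:20} {option}")
```

A header value that is not in the table is reported as "unknown" rather than dropped, so unexpected X-CustomSpam text still shows up in the tally.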

ASF options can be set on, off, or to test mode when you edit your content filter policies. For more information, see Configure Content Filter Policies. (Note: Test mode is not available for the NDR backscatter, SPF record: hard fail, Conditional Sender ID filtering: hard fail, and Bulk mail options.)

Tip:
  • Consider enabling your ASF options in test mode in order to maximize spam blocking based upon your environment. For customers with high spam percentages for specific ASF options, we recommend that you test these options first before implementing them in your production environment.

  • It’s recommended that organizations who are concerned about phishing turn on the SPF record: hard fail option.

The following table describes each advanced spam filtering option.

 

Advanced Spam Filtering Option | Description | X-header text

Increase Spam Score Section

When enabled, these options set the spam confidence level (SCL) of a matched message to 5 or 6, which is considered suspected spam. The action performed on the message will match the Spam setting in your content filter policy.

Image links to remote sites

When this setting is enabled, any message with HTML content that has an IMG tag that links remotely (for example, using http) will receive an increased spam score.

X-CustomSpam: Image links to remote sites

Numeric IP address in URL

When this setting is enabled, any message that has numeric-based URLs (most often in the form of an IP address) will receive an increased spam score.

X-CustomSpam: Numeric IP in URL 

URL redirect to other port

When this setting is enabled, any message that contains a hyperlink that redirects the user to ports other than port 80 (regular HTTP protocol port), 8080 (HTTP alternate port), or 443 (HTTPS port) will receive an increased spam score.

X-CustomSpam: URL redirect to other port

URL to .biz or .info websites

When this setting is enabled, any message that contains a .biz or .info extension in the body of a message will receive an increased spam score.

X-CustomSpam: URL to .biz or .info websites

Mark as Spam Section

When enabled, these options set the spam confidence level (SCL) of a matched message to 9, which is considered certain spam. The action performed on the message will match the High confidence spam setting in your content filter policy.

Empty messages

When this setting is enabled, any message in which the body and subject line are both empty, and which also has no attachment, will be marked as spam.

X-CustomSpam: Empty Message

JavaScript or VBScript in HTML

When this setting is enabled, any message that uses JavaScript or Visual Basic Script Edition in HTML will be marked as spam. Both of these scripting languages are used within an HTML message to automatically cause a specific action to occur. The browser will parse and process the script along with the rest of the document.

X-CustomSpam: Javascript or VBscript tags in HTML

Frame or IFrame tags in HTML

When this setting is enabled, any message that contains the <Frame> or <IFrame> HTML tag will be marked as spam. These tags are used on websites or in HTML messages to format the page for displaying text or graphics.

X-CustomSpam: IFRAME or FRAME in HTML

Object tags in HTML

When this setting is enabled, any message that contains the <Object> HTML tag will be marked as spam. This HTML tag allows plug-ins or applications to run in an HTML window.

X-CustomSpam: Object tag in html

Embed tags in HTML

When this setting is enabled, any message that contains the <Embed> HTML tag will be marked as spam. This HTML tag allows different kinds of documents of varying data types to be embedded into an HTML document. Examples include sounds, movies, or pictures.

X-CustomSpam: Embed tag in html

Form tags in HTML

When this setting is enabled, any message that contains the <Form> HTML tag will be marked as spam. This HTML tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.

X-CustomSpam: Form tag in html

Web bugs in HTML

When this setting is enabled, any message that contains a Web bug will be marked as spam. A Web bug is a graphic that is designed to determine whether a Web page or email message has been read. Web bugs are often invisible to the recipient because they are typically added to a message as a graphic that is as small as one pixel by one pixel. Legitimate newsletters may also use this technique, although many consider this an invasion of privacy.

X-CustomSpam: Web bug

Apply sensitive word list

When this setting is enabled, any message that contains a word from the sensitive word list will be marked as spam. Using the sensitive word list allows easy blocking of words that are associated with potentially offensive messages. Some of these words are case sensitive. As an administrator, you cannot edit this list. Filtering against the sensitive word list is applied to both the subject and message body of a message.

X-CustomSpam: Sensitive word in subject/body

SPF record: hard fail

When this setting is enabled, messages that fail an SPF check (meaning they were sent from an IP address not specified in the SPF record) will be marked as spam. Turning this setting on is recommended for organizations who are concerned about receiving phishing messages.

Note: Test mode is not available for this option.

X-CustomSpam: SPF Record Fail

Conditional Sender ID filtering: hard fail

When this setting is enabled, any message that hard fails a conditional Sender ID check is marked as spam. This option combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders.

Note: Test mode is not available for this option.

X-CustomSpam: SPF From Record Fail

NDR backscatter

If you’re using EOP to protect on-premises mailboxes, when this setting is enabled, all legitimate non-delivery report (NDR) messages are delivered to the original sender, and all backscatter (illegitimate NDR) messages will be marked as spam. If you don’t enable this setting, then all NDRs still go through content filtering. In this case, most legitimate messages will get delivered to the original sender while some, but not all, backscatter messages will get marked as spam. However, backscatter messages that aren’t marked as spam won’t go to the original sender because they will go to the spoofed sender.

If you’re using the service to protect Exchange Online cloud-hosted mailboxes, you don’t need to configure this setting.

Note:
  • For both scenarios (on-premises and cloud-hosted mailboxes), it’s also not necessary to enable this setting for outbound mail sent through the service, as NDRs that are legitimate bounce messages will be automatically detected and delivered to the original sender.

  • Test mode is not available for this option.

Tip: For more information about backscatter messages and EOP, see Backscatter messages and EOP.

X-CustomSpam: Backscatter NDR

Bulk mail

When this setting is enabled, any message that is identified as bulk mail on Microsoft’s internal bulk list, such as advertisements and marketing emails, will be marked as spam. Email is marked as bulk based on the following criteria:

  • The sending IP address belongs to a sender that's known to send promotional materials, or that is a known or suspected email marketer.

    Note: The Bulk Complaint Level (BCL) message header is inserted when a bulk email is identified by Microsoft’s internal bulk list or by one of our third-party bulk list providers.

  • The quality of the sender's email list acquisition practices can’t be determined.

Note:
  • By default, this option is enabled for new customers and disabled for transitioned Forefront Online Protection for Exchange (FOPE) customers.

  • Test mode is not available for this option.

  • IP addresses on the bulk list are added as single IP addresses or by CIDR range, and not by reverse DNS value. 

  • Exchange Online and EOP customer sending IP addresses may be added to the bulk list if they’re sending bulk email.

  • If you want bulk email messages to be delivered to your inbox, make sure to add the senders to your safe senders list in Outlook or Outlook Web App.

X-CustomSpam: Bulk Mail
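
To estimate which ASF options a known-good HTML message (for example, your own newsletter template) is likely to match before you enable them, the following added example approximates the URL and HTML-tag options described in the table. It is not Microsoft's filter logic: the function names and the matching rules (an explicit port in the URL, a host ending in .biz or .info, a `<script>` tag as the script indicator) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 8080, 443}   # ports the table says are not scored
TAG_OPTIONS = {                   # HTML tag -> option name from the table
    "script": "JavaScript or VBScript in HTML", "form": "Form tags in HTML",
    "frame": "Frame or IFrame tags in HTML", "iframe": "Frame or IFrame tags in HTML",
    "object": "Object tags in HTML", "embed": "Embed tags in HTML",
}

def url_findings(url):
    """Approximate the URL options: numeric host, odd port, .biz/.info host."""
    found = set()
    try:
        parts = urlsplit(url)
        host, port = parts.hostname or "", parts.port
    except ValueError:            # malformed authority or port: nothing to report
        return found
    if host.replace(".", "").isdigit() or ":" in host:   # IPv4/decimal or IPv6
        found.add("Numeric IP address in URL")
    elif host.endswith((".biz", ".info")):
        found.add("URL to .biz or .info websites")
    if port is not None and port not in ALLOWED_PORTS:
        found.add("URL redirect to other port")
    return found

class AsfPrecheck(HTMLParser):
    def handle_starttag(self, tag, attrs):    # also called for <tag/> forms
        attrs = dict(attrs)
        if tag in TAG_OPTIONS:
            self.findings.add(TAG_OPTIONS[tag])
        src = (attrs.get("src") or "").lower()
        if tag == "img" and src.startswith(("http://", "https://")):
            self.findings.add("Image links to remote sites")
        for name in ("href", "src", "action"):
            self.findings |= url_findings(attrs.get(name) or "")

def precheck(html):
    """Return the option names an HTML body would likely match."""
    parser = AsfPrecheck()
    parser.findings = set()
    parser.feed(html)
    return parser.findings

# Constructed sample body, not taken from real mail.
SAMPLE = ('<img src="http://203.0.113.7:8081/p.gif"><a href="https://news.example.info/x">x</a>'
          '<form action="/submit"></form>')

if __name__ == "__main__":
    print(sorted(precheck(SAMPLE)))
```

Options that depend on data outside the message body (SPF, Sender ID, NDR backscatter, bulk list, sensitive word list) are not covered by this sketch.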

 
© 2014 Microsoft