Anti-Spam Protection
Applies to: Exchange Online Protection, Exchange Online
Topic Last Modified: 2013-05-20
Spam filtering is automatically enabled for all inbound and outbound email messages processed by your Exchange Online or Exchange Online Protection service. Spam filtering cannot be completely disabled. However, certain company-wide settings can be modified by editing the default anti-spam policy for the policy types described below. For greater granularity, you can also create custom content filter policies and apply them to specified users, groups, or domains in your organization. By default, custom policies take precedence over the default policy, but you can change the priority (running order) of your custom policies.
Spam filtering consists of the following policy types:
- Connection filtering: The spam filters first check the IP Allow and IP Block lists and filter inbound messages according to the specifications of both lists. Messages that are sent from allowed IP addresses are not subject to further spam filtering; for example, content filtering is bypassed. Furthermore, messages from an IP address that appears on both lists are allowed. IP Allow and IP Block lists are empty by default and must be configured by editing the default connection filter policy.
You can also select the Enable safe list check box by editing the default connection filter policy. Microsoft subscribes to various third-party sources of trusted senders. Selecting this option skips spam filtering on messages sent from these senders, ensuring that they are never mistakenly marked as spam.
In addition to the IP Allow list, IP Block list, and safe list options that you can configure in the Exchange admin center, Microsoft uses and maintains a dynamic IP Block list as well as several third-party IP Block lists; senders whose IP address matches the IP Block lists are rejected.
For more information about connection filtering, see Configure the Connection Filter Policy.
- Content filtering: Content filtering examines each part of the inbound email message, such as headers, bodies, and MIME parts, using a list of regular expressions. A score is then assigned to the message if a rule is matched within the message. Several URL lists are also used to block suspicious messages that contain specific URLs within their message body. When a message is identified as a potential spam message, the action that is performed upon the message is dependent upon the confidence threshold level. You can configure actions for each confidence threshold level via your content filter policies.
You can also configure the following options via your content filter policies:
- International Filtering: You can choose to filter email messages written in specific languages, or sent from specific countries or regions. The service will apply the configured action.
- Advanced Spam Filtering Options: When enabled, advanced spam filtering (ASF) options inspect various content attributes of a message. The presence of these attributes in a message either increases the potential for it to be identified as spam or causes the message to be marked as spam. ASF options are disabled by default, and enabling them is an aggressive approach to spam filtering.
It’s recommended that organizations that are concerned about phishing turn on the SPF record: hard fail and Conditional Sender ID filtering: hard fail options. These options use a combination of Sender ID and SPF technologies to authenticate and verify that messages are not spoofed. When checking the Sender ID, a call is made into DNS to verify that a legitimate IP address is sending the message on behalf of the domain. SPF authentication checks if a message is coming from an IP address that is not on the list of allowed IPs that can send mail on behalf of the domain; if this is the case, the message is marked as spam.
For more information about content filtering, see Configure Content Filter Policies.
Tip: You can also create transport rules to enforce company-wide regulations and policies; for more information, see Transport Rules. Additionally, end users can manage some spam settings for their own mailbox, using Outlook or Outlook Web App. For example, end users can add email addresses or domain names to their safe senders list or safe recipients list. Be sure to use the Office 365 Directory Synchronization tool to ensure that these settings are synced to the service.
- Outbound filtering: Outbound spam filtering is always enabled if you use the service for sending outbound email, thereby protecting organizations using the service and their intended recipients. Similar to inbound filtering, outbound spam filtering consists of connection filtering and content filtering; however, the outbound filter settings are not configurable. If an outbound message is determined to be spam, it is routed through the high risk delivery pool, which reduces the probability of the normal outbound-IP pool being added to a block list. If a customer continues to send outbound spam through the service, they will be blocked from sending messages. Although outbound spam filtering cannot be disabled or changed, you can configure several company-wide outbound spam settings via the default outbound spam policy.
For more information about outbound spam filtering, see Configure the Outbound Spam Policy.
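Because an address on both the IP Allow and IP Block lists is allowed and then skips content filtering, it is worth auditing the two lists for overlap. The following is an added example, not code from the service: it models only the tenant-configured lists, assumes entries are written as single addresses or CIDR ranges, and uses constructed sample entries and hypothetical function names.

```python
import ipaddress

def parse(entries):
    """Turn strings such as '203.0.113.10' or '198.51.100.0/24' into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def connection_verdict(sender_ip, allow, block):
    """Model the order described above: the allow list is checked first,
    so an address present on both lists is allowed."""
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in allow):
        return "allow-skip-content-filter"
    if any(ip in net for net in block):
        return "reject"
    return "continue-to-content-filter"

def shadowed_block_entries(allow, block):
    """Report block entries that an allow entry overrides, fully or partly."""
    findings = []
    for b in block:
        for a in allow:
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
            if a.version == b.version and a.overlaps(b):
                scope = "fully" if b.subnet_of(a) else "partly"
                findings.append((str(b), str(a), scope))
    return findings

# Constructed sample lists (documentation address ranges)
ALLOW = parse(["198.51.100.0/24", "203.0.113.10"])
BLOCK = parse(["198.51.100.25", "203.0.113.0/28", "192.0.2.0/24"])

if __name__ == "__main__":
    for entry, winner, scope in shadowed_block_entries(ALLOW, BLOCK):
        print(f"block entry {entry} is {scope} overridden by allow entry {winner}")
    for ip in ("198.51.100.25", "203.0.113.5", "203.0.113.200"):
        print(ip, "->", connection_verdict(ip, ALLOW, BLOCK))
```

Any block entry reported as overridden identifies senders whose mail bypasses content filtering despite the block entry.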
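To show what the SPF record: hard fail option reacts to, here is an added example (not the service's code) that evaluates a domain's published SPF record against a connecting IP address. It handles only the `ip4`, `ip6` and `all` mechanisms, takes the record as a string instead of querying DNS, and uses a constructed record; the function names are hypothetical.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail' (hard fail), 'softfail', 'neutral', 'none'
    (no SPF record) or 'unsupported' (term that needs DNS, e.g. include)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                    # catch-all, normally the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"                 # a, mx, include, redirect=, ...
    return "neutral"                         # nothing matched and no 'all'

def marked_as_spam(record, sender_ip, hard_fail_option_enabled=True):
    """Model of the option: only a hard fail ('-') marks the message as spam."""
    return hard_fail_option_enabled and evaluate_spf(record, sender_ip) == "fail"

# Constructed record for a fictional domain
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for ip in ("192.0.2.55", "2001:db8::1", "198.51.100.9"):
        print(ip, evaluate_spf(RECORD, ip), marked_as_spam(RECORD, ip))
```

A domain that publishes `~all` instead of `-all` produces a soft fail for unlisted senders, which this option does not act on.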
