Export (0) Print
Expand All
3 out of 9 rated this helpful - Rate this topic

Find and Release Quarantined Messages

Exchange 2013
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-04-08

NoteNote:
This topic is for administrators who want to manage quarantined messages in the Exchange admin center (EAC). For information about end user spam quarantine self-management, see Use End-User Spam Notifications to Release and Report Spam-Quarantined Messages.

When messages are sent to the quarantine, either because they were spam content-filtered or because they matched a transport rule, you can view a list of all messages, or you can search for specific messages by specifying filter criteria. After searching for and locating a specific quarantined message, you can view details about the message. You can also release the message and, if it’s a spam-quarantined message, you can report it as a false positive (not junk) message to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

TipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

In the Exchange admin center (EAC), you can filter quarantined items based on several different conditions using advanced search. You can use these conditions separately or in combination with one another. The search will provide a list of messages that meet all your filter criteria.

  1. In the EAC, navigate to Protection > Quarantine, and then click Advanced search.

  2. In the Advanced search window, select any combination of the following conditions. Select the associated check box in order to enable each condition. Wildcards aren’t supported.

    1. Message ID  You can use this parameter to perform a targeted search for a specific message. For example, if a specific message is sent by, or intended for, a user in your organization, but it never reaches its destination, you can search for the message using the message trace feature. For details, see Run a Message Trace and View Results. If you discover that the message was sent to the quarantine, perhaps because it matched a rule or was identified as spam, you can then easily find this message in the quarantine by specifying its Message ID. Be sure to include the full Message ID string. This may include angle brackets (<>).

    2. Sender email address   Specify the email address of the person who sent the message.

    3. Recipient email address  Specify the email address of the intended recipient of the message.

    4. Subject  Specify the subject line text of the message.

    5. Received   You can select that the message was received by the quarantine within the past 24 hours (Today), within the past 48 hours (Last 2 days), within the past week (Last 7 days), or you can select a custom time interval during which the message was received by the quarantine.

      Note: Messages are kept in the quarantine for a maximum of 15 days. The retention period can be lowered via the Retain spam for (days) setting in your content filter policies. For more information, see Configure Content Filter Policies.

    6. Expires   You can select that the message will be deleted from the quarantine within the next 24 hours (Today), within the next 48 hours (Next 2 days), within the next week (Next 7 days), or you can select a custom time interval during which the message will be deleted from the quarantine.

    7. Type   You can specify whether to search for quarantined messages that have been identified as Spam, or whether to search for messages that matched a Transport rule.

  3. Click OK to start running the advanced search.

    NoteNote:
    To clear your search criteria and view all messages in the quarantine, clear all the check boxes in the Advanced search window, and then click OK.

After searching for messages, the results that match your specified criteria will display in the user interface. A maximum of 500 messages can be displayed in the EAC.

After locating a specific quarantined message in the EAC, you can view details about it.

  1. In the EAC, select a specific message and a summary of the properties of that message appear in the details pane.

    The Message status values are as follows:

    • Type   Denotes whether the message has been identified as Spam or matched a Transport rule.

    • Expires   The date when the message will be deleted from the quarantine.

    The Message details values are as follows:

    • Sender   The email address of the person who sent the message.

    • Subject   The subject line text of the message.

    • Received   The date on which the message was received by the quarantine.

    • Size   The size of the message, in kilobytes (KB), or, if the message size is greater than 999 KBs, in megabytes (MB).

    • View message header   Click this link to open the message header dialog box, which lets you view the message header text. You can also copy the message header text to your clipboard and paste it into the Message Header Analyzer. Once in the Message Header Analyzer tool, click Analyze headers in order to retrieve information about the header.

      TipTip:
      For information about specific anti-spam message header fields inserted by the service, see Anti-Spam Message Headers.
  2. If you double-click a quarantined message, the Quarantined message window opens and displays the following information:

    • Released to   A list of all email addresses to whom the message has been released, if any.

    • Not yet released to   A list of all email addresses to whom the message has not been released, if any. You can click the Release to link in order to release the message; for more information about releasing a message, see the next section.

    • Message ID   The Internet Message ID (also known as the Client ID) found in the header of the message.

    Click Close to return to the main quarantine pane.

After locating a specific quarantined message in the EAC, you can release it and optionally report it as a false positive (not junk) message using one of the following options:

  • Release the message without reporting it as a false positive   When you choose this option, you can specify to send the message to all recipients who have not yet received it, or to specific recipients.

  • Release the message and report it as a false positive   When you choose this option, the message will be released to all recipients who have not yet received it. If it’s a spam-quarantined message, it will also be reported to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

When a message is released, the service will re-scan the released message for malware but will skip spam filtering and transport rule processing.

  1. In the EAC, navigate to Protection > Quarantine.

  2. Select a message, click the Release Message icon, and then click Release message without reporting it as a false positive from the drop-down list.

  3. In the release message dialog box, select one of the following options:

    1. Release message to all recipients   When you select this option, be aware that a message cannot be released more than once to the same recipient. If a recipient has previously received the message, it will not be released again to that recipient.

    2. Release message to specified recipients   Select the user or users to whom the message can be released. Because a message can only be released once to each user, only users to whom it can be released appear in this list. Multi-selection is supported. After making your user selections, click add.

  4. Click release.

  1. In the EAC, navigate to Protection > Quarantine.

  2. Select a message, click the Release Message icon, and then click Release message and report it as a false positive from the drop-down list.

  3. In the report false positive dialog box, click report false positive.

    NoteNote:
    If a message was quarantined because of a transport rule or because of an advanced spam filter option (for details, see Advanced Spam Filtering Options), the submitted message will not be evaluated.
 
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.