Configuring Anti-Spam Features to Reduce the Volume of Spam

Exchange 2007

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2016-11-10

You can use the Exchange Management Console or the Exchange Management Shell to configure each default anti-spam feature individually.

When the Content Filter agent assigns a spam confidence level (SCL) rating to a message, it considers any assigned data from other filters in the SCL calculation. The SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more likely to be spam. The SCL threshold is a set of configurations that you set on the Edge Transport server and on the e-mail server. In Microsoft Exchange Server 2003, the SCL threshold defines when the content filtering feature takes a specific action on a specific message, such as when it rejects a message or deletes a message. In Exchange Server 2007, we've improved the SCL threshold functionality so that you can adjust the SCL to a more precise level. You can now define three specific actions according to SCL thresholds. For example, in Exchange 2007, you can define different thresholds that determine whether a message on the Edge Transport server will be rejected, deleted, or quarantined.

For more information, see Adjusting the Spam Confidence Level Threshold.

Your strategy for configuring the anti-spam features and deciding how aggressive to make your anti-spam agent settings requires careful planning and calculation. If you set all anti-spam filters to their most aggressive levels and configure all anti-spam features to reject all suspicious messages, you are more likely to reject messages that are not spam. On the other hand, if you do not set the anti-spam filters at a sufficiently aggressive level and do not set the SCL threshold low enough, you probably won't see a reduction in the spam that enters your organization.

It is a best practice to reject a message when Exchange detects a bad message through the Connection Filter agent, Recipient Filter agent, or Sender Filter agent. This approach is better than quarantining such messages or assigning metadata, such as anti-spam stamps, to such messages. Therefore, the Connection Filter agent and Recipient Filter agent automatically block messages that are identified by the respective filters. The Sender Filter agent is configurable.

This best practice is recommended because the spam confidence level that underlies connection filtering, recipient filtering, or sender filtering is relatively high. For example, with sender filtering, where the administrator has configured specific senders to block, there is no reason to assign the sender filtering data to such messages and to continue to process them. In most organizations, blocked messages should be rejected. If the administrator did not want them rejected, the administrator would not have put them on the Blocked Senders list.

The same logic applies to real-time block list (RBL) services and recipient filtering, although the underlying confidence is not as high as with the IP Block list. You should be aware that the further along the mail flow path a message travels, the greater the probability of false positives, because the anti-spam features are evaluating more variables. Therefore, if you configure the first several anti-spam features in the anti-spam chain more aggressively, you can reduce the bulk of your spam. This saves processing, bandwidth, and disk resources, which are then available to process more ambiguous messages.

Ultimately, you must plan to monitor the overall effectiveness of the anti-spam features. If you monitor carefully, you can continue to adjust the anti-spam features to work well together for your environment. With this approach, you should plan on a fairly non-aggressive configuration of the anti-spam features when you start. This approach lets you minimize the number of false positives. As you monitor and adjust the anti-spam features, you can become more aggressive about the type of spam and spam attacks that your organization experiences.
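The following Exchange Management Shell commands are an added example, not part of the original topic. They show a non-aggressive starting configuration with the three SCL actions, a Sender Filter agent set to reject, and a daily agent-log summary for monitoring. The threshold values and the quarantine mailbox address are assumptions chosen for illustration.

```powershell
# Run in the Exchange Management Shell on the Edge Transport server.
# Threshold values and the quarantine address below are illustrative
# assumptions, not recommendations taken from this topic.

$quarantineMailbox = 'spamquarantine@contoso.com'   # placeholder address

# Content filtering: one threshold per action. High thresholds mean only
# messages with the highest SCL ratings are acted on, which keeps false
# positives low while you are still learning your mail flow.
Set-ContentFilterConfig `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -QuarantineMailbox $quarantineMailbox

# Sender filtering is the configurable one of the three early agents:
# reject mail from blocked senders instead of only stamping it.
Set-SenderFilterConfig -Action Reject

# Confirm what is now in effect.
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
Get-SenderFilterConfig  | Format-List Enabled, Action

# Monitoring: count what each anti-spam agent did in the last 24 hours.
# A jump in rejections by one agent after a tuning change is the cue to
# sample those messages for false positives before tightening further.
$end   = Get-Date
$start = $end.AddDays(-1)

Get-AgentLog -StartDate $start -EndDate $end |
    Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Review the summary and the quarantine mailbox for a period before lowering any threshold, and change one setting at a time so that a shift in the counts can be attributed to it.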

For more information about how Microsoft planned and deployed the first generation of anti-spam features in Exchange Server 2003, see Messaging Hygiene at Microsoft: How Microsoft IT Defends Against Spam, Viruses, and E-Mail Attacks.

