Office 365 Spam issues (SCL) - 365 or Outlook?

Anonymous
2016-10-10T09:38:16+00:00

Hello,

Like others, I am having recent issues with more genuine spam emails getting blocked.  I am aware of the message flow, and I am aware of whitelisting - but that isn't the question.  We have whitelisted "company" domains, but many customers come from @Hotmail and the like and we are not going to whitelist that domain!  As we have many customers and new leads, we cannot whitelist individual email addresses in advance as we don't know who they are.  I am aware we can notify MS of the incorrect spam, but that so far has zero effect.

It is so bad, we need to disable spam from going to users' junk mail.  As you can see, we have done this, and prepend the subject instead with "SPAM (maybe)".  Great.

This works - the emails are being prepended.

BUT they are still getting delivered into the users' junk mail, albeit with a prepended subject.

The message trace is

So this shows the "mailbox" is moving the mail from the inbox to the junk item by a "rule the recipient set up"  - which is a lie.  The rules are default and hidden.

Looking at https://support.office.com/en-gb/article/Filter-junk-email-and-spam-in-Outlook-on-the-web-db786e79-54e2-40cc-904f-d89d57b7f41d shows an OWA setting to enable/disable "mailbox filtering" by changing the setting under the "block and allow" to don't move items to the junk mail folder.  Is this the cause of the direction above?

  • If so, if we disable this, does this stop the 365 exchange back end putting other content into "junk"?  Or will EOP/365 still be able to do that?
  • If we disable this, will this then ignore client-side sender whitelists?  (as the user interface stops any more being entered).

In which case - what about any spam Exchange/365 puts in junk that the user wants whitelisted?!

I feel either I don't understand the process, or I can't find some settings!

But in summary:-

  • I want spam (SCL 5/6) to be delivered to users' inbox with a modified subject only, and not go to junk
  • I want high confidence spam and other mail flagged by other rules with SCL 7 or above to still go to junk
  • I want users to be able to maintain personal whitelists that overrule any other setting

I have also found https://technet.microsoft.com/en-us/library/bb123559(v=exchg.160).aspx which seems to suggest SCL settings can be amended for users' mailboxes, but I don't seem to get this working on 365 - is this on-prem only?

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

20 answers

  1. Anonymous
    2016-10-10T19:05:16+00:00

    Hi there,

    It can be frustrating for you.

    1. The first status indicates that EOP identified the message as spam and delivered it to the Junk folder.

    2. The second status indicates that the user set up Inbox rules, therefore the email was delivered to his Junk folder.

    Both of the above are expected behavior.

    However, you can see the MORE INFORMATION  section on the trace and follow the instruction to submit this false positive message to the Microsoft Spam Analysis Team, they will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

    You can check the Process for Spam Evaluation and Rules Deployment here>>> https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

    Note: Time frames for rules on individual submissions vary depending on the quantity and quality of submissions. Because new spam rules are set globally for all customers, not all individual spam submissions will result in a new spam rule.

    Good day!

  2. Anonymous
    2016-10-10T15:35:01+00:00

    Hi, thank you for taking the time to respond.

    However, there is need for clarification if you can as I do not think you are correct.  Let's simplify it as you say we can't adjust SCL levels in 365 so let's forget that point.  The second point was an entirely separate thread to avoid confusion and mixing up the questions, but one of your colleague moderators merged the threads and made a mess of the question.  So ignore the second post from me in this thread as I think you've said "it does not apply to 365".

    Anyway, we agree 365 appears to detect spam (SCL) as 2 levels, "spam" (SCL5?) and "high confidence spam" (SCL9?).  (as shown above in images)

    If we want "spam" to have subject tagged with text, and "high confidence spam" sent to users' junk mail - how can we do that?  If you look at the original post, I have set these settings in 365 ECP to do this.  But, all mail still goes to "junk" - but with the prepended text on the "spam" level ones.  As shown in the original posts, this is down to a mailbox rule which we assume is the "block or allow" option in OWA - as this enables/disables the mailbox junk handling.

    If this rule is set on (default) then

    • "spam" gets tagged with subject and still goes to junk
    • "high confidence spam" goes to junk
    • Users whitelist rule works

    If we set this to "Don’t move items to the junk mail" then

    • "spam" gets tagged with subject and goes to inbox
    • "high confidence spam" goes where?
      • SURELY this goes to junk, as this is controlled by the exchange content filter?  But you say:-
      • YOU:  yes, if you disable it, no matter which sender it is, the message should be delivered to your inbox.
      • YOU:  after setting the Block or allow option in OWA to “Don’t move items to the junk mail folder”, the email sent from outside the organization whose SCL value is larger than 5 will be delivered to your inbox, not the junk email folder.
    • User whitelists are ignored (as you say above)
      • YOU:  About “If we disable this, will this then ignore client-side sender whitelist”, yes, if you disable it, no matter which sender it is, the message should be delivered to your inbox.

    Surely that's wrong?  Why does ECP have the functionality to treat "spam" and "high confidence spam" differently, tag one, and send the other to junk mail - yet according to you the mailbox ignores this - and if the mailbox junk mail is "on" then any spam goes to junk, and "off", all mail goes to inbox.  That is what you say above?

    That must be wrong?  My testing shows difference in logs between "spam" that is sent to "junk" via a mailbox setting (as per image above); and "high confidence spam" that goes direct to junk.  The email trace shows it is put there by the EOP not the mailbox.  But, if mail can be forwarded to junk either directly by EOP or via the mailbox, then it's imperative the mailbox can override with user whitelist - b

    SURELY the following is possible:-

    • "spam" gets subject prepended as per ECP settings and sent to inbox
    • "high confidence spam" gets put direct in junk mail
    • User whitelist can still be used to override "high confidence spam" going into junk mail.

    But if turning off the mailbox junk mail means a user whitelist can't be used, that's really bad design!

    Appreciate your clarification

    edit:  see two traces from different emails where the filtering was different - one looks like via EOP and one via the "rules" on mailbox (as above).  See the "status" section.  So even with mailbox rules off the trace shows one junk mail went direct to junk and did not touch the mailbox rules.  This is the opposite to what you said above?  Isn't it? /confused

  3. Anonymous
    2016-10-10T14:10:06+00:00

    Hi Blue Snowman,

    Based on my test result, after setting the Block or allow option in OWA to “Don’t move items to the junk mail folder”, the email sent from outside the organization whose SCL value is larger than 5 will be delivered to your inbox, not the junk email folder.

    Regarding “if we disable this, does this stop the 365 exchange back end putting other content into "junk"?  Or will EOP/365 still be able to do that”, if you set the Block or allow option in OWA to “Don’t move items to the junk mail”, EOP will still put the email message whose SCL value is larger than 5 to the junk email folder of other mailboxes inside your organization. The message can only be delivered to your inbox if you choose this option in your OWA. In other words, the Block or allow option is a mailbox-level function while the EOP spam filter is an organization-level one.

    About “If we disable this, will this then ignore client-side sender whitelist”, yes, if you disable it, no matter which sender it is, the message should be delivered to your inbox.

    Regarding “I have also found https://technet.microsoft.com/en-us/library/bb123559(v=exchg.160).aspx which seems to suggest SCL settings can be amended for users mailboxes, but I don't seem to get this working on 365 - is this on-prem only”, yes, the article applies to on-premises only.

    Let’s go to your second post. Based on your description, you want to change the default SCL threshold to another value. Based on my experience, it’s not feasible to change the default SCL threshold to another value. Thanks for your understanding. The PowerShell commands you mentioned should only be applied to the on-premises Exchange server.

    Thanks,

    Mouran

  4. Anonymous
    2016-10-10T12:00:19+00:00

    I see some mod has merged two threads?

    Not sure the two posts above are the same question - one is related to finding out which component is moving junk mail and how to amend it.  The other is a more general how to configure 365 and spam protection.  Related questions - yes. 

    But completely different answers to both expected!!!    Client/mailbox/user settings vs. global admin settings.

    So hope people who can answer post 2 can read past post 1! 

    Thanks mods for confusing matters

  5. Anonymous
    2016-10-10T09:59:58+00:00

    Due to suffering with pain caused by recent secret changes to the 365 spam filters, research has shown there are both organisation wide and mailbox specific SCL thresholds which can be altered to make them more or less sensitive to spam.

    So, for instance, change SCL to 7 to allow "maybe spam SCL of 5" to be treated as normal.

    e.g. https://technet.microsoft.com/en-us/library/aa995744%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396 and https://technet.microsoft.com/en-us/library/bb123559(v=exchg.160).aspx

    However, the command  Set-ContentFilterConfig does not seem to exist;

    Get-OrganizationConfig shows the SCLJunkThreshold level set to 4 - but  Set-OrganizationConfig  -SCLJunkThreshold 6 does not work - says parameter not available.  (365 restriction?)

    Set-Mailbox with any parameter like -SCLJunkThreshold, or JunkEnabled or whatever says parameter not available (365 restriction?)

    Set-MailboxJunkEmailConfiguration does seem to work, and each mailbox can have its junk email config enabled/disabled, but this is not the desired effect (is it?) as this stops the personal whitelist and blacklist working, and would this also stop "high confidence" spam of SCL 7,8 or 9?

    So - how do you set a mailbox, multiple mailboxes, or entire tenant to have different SCL thresholds than the default?

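Added example (not part of the thread and not Microsoft's code): a read-only check that puts side by side the three settings the posts above go back and forth on, namely the organisation junk threshold, the spam-filter policy actions for "spam" and "high confidence spam", and each mailbox's junk e-mail configuration. The function name `Get-JunkRoutingReport` and the sample address are hypothetical; it assumes an already-connected Exchange Online PowerShell session and lists every policy per mailbox rather than resolving which policy is scoped to which recipient.

```powershell
# Added example. Assumes an already-connected Exchange Online PowerShell session.
# Read-only: only Get-* cmdlets are called, no setting is changed.
function Get-JunkRoutingReport {
    param(
        [Parameter(Mandatory)]
        [string[]]$Mailbox   # placeholder addresses, e.g. 'user@example.com'
    )

    # Organisation-wide junk threshold, the value Get-OrganizationConfig shows in the thread.
    $org = Get-OrganizationConfig

    # Tenant spam-filter policies: the action for "spam" and for "high confidence spam",
    # and the text prepended when the action is ModifySubject.
    $policies = Get-HostedContentFilterPolicy

    foreach ($id in $Mailbox) {
        # Per-mailbox junk e-mail rule state and the user's safe/blocked sender lists.
        $junk = Get-MailboxJunkEmailConfiguration -Identity $id

        foreach ($p in $policies) {
            [pscustomobject]@{
                Mailbox                  = $id
                OrgSCLJunkThreshold      = $org.SCLJunkThreshold
                Policy                   = $p.Name
                IsDefaultPolicy          = $p.IsDefault
                SpamAction               = $p.SpamAction
                HighConfidenceSpamAction = $p.HighConfidenceSpamAction
                ModifySubjectValue       = $p.ModifySubjectValue
                MailboxJunkRuleEnabled   = $junk.Enabled
                TrustedSenderCount       = @($junk.TrustedSendersAndDomains).Count
                BlockedSenderCount       = @($junk.BlockedSendersAndDomains).Count
            }
        }
    }
}

# Usage with a placeholder mailbox:
# Get-JunkRoutingReport -Mailbox 'user@example.com' | Format-List
```

Comparing `SpamAction` against `MailboxJunkRuleEnabled` for an affected mailbox, next to the message trace for the same message, shows which of the two layers was in a position to move it.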