Understanding Spam Confidence Level Threshold
Applies to: Exchange Server 2010
In Microsoft Exchange Server 2010, you can define specific actions according to spam confidence level (SCL) thresholds. For example, you can define different thresholds for rejecting, deleting, or quarantining a message on a computer that has the Edge Transport server role installed.
The combination of this SCL threshold configuration on the Edge Transport server and the SCL Junk E-mail folder configuration on the user mailbox helps you implement a more comprehensive and precise anti-spam strategy. This more precise and detailed SCL threshold adjustment functionality in Exchange 2010 can help you reduce the overall cost of deploying and maintaining an anti-spam solution across your organization.
The SCL threshold configuration is used by the Content Filter agent, one of the default anti-spam agents included with Exchange 2010. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message and to assign an SCL rating to each message.
The Content Filter agent performs this function late in the anti-spam cycle, after other anti-spam agents have processed any inbound messages. Many of the other anti-spam agents that process inbound messages before they are processed by the Content Filter agent are deterministic in how they act on a message. For example, the Connection Filter agent rejects any message sent from an IP address on a real-time block list. The Sender Filter agent and Recipient Filter agent process messages in a similarly deterministic manner.
In Exchange 2010, these deterministic anti-spam agents process messages first and therefore greatly reduce the number of messages that must be processed by the Content Filter agent. For more information about the order in which anti-spam agents process messages, see Understanding Anti-Spam and Antivirus Functionality.
Because content filtering isn't an exact, deterministic process, the ability to adjust the action that the Content Filter agent performs on different SCL values is important. By carefully adjusting the SCL threshold configuration, you can minimize the following:
- Size of the spam quarantine storage
- Number of legitimate e-mail messages mistakenly quarantined
- Number of legitimate e-mail messages that reach the Microsoft Outlook user's Junk E-mail folder
- Number of offensive spam e-mail messages that reach the Outlook user's Inbox or Junk E-mail folder
- Number of spam e-mail messages that reach the Outlook user's Inbox
Looking for management tasks related to anti-spam and antivirus functionality? See Managing Anti-Spam and Antivirus Features.
SCL Threshold Actions in Exchange 2010
In Exchange 2010, by adjusting SCL threshold actions, you can escalate the content filtering action taken on messages that have a greater risk of being spam. To understand this functionality, it's helpful to understand the different SCL threshold actions and how they're implemented:
- SCL delete threshold When the SCL value for a specific message is equal to or higher than the SCL delete threshold, the Content Filter agent deletes the message. There's no protocol-level communication that tells the sending system or sender that the message was deleted. If the SCL value for a message is lower than the SCL delete threshold value, the Content Filter agent doesn't delete the message. Instead, the Content Filter agent compares the SCL value to the SCL reject threshold.
- SCL reject threshold When the SCL value for a specific message is equal to or higher than the SCL reject threshold, the Content Filter agent deletes the message and sends a rejection response to the sending system. You can customize the rejection response. In some cases, a non-delivery report (NDR) is sent to the original sender of the message. If the SCL value for a message is lower than the SCL delete and SCL reject threshold values, the Content Filter agent doesn't delete or reject the message. Instead, the Content Filter agent compares the SCL value to the SCL quarantine threshold.
- SCL quarantine threshold When the SCL value for a specific message is equal to or higher than the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. E-mail administrators must periodically review the quarantine mailbox. If the SCL value for a message is lower than the SCL delete, reject, and quarantine threshold values, the Content Filter agent doesn't delete, reject, or quarantine the message. Instead, the Content Filter agent sends the message to the appropriate Mailbox server, where the per-recipient SCL Junk E-mail folder threshold value of the message is evaluated.
- SCL Junk E-mail folder threshold If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, the Mailbox server puts the message in the Outlook user's Junk E-mail folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, the Mailbox server puts the message in the user's Inbox.
For example, if you set the SCL delete threshold to 8, the SCL reject threshold to 7, the SCL quarantine threshold to 6, and the SCL Junk E-mail folder threshold to 5, all e-mail with an SCL of 5 or lower will be delivered to the user's Inbox.
As you plan and deploy your strategy for adjusting the SCL threshold, it's important to understand that the Content Filter agent and the SCL Junk E-mail folder process the SCL threshold value differently. The Content Filter agent takes action on the SCL threshold value that you configure. The SCL Junk E-mail folder takes action on the SCL threshold value that you configure plus 1. For example, if you configure the Delete action to an SCL of 4 on the Content Filter agent, all messages with an SCL of 4 or greater are deleted. However, if you configure the Delete action to an SCL of 4 on the SCL Junk E-mail folder, all messages with an SCL of 5 or greater are deleted.
To configure the SCL Junk E-mail folder threshold on individual user mailboxes, you must use the Set-Mailbox cmdlet in the Exchange Management Shell. You can configure the SCL delete, reject, and quarantine thresholds in two locations:
On the content filter configuration (per-transport server SCL configuration) We recommend that you set the organization-wide SCL thresholds on the content filter configuration on the Edge Transport server. If you run anti-spam agents on the Hub Transport server, set the organization-wide SCL thresholds on the Hub Transport server. By applying the same SCL thresholds across all transport servers, you can establish a consistent baseline level of SCL functionality across the organization. Over time, as you analyze the spam functionality and metrics provided by the anti-spam logging and reporting features, you can make additional adjustments to these SCL threshold configurations as needed.
On user mailboxes (per-recipient SCL configuration) You can use the Set-Mailbox cmdlet to set per-recipient SCL delete, reject, and quarantine thresholds on individual user mailboxes. As mentioned earlier in this topic, you set the SCL Junk E-mail folder threshold on individual user mailboxes by using the Set-Mailbox cmdlet. The per-recipient SCL delete, reject, and quarantine thresholds are stored in Active Directory and are replicated to the Edge Transport servers by the Microsoft Exchange EdgeSync service. The per-recipient SCL threshold configurations are used by the Content Filter agent even if you have set per-transport server SCL configurations. Therefore, if you have set per-recipient SCL thresholds, the Content Filter agent uses the per-recipient SCL thresholds for specific users instead of the SCL configuration on the Content Filter agent.
Note
Per-recipient SCL thresholds are not enforced on mail received through distribution groups. These types of messages are rejected at the Transport server before the per-recipient threshold settings are applied. Additionally, if you're using Microsoft Forefront Protection 2010 for Exchange Server, any per-recipient SCL threshold settings replicated to the Edge Transport servers by the Microsoft Exchange EdgeSync service will take precedence over the Forefront anti-spam settings.
For more information about how to use the Set-Mailbox cmdlet, see Set-Mailbox.
Best Practice for Setting Up and Adjusting SCL Thresholds
We recommend that you set up and adjust the SCL thresholds as follows:
- Enable the SCL delete, reject, and quarantine thresholds on the content filter configuration on each Edge Transport server. We recommend that you start with the default values for these SCL thresholds. The default values were set by the Exchange Server team according to real-world data from the Microsoft IT messaging department and from Exchange 2010 early adopter feedback. The default values are optimized for large, global enterprise deployments. For more information about how to set the SCL thresholds on the content filter configurations, see Configure Content Filtering Properties.
- Enable and configure per-recipient SCL thresholds. At a minimum, you should enable and set the SCL Junk E-mail folder threshold on each user's mailbox. You can also configure the SCL delete, reject, and quarantine thresholds on a per-recipient configuration. Also, you can set exceptions on each user's mailbox so that messages to that mailbox bypass all anti-spam scanning on the Edge Transport server.
- Monitor spam reports and logs closely for the first week after you enable the SCL thresholds. If the data indicates that you must make immediate adjustments, reconfigure the SCL thresholds. Otherwise, collect data and analyze the spam reporting to determine whether adjustments are required.