Udostępnij za pośrednictwem


Adjusting the Spam Confidence Level Threshold

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Note

On November 1, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook. The existing SmartScreen spam definitions will be left in place, but their effectiveness will likely degrade over time. For more information, see Deprecating support for SmartScreen in Outlook and Exchange.

In Microsoft Exchange Server 2003, the spam confidence level (SCL) threshold defines when the content filter feature takes a specific action on a specific message, such as rejecting a message or deleting a message.

In Exchange Server 2007, we've improved the SCL threshold functionality so that you can adjust the SCL to a more precise level. You can define three specific actions according to SCL thresholds. For example, you can define different thresholds for rejecting, deleting, or quarantining a message on a computer that has the Edge Transport server role installed.

The combination of this SCL threshold configuration on the Edge Transport server and the SCL Junk E-mail folder configuration on the user mailbox helps you implement a more comprehensive and precise anti-spam strategy. This more precise and detailed SCL threshold adjustment functionality in Exchange 2007 can help you reduce the overall cost of deploying and maintaining an anti-spam solution across your organization.

The SCL threshold configuration is used by the Content Filter agent, one of the default anti-spam agents that are included with Exchange 2007. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message and to assign an SCL rating to each message.

The Content Filter agent performs this function late in the anti-spam cycle, after other anti-spam agents have processed any inbound messages. Many of the other anti-spam agents that process inbound messages before they are processed by the Content Filter agent are deterministic in how they act on a message. For example, the Connection Filter agent rejects any message that is sent from an IP address that is on a real-time block list (RBL). The Sender Filter agent and Recipient Filtering agent process messages in a similarly deterministic manner.

In Exchange 2007, these deterministic anti-spam agents process messages first and therefore greatly reduce the number of messages that must be processed by the Content Filter agent. For more information about the order in which anti-spam agents process messages, see Anti-Spam and Antivirus Functionality.

Because content filtering is not an exact, deterministic process, the ability to adjust the action that the Content Filter agent performs on different SCL values is important. By carefully adjusting the SCL threshold configuration, you can minimize the following:

  • The size of the spam quarantine storage

  • The number of legitimate e-mail messages that are mistakenly quarantined

  • The number of legitimate e-mail messages that reach the Microsoft Office Outlook user's Junk E-mail folder

  • The number of offensive spam e-mail messages that reach the Outlook user's Inbox or Junk E-mail folder

  • The number of spam e-mail messages that reach the Outlook user's Inbox

SCL Threshold Actions in Exchange 2007

In Exchange 2003, you configure a single action, such as delete or reject, for a single SCL threshold value. In Exchange 2007, by adjusting SCL threshold actions, you can escalate the content filtering action that is taken on messages that have a greater risk of being spam. To understand this new functionality, it is helpful to understand the different SCL threshold actions and how they are implemented.

  • SCL delete threshold   When the SCL value for a specific message is equal to or higher than the SCL delete threshold, the Content Filter agent deletes the message. There is no protocol-level communication that tells the sending system or sender that the message was deleted. If the SCL value for a message is lower than the SCL delete threshold value, the Content Filter agent does not delete the message. Instead, the Content Filter agent compares the SCL value to the SCL reject threshold.

  • SCL reject threshold   When the SCL value for a specific message is equal to or higher than the SCL reject threshold, the Content Filter agent deletes the message and sends a rejection response to the sending system. You can customize the rejection response. In some cases, a non-delivery report (NDR) is sent to the original sender of the message. If the SCL value for a message is lower than the SCL delete and SCL reject threshold values, the Content Filter agent does not delete or reject the message. Instead, the Content Filter agent compares the SCL value to the SCL quarantine threshold.

  • SCL quarantine threshold   When the SCL value for a specific message is equal to or higher than the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. E-mail administrators must periodically review the quarantine mailbox. For more information about how to manage the spam quarantine, see Configuring and Managing Spam Quarantine. If the SCL value for a message is lower than the SCL delete, reject, and quarantine threshold values, the Content Filter agent does not delete, reject, or quarantine the message. Instead, the Content Filter agent sends the message to the appropriate Mailbox server, where the per-recipient SCL Junk E-mail folder threshold value of the message is evaluated.

  • SCL Junk E-mail folder threshold   If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, the Mailbox server puts the message in the Outlook user's Junk E-mail folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, the Mailbox server puts the message in the user's Inbox.

For example, if you set the SCL delete threshold to 8, the SCL reject threshold to 7, the SCL quarantine threshold to 6, and the SCL Junk E-mail folder threshold to 5, all e-mail with an SCL of 5 or lower will be delivered to the user's Inbox.

As you plan and deploy your strategy for adjusting the SCL threshold, it's important to understand that the Content Filter agent and the SCL Junk E-mail folder process the SCL threshold value differently. The Content Filter agent takes action on the SCL threshold value that you configure. The SCL Junk E-mail folder takes action on the SCL threshold value that you configure plus 1. For example, if you configure the Delete action to an SCL of 4 on the Content Filter agent, all messages with an SCL of 4 or greater are deleted. However, if you configure the Delete action to an SCL of 4 on the SCL Junk E-mail folder, all messages with an SCL of 5 or greater are deleted.

To configure the SCL Junk E-mail folder threshold on individual user mailboxes, you must use the Set-Mailbox command in the Exchange Management Shell. You can configure the SCL delete, reject, and quarantine thresholds in two locations:

  • On the content filter configuration (per-transport server SCL configuration)   We recommend that you set the organization-wide SCL thresholds on the content filter configuration on the Edge Transport server. If you run anti-spam agents on the Hub Transport server, set the organization-wide SCL thresholds on the Hub Transport server. By applying the same SCL thresholds across all transport servers, you can establish a consistent baseline level of SCL functionality across the organization. Over time, as you analyze the spam functionality and metrics that are provided by the anti-spam logging and reporting features, you can make additional adjustments to these SCL threshold configurations as needed.

  • On user mailboxes (per-recipient SCL configuration)   You can use the Set-Mailbox command to set per-recipient SCL delete, reject, and quarantine thresholds on individual user mailboxes. As mentioned earlier in this topic, you set the SCL Junk E-mail folder threshold on individual user mailboxes by using the Set-Mailbox command. The per-recipient SCL delete, reject, and quarantine thresholds are stored in the Active Directory directory service and are replicated to the Edge Transport servers by the Microsoft Exchange EdgeSync service. The per-recipient SCL threshold configurations are used by the Content Filter agent even if you have set per-transport server SCL configurations. Therefore, if you have set per-recipient SCL thresholds, the Content Filter agent uses the per-recipient SCL thresholds for specific users instead of the SCL configuration on the Content Filter agent.

    For more information about how to use the Set-Mailbox command, see Set-Mailbox.

Best Practice for Setting Up and Adjusting SCL Thresholds

We recommend that you set up and adjust the SCL thresholds as follows:

  1. Enable the SCL delete, reject, and quarantine thresholds on the content filter configuration on each Edge Transport server. We recommend that you start with the default values for these SCL thresholds. The default values were set by the Exchange Server team according to real-world data from the Microsoft IT messaging department and from Exchange 2007 early adopter feedback. The default values are optimized for large, global enterprise deployments. For more information about how to set the SCL thresholds on the content filter configurations, see Configuring Content Filtering.

  2. Enable and configure per-recipient SCL thresholds. At a minimum, you should enable and set the SCL Junk E-mail folder threshold on each user's mailbox. You can also configure the SCL delete, reject, and quarantine thresholds on a per-recipient configuration. Also, you can set exceptions on each user's mailbox so that messages to that mailbox bypass all anti-spam scanning on the Edge Transport server. For more information, see How to Configure Anti-Spam Features on a Mailbox.

  3. Monitor spam reports and logs closely for the first week after you enable the SCL thresholds. If the data indicates that you must make immediate adjustments, reconfigure the SCL thresholds. Otherwise, collect data and analyze the spam reporting to determine whether adjustments are required.

For More Information

For more information, see the following topics: