Anti-spam Inbound
This policy evaluates messages for spam based on the thresholds and settings you configure for flagging items as spam.
Considerations before deployment
- Are your users used to working with quarantined items?
  - If not, it is a good idea to communicate how quarantine works before deployment, to avoid overloading the support desk with calls.
- How much bandwidth do you have for releasing messages from quarantine?
  - This determines which action and quarantine policy you deploy. For example, you might make high confidence spam admin-release only while allowing users to release less severe spam themselves.
Policy Configuration
Depending on the size of your organization, it is usually best to create a new custom policy with the highest precedence, scoped to a small subset of users such as IT, for testing.
The end goal is to remove that policy and have all users protected by the default policy. Only break off custom policies for the few users who have a valid exception.
Scoping users, groups, and domains
Pay attention to the conditions on custom policies: different condition types are evaluated together with AND logic. If you specify both a user and a group, the user must be a member of the group, and other members of that group are not included in the policy unless they are also listed as users.
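The pilot approach described above (a custom policy with the highest precedence scoped to one group), as an added Exchange Online PowerShell example that is not part of the original page. It assumes Connect-ExchangeOnline has already been run; the policy name and the IT-Pilot group address are placeholders.

```powershell
# Added example (not from the original page): create a pilot anti-spam policy
# scoped to one group with the highest precedence (Priority 0).
# Assumes an existing Exchange Online session and a group "IT-Pilot@contoso.example";
# the policy and rule names are placeholders.

$policyName = "Pilot - Anti-spam Inbound"

# Actions here are example choices: high confidence spam goes to quarantine with
# admin-only release, less severe spam to the Junk Email folder.
New-HostedContentFilterPolicy -Name $policyName `
    -BulkThreshold 6 `
    -MarkAsSpamBulkMail On `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -HighConfidenceSpamQuarantineTag AdminOnlyAccessPolicy `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -BulkSpamAction MoveToJmf `
    -QuarantineRetentionPeriod 30 `
    -SpamZapEnabled $true `
    -PhishZapEnabled $true `
    -InlineSafetyTipsEnabled $true

# Leave every ASF setting off, listed explicitly so the intent is visible
# in change control rather than relying on defaults.
$asf = @{
    IncreaseScoreWithBizOrInfoUrls = 'Off'; IncreaseScoreWithImageLinks = 'Off'
    IncreaseScoreWithNumericIps = 'Off';    IncreaseScoreWithRedirectToOtherPort = 'Off'
    MarkAsSpamEmptyMessages = 'Off';        MarkAsSpamJavaScriptInHtml = 'Off'
    MarkAsSpamObjectTagsInHtml = 'Off';     MarkAsSpamFramesInHtml = 'Off'
    MarkAsSpamEmbedTagsInHtml = 'Off';      MarkAsSpamFormTagsInHtml = 'Off'
    MarkAsSpamWebBugsInHtml = 'Off';        MarkAsSpamSensitiveWordList = 'Off'
    MarkAsSpamSpfRecordHardFail = 'Off';    MarkAsSpamFromAddressAuthFail = 'Off'
    MarkAsSpamNdrBackscatter = 'Off'
}
Set-HostedContentFilterPolicy -Identity $policyName @asf

# Scope the rule with a single condition type. Adding -SentTo as well would be
# ANDed with the group: only listed users who are also members would match.
New-HostedContentFilterRule -Name "$policyName rule" `
    -HostedContentFilterPolicy $policyName `
    -SentToMemberOf "IT-Pilot@contoso.example" `
    -Priority 0
```

Once the pilot is finished, remove the rule and policy with Remove-HostedContentFilterRule and Remove-HostedContentFilterPolicy so the default policy covers everyone again.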
Bulk email spam action
Enabling this determines whether Microsoft Defender for Office 365 (MDO) takes action on bulk email.
Bulk email threshold
You can configure this from 1 to 9, where 1 is a sender with a low bulk complaint level (BCL) and 9 is a bulk sender with a high complaint level. Microsoft states that it assigns the BCL based on third-party data sources as well as some internal data sources.
The default is 7; 6 is the usual recommendation, but it depends on the organization. Some organizations don't want people using their work email for bulk mailers and so may be more restrictive.
Advanced spam filters
Advanced spam filters (ASF) let you mark a message as spam when it matches one of the filters you enable. A match essentially increases the spam confidence level (SCL), which usually results in items quickly becoming "high confidence" spam.
This is generally not recommended; Microsoft, in its own words, calls these settings aggressive. If a message is flagged as spam because of these filters, you cannot report it to Microsoft as a false positive.
You can look at the message headers for X-CustomSpam: to determine whether ASF is the reason a message went to spam.
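As an added PowerShell helper (not from the original page) for the header check above: it pulls every X-CustomSpam value and the SCL out of saved message headers so you can see whether an ASF setting caused the spam verdict. The header text is constructed sample data, and the X-CustomSpam values in it are illustrative rather than an official list.

```powershell
# Added example (not from the original page): report which ASF settings, if any,
# fired on a message, using its raw headers (e.g. copied from "View message source").
function Get-AsfVerdict {
    param([Parameter(Mandatory)][string]$HeaderText)

    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header) so multi-line headers match cleanly.
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '

    # One X-CustomSpam header is added per matching ASF setting.
    $asfHits = @([regex]::Matches($unfolded, '(?im)^X-CustomSpam:\s*(.+?)\s*$') |
        ForEach-Object { $_.Groups[1].Value })

    # The SCL lives in the X-Forefront-Antispam-Report header as SCL:<digit>.
    $scl = $null
    if ($unfolded -match '(?im)^X-Forefront-Antispam-Report:.*?\bSCL:(\d)') {
        $scl = [int]$Matches[1]
    }

    [pscustomobject]@{
        SCL            = $scl
        AsfTriggered   = $asfHits.Count -gt 0
        AsfSettings    = $asfHits
        # ASF-driven verdicts cannot be submitted to Microsoft as false positives;
        # verdicts from the normal filter can.
        ReportableToMS = $asfHits.Count -eq 0
    }
}

# Constructed sample headers (not a real message); the X-CustomSpam
# values are illustrative.
$sampleHeaders = @'
Received: from mail.example.test (10.0.0.5) by contoso.example
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:9;
 SRV:;IPV:NLI;SFV:SPM;H:mail.example.test;PTR:;CAT:SPM;
X-CustomSpam: Image links to remote sites
X-CustomSpam: Numeric IP in URL
Subject: Your invoice
'@

Get-AsfVerdict -HeaderText $sampleHeaders
```

For the sample above the result shows SCL 9, two ASF settings triggered, and ReportableToMS false; a message with no X-CustomSpam header and a high SCL is a normal filter verdict you can submit.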
For each of these settings you generally have three options, although test mode is not available for all of them.
- On
- Off
- Test
  - Takes no action, but adds the header info to the message or BCCs a specified address for all matching messages.
The table below lists what ASF does when the criteria match. Most of these settings are straightforward, but brief descriptions of some of them follow the table.
Order | Setting | Behavior |
---|---|---|
1 | URL to .biz or .info website | Increases the spam score |
2 | Image links to remote sites | Increases the spam score |
3 | Numeric IP address in URL | Increases the spam score |
4 | URL redirect to other port | Increases the spam score |
5 | Empty messages | Marked as high confidence spam |
6 | JavaScript or VBScript in HTML | Marked as high confidence spam |
7 | Object tags in HTML | Marked as high confidence spam |
8 | Frame or iframe tags in HTML | Marked as high confidence spam |
9 | Embedded tags in HTML | Marked as high confidence spam |
10 | Form tags in HTML | Marked as high confidence spam |
11 | Web bugs in HTML | Marked as high confidence spam |
12 | Sensitive words | Marked as high confidence spam |
13 | SPF record: hard fail | Marked as high confidence spam |
14 | Conditional Sender ID filtering: hard fail | Marked as spam |
15 | Backscatter | Marked as spam |
16 | International spam - languages | Marked as spam |
17 | International spam - regions | Marked as spam |
URL to .biz or .info website
Links containing .biz or .info are flagged here, even when followed by a different top-level domain such as .com.
Image links to remote sites
Numeric IP address in URL
URL redirect to other port
Any link to a port other than 80, 8080, or 443.
Empty messages
Flags messages that have no subject, no body, and no attachment.
JavaScript or VBScript in HTML
Emails with scripts are flagged as high confidence spam.
Object tags in HTML
Object tags allow applications to be embedded in the message.
Frame or iframe tags in HTML
Frame and iframe tags arrange the layout of an HTML document.
Embedded tags in HTML
Messages with videos or audio embedded in the HTML.
Form tags in HTML
Message contains a form element.
Web bugs in HTML
Web bugs let the sender know whether their message was read.
Sensitive words
The message contains an offensive word from a Microsoft-maintained list. The list is not published and cannot be modified.
SPF record: hard fail
The message was sent from an IP address that is not in the SPF record for the sending domain.
Conditional Sender ID filtering: hard fail
When a message arrives, the filter checks the sending domain's SPF record to determine whether the IP address the message came from is allowed to send for that domain.
Hard fails:
- A message with no sending IP
- A message from a non-existent domain
- A message from an IP address that is not included in the SPF record, where the sender's SPF record is not set to soft fail.[^1]
Backscatter
Backscatter is fake non-delivery reports (NDRs). This setting is not required for Exchange Online environments; it is only needed when email is routed to an on-premises Exchange environment.
Construction
Verify when this is needed.
Test mode action
You can specify the following for test mode actions:
- On
- Off
- Test
  - Takes no action, but adds the header info to the message or BCCs a specified address for all matching messages.
International spam - languages
Not part of advanced spam filters (ASF).
Any languages specified here are marked as spam.
International spam - regions
Not part of advanced spam filters (ASF).
Any regions specified here are marked as spam.
Actions
Actions specifies what action you want to take based on the policy configuration discussed above. It also contains safety tips, which are banners at the top of the message that your users see in their inbox.
Recommendations on Spam/Phishing
Discuss potential recommendations
Spam message action
This determines the action to take when the message's SCL is 5 or 6.
High confidence spam message action
This determines the action to take when the message's SCL is 7 to 9.
Phishing message action
Determines the action to take on phishing messages.
High confidence phishing message action
Determines the action to take on high confidence phishing messages.
Bulk message action
Determines the action to take on bulk messages. Most organizations send these to Junk Email, but there is an argument for sending them to quarantine instead, which reduces the number of places users have to look for their messages.
Intra-Organizational messages to take action on
This is a newer and often overlooked setting.
Microsoft evaluates internal email for spam and phishing; this setting determines whether Microsoft takes any action on those verdicts.
By default, this setting is configured to Default, which means Microsoft only takes action on high confidence phishing sent internally. If you face problems with internal phishing campaigns, increasing this setting may help alleviate some of those issues.
Options:
- Default
  - This is the same as High confidence phishing messages.
  - In US Government clouds, Default is equal to None.
- None
- High confidence phishing messages
- Phishing and high confidence phishing messages
- All phishing and high confidence spam messages
- All phishing and spam messages
Enable spam safety tips
Adds a safety tip banner at the top of a message identified as spam, as a warning to the user.
Microsoft does not list what the safety tip says, and I was unable to find a message with such a tip.
Zero-hour auto purge (ZAP)
Zero-hour auto purge (ZAP) removes messages already delivered to a user's mailbox if Microsoft later determines the message was spam or phishing.
ZAP also works on messages that have been moved to other folders.
Enable for spam messages
Enable ZAP for spam messages.
Enable for phishing messages
Enable ZAP for phishing messages.
Retain spam in quarantine for this many days
You can configure anything from 1 to 30 days. Once that period passes, the messages are deleted and unrecoverable.
When choosing a value, consider periods when your organization is less active, such as holiday breaks, when people might not sign in for a few weeks.
Allowed and blocked senders and domains
Microsoft's official stance is to avoid using these lists and instead use the tenant allow/block list for blocks and submit email to Microsoft for allows.
- These lists are limited to 1000 entries.
- They skip all filtering except high confidence phishing and malware.
- They also skip email authentication checks (SPF and DKIM).
- If you have multiple anti-spam policies, you must maintain these lists on every policy, which makes the tenant allow/block list the better way to manage them.
Allowed senders
Keep this list to a minimum.
Allowed domains
Keep this list to a minimum.
Never add domains like Gmail or Hotmail.
Blocked senders
It is okay to put senders here, but note that the tenant allow/block list also blocks your users from sending email to these addresses.
Blocked domains
It is okay to put domains here, but note that the tenant allow/block list also blocks your users from sending email to these domains.
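An added audit script (not from the original page) that checks the allow/block lists on every anti-spam policy against the points above: the 1000-entry limit, the advice to keep lists small, and the warning about consumer domains such as Gmail or Hotmail. It assumes Connect-ExchangeOnline has been run; the consumer-domain list and the warning threshold are choices made here.

```powershell
# Added example (not from the original page): audit anti-spam policy allow/block
# lists. Assumes an existing Exchange Online session.
$consumerDomains = @('gmail.com', 'hotmail.com', 'outlook.com', 'yahoo.com')  # assumed list
$warnAt = 800   # assumed threshold: warn before the 1000-entry ceiling

function Test-AntiSpamLists {
    param([Parameter(Mandatory)]$Policies)

    foreach ($p in $Policies) {
        $lists = @{
            AllowedSenders       = @($p.AllowedSenders)
            AllowedSenderDomains = @($p.AllowedSenderDomains)
            BlockedSenders       = @($p.BlockedSenders)
            BlockedSenderDomains = @($p.BlockedSenderDomains)
        }
        foreach ($name in $lists.Keys) {
            $entries  = $lists[$name]
            $findings = @()
            if ($entries.Count -ge $warnAt) { $findings += "near 1000-entry limit" }

            # Allowed domains skip spam filtering and SPF/DKIM checks, so a consumer
            # domain here effectively allows every account on that provider.
            if ($name -eq 'AllowedSenderDomains') {
                $bad = $entries | Where-Object { $consumerDomains -contains $_.ToString().ToLower() }
                if ($bad) { $findings += "consumer domains allowed: $($bad -join ', ')" }
            }

            [pscustomobject]@{
                Policy   = $p.Name
                List     = $name
                Entries  = $entries.Count
                Findings = ($findings -join '; ')
            }
        }
    }
}

# One row per policy and list; non-empty Findings are the rows to act on,
# for example by moving the entry to the tenant allow/block list.
Test-AntiSpamLists -Policies (Get-HostedContentFilterPolicy) |
    Sort-Object Policy, List | Format-Table -AutoSize
```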
[^1]: https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/sender-id?view=exchserver-2019#sender-id-status-values and http://www.open-spf.org/SPF_Record_Syntax/