Exchange 2007 Content Filter: How to move messages to Junk Mail folder

by Bharat Suneja

You’ve setup Exchange Server 2007, and configured the shiny new Content Filter agent (CFA), which is more than just a rewrite of the equally loved and hated Intelligent Message Filter (IMF) from Exchange Server 2003. How do you configure it?

Spam Confidence Level (SCL) Thresholds in Exchange 2007/2010

The CFA has the following three thresholds, which are equivalent of Gateway thresholds and (gateway) actions in IMF in Exchange 2003:

  1. SCLDeleteThreshold
  2. SCLRejectThreshold and
  3. SCLQuarantineThreshold
  4. Screenshot: Configuring SCL thresholds in Content Filtering properties
    Figure 1: Exchange Server 2007’s Content Filtering agent can be configured with the equivalent of all 3 Gateway actions available in Exchange Server 2003’s Intelligent Message Filter (IMF): 1) Delete messages 2) Reject messages and 4) Quarantine messages

    1. SCLDeleteThreshold: Messages with SCL equal to or higher than the SCLDeleteThreshold are deleted silently. To enable the SCLDeleteThreshold:

      set-ContentFilterConfig -SCLDeleteThreshold 8 -SCLDeleteEnabled:$true

    2. SCLRejectThreshold: Messages with SCL equal to or higher than the SCLRejectThreshold are rejected during the SMTP session, after the data is received. In this case, senders get a NDR. To enable the SCLRejectThreshold:

      set-ContentFilterConfig -SCLRejectThreshold 7 -SCLRejectEnabled:$true

      In the above case, Exchange doesn’t accept the message. After the data is received, it responds with a 500 5.7.1 error and a rejection response (by default this response is: Message rejected due to content restrictions. This rejection message can be configured using the following command (response message used here is for illustration, not a real suggestion – Bharat) :

      set-ContentFilterConfig -RejectionResponse “Stop spamming you *****!”

      The actual NDR is generated and sent to the sender by the sending host. What the sending host will see after the message content is sent (and if you actually modified the rejection response based on my example :)
      500 5.7.1 Stop spamming you *****!

    3. SCLQuarantineThreshold: Messages with SCL equal to or higher than the SCLQuarantineThreshold are delivered to the quarantine mailbox, provided you have one configured. To enable the SCLQuarantineThreshold and configure a quarantine mailbox:

      set-ContentFilterConfig -SCLQuarantineThreshold 6 -SCLQuarantineEnabled:$true -QuarantineMailbox:[email protected]

    This is an improvement over IMF, which had only one gateway action (and one corresponding gateway threshold). The Content Filter agent allows the flexibility of enabling all three actions on the gateway. The rule is: SCLDeleteThreshold > SCLRejectThreshold > SCLQuarantineThreshold.

    To get a list of all three SCL values and whether each action is enabled or not, use the following command:

    get-ContentFilterConfig | Select SCL*

    1. So where’s the equivalent of IMF’s Store threshold, used to move messages to users’ Junk Mail folder?

      It’s called SCLJunkThreshold and it’s configured in the Organization configuration. It can be set using the Set-OrganizationConfig command:

      set-OrganizationConfig -SCLJunkThreshold 5

      Setting SCLJunkThreshold not intuitive?

      Before you jump to conclusions about this being counter-intuitive or confusing, which it may be, consider this – it’s in response to the different server roles in Exchange Server 2007.

      The gateway actions – delete, reject and quarantine – can be thought of as message transport actions and thus applicable to transport server roles – the Edge Transport server and/or the Hub Transort server (if you have antispam agents enabled on the Hub). Moving messages to users’ Junk Mail folders can be thought of as something that happens at the Store, performed by the Mailbox Server role.

      SCLJunkThreshold and Edge Transport servers

      Another aspect to consider when setting the SCLJunkThreshold – if you’re in a topology with an Edge Transport server, the SCLJunkThreshold configured on an Edge Transport server doesn’t impact anything. You must have the SCLJunkThreshold configured on your Exchange Org. The Edge Transport server is not a part of it.

    The default SCL thresholds

    By default, the SCLJunkThreshold is set to 4. If you have an existing Exchange 2003 SP2 server installed and you haven’t tweaked the Store threshold, IMF v2’s default Store threshold of 8 is used. This is what you’ll see in the Org’s SCLJunkThreshold.

    Given that the SCLRejectThreshold is set to 7 by default, messages will not move to users’ Junk Mail folder unless the SCLJunkThreshold is lower than the transport thresholds (i.e. the Delete, Reject and Quarantine thresholds).

    How the Junk Mail threshold is calculated

    Unlike the transport actions of deleting, rejecting, and quarantining messages, which check for SCL equal to or higher than their respective thresholds, for moving messages to Junk Mail folder the Store checks for SCLs higher than the SCLJunkThreshold. This is consistent with the behavior of IMF in Exchange Server 2003 (as mentioned in IMF Confusion – Store threshold rating text in UI).

    If you want to disable rejection of messages with SCL of 7 or above, use the following command:

    Set-ContentFilterConfig -SCLRejectEnabled:$false

    Related Posts

{ 19 comments… read them below or add one }

Anonymous June 7, 2007 at 7:52 am

I have been racking my brain the past couple days on finding the Junk threshold. Thanks a lot for this post!!

Reply

Anonymous August 13, 2007 at 8:53 am

Thank you for this great post, and the formatting as well makes it easy to read.

Reply

Anonymous August 21, 2007 at 7:49 am

Thank you, you saved me a lot of time.

Reply

Anonymous September 19, 2007 at 12:34 pm

Fantastic information! It always helps to find the key items all of us Exchange Admins need. One note: to check the current value of SCLJunkThreshold run the following:

Get-OrganizationConfig

The value for SCLJunkThreshold will be listed.

Reply

Bob Silva January 11, 2008 at 12:06 am

So does the CFA work if you do not have an Edge Transport? In my single E2007 environment, when I set SCLJunkThreshold to anything other than 8, ALL junk email just disappears, it never makes it into the Junk Mail folder in Outlook.

Reply

Bharat Suneja January 11, 2008 at 1:17 am

Have you installed anti-spam agents on Hub Transport server(s)?

HOW TO: Install anti-spam agents on Hub Transport server

If agents are installed on the Hub:
Exchange 2007 Content Filter: How to move messages to Junk Mail folder

Reply

daryl June 8, 2008 at 8:28 am

Excellent information

Reply

Karl Gagnon December 24, 2009 at 8:47 am

Hi guys,

I work for an Hosted Exchange 2007 company and we're modifying the way our incomming emails are filtered.

We have a third-party solution that scan all our incomming emails and we want to have flagged emails (using Transport Rules to set the spam confidence level) moved into Junk Email folder. So to resume, when the spam confidence level is X, we want those emails moved to Junk Email folder.

For now the only way we were able to make it work is by modifying the Junk E-Mail options into OWA (Automatically filter junk e-mail).

As you can understand, we can't ask to our 70000 users to change this setting. So we want to have a way to do it server side.

I have take a look at the Glen script (http://gsexdev.blogspot.com/2007/07/turning-on-filter-junk-email-in.html) but I'm surprise that this is the only way to have the flagged emails move to the Junk Email Folder..

I have also try to set the SCLJunkEnabled to True on 1 test mailbox using this command: Set-Mailbox -SCLJunkEnabled $True -SCLJunkThreshold 7
It's not working.. again I were able to make it work is by modifying the Junk E-Mail options into OWA.

Is there something I don't understand..?

Do you know how we can have flagged emails move to the Junk Email Folder?

Thanks for your help.

Karl

Reply

Angad January 4, 2010 at 2:06 am

Hi, Can anybody tell me who and how SCL rating of an email is decided.

Reply

Anonymous January 18, 2010 at 10:13 pm

Thanks for the blog.

If all I want is to have server-side moving spams to Junk Mail folder, do I still have to:
1. run the "install-AntispamAgents.ps1" command?
2. tell every user to log into OWA and enable some junk mail option?

Reply

grahamrobinson March 31, 2010 at 10:55 am

I'm having legitimate emails to customers marked as spam. How do I prevent this happening?

Reply

Bharat Suneja March 31, 2010 at 6:28 pm

@Grahamrobinson: Users can add customers to safe senders, you can add customer domain or IP address to whitelist / ip allowed list.

Exchange 2007 Content FIlter: The Whitelist Is Here!

Reply

Ingo April 22, 2010 at 7:29 am

I had another Problem with a migrated mailbox. The Mailbox was exported with Exmerge – on a MSX 2003 – and included Hidden-Files. After import on a MSX 2007 the Junk-Mails didn't go to the Junk-Mail-Folder. Changing the Junk-Mail-Setting in OWA doesn't fix it.

The Problem was the existing Hidden-Message that contains the Rules for the movement. After deleting this Message everything works great.

To delete this Hidden-Message i find this:
http://www.outlook-tips.net/howto/fix_junk.htm

I didn't know if there is an other way to delete this Message.

Regards
Ingo

Reply

Joshua September 8, 2011 at 8:44 am

I ran the command “Get-ContentFilterConfig | select SCL*” and got the following:

SCLRejectThreshold : 7
SCLRejectEnabled : False
SCLDeleteThreshold : 9
SCLDeleteEnabled : False
SCLQuarantineThreshold : 9
SCLQuarantineEnabled : False

I’m trying to disable SCL completely (we have a third party product and don’t want to confuse ourselves in the future if we have spam filtering issues) and trying to figure out which is the culprit (btw, how can I totally disable all of the anti-spam functionality in Exchange 2010?).

Now, even though I have all of these set to FALSE a test message sent in is still marked as a 7 and put into my junk folder. Do I need to restart a service or something to use the new settings? Is there something else I’m missing? The headers look as follows:

X-ESET-AS: SCORE=77
X-MS-Exchange-Organization-SCL: 7
X-EsetResult: clean, is OK
X-EsetId: 84102922B13A7C3BD457

What do I do? Thanks!

Reply

Bharat Suneja September 8, 2011 at 1:19 pm

You can disable the Content Filter agent:
Set-ContentFilterConfig -Enabled $false
Or disable all anti-spam agents.

You can also uninstall anti-spam agents from your transport server. See Install anti-spam agents on Hub Transport server.

Reply

tilo September 20, 2011 at 11:00 am

Hi,

i just want to is there any difference in Exchange 2007 IMF and Exchange 2010 IMF ? i have a option….for which IMF should i go ?

Reply

Bharat Suneja September 21, 2011 at 2:01 am

Not sure what you mean. You can’t install an Exchange 2007 antispam filter on Exchange 2003 or a 2003 filter on 2007. Install the one that’s compatible with your version of Exchange Server.

Reply

hakan February 11, 2012 at 4:56 pm
Art February 28, 2014 at 7:15 am

Thanks for the post which is right to the topic!

Reply

Leave a Comment

Previous post:

Next post: