You’ve setup Exchange Server 2007, and configured the shiny new Content Filter agent (CFA), which is more than just a rewrite of the equally loved and hated Intelligent Message Filter (IMF) from Exchange Server 2003. How do you configure it?
Spam Confidence Level (SCL) Thresholds in Exchange 2007/2010
The CFA has the following three thresholds, which are equivalent of Gateway thresholds and (gateway) actions in IMF in Exchange 2003:
- SCLRejectThreshold and
- SCLDeleteThreshold: Messages with SCL equal to or higher than the SCLDeleteThreshold are deleted silently. To enable the SCLDeleteThreshold:
set-ContentFilterConfig -SCLDeleteThreshold 8 -SCLDeleteEnabled:$true
- SCLRejectThreshold: Messages with SCL equal to or higher than the SCLRejectThreshold are rejected during the SMTP session, after the data is received. In this case, senders get a NDR. To enable the SCLRejectThreshold:
set-ContentFilterConfig -SCLRejectThreshold 7 -SCLRejectEnabled:$true
In the above case, Exchange doesn’t accept the message. After the data is received, it responds with a 500 5.7.1 error and a rejection response (by default this response is: Message rejected due to content restrictions. This rejection message can be configured using the following command (response message used here is for illustration, not a real suggestion – Bharat) :
set-ContentFilterConfig -RejectionResponse “Stop spamming you *****!”
The actual NDR is generated and sent to the sender by the sending host. What the sending host will see after the message content is sent (and if you actually modified the rejection response based on my example :)
500 5.7.1 Stop spamming you *****!
- SCLQuarantineThreshold: Messages with SCL equal to or higher than the SCLQuarantineThreshold are delivered to the quarantine mailbox, provided you have one configured. To enable the SCLQuarantineThreshold and configure a quarantine mailbox:
set-ContentFilterConfig -SCLQuarantineThreshold 6 -SCLQuarantineEnabled:$true -QuarantineMailbox:[email protected]
- So where’s the equivalent of IMF’s Store threshold, used to move messages to users’ Junk Mail folder?
It’s called SCLJunkThreshold and it’s configured in the Organization configuration. It can be set using the Set-OrganizationConfig command:
set-OrganizationConfig -SCLJunkThreshold 5
Setting SCLJunkThreshold not intuitive?
Before you jump to conclusions about this being counter-intuitive or confusing, which it may be, consider this – it’s in response to the different server roles in Exchange Server 2007.
The gateway actions – delete, reject and quarantine – can be thought of as message transport actions and thus applicable to transport server roles – the Edge Transport server and/or the Hub Transort server (if you have antispam agents enabled on the Hub). Moving messages to users’ Junk Mail folders can be thought of as something that happens at the Store, performed by the Mailbox Server role.
SCLJunkThreshold and Edge Transport servers
Another aspect to consider when setting the SCLJunkThreshold – if you’re in a topology with an Edge Transport server, the SCLJunkThreshold configured on an Edge Transport server doesn’t impact anything. You must have the SCLJunkThreshold configured on your Exchange Org. The Edge Transport server is not a part of it.
This is an improvement over IMF, which had only one gateway action (and one corresponding gateway threshold). The Content Filter agent allows the flexibility of enabling all three actions on the gateway. The rule is: SCLDeleteThreshold > SCLRejectThreshold > SCLQuarantineThreshold.
To get a list of all three SCL values and whether each action is enabled or not, use the following command:
get-ContentFilterConfig | Select SCL*
The default SCL thresholds
By default, the SCLJunkThreshold is set to 4. If you have an existing Exchange 2003 SP2 server installed and you haven’t tweaked the Store threshold, IMF v2’s default Store threshold of 8 is used. This is what you’ll see in the Org’s SCLJunkThreshold.
Given that the SCLRejectThreshold is set to 7 by default, messages will not move to users’ Junk Mail folder unless the SCLJunkThreshold is lower than the transport thresholds (i.e. the Delete, Reject and Quarantine thresholds).
How the Junk Mail threshold is calculated
Unlike the transport actions of deleting, rejecting, and quarantining messages, which check for SCL equal to or higher than their respective thresholds, for moving messages to Junk Mail folder the Store checks for SCLs higher than the SCLJunkThreshold. This is consistent with the behavior of IMF in Exchange Server 2003 (as mentioned in IMF Confusion – Store threshold rating text in UI).
If you want to disable rejection of messages with SCL of 7 or above, use the following command: