Update 2014-04-04: Updated the Text Patterns for ETR#1 - modified #2, added #12 and #13
One of the more common requests in the Forefront Online Protection for Exchange (FOPE) and Exchange Online Protection (EOP) services is “How do we get more aggressive bulk email filtering?”
In a previous blog post, New Features in Office 365, I discussed how we released a feature that allows administrators to mark bulk email as spam.
The way this feature works is the following:
The drawback of these two methods is many customers find these settings are not aggressive enough (#1) or they are too aggressive (#2). Because bulk email is so subjective (some people want it, others do not), it is difficult to strike a balance such that everyone is satisfied. In order to control false positives, we generally are less aggressive than we could be on bulk email.
Making Bulk Email Scanning More Aggressive in EOP
For customers who want more aggressive bulk email settings, there are ways to accomplish this with Exchange Transport Rules (ETR) in the EOP service.
There are several patterns that frequently occur in bulk email. Create an ETR (Admin –> mail flow –> rules –> Create new rule by clicking the + sign) that says “If the message includes these text patterns in the message subject or body” and then start adding the following regular expressions:
In the above description, ensure that you choose text pattern and not “subject or body includes any of these words”. The patterns above are regular expressions that match on patterns of text, not exact matches of text.
This is not an exhaustive set of regular expressions; more can be added as appropriate and any can be removed as needed. However, it is a good starting point.
The action should be to modify the message properties and set the SCL to 5 or higher which will mark the message as spam.
When complete, the rule will look similar to the below.
A second ETR can be created that looks for exact matches and sets the SCL to 5. But whereas the above looks for text patterns, this one should look for “subject or body includes any of these words”. Below is a list of commonly used bulk email phrases:
This second ETR goes beyond the scope of what is in the first one. Once again, this list is not exhaustive and more can be added as necessary, or removed as required. However, it is a good starting point.
Using both of these ETRs can help customers cut down on the amount of unwanted bulk email in EOP.
What about legitimate bulk email that some users want?
The above ETRs are aggressive and will most likely flag messages as spam that some users want. To work around this, customers have two options:
Both of these options will help ensure that people can still get the bulk email they want to receive. Option 1 is disruptive for the general user base but allows individuals to self-service (they can add safe senders as required), whereas option 2 is less disruptive to the user base but forces the customer’s administrator to do a bit more work up front by collecting a list of highly targeted users, and creating a more complicated ETR.
What about FOPE?
The above ETRs can be created as Policy Rules in FOPE. However:
As you can see, FOPE is more limited than EOP. It will not be upgraded to support the same variations as EOP.
The above descriptions are the current workarounds for more aggressive bulk email filtering in the service – how to flag more of it as spam, how to allow users to receive the mail they want, and what the limitations in FOPE are (the older version of service).
I have created the second ETR that looks for exact matches but emails are still passing through the filter.
Thank you - this post helped us reduce marketing related bulk emails.
Inquiry... the article references header "X-Forefront-Antispam-Report", but in a number of spam type emails I no longer see this header, but instead see header "X-Forefront-Antispam-Report-Untrusted".
SFV:SPM I understand indicates that it was marked as spam. When analyzing headers from the EOP quarantine, I show following two headers typically have the most information and include SFV:SPM:
The header "X-Forefront-Antispam-Report" typically does not include the SFV statement. (CIP:188.8.131.52;CTRY:US;IPV:NLI;IPV:NLI;EFV:NLI;)