MS Exchange Spam Filtering

I’m no Microsoft Exchange guru, by any stretch of the imagination, but I’ve been working with our email provider for the past three weeks trying to get our spam filtering disabled on Exchange 2007 because we use a third party anti-spam service and wish to simplify the whole solution.

There seems to be some confusion for Email jockeys who are used to the 2003 IMF way of filtering emails as opposed to the 2007 CFA way. Below is a summary of what I’ve learned (more than I wanted) about Exchange’s anti-spam product.


Microsoft’s Exchange Content Filtering Agent (CFA) is driven by a spam confidence level, or SCL. The SCL is based on a complicated back-end algorithm calculated by Microsoft Smartscreen, which is well beyond the scope of this post. The SCL is set at the Edge Transport server and persists as the email travels through the Exchange system. You can see the SCL rating of an email by looking for the X-MS-Exchange-Organization-SCL header. This number represents the confidence level that Smartscreen has assigned to the email: the higher the number, the more confident the system is that the given email is indeed spam. The range is 1-9 (but emails sent from an authenticated user within the domain will receive an SCL of -1).

One interesting note is that Exchange 2007 deploys a header firewall. All emails that hit the Edge Transport server, inbound or outbound, get the X-MS-Exchange-Organization-SCL header stripped off, making it very difficult to spoof the header.

Now that we know what the SCL is of a given email, how do we define the actions to take on that email? That’s where the Transport Thresholds and Junk Threshold settings come into play.

The SCLJunkThreshold is the master threshold and should be your first stop in planning your Exchange anti-spam solution. The SCLJunkThreshold defines the maximum SCL rating you are willing to accept. For example, the default setting for a 2007 server out of the box is 4. That means that all email with an SCL of 1 - 4 will be delivered to users’ inboxes.

There are three transport thresholds that can also be enabled and set: Quarantine, Reject, and Delete. All three of these actions take place on the transport server before the email reaches the store. Remember that the SCLJunkThreshold defines the maximum SCL rating you are willing to accept; therefore the transport thresholds must be set higher than your SCLJunkThreshold, because anything at or below the SCLJunkThreshold is not considered spam and passes all the way to the store.

But here’s the kicker that seems to be commonly misunderstood if not outright unknown: Even if all three transport actions are disabled, email that has an SCL higher than the SCLJunkThreshold will still be moved to the Junk Mail folder at the store level.

Here are a couple of examples:

Example 1:

Let’s say I have the following settings:

SCLJunkThreshold: 6
SCLQuarantineThreshold: 7
SCLRejectThreshold: 8
SCLDeleteThreshold: 9

An email is delivered to the Edge Transport server and Smartscreen stamps it with an SCL of 6. That email is within the acceptable range and is delivered to the recipient’s inbox.

However, if the email gets stamped with an SCL of 7, the transport server immediately sends it to the Quarantine mailbox. If it has an SCL of 8, the transport server rejects it and returns an NDR to the sender. If the SCL is 9, the transport server nukes the email altogether and tells the sender nothing.

Example 2:

Now I have the following settings:

SCLJunkThreshold: 7
SCLQuarantineThreshold: DISABLED
SCLRejectThreshold: DISABLED
SCLDeleteThreshold: DISABLED

An email that is delivered to the Edge Transport server is stamped with an SCL of 8. That exceeds the accepted level and is considered spam. However, all the transport actions are disabled, so the categorizer (which runs at both Transport levels) informs the store driver to deliver the email to the user’s Junk Mail folder at the store level, before OWA or Outlook get their grubby hands on it.
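The two examples above follow a single decision order: transport actions first (most severe first), then the store-level junk move for anything above SCLJunkThreshold. The PowerShell below is an added model of that logic, not code from the original post or from Exchange; it uses the post’s threshold names as hashtable keys, treats a $null transport threshold as DISABLED, and assumes Delete is checked before Reject before Quarantine, which is what Example 1 implies. It also enforces the rule that every enabled transport threshold must be higher than SCLJunkThreshold.

```powershell
# Added example (not from the original post): models how Exchange 2007 disposes of a
# message given its SCL and the four thresholds. Threshold names mirror the post's
# settings; $null means the transport action is disabled.

function Test-SclThresholds {
    param([hashtable]$Config)
    # The post's rule: every enabled transport threshold must be higher than
    # SCLJunkThreshold, otherwise a transport action would fire on mail that the
    # junk threshold has already declared acceptable.
    foreach ($name in 'SCLQuarantineThreshold', 'SCLRejectThreshold', 'SCLDeleteThreshold') {
        $value = $Config[$name]
        if ($null -ne $value -and $value -le $Config.SCLJunkThreshold) {
            throw "$name ($value) must be higher than SCLJunkThreshold ($($Config.SCLJunkThreshold))"
        }
    }
}

function Get-SclDisposition {
    param(
        [int]$Scl,           # value taken from the X-MS-Exchange-Organization-SCL header
        [hashtable]$Config   # SCLJunkThreshold plus optional transport thresholds
    )
    Test-SclThresholds -Config $Config

    # -1 is what an authenticated internal sender receives; never treated as spam.
    if ($Scl -lt 0) { return 'Deliver' }

    # Transport-level actions, evaluated on the transport server before the store.
    # Assumption: most severe action wins when several thresholds are met.
    if ($null -ne $Config.SCLDeleteThreshold     -and $Scl -ge $Config.SCLDeleteThreshold)     { return 'Delete' }
    if ($null -ne $Config.SCLRejectThreshold     -and $Scl -ge $Config.SCLRejectThreshold)     { return 'Reject' }
    if ($null -ne $Config.SCLQuarantineThreshold -and $Scl -ge $Config.SCLQuarantineThreshold) { return 'Quarantine' }

    # Store level: anything above SCLJunkThreshold lands in Junk Mail even with every
    # transport action disabled; anything at or below it reaches the inbox.
    if ($Scl -gt $Config.SCLJunkThreshold) { return 'JunkFolder' }
    return 'Deliver'
}

# Example 1 from the post: junk 6, quarantine 7, reject 8, delete 9.
$example1 = @{ SCLJunkThreshold = 6; SCLQuarantineThreshold = 7; SCLRejectThreshold = 8; SCLDeleteThreshold = 9 }
# Example 2 from the post: junk 7, all transport actions disabled.
$example2 = @{ SCLJunkThreshold = 7; SCLQuarantineThreshold = $null; SCLRejectThreshold = $null; SCLDeleteThreshold = $null }

'SCL  Example 1    Example 2'
foreach ($scl in -1, 4, 6, 7, 8, 9) {
    '{0,3}  {1,-11}  {2}' -f $scl,
        (Get-SclDisposition -Scl $scl -Config $example1),
        (Get-SclDisposition -Scl $scl -Config $example2)
}

# The misconfiguration the post warns about: a transport threshold that is not
# above SCLJunkThreshold is refused before any message is evaluated.
try   { Get-SclDisposition -Scl 5 -Config @{ SCLJunkThreshold = 6; SCLQuarantineThreshold = 5 } }
catch { "Refused config: $_" }
```

With Example 1 an SCL of 6 prints Deliver and 7, 8 and 9 print Quarantine, Reject and Delete; with Example 2 an SCL of 8 prints JunkFolder, which is the store-level move the post describes. The same function is a handy way to sanity-check a proposed set of thresholds before typing them into the Exchange Management Shell.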

So as you can see, the SCLJunkThreshold setting (the maximum SCL rating you’re willing to accept) drives all other settings for your anti-spam solution. The higher the number, the fewer false positives (legitimate mail treated as spam) your solution will produce, and the more spam (false negatives) your users will receive in their inbox because the Smartscreen engine does not correctly identify all true spam.

The SCLJunkThreshold must be lower than all of your Transport Threshold settings (SCLQuarantineThreshold, SCLRejectThreshold, and SCLDeleteThreshold). Even if you have all Transport Actions disabled, the store driver will still act on all email with an SCL higher than your SCLJunkThreshold by moving the email to the Junk Mail folder, and this is done even if you have disabled Outlook’s Junk Mail settings.

If you were inclined (as we are) to disable Microsoft’s anti-spam feature without uninstalling the content filter agents, you can set the SCLJunkThreshold to 9 at the organization level (it can also be set at the mailbox level). Since 9 is the highest setting, no email can exceed that threshold and therefore all email will be delivered to the inbox but will still be stamped with an SCL at the Transport level.
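The Exchange Management Shell commands below are an added example of that approach, not commands from the original post or from the Exchangepedia blog it cites. The cmdlets and parameters (Set-OrganizationConfig, Set-ContentFilterConfig, Get-ContentFilterConfig, Set-Mailbox, Get-Mailbox) are the standard Exchange 2007 ones; the mailbox identity is a placeholder. It goes slightly beyond the post by also switching the three transport actions off explicitly and by auditing for per-mailbox overrides, since a mailbox-level SCLJunkThreshold overrides the organization-wide value.

```powershell
# Added example (not from the original post): leave the Content Filter agent
# installed so every message still gets an SCL stamp, but stop Exchange acting on it.
# Run in the Exchange Management Shell. 'user@example.com' is a placeholder.

# 1. Raise the master threshold to 9 for the whole organization. Since 9 is the
#    highest possible SCL, nothing can exceed it, so nothing is junked at the store.
Set-OrganizationConfig -SCLJunkThreshold 9

# 2. Switch off the three transport actions so the transport servers never
#    quarantine, reject or delete on the basis of SCL.
Set-ContentFilterConfig -SCLQuarantineEnabled $false `
                        -SCLRejectEnabled $false `
                        -SCLDeleteEnabled $false

# 3. Verify. The threshold numbers keep their old values; what matters is that
#    SCLJunkThreshold is 9 and the three *Enabled flags read False.
Get-OrganizationConfig | Format-List SCLJunkThreshold
Get-ContentFilterConfig | Format-List Enabled, SCL*

# 4. Optional: the same threshold can be applied per mailbox instead
#    (a mailbox-level value overrides the organization-wide one).
Set-Mailbox -Identity 'user@example.com' -SCLJunkEnabled $true -SCLJunkThreshold 9

# 5. Audit: any mailbox with its own threshold below 9 would still have mail
#    moved to Junk Mail regardless of the organization setting.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.SCLJunkEnabled -eq $true -and $_.SCLJunkThreshold -lt 9 } |
    Select-Object Name, SCLJunkEnabled, SCLJunkThreshold
```

Step 3 is worth keeping as a recurring check: the X-MS-Exchange-Organization-SCL header will still appear on delivered mail, which confirms the agent is running and stamping, while the Enabled flags confirm that no transport action is being taken on the stamp.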

For more information on how to set the various thresholds, check out the Exchangepedia blog. I’ve relied heavily on that blog in doing my research.