Behavior Change When Setting the SCL with a Transport Rule

  • Article

With my coffee currently in one hand, it would be very useful if I could type with only my other hand. Alas I cannot, so I’ll be typing this article with both hands while my coffee waits for me. With none of this at all being relevant to this blog, let’s dig in to this week’s EOP article.

We recently made a change to the behavior that takes place when a transport rule set the SCL on an inbound message. This behavior change is especially important to be aware of if you are setting the SCL with a transport rule in your own tenant. First off, let’s review EOP spam actions (trust me, this is relevant).

Spam Actions

In the EOP Content Filter, you can decide what happens to messages marked as Spam or High confidence spam.

If the content filter scans a message and assigns an SCL of 5 or 6, EOP will take the Spam action on the message. If the content filter scans a message and assigns an SCL of 9, EOP will take the High confidence spam action. All possible values are documented here.

With this understanding, let’s look at what’s changed.

What’s changed?

Previously, if a transport rule set the SCL of a message, the content filter WOULD NOT take the corresponding spam action (ie. If a transport rule set an SCL of 9 and the High confidence spam action was to move a message to the quarantine, the message would not be moved to the quarantine). Instead, as long as the SCL which was set by the transport rule was greater than your SCLJunkThreshold level, the message would be moved to the junk mail folder, regardless of what the EOP Spam or High confidence spam action was set to.

Note: For the action, Move message to Junk Email folder, to work with on-premises mailboxes, two rules need to be added to the on-premises mail environment.

With the new change that rolled out over the last couple of weeks, setting the SCL in a transport rule WILL cause the content filter to take the appropriate spam action. Personally, I think this is much more intuitive then how it previously worked. Setting the following SCL values in a transport rule will now take the noted actions.

  • Bypass spam filtering – This sets the SCL to -1, which means that content filtering will not be performed.

  • 0 to 4 – When you set the SCL to one of these values, the message will be passed along to the content filter for additional processing. See my previous article on this, Special Case – Set SCL to 0.

  • 5, 6 – When you set the SCL to one of these values, the action specified for Spam in the content filter will be performed.

  • 7 to 9 – When you set the SCL to one of these values, the action specified for High confidence spam in the content filter will be performed.

Bonus behavior

The above change also comes with a great bonus feature. Previously, when a transport rule was set to Deliver the message to the hosted quarantine, only admins could release these messages from the quarantine. These quarantined messages would not appear in End-user Spam Notifications nor would they appear in an end users online quarantine view. This meant that end users could never release messages on their own which had been quarantined by a transport rule. We can now get around this limitation!

If your Spam action or High confidence spam action is set to move a message to the quarantine, setting an SCL in a transport rule (to a value which will trigger either spam or high confidence spam) will cause the content filter to move the message to the quarantine. Messages moved to the quarantine this way will appear in End-user Spam Notifications as well as in the end users online Quarantine view. Sweet!

To quickly tell which messages in the quarantine will be viewable to end users, look at the Type property. Spam indicates that the message will be viewable in the end users online quarantine view and ESN which will allow them to release it. Whereas Transport rule indicates that the message won’t appear in an end users online quarantine view nor in an ESN and will only be releasable by an administrator.

Example

The following indicates that the quarantined message can only be released by administrators.


 

The following indicates that the quarantined message can be released by end users.


Resources

Spam confidence levels
Create a transport rule to identify mail as spam or not spam by setting the SCL
Create on-premises transport rules for Junk Email Folder to work
Special Case, Set SCL to 0
Release quarantined messages as an end user