An Introduction to the new Spam Filter Allow and Block Lists


Rather than start this article with an appetizer, I’m going to switch things up and dive right into the meat and potatoes. Very soon, if not already, you will see two new entries in your Spam Filter in Exchange Online Protection (EOP): Allow Lists and Block Lists.

As suggested by the name, this is a new way to manage allow and block lists within EOP. These new entries certainly don’t replace using Transport Rules to manage allow and block lists, but instead offer a simpler alternative.

In fact, I would still recommend using Transport Rules when there is a need for more complex allow and block lists. For example, creating a Transport Rule to safe list a partner domain only if the DMARC check also passes, or creating a Transport Rule that deletes messages from particular senders or domains when your spam action is set to something other than Delete Message.

New Spam Filter Verdict Values

In addition to these new lists, there are also new Spam Filter Verdict (SFV) values that are stamped in the X-Forefront-Antispam-Report header for senders and domains that are in the Spam Filter Allow and Block lists.

  • SFV:SKA – Indicates the sender or sending domain is on the Spam Filter Allow list. You will also see SCL:-1 stamped by EOP.
  • SFV:SKB – Indicates the sender or sending domain is on the Spam Filter Block list. You will also see SCL:9 stamped by EOP. In this scenario, the message will take the action set for High Confidence Spam in your Spam Filter.

This is one of the benefits of using the Spam Filter Allow and Block lists: if a message was safe listed or marked as spam because the sender is in the new Allow or Block list, you will see evidence of this right in the message header. If a safe or block list Transport Rule triggers, by contrast, you won’t see evidence of it in the header unless you have added that action to the rule (see my previous post, Easily tell which transport rules a message triggered).

For reference, we have also updated the Anti-spam message headers TechNet page with these new values.
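As an added example (this is not code from the original post), the PowerShell below parses an X-Forefront-Antispam-Report value and explains the SFV stamp, so you can confirm from the header alone whether the Spam Filter Allow or Block list fired. The two sample header values are constructed for illustration and were not captured from real messages. The SFV values other than SKA and SKB in the lookup table are taken from the Anti-spam message headers documentation listed under Resources, not from this post.

```powershell
# Added example, not part of the original post. Parses the X-Forefront-Antispam-Report
# header value (a ';'-separated list of KEY:VALUE pairs) and explains the SFV stamp.

function ConvertFrom-AntispamReport {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $report = [ordered]@{}
    foreach ($pair in $HeaderValue -split ';') {
        $pair = $pair.Trim()
        if (-not $pair) { continue }
        # Split on the first ':' only. Keys with empty values (CTRY:, H:, PTR:)
        # are still recorded; a missing value becomes an empty string.
        $key, $value = $pair -split ':', 2
        $report[$key.Trim()] = ([string]$value).Trim()
    }
    return $report
}

# Documented SFV values. SKA and SKB are the two introduced with the Spam Filter
# Allow and Block lists; the rest come from the Anti-spam message headers page.
$SfvMeaning = @{
    SKA  = 'Sender or sender domain is on the Spam Filter Allow list; filtering skipped, SCL -1'
    SKB  = 'Sender or sender domain is on the Spam Filter Block list; SCL 9, High Confidence Spam action applies'
    SKN  = 'Marked as not spam by a Transport Rule before filtering'
    SKS  = 'Marked as spam by a Transport Rule before filtering'
    SFE  = 'Sender is on the recipient''s Safe Senders list'
    BLK  = 'Sender is on the recipient''s Blocked Senders list'
    SKI  = 'Skipped filtering (intra-organizational message)'
    SPM  = 'Marked as spam by the content filter'
    NSPM = 'Marked as not spam by the content filter'
}

function Get-SpamVerdict {
    param([Parameter(Mandatory)]$Report)
    $sfv = $Report['SFV']
    $meaning = if ($sfv -and $SfvMeaning.ContainsKey($sfv)) { $SfvMeaning[$sfv] } else { 'Unrecognised SFV value' }
    [pscustomobject]@{
        SFV          = $sfv
        SCL          = [int]$Report['SCL']
        ConnectingIP = $Report['CIP']
        Meaning      = $meaning
    }
}

# Constructed sample header values for illustration (not captured from real mail).
$samples = @(
    'CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKA;H:mail.partner.example;PTR:mail.partner.example'
    'CIP:198.51.100.7;CTRY:;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SKB;H:;PTR:'
)
foreach ($value in $samples) {
    Get-SpamVerdict -Report (ConvertFrom-AntispamReport -HeaderValue $value)
}
```

Paste the header value from the message you are investigating in place of the samples; if the SFV comes back as anything other than SKA or SKB, the new lists were not what decided the verdict and you should look at Transport Rules or the user's own Safe and Blocked Senders lists instead.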

Enforcement Priority

The enforcement priority is listed below, with the Connection Filter taking the highest priority, and the Spam Filter taking the lowest priority.

  1. Connection Filter
  2. End user Safe and Blocked senders
  3. Exchange Transport Rules
  4. Spam Filter Allow and Block lists
  5. Spam Filter


History and when to use

As mentioned above, you can continue to use Transport Rules to manage allow and block lists and completely ignore the Allow and Block lists in the Spam Filter. Think of the new Allow and Block lists as a less complex and less cumbersome method for managing block and allow strategies.

Also keep in mind the downside of Allow lists: if an attacker spoofs a sender or domain that you have safe listed, they get a free ride to the inbox. For very trusted partners that you would like to safe list, I recommend the Transport Rule described above, which looks not only at the sender but also verifies that the DMARC or SPF check passes. These more complex allow scenarios need to stay as Transport Rules.
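The two Transport Rule patterns described here and in the introduction, written out in Exchange Online PowerShell as an added example (this is not code from the original post). It assumes an open Exchange Online PowerShell session; partner.example.com, spam.example and junkmail.example are placeholder domains, and the Authentication-Results header matched by the first rule is the one EOP stamps on inbound mail.

```powershell
# Added example, not from the original post. Assumes an existing Exchange Online
# PowerShell session; all domain names below are placeholders.

# 1. Conditional safe list for a trusted partner. Conditions within one rule are
#    ANDed, so a message must both claim to be from partner.example.com and carry
#    dmarc=pass in the Authentication-Results header that EOP stamps during inbound
#    processing. A spoofed message that fails DMARC does not match the rule and is
#    left to the normal spam filter instead of getting a free ride to the inbox.
New-TransportRule -Name 'Safe list partner.example.com (DMARC pass only)' `
    -SenderDomainIs 'partner.example.com' `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=pass' `
    -SetSCL -1 `
    -Comments 'Bypass spam filtering for authenticated partner mail only.'

# 2. Hard block: delete mail from specific sender domains outright, independent of
#    the action configured for spam in the content filter policy (useful when that
#    action is something other than Delete Message). Use -From 'user@spam.example'
#    instead of -SenderDomainIs to block individual addresses.
New-TransportRule -Name 'Delete mail from blocked domains' `
    -SenderDomainIs 'spam.example', 'junkmail.example' `
    -DeleteMessage $true `
    -Comments 'Hard block: message is dropped without NDR or quarantine.'

# Verify both rules. Transport Rules sit above the Spam Filter Allow and Block lists
# in the enforcement order, so these verdicts apply before those lists are consulted.
'Safe list partner.example.com (DMARC pass only)', 'Delete mail from blocked domains' |
    ForEach-Object { Get-TransportRule -Identity $_ } |
    Format-List Name, Priority, SenderDomainIs, HeaderContainsMessageHeader, HeaderContainsWords, SetSCL, DeleteMessage
```

After creating the first rule, send a test message from the partner domain and check the X-Forefront-Antispam-Report header: the rule sets SCL -1, but because the verdict came from a Transport Rule rather than the new Allow list you will not see SFV:SKA, which is exactly the header visibility difference described above.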

Deployment

Spam Filter Allow and Block lists are currently rolling out so if you do not see them yet in your tenant, you soon will.

Cheers!

Resources

Anti-spam message headers
Configure your spam filter policies

Comments (9)

  1. SNI-DavidM says:

    Andrew, the "Order Of Processing" paragraph is so important in this and probably the most ignored. Thanks for bringing it to the forefront again.

    If my transport rule is programmed to whitelist a domain and stop further transport rules, then is it still reviewed by "Safe and Block"?

    I guess my question is when is a whitelist entry truly white or a black list entry truly black? It continues to be an Achilles heel to understanding all of this.

    Question – Does it require a "YES" from all 5 of the Blueboxes to deliver to Inbox and only a single "NO" to go to Junk/Personal Quarantine/System Quarantine?

    – thanks – David

  2. Tushar Shah says:

    Andrew, it's been a long time since we had a chat; I hope you are doing well. I must say your articles are very educative and I've got them all in my RSS feeds.

    So, adding to what David mentioned, if we have users who have whitelisted a domain, say @microsoft.com, at Outlook level and we've blocked the domain at spam filter level in the Office 365 console – where would those emails land up – inbox / junk / quarantine?

    Also, if a sender domain is blocked by a transport rule, the connecting IP address is in the allowed state, and the user's email address is added to the safe-sender list in the user's Outlook – where would those emails land up – inbox / junk / quarantine?

    -Tushar

  3. Hi David and Tushar, thank you for the great feedback!

    For the most part, the last action to happen is going to be what actually happens. There are some exceptions though. If a transport rule has the action "Redirect to quarantine," nothing further in the processing can change this. I haven’t yet tested all of the different combinations, but I would expect that using the new Allow and Block lists will be the final say as they happen last in the processing (unless a rule moves the message to the quarantine).

    One more thing, I have so far seen a user's "Blocked Senders" list always honored by EOP, no matter what configurations are in place. I would expect this to be the same, although I have not yet tested that particular scenario.

  4. Matt Girgenti says:

    How can I add domains to the Spam Filter "Domain allow list" in bulk? I was hoping for PowerShell, but can't find anything as of yet. In the GUI, I get an error when adding more than a few at a time. Once I get the error, I can't even add 1 for the next 60+ minutes.

  5. Hi Matt, the following should allow you to add in bulk:

    Set-HostedContentFilterPolicy -Identity 'Default' -AllowedSenderDomains @('Microsoft.com','contoso.com','fabrikam.com','tailspintoys.com')

    I’d write a script where the existing list was pulled into a variable using Get-HostedContentFilterPolicy, then import your list from a text or csv file and append it to the variable. Finally, have the script write the contents of the variable back to the list using Set-HostedContentFilterPolicy.

    1. Peter says:

      “Hi Matt, the following should allow you to add in bulk:

      Set-HostedContentFilterPolicy -Identity 'Default' -AllowedSenderDomains @('Microsoft.com','contoso.com','fabrikam.com','tailspintoys.com')

      I’d write a script where the existing list was pulled into a variable using Get-HostedContentFilterPolicy, then import your list from a text or csv file and append it to the variable. Finally, have the script write the contents of the variable back to the list using Set-HostedContentFilterPolicy.”

      I found the easiest way was a csv with no header.

      # One domain per line, no header row; -Header supplies the column name "domains"
      $csvdomains = Import-Csv textfile.csv -Header domains
      # Use the foreach statement (not the % alias, which is ForEach-Object and needs a pipeline);
      # @{Add=...} appends to the existing list rather than replacing it
      foreach ($name in $csvdomains) {
          Set-HostedContentFilterPolicy -Identity "Trusted Customer List" -AllowedSenderDomains @{Add="$($name.domains)"}
      }

  6. I add domains to the safe sender list in the spam filter (hybrid environment with centralized mail flow) but they still get flagged as SCL=5.
    Anything else to do besides using a transport rule?
    Thanks

    1. Hi Turbomcp, I’d start with a message trace to see if anything may be changing the SCL like a transport rule. The problem could also be related to your mail flow if you have a complex routing model. I would start with the message trace (maybe even an Extended Trace) and then go from there based on what the trace shows.
