Spam quarantine in Exchange 2016
Summary: Learn how the spam quarantine in Exchange 2016 allows an administrator to review suspicious messages.
Many organizations are bound by legal or regulatory requirements to preserve or deliver all legitimate email messages. In Exchange Server 2016, spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate incoming email messages by providing a temporary storage location for messages that are identified as spam. Spam quarantine is basically unchanged from Exchange Server 2010.
Messages that are identified as spam by the Content Filter agent are wrapped in a non-delivery report (also known as an NDR, delivery status notification, DSN, or bounce message) and delivered to the designated spam quarantine mailbox inside the organization. Administrators can use Microsoft Outlook to review the messages in the spam quarantine mailbox and take appropriate action. For example, you can delete messages, or release legitimate messages to their intended recipients. In addition, you can configure the spam quarantine mailbox to automatically delete messages after a designated time period.
To use the spam quarantine, follow these steps:
Verify content filtering is enabled.
Create a dedicated mailbox for spam quarantine.
Specify the spam quarantine mailbox.
Configure the SCL quarantine threshold.
Manage the spam quarantine mailbox.
Adjust the SCL quarantine threshold as needed.
For detailed instructions, see Configure a spam quarantine mailbox.
The Content Filter agent evaluates incoming messages and applies a spam confidence level (SCL) to each message. The SCL is a numeric value from 0 through 9, where 0 is considered very unlikely to be spam, and 9 is considered very likely to be spam. You can configure the Content Filter agent to take progressively more serious action based on a higher SCL value. For example:
SCL is 8 or higher: Silently delete the message.
SCL is 7: Reject the message with an NDR.
SCL is 6: Quarantine the message.
SCL is 5: Deliver the message to the user's Junk Email folder.
SCL is 4 or lower: Deliver the message to the user's Inbox.
For more information, see Exchange spam confidence level (SCL) thresholds.
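The setup steps and the example thresholds above can be applied together from the Exchange Management Shell. The following is an added example, not taken from the original page or from Microsoft's documentation. The mailbox name and the address spamquarantine@contoso.com are placeholders, and the sketch assumes the Content Filter agent is already installed on the server.

```powershell
# Added example: run in the Exchange Management Shell.
# The quarantine mailbox name and address are placeholders (assumptions).
$QuarantineAddress = 'spamquarantine@contoso.com'

# Thresholds matching the example list above. Delete, reject and quarantine
# act on SCL >= threshold; the junk threshold acts on SCL > threshold.
$Delete     = 8   # SCL 8-9: silently delete
$Reject     = 7   # SCL 7:   reject with an NDR
$Quarantine = 6   # SCL 6:   quarantine
$Junk       = 4   # SCL 5:   Junk Email folder; SCL 0-4: Inbox

# Guard: each action needs its own SCL band, so the values must be strictly
# ordered. Otherwise a stricter action would swallow the quarantine band.
if (-not ($Delete -gt $Reject -and $Reject -gt $Quarantine -and $Quarantine -gt $Junk)) {
    throw 'Thresholds must satisfy Delete > Reject > Quarantine > Junk.'
}

# Step 1: verify content filtering is enabled.
if (-not (Get-ContentFilterConfig).Enabled) {
    Set-ContentFilterConfig -Enabled $true
}

# Step 2: create a dedicated mailbox for spam quarantine if it is missing.
if (-not (Get-Mailbox -Identity $QuarantineAddress -ErrorAction SilentlyContinue)) {
    New-Mailbox -Name 'Spam Quarantine' -UserPrincipalName $QuarantineAddress `
        -Password (Read-Host -Prompt 'Quarantine mailbox password' -AsSecureString)
}

# Steps 3 and 4: specify the quarantine mailbox and set the SCL thresholds.
Set-ContentFilterConfig -QuarantineMailbox $QuarantineAddress `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold $Delete `
    -SCLRejectEnabled $true     -SCLRejectThreshold $Reject `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold $Quarantine

# The Junk Email threshold is an organization-wide setting.
Set-OrganizationConfig -SCLJunkThreshold $Junk

# Review the resulting configuration before relying on it.
Get-ContentFilterConfig | Format-List Enabled, QuarantineMailbox, SCL*
Get-OrganizationConfig  | Format-List SCLJunkThreshold
```

To adjust the quarantine threshold later, change the values at the top and rerun the script so the ordering check still applies.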
As you monitor the spam quarantine mailbox, you can view the results of antispam filtering by inspecting the antispam stamps (X-header fields) that were applied to the message. For more information, see View antispam stamps in Outlook. You can then adjust the SCL thresholds to more accurately filter the spam that's coming into your organization. For example, you might adjust the thresholds in these situations:
Too many legitimate messages are sent to the spam quarantine mailbox (too many false positives).
Too many obvious spam messages are sent to the quarantine mailbox (not enough spam is rejected or deleted).
To release a false positive from the spam quarantine to the intended recipient, see the following topics: