An Early Gift, EOP Bulk Mail Detection - The Easy Way
This past summer we added new bulk detection capabilities to Exchange Online Protection. At the time, if you wanted to take advantage of these new capabilities you had to add an EOP transport rule to detect the BCL (bulk complain level) that EOP stamped on incoming messages. This new capability worked wonderfully, but the problem was that it was not discoverable to customers (unless you read our blogs or TechNet), and second, to implement this you had to create a transport rule that contained regex (while not difficult, it still added a level of complexity to the implementation).
Starting soon we hope to elevate both of these problems by making this new capability both discoverable and configurable in the EOP / Exchange Online portal. This means you will no longer need to create a transport rule to take advantage of EOPs bulk mail detection capability, sweet!
Technology wise not a lot has changed since BCL stamping was first enabled this past summer. Since implementation the detection capabilities have continued to be improved, but the big change now is that you can enable this capability in the portal with ease by checking a box (as opposed to creating an EOP transport rule). This means that those misguided individuals that do not read my blog will now see and learn about this new capability when they log in to the portal. Luckily you are one of the elite that don’t fall into that category!
Note that this will be rolling out soon, so don’t worry if you don’t see these changes yet.
This new setting will be configurable in your Content Filter. Here’s what you will see when this change has gone live in your portal.
By default, any messages marked with a BCL of 7 or higher will be marked as spam. Depending on your organization you can either raise or lower this threshold like so.
I would recommend that administrators start collecting missed spam messages that have landed in end users inboxes. Look through the headers and take note of what the average BCL value appears to be. This will give you a good indication where you should initially set this threshold. The BCL value can be seen in the X-Microsoft-Antispam header.
What is the Bulk Complaint Level?
Let’s take a brief step back and review the bulk complain level feature. The BCL value will be stamped in the header of all messages that pass through EOP (look for the X-Microsoft-Antispam header). The value can range between 0 and 9 and is based on feedback we receive from customers on what they do and do not want to receive. The following shows what you can expect a particular BCL rating to indicate.
How it worked in the past
Before we launched the Bulk Complain Level system, bulk mail detection was an option in the Advanced Options of the content filter that could be turned On or Off. With this older implementation, mail was determined as bulk based on the sending IP. This method quickly became dated and did not give customers a sliding scale to set just how sensitive they wanted EOP to be when it came to bulk mail. A sliding scale is very important as some customers want to receive bulk mail, others do not, and others are right in the middle. Our new bulk mail detection capability will replace this older switch.
My experience with bulk mail
In my role I do a lot of consults with customers that are receiving large amounts of spam that appear to have been missed by EOP. In every single one of these cases, a large number of the messages that appeared to be missed were actually marked as bulk (tagged with a BCL value) by EOP. However, because the customer had not created the bulk transport rule, EOP would not treat bulk mail as spam.
In all of these cases I had the customers create the bulk transport rule which drastically reduced the amount of spam they received. Personally I’m very excited that this capability will soon be visible in the portal as more customers will learn about it and subsequently implement it.
What if you have already implemented a transport rule to detect the BCL value?
For these customers nothing needs to change. The transport rule that you would have created (see the first rule on the page, Use transport rules to aggressively filter bulk email messages) does exactly the same thing that the check box will do once it has gone live in your portal. To clean up your transport rules, I would recommend enabling the bulk mail check box once it has gone live in your portal, and at this point you will then be able to delete the transport rule that you had previously created.
Having this feature visible in the portal is a massive step forward in educating customers on this new capability. For those that have not created a transport rule to detect the BCL value, I would recommend waiting until this capability appears in your portal (unless of course it can’t wait), and until it does collect samples of spam that have come through and take note of the stamped BCL value to get an idea of where you will want to set this threshold.
Block spam this holiday season with the new enhanced bulk mail experience in EOP
Bulk Complaint Level values
Anti-spam message headers
What’s the difference between junk email and bulk email?
Use transport rules to aggressively filter bulk email messages (see rules 2 & 3 if you need EOP to be even more aggressive with bulk mail)
Create a transport rule to identify mail as spam or not spam by setting the SCL