Use mail flow rules to filter bulk email in EOP

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP uses anti-spam policies (also known as spam filter policies or content filter policies) to scan inbound messages for spam and bulk mail (also known as gray mail). For more information, see Configure anti-spam policies in EOP.

If you want more options to filter bulk mail, you can create mail flow rules (also known as transport rules) to search for text patterns or phrases that are frequently found in bulk mail, and mark those messages as spam. For more information about bulk mail, see What's the difference between junk email and bulk email? and Bulk complaint level (BCL) in EOP.

This topic explains how create these mail flow rules in the Exchange admin center (EAC) and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

Use the EAC to create mail flow rules that filter bulk email

  1. In the EAC, go to Mail flow > Rules.

  2. Click Add Add icon and then select Create a new rule.

  3. In the New rule page that opens, configure the following settings:

    • Name: Enter a unique, descriptive name for the rule.

    • Click More Options.

    • Apply this rule if: Configure one of the following settings to look for content in messages using regular expressions (RegEx) or words or phrases:

      • The subject or body > subject or body matches these text patterns: In the Specify words or phrases dialog that appears, enter one of the following values, click Add Add Icon, and repeat until you've entered all the values.

        • If you are unable to view the content of this email\, please
        • \>(safe )?unsubscribe( here)?\</a\>
        • If you do not wish to receive further communications like this\, please
        • <img height="?1"? width="?1"? src=.?http\://
        • To stop receiving these+emails\:http\://
        • To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)
        • no longer (wish )?(to )?(be sent|receive) w+ email
        • If you are unable to view the content of this email\, please click here
        • To ensure you receive (your daily deals|our e-?mails)\, add
        • If you no longer wish to receive these emails
        • to change your (subscription preferences|preferences or unsubscribe)
        • click (here to|the) unsubscribe

      To edit an entry, select it and click Edit Edit icon. To remove an entry, select it and click Remove Remove icon.

      When you're finished, click OK.

      • The subject or body > subject or body includes any of these words: In the Specify words or phrases dialog that appears, enter one of the following values, click Add Add Icon, and repeat until you've entered all the values.

        • to change your preferences or unsubscribe
        • Modify email preferences or unsubscribe
        • This is a promotional email
        • You are receiving this email because you requested a subscription
        • click here to unsubscribe
        • You have received this email because you are subscribed
        • If you no longer wish to receive our email newsletter
        • to unsubscribe from this newsletter
        • If you have trouble viewing this email
        • This is an advertisement
        • you would like to unsubscribe or change your
        • view this email as a webpage
        • You are receiving this email because you are subscribed

      To edit an entry, select it and click Edit Edit icon. To remove an entry, select it and click Remove Remove icon.

      When you're finished, click OK.

    • Do the following: Select Modify the message properties > set the spam confidence level (SCL). In the Specify SCL dialog that appears, configure one of the following settings:

      • To mark messages as Spam, select 6. The action that you've configured for Spam filtering verdicts in your anti-spam policies is applied to the messages (the default value is Move message to Junk Email folder).

      • To mark messages as High confidence spam select 9. The action that you've configured for High confidence spam filtering verdicts in your anti-spam policies is applied to the messages (the default value is Move message to Junk Email folder).

    For more information about SCL values, see Spam confidence level (SCL) in EOP.

    When you're finished, click Save

Use PowerShell to create mail flow rules that filter bulk email

Use the following syntax to create one or both of the mail flow rules (regular expressions vs. words):

New-TransportRule -Name "<UniqueName>" [-SubjectOrBodyMatchesPatterns "<RegEx1>","<RegEx2>"...] [-SubjectOrBodyContainsWords "<WordOrPhrase1>","<WordOrPhrase2>"...] -SetSCL <6 | 9>

This example creates a new rule named "Bulk email filtering - RegEx" that uses the same list of regular expressions from earlier in the topic to set messages as Spam.

New-TransportRule -Name "Bulk email filtering - RegEx" -SubjectOrBodyMatchesPatterns "If you are unable to view the content of this email\, please","\>(safe )?unsubscribe( here)?\</a\>","If you do not wish to receive further communications like this\, please","\<img height\="?1"? width\="?1"? src=.?http\://","To stop receiving these+emails\:http\://","To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)","no longer (wish )?(to )?(be sent|receive) w+ email","If you are unable to view the content of this email\, please click here","To ensure you receive (your daily deals|our e-?mails)\, add","If you no longer wish to receive these emails","to change your (subscription preferences|preferences or unsubscribe)","click (here to|the) unsubscribe"... -SetSCL 6

This example creates a new rule named "Bulk email filtering - Words" that uses the same list of words from earlier in the topic to set messages as High confidence spam.

New-TransportRule -Name "Bulk email filtering - Words" -SubjectOrBodyContainsWords "to change your preferences or unsubscribe","Modify email preferences or unsubscribe","This is a promotional email","You are receiving this email because you requested a subscription","click here to unsubscribe","You have received this email because you are subscribed","If you no longer wish to receive our email newsletter","to unsubscribe from this newsletter","If you have trouble viewing this email","This is an advertisement","you would like to unsubscribe or change your","view this email as a webpage","You are receiving this email because you are subscribed" -SetSCL 9

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?

To verify that you've configured mail flow rules to filter bulk email, do any of the following steps:

  • In the EAC, go to Mail flow > Rules > select the rule > click Edit Edit icon, and verify the settings.

  • In PowerShell, replace <Rule Name> with the name of the rule, and run the following command to verify the settings:

    Get-TransportRule -Identity "<Rule Name>" | Format-List
    
  • From an external account, send a test messages to an affected recipient that contains one of the phrases or text patterns, and verify the results.