Advanced spam filtering options
Advanced spam filtering options give administrators the ability to inspect various content attributes of a message. The presence of these attributes in a message either increases the spam score of the message (thereby increasing the potential for it to be identified as spam) or marks the message as spam. The ASF options target specific message properties, such as HTML tags and URL redirection, which are commonly found in spam messages.
Enabling ASF options is an aggressive approach to spam filtering, and any messages that are filtered by these options cannot be reported as false positives. These messages can be identified through periodic end-user spam notifications and salvaged from the spam quarantine. They can also be identified via the X-header text that's specific to each ASF option and that appears in the Internet header of messages where an ASF option has been matched. For more information, see Anti-spam message headers.
ASF options can be set on, off, or to test mode when you edit your content filter policies. For more information, see Configure your spam filter policies. Test mode is not available for the NDR backscatter, SPF record: hard fail, Conditional Sender ID filtering: hard fail, and Bulk mail options.
Consider enabling your ASF options in test mode in order to maximize spam blocking based upon your environment. For customers with high spam percentages for specific ASF options, we recommend that you test these options first before implementing them in your production environment. If you're concerned about phishing in your organization, turn on the SPF record: hard fail option.
The following table describes each advanced spam filtering option.
| Advanced Spam Filtering Option | Description | X-header added |
|---|---|---|
| Increase Spam Score Section | When enabled, these options set the spam confidence level (SCL) of a matched message to 5 or 6, which is considered suspected spam. The action performed on the message will match the Spam setting in your content filter policy. | |
| Image links to remote sites | When this setting is enabled, any message with HTML content that has an IMG tag that links remotely (for example, using http) will receive an increased spam score. | X-CustomSpam: Image links to remote sites |
| Numeric IP address in URL | When this setting is enabled, any message that has numeric-based URLs (most often in the form of an IP address) will receive an increased spam score. | X-CustomSpam: Numeric IP in URL |
| URL redirect to other port | When this setting is enabled, any message that contains a hyperlink that redirects the user to ports other than port 80 (regular HTTP protocol port), 8080 (HTTP alternate port), or 443 (HTTPS port) will receive an increased spam score. | X-CustomSpam: URL redirect to other port |
| URL to .biz or .info websites | When this setting is enabled, any message that contains a .biz or .info extension in the body of a message will receive an increased spam score. | X-CustomSpam: URL to .biz or .info websites |
| Mark as Spam Section | When enabled, these options set the spam confidence level (SCL) of a matched message to 9, which is considered certain spam. The action performed on the message will match the High confidence spam setting in your content filter policy. | |
| Empty messages | When this setting is enabled, any message in which the body and subject line are both empty, and which also has no attachment, will be marked as spam. | X-CustomSpam: Empty Message |
| Frame or IFrame tags in HTML | When this setting is enabled, any message that contains the `<Frame>` or `<IFrame>` HTML tag will be marked as spam. These tags are used on websites or in HTML messages to format the page for displaying text or graphics. | X-CustomSpam: IFRAME or FRAME in HTML |
| Object tags in HTML | When this setting is enabled, any message that contains the `<Object>` HTML tag will be marked as spam. This HTML tag allows plug-ins or applications to run in an HTML window. | X-CustomSpam: Object tag in html |
| Embed tags in HTML | When this setting is enabled, any message that contains the `<Embed>` HTML tag will be marked as spam. This HTML tag allows different kinds of documents of varying data types to be embedded into an HTML document. Examples include sounds, movies, or pictures. | X-CustomSpam: Embed tag in html |
| Form tags in HTML | When this setting is enabled, any message that contains the `<Form>` HTML tag will be marked as spam. This HTML tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient. | X-CustomSpam: Form tag in html |
| Web bugs in HTML | When this setting is enabled, any message that contains a Web bug will be marked as spam. A Web bug is a graphic that is designed to determine whether a Web page or email message has been read. Web bugs are often invisible to the recipient because they are typically added to a message as a graphic that is as small as one pixel by one pixel. Legitimate newsletters may also use this technique, although many consider this an invasion of privacy. | X-CustomSpam: Web bug |
| Apply sensitive word list | When this setting is enabled, any message that contains a word from the sensitive word list will be marked as spam. Using the sensitive word list allows easy blocking of words that are associated with potentially offensive messages. Some of these words are case sensitive. As an administrator, you cannot edit this list. Filtering against the sensitive word list is applied to both the subject and message body of a message. | X-CustomSpam: Sensitive word in subject/body |
| SPF record: hard fail | When this setting is enabled, messages that fail an SPF check (meaning they were sent from an IP address not specified in the SPF record) will be marked as spam. Turning this setting on is recommended for organizations that are concerned about receiving phishing messages. Test mode is not available for this option. | X-CustomSpam: SPF Record Fail |
| Conditional Sender ID filtering: hard fail | When this setting is enabled, any message that hard fails a conditional Sender ID check is marked as spam. This option combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. Test mode is not available for this option. | X-CustomSpam: SPF From Record Fail |
| NDR backscatter | If you're using EOP to protect on-premises mailboxes, when this setting is enabled, all legitimate non-delivery report (NDR) messages are delivered to the original sender, and all backscatter (illegitimate NDR) messages will be marked as spam. If you don't enable this setting, then all NDRs still go through spam filtering. In this case, most legitimate messages will get delivered to the original sender while some, but not all, backscatter messages will get marked as spam. However, backscatter messages that aren't marked as spam won't go to the original sender because they will go to the spoofed sender. If you're using the service to protect Exchange Online cloud-hosted mailboxes, you don't need to configure this setting. For both scenarios (on-premises and cloud-hosted mailboxes), it's also not necessary to enable this setting for outbound mail sent through the service, as NDRs that are legitimate bounce messages will be automatically detected and delivered to the original sender. Test mode is not available for this option. TIP: For more information about backscatter messages and EOP, see Backscatter messages and EOP. | X-CustomSpam: Backscatter NDR |
| Bulk mail | Advanced-spam filtering of bulk email has been retired and replaced with the bulk and email threshold settings. Check out What's the difference between junk email and bulk email? and Configure your spam filter policies for more information and how to configure the settings. | X-CustomSpam: Bulk Mail |
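
Because each ASF option stamps its own X-CustomSpam text, messages salvaged from quarantine can be grouped by the option that matched them. The following Python script is an added example, not part of the original documentation: it reads raw messages, collects their X-CustomSpam headers, and tallies them by table section. The sample messages are constructed, and the function names and section labels are assumptions of the example.

```python
from collections import Counter
from email import message_from_string

# Section labels are this example's own; SCL values are from the table above.
INCREASE = "increase spam score (SCL 5 or 6)"
MARK = "mark as spam (SCL 9)"

# X-CustomSpam values copied from the table above, grouped by table section.
SECTIONS = {
    INCREASE: [
        "Image links to remote sites", "Numeric IP in URL",
        "URL redirect to other port", "URL to .biz or .info websites",
    ],
    MARK: [
        "Empty Message", "IFRAME or FRAME in HTML", "Object tag in html",
        "Embed tag in html", "Form tag in html", "Web bug",
        "Sensitive word in subject/body", "SPF Record Fail",
        "SPF From Record Fail", "Backscatter NDR", "Bulk Mail",
    ],
}
# Case-insensitive lookup: folded header value -> (canonical value, section).
LOOKUP = {v.casefold(): (v, s) for s, vals in SECTIONS.items() for v in vals}

def asf_matches(raw_message):
    """Return [(X-CustomSpam value, section)] for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("X-CustomSpam", []):
        text = " ".join(str(value).split())  # unfold folded header lines
        hits.append(LOOKUP.get(text.casefold(), (text, "unrecognized value")))
    return hits

def tally(raw_messages):
    """Count matches per (section, value) across a batch of messages."""
    return Counter((section, value) for raw in raw_messages
                   for value, section in asf_matches(raw))

# Constructed sample messages (not real mail); example.* names are placeholders.
SAMPLES = [
    "From: news@example.com\nSubject: Offer\n"
    "X-CustomSpam: Numeric IP in URL\nX-CustomSpam: Web bug\n\nbody\n",
    "From: a@example.net\nSubject: Hi\n"
    "X-CustomSpam: URL redirect\n to other port\n\nbody\n",
    "From: b@example.org\nSubject: Plain\n\nno ASF header here\n",
]

if __name__ == "__main__":
    for (section, value), n in sorted(tally(SAMPLES).items()):
        print(f"{n:3d}  {section:34s}  {value}")
```

A high count for one option among messages your users later release from quarantine is a sign that the option is too aggressive for your mail flow.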