Block email spam with the Office 365 spam filter to prevent false negative issues
Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware. If you have mailboxes in Office 365, they are already protected by default with EOP.
You can help ensure that spam and junk messages are blocked by adjusting your Office 365 spam filter. This helps prevent false negatives, where email spam is allowed through to a user inbox. As an Exchange Online or Exchange Online Protection (EOP) administrator, use the following steps to adjust your Office 365 anti-spam filter and help prevent spam from being delivered to your users' inboxes.
Customize the Office 365 anti-spam filter with these settings
An admin can use several Office 365 spam filter settings to help prevent email spam from being delivered to a user inbox. The Office 365 spam filter will be better able to block email spam and prevent false negatives if you use the options listed here. In this context, a false negative is an email spam or junk message that is delivered to a user inbox.
Block IP addresses with a connection filter
Customize your Office 365 spam filter by adding the sender IP address to the connection filter IP block list:
Obtain the headers for the message you want to block in your mail client such as Outlook or Outlook Web App, as described in Message Header Analyzer.
Search for the IP address following the CIP tag in the X-Forefront-Antispam-Report header using the message header analyzer or manually.
Add the IP address to the IP Block list by following the steps in "Use the EAC to edit the default connection filter policy" in Configure the Connection Filter Policy.
Block bulk mail with transport rules or the spam filter
Is the spam primarily bulk mail, for example, newsletters or promotions? You can customize the spam filter in Office 365 by following Use transport rules to aggressively filter bulk email messages, or by turning on the Bulk mail setting in your spam filter's Advanced Spam Filtering Options. In the Exchange Admin center, get started by clicking Protection > Content filter and then double-clicking the filter policy you want to adjust. Click Spam and bulk mail actions to adjust the settings.
Block email spam using spam filter block lists
Configure your spam filter policies to add the sender address to the sender block list or the domain to the domain block list in the spam filter. Emails from a sender or domain on a spam filter block list will be marked as spam.
Advanced spam filtering options
For more spam settings that apply to the whole organization, take a look at Prevent false positive email marked as spam with a safelist or other techniques. This is helpful if you have administrator-level control and you want to prevent false positives.
Email users can also help ensure that false negatives and email spam are blocked with the Office 365 spam filter
You can support your Office 365 anti-spam efforts to prevent false negatives and junk mail by telling your users to add the spam sender address to their blocked sender list in Outlook or Outlook Web App. In Outlook Web App, get started by clicking Settings > Options > Block or allow, and then adding the address to the Blocked senders list.
For more detailed information about safe sender lists, see Safe Sender and Blocked Sender Lists FAQ.
The previous paragraphs in this subsection apply only to customers who use EOP as a service to protect on-premises email systems or as part of a hybrid email deployment. Learn more about EOP at the Exchange Online Protection home page.
EOP-only customers: Set up the Office 365 spam filter to block email spam
For EOP-only customers with on-premises mailboxes: If you set up a spam filter with the default action, Move message to Junk Email folder, follow the required steps provided in Ensure that spam is routed to each user's Junk Email folder. We've tried to make this easy by providing the Exchange Management Shell commands in a separate topic, as well as a link to more general information about how to get started with the shell.
It will help you to avoid false negative email spam if you sync user settings with the service via directory synchronization to ensure that your blocked senders are respected. For more information, see "Use directory synchronization to manage mail users" in Manage mail users in EOP.
EOP-only customers who are not using directory synchronization
The EOP service is designed to honor the user's safe and blocked senders, if the information has been shared with the service. If you are an EOP customer using Outlook, but do not have Directory Synchronization configured to sync your users to Office 365, you can still stop messages from being delivered to your users' inbox using blocked senders. However, you may have to set up some Exchange mail flow rules in the following situations:
If a message goes through regular spam filtering through EOP and then is delivered to a local on-premises Exchange server, and EOP assigns a spam verdict of SCL 1-4 (non-spam), then your users' local blocked senders list will override the EOP spam filter verdict and deliver it to their junk email folder.
If a message in EOP is assigned SCL -1 by an Exchange mail flow rule or because the IP address or domain is in your allow list, the SCL is propagated to the on-premises Exchange server using connectors. In this case, your users' blocked senders lists will not be enforced. To change this, you can create a local mail flow rule that sets the SCL to 0. This will cause Outlook to enforce each user's local blocked senders list.
To set up a mail flow rule to stop messages from being delivered to your users' inbox by using the blocked senders list
Open the Exchange Management Shell on your on-premises server. To learn how to open the Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
Run the following command to route content-filtered spam messages to the Junk Email folder in order to update the SCL on every message that was marked with SCL -1:
New-TransportRule "NameForRule" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SCL:-1" -SetSCL 0
Because the SCL is 0 on your on-premises Exchange server, non-spam will be delivered to your users' inboxes, while each user's local blocked senders list can still send messages to junk email. If you are using spam quarantine in EOP, it is still possible that senders who are on your users' safe lists will be identified as spam and sent to quarantine. If you are using the Junk Mail Folder in your local mailbox, however, this will allow delivery to the Inbox for safe senders.
If you use a mail flow rule to change the SCL value to 0 (or any value other than -1), then all of the Outlook junk mail options will apply to the message. This means that blocked and safe lists will be honored, but it also means that messages that do not have addresses from the blocked or safe lists will potentially be marked as junk by the client-side junk mail filter processing. If you want to have Outlook process the blocked and safe lists, but not use the client-side junk mail filter, you must set the option to "No Automatic Filtering" in Outlook Junk Mail Options. "No Automatic Filtering" is the default option in the latest versions of Outlook, but you should confirm that this setting is in place to ensure the client-side junk mail filter is not applied to the messages. As an administrator, you can enforce disabling the Outlook Junk Email filtering by following the instructions in Outlook: Policy setting to disable the Junk E-mail UI and filtering mechanism.
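The two header lookups described above (the CIP value used for the connection filter IP Block list, and the SCL value the on-premises mail flow rule matches) can be done in one pass over pasted message headers. This is an added example, not part of the original article or a Microsoft script; the function name Get-AntispamReport and the sample headers are constructed for illustration.

```powershell
# Constructed sample headers (not from a real message); 203.0.113.45 is a documentation address.
$sampleHeaders = @'
Received: from mail.example.net (203.0.113.45) by mx.example.com
X-Forefront-Antispam-Report: CIP:203.0.113.45;CTRY:;LANG:en;SCL:-1;
 SFV:SKN;PTR:mail.example.net;
Subject: Constructed sample
'@

function Get-AntispamReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Headers)

    # Unfold continuation lines: a line that starts with whitespace continues the previous header.
    $unfolded = $Headers -replace '\r?\n(?=[ \t])', ''
    $line = $unfolded -split '\r?\n' |
        Where-Object { $_ -match '^X-Forefront-Antispam-Report:' } |
        Select-Object -First 1
    if (-not $line) { throw 'No X-Forefront-Antispam-Report header found.' }

    # Split "TAG:value;TAG:value;..." into a lookup table.
    # The split is limited to 2 parts so an IPv6 CIP value keeps its colons.
    $fields = @{}
    foreach ($pair in (($line -replace '^[^:]+:\s*', '') -split ';')) {
        $tag, $value = $pair.Trim() -split ':', 2
        if ($tag) { $fields[$tag] = $value }
    }

    # Report the CIP only if it parses as an IP address, so a malformed
    # value is never copied into the IP Block list.
    $ip = $null
    [void][System.Net.IPAddress]::TryParse([string]$fields['CIP'], [ref]$ip)
    $scl = if ($fields.ContainsKey('SCL')) { [int]$fields['SCL'] } else { $null }

    [pscustomobject]@{
        ClientIP      = if ($ip) { $ip.ToString() } else { $null }
        Scl           = $scl
        # SCL -1 is the value the on-premises mail flow rule above resets to 0.
        NeedsSclReset = ($scl -eq -1)
    }
}

Get-AntispamReport -Headers $sampleHeaders
```

Before adding ClientIP to the IP Block list, confirm it is the external sender and not one of your own gateways or a shared relay used by legitimate senders.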