Manage anti-spam protection


Anti-spam agents are typically enabled on a Mailbox server when an organization doesn't have an Edge Transport server and doesn't have some other form of anti-spam filtering in front of its incoming mail. On an Edge Transport server the agents are installed and enabled by default; on a Mailbox server they have to be installed with the Install-AntiSpamAgents.ps1 script from the Exchange Scripts folder, after which the transport service must be restarted. In these situations, you should consider implementing the following agents. The agents available on each server role differ:

Anti-spam agents on Mailbox servers: Sender Filter agent, Sender ID agent, Content Filter agent.

Anti-spam agents on Edge Transport servers: Connection Filtering agent, Sender Filter agent, Sender ID agent, Recipient Filter agent, Content Filter agent, Attachment Filtering agent.

Sender Filter agent. Sender filtering compares the sender's email address (the address given in the SMTP MAIL FROM command) to a list of senders or sender domains that are prohibited from sending messages to your organization, and can also block messages with a blank sender. For more information, see Sender filtering.

Connection Filtering agent. Connection filtering examines the IP address of the connecting SMTP server and uses an IP blocklist, IP allowlist, IP blocklist providers, and IP allowlist providers to determine whether the connection should be blocked or allowed. Because it acts before any message data is accepted, it's the cheapest place to stop known-bad sources. For more information, see Connection filtering on Edge Transport servers.

Sender ID agent. Sender ID relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender, checked against the SPF record published for the PRA's domain, to determine whether the sending email address is spoofed. By default the result is stamped on the message and feeds into the content filter's spam confidence level rather than rejecting the message outright. For more information, see Sender ID.

Recipient Filter agent. Recipient filtering uses a recipient blocklist to identify messages that aren't allowed to enter the organization. The recipient filter also uses the local recipient directory to reject messages sent to invalid recipients. For more information, see Recipient filtering procedures on Edge Transport servers.

Content Filter agent. The Content filtering agent assigns a spam confidence level (SCL) to each message based on data from both legitimate messages and spam messages. For more information, see Content filtering.

Spam quarantine, which is a component of the Content Filter agent, reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for suspicious messages, so an administrator can review the messages. For more information, see Spam quarantine in Exchange Server.

Content filtering also uses the safelist aggregation feature. Safelist aggregation collects the Safe Senders, Safe Recipients, and Blocked Senders lists that users configure in Microsoft Outlook and Outlook on the web and makes this information available to the Content Filter agent, so that mail from a user's safe senders isn't treated as spam for that user. For more information, see Safelist aggregation.

Attachment Filtering agent. Attachment filtering blocks messages or attachments based on the attachment file name, extension, or MIME content type. For more information, see Attachment filtering on Edge Transport servers.
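The following Exchange Management Shell script is an added example, not code from the module, that wires up the agents described above in the order they run in the transport pipeline. Everything organization-specific in it is a constructed placeholder (the IP ranges, the blocklist provider lookup domain, the example sender domains, the quarantine mailbox address, and the $OnEdgeTransport switch that marks which cmdlets only apply on an Edge Transport server); substitute your own values before running it.

```powershell
# Added example: configure the built-in Exchange anti-spam agents from the Exchange Management Shell.
# Assumption: $OnEdgeTransport is set by the admin; Connection, Recipient and Attachment filtering cmdlets
# below are only meaningful on an Edge Transport server.
$OnEdgeTransport = $false

if (-not $OnEdgeTransport) {
    # Mailbox servers do not have the agents enabled by default; install them and restart transport.
    & "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
    Restart-Service MSExchangeTransport
    # Tell the agents which internal SMTP hops to skip when reading Received headers
    # (placeholder address; use your own internal relays).
    Set-TransportConfig -InternalSMTPServers @{Add = '10.0.0.5'}
}

if ($OnEdgeTransport) {
    # 1. Connection filtering: decided from the connecting IP before any message data is accepted.
    Add-IPBlockListEntry -IPRange '192.0.2.0/24' -Comment 'Constructed example range'
    Add-IPAllowListEntry -IPAddress '203.0.113.10' -Comment 'Constructed example partner relay'
    # Placeholder provider name and lookup domain; point this at the RBL you actually subscribe to.
    Add-IPBlockListProvider -Name 'Example RBL' -LookupDomain 'rbl.example.net' -AnyMatch $true `
        -RejectionResponse 'Connection refused: source IP is listed by the configured blocklist provider'
    Set-IPBlockListConfig -Enabled $true
    Set-IPBlockListProvidersConfig -Enabled $true

    # 2. Recipient filtering: reject mail to invalid or honeypot recipients at RCPT TO.
    # Recipient validation on Edge requires EdgeSync so the server has a copy of the recipient list.
    Set-RecipientFilterConfig -RecipientValidationEnabled $true -BlockListEnabled $true `
        -BlockedRecipients 'honeypot@contoso.example'
}

# 3. Sender filtering: reject, don't stamp, because these senders were blocked on purpose.
Set-SenderFilterConfig -Enabled $true -Action Reject -BlankSenderBlockingEnabled $true `
    -BlockedSenders 'spammer@example.net' -BlockedDomainsAndSubdomains 'spam.example'

# 4. Sender ID: keep the default stamping behaviour so an SPF failure raises the SCL
# instead of rejecting on its own (legitimate forwarders fail SPF regularly).
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction StampStatus -TempErrorAction StampStatus

# 5. Content filtering: thresholds must satisfy delete > reject > quarantine.
# Quarantined messages are delivered as NDRs to the quarantine mailbox, which must be a real mailbox.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -QuarantineMailbox 'spamquarantine@contoso.example'
# Messages below the quarantine threshold but at or above this value go to the user's Junk Email folder.
Set-OrganizationConfig -SCLJunkThreshold 4

if ($OnEdgeTransport) {
    # 6. Attachment filtering: block by file name pattern and by MIME content type.
    Add-AttachmentFilterEntry -Name '*.exe' -Type FileName
    Add-AttachmentFilterEntry -Name 'application/x-msdownload' -Type ContentType
    Set-AttachmentFilterListConfig -Action Reject `
        -RejectResponse 'Message rejected: attachment type not accepted by this organization'
}

# Confirm every agent is present and enabled, in pipeline priority order.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize
```

Run the script on the server whose agents you are configuring; the final Get-TransportAgent listing is the check that the agents you expect (and only those) are enabled. The thresholds and the Sender ID action deliberately match the module's advice to start conservative and tighten later as monitoring justifies it.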

Strategy for implementing an anti-spam solution

Providing anti-spam protection is a balancing act between blocking unwanted messages and allowing legitimate messages. If the anti-spam features are configured too aggressively, you'll likely block too many legitimate messages (false positives). If you configure the anti-spam features too loosely, you'll likely allow too much spam into your organization.

Organizations should consider the following best practices when configuring the built-in anti-spam features in Exchange:

  • Reject messages that are identified by the Connection Filtering agent, Recipient Filter agent, and Sender Filter agent rather than quarantining the messages or applying anti-spam stamps. This approach is recommended for the following reasons:

    • Messages that are identified by the default settings of connection filtering, recipient filtering, or sender filtering typically don't require further tests to determine whether they're unwanted. For example, if you configured sender filtering to block specific senders, there's no reason to continue processing messages from those senders. If you didn't want the messages rejected, you wouldn't have put the senders on the blocked senders list in the first place.
    • Configuring a more aggressive level for the anti-spam agents that process messages early in the transport pipeline saves processing, bandwidth, and disk resources. The further a message travels along the transport pipeline, the greater number of variables that the remaining anti-spam features must evaluate to successfully identify the message as spam. As such, the basic rule of thumb is to reject obvious messages early so that you can process ambiguous messages later.
  • Monitor the effectiveness of the anti-spam features at their current configuration levels. Monitoring enables you to react to trends and adjust the aggressiveness of the settings as needed. Start with the default settings to minimize the number of false positives. As you monitor the amount of spam and false positives, you can increase the aggressiveness of the settings based on the type of spam and spam attacks that your organization experiences.
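The two practices above, rejecting early and monitoring before tightening, can be checked from the shell. The script below is an added example written for this module rather than Microsoft's own code: it audits the configuration for agents that stamp where they should reject, then summarizes a week of agent log activity to show how much is stopped by the cheap early agents versus the Content Filter agent. The agent names and action strings it matches on, the seven-day window, and the partner domain used to illustrate a false-positive bypass are assumptions you should adjust to your environment.

```powershell
# Added example: audit "reject early" settings and summarize anti-spam agent activity.

function Test-RejectEarlyConfig {
    # Returns a list of findings; an empty list means the early agents reject rather than stamp.
    $findings = @()
    $sf = Get-SenderFilterConfig
    if ($sf.Enabled -and $sf.Action -ne 'Reject') {
        $findings += "Sender Filter agent action is '$($sf.Action)'; blocked senders should be rejected."
    }
    $rf = Get-RecipientFilterConfig
    if ($rf.Enabled -and -not $rf.RecipientValidationEnabled) {
        $findings += 'Recipient validation is off; mail to nonexistent recipients is accepted and processed.'
    }
    $cf = Get-ContentFilterConfig
    if ($cf.SCLRejectEnabled -and $cf.SCLDeleteEnabled -and $cf.SCLDeleteThreshold -le $cf.SCLRejectThreshold) {
        $findings += 'SCL delete threshold is not above the reject threshold; the delete action can never fire.'
    }
    if ($cf.SCLQuarantineEnabled -and $cf.SCLQuarantineThreshold -ge $cf.SCLRejectThreshold) {
        $findings += 'SCL quarantine threshold is not below the reject threshold; quarantine is unreachable.'
    }
    return $findings
}

function Get-AgentActivitySummary {
    param([int]$Days = 7)   # assumption: a week is enough to see trends without flooding the console
    $end = Get-Date
    $entries = Get-AgentLog -StartDate $end.AddDays(-$Days) -EndDate $end

    # Count every (agent, action) pair; this is the raw effectiveness picture.
    $byAgent = $entries | Group-Object Agent, Action | Sort-Object Count -Descending

    # Assumption: the agent log names agents as below; adjust if your log shows different strings.
    $earlyAgents = 'Connection Filtering Agent', 'Recipient Filter Agent', 'Sender Filter Agent'
    $earlyRejects   = @($entries | Where-Object { $earlyAgents -contains $_.Agent -and $_.Action -like 'Reject*' }).Count
    $contentActions = @($entries | Where-Object { $_.Agent -eq 'Content Filter Agent' -and $_.Action -ne 'StampMessage' }).Count

    [pscustomobject]@{
        Days                 = $Days
        TotalEntries         = @($entries).Count
        EarlyRejects         = $earlyRejects
        ContentFilterActions = $contentActions
        ByAgentAndAction     = $byAgent
    }
}

$audit = Test-RejectEarlyConfig
if ($audit.Count -eq 0) { 'Early agents are configured to reject.' } else { $audit }

$summary = Get-AgentActivitySummary -Days 7
"Last $($summary.Days) days: $($summary.EarlyRejects) early rejections, " +
"$($summary.ContentFilterActions) content filter actions, $($summary.TotalEntries) agent log entries."
$summary.ByAgentAndAction | Format-Table Count, Name -AutoSize

# The Exchange Scripts folder ships reporting scripts that consume Get-AgentLog output, for example
# the SCL histogram, which shows where the bulk of scored mail sits relative to your thresholds.
Get-AgentLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    & "$env:ExchangeInstallPath\Scripts\Get-AntispamSCLHistogram.ps1"

# Tuning for a confirmed false positive: exempt the sender domain from content filtering
# rather than loosening the thresholds for everyone (placeholder partner domain).
Set-ContentFilterConfig -BypassedSenderDomains @{Add = 'partner.example'}
```

Run the audit first; a finding such as a Sender Filter action of StampStatus means a message you already decided to block is still consuming Sender ID and Content Filter processing. Use the histogram and the per-agent counts to decide whether raising aggressiveness is warranted, and prefer a targeted bypass over lower thresholds when a legitimate sender is being quarantined.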

Knowledge check


1. Which anti-spam agent assigns a spam confidence level (SCL) to each message based on data from both legitimate messages and spam messages?