Examine advanced anti-spam features


Besides the anti-spam and anti-malware filters in Exchange, messaging administrators can also configure other features, such as how to handle outbound spam, and how to quarantine and release messages or unblock users in the Microsoft Defender portal.

Outbound spam filtering

Outbound spam filtering is a feature found only in Exchange Online. It’s always enabled if you use the Exchange Online service for sending outbound email. This design protects organizations using the service and their intended recipients. Like inbound filtering, outbound spam filtering is composed of connection filtering and content filtering.

Note

Outbound filter settings aren't configurable.

When an outbound message is determined to be spam, it's routed through the higher risk delivery pool. This design reduces the probability of the normal outbound-IP pool being added to a blocklist. If a customer continues to send outbound spam through the service, they'll be blocked from sending messages. Although outbound spam filtering can't be disabled or changed, you can configure several company-wide outbound spam settings through the default outbound spam policy.

This outbound spam filter has the following options that control what the system does when it identifies a message containing outbound spam.

| Outbound spam preference | Description |
| --- | --- |
| Send a copy of all suspicious outbound email messages to the following email address or addresses. | This option enables you to specify the email address or addresses of administrators who receive copies of all suspicious outbound messages. If you specify multiple addresses, separate each address with a semicolon. |
| Send a notification to the following email address or addresses when a sender is blocked for sending outbound spam. | This option enables you to specify the email address or addresses of administrators who are notified when outbound messages identified as spam are blocked. Again, use a semicolon to separate multiple addresses. |

Note

Outbound spam filtering isn't available in Exchange Server deployments without using Exchange Online Protection (EOP).
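The two notification options above can also be set from Exchange Online PowerShell. The following is an added example, not code from the Microsoft Learn module or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account can edit anti-spam policies, and that the default policy is named Default. The mailbox addresses are constructed placeholders.

```powershell
# Added example (not part of the Microsoft Learn module): configure the two
# notification options of the default outbound spam policy in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the account
# holds a role that can edit anti-spam policies. Addresses are placeholders.
Connect-ExchangeOnline

$copyRecipients   = @('secops@fabrikam.example', 'mailadmin@fabrikam.example')
$notifyRecipients = @('secops@fabrikam.example')

# Record the current state before changing anything
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Format-List Name, BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients,
                NotifyOutboundSpam, NotifyOutboundSpamRecipients

# Option 1: send a copy of suspicious outbound messages to the listed admins
# Option 2: notify the listed admins when a sender is blocked for outbound spam
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients $copyRecipients `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients $notifyRecipients

# Verify the change; the portal shows these lists semicolon-separated
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Select-Object Name, BccSuspiciousOutboundMail, NotifyOutboundSpam,
        @{Name = 'CopyTo';   Expression = { $_.BccSuspiciousOutboundAdditionalRecipients -join ';' }},
        @{Name = 'NotifyTo'; Expression = { $_.NotifyOutboundSpamRecipients -join ';' }}
```

In PowerShell the recipient lists are passed as arrays rather than as the semicolon-separated string the portal expects; the final `Select-Object` joins them with semicolons only for display. Because the block setting and the notification go to the same place, it is worth sending both to a monitored security mailbox rather than an individual admin, so that a blocked sender is noticed even when one person is away.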

Quarantine

An organization can set its content policy to direct spam messages into quarantine. If the organization then receives a message that's classified as spam, the message will end up in the quarantine area. Messages from transport rule matches can also end up in quarantine.

The quarantine feature is limited in Exchange Server deployments. In Exchange Server, you can define only a single mailbox as the quarantine mailbox, and that mailbox is accessible only to messaging administrators through the Microsoft Outlook client.
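The on-premises quarantine mailbox is configured on the Content Filter agent. The following is an added example and not code from the module; it assumes the anti-spam agents are installed on the Exchange Server and that the commands run in the Exchange Management Shell. The quarantine mailbox address and the SCL thresholds are constructed values.

```powershell
# Added example (not from the Microsoft Learn module): point the Exchange Server
# Content Filter agent at a single quarantine mailbox. Run in the Exchange
# Management Shell on a server where the anti-spam agents are installed.
# The mailbox address and thresholds are constructed values.
$quarantineMailbox = 'spamquarantine@fabrikam.example'

# The quarantine mailbox must already exist; fail early if it does not
if (-not (Get-Mailbox -Identity $quarantineMailbox -ErrorAction SilentlyContinue)) {
    throw "Quarantine mailbox $quarantineMailbox does not exist; create it first."
}

# The agent evaluates delete, then reject, then quarantine, so the thresholds
# must descend: SCL 9 is deleted, SCL 8 is rejected, SCL 7 is quarantined.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -QuarantineMailbox $quarantineMailbox

# Verify the resulting configuration
Get-ContentFilterConfig |
    Format-List Enabled, QuarantineMailbox, SCLQuarantineEnabled, SCLQuarantineThreshold,
                SCLRejectEnabled, SCLRejectThreshold, SCLDeleteEnabled, SCLDeleteThreshold
```

Messages land in the quarantine mailbox wrapped as non-delivery reports, so the administrator reviewing them in Outlook resends the original from the report when it turns out to be legitimate; there is no per-user release as there is in Exchange Online.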

In contrast, messages that are quarantined in Exchange Online can be released by messaging administrators, and by users who received a spam message that has been quarantined. The spam quarantine can be accessed through the Review page in the Microsoft Defender portal.

Messages that are quarantined because of a transport rule match aren't shown in the end-user spam quarantine; only spam-quarantined messages are listed there. A messaging administrator or an end user can then inspect the messages before choosing one of the following options:

  • Release the messages to continue on to their original addresses.
  • Mark them as false positives and release them to their original addresses.
  • Leave the messages in quarantine until they expire.

Note

With the first two options, you can release the message to all recipients or just to selected recipients. However, if you release the message to one recipient and then later release it to all recipients, the first recipient won't receive the message a second time.

To assist with managing quarantined messages, there's also an advanced search function that enables you to filter messages based on the following criteria:

  • Message ID
  • Sender email address
  • Recipient email address
  • Subject
  • Received (by day)
  • Expires (by day)
  • Type (Spam, Transport rule, Bulk, or Phish)

Note

False positive reports won't be processed if the message was quarantined because of an advanced spam filter option, or if it was quarantined because of a transport rule match.
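The search criteria and release options above map directly onto the Exchange Online quarantine cmdlets. The following is an added example, not code from the module or from Microsoft; it assumes an Exchange Online PowerShell session and uses constructed sender and recipient addresses.

```powershell
# Added example (not from the Microsoft Learn module): search the Exchange
# Online quarantine with the same criteria the Defender portal exposes, then
# release a message to selected recipients or to everyone, optionally
# reporting it as a false positive. Addresses are constructed values.
Connect-ExchangeOnline

$since = (Get-Date).AddDays(-7)
$until = Get-Date

# Mirror the portal search: type, sender, recipient and received window
$hits = Get-QuarantineMessage -QuarantineTypes Spam `
    -SenderAddress 'newsletter@sender.example' `
    -RecipientAddress 'holly.spencer@fabrikam.example' `
    -StartReceivedDate $since -EndReceivedDate $until

$hits | Format-Table ReceivedTime, Expires, SenderAddress, Subject, Type, Identity -AutoSize

if (-not $hits) {
    Write-Warning 'No matching spam-quarantined messages.'
    return
}

# Inspect before releasing: the header cmdlet returns only the SMTP headers,
# which is enough to check the sending path without opening the body
$msg = $hits | Select-Object -First 1
Get-QuarantineMessageHeader -Identity $msg.Identity

# Option a) release to one recipient only
Release-QuarantineMessage -Identity $msg.Identity -User 'holly.spencer@fabrikam.example'

# Option b) later, release to all original recipients and report a false
# positive; the recipient released in a) does not get a second copy.
# ReportFalsePositive is accepted only for spam-quarantined messages, which
# matches the note above about transport-rule quarantines.
Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -ReportFalsePositive
```

Leaving a message in quarantine (the third option in the list above) needs no command: it simply expires at the `Expires` time shown in the table. Scripting the search this way is also the easiest way to check, during an incident, whether a suspicious sender ever reached a mailbox or was held at the quarantine.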

Unblock users

If a user continuously sends email messages from Exchange Online that are classified as spam, the user will be blocked from sending any more messages. The user will also be listed in the service as a bad outbound sender, and they'll receive a Non-Delivery Report (NDR) that states:

Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam, and it's no longer allowed to send messages outside of your organization. Contact your email admin for assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender'.

Messaging administrators can configure their outbound spam policy settings so that they receive a notification when an Exchange Online user is blocked from sending email. After the problem with the user's mailbox is resolved, the messaging admin can remove the block on that sender through the Microsoft Defender portal.

Note

There's a limit to the number of times that an account can be unblocked by the messaging administrator. If the limit for a user has been exceeded, an error message appears. At that point, the messaging admin must contact Microsoft Support to unblock the user. It may take up to 1 hour before the user is unblocked.
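Unblocking a restricted sender can also be done from Exchange Online PowerShell, which is convenient when the notification from the outbound spam policy arrives outside the portal. The following is an added example, not code from the module or from Microsoft; it assumes an Exchange Online PowerShell session and uses a constructed user address.

```powershell
# Added example (not from the Microsoft Learn module): list Exchange Online
# senders restricted for outbound spam and remove the block for one of them
# once the mailbox has been remediated. The address is a constructed value.
Connect-ExchangeOnline

$user = 'holly.spencer@fabrikam.example'

# Every sender currently listed as a bad outbound sender; these are the
# accounts whose mail fails with "550 5.1.8 Access denied, bad outbound sender"
$blocked = Get-BlockedSenderAddress
$blocked | Format-Table SenderAddress, Reason, CreatedDatetime -AutoSize

$entry = $blocked | Where-Object { $_.SenderAddress -eq $user }
if (-not $entry) {
    Write-Host "$user is not on the restricted senders list; nothing to unblock."
    return
}

# Unblock only after the cause (compromised credentials, malware, a runaway
# script) has been dealt with; otherwise the account is restricted again and
# one of the limited unblock attempts is spent for nothing.
Remove-BlockedSenderAddress -SenderAddress $user

# Re-list for the record. The service can take up to an hour to lift the
# block, so the entry may still be visible immediately after removal.
Get-BlockedSenderAddress | Where-Object { $_.SenderAddress -eq $user } |
    Format-Table SenderAddress, Reason, CreatedDatetime -AutoSize
```

If `Remove-BlockedSenderAddress` fails because the unblock limit for that account has been reached, the remaining route is the Microsoft Support case described in the note above; the remediation steps before unblocking (reset credentials, revoke sessions, remove mailbox forwarding rules) do not change.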

Best practices for deploying an anti-spam solution

Anti-spam protection requires ongoing monitoring of the anti-spam solution reports. Messaging administrators must evaluate anti-spam settings and adjust the configuration according to current Internet spam threats and user feedback. For example, an organization's users may complain that they receive more than five spam messages per day. This scenario indicates that the anti-spam configuration should be tightened with additional settings.

When configuring anti-spam settings, consider the following best practices:

  • Update anti-spam definitions. Anti-spam software uses definitions to scan email for content that is likely to be spam. However, spam senders continuously try new techniques to hide spam content from anti-spam software filters. As such, anti-spam software vendors must remain diligent in updating their anti-spam definitions, and organizations should regularly update their anti-spam definitions to stay abreast of the latest changes from their vendors.

  • Monitor anti-spam reports. Messaging administrators should regularly monitor anti-spam software reports to evaluate the total number of messages received from the Internet, the number of messages blocked as spam, and the number of messages quarantined.

  • Regularly read about the latest Internet security and spam threats. Messaging administrators and security administrators should regularly update their knowledge of the latest security, spam, and malware threats. Anti-spam settings should be reconfigured according to the latest best practices and recommendations.

  • Regularly evaluate end users' feedback. User feedback about the number of spam messages received per day or week, and the number of spam messages quarantined per day or week, is critical when evaluating the effectiveness of your anti-spam solution. Messaging administrators should regularly evaluate end users' feedback on their everyday experience, and then reconfigure the solution, if necessary, to provide better protection. For example, if users complain about an excessive number of spam messages each day, the organization's anti-spam policies are probably not aggressive enough. Conversely, if users report that they no longer receive email from business partners, the organization's anti-spam software should probably be reconfigured with less aggressive protection settings.

  • Use multi-layered anti-spam protection. As a best practice, spam should be stopped before it enters an organization's internal network. There are multiple methods an organization can deploy to address this issue, including:

    • Deploy the Edge Transport role in the organization's perimeter network, outside of the organization's internal Active Directory forest.
    • Deploy hybrid anti-spam protection by using both cloud-based Exchange Online Protection and the on-premises Exchange Server anti-spam features.
    • Deploy an SMTP gateway with anti-spam functionality that's in the perimeter network, along with the anti-spam features in an Exchange Server on-premises deployment.
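The "Monitor anti-spam reports" practice above is easy to script against the Exchange Online mail traffic reports. The following is an added example, not code from the module or from Microsoft; it assumes an Exchange Online PowerShell session and that `Get-MailTrafficATPReport` returns rows with `EventType` and `MessageCount` fields and `Get-MailTrafficSummaryReport` returns the recipient and count in its generic `C1` and `C2` columns, which are assumptions to confirm in your tenant. Dates are relative to the day the script runs.

```powershell
# Added example (not from the Microsoft Learn module): summarise the last
# 30 days of inbound mail by filtering verdict, the "total received / blocked
# as spam / quarantined" view the monitoring practice calls for. Assumes an
# Exchange Online session; field names are assumptions noted in the lead-in.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-30)

$rows = Get-MailTrafficATPReport -StartDate $start -EndDate $end -Direction Inbound

# Total inbound volume, then a breakdown per verdict (Spam, Phish, Malware,
# Good mail and so on) with the share of the total, so week-over-week drift
# in the spam share is visible at a glance
$total = ($rows | Measure-Object MessageCount -Sum).Sum
$rows | Group-Object EventType |
    Select-Object @{n = 'Verdict';  e = { $_.Name }},
                  @{n = 'Messages'; e = { ($_.Group | Measure-Object MessageCount -Sum).Sum }},
                  @{n = 'Percent';  e = {
                      $n = ($_.Group | Measure-Object MessageCount -Sum).Sum
                      if ($total) { [math]::Round(100 * $n / $total, 2) } else { 0 } }} |
    Sort-Object Messages -Descending |
    Format-Table -AutoSize

# Top recipients of spam in the same window: the list to compare with user
# complaints about receiving more than five spam messages per day
Get-MailTrafficSummaryReport -Category TopSpamRecipient -StartDate $start -EndDate $end |
    Select-Object -First 10 @{n = 'Recipient'; e = { $_.C1 }}, @{n = 'SpamMessages'; e = { $_.C2 }}
```

Running this on a schedule and keeping the per-verdict percentages gives the baseline against which a sudden change (a jump in spam share, or a drop that coincides with partners reporting lost mail) can be judged before anyone tightens or loosens the filter.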

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

Fabrikam has an Exchange Server 2019 deployment. As Fabrikam's Messaging administrator, Holly Spencer wants to implement outbound spam filtering. What must Holly do to provide outbound spam filtering in Fabrikam's Exchange Server deployment?