

Can Junk Email options for all Exchange users be set with a PowerShell command?

Posted on 2015-02-20
Medium Priority
Last Modified: 2015-03-01
Content Filtering is enabled on our Exchange Server.  9 - Delete Message, 8 - Reject Message, 5 - Quarantine Message.

With an SCL of 5 set for "Quarantine", our Exchange Server is catching an extraordinary number of email messages.  By examining these quarantined emails, I can tell that many valid emails are also being quarantined.  Ultimately, I'd like to have the end user have the option of examining an email and letting me (domain admin) know if he/she believes the email to be from a trusted sender.  I could then run blacklist checks, etc. on the IP address of the sending server and decide whether to White List that sender or not.

I'd like to pass along those questionable emails to the end user's Outlook mailbox.  Rather than fill up their INBOX, I'd rather send them initially to the JUNK folder.

Is there a way to use the "Set-Mailbox" cmdlet to make this happen for all end users in our domain at once - over 500 domain users?

I'd like to use a command that would redirect every email with an SCL of 5 or more to the end user's JUNK folder.

For the Exchange Server Content Filtering setting, I'm assuming I'd have to reset the Quarantine SCL to 6.

Please advise.
Question by:baleman2

Expert Comment

by:Viral Rathod
ID: 40622855
The gateway actions – delete, reject and quarantine – can be thought of as message transport actions and thus applicable to transport server roles – the Edge Transport server and/or the Hub Transport server (if you have antispam agents enabled on the Hub). Moving messages to users’ Junk Mail folders can be thought of as something that happens at the Store, performed by the Mailbox Server role.

SCLJunkThreshold and Edge Transport servers

Another aspect to consider when setting the SCLJunkThreshold – if you’re in a topology with an Edge Transport server, the SCLJunkThreshold configured on an Edge Transport server doesn’t impact anything. You must have the SCLJunkThreshold configured on your Exchange Org. The Edge Transport server is not a part of it.

This is an improvement over IMF, which had only one gateway action (and one corresponding gateway threshold). The Content Filter agent allows the flexibility of enabling all three actions on the gateway. The rule is: SCLDeleteThreshold > SCLRejectThreshold > SCLQuarantineThreshold.

To get a list of all three SCL values and whether each action is enabled or not, use the following command:

get-ContentFilterConfig | Select SCL*

So where’s the equivalent of IMF’s Store threshold, used to move messages to users’ Junk Mail folder?
It’s called SCLJunkThreshold and it’s configured in the Organization configuration. It can be set using the Set-OrganizationConfig command:

set-OrganizationConfig -SCLJunkThreshold 5

How the Junk Mail threshold is calculated?

Unlike the transport actions of deleting, rejecting, and quarantining messages, which check for SCL equal to or higher than their respective thresholds, for moving messages to Junk Mail folder the Store checks for SCLs higher than the SCLJunkThreshold. This is consistent with the behavior of IMF in Exchange Server 2003 (as mentioned in IMF Confusion – Store threshold rating text in UI).

If you want to disable rejection of messages with SCL of 7 or above, use the following command:

Set-ContentFilterConfig -SCLRejectEnabled:$false
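
The threshold rules from the comment above, modelled as an added example (not part of the original post and not Microsoft's code). `Get-SclDisposition`, `Test-SclThresholdOrder` and the `$config` hashtable are hypothetical names, and the threshold values are constructed samples matching the ones quoted in this thread.

```powershell
# Added example, not from the original thread. Function names are hypothetical.
function Get-SclDisposition {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(0, 9)][int]$Scl,
        [Parameter(Mandatory = $true)][hashtable]$Config
    )
    # Transport actions apply when the action is enabled and the SCL is equal to
    # or higher than its threshold. The most severe action is checked first.
    foreach ($action in 'Delete', 'Reject', 'Quarantine') {
        $enabled   = $Config["SCL${action}Enabled"]
        $threshold = $Config["SCL${action}Threshold"]
        if ($enabled -and $Scl -ge $threshold) { return $action }
    }
    # The Store moves a message to Junk only when its SCL is higher than
    # SCLJunkThreshold, so a message exactly at the threshold stays in the Inbox.
    if ($Scl -gt $Config['SCLJunkThreshold']) { return 'Junk' }
    return 'Inbox'
}

function Test-SclThresholdOrder {
    param([Parameter(Mandatory = $true)][hashtable]$Config)
    # Ordering rule: SCLDeleteThreshold > SCLRejectThreshold > SCLQuarantineThreshold.
    return ($Config['SCLDeleteThreshold'] -gt $Config['SCLRejectThreshold']) -and
           ($Config['SCLRejectThreshold'] -gt $Config['SCLQuarantineThreshold'])
}

# Constructed sample values. On a real server they would be read from
# Get-ContentFilterConfig and Get-OrganizationConfig instead.
$config = @{
    SCLDeleteEnabled     = $true; SCLDeleteThreshold     = 9
    SCLRejectEnabled     = $true; SCLRejectThreshold     = 8
    SCLQuarantineEnabled = $true; SCLQuarantineThreshold = 7
    SCLJunkThreshold     = 5
}

if (-not (Test-SclThresholdOrder -Config $config)) {
    Write-Warning 'Gateway thresholds are not in Delete > Reject > Quarantine order.'
}
# List the disposition for every possible SCL value under this configuration.
foreach ($scl in 0..9) {
    '{0}  {1}' -f $scl, (Get-SclDisposition -Scl $scl -Config $config)
}
```
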

Accepted Solution

Viral Rathod earned 2000 total points
ID: 40622864
To change the SCL level in the organization use PowerShell:

Set-OrganizationConfig -SCLJunkThreshold n

The default is a level of 4. Valid ranges are from 0 to 9. The lower the number the more likely you'll get false positives. So if you're finding legitimate mail ending up in the Junk Mail folder with Exchange 2010, try to increase the value to something like 7 or 8.

Author Comment

ID: 40623034
Let me give you both a bit more information concerning our Anti-Virus and Anti-Spam protection for our domain.  Neither of you may be Firewall technicians, but I believe the following will help you to help me make a better decision.

At the front of our domain is a Fortigate hardware firewall.  Part of its settings involve scanning emails and ALL emails (internal and external) must pass through this firewall before reaching our Exchange server.  Our company subscribes to Fortigate's FortiGuard service which is their version of Anti-Virus and Anti-Spam subscriptions - updated automatically several times a day.  By using other settings in the firewall (IP Address Check, HELO DNS Lookup, Black/White List Check, Email Checksum Check, Detect Phishing URL's Check) ALL emails are subjected to examination by the Fortigate and determined to be "safe" or not.  No SCL is assigned by the Fortigate.  However, if an email is determined to have a problem, it is "tagged" by the Fortigate and a message (Do Not Open!) is added to the Subject Line of the email.  I do have the ability to "DISCARD" rather than "TAG" the email at the firewall.  But, because of the possibility of "false positive" detections, I prefer to allow the email to pass along to the end user so they have the opportunity to examine the email.  Otherwise, I'm sure there would be valid email from trusted senders that would never reach the end user.

The Fortigate then passes the email along to our Exchange Server.  It is at this point that the email undergoes another examination by the Transport rules established by me.

We have no Edge Server.  The Exchange Server serves as a Hub Transport Server.  Outlook 2007 is installed on this server and the account name is QUARANTINE.  I use this so that all contaminated emails (as detected by the Exchange Server) can be redirected to this account.

The Transport Rule I've created is called SPAM_DELETION.  The rule states that if the words "Do not Open!" (just added by the Fortigate Firewall) are detected in the Subject Line of the email, redirect the email to the QUARANTINE account.  

I've used the PowerShell Command Line Interface to enable Content Filtering.  Once enabled, I have also enabled:  
IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers (with 5 selections), Recipient Filtering, Sender Filtering, Sender ID, and Sender Reputation.

For those emails that were not "tagged" by the Fortigate, I'm assuming they're undergoing examination based on the items I enabled above under Content Filtering.  The "Actions" tab under Content Filtering has the following settings:
SCL 9 = Deletion, SCL 8 = Rejection, SCL 7 =  Quarantine . . . with the "Quarantine mailbox Email Address" being QUARANTINE@xxxxxxxxxxxx.com (the same account residing on the Exchange Server that catches all the emails that are redirected by the Transport Rule above.)  The SCL = 7 setting is used because of the possibility of "false positive" detections.  I prefer to allow the email to pass along to the end user so they have the opportunity to examine the email.  Otherwise, I'm sure there would be valid email from trusted senders that would never reach the end user.

Our domain has over 500 end users.  Each has an email account.  With the settings in place as described, the QUARANTINE mailbox fills with thousands of emails every day.  Even so, 20 to 30 unwanted emails (along with valid emails) a day still make it through to the INBOX of our end users.  I would assume these emails have an SCL of "less" than 7, based on the settings in the previous paragraph.  If I could "Set-Mailbox" for the end user to redirect emails with an SCL = 5, then many of the emails that are still being delivered to their INBOX would go to their JUNK folder.  These could then be examined at the end user's leisure to determine if they are indeed "junk" or are "false positives".  If "trusted" senders are seen in the JUNK folder, I would be notified to take further action - possibly adding that sender to our White List.

Sorry - I've expanded my question to include your thoughts on my security setup.

Author Comment

ID: 40624611
To Viral Rathod:

I used your command, Set-OrganizationConfig -SCLJunkThreshold 5.
I used the command, Get-OrganizationConfig | Select SCLJunkThreshold
     to test that the setting was there.  It was.  

Given my Quarantine setting is SCL = 7, I would assume that ALL emails that have an SCL rating less than 7 would get passed along to the end user.  Your command would further filter the email to the JUNK folder.  That is, if the email has an SCL =5 rating, that email should be delivered to the end user's JUNK folder rather than the INBOX.

I've included a screenshot (Message_Options) of my own Outlook account screen after receiving what I believe to be spam.  Note that on the left side of the screen, there are no emails in my JUNK email folder.  Instead you can see that the email was delivered to my INBOX.  On the right side of the screen, is the popup produced after a Right-Click on the message itself and selection of the "Message Options" line item.  I've scrolled down so you can see the line item labeled, "X-MS-Exchange-Organization-SCL: 5".

Shouldn't this email have automatically been delivered to the JUNK folder?

Other considerations:
The email address of the "sending" server is:  I ran a "BlackList" check (see the attached screenshot labeled "BlackList") and this "sending" server is indeed blacklisted by several IP BlackList Providers.  

Given my description above of my Fortigate hardware firewall settings (one of which is an IP Address check), this email made its way past the Fortigate without getting tagged.  This would have allowed it past my "Transport Rule".  Then, Content Filtering would have made its check against the IP Block List Providers that I have enabled.  Since I wasn't using any of the IP Block List Providers as shown in the screenshot, the email passed that test.  

So, it has not been given an SCL of 7, 8, or 9 - which would have kept it from being delivered to the end user's mailbox.  

However, it was given an SCL = 5 rating.  Even though it wouldn't have been Deleted, Rejected, or Quarantined (which meant that it would be delivered to the end user), shouldn't this email have gone to the end user's JUNK folder?
