Solved

Can Junk Email options for all Exchange users be set with a PowerShell command?

Posted on 2015-02-20
Last Modified: 2015-03-01
Content Filtering is enabled on our Exchange Server.  9 - Delete Message, 8 - Reject Message, 5 - Quarantine Message.

With an SCL of 5 set for "Quarantine", our Exchange Server is catching an extraordinary number of email messages.  By examining these quarantined emails, I can tell that many valid emails are also being quarantined.  Ultimately, I'd like to have the end user have the option of examining an email and letting me (domain admin) know if he/she believes the email to be from a trusted sender.  I could then run blacklist checks, etc. on the IP address of the sending server and decide whether to White List that sender or not.

I'd like to pass along those questionable emails to the end user's Outlook mailbox.  Rather than fill up their INBOX, I'd rather send them initially to the JUNK folder.

Is there a way to use the "Set-Mailbox" cmdlet to make this happen for all end users in our domain at once - over 500 domain users?

I'd like to use a command that would redirect every email with an SCL of 5 or more to the end user's JUNK folder.

For the Exchange Server Content Filtering setting, I'm assuming I'd have to reset the Quarantine SCL to 6.

Please advise.
Question by: baleman2
4 Comments
Expert Comment by: Viral Rathod
The gateway actions – delete, reject and quarantine – can be thought of as message transport actions and thus applicable to transport server roles – the Edge Transport server and/or the Hub Transport server (if you have antispam agents enabled on the Hub). Moving messages to users’ Junk Mail folders can be thought of as something that happens at the Store, performed by the Mailbox Server role.

SCLJunkThreshold and Edge Transport servers

Another aspect to consider when setting the SCLJunkThreshold – if you’re in a topology with an Edge Transport server, the SCLJunkThreshold configured on an Edge Transport server doesn’t impact anything. You must have the SCLJunkThreshold configured on your Exchange Org. The Edge Transport server is not a part of it.

This is an improvement over IMF, which had only one gateway action (and one corresponding gateway threshold). The Content Filter agent allows the flexibility of enabling all three actions on the gateway. The rule is: SCLDeleteThreshold > SCLRejectThreshold > SCLQuarantineThreshold.

To get a list of all three SCL values and whether each action is enabled or not, use the following command:

get-ContentFilterConfig | Select SCL*

So where’s the equivalent of IMF’s Store threshold, used to move messages to users’ Junk Mail folder?
It’s called SCLJunkThreshold and it’s configured in the Organization configuration. It can be set using the Set-OrganizationConfig command:

set-OrganizationConfig -SCLJunkThreshold 5

How is the Junk Mail threshold calculated?

Unlike the transport actions of deleting, rejecting, and quarantining messages, which check for SCL equal to or higher than their respective thresholds, for moving messages to Junk Mail folder the Store checks for SCLs higher than the SCLJunkThreshold. This is consistent with the behavior of IMF in Exchange Server 2003 (as mentioned in IMF Confusion – Store threshold rating text in UI).

If you want to disable rejection of messages with SCL of 7 or above, use the following command:

Set-ContentFilterConfig -SCLRejectEnabled:$false
Accepted Solution by: Viral Rathod (earned 500 total points)
To change the SCL level in the organization use PowerShell:

Set-OrganizationConfig -SCLJunkThreshold n

The default is a level of 4. Valid ranges are from 0 to 9. The lower the number the more likely you'll get false positives. So if you're finding legitimate mail ending up in the Junk Mail folder with Exchange 2010, try to increase the value to something like 7 or 8.
Author Comment by: baleman2
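Building on the store rule from the first comment (a message goes to Junk E-mail only when its SCL is strictly greater than SCLJunkThreshold) and the accepted answer's cmdlet, here is an added audit script, not from the thread or from Microsoft, that prints where each SCL value 0..9 ends up under the current configuration and warns when the thresholds leave no SCL band for the Junk folder. It assumes the Exchange Management Shell on Exchange 2010 with read access to the organization and content-filter configuration; the Set-OrganizationConfig line is left commented so the script only reads.

```powershell
# Added example (not from the thread): audit the SCL thresholds that decide what
# happens to a message and show the resulting disposition for every SCL value.
# Assumes the Exchange Management Shell; only reads configuration as written.

$cf  = Get-ContentFilterConfig   # SCLDelete/Reject/Quarantine thresholds + enabled flags
$org = Get-OrganizationConfig    # SCLJunkThreshold (the Store-side threshold)

# Transport actions fire when SCL >= threshold (and the action is enabled);
# the Store moves to Junk E-mail only when SCL > SCLJunkThreshold (strictly greater).
function Get-SclDisposition {
    param([int]$Scl, $Filter, [int]$JunkThreshold)
    if ($Filter.SCLDeleteEnabled     -and $Scl -ge $Filter.SCLDeleteThreshold)     { return 'Delete' }
    if ($Filter.SCLRejectEnabled     -and $Scl -ge $Filter.SCLRejectThreshold)     { return 'Reject' }
    if ($Filter.SCLQuarantineEnabled -and $Scl -ge $Filter.SCLQuarantineThreshold) { return 'Quarantine' }
    if ($Scl -gt $JunkThreshold)                                                   { return 'Junk E-mail folder' }
    return 'Inbox'
}

# Sanity checks: the gateway rule is Delete > Reject > Quarantine, and the Junk band
# is (SCLJunkThreshold, SCLQuarantineThreshold) exclusive, so it is empty when the
# junk threshold is within one of the quarantine threshold.
$ordered = ($cf.SCLDeleteThreshold -gt $cf.SCLRejectThreshold) -and
           ($cf.SCLRejectThreshold -gt $cf.SCLQuarantineThreshold)
if (-not $ordered) {
    Write-Warning 'Thresholds violate the rule SCLDelete > SCLReject > SCLQuarantine.'
}
if ($cf.SCLQuarantineEnabled -and ($org.SCLJunkThreshold -ge ($cf.SCLQuarantineThreshold - 1))) {
    Write-Warning ("SCLJunkThreshold {0} leaves no SCL value between it and the quarantine " +
                   "threshold {1}: nothing can reach the Junk folder." -f
                   $org.SCLJunkThreshold, $cf.SCLQuarantineThreshold)
}

# Disposition table for SCL 0..9 under the live settings.
0..9 | ForEach-Object {
    [pscustomobject]@{
        SCL         = $_
        Disposition = Get-SclDisposition -Scl $_ -Filter $cf -JunkThreshold $org.SCLJunkThreshold
    }
} | Format-Table -AutoSize

# Because the Store rule is "greater than", SCL 5 only reaches Junk when the threshold is 4:
# Set-OrganizationConfig -SCLJunkThreshold 4
```

With the thread's values (quarantine at SCL 7, SCLJunkThreshold 5) the table shows only SCL 6 reaching the Junk folder while SCL 5 stays in the Inbox, which matches the screenshot described later in the thread; lowering SCLJunkThreshold to 4 widens the Junk band to SCL 5 and 6.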
Let me give you both a bit more information concerning our Anti-Virus and Anti-Spam protection for our domain.  Neither of you may be Firewall technicians, but I believe the following will help you to help me make a better decision.

At the front of our domain is a Fortigate hardware firewall.  Part of its settings involve scanning emails and ALL emails (internal and external) must pass through this firewall before reaching our Exchange server.  Our company subscribes to Fortigate's FortiGuard service which is their version of Anti-Virus and Anti-Spam subscriptions - updated automatically several times a day.  By using other settings in the firewall (IP Address Check, HELO DNS Lookup, Black/White List Check, Email Checksum Check, Detect Phishing URL's Check) ALL emails are subjected to examination by the Fortigate and determined to be "safe" or not.  No SCL is assigned by the Fortigate.  However, if an email is determined to have a problem, it is "tagged" by the Fortigate and a message (Do Not Open!) is added to the Subject Line of the email.  I do have the ability to "DISCARD" rather than "TAG" the email at the firewall.  But, because of the possibility of "false positive" detections, I prefer to allow the email to pass along to the end user so they have the opportunity to examine the email.  Otherwise, I'm sure there would be valid email from trusted senders that would never reach the end user.

The Fortigate then passes the email along to our Exchange Server.  It is at this point that the email undergoes another examination by the Transport rules established by me.

We have no Edge Server.  The Exchange Server serves as a Hub Transport Server.  Outlook 2007 is installed on this server and the account name is QUARANTINE.  I use this so that all contaminated emails (as detected by the Exchange Server) can be redirected to this account.

The Transport Rule I've created is called SPAM_DELETION.  The rule states that if the words "Do not Open!" (just added by the Fortigate Firewall) are detected in the Subject Line of the email, redirect the email to the QUARANTINE account.

I've used the PowerShell Command Line Interface to enable Content Filtering.  Once enabled, I have also enabled:  
IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers (with 5 selections), Recipient Filtering, Sender Filtering, Sender ID, and Sender Reputation.

For those emails that were not "tagged" by the Fortigate, I'm assuming they're undergoing examination based on the items I enabled above under Content Filtering.  The "Actions" tab under Content Filtering has the following settings:
SCL 9 = Deletion, SCL 8 = Rejection, SCL 7 = Quarantine . . . with the "Quarantine mailbox Email Address" being QUARANTINE@xxxxxxxxxxxx.com (the same account residing on the Exchange Server that catches all the emails that are redirected by the Transport Rule above.)  The SCL = 7 setting is used because of the possibility of "false positive" detections.  I prefer to allow the email to pass along to the end user so they have the opportunity to examine the email.  Otherwise, I'm sure there would be valid email from trusted senders that would never reach the end user.

Our domain has over 500 end users.  Each has an email account.  With the settings in place as described, the QUARANTINE mailbox fills with thousands of emails every day.  Even so, 20 to 30 unwanted emails (along with valid emails) a day still make it through to the INBOX of our end users.  I would assume these emails have an SCL of "less" than 7, based on the settings in the previous paragraph.  If I could "Set-Mailbox" for the end user to redirect emails with an SCL = 5, then many of the emails that are still being delivered to their INBOX would go to their JUNK folder.  These could then be examined at the end user's leisure to determine if they are indeed "junk" or are "false positives".  If "trusted" senders are seen in the JUNK folder, I would be notified to take further action - possibly adding that sender to our White List.

Sorry - I've expanded my question to include your thoughts on my security setup.
Author Comment by: baleman2
To Viral Rathod:

I used your command, Set-OrganizationConfig -SCLJunkThreshold 5.
I used the command, Get-OrganizationConfig | Select SCLJunkThreshold to test that the setting was there.  It was.

Given my Quarantine setting is SCL = 7, I would assume that ALL emails that have an SCL rating less than 7 would get passed along to the end user.  Your command would further filter the email to the JUNK folder.  That is, if the email has an SCL = 5 rating, that email should be delivered to the end user's JUNK folder rather than the INBOX.

I've included a screenshot (Message_Options) of my own Outlook account screen after receiving what I believe to be spam.  Note that on the left side of the screen, there are no emails in my JUNK email folder.  Instead you can see that the email was delivered to my INBOX.  On the right side of the screen, is the popup produced after a Right-Click on the message itself and selection of the "Message Options" line item.  I've scrolled down so you can see the line item labeled, "X-MS-Exchange-Organization-SCL: 5".

Shouldn't this email have automatically been delivered to the JUNK folder?

Other considerations:
The email address of the "sending" server is:  46.166.189.23.  I ran a "BlackList" check (see the attached screenshot labeled "BlackList") and this "sending" server is indeed blacklisted by several IP BlackList Providers.  

Given my description above of my Fortigate hardware firewall settings (one of which is an IP Address check), this email made its way past the Fortigate without getting tagged.  This would have allowed it past my "Transport Rule".  Then, Content Filtering would have made its check against the IP Block List Providers that I have enabled.  Since I wasn't using any of the IP Block List Providers as shown in the screenshot, the email passed that test.  

So, it has not been given an SCL of 7, 8, or 9 - which would have kept it from being delivered to the end user's mailbox.

However, it was given an SCL = 5 rating.  Even though it wouldn't have been Deleted, Rejected, or Quarantined (which meant that it would be delivered to the end user), shouldn't this email have gone to the end user's JUNK folder?
Attachments: Message-Options.JPG, BlackList.JPG