Tales from Tech Support: Part 7 – ORF and SCL scoring

We are often asked if ORF could redirect blacklisted emails to the Junk folder of users for further review instead of rejecting them. The answer is yes, it is possible: a guide for Exchange 2003 is already available. For instructions on Exchange 2007, please read on.

On Exchange 2003, we use the Custom Weighting Feature (CWF) of Intelligent Message Filtering (IMF) to increase the Spam Confident Level (SCL) score of the email if ORF tags it. (I wish I could put more three-letter abbreviations into this sentence, but I ran out :) On Exchange 2007, however, thing are much easier, since we can create a simple Transport Rule to achieve the same thing in a few steps:

I. Settings in Exchange

A. Using the GUI

1. Start the Exchange Manage Console
2. Expand Organization Configuration > Hub Transport and select the Transport Rules tab
2. Click on New Transport Rule in the Action pane
3. Name the rule (e.g. “SCL of ORF-tagged emails”). You can add a comment as well.
4. In the Conditions page, select the condition to trigger this rule: “When the subject field contains specific words”
5. Set the “specific word” to [SPAM] (the tag we will use in ORF)
6. In the Actions page, select the action “Set the spam confidence level to value”
7. In the rule description, click on the 0 link and add a value that’s above your SCLJunkThreshold, e.g. 9, and click Next
8. On the Exceptions page, click Next again
9. Click New, then click Finish.

B. Command line

If you prefer command line, issue the following commands instead of using the GUI:

$condition = Get-TransportRulePredicate SubjectContains
$condition.words = @(“[SPAM]”)
$action = Get-TransportRuleAction SetSCL
$action.SCLValue = 9
new-TransportRule “Stamp SCL” -condition @($condition) -action @($action)

II. Settings in ORF

1. Start the ORF Administration Tool
2. Expand Configuration / Tests / Tests in the left navigation pane
3. Assign all tests possible to On Arrival
4. Expand Configuration / Filtering – On Arrival / Actions
5. Click the Actions button and select “Accept email and perform further actions”
6. Check “Tag email subject with the text below” and enter [SPAM]
7. Click OK and save your settings by pressing Ctrl+S. (If you use an older version (pre-4.3), restarting the ORF Service is also required, so press Ctrl+U in this case)

And that’s it: ORF will tag spam, the Transport Rule will increase the SCL score of the tagged email to 9 and it will land in the Junk folder. Cool, isn’t it?

Some Things To Consider
Note that the above solution may not work if you run any other filtering software which may interfere (e.g. dropping the email before it would reach the Junk folder). Therefore, if you want ALL spam detected by ORF to be redirected, you may want to configure this other software not to drop these emails. This includes the Content Filter Agent of Exchange as well. You can disable the Delete, Reject, and Quarantine actions of CFA using the following command:

Set-ContentFilterConfig -SCLDeleteEnabled $false -SCLRejectEnabled $false -SCLQuarantineEnabled $false

2 thoughts on “Tales from Tech Support: Part 7 – ORF and SCL scoring

  1. Alan

    Nice post. Worked just great although I hate having all the junk email in my archiver. Oh well. Can you do this for just one email address?

  2. Krisztian Post author

    Sure: if you want to redirect all spam of all recipients to a single Junk folder, then you should simply configure ORF to tag with [SPAM] AND to redirect all blacklisted emails to the mailbox you want to store the Junk in. (Configuration / Filtering – On Arrival / Actions). This way, the Transport Agent rule (which redirects the tagged emails to the Junk folder) will be triggered for this single mailbox only.

    However, if you want to drop all blacklisted emails, but accept (and redirect to the Junk folder) for a single recipient address, you will need two rules in Exchange: one to drop emails tagged with [SPAM] for all recipients but one (“except the message is sent to people” exception) and one to redirect all tagged emails to the Junk folder for this specified recipient.

Leave a Reply

Your email address will not be published. Required fields are marked *

AlphaOmega Captcha Classica  –  Enter Security Code