Blocking email spam with the Office 365 spam filter (for administrators)

 

This article is intended for Office 365 administrators.


An Exchange Online or Exchange Online Protection (EOP) administrator can help to ensure spam and junk messages are blocked by adjusting your Office 365 spam filter. This helps to prevent the false negative issue, where email spam is allowed through to a user inbox.

An administrator can use several Office 365 spam filter settings to help prevent email spam from being sent to a user inbox. The Office 365 spam filter will become better able to block email spam and prevent false negative messages if you use the options listed here. In this context, a false negative refers to email spam or junk messages that are getting sent to a user inbox.

This article describes the steps an administrator takes to adjust the Office 365 anti-spam filter and help prevent spam from being delivered to users' inboxes. It contains the following sections:

 

Blocking IP addresses with a connection filter

Customise your Office 365 spam filter by adding the sender IP address to the connection filter IP block list. To do this, proceed as follows.

  1. Obtain the headers for the message you want to block in your mail client, such as Outlook, or Outlook on the web (previously known as Outlook Web App, or OWA).
  2. Search for the IP address following the CIP tag in the X-Forefront-Antispam-Report header using Microsoft's message header analyzer, or manually.
  3. Create an IP Block list, and then add the IP address to the IP Block list as follows.
    1. In the Exchange admin center (EAC), navigate to Protection > Connection filter, and then double-click the default policy.
    2. Click the Connection filtering menu item.
    3. Click Add.
    4. In the subsequent dialog box, specify the IP address or address range to be blocked.
    5. Click OK.
    6. Repeat sub-steps 3 to 5 to add additional addresses as required. (You can also edit or remove IP addresses after they have been added.)
    7. Optionally, select the Enable safe list check box to prevent missing email from certain well-known senders.

Note:
Microsoft subscribes to third-party sources of trusted senders. Using this safe list means that these trusted senders aren't mistakenly marked as spam. We recommend selecting this option because it should reduce the number of false positives (good mail that's classified as spam) you receive.

  4. Click Save.

A summary of your default policy settings appears in the right pane.
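
Step 2 done by script, as an added example that is not part of the original article: it pulls the CIP value out of the X-Forefront-Antispam-Report header and refuses internal addresses before they reach the IP Block list. The sample headers, the other tags in them, and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Internal / non-routable ranges that should never be added to a block list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_antispam_report(value):
    """Split 'TAG:value;TAG:value;' into a dict, tolerating folded lines."""
    value = re.sub(r"\s*\n\s*", "", value)  # undo header folding
    fields = {}
    for part in value.split(";"):
        # Split on the first colon only: IPv6 values contain colons themselves.
        tag, sep, val = part.strip().partition(":")
        if sep:
            fields[tag.upper()] = val.strip()
    return fields


def connecting_ip(raw_headers):
    """Return the CIP address from a message's headers, or raise ValueError."""
    report = message_from_string(raw_headers).get("X-Forefront-Antispam-Report")
    if report is None:
        raise ValueError("no X-Forefront-Antispam-Report header")
    cip = parse_antispam_report(report).get("CIP")
    if not cip:
        raise ValueError("header has no CIP tag")
    addr = ipaddress.ip_address(cip)  # ValueError if not a valid IP address
    if any(addr in net for net in INTERNAL_NETS):
        raise ValueError(f"{addr} is an internal address; do not block it")
    return addr


# Constructed sample headers (documentation address range, not real mail).
SAMPLE = (
    "Received: from mail.example.net (203.0.113.25) by mx.example.com\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:5;SRV:;\n"
    " IPV:NLI;SFV:SPM;PTR:mail.example.net;CAT:SPM;DIR:INB;\n"
    "Subject: Weekly deals\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print("Candidate for the IP Block list:", connecting_ip(SAMPLE))
```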

 

Blocking bulk mail with transport rules

If the spam is primarily bulk mail, for example, newsletters or promotions, then you can customise the spam filter in Office 365 to block the bulk mail. The administrator may do this by using transport rules to aggressively filter bulk email messages.

The following procedures mark an email message as spam for your entire organisation. Transport rules may filter bulk email messages based on text patterns, or on phrases. The following paragraphs describe how to set up both types of filtering.

Note:
You can add another condition to apply transport rules only to specific recipients in your organisation. This way, the aggressive bulk email filtering settings can apply to a few users who are highly targeted, while the rest of your users (who mostly get the bulk email they signed up for) aren't impacted.

Creating an Exchange Transport rule to filter bulk email messages based on text patterns
To create an Exchange Transport rule to filter bulk email messages based on text patterns, proceed as follows.

  1. In the Exchange admin center (EAC), go to Mail flow > Rules.
  2. Click Add and then select Create a new rule.
  3. Specify a name for the rule.
  4. Click More options, then under Apply this rule if, select The subject or body > subject or body matches these text patterns.
  5. In the specify words or phrases dialog box, add the following regular expressions commonly found in bulk emails, one at a time:
  • If you are unable to view the content of this email\, please
  • \>(safe )?unsubscribe( here)?\</a\>
  • If you do not wish to receive further communications like this\, please
  • \<img height\="?1"? width\="?1"? src\=.?http\://
  • To stop receiving these\s+emails\:http\://
  • To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)
  • no longer (wish )?(to )?(be sent|receive) \w+ email
  • If you are unable to view the content of this email\, please click here
  • To ensure you receive (your daily deals|our e-?mails)\, add
  • If you no longer wish to receive these emails
  • to change your (subscription preferences|preferences or unsubscribe)
  • click (here to|the) unsubscribe
  6. When you have finished adding words and phrases, click OK.

Note:
The above list isn't an exhaustive set of regular expressions found in bulk emails; more can be added or removed as needed. However, it's a good starting point.

  7. Under Do the following, select Modify the message properties > set the spam confidence level (SCL).
  8. In the specify SCL dialog box, set the SCL to 5, 6, or 9.

Note:
Setting the SCL to 5 or 6 takes the Spam action, while setting the SCL to 9 takes the High confidence spam action, as configured in the content filter policy. The service will perform the action set in the content filter policy. The default action is to deliver the message to the recipients' Junk Email folder, but different actions can be configured as required.

  9. Click OK.

Note:
If your configured action is to quarantine the message rather than send it to the recipients' Junk Email folder, the message will be sent to the administrator quarantine as a transport rule match, and it will not be available in the end user spam quarantine or via end-user spam notifications.

  10. Click Save to save the rule.
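
Before the rule sets an SCL for the whole organisation, the listed patterns can be dry-run against sample mail to see which ones hit and whether the recipient condition from the earlier note would contain a false positive. This is an added example, not part of the original article; the sample messages and function names are constructed, and it assumes case-insensitive matching and that Python's `re` is close enough to the service's regex engine for these patterns.

```python
import re

# The twelve text patterns from step 5 of the procedure, copied verbatim.
BULK_PATTERNS = [
    r'If you are unable to view the content of this email\, please',
    r'\>(safe )?unsubscribe( here)?\</a\>',
    r'If you do not wish to receive further communications like this\, please',
    r'\<img height\="?1"? width\="?1"? src\=.?http\://',
    r'To stop receiving these\s+emails\:http\://',
    r'To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)',
    r'no longer (wish )?(to )?(be sent|receive) \w+ email',
    r'If you are unable to view the content of this email\, please click here',
    r'To ensure you receive (your daily deals|our e-?mails)\, add',
    r'If you no longer wish to receive these emails',
    r'to change your (subscription preferences|preferences or unsubscribe)',
    r'click (here to|the) unsubscribe',
]
# Assumption: the rule matches case-insensitively (see lead-in).
COMPILED = [re.compile(p, re.IGNORECASE) for p in BULK_PATTERNS]

# Constructed sample messages (not real mail).
SAMPLES = {
    "newsletter": {"to": "targeted@example.com", "subject": "Weekly deals inside",
                   "body": 'Big savings! <a href="https://news.example.com/u">unsubscribe here</a> '
                           "If you no longer wish to receive these emails, click here to unsubscribe."},
    "helpdesk": {"to": "sam@example.com", "subject": "Re: billing alerts",
                 "body": "Hi Sam, to change your subscription preferences for billing alerts, "
                         "open Settings."},
    "plain": {"to": "sam@example.com", "subject": "Q3 report",
              "body": "Hi Sam, the Q3 report is attached. Let me know if you have questions."},
}


def matching_patterns(subject, body):
    """Return the listed patterns that hit the subject or the body."""
    return [p.pattern for p in COMPILED if p.search(subject) or p.search(body)]


def rule_would_fire(msg, scoped_recipients=None):
    """Model the rule: optional recipient condition AND any pattern match."""
    if scoped_recipients is not None and msg["to"].lower() not in scoped_recipients:
        return False
    return bool(matching_patterns(msg["subject"], msg["body"]))


def dry_run(samples, scoped_recipients=None):
    """Map each sample name to whether the rule would set the SCL on it."""
    return {name: rule_would_fire(m, scoped_recipients) for name, m in samples.items()}


if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(name, matching_patterns(m["subject"], m["body"]))
```

The constructed helpdesk reply is ordinary business mail that still matches one pattern; with the rule scoped to the targeted recipient only, it is no longer marked.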

Creating an Exchange Transport rule to filter bulk email messages based on phrases
To create an Exchange Transport rule to filter bulk email messages based on phrases, proceed as follows.

  1. In the EAC, go to Mail flow > Rules.
  2. Click Add, and then select Create a new rule.
  3. Specify a name for the rule.
  4. Click More options, then under Apply this rule if, select The subject or body > subject or body includes any of these words.
  5. In the specify words or phrases dialog box, add the following phrases commonly found in bulk emails, one at a time:
  • to change your preferences or unsubscribe
  • Modify email preferences or unsubscribe
  • This is a promotional email
  • You are receiving this email because you requested a subscription
  • click here to unsubscribe
  • You have received this email because you are subscribed
  • If you no longer wish to receive our email newsletter
  • to unsubscribe from this newsletter
  • If you have trouble viewing this email
  • This is an advertisement
  • you would like to unsubscribe or change your
  • view this email as a webpage
  • You are receiving this email because you are subscribed
  6. When you have finished adding words and phrases, click OK.

Note:
Once again, this list isn't an exhaustive set of phrases found in bulk emails; more can be added or removed as needed. However, it's a good starting point.

  7. Under Do the following, select Modify the message properties > set the spam confidence level (SCL).
  8. In the specify SCL dialog box, set the SCL to 5, 6, or 9.

Note:
Setting the SCL to 5 or 6 takes the Spam action, while setting the SCL to 9 takes the High confidence spam action, as configured in the content filter policy. The service will perform the action set in the content filter policy. The default action is to deliver the message to the recipients' Junk Email folder, but different actions can be configured as required.

  9. Click OK.

Note:
If your configured action is to quarantine the message rather than send it to the recipients' Junk Email folder, the message will be sent to the administrator quarantine as a transport rule match, and it will not be available in the end user spam quarantine or via end-user spam notifications.

  10. Click Save to save the rule.

 

Blocking email spam using spam filter block lists

You may configure your spam filter policies to add the sender address to the sender block list, or domain to the domain block list, in the spam filter. Emails from a sender or domain on a spam filter block list will be marked as spam.

Note:
For EOP standalone customers: By default, the EOP spam filters send spam-detected messages to each recipient's Junk Email folder. However, to ensure that the Move message to Junk Email folder action works with on-premises mailboxes, you must configure two Exchange Transport rules on your on-premises servers to detect spam headers added by EOP.

To block email spam using spam filter block lists, proceed as follows.

Note:
This is quite a lengthy procedure, and may take up to 30 minutes.

  1. In the Exchange admin center (EAC), navigate to Protection > Spam filter.
  2. On the general page, do one of the following:
    1. Double-click the default policy in order to edit this company-wide policy.
    2. Click the New icon in order to create a new custom spam-filter policy that can be applied to users, groups, and domains in your organization. You can also edit existing custom policies by double-clicking them.
  3. For custom policies only, specify a name for this policy. You can optionally specify a more detailed description as well. You cannot rename the default policy.

Note:
When creating a new policy, all configuration settings appear on a single screen, whereas when editing a policy you must navigate through different screens. The settings are the same in either case, but the rest of this procedure describes how to access these settings when editing a policy.

  4. On the spam and bulk email actions page, under Spam and High confidence spam, select the action to take for incoming spam and bulk email. By default, Move messages to Junk Email folder is selected. The other possible values are:
    1. Delete message - Deletes the entire message, including all attachments.
    2. Quarantine message - Sends the message to quarantine instead of to the intended recipients. If you select this option, in the Retain spam for (days) input box, specify the number of days during which the spam message will be quarantined. (It will automatically be deleted after the time elapses. The default value is 15 days, which is the maximum value. The minimum value is 1 day.)
    3. Move message to Junk Email folder - Sends the message to the Junk Email folder of the specified recipients. This is the default action for both confidence threshold levels.

Important:
For Exchange Online Protection (EOP) customers: In order for this action to work with on-premises mailboxes, you must configure two Exchange Transport rules on your on-premises servers to detect spam headers added by EOP.

    4. Add X-header - Sends the message to the specified recipients but adds X-header text to the message header that identifies it as spam. Using this text as an identifier, you can optionally create rules to filter or route the messages as needed. The default X-header text is: This message appears to be spam.

You can customize the X-header text using the Add this X-header text input box. If you customize the X-header text, be aware of the following:

i.  If you specify only the header in the format <header>, where there are no spaces within the <header>, then a colon will be appended to the custom text, followed by the default text. For example, if you specify "This-is-my-custom-header", then the X-header text will appear as "This-is-my-custom-header: This message appears to be spam".

ii.  If you include spaces within the custom header text, or if you add the colon yourself, such as "X This is my custom header" or "X-This-is-my-custom-header:", then the X-header text will revert to the default, "X-This-Is-Spam: This message appears to be spam."

iii.  You can't specify the header text in the format <header>:<value>. If you do this, then the values both before and after the colon will be ignored, and the default X-header text appears instead: "X-This-Is-Spam: This message appears to be spam."

    5. Prepend subject line with text - Sends the message to the intended recipients but prepends the subject line with the text that you specify in the Prefix subject line with this text input box. Using this text as an identifier, you can optionally create rules to filter or route the messages as needed.
    6. Redirect message to email address - Sends the message to a designated email address instead of to the intended recipients. Specify the "redirect" address in the Redirect to this email address input box.
  5. Under Bulk email, you can select a threshold to treat bulk email as spam. This threshold is based on the bulk complaint level of the message. You can choose a threshold setting from 1 - 9, where 1 marks most bulk email as spam, and 9 allows most bulk email to be delivered. The service then performs the configured action, such as sending the message to the recipient's Junk Email folder.
  6. On the Block Lists page, if required, specify entries, such as senders or domains, that will always be marked as spam. The service will apply the configured high confidence spam action on emails that match these entries.
    1. To add unwanted senders to the Sender block list:

i.  Click Add, then in the selection dialog box, add the sender addresses you want to block. You can separate multiple entries using a semi-colon or a new line.

ii.  Click OK to return to the Block Lists page.

    2. To add unwanted domains to the Domain block list:

i.  Click Add, then in the selection dialog box, add the domains you want to block. You can separate multiple entries using a semi-colon or a new line.

ii.  Click OK to return to the Block Lists page.

Caution:
If you block top-level domains, it's likely that email you want will be marked as spam.

  7. On the Allow Lists page, you can specify entries, such as senders or domains, that will always be delivered to the inbox. Email messages from these entries are not processed by the spam filter.
    1. To add trusted senders to the Sender allow list:

i.  Click Add, then in the selection dialog box, add the sender addresses you wish to allow. You can separate multiple entries using a semi-colon or a new line.

ii.  Click OK to return to the Allow Lists page.

    2. To add trusted domains to the Domain allow list:

i.  Click Add, then in the selection dialog box, add the domains you wish to allow. You can separate multiple entries using a semi-colon or a new line.

ii.  Click OK to return to the Allow Lists page.

Caution:
If you allow top-level domains, it's likely that email you don't want will be delivered to an inbox.

International spam filtering options

  8. On the International Spam page you can filter email messages written in specific languages, or sent from specific countries or regions. You can configure up to 86 different languages and 250 different regions. The service will apply the configured action for high confidence spam. To filter email messages written in specific languages, or sent from specific countries or regions, do one of the following:
    1. Select the Filter email messages written in the following languages check box.

i.  Click Add, and then in the selection dialog box, make your choices (multi-selection is supported). For example, if you select to filter messages written in Arabic (AR), and Quarantine message is your configured action for high confidence spam messages, then any messages written in Arabic will be quarantined.

ii.  Click OK to return to the International Spam pane.

    2. Select the Filter email messages sent from the following countries or regions check box.

i.  Click Add, and then in the selection dialog box, make your choices (multi-selection is supported). For example, if you select to filter all messages sent from Australia (AU), and Quarantine message is your configured action for high confidence spam messages, then any messages sent from Australia will be quarantined.

ii.  Click OK to return to the International Spam pane.

Note:
By default, if no international spam options are selected, then the service performs normal spam filtering on messages sent in all languages and from all regions. Messages are analysed, and the configured actions are applied if the message is determined to be spam or high confidence spam.

Advanced spam filtering options

  9. On the Advanced Options page, you can choose On, Off, or Test for each advanced spam filtering option.
    1. On - Messages are actively filtered according to the rule associated with that option. Messages are either marked as spam or will have their spam scores increased, depending on which options you turn on.
    2. Off - No action is taken on messages that meet the spam filter criteria. All options are turned off by default.
    3. Test - No action is taken on messages that meet the spam filter criteria. However, messages can be tagged with an X-header before they are delivered to the intended recipient; this X-header lets you know which ASF option was matched. If you specified Test for any of the advanced options, you can configure the following test mode settings to be applied when a match is made to a test-enabled option:

i.  None - Take no test mode action on the message. This is the default.

ii.  Add the default test X-header text - Sends the message to the specified recipients but adds a special X-header to the message that identifies it as having matched a specific advanced spam filtering option.

iii.  Send a Bcc message to this address - Sends a blind carbon copy of the message to the email address you specify in the input box.

Custom policies only

  10. For custom policies only, click the Apply to menu item and then create a condition-based rule to specify the users, groups, and/or domains for whom to apply this policy. You can create multiple conditions, as follows, provided that they are unique:
    1. To select users, select The recipient is.

i.  In the subsequent dialog box, select one or more senders from your company from the user picker list and then click Add.

ii.  To add senders who aren't on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@domainname).

iii.  When you are done with your selections, click OK to return to the main screen.

    2. To select groups, select The recipient is a member of.

i.  In the subsequent dialog box, select or specify the groups.

ii.  Click OK to return to the main screen.

    3. To select domains, select The recipient domain is.

i.  In the subsequent dialog box, add the domains.

ii.  Click OK to return to the main screen.

Note:
You can create exceptions within the rule, for example you can filter messages from all domains except for a certain domain. Click add exception and then create your exception conditions similar to the way you created the other conditions.

  11. Click Save.

A summary of your policy settings appears in the right pane.

Note:
You can select or clear the check boxes in the ENABLED column to enable or disable your custom policies. All policies are enabled by default, and the default policy cannot be disabled.
To delete a custom policy, select the policy, click the Delete icon, and then confirm that you want to delete the policy. The default policy cannot be deleted.
Custom policies always take precedence over the default policy. Custom policies run in the reverse order that you created them (from oldest to newest), but you can change the priority (running order) of your custom policies by clicking the Up Arrow and Down Arrow. The policy with a PRIORITY of 0 will run first, followed by 1, then 2, and so on.