Compartilhar via


An Early Gift, EOP Bulk Mail Detection - The Easy Way

This past summer we added new bulk detection capabilities to Exchange Online Protection. At the time, if you wanted to take advantage of these new capabilities you had to add an EOP transport rule to detect the BCL (bulk complain level) that EOP stamped on incoming messages. This new capability worked wonderfully, but the problem was that it was not discoverable to customers (unless you read our blogs or TechNet), and second, to implement this you had to create a transport rule that contained regex (while not difficult, it still added a level of complexity to the implementation).

Starting soon we hope to elevate both of these problems by making this new capability both discoverable and configurable in the EOP / Exchange Online portal. This means you will no longer need to create a transport rule to take advantage of EOPs bulk mail detection capability, sweet!

What’s New

Technology wise not a lot has changed since BCL stamping was first enabled this past summer. Since implementation the detection capabilities have continued to be improved, but the big change now is that you can enable this capability in the portal with ease by checking a box (as opposed to creating an EOP transport rule). This means that those misguided individuals that do not read my blog will now see and learn about this new capability when they log in to the portal. Luckily you are one of the elite that don’t fall into that category!

Note that this will be rolling out soon, so don’t worry if you don’t see these changes yet.

This new setting will be configurable in your Content Filter. Here’s what you will see when this change has gone live in your portal.


 
Default view with the Bulk email filter enabled.

By default, any messages marked with a BCL of 7 or higher will be marked as spam. Depending on your organization you can either raise or lower this threshold like so.


 
I would recommend that administrators start collecting missed spam messages that have landed in end users inboxes. Look through the headers and take note of what the average BCL value appears to be. This will give you a good indication where you should initially set this threshold. The BCL value can be seen in the X-Microsoft-Antispam header.

What is the Bulk Complaint Level?

Let’s take a brief step back and review the bulk complain level feature. The BCL value will be stamped in the header of all messages that pass through EOP (look for the X-Microsoft-Antispam header). The value can range between 0 and 9 and is based on feedback we receive from customers on what they do and do not want to receive. The following shows what you can expect a particular BCL rating to indicate.

How it worked in the past

Before we launched the Bulk Complain Level system, bulk mail detection was an option in the Advanced Options of the content filter that could be turned On or Off. With this older implementation, mail was determined as bulk based on the sending IP. This method quickly became dated and did not give customers a sliding scale to set just how sensitive they wanted EOP to be when it came to bulk mail. A sliding scale is very important as some customers want to receive bulk mail, others do not, and others are right in the middle. Our new bulk mail detection capability will replace this older switch.

My experience with bulk mail

In my role I do a lot of consults with customers that are receiving large amounts of spam that appear to have been missed by EOP. In every single one of these cases, a large number of the messages that appeared to be missed were actually marked as bulk (tagged with a BCL value) by EOP. However, because the customer had not created the bulk transport rule, EOP would not treat bulk mail as spam.

In all of these cases I had the customers create the bulk transport rule which drastically reduced the amount of spam they received. Personally I’m very excited that this capability will soon be visible in the portal as more customers will learn about it and subsequently implement it.

What if you have already implemented a transport rule to detect the BCL value?

For these customers nothing needs to change. The transport rule that you would have created (see the first rule on the page, Use transport rules to aggressively filter bulk email messages) does exactly the same thing that the check box will do once it has gone live in your portal. To clean up your transport rules, I would recommend enabling the bulk mail check box once it has gone live in your portal, and at this point you will then be able to delete the transport rule that you had previously created.

Summary

Having this feature visible in the portal is a massive step forward in educating customers on this new capability. For those that have not created a transport rule to detect the BCL value, I would recommend waiting until this capability appears in your portal (unless of course it can’t wait), and until it does collect samples of spam that have come through and take note of the stamped BCL value to get an idea of where you will want to set this threshold.

Resources

Block spam this holiday season with the new enhanced bulk mail experience in EOP
Bulk Complaint Level values
Anti-spam message headers
What’s the difference between junk email and bulk email?
Use transport rules to aggressively filter bulk email messages (see rules 2 & 3 if you need EOP to be even more aggressive with bulk mail)
Create a transport rule to identify mail as spam or not spam by setting the SCL

Comments

  • Anonymous
    January 01, 2003
    HI Tushar, good to see you again! Yes... that suggestion does go against best practices. However, it's currently the only way to use the Online Quarantine with a shared mailbox. Our product team has heard this request but I can't say if or when this functionality may be coming. If I have an opportunity I'll go to bat for you on this feature as I agree that it is needed.
  • Anonymous
    January 01, 2003
    Hi David. With shared mailboxes, the easiest thing to do is to use End User Spam Notifications (daily digests). If you instead want to use the end user quarantine, that account will need a user name and password which would then need to be shared with everyone who needs to access the only view of the quarantine.

    It is certainly easier to only use the ESNs, but it is possible to have multiple users use the end user quarantine.http://technet.microsoft.com/en-us/library/dn683870(v=exchg.150).aspx.

    I'll also note that the setup for the user name and password will be slightly different depending on if you have an EOP Stand Alone tenant or a full Exchange Online tenant.
  • Anonymous
    December 06, 2014
    Andrew,
    We've recently embraced the BCL features and are now directing more unwanted mail to the Personal Quarantine. Our new challenge is how to access the Personal Quarantine for a Resource or Shared Mailbox? I realize it will get a daily digest, but we need to have a URL to access the Personal Quarantine for a Resource or Shared Mailbox "on demand". Thoughts?

    Thanks - David
  • Anonymous
    December 10, 2014
    Andrew, doesn't your recommendation go against MS best practice of using shared-mailbox credentials.

    Shared mailboxes Shared mailboxes aren't primarily associated with individual users and are generally configured to allow access by multiple users.
    Although it's possible to assign additional users the logon access permissions to any mailbox type, shared mailboxes are dedicated for this functionality. The Active Directory user associated with a shared mailbox must be a disabled account. After you create a shared mailbox, you must assign permissions to all users that require access to the shared mailbox

    Ref: http://technet.microsoft.com/en-IN/library/bb201680(v=exchg.150).aspx

    Most of the Anti-spam solutions (including FOPE, Cisco, Fortimail, Barracuda) have a simple solution to provide multiple quarantine-user-account access via console to just one user.

    Do you know if MS is hearing our plea, to have this sort of functionality to be introduced in future?

    -Tushar

    PS: Been long had a chat with you :)