I have a reasonably vanilla Exchange 2007 SP2 setup (Server Std. 2008) with a fairly liberal spam policy. I allow anything through with an SCL of 7 or lower and quarantine everything else. This lets some spam spam through but almost guarantees no false positives. (almost).
We have customers that manage their own lists that include our staff as recipients. It appears that a single delivery, addressed To: list@theircompany.com, but enveloped to three recipients at ourcompany.com got an SCL of 8, even though it picked up an active SPF pass on the way. It was particularly infuriating as it was quite an important message, timing-wise and previous messages to the same list had been passed with no trouble. The agent log only shows the following:
[snip sender] Content Filter Agent,OnEndOfData,QuarantineMessage,550 5.2.1 Content Filter agent quarantined this message,SclAtOrAboveQuarantineThreshold,8,DV:3.3.9515.631;SV:3.3.9007.60;SID:SenderIDStatus Pass
Now, I can whitelist some more domains and senders, but I hate having to pile up these explicit lists and I hate being beholden to black box systems that appear to arbitrarily break their own rules on a whim.
Could anyone tell me how I can see why it got an SCL of 8 (perhaps similar to what SpamAssassin would show), and whether it's possible to modify the weighting at all?
Cheers
Best Answer
The spam confidence level rating (SCL) may be set by any installed content filter extension, but the feature you probably mean is the Exchange Intelligent Message Filter is a black box - it changes with the definition updates issued by Microsoft every month. You might define additional "blacklisted" or "whitelisted" keyword lists and recipients, but aside from that, it is not configurable in the sense as SpamAssassin is. This is the reason why many Exchange administrators do use different message filtering techniques instead.