I have been pulling my hair out for a couple days trying to figure to get the EFA spam filter tagged messages to automatically go to my exchange outlook users junk mail folders. I finally figured it out and I would like to share it.

First what are we trying to accomplish with this. the way my EFA system and most are by default is. RBL listed domains are blocked at the door and do not make it to your mail server. However the messages that pass the RBL check should go through Bayesian checks. This is to see if the messages are spam or not by content of the message. We do this because not all spammers are in the RBLs right away. The Bayesian checker assigns a confident level of how sure it is that it is a spam email message. if it reaches a certain threshold it is passed through to the web quarantine by default and a email is sent to the user so they can allow it through if they want to. But I prefer to have those messages go into my users junk folder where they can directly choose what to do with them. Why would I want to do this you may ask. Well I like to keep my services as transparent to my users as humanly possible. That and I am a geek who likes to bend things to his will.

software versions used in this document are EFA project virtual appliance and exchange server standard 2013. this information will work on all versions of exchange with minor changes due to interface changes.

EFA Project Appliance Configuration

First we need to enable the spam marking headerĀ  on the EFA appliance which looks like this “X-Spam-Status: Yes”

First you have to configure EFA. log into your EFA appliance via ssh


Select option 9 and press enter

efassh2Select option 2 and press enter

efassh3Select Y and press enter


I also rebooted the EFA appliance myself but it may not be needed. I just prefer to reboot after making a system change.

Exchange Server Configuration (exchange 2013 but similar for 2007/2010)

You will need to have anti spam filtering enabled on your exchange server if it is not you can find the direction how to do it right here


First you will need a exchange power shell window

exps1First lets set the junk thresh hold for the environment. this should not be needed as the default is 5 but I like to be thorough

Set-OrganizationConfig -SCLJunkThreshold 5

exps2Next lets Disable the Content Filter agent: Since you have a 3rd-party filtering solution running on your non-Exchange SMTP host(s), you can disable the Content Filter Agent. Messages exceeding SCLJunkThreshold will still be moved to Junk Mail folder.

Disable-TransportAgent “Content Filter Agent”


Alternatively, you can leave the CFA enabled, but disable the Delete, Reject and Quarantine actions. I do both commands in the interest of being thorough

Set-ContentFilterConfig -SCLDeleteEnabled $false -SCLRejectEnabled $false -SCLQuarantineEnabled $false

exps4Not too bad so far right?

Exchange Transport Rule Creation

last part is to create a transport rule. Here we have a choice. you can create this rule by using either the power shell or the GUI. I will show you both ways to accomplish this. personally I prefer to do this via power shell as it is faster.

Powershell rule creation method

Just copy and paste this line into exchange power shell and you are all set.

New-TransportRule -Name “EFA to Junk Folder” -HeaderMatchesMessageHeader “X-Spam-Status” -HeaderMatchesPatterns “Yes” -SetSCL 9 -Comments “This rule moves spam messages from the EFA filter to the users junk mail folder.”

Now lets do this via the GUI

open up EAC (Exchange Admin Center) and follow along with the next steps.

Click mail flow and Rules should be selected by default


exchange-2013-transport-rules-00click the plus sign and click create a new rule


Choose a name for the rule I used EFA to Junk Folder

now click more options


Now we need to define the rule properties

from *Apply this rule if.. > A message Header… Matches these text patterns

exchange-2013-transport-rules-04Now click add condition

Specify Header Name X-Spam-Status


Next Specify Words or Phrases Yes

exchange-2013-transport-rules-06Now we needĀ  add an action *Do the following…

Set the spam confidence level (SCL) to… > Set the Spam Level (SCL)…


Next Specify SCL select level 9


If You are interested in how the rule would look in powershell it should look like this

[PS] C:\Windows\system32>Get-TransportRule "EFA to Junk Folder" | Format-List

RunspaceId                                   : 9baed7a4-c016-4318-bb18-5075b013bd8e
Priority                                     : 1
DlpPolicy                                    :
DlpPolicyId                                  : 00000000-0000-0000-0000-000000000000
Comments                                     : This rule moves spam messages from the EFA filter to the users junk
                                               mail folder.

ManuallyModified                             : False
ActivationDate                               :
ExpiryDate                                   :
Description                                  : If the message:
                                                   'X-Spam-Status' header matches the following patterns: 'Yes'
                                               Take the following actions:
                                                   Set the spam confidence level (SCL) to '9'

RuleVersion                                  :
Conditions                                   : {HeaderMatches}
Exceptions                                   :
Actions                                      : {SetSCL}
State                                        : Enabled
Mode                                         : Enforce
RuleErrorAction                              : Ignore
SenderAddressLocation                        : Header
RuleSubType                                  : None
UseLegacyRegex                               : False
From                                         :
FromMemberOf                                 :
FromScope                                    :
SentTo                                       :
SentToMemberOf                               :
SentToScope                                  :
BetweenMemberOf1                             :
BetweenMemberOf2                             :
ManagerAddresses                             :
ManagerForEvaluatedUser                      :
SenderManagementRelationship                 :
ADComparisonAttribute                        :
ADComparisonOperator                         :
SenderADAttributeContainsWords               :
SenderADAttributeMatchesPatterns             :
RecipientADAttributeContainsWords            :
RecipientADAttributeMatchesPatterns          :
AnyOfToHeader                                :
AnyOfToHeaderMemberOf                        :
AnyOfCcHeader                                :
AnyOfCcHeaderMemberOf                        :
AnyOfToCcHeader                              :
AnyOfToCcHeaderMemberOf                      :
HasClassification                            :
HasNoClassification                          : False
SubjectContainsWords                         :
SubjectOrBodyContainsWords                   :
HeaderContainsMessageHeader                  :
HeaderContainsWords                          :
FromAddressContainsWords                     :
SenderDomainIs                               :
RecipientDomainIs                            :
SubjectMatchesPatterns                       :
SubjectOrBodyMatchesPatterns                 :
HeaderMatchesMessageHeader                   : X-Spam-Status
HeaderMatchesPatterns                        : {Yes}
FromAddressMatchesPatterns                   :
AttachmentNameMatchesPatterns                :
AttachmentExtensionMatchesWords              :
ContentCharacterSetContainsWords             :
HasSenderOverride                            : False
MessageContainsDataClassifications           :
SenderIpRanges                               :
SCLOver                                      :
AttachmentSizeOver                           :
MessageSizeOver                              :
WithImportance                               :
MessageTypeMatches                           :
RecipientAddressContainsWords                :
RecipientAddressMatchesPatterns              :
SenderInRecipientList                        :
RecipientInSenderList                        :
AttachmentContainsWords                      :
AttachmentMatchesPatterns                    :
AttachmentIsUnsupported                      : False
AttachmentProcessingLimitExceeded            : False
AttachmentHasExecutableContent               : False
AttachmentIsPasswordProtected                : False
AnyOfRecipientAddressContainsWords           :
AnyOfRecipientAddressMatchesPatterns         :
ExceptIfFrom                                 :
ExceptIfFromMemberOf                         :
ExceptIfFromScope                            :
ExceptIfSentTo                               :
ExceptIfSentToMemberOf                       :
ExceptIfSentToScope                          :
ExceptIfBetweenMemberOf1                     :
ExceptIfBetweenMemberOf2                     :
ExceptIfManagerAddresses                     :
ExceptIfManagerForEvaluatedUser              :
ExceptIfSenderManagementRelationship         :
ExceptIfADComparisonAttribute                :
ExceptIfADComparisonOperator                 :
ExceptIfSenderADAttributeContainsWords       :
ExceptIfSenderADAttributeMatchesPatterns     :
ExceptIfRecipientADAttributeContainsWords    :
ExceptIfRecipientADAttributeMatchesPatterns  :
ExceptIfAnyOfToHeader                        :
ExceptIfAnyOfToHeaderMemberOf                :
ExceptIfAnyOfCcHeader                        :
ExceptIfAnyOfCcHeaderMemberOf                :
ExceptIfAnyOfToCcHeader                      :
ExceptIfAnyOfToCcHeaderMemberOf              :
ExceptIfHasClassification                    :
ExceptIfHasNoClassification                  : False
ExceptIfSubjectContainsWords                 :
ExceptIfSubjectOrBodyContainsWords           :
ExceptIfHeaderContainsMessageHeader          :
ExceptIfHeaderContainsWords                  :
ExceptIfFromAddressContainsWords             :
ExceptIfSenderDomainIs                       :
ExceptIfRecipientDomainIs                    :
ExceptIfSubjectMatchesPatterns               :
ExceptIfSubjectOrBodyMatchesPatterns         :
ExceptIfHeaderMatchesMessageHeader           :
ExceptIfHeaderMatchesPatterns                :
ExceptIfFromAddressMatchesPatterns           :
ExceptIfAttachmentNameMatchesPatterns        :
ExceptIfAttachmentExtensionMatchesWords      :
ExceptIfContentCharacterSetContainsWords     :
ExceptIfSCLOver                              :
ExceptIfAttachmentSizeOver                   :
ExceptIfMessageSizeOver                      :
ExceptIfWithImportance                       :
ExceptIfMessageTypeMatches                   :
ExceptIfRecipientAddressContainsWords        :
ExceptIfRecipientAddressMatchesPatterns      :
ExceptIfSenderInRecipientList                :
ExceptIfRecipientInSenderList                :
ExceptIfAttachmentContainsWords              :
ExceptIfAttachmentMatchesPatterns            :
ExceptIfAttachmentIsUnsupported              : False
ExceptIfAttachmentProcessingLimitExceeded    : False
ExceptIfAttachmentHasExecutableContent       : False
ExceptIfAttachmentIsPasswordProtected        : False
ExceptIfAnyOfRecipientAddressContainsWords   :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride                    : False
ExceptIfMessageContainsDataClassifications   :
ExceptIfSenderIpRanges                       :
PrependSubject                               :
SetAuditSeverity                             :
ApplyClassification                          :
ApplyHtmlDisclaimerLocation                  :
ApplyHtmlDisclaimerText                      :
ApplyHtmlDisclaimerFallbackAction            :
ApplyRightsProtectionTemplate                :
SetSCL                                       : 9
SetHeaderName                                :
SetHeaderValue                               :
RemoveHeader                                 :
AddToRecipients                              :
CopyTo                                       :
BlindCopyTo                                  :
AddManagerAsRecipientType                    :
ModerateMessageByUser                        :
ModerateMessageByManager                     : False
RedirectMessageTo                            :
RejectMessageEnhancedStatusCode              :
RejectMessageReasonText                      :
DeleteMessage                                : False
Disconnect                                   : False
Quarantine                                   : False
SmtpRejectMessageRejectText                  :
SmtpRejectMessageRejectStatusCode            :
LogEventText                                 :
StopRuleProcessing                           : False
SenderNotificationType                       :
GenerateIncidentReport                       :
IncidentReportOriginalMail                   :
IncidentReportContent                        :
RouteMessageOutboundConnector                :
RouteMessageOutboundRequireTls               : False
ApplyOME                                     : False
RemoveOME                                    : False
Identity                                     : EFA to Junk Folder
DistinguishedName                            : CN=EFA to Junk Folder,CN=TransportVersioned,CN=Rules,CN=Transport
Guid                                         : 8c190883-5e67-4221-853c-f6bb1178f180
ImmutableId                                  : 8c190883-5e67-4221-853c-f6bb1178f180
OrganizationId                               :
Name                                         : EFA to Junk Folder
IsValid                                      : True
WhenChanged                                  : 10/9/2014 8:55:20 AM
ExchangeVersion                              : 0.1 (8.0.535.0)
ObjectState                                  : Unchanged

[PS] C:\Windows\system32>

That is it the spam messages that would normally be in the web quarantine will now be in your users mailboxes junk folders.

I hope this helps. This information will work with most 3rd party spam filtering with minor changes. If it does help please leave me a message with some feedback.

By admin