I have been pulling my hair out for a couple of days trying to figure out how to get messages tagged by the EFA spam filter to automatically go to my Exchange Outlook users' Junk Mail folders. I finally figured it out and I would like to share it.
First, what are we trying to accomplish? By default, my EFA system (like most) works like this: RBL-listed domains are blocked at the door and do not make it to your mail server. However, the messages that pass the RBL check should go through Bayesian checks, which judge from the content of the message whether it is spam or not. We do this because not all spammers are in the RBLs right away. The Bayesian checker assigns a confidence level for how sure it is that a message is spam. If it reaches a certain threshold, the message is passed through to the web quarantine by default and an email is sent to the user so they can allow it through if they want to. But I prefer to have those messages go into my users' junk folders, where they can directly choose what to do with them. Why would I want to do this, you may ask? Well, I like to keep my services as transparent to my users as humanly possible. That, and I am a geek who likes to bend things to his will.
The software versions used in this document are EFA Project virtual appliance 3.0.0.1 and Exchange Server Standard 2013. This information will work on all versions of Exchange with minor changes due to interface changes.
EFA Project Appliance Configuration
First we need to enable the spam marking header on the EFA appliance, which looks like this: "X-Spam-Status: Yes"
To configure EFA, log into your EFA appliance via SSH
Select option 9 and press enter
Select option 2 and press enter
I also rebooted the EFA appliance myself but it may not be needed. I just prefer to reboot after making a system change.
Exchange Server Configuration (Exchange 2013, but similar for 2007/2010)
You will need to have anti-spam filtering enabled on your Exchange server. If it is not, you can find directions on how to do it here:
https://technet.microsoft.com/en-us/library/bb201691(v=exchg.150).aspx
First you will need an Exchange PowerShell window
Next, let's set the junk threshold for the environment. This should not be needed as the default is 5, but I like to be thorough
Set-OrganizationConfig -SCLJunkThreshold 5
Next, let's disable the Content Filter Agent. Since you have a 3rd-party filtering solution running on your non-Exchange SMTP host(s), you can disable the Content Filter Agent. Messages exceeding SCLJunkThreshold will still be moved to the Junk Mail folder.
Disable-TransportAgent "Content Filter Agent"
Alternatively, you can leave the CFA enabled, but disable the Delete, Reject and Quarantine actions. I do both commands in the interest of being thorough.
Set-ContentFilterConfig -SCLDeleteEnabled $false -SCLRejectEnabled $false -SCLQuarantineEnabled $false
Exchange Transport Rule Creation
The last part is to create a transport rule. Here we have a choice: you can create this rule by using either PowerShell or the GUI. I will show you both ways to accomplish this. Personally I prefer to do this via PowerShell as it is faster.
PowerShell rule creation method
Just copy and paste this line into the Exchange PowerShell window and you are all set.
New-TransportRule -Name "EFA to Junk Folder" -HeaderMatchesMessageHeader "X-Spam-Status" -HeaderMatchesPatterns "Yes" -SetSCL 9 -Comments "This rule moves spam messages from the EFA filter to the users junk mail folder."
Now let's do this via the GUI
Open up the EAC (Exchange Admin Center) and follow along with the next steps.
Click mail flow; Rules should be selected by default
Click the plus sign and click Create a new rule
Choose a name for the rule; I used EFA to Junk Folder
Now click More options
Now we need to define the rule properties
From *Apply this rule if... > A message header... > matches these text patterns
Specify header name: X-Spam-Status
Next, specify words or phrases: Yes
Now we need to add an action under *Do the following...
Set the spam confidence level (SCL) to... > Set the Spam Level (SCL)...
Next, specify SCL: select level 9
If you are interested in how the rule would look in PowerShell, it should look like this
[PS] C:\Windows\system32>Get-TransportRule "EFA to Junk Folder" | Format-List
RunspaceId : 9baed7a4-c016-4318-bb18-5075b013bd8e
Priority : 1
DlpPolicy :
DlpPolicyId : 00000000-0000-0000-0000-000000000000
Comments : This rule moves spam messages from the EFA filter to the users junk mail folder.
ManuallyModified : False
ActivationDate :
ExpiryDate :
Description : If the message: 'X-Spam-Status' header matches the following patterns: 'Yes' Take the following actions: Set the spam confidence level (SCL) to '9'
RuleVersion : 15.0.0.0
Conditions : {HeaderMatches}
Exceptions :
Actions : {SetSCL}
State : Enabled
Mode : Enforce
RuleErrorAction : Ignore
SenderAddressLocation : Header
RuleSubType : None
UseLegacyRegex : False
From :
FromMemberOf :
FromScope :
SentTo :
SentToMemberOf :
SentToScope :
BetweenMemberOf1 :
BetweenMemberOf2 :
ManagerAddresses :
ManagerForEvaluatedUser :
SenderManagementRelationship :
ADComparisonAttribute :
ADComparisonOperator :
SenderADAttributeContainsWords :
SenderADAttributeMatchesPatterns :
RecipientADAttributeContainsWords :
RecipientADAttributeMatchesPatterns :
AnyOfToHeader :
AnyOfToHeaderMemberOf :
AnyOfCcHeader :
AnyOfCcHeaderMemberOf :
AnyOfToCcHeader :
AnyOfToCcHeaderMemberOf :
HasClassification :
HasNoClassification : False
SubjectContainsWords :
SubjectOrBodyContainsWords :
HeaderContainsMessageHeader :
HeaderContainsWords :
FromAddressContainsWords :
SenderDomainIs :
RecipientDomainIs :
SubjectMatchesPatterns :
SubjectOrBodyMatchesPatterns :
HeaderMatchesMessageHeader : X-Spam-Status
HeaderMatchesPatterns : {Yes}
FromAddressMatchesPatterns :
AttachmentNameMatchesPatterns :
AttachmentExtensionMatchesWords :
ContentCharacterSetContainsWords :
HasSenderOverride : False
MessageContainsDataClassifications :
SenderIpRanges :
SCLOver :
AttachmentSizeOver :
MessageSizeOver :
WithImportance :
MessageTypeMatches :
RecipientAddressContainsWords :
RecipientAddressMatchesPatterns :
SenderInRecipientList :
RecipientInSenderList :
AttachmentContainsWords :
AttachmentMatchesPatterns :
AttachmentIsUnsupported : False
AttachmentProcessingLimitExceeded : False
AttachmentHasExecutableContent : False
AttachmentIsPasswordProtected : False
AnyOfRecipientAddressContainsWords :
AnyOfRecipientAddressMatchesPatterns :
ExceptIfFrom :
ExceptIfFromMemberOf :
ExceptIfFromScope :
ExceptIfSentTo :
ExceptIfSentToMemberOf :
ExceptIfSentToScope :
ExceptIfBetweenMemberOf1 :
ExceptIfBetweenMemberOf2 :
ExceptIfManagerAddresses :
ExceptIfManagerForEvaluatedUser :
ExceptIfSenderManagementRelationship :
ExceptIfADComparisonAttribute :
ExceptIfADComparisonOperator :
ExceptIfSenderADAttributeContainsWords :
ExceptIfSenderADAttributeMatchesPatterns :
ExceptIfRecipientADAttributeContainsWords :
ExceptIfRecipientADAttributeMatchesPatterns :
ExceptIfAnyOfToHeader :
ExceptIfAnyOfToHeaderMemberOf :
ExceptIfAnyOfCcHeader :
ExceptIfAnyOfCcHeaderMemberOf :
ExceptIfAnyOfToCcHeader :
ExceptIfAnyOfToCcHeaderMemberOf :
ExceptIfHasClassification :
ExceptIfHasNoClassification : False
ExceptIfSubjectContainsWords :
ExceptIfSubjectOrBodyContainsWords :
ExceptIfHeaderContainsMessageHeader :
ExceptIfHeaderContainsWords :
ExceptIfFromAddressContainsWords :
ExceptIfSenderDomainIs :
ExceptIfRecipientDomainIs :
ExceptIfSubjectMatchesPatterns :
ExceptIfSubjectOrBodyMatchesPatterns :
ExceptIfHeaderMatchesMessageHeader :
ExceptIfHeaderMatchesPatterns :
ExceptIfFromAddressMatchesPatterns :
ExceptIfAttachmentNameMatchesPatterns :
ExceptIfAttachmentExtensionMatchesWords :
ExceptIfContentCharacterSetContainsWords :
ExceptIfSCLOver :
ExceptIfAttachmentSizeOver :
ExceptIfMessageSizeOver :
ExceptIfWithImportance :
ExceptIfMessageTypeMatches :
ExceptIfRecipientAddressContainsWords :
ExceptIfRecipientAddressMatchesPatterns :
ExceptIfSenderInRecipientList :
ExceptIfRecipientInSenderList :
ExceptIfAttachmentContainsWords :
ExceptIfAttachmentMatchesPatterns :
ExceptIfAttachmentIsUnsupported : False
ExceptIfAttachmentProcessingLimitExceeded : False
ExceptIfAttachmentHasExecutableContent : False
ExceptIfAttachmentIsPasswordProtected : False
ExceptIfAnyOfRecipientAddressContainsWords :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride : False
ExceptIfMessageContainsDataClassifications :
ExceptIfSenderIpRanges :
PrependSubject :
SetAuditSeverity :
ApplyClassification :
ApplyHtmlDisclaimerLocation :
ApplyHtmlDisclaimerText :
ApplyHtmlDisclaimerFallbackAction :
ApplyRightsProtectionTemplate :
SetSCL : 9
SetHeaderName :
SetHeaderValue :
RemoveHeader :
AddToRecipients :
CopyTo :
BlindCopyTo :
AddManagerAsRecipientType :
ModerateMessageByUser :
ModerateMessageByManager : False
RedirectMessageTo :
RejectMessageEnhancedStatusCode :
RejectMessageReasonText :
DeleteMessage : False
Disconnect : False
Quarantine : False
SmtpRejectMessageRejectText :
SmtpRejectMessageRejectStatusCode :
LogEventText :
StopRuleProcessing : False
SenderNotificationType :
GenerateIncidentReport :
IncidentReportOriginalMail :
IncidentReportContent :
RouteMessageOutboundConnector :
RouteMessageOutboundRequireTls : False
ApplyOME : False
RemoveOME : False
Identity : EFA to Junk Folder
DistinguishedName : CN=EFA to Junk Folder,CN=TransportVersioned,CN=Rules,CN=Transport Settings,CN=McGearyTech,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mcgearytech,DC=com
Guid : 8c190883-5e67-4221-853c-f6bb1178f180
ImmutableId : 8c190883-5e67-4221-853c-f6bb1178f180
OrganizationId :
Name : EFA to Junk Folder
IsValid : True
WhenChanged : 10/9/2014 8:55:20 AM
ExchangeVersion : 0.1 (8.0.535.0)
ObjectState : Unchanged
[PS] C:\Windows\system32>
That is it. The spam messages that would normally be in the web quarantine will now be in your users' mailbox junk folders.
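To confirm the Exchange side ended up the way this walkthrough describes, the following check can be run in the Exchange Management Shell. It is an added example, not part of the original post; the function names New-Check and Test-EfaJunkRouting are made up for illustration, and the rule name, header, pattern and SCL value are the ones used above.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# New-Check and Test-EfaJunkRouting are illustrative names; defaults are this page's values.
function New-Check($Name, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Check = $Name; Actual = "$Actual"; Pass = $Pass }
}

function Test-EfaJunkRouting {
    param(
        [string]$RuleName   = 'EFA to Junk Folder',
        [string]$HeaderName = 'X-Spam-Status',
        [string]$Pattern    = 'Yes',
        [int]$RuleScl       = 9
    )

    # The SCL stamped by the rule must exceed the junk threshold,
    # otherwise tagged mail is not moved to the Junk Mail folder.
    $threshold = (Get-OrganizationConfig).SCLJunkThreshold
    New-Check 'Rule SCL exceeds SCLJunkThreshold' "threshold=$threshold" ($RuleScl -gt $threshold)

    # Either the Content Filter Agent is disabled (or not installed), or its
    # delete/reject/quarantine actions are all off, so Exchange does not drop
    # mail that EFA has already scored.
    $agent = Get-TransportAgent -Identity 'Content Filter Agent' -ErrorAction SilentlyContinue
    $cfg   = Get-ContentFilterConfig -ErrorAction SilentlyContinue
    $agentOff   = (-not $agent) -or (-not $agent.Enabled)
    $actionsOff = $cfg -and -not ($cfg.SCLDeleteEnabled -or $cfg.SCLRejectEnabled -or $cfg.SCLQuarantineEnabled)
    New-Check 'Content filter cannot drop mail' "agentEnabled=$($agent.Enabled)" ($agentOff -or $actionsOff)

    # The transport rule itself: present, enabled, enforcing, and matching what was configured.
    $rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        New-Check "Rule '$RuleName' exists" 'missing' $false
        return
    }
    $live = ("$($rule.State)" -eq 'Enabled') -and ("$($rule.Mode)" -eq 'Enforce')
    New-Check 'Rule enabled and enforcing' "$($rule.State)/$($rule.Mode)" $live
    New-Check 'Rule header name' $rule.HeaderMatchesMessageHeader ("$($rule.HeaderMatchesMessageHeader)" -eq $HeaderName)
    $patterns = @($rule.HeaderMatchesPatterns | ForEach-Object { "$_" })
    New-Check 'Rule header pattern' ($patterns -join ',') ($patterns -contains $Pattern)
    New-Check 'Rule SetSCL' $rule.SetSCL ("$($rule.SetSCL)" -eq "$RuleScl")
}

Test-EfaJunkRouting | Format-Table -AutoSize
```

Any row with Pass set to False points at the step above that needs revisiting.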
I hope this helps. This information will work with most 3rd-party spam filtering with minor changes. If it does help, please leave me a message with some feedback.