Blog Post

Exchange Team Blog
4 MIN READ

Take Advantage of EOPs new Bulk Mail Detection

The_Exchange_Team's avatar
Sep 25, 2014

Bulk mail is often mistaken for spam and is starting to become a larger problem for organizations. EOP is not very aggressive out of the box when it comes to bulk mail because this type of mail falls into a grey area. Some organizations will want to receive this type of mail, whereas others will not.

Over the last few months we have greatly increased EOPs ability to detect bulk mail which you can take advantage of starting today. This new system is based on a scale which gives customers the ability to set the aggressiveness of bulk mail detection to meet their specific needs.

X-Microsoft-Antispam is a new header that is stamped on all messages traversing Exchange Online and only started appearing in messages few months ago. This new header currently contains two published values to help better detect bulk and phishing emails.

  • BCL – Bulk Complaint Level
  • PCL – Phishing Confidence Level

The beauty of this header is that it is stamped on incoming messages BEFOREthe EOP transport rules are evaluated. This means EOP transport rules can be written to trigger based on what’s in this header.

One of the goals behind the new X-Microsoft-Antispam header is to allow customers to decide how sensitive they want EOP to be when it comes to bulk mail detection. Currently in the EOP Content Filter there is a bulk mail detection switch that can only be set to either On or Off.

image

The problem with this switch only being on or off is that bulk mail is a very grey area. What one user considers as bulk another will not. This is why EOP (with no additional configuration added) typically does not block this type of mail. This is also why we are moving beyond the On or Off switch to a multi-value type classification system where customers will be able to set the level that they are comfortable with.

With this new header, you can decide on a scale how sensitive you want the service to be with bulk mail detection. Eventually this will be rolled in to the Advanced Spam Filter options and replace the current bulk On or Off switch, but for now you can write EOP Transport Rules to start taking advantage of this today! You can choose the bulk mail detection level that makes sense for your organization.

At MEC this year there was a great presentation with the title “So how does Microsoft handle my spam?” In this presentation, bulk mail detection is discussed between 22:30 to 28:50 and the speakers provide great insight into this topic. The entire session is great, but I would recommend at least listening to the six minutes where they discuss bulk mail.

What can I do today?

If you are receiving unwanted bulk mail today, the following suggestions can help.

1. Take advantage of the new x-Microsoft-Antispam header by creating an EOP transport rule. The following is an example of a rule that will mark messages as spam if the stamped Bulk Complaint Level is 6 or higher.

image

For detected messages this rule will set the SCL to 6 which will cause the message to take the spam action you have configured in the content filter. The additional header that this rule adds will make it easy to identify messages that were marked as spam by this rule.
For more information on rules that will increase the bulk sensitivity of EOP see Use transport rules to aggressively filter bulk email messages. This page describes three separate rules, the first of which walks through the creation of the above rule. I would recommend starting only with the first rule that looks at x-Microsoft-Antispam, and if you need even more aggressive filtering, create the subsequent two rules.

2. Educate yourself on the new X-Microsoft-Antispam header. See Anti-spam message headers and Bulk Complaint Level values.

3. Educate your users. If a user recognizes the sender of the bulk message and does not want to receive further mail, they can click the unsubscribe link on the email. If the user does not recognize the sender, they can block the sender or domain in Outlook or OWA by adding the sender to their Blocked Senders list.

4. Submit bulk mail and spam back to Microsoft for analysis. This allows us to continually refine our message filters. See Submitting spam and non-spam messages to Microsoft for analysis.

Note: EOP will always stamp this new header on messages regardless if it already exists or not. This prevents a spammer from manually adding this header themselves and setting a BCL of 0.

Going forward

In the near future it will be easier to take advantage of this new BCL system. We plan to roll this functionality into a slider that will be configurable in the Office 365 portal. Until this happens, creating the transport rule described above will allow you to take advantage of this functionality immediately.

Resources

The following TechNet documentation was updated in July 2014 to include information about the new X-Microsoft-Antispam header.

What’s the difference between junk email and bulk email?
Anti-spam message headers
Bulk Complaint Level values
Use transport rules to aggressively filter bulk email messages

Andrew Stobart

Updated Jul 01, 2019
Version 2.0
  • Hi Jeff! The current "bulk mail" switch in the content filter operates on different logic than the new BCL rating so they can't be compared. To take advantage of the BCL rating today, you will need to create the transport rule mentioned in this article.

    Eventually you will be able to set the BCL threshold in the portal and at that time it will replace the current "bulk mail" switch in the content filter option.

  • Really looking forward to the new functionality in EOP. Spam is a big problem for a lot of my customers.


    What is the x-Microsoft-Antispam threshold used when "Block all bulk email messages" is set to "On"? In other words, if I turn this setting on, what level messages are being blocked?

  • Images are not being displayed, error 404.
  • So we configure a transport rule to increase the SCL & send it to Quarantine box. It blocks some of the legitimate subscribed emails, so how we allow those valid subscribed mails to pass thru to inbox? Can user control/bypass the EOP by adding this domain

    to outlook's safe list? I am trying to test this safe sender list option against another transport rule where I am increasing SCL for mails from specific domain, but users couldn't receive those emails in their mailbox.

  • Hi, what is EOP?? OPlease define abbreviations at the begining of any artice - its a basic requirement.
  • KyleHardin's avatar
    KyleHardin
    Copper Contributor

    It's great that EOP is adding tools to classify bulk mail, and also that the EOP team acknowledges that bulk mail falls into a gray area between legitimate mail and spam.  However, our actions are still limited to block vs not block.  I'd like to see additional diversity in what actions can be applied to bulk mail now that it's classified. 

    For example, Outlook has this great new feature that separates Focused Inbox messages from Other Inbox messages.  We have tools to force inbound messages into Focused, based on different properties; however, there are no tools for forcing a message into Other inbox.  It seems like Bulk mail would be the perfect use case.