Bulk Complaint Level (BLC) Transport Rule and High Confidence Quarantine

Copper Contributor

Hello all, I am trying to get some help with an Exchange Online Transport Rule.  I had one in place which would bypass SPAM processing for specific domains and another which would do the same for specific email addresses.  Basic whiltelisting as an allowed/blocked sender list did not fill the need.

Anyhow, my company receives a ton of directed "Valid Email" from sales, events, and other distributions which users do not want to recieve.  One way we have tried to combat this is to increase the scrutiny of Bulk EMail.  This was done by selecting the threashold of 1 in our Bulk Email setting of the SPAM policy. This did generate the requested results with the exception of some mandatory emails like from our expense application and others.

My solution for this has been to modify the transport rules in place for the SLC scoring since it is an upkept list of good domains and email addresses.  I have added the action of "Remove this header" with the vaule of "X-Microsoft-Antispam" as I believe this is the header that Exchange processes for moving messages with a high BLC.  However, when I run the MS reporting tools, I am not finding these messages as being affected by this.  Although, if I send a test message, it is received and the header is gone as configured.


My questions are, is that the correct header to remove for action against the BLC score, and does anyone have a better/cleaner solution?


Thanks in advance for any input to this.  




Here are the configured pieces of the rule:





Description                                   : If the message:

                                                sender's address domain portion belongs to any of these domains: 'amazon.com' or 'ncas.us-cert.gov' or...

                                                Take the following actions:

                                                Set audit severity level to 'High'

                                                and Set the spam confidence level (SCL) to '-1'

                                                and Remove this header: 'X-Microsoft-Antispam'


RuleVersion                                   :

Conditions                                    : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SenderDomainIsPredicate}

Exceptions                                    : 

Actions                                       : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SetAuditSeverityAction, Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SetSclAction, 


State                                         : Enabled

Mode                                          : Enforce

RuleErrorAction                               : Ignore

SenderAddressLocation                         : HeaderOrEnvelope

RuleSubType                                   : None


SenderDomainIs                                : {amazon.com, ncas.us-cert.gov...}

PrependSubject                                : 

SetAuditSeverity                              : High


SetSCL                                        : -1

SetHeaderName                                 : 

SetHeaderValue                                : 

RemoveHeader                                  : X-Microsoft-Antispam


DeleteMessage                                 : False

Disconnect                                    : False

Quarantine                                    : False

SmtpRejectMessageRejectText                   : 

SmtpRejectMessageRejectStatusCode             : 

LogEventText                                  : 

StopRuleProcessing                            : False

RouteMessageOutboundRequireTls                : False

ApplyOME                                      : False

RemoveOME                                     : False

OMEExpiryDays                                 : 0

GenerateNotification                          : 

Identity                                      : ByPass_SPAM_Processing_Domain

DistinguishedName                             : CN=ByPass_SPAM_Processing_Domain,CN=TransportVersioned,CN=Rules,CN=Transport 



OrganizationId                                : XXXXXX.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/XXXXXX.onmicrosoft.com - 


Name                                          : ByPass_SPAM_Processing_Domain

IsValid                                       : True

ExchangeVersion                               : 0.1 (8.0.535.0)

ObjectState                                   : Unchanged


4 Replies

Are you sure it's not Outlook that's causing the issue here? I would expect the configuration you already had in place to affect both the SCL and BCL (we dont get separate whitelists for those after all). Even the examples they have on TechNet deal with setting the SCL, though in the opposite direction: https://technet.microsoft.com/en-us/library/dn720438(v=exchg.150).aspx


I guess you can also try creating a separate policy with the BCL set to 0 and apply it to just the users that are OK to receive those messages.

Thanks for the reply Vasil.  I am positive that it isn't the Outlook clients.  This processing of the email is done prior to it ever being recieced by the mailbox.  Also, due to the vast nature of the emails I am needing excluded, I've tried to stay away from creating rules using words or phrases.  This technet article below is one of several that I have been working off of.  It has a section for the X-Microsoft-Antispam header I had mentioned as well as the comments about the SCL being set by the BCL scoring.  I'm needing the BCL to be ignored, so removing that headed seemed the most logical. 




I've asked for help from fellow MVPs on this, but you can also consider opening a support case and getting an official reply.



Is it possible to provide a recent message header for a mail that passed through and was marked as spam that should not have been?  


Ideally a detailed message trace:  https://support.microsoft.com/en-us/help/2990301/how-to-export-a-message-trace-in-exchange-online-pr... would be helpful.


You should not need to bypass scanning and remove the header, one or the other should suffice.  The headers and trace should help determine why these messages are not bypassing.