Documentation Home > Exchange Anti-Spam Toolkit
Content Analysis Filter
The QSS Content Analysis Filter detects patterns in the content, markup and header of messages, which are frequently associated with spam, but are rare in legitimate messages.
Compared to the built-in Exchange Content Filter, rather than relying on lists of allowed and blocked phrases, it analyzes technical aspects of the message structure.
Additionally, the Content Analysis Filter maintains a list of Free Email Domains (e.g. Gmail, Hotmail, Outlook.com, etc.) which enable stricter filtering to be applied to messages originating from these domains.
Spam Confidence Level (SCL) Values
The Spam Confidence Level (SCL) value of a message, which is also used by the built-in Exchange Content Filter. is manipulated by the QSS Content Analysis Filter. A higher SCL value will increase the chance of a message being classified as spam.
If a message is assigned an SCL value of 9 or higher, due to a combination of rules, the message will be rejected. See the Content Filter documentation to understand SCL values and thresholds.
The SCL Junk Threshold set on individual mailboxes in Mailbox Junk Config will cause filtered messages to be moved to the Junk Email folder for that user. If the built-in Content Filter is enabled and the Content Filter Transport Agent runs after the QSS Content Analysis Filter Agent (not set by default), the Reject and SCL Delete thresholds defined for the built-in Content Filter, if enabled, will process messages based on the adjusted SCL scores set by the QSS Content Analysis Filter.
SCL Impact
The SCL Impact values determine the increase to the SCL value as a result of a message matching a particular rule. A value of zero will disable a particular rule. Rules with non-zero values will be applied to all messages, depending on the Enabled, Internal Mail Enabled and External Mail Enabled settings.
Rule | Default Value | Description |
---|---|---|
Message body contains only hyperlinks and images | 9 | The HTML body of a message contains only hyperlinks or images. There is no text which is not within a hyperlink. This is unlikely with messages from a legitimate sender. Such a message has a very high likelihood of being spam and the default value of 9 will cause them to be rejected. |
Message body contains invalid or non-standard HTML markup | 2 | The HTML body of a message contains invalid or obsolete HTML. While not a guarantee of spam, invalid and obsolete HTML markup is more common in spam messages. |
Sent using high-risk API | 3 | The X-Mailer header or META HTML tags indicate that the messages was sent using an API which is high-risk (such as the GMail API, which is used less often for legitimate email marketing), or it is suspected that the listed API has been forged. |
Reply-to address invalid | 3 | The Reply-To header is present, but does not contain any validly formatted email addresses. |
No valid header recipients (To or Cc) | 3 | The message does not contain any valid internal addresses within the To and Cc fields. Poorly-constructed spam emails often have the sender address in the To field, instead of being addressed to a specific recipient, so this increases the chance that a message is spam. Legitimate email marketing is almost always personally addressed. Note that legitimate mail from an external sender, where all local recipient(s) are in the Bcc field, will also match this rule. |
The Rejection Response will be applied to messages where the total SCL value reaches or exceeds a value of 9 (reject) after processing by the QSS Content Analysis Filter, unless the message matches a Free Email Domain (see below).
Free Email Domain SCL Impact
These rules will match messages where the envelope from address (MAIL FROM address), header from address or Reply-To address matches a domain defined in the Free Email Domains section.
Rule | Default Value | Description |
---|---|---|
Reply-To address is a different domain | 9 |
A common pattern in spam is to send messages from a free email account, such as Gmail or Outlook.com account, but to set the Reply-To address to a different account. This is done to enable spammers to receive a reply even if the free email account is closed for violating the provider's spam policies. Legitimate mail from free email domains with an alternative Reply-To domain is very rare. Most legitimate organizations don't use free email accounts, even for sending bulk email. The reverse scenario, i.e. a message with a Reply-To address set to a free email domain, but the From address is not a free email domain, is also captured by this rule. This pattern is sometimes used by in identity theft or other fraudulent messages, to create the appearance of a legitimate message, but directing replies to a disposable free email account controlled by the scammer. |
No valid envelope recipients (To or Cc) | 7 | The message does not contain any valid internal addresses within the To and Cc fields. Poorly-constructed spam emails often have the sender address in the To field, instead of being addressed to a specific recipient, so this increases the chance that a message is spam. Legitimate email marketing is almost always personally addressed. Note that legitimate mail from an external sender, where all local recipient(s) are in the Bcc field, will also match this rule, although the prevalence of spam from free email domains is such that we recommend at least filtering such messages to the Junk Email folder. |
The Rejection Response will be applied to messages meeting the free email domain criteria, where the total SCL value reaches or exceeds a value of 9 (reject) after processing by the QSS Content Analysis Filter. That is, the Rejection Response for free email domains takes precedence over the standard Rejection Response.
Free Email Domains
Free Email Domains can be customized. The largest and most popular free email providers are included by default, although the default values can be removed if desired.
We recommend customizing the list to include region-specific free email providers and local subsidiaries of the default free email domains (such as outlook.com.au and yahoo.co.uk domains).
Depending on the nature of your organization, you can decide whether major ISP email accounts should also have the stricter filtering rules applied. We only recommend this if there are major ISPs in your region with known inadequate outbound spam controls, and you are receiving spam from those domains matching the above rules.