EOP Part2

After preparing the onprem environment for EOP in previous post, this post is on configuring EOP scan engines to filter mails.

This roughly how an inbound email flows within in EOP

Content filter is where action is taken on mails detected as spam, high confidence spam etc.

It would helpful to set the action as above. For mails detected as SPAM, you can route it to user’s junk folder so that if required user can add the sender to his/her safe sender list. This info is set at user’s mailbox level in exchange and next time the message comes, it would go into inbox instead of junk folder. At the same time if the mail is marked to another user, it would still delivery for him into junk folder if he/she has not added the sender to safe sender list. Set-MailboxJunkEmailConfiguration cmdlet also gives the option to set “ContactsTrusted” to TRUE, making the exchange trust address in user’s contact and deliver the mail to inbox instead of Junk folder.


Get-MailboxJunkEmailConfiguration pkpanda

RunspaceId : bfa778de-aefa-46ea-bb7b-73d8329c
Enabled : True
TrustedListsOnly : False
ContactsTrusted : True
TrustedSendersAndDomains : {pkpnotes.com}
BlockedSendersAndDomains : {}
MailboxOwnerId : pkpanda
Identity : pkpanda
IsValid : True
ObjectState : Unchanged


Likewise storing the High confidence SPAMs in quarantine give ability to check their header, to understand why the email was detected as high confidence SPAM. In case of false positive to release them to user. In this situation quarantine folder should not be exposed to user i.e. it would be an admin only quarantine.

Content filter also gives the ability to use advance filters like Bulk email detection for the email. Some of them would mark the email as SPAM, where others would increase the SCL value. Once SCL value crosses SCLJunkThreshold i.e. 4, it would get into SPAM category in case was not earlier

Few of them can be tested before taking a call on enforcement

With the above setting, every email would have the test header indicating what the test filter has found in the email, giving an idea what would happen once the filter is changed to on position in dropdown.

In a large enterprise challenge arises when few user start complaining about certain advance filter making their mails detected as SPAM and adding to safe sender list option is not feasible. EOP content filter allows to have addtional content filter then the default, that can be set to a specific set of user or group.

This is my default content filter policy for the domain. Now to have a separate one for the sales team

Where sales group is a group created in O365 and required users are added into that.

The next post would be on using exchange transport rule (ETR) for custom filter of mails