Legitimate incoming mail is identified as spam for a mailbox that Microsoft Forefront Online Protection for Exchange (FOPE) helps protect. Mail is routed in one of the following ways:
- Quarantined in the FOPE spam quarantine mailbox
- Marked as spam and then delivered to the recipient's mail system
- Rejected as spam by the FOPE service
An email message that is identified incorrectly as spam is known as a false-positive.
This issue may occur if one of the following conditions is true:
- The sender reputation of the sending Simple Mail Transfer Protocol (SMTP) email server is compromised in some way.
- A customer-controlled FOPE policy rule identifies and disposes of the legitimate email message as spam.
- The spam score that is assigned by FOPE to a legitimate email message incorrectly meets the threshold that is required to identify the email message as spam.
To determine how a message was processed and the cause of the issue, examine the header of the false-positive for the following information:
| Header entry | Description | What it indicates | Action |
|---|---|---|---|
| X-CustomSpam: … | This entry indicates that this message was filtered by using Additional Spam Filter (ASF) options. | The presence of this entry indicates that the false-negative was processed by using ASF options. | If this entry is present, use Method 2 in the "Resolution" section. |
| X-BigFish: vps#... | This entry indicates that FOPE processed the message as follows: v: was virus-scanned; p: was policy-scanned; s: was spam-scanned; #: represents spam score | Not having the "s" value indicates that spam filtering was bypassed. Not having the "p" value indicates that policy filtering was bypassed. | If the "s" value is absent, but spam filtering is not disabled, use Method 3 in the "Resolution" section. If the "p" value is present, but it is not expected because policy filtering is disabled, use Method 3 in the "Resolution" section. |
| X-SpamScore: # … | This entry indicates the FOPE spam score. | For comparative analysis only. No specific issue can be identified by this value. | - |
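The header checks in the table above can be scripted when many false-positives have to be triaged. The following is an added example, not Microsoft's code: the finding labels, the function name, and the sample messages are hypothetical, and the X-BigFish layout (flag letters followed by a numeric score) is assumed from the table's description.

```python
import re
from email import message_from_string

# Assumed X-BigFish layout, from the table above: scan flags drawn from
# v/p/s, then the numeric spam score, then data this example ignores.
BIGFISH_RE = re.compile(r"\s*([vps]*)\s*(-?\d+)?", re.IGNORECASE)
SCORE_RE = re.compile(r"\s*(-?\d+)")

def triage_headers(raw_message, spam_filtering_enabled=True,
                   policy_filtering_enabled=True):
    """Map one message's FOPE headers to findings (labels are hypothetical)."""
    msg = message_from_string(raw_message)
    findings, score = [], None

    if msg.get("X-CustomSpam") is not None:
        findings.append("asf-option-matched")

    bigfish = msg.get("X-BigFish")
    if bigfish is None:
        findings.append("x-bigfish-missing")
    else:
        m = BIGFISH_RE.match(bigfish)
        flags = m.group(1).lower()
        if m.group(2) is not None:
            score = int(m.group(2))
        if "s" not in flags and spam_filtering_enabled:
            findings.append("spam-filtering-bypassed")
        if "p" in flags and not policy_filtering_enabled:
            findings.append("unexpected-policy-scan")

    # X-SpamScore is for comparison only; prefer it when it is present.
    m = SCORE_RE.match(msg.get("X-SpamScore", ""))
    if m:
        score = int(m.group(1))
    return {"findings": findings, "spam_score": score}

# Constructed sample messages (not real FOPE output).
SAMPLE_ASF = ("From: sender@example.com\n"
              "X-CustomSpam: constructed-asf-marker\n"
              "X-BigFish: vps25\n"
              "X-SpamScore: 25\n\nbody\n")
SAMPLE_NO_SPAM_SCAN = ("From: sender@example.com\n"
                       "X-BigFish: vp0\n\nbody\n")

if __name__ == "__main__":
    for sample in (SAMPLE_ASF, SAMPLE_NO_SPAM_SCAN):
        print(triage_headers(sample))
```

Pass the two keyword arguments according to how the domain is actually configured, so that a missing "s" or an unexpected "p" is only reported when it contradicts the settings.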
Before you try to correct other issues, it is important to identify whether there are sender reputation issues on the SMTP server that is sending the mail item. If this is the case, note the following:
- The spam score that FOPE assigns to all mail items from that server is automatically incremented based on the sender reputation problems that are detected.
- Any correction of the sender reputation issues must be conducted by the administrator of the sending SMTP server.
The sender reputation score may be viewed in the message header.
The sender reputation score is most directly related to the following aspects of SMTP server setup:
- HELO/EHLO analysis
- Forward and reverse Domain Name System (DNS) lookup
- Analysis of Spam Confidence Level (SCL) ratings on messages from a particular sender
- Sender open proxy test
For more information about sender reputation, visit the following Microsoft TechNet website:
To resolve this issue, use one of the following methods, as appropriate for your situation.
Method 1: De-activate Additional Spam Filtering options
Additional Spam Filtering (ASF) options enable you to customize aspects of email messages that should adversely affect spam scoring. When a mail item is identified by using one or more active ASF options, the spam score increases the probability that FOPE will identify and quarantine that item as spam. For more information about how to use ASF, visit the following Microsoft TechNet website:
Note Mail items that are identified as spam by ASF options cannot be overridden by spam signature changes to the FOPE service. These false-positives must be corrected by de-activation of the ASF option that is bumping the email message spam score over the threshold.
Method 2: Submit false-positive samples to FOPE Spam Team
The spam-scanning heuristics of the FOPE data center have to be updated to exclude the signature of the email message that is received. In this case, identify the item as spam to the FOPE team by using either of the following methods:
- Using the Junk E-mail Reporting Add-In for Microsoft Office Outlook
  Note If the Not Junk button is absent when a message is viewed in spam quarantine, the message was filtered because of restrictions that the email administrator has applied, such as an ASF option or a custom policy rule.
- Submit by email. To do this, follow these steps:
  - Create a new email message and then attach the false-positive message to it.
    Note Make sure that the spam mail item is not forwarded or replied to in the submission because these actions change the mail header information that is used to evaluate the submission.
  - Identify the attachment as a false-positive.
  - Address the email message to email@example.com.
The FOPE Spam Team will review messages that are submitted to firstname.lastname@example.org. The filtering process is not immediate and sometimes requires improving several rules or creating a new rule, and this may take an extended time. Although FOPE helps protect users from any unwanted mail, FOPE must also weigh these changes and improvements to make sure that legitimate mail is not filtered out. Continue to send examples of offending messages so that the Spam Team can fine-tune the filtering rules to be as accurate as possible.
A submission report is available in the FOPE Administration Center to verify how many submissions the organization is creating. For more information about the kinds of reports that are available in FOPE, visit the following Microsoft TechNet website:
Method 3: Adjust custom policy rules
FOPE administrators have the additional option of managing their own logic for spam filtering. This includes enabling, quarantining, or rejecting mail items based on customized, customer-controlled criteria. Custom policy rules can be used to either tighten or loosen the spam scanning security profile based on customer needs.
Note You may have to use this method either to establish spam filtering bypass rules or to loosen up previously created policy rules that are falsely identifying legitimate email messages as spam.
For more information about how to create customer policy rules, visit the following Microsoft TechNet websites:
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.