An Introduction to the new Spam Filter Allow and Block Lists

Rather than start this article with an appetizer, I’m going to switch things up and dive right into the meat and potatoes. Very soon, if not already, you will see two new entries in your Spam Filter in Exchange Online Protection, Allow Lists & Block Lists.

As suggested by the name, this is a new way to manage allow and block lists within EOP. These new entries certainly don’t replace using Transport Rules to manage allow and block lists, but instead offer a simpler alternative.

In fact, I would still recommend using Transport Rules when there is a need for more complex allow and block lists. For example, creating a Transport Rule to safe list a partner domain only if the DMARC checks also passes. Or creating a Transport Rule that deletes messages from particular senders or domains for the case where your spam action is set to something other than Delete Message.

New Spam Filter Verdict Values

In addition to these new lists, there are new also new Spam Filter Verdict (SFV) values that will be stamped in the X-Forefront-Antispam-Report for senders/domains that are in the Spam Filter Allow and Block lists.

  • SFV:SKA - Indicates the sender or sending domain is on the Spam Filter Allow list. You will also see SCL:-1 stamped by EOP.
  • SFV:SKB - Indicates the sender or sending domain is on the Spam Filter Block list. You will also see SCL:9 stamped by EOP. In this scenario, the message will take the action set for High Confidence Spam in your Spam Filter.

This is one of the benefits to using the Spam Filter Allow and Block lists. If a message was safe listed or marked as spam because the sender is in the new Allow or Block list, you will see evidence of this right in the message header. Whereas if a safe or block list Transport Rule triggers, you won’t see evidence of it in the header, unless of course you have added that action to the rule – See my previous post Easily tell which transport rules a message triggered.

For reference, we have also updated the Anti-spam message headers TechNet page with these new values.

Enforcement Priority

The enforcement priority is listed below, with the Connection Filter taking the highest priority, and the Spam Filter taking the lowest priority.

  • Connection Filter
  • End user Safe and Blocked senders
  • Exchange Transport Rules
  • Spam Filter Allow and Block lists
  • Spam Filter

 

History and when to use

As mentioned above, you can continue to use Transport Rules to manage allow and block lists and completely ignore the Allow and Block lists in the Spam Filter. Think of the new Allow and Block lists as a less complex, and less cumbersome method for managing block and allow strategies.

Also keep in mind the down side of Allow lists. If an attacker spoofs a sender or domain that you have safe listed, they get a free ride to the inbox. For very trusted partners that you would like to safe list, I recommend the Transport Rule listed above to do the safe listing, where it will look not only at the sender, but will also verify that DMARC or SPF checks pass. For these more complex allow scenarios, they will need to stay as a Transport Rules.

Deployment

Spam Filter Allow and Block lists are currently rolling out so if you do not see them yet in your tenant, you soon will.

Cheers!

Resources

Anti-spam message headers
Configure your spam filter policies

Comments

  • Anonymous
    June 20, 2015
    Thanks
  • Anonymous
    June 22, 2015
    The comment has been removed
  • Anonymous
    June 23, 2015
    The comment has been removed
  • Anonymous
    June 26, 2015
    Hi David and Tushar, thank you for the great feedback!

    For the most part, the last action to happen is going to be what actually happens. There are some exceptions though. If a transport rule has the action "Redirect to quarantine," nothing further in the processing can change this. I haven't yet tested all of the different combinations, but I would expect that using the new Allow and Block lists will be the final say as they happen last in the processing (unless a rule moves the message to the quarantine).

    One more thing, I have so far seen a users "Blocked Senders" list always honored by EOP, no matter what configurations are in place. I would expect this to be the same, although I have not yet tested that particular scenario.
  • Anonymous
    June 29, 2015
    How can I add domains to the Spam Filter "Domain allow list" in bulk? I was hoping for PowerShell, but can't find anything as of yet. In the GUI, I get an error when adding more than a few at a time. Once I get the error, I can't even add 1 for the next 60+ minutes.
  • Anonymous
    July 10, 2015
    Hi Matt, the following should allow you to add in bulk:

    Set-HostedContentFilterPolicy –Identity ‘Default’ –AllowedSenderDomains @(‘Microsoft.com’,’contoso.com’,’fabrikam.com’,’tailspintoys.com’)

    I'd write a script where the existing list was pulled into a variable using Get-HostedContentFilterPolicy, then import your list from a text or csv file and append it to the variable. Finally, have the script write the contents of the variable back to the list using Set-HostedContentFilterPolicy.
    • Anonymous
      December 30, 2015
      "Hi Matt, the following should allow you to add in bulk:Set-HostedContentFilterPolicy –Identity ‘Default’ –AllowedSenderDomains @(‘Microsoft.com’,’contoso.com’,’fabrikam.com’,’tailspintoys.com’)I’d write a script where the existing list was pulled into a variable using Get-HostedContentFilterPolicy, then import your list from a text or csv file and append it to the variable. Finally, have the script write the contents of the variable back to the list using Set-HostedContentFilterPolicy."I found the easiest way was a csv with no header.$csvdomains=import-csv textfile.csv -header domains% ($name in $csvdomains){Set-HostedContentFilterPolicy -Identity "Trusted Customer List" -AllowedSenderDomains @{Add="$($name.domains)"} }
  • Anonymous
    December 19, 2015
    I add domains to safe sender in spam filter(hybrid environment with centralized mail flow) but they still get flagged as scl=5any other thing to do besides use transport rule?Thanks
    • Anonymous
      December 22, 2015
      Hi Turbomcp, I'd start with a message trace to see if anything may be changing the SCL like a transport rule. The problem could also be related to your mail flow if you have a complex routing model. I would start with the message trace (maybe even an Extended Trace) and then go from there based on what the trace shows.
  • Anonymous
    November 01, 2017
    Was looking into powershell for the HostedContentFilterPolicy to pull a list of the Allowed Sender Domains and saw a property there, MatchSubDomains. Is there any description of the behavior or how to add that flag?
    • Anonymous
      November 24, 2017
      Hi Kamaras, in looking at https://technet.microsoft.com/en-us/library/jj200781(v=exchg.160).aspx, I see "This parameter is reserved for internal Microsoft use." I just ran a Get-HostedContentFIlterPolicy, and MatchSubDomains isn't returned. If I try to run a Set-HostedContentFilterPolicy with -MatchSubDomains, it isn't accepted as a valid parameter. Truthfully, I'm not sure what that variable is for, but it doesn't seem to be accessible.