Legitimate email messages are marked as spam for a Forefront Online Protection for Exchange (FOPE) user

Article ID: 2669119

Symptoms

Legitimate incoming mail is identified as spam for a mailbox that Microsoft Forefront Online Protection for Exchange (FOPE) helps protect. Mail is routed in one of the following ways:
  • Quarantined in the FOPE spam quarantine mailbox
  • Marked as spam and then delivered to the recipient's mail system
  • Rejected as spam by the FOPE service
An email message that is identified incorrectly as spam is known as a false-positive.

Cause

This issue may occur if one of the following conditions is true:
  • The sender reputation of the sending Simple Mail Transfer Protocol (SMTP) email server is compromised in some way.
  • A customer-controlled FOPE policy rule identifies and disposes of the legitimate email message as spam.
  • The spam score that is assigned by FOPE to a legitimate email message incorrectly meets the threshold that is required to identify the email message as spam.
To determine how a message was processed and the cause of the issue, examine the header of the false-positive for the following information:
Header value: X-CustomSpam: …
  • Description: This entry indicates that this message was filtered by using Additional Spam Filter (ASF) options.
  • Diagnosis: The presence of this entry indicates that the false-negative was processed by using ASF options.
  • Resolution: If this entry is present, use Method 2 in the "Resolution" section.

Header value: X-BigFish: vps#...
  • Description: This entry indicates that FOPE processed the message as follows:
      v: was virus-scanned
      p: was policy-scanned
      s: was spam-scanned
      #: represents spam score
  • Diagnosis: Not having the "s" value indicates that spam filtering was bypassed. Not having the "p" value indicates that policy filtering was bypassed.
  • Resolution: If the "s" value is absent, but spam filtering is not disabled, use Method 3 in the "Resolution" section. If the "p" value is present, but it is not expected because policy filtering is disabled, use Method 3 in the "Resolution" section.

Header value: X-SpamScore: # …
  • Description: This entry indicates the FOPE spam score.
  • Diagnosis: For comparative analysis only. No specific issue can be identified by this value.
  • Resolution: -

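The header checks described above, as an added Python example (not part of the original article and not Microsoft tooling). It assumes that X-BigFish begins with the scan letters followed by a signed integer score, as the "vps#" pattern suggests; the function name, the finding labels and the sample headers are constructed for illustration.

```python
import re
from email import message_from_string

# Assumption from the article's "vps#..." pattern: scan letters, then a signed
# integer score; anything after the score is ignored.
BIGFISH_RE = re.compile(r"\s*([vps]*)\s*(-?\d+)?", re.IGNORECASE)

def triage_headers(raw, spam_filtering_enabled=True, policy_filtering_enabled=True):
    """Return scan flags, scores and findings for one false-positive's headers."""
    msg = message_from_string(raw)
    report = {"flags": "", "bigfish_score": None, "spam_score": None, "findings": []}

    # X-SpamScore is for comparison only; no finding is derived from it.
    m = re.match(r"\s*(-?\d+)", msg["X-SpamScore"] or "")
    report["spam_score"] = int(m.group(1)) if m else None

    # X-CustomSpam present: an Additional Spam Filter (ASF) option matched.
    if msg["X-CustomSpam"] is not None:
        report["findings"].append("asf-option-matched")

    bigfish = msg["X-BigFish"]
    if bigfish is None:
        report["findings"].append("x-bigfish-missing")
        return report
    flags, score = BIGFISH_RE.match(bigfish).groups()
    report["flags"] = flags.lower()
    report["bigfish_score"] = int(score) if score is not None else None

    # No "s": spam filtering was bypassed. Only a finding if it should be on.
    if "s" not in report["flags"] and spam_filtering_enabled:
        report["findings"].append("spam-scan-bypassed")
    # "p" present although policy filtering is disabled: unexpected policy scan.
    if "p" in report["flags"] and not policy_filtering_enabled:
        report["findings"].append("policy-scan-unexpected")
    return report

# Constructed sample headers (not taken from a real message).
SAMPLE_ASF = ("X-BigFish: vps25(constructed)\nX-SpamScore: 25\n"
              "X-CustomSpam: constructed ASF value\nSubject: Invoice\n\nbody\n")
SAMPLE_NO_SPAM_SCAN = "X-BigFish: vp-3\nSubject: Hello\n\nbody\n"

if __name__ == "__main__":
    for sample in (SAMPLE_ASF, SAMPLE_NO_SPAM_SCAN):
        print(triage_headers(sample))
```

Each finding label corresponds to one row of the header table, which gives the resolution to apply.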
Before you try to correct other issues, it is important to identify whether there are sender reputation issues on the SMTP server that is sending the mail item. If this is the case, note the following:
  • The spam score that FOPE assigns to all mail items from that server is automatically incremented based on the sender reputation problems that are detected.
  • Any correction of the sender reputation issues must be conducted by the administrator of the sending SMTP server.
The sender reputation score may be viewed in the message header.

The sender reputation score is most directly related to the following aspects of SMTP server setup:
  • HELO/EHLO analysis
  • Forward and reverse Domain Name System (DNS) lookup
  • Analysis of Spam Confidence Level (SCL) ratings on messages from a particular sender
  • Sender open proxy test
For more information about sender reputation, visit the following Microsoft TechNet website:
Understanding Sender Reputation

Resolution

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: De-activate Additional Spam Filtering options

Additional Spam Filtering (ASF) options enable you to customize aspects of email messages that should adversely affect spam scoring. When a mail item is identified by one or more active ASF options, its spam score increases, which raises the probability that FOPE will identify and quarantine that item as spam. For more information about how to use ASF, visit the following Microsoft TechNet website:
Configuring Additional Spam Filtering Options
Note: Mail items that are identified as spam by ASF options cannot be overridden by spam signature changes to the FOPE service. These false-positives must be corrected by de-activation of the ASF option that is bumping the email message spam score over the threshold.

Method 2: Submit false-positive samples to FOPE Spam Team

The spam-scanning heuristics of the FOPE data center have to be updated to exclude the signature of the email message that is received. In this case, identify the item as spam to the FOPE team by using either of the following methods:
  • Using the Junk E-mail Reporting Add-In for Microsoft Office Outlook

    Note
    If the Not Junk button is absent when a message is viewed in spam quarantine, the message was filtered because of restrictions that the email administrator has applied, such as an ASF option or a custom policy rule.
  • Submit by email. To do this, follow these steps:
    1. Create a new email message and then attach the false-positive message to it.

      Note
      Make sure that the spam mail item is not forwarded or replied to in the submission because these actions change the mail header information that is used to evaluate the submission.
    2. Identify the attachment as a false-positive.
    3. Address the email message to false_positive@messaging.microsoft.com.
The FOPE Spam Team will review messages that are submitted to false_positive@messaging.microsoft.com. The filtering process is not immediate and sometimes requires improving several rules or creating a new rule, and this may take an extended time. Although FOPE helps protect users from any unwanted mail, FOPE must also weigh these changes and improvements to make sure that legitimate mail is not filtered out. Continue to send examples of offending messages so that the Spam Team can fine-tune the filtering rules to be as accurate as possible.

A submission report is available in the FOPE Administration Center to verify how many submissions the organization is creating. For more information about the kinds of reports that are available in FOPE, visit the following Microsoft TechNet website:
Understanding the Types Of Reports Available in FOPE

Method 3: Adjust custom policy rules

FOPE administrators have the additional option of managing their own logic for spam filtering. This includes enabling, quarantining, or rejecting mail items based on customized, customer-controlled criteria. Custom policy rules can be used to either tighten or loosen the spam scanning security profile based on customer needs.

Note: You may have to use this method either to establish spam filtering bypass rules or to loosen previously created policy rules that are falsely identifying legitimate email messages as spam.

For more information about how to create customer policy rules, visit the following Microsoft TechNet websites:
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 2669119 - Last Review: June 19, 2013 - Revision: 5.0
Applies to
  • Microsoft Forefront Online Protection for Exchange