Allow mail flow rules to act on Spam Confidence Level for inbound messages
Mail flow rules would be vastly more capable if they could act upon the Spam Confidence Level (SCL) of inbound messages.
X-Microsoft-Antispam exposes BCL and PCL for use in mail flow rules, which is great. Why can't we get access to SCL?
A custom rule designed to quarantine bulk email based on BCL > 5, that only fires if SCL > -1.
This rule would ship bulk mail to quarantine, while, at the same time, allowing individuals to use the personal Allowed Senders/Allowed Domains list to bypass the rule. It would also allow admins to bypass the rule by setting SCL -1 on domains, all managed via the Spam Filter.
Use case #2:
Custom rule inserts a disclaimer on all inbound email, i.e. "Notice: the sender of this message is external to the organization. Please be think before you click on any links or open any attachments". The rule only fires if SCL > -1, thereby allowing users to create exceptions for senders they trust.
Pauld, I have run into the same issue as you (and your proposed order of processing would fix just that). I'd like to use x-headers in mail flow rules, but unfortunately due to the order of processing I can't. I want to be able to override the end-user safe-sender and block-sender lists without disabling their ability to mark as always/never allow. It would be nice to trigger mail flow rules based on SFV, but it simply doesn't work because the x-header isn't part of the message at the point of the mail flow rule processing. Have you ever come up with a workaround?
Here's the daigram of the EOP mail flow: https://docs.microsoft.com/en-us/office365/securitycompliance/eop/exchange-online-protection-overview
I'd like to be able to increment (by one or more) the SCL. Today we can only set the SCL, which sometimes generates false positives. By having one rule doing +1, and another one also +1 (or +2), we would reach the threshold when the message has to be junked, as too many red flags have been raised.
Um. In the "mail flow" rules, there's a "The message has an SCL greater than or equal to" condition available already.
I've used this to do a multi-stage filter for a customer.
However, the per-mailbox ("inbox" rules) side doesn't seem to have that directly available, which is a bother.
I made some transport rules to add custom headers based on the SCL steps used that are easier to check for in the per-mailbox stage.
One way to implement this would be to put in a two-stage spam filtering logic. In the first stage, the spam scores would be generated, and associated headers added to the message. After the first stage process, transport rules would kick in. Transport rules would be able to inspect and modify the header. Finally, after transport rules finished processing, the second spam filter stage would execute, enforcing the spam and bulk mail policies.
Proposed order of processing:
1) Edge Block
3) Spam, phishing, and bulk mail scoring
4) Transport Rules
5) Spam, phishing, and bulk mail policy enforcement
6) Deliver to mailbox