Understanding the Spam Confidence Level in Exchange Server

Written by Paul Cunningham on June 23, 2010

If you have looked at Exchange Server’s anti-spam features or taken a peek at the headers of an email sent through an Exchange server you have probably encountered the term SCL before.

SCL stands for Spam Confidence Level.  It is the “score” that Exchange Server anti-spam assigns to an email based on the email’s contents.  This score is then used to make decisions as to how to handle suspected spam based on the thresholds that the Exchange administrator configures.

The SCL score is calculated and assigned by the Content Filter Agent, which examines all of the content within an email message to look for patterns that indicate spam.  Once the SCL score has been calculated it is added to the message header.

In this snippet of an example message header you can see the SCL score of 7 has been applied.

X-MS-Exchange-Organization-SCL: 7

How the SCL is Used by Exchange Server

The SCL score can then trigger certain actions to take place.  The Exchange server can take the following actions based on the SCL:

  • Delete – the message is deleted with no notification to the sender or recipient.
  • Reject – the message is rejected with a notification to the sender but not the recipient.
  • Quarantine – the message is quarantined in a specified mailbox with no notification to the sender or recipient.  Typically only email administrators can access the quarantine mailbox.
  • Junk – the message is delivered to the recipient’s Junk Email folder.

SCL scores range from 0-9 with 0 meaning not likely to be spam, and 9 meaning very likely to be spam.  There is also a -1 score for trusted email messages.  A -1 SCL would apply to email messages sent between recipients of the same Exchange organization, or messages from external senders that have been whitelisted in some way.

The SCL threshold is then configured for each of the actions.  However it is important to understand that the actions are assessed in a certain order.

  1. Delete is the first action to be assessed.  If the SCL is equal to or higher than the Delete threshold then the message is deleted.  If not, or if there is no Delete threshold configured, then it is passed to the next assessment –  reject.
  2. Reject is the second action to be assessed.  If the SCL is equal to or higher than the Reject threshold then the message is deleted.  If not, or if there is no Reject threshold configured, then it is passed to the next assessment –  quarantine.
  3. Quarantine is the third action to be assessed.  If the SCL is equal to or higher than the Quarantine threshold then the message is quarantined.  If not, or there is no Quarantine threshold configured, then it is passed from the Hub Transport server to the Mailbox server.
  4. The Mailbox server then applies the Junk Email threshold if one is configured for the organization or for the recipient of the email.  If the SCL exceeds the Junk Email threshold it is delivered to the Junk Email folder of the mailbox and the recipient is able to access it via Outlook.

Getting the SCL Thresholds Right

When you understand the processing order for the different actions that can be taken based on SCL you can see how important it is to get your configuration correct.  There is no point having a Junk Email threshold of 7 if the emails are going to be deleted for an SCL of 6.

Delete and Reject thresholds should be configured to delete the most likely spam.  Quarantine is optional and I personally find it quite cumbersome to manage, so I prefer not to enable it at all and instead use the Junk Email threshold to put management of less likely spam within reach of the end user.

It is also important to understand that the Content Filter Agent only deals with spam that has already made it past earlier, more deterministic test such as Connection Filtering which blocks SMTP connections from known spam sources.

The Connection Filter Agent will often remove as much as 95% of spam so the Content Filter Agent becomes a fine tuning process to remove as much of the remaining 5% of spam from inboxes without causing an unacceptable number of false positives.

Other Uses of the SCL

The SCL can also be used as criteria for Transport Rules on the Exchange server.  One way to make use of this is to create a Transport Rule that blind copies all email that meets or exceeds a certain SCL to another mailbox.  The contents of that mailbox can then be used to assess how many false positives the current configuration might be generating and make some fine tuning adjustments.

Another alternative would be to configure a Transport Rule that appends a disclaimer to all emails that are going to trigger the Junk Email threshold.  The disclaimer text can explain the process that end users can go through to whitelist a trusted sender so that future emails are not treated as spam, without them having to contact the IT help desk for support.

In summary, having a detailed understanding of the SCL and how it is used in Exchange Server anti-spam will allow an email administrator to get good performance from their anti-spam deployment.

  • (required)
  • (required)