Quarantine messages that contain malware or an attachment that is password-protected, encrypted or damaged
Objective: Quarantine messages that contain malware or an attachment that is password-protected, encrypted or damaged
Create the following rule for Mail transport protection:
Condition
•Type: Antivirus scan result
•Operation: is not
•Parameter: Clean
Action
•Type: Quarantine message

Move messages that failed an SPF check to a Junk folder
Objective: Move messages that failed an SPF check to a Junk folder
Create the following rule for Mail transport protection:
Condition
•Type: SPF result
•Operation: is
•Parameter: Fail
Action
•Type: Set SCL value
•Value: 5
Set the value according to the SCLJunkThreshold parameter of the Get-OrganizationConfig cmdlet on your Exchange server. For more details, see the SCL threshold actions article.

Verify email messages suspected of sender spoofing
Objective: Verify email messages suspected of sender spoofing. If the message contains your own domain in the "From:" email header or Envelope sender, verify it by SPF result. If the SPF result is neutral, quarantine the message, log to events, and notify the administrator.
Condition
•Type: Envelope sender and From header comparison result
•Operation: is
•Parameter: Match
•Type: SPF result - From header
•Operation: is
•Parameter: Neutral
Action
•Type: Quarantine message, Log to events and Send event notification to administrator

Drop messages from specific senders
Objective: Drop messages from specific senders
Create the following rule for Mail transport protection:
Condition
•Type: Sender
•Operation: is / is one of
•Parameter: spammer1@domain.com, spammer2@domain.com
Action
•Type: Drop message silently

Blocked IP list
Objective: Quarantine messages from an IP address on the Blocked IP list, notify the administrator and log the event.
Details: If an email message arrives from an IP address on the Blocked IP list, the product will quarantine the message and notify you via email. You can then release the message from quarantine or delete it permanently. Otherwise, the product would drop the message without an option for action.
Open Mail transport protection
Condition
•Type: Sender's IP address
•Operation: is on the list
•List: Blocked IP list
Action
•Type: Quarantine message, Log to events and Send event notification to an administrator

Customize pre-defined rule
Objective: Customize pre-defined rule
Details: Allow archive attachments in messages from specified IP addresses (internal systems, for example) while using the Forbidden archive file attachments rule
Open the Mail transport protection rule set, select Forbidden archive file attachments and click Edit.
Condition
•Type: Sender's IP address
•Operation: is not / is not any
•Parameter: 1.1.1.2, 1.1.1.50-1.1.1.99
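A way to check which senders the exception above actually covers before relying on it, as an added example that is not part of the product documentation. It assumes the list accepts comma-separated single addresses and start-end ranges with inclusive endpoints, as the parameter above suggests; the function names and the sample sender addresses are constructed.

```python
import ipaddress

def parse_ip_list(spec):
    """Parse '1.1.1.2, 1.1.1.50-1.1.1.99' into inclusive (first, last) pairs."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, sep, high = item.partition("-")
        first = ipaddress.ip_address(low.strip())
        last = ipaddress.ip_address(high.strip()) if sep else first
        # Reject reversed or mixed IPv4/IPv6 ranges instead of silently matching nothing.
        if first.version != last.version or int(first) > int(last):
            raise ValueError(f"invalid range: {item!r}")
        ranges.append((first, last))
    return ranges

def on_list(ip, ranges):
    """True if ip falls inside any parsed entry (endpoints assumed inclusive)."""
    addr = ipaddress.ip_address(ip)
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in ranges)

def ip_condition_matches(sender_ip, exempt_spec):
    """Model of "Sender's IP address / is not any": matches senders NOT on the list."""
    return not on_list(sender_ip, parse_ip_list(exempt_spec))

EXEMPT = "1.1.1.2, 1.1.1.50-1.1.1.99"  # parameter value from the rule above
# Constructed sender addresses that probe both edges of each entry.
SAMPLE_SENDERS = ["1.1.1.2", "1.1.1.3", "1.1.1.49",
                  "1.1.1.50", "1.1.1.99", "1.1.1.100"]

def audit(senders, spec):
    """Map each sender to the outcome of the added IP condition."""
    return {ip: "archive rule still applies" if ip_condition_matches(ip, spec)
            else "exempt from archive rule"
            for ip in senders}

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_SENDERS, EXEMPT).items():
        print(f"{ip:<12} {verdict}")
```

Addresses just outside an entry (1.1.1.3, 1.1.1.49, 1.1.1.100) still meet the condition, so archive attachments from them remain subject to the Forbidden archive file attachments rule.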

Message body
Objective: Quarantine messages that contain certain strings in the Message body
Create the following rule for Mail transport protection:
Condition
•Type: Message body
•Operation: contains / contains one of; click Add and type a website URL or part of a URL
Action
•Type: Quarantine message

Store messages for non-existent recipients
Objective: Store messages for non-existent recipients
Details: Use this rule to quarantine all messages to non-existent recipients, regardless of whether Antivirus or Antispam protection has marked them.
Condition
•Type: Recipient validation result
•Operation: is
•Parameter: Contains invalid recipient
Action
•Type: Quarantine message