Premium AntiSpam (PAS) has recently been enabled in Symantec Mail Security for Microsoft Exchange (SMSMSE) and it is necessary to know how it works and how to configure it.

How Premium AntiSpam works

PAS assigns a spam score from 1 to 100 to every message it scans. A score of 1 means the message is highly unlikely to be spam. A score of 100 means the message is almost certainly spam. A spam message has a score of 90 to 100. By default, a suspected spam message has a score of 72 to 89. The suspected spam category is configurable. The lower threshold of the scale can be set as low as 25.

PAS has 3 action categories, Spam Messages, Suspected Spam and SCL, and Suspected Spam. It is possible to configure a different action for each category.

NOTE:
Spam confidence level (SCL) is a value assigned to a message that indicates the likelihood that the message is spam. This value is separate from the spam score assigned to a message by PAS. The SCL values are 1 to 9. An SCL value of 1 means there is an extremely low likelihood that the message is spam. An SCL value of 9 means there is an extremely high likelihood that the message is spam.

Spam Messages
Messages defined as spam have a score of 90 to 100. Based on Symantec testing, there is a 1 in 1,000,000 chance of getting a false positive detection at this level.

Suspected Spam and SCL
Messages defined as Suspected Spam and SCL have both of the following characteristics:
 

• The organization has a front-end server that touches messages before this server and the front-end server applies SCL values to the messages.
• The message has a score between the values that have been defined for suspected spam. The default range for suspected spam is 72 to 89.

Suspected Spam
Messages defined as Suspected Spam have a score between the values that have been defined for suspected spam. The default range for suspected spam is 72 to 89.


How to configure Premium AntiSpam

This section explains how to configure PAS to do the following:
 

• Reject spam messages
• Deliver suspected spam messages to the user’s Junk E-Mail folder

These settings reduce the amount of server resources required to process spam. In addition, they free the administrator from interacting with false positive spam identifications.

NOTE:
These settings are guidelines only. Symantec does not guarantee that these settings are the best for every environment. Please understand and test these settings thoroughly before implementing them in a production environment.


Premium AntiSpam Settings
To access PAS Settings, open SMSMSE. Click Policies > Premium AntiSpam Settings.
 

1. Check ‘Enable Symantec Premium AntiSpam.’
2. Under Spam scoring check ‘Flag messages as suspected spam.’
3. Leave the ‘Lower spam threshold’ setting at 72. See the section Lower Spam Threshold for more information about this setting.
4. Uncheck "Enable Ruleset based Sender IP Reputation" (7.5.1 and later only.)
5. 7.5.1 & later - Check "Enable DNS IP Reputation"  (This feature is more robust and includes Sender IP Reputation unchecked in Step 4)
6. For version with the options for: Marketing/News letter/Suspected URL enable these if you wish to detect these types of non-Spam emails.

           Note:  Marketing and Newletter messages are not considered spam but are sometimes viewed as spam by end-users. More than 50% of all messages submitted to Symantec as missed spam are considered Marketing and Newsletter, which means that perceived effectiveness of the Antispam service is increased significantly with these options enabled.  These detections will take the Suspected Spam action.

Premium AntiSpam Actions
To access PAS Actions, open SMSMSE. Click Policies > Premium AntiSpam Actions.

Spam Messages
Check ‘Reject the message.’

There are two reasons for rejecting spam messages:

• There is a very low instance of false positives at this level (1 in 1,000,000 chance of getting a false positive detection at this level).
• Messages detected as spam are rejected at the SMTP level. The Exchange store does not receive the message. This reduces the amount of processing required for each spam message.

Messages detected as spam receive a spam score of 90 to 100. This setting rejects messages detected as spam. The original sender receives a Non-Delivery Report (NDR). The NDR includes this text, “550.5.7.1 Requested action not taken; message refused.”

Suspected Spam and SCL
Ignore this section unless there is a front-end server. If there is a front-end server, use the same settings as ‘Suspected spam.’

Suspected Spam

1. From Exchange Management Shell (EMS) run:  Get-OrganizationConfig | Select SCLJunkThreshold           
   • For more info see: 'How to configure Premium Antispam to route messages to a users Junk folder with Exchange 2007/2010'
2. Check ‘Accept the message.’
3. Check ‘Assign SCL value to message.’
4. Set the SCL value to one higher than SCLJunkThreshold obtained in step 1.

Do not check any other options in this section.
 

Messages with a score exceeding the spam score (72 by default) are detected as suspected spam and take the defined action. The recommended Suspected Spam settings accept the message and assign the message an SCL value of  of one greater than the SCLJunkThreshold. The Exchange System Manager settings configure Intelligent Message Filtering to deliver the message to the user’s Junk E-mail folder.

Lower Spam Threshold
Depending on the environment and business needs, It may be necessary to adjust the ‘Lower spam threshold’ under Premium AntiSpam Settings. The default is 72. If too much spam is going to the users' inboxes, lower the threshold. If too many legitimate email messages are going to the users Junk E-mail folder, raise the threshold. Make small incremental changes, 5 for example, until the desired filtering level is reached.

For example, if set to a ‘Lower spam threshold’ of 72 and users complain that they are getting too much spam lower the threshold to 67. Let Premium AntiSpam run at that level for a while. If users continue to complain, lower the value to 62. Continue in this manner to determine the optimum ‘Lower spam threshold’ for the users.