i would suggest to lower the message rep score to between 51-55. scores between 51-79 means emails are high likely to be spam but there could be some emails that get caught which are legit emails. 80+ is always spam.
also you want to make sure that the spam rules are getting updated from the local exchange server. if you log into the local msme gui and look at the version and updates section of the dashboard, the Update Information tab will show the anti-spam engine (9309) and Rules. the rules should look something like this
if the rules version doesn't look like this then the anti-spam rules might not be fully up to date.
Thanks I'll look into it.
All messages even obvious spam are coming through with scores of -5000 and threshold of 5 is there a reason for this? e.g
X-NAI-Spam-Version: 18.104.22.16809 : core<5004> : inlines <1074> : streams
<1239065> : uri <1791485>
X-Auto-Response-Suppress: DR, OOF,AutoReply
I was expecting to see spam scores at least in the positive. Also would you happen to know how the system junk folder works? It hasn't caught any messages in 2 days.
edit: I've lowered it down to 60 and if it doesn't go well will look at 55 next.
Our core anti-spam setting:
So I looked at this message which is obvious spam\phishing and it's not on the whitelist or blacklist and scores a -5000:
Received: from espmta125187.v4broadcaster.com (22.214.171.124) by
EXCHSERVERNAME.DOMAINNAME.com (INTERNALIP) with Microsoft SMTP Server id
126.96.36.199; Wed, 16 Jul 2014 19:04:26 +0930
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=esp; d=v4broadcaster.com;
h=To:From:Reply-To:Subject:MIME-Version:List-Unsubscribe:Sender:Content-Type:Me ssage-ID:Date; i=rpl=3Decsv4.firstname.lastname@example.org;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=esp; d=v4broadcaster.com;
From: ECS <email@example.com>
Reply-To: Reply <firstname.lastname@example.org>
Sender: ECS <email@example.com>
Date: Wed, 16 Jul 2014 10:30:47 +0100
X-NAI-Spam-Version: 188.8.131.5209 : core <5004> : inlines <1081> : streams
<1239844> : uri <1791819>
I've gone ahead and removed all our white listed senders. We only have our internal domain address(es) set under whitelisted recipients and blacklisted senders, i'll see how it goes and report back.
We had a 3rd party spam filter on our firewall prior to a month ago, now MSME is taking on all the load and responsibility.