When a legitimate message is marked as spam, the first question usually asked is “why?” It can sometimes, but not always, be quite difficult to find the explanation. If an enabled Advanced Spam Filter (ASF) option has caused the spam detection, this will be called out directly in the header. In these cases, finding the “why?” is very easy!
Advanced Spam Filtering options, which are located in the Content Filter, allow you to increase the aggressiveness of the Exchange Online Protection spam detection engine. If one of the ASF options has caused a message to be marked as spam, there will be an additional header present in the message, X-CustomSpam.
This header will spell out in plain text which ASF option caused the message to be marked as spam. If the X-CustomSpam header is not present in a message that was marked as spam, it means that an ASF option did not trigger and was not the reason for the spam detection.
Example: I enabled the ASF option “URL redirect to other port.”
I then sent a message which contained the link "http://www.contoso.com:123" in the body. This message triggered the above ASF in the Content Filter and caused the message to be marked as spam. Looking in the headers of this message I see the following.
X-CustomSpam: URL redirect to other port
This tells me exactly which ASF option caused the message to be marked as spam and I can now think about adding exceptions in place if the message was legitimate.
A complete list of X-CustomSpam entries can be found on TechNet at Advanced Spam Filtering Options.
Except for the last four ASF options, all other options have three configuration states. Off, On, and Test.
To configure how test mode works, scroll to the bottom of the ASF options window and you will see the following.
Test Mode will allow you to evaluate the impact that an ASF option without actually having it officially mark a message as spam. The “Add the default test X-header text” refers to the X-CustomSpam header and “Send a Bcc message to this address” is self-explanatory.
When educating customers on ASF options I often recommend the following.
Anti-Spam message headers