EOP integration with Exchange 2013 SP1 on-Prem

I am parsing X-Forefront-Antispam-Report and X-Microsoft-Antispam headers with on-Prem rules leveraging EOP SCL, BCL, and PCL scores.

Exchange 2013 SP1 on-Prem does not seem to parse these SCL, BCL, and PCL scores from these headers, and rewrite them into the X-MS-Exchange-Organization headers for Delete, Reject, and Junk E-Mail folder processing automatically.  While I can create custom Mail Flow rules on-Prem to do so it seems very segregated, and not a Microsoft Integrated solution.

In fact, in the implementation documentation, I only found guidance to parse SFV:SPM and SFV:SKS from the X-Header, but this is far from enough.  https://technet.microsoft.com/en-us/library/JJ837173(v=EXCHG.150).aspx

Example Message Header.  X-MS-Exchange-Organization-SCL was marked by on-Prem Rule inspecting for SFV:SPM for delivery to Junk E-Mail folder.  Had the X-Forefront-Antispam-Report SCL been rewritten into the X-MS-Exchange-Organization-SCL, the message would have been rejected or deleted as a SCL score of 9.

X-Forefront-Antispam-Report: CIP:212.48.64.30;CTRY:IL;IPV:NLI;EFV:NLI;SFV:SPM;SFS:(6009001)(2980300002)(428002)(318001);DIR:INB;SFP:;SCL:9;SRVR:DM2PR12MB0555;H:xxxxxx;FPR:;SPF:None;MLV:ovr;A:1;MX:1;PTR:xxxxxx;LANG:en;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR12MB0555;
X-OrganizationHeadersPreserved: DM2PR12MB0555.namprd12.prod.outlook.com
X-MS-Exchange-Organization-Network-Message-Id: 2a2a7963-b1b2-4e4d-4a15-08d292a143e1
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-SCL: 3

Are there efforts to improve the 'sharing' of SCL, BCL, PCL scoring between EOP and Exchange 2013 SP1 on-Prem?

July 22nd, 2015 12:58pm

Hi ,

Thank you for your question.

You are right, the X-Forefront-Antispam-Report SCL will has been rewritten into the X-MS-Exchange-Organization-SCL. It is just a different form in EOP and Exchange on-premise. If the value is high, it will be gone for delete, reject or junk email. When it is on-premise, it is expressed as X-MS-Exchange-Organization-SCL; if it is on EOP, it is expressed as X-Forefront-Antispam-Report. We could also refer to the following link:

https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

July 23rd, 2015 5:39am

Can you please clarify:  "... the X-Forefront-Antispam-Report SCL {will ??? has} been rewritten into the X-MS-Exchange-Organization-SCL..."

Are you suggesting that if I remove the recommendations from the Implementation Documentation ( https://technet.microsoft.com/en-us/library/JJ837173(v=EXCHG.150).aspx ), which has me manually write the X-MS-Exchange-Organization-SCL header with a transport rule based on the "SFV:XXX" text within the EOP X-Forefront-Antispam-Report header, that Exchange will automatically parse the X-Forefront-Antispam-Report and rewrite the SCL to the X-MS-Exchange-Organization-SCL header for further organization processing on the mailbox server?

Can you provide me with an updated implementation article that suggests this?  The link ( https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx ) just defines the details of the X-Forefront-Antispam-Report header, which may help an administrator make some custom rules; however, there is no EOP implementation documentation that suggests we {should} do any more than SFV:SPM and SFV:SKS, which, in my case, was just resulting in an enormous amount of garbage in each user's Junk E-Mail folders.

July 23rd, 2015 8:57am
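
The mismatch described in this thread (EOP reporting SCL:9 while the on-Prem header carries SCL 3) can be checked across stored messages with a small header parser. This is an added example, not code from any poster or from Microsoft; the function names `parse_fields`, `score` and `audit` are illustrative, and the sample message is constructed from the header values quoted in the first post.

```python
from email import message_from_string

# Constructed sample: the header values quoted in the first post, folded
# across lines the way a raw message carries them (hosts already masked).
SAMPLE = """\
X-Forefront-Antispam-Report: CIP:212.48.64.30;CTRY:IL;IPV:NLI;EFV:NLI;SFV:SPM;
 SFS:(6009001)(2980300002)(428002)(318001);DIR:INB;SFP:;SCL:9;
 SRVR:DM2PR12MB0555;H:xxxxxx;FPR:;SPF:None;MLV:ovr;A:1;MX:1;PTR:xxxxxx;LANG:en;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR12MB0555;
X-MS-Exchange-Organization-SCL: 3

body
"""


def parse_fields(value):
    """Split a 'KEY:value;KEY:value;' header into a dict (keys upper-cased)."""
    fields = {}
    for item in (value or "").split(";"):
        # strip() also removes the newline + space left by header folding
        key, sep, val = item.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields


def score(fields, name):
    """Return a field as int, or None when absent, empty or non-numeric."""
    try:
        return int(fields[name])
    except (KeyError, ValueError):
        return None


def audit(raw_message):
    """Compare the SCL in the EOP header with the one stamped on-Prem."""
    # Assumption: the message arrived through the EOP connector, so the
    # X- headers were written by EOP and not supplied by the sender.
    msg = message_from_string(raw_message)
    report = parse_fields(msg.get("X-Forefront-Antispam-Report"))
    antispam = parse_fields(msg.get("X-Microsoft-Antispam"))
    org = parse_fields("SCL:" + (msg.get("X-MS-Exchange-Organization-SCL") or ""))
    result = {"sfv": report.get("SFV"), "eop_scl": score(report, "SCL"),
              "bcl": score(antispam, "BCL"), "pcl": score(antispam, "PCL"),
              "org_scl": score(org, "SCL")}
    # True when EOP scored the mail but the on-Prem SCL is missing or differs
    result["mismatch"] = result["eop_scl"] not in (None, result["org_scl"])
    return result
```

Calling `audit(SAMPLE)` reports `eop_scl` 9 against `org_scl` 3 with `mismatch` set, which is the case the first post describes.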

This topic is archived. No further replies will be accepted.
