Content
filtering is not only effective for eliminating spam, but it can also
be beneficial for identifying messages containing content deemed
unacceptable to the organization, such as sexually derogatory remarks or
racial slurs. The content filter processes messages that
are routed through the Receive Connector on the Edge Transport server.
The Content Filtering Agent is enabled by default and can be configured
using the Exchange Management Console or Exchange Management Shell.
Note
Changes described in
this section are applied only to the local system. This is important if
you have more than one Edge Transport server in your environment.
To disable the
Content Filtering Agent using the Exchange Management Console,
right-click the agent icon in the action pane and select Disable. To
disable the Content Filtering Agent using the Exchange Management Shell,
run the Set-ContentFilterConfig command with the -Enabled $false parameter.
For example:
Set-ContentFilterConfig -Enabled $false
The General tab of the
Agent Properties window displays a brief description of the agent and
its capabilities, its current status, and the last time the agent’s
settings were modified.
The content filter
in Exchange Server 2010 builds on the Intelligent Message Filter
technology that Microsoft developed and included in Exchange Server
2003. The Intelligent Message filtering technology, a proprietary
message-analyzing filter developed by Microsoft, “learns” which messages
are spam and which are legitimate by analyzing the characteristics of
both. This filter is updated periodically through Microsoft Software
Update Services.
After message
analysis has occurred, the content filter assigns an overall score to
the message that corresponds with an action you choose based on the
needs of the organization. For example, all messages scoring an 8 or
higher might be deleted, whereas any message scoring a 3 or lower might
be delivered. This message score is often referred to as the SCL.
Messages are assigned a score ranging from 0–9, with 9 being the “most
confident” score that the message is spam.
The content filter can
leverage the end user’s Safe Recipients List, Safe Senders List, or
trusted contacts list in Outlook (2003 or later) by enabling Safelist
Aggregation. Safelist Aggregation uses the entries inside of Outlook to
help populate the list of legitimate senders so they can be safely
bypassed by the Content Filtering Agent.
To begin configuring
content filtering, launch the Exchange Management Console, and
double-click the Content Filtering Agent in the action pane. From here,
you can customize the Custom Words list to block and allow certain words
or phrases, add recipients to the exclusions list to exempt them from
content filtering, and configure the actions to take on messages based
on the messages’ SCL. Some of these items are not available through the
Exchange Management Console and can only be configured through the
Exchange Management Shell.
The basic function of configuring the content filter on an Edge Transport server is performed as follows:
1. Enable the Content Filtering Agent (default is enabled).
2. Designate and specify a quarantine mailbox for captured messages.
3. Enable and configure SCL thresholds and actions.
4. Enable or disable puzzle validation.
5. Specify recipient and sender exceptions.
6. Configure Allow phrases and Block phrases.
7. Set the rejection response.
These functions are covered in the balance of this section.
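The seven steps above expressed as Exchange Management Shell commands, as an added example that is not part of the original text. The mailbox addresses, phrases, response text, and threshold values are constructed placeholders; run it on each Edge Transport server, because the settings apply to the local server only.

```powershell
# Added example: Exchange Management Shell equivalents of the seven steps.
# Addresses, phrases, thresholds and response text are constructed placeholders.

# 1. Enable content filtering (it is enabled by default).
Set-ContentFilterConfig -Enabled $true

# 2. Quarantine mailbox for captured messages.
Set-ContentFilterConfig -QuarantineMailbox spamquarantine@example.com

# 3. SCL thresholds and actions.
Set-ContentFilterConfig `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 8 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 6 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 4

# 4. Puzzle (Outlook Email Postmark) validation.
Set-ContentFilterConfig -OutlookEmailPostmarkValidationEnabled $true

# 5. Recipient and sender exceptions.
Set-ContentFilterConfig -BypassedRecipients hr@example.com, legal@example.com
Set-ContentFilterConfig -BypassedSenders counsel@lawfirm.example

# 6. Allow phrases (GoodWord) and Block phrases (BadWord).
Add-ContentFilterPhrase -Phrase 'Ref: LEGAL-7731' -Influence GoodWord
Add-ContentFilterPhrase -Phrase 'constructed blocked phrase' -Influence BadWord

# 7. Rejection response returned to the sending server.
Set-ContentFilterConfig -RejectionResponse 'Message rejected by content filtering.'

# Review the resulting configuration and phrase lists.
Get-ContentFilterConfig | Format-List Enabled, QuarantineMailbox, SCL*, Bypassed*, RejectionResponse
Get-ContentFilterPhrase | Format-Table Phrase, Influence -AutoSize
```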
Configuring the Quarantine Mailbox for Captured Messages
Before configuring other
content-filtering components, it is advised that you first configure the
mailbox that will store messages on which an action of “quarantine” was
taken. This action is based on the corresponding SCL for the Quarantine
Messages That Have an SCL Rating Larger or Equal To setting in the
Exchange Management Console, or the SCLQuarantineEnabled and
SCLQuarantineThreshold parameters of the Set-ContentFilterConfig
Exchange Management Shell command.
To configure a mailbox for content filtering, complete the following steps:
1. Create a user account with a mailbox in Active Directory if the quarantine mailbox will reside on your internal Exchange servers.
2. To configure the mailbox using the Exchange Management Console, select the Action tab of the Content Filter and enter the email address of the mailbox.
3. To configure the mailbox using the Exchange Management Shell, run the Set-ContentFilterConfig command with the -QuarantineMailbox parameter. Then run the Exchange Management Console.
4. In the Content Filtering Properties window, select the Custom Words tab.
5. Enter the word or phrase you want to allow in the Messages Containing These Words or Phrases Will Not Be Blocked field. Email messages containing these entries will always be allowed to bypass content filtering.
6. Click Add to include the new entry.
7. To remove an entry, highlight it, and click the Delete button.
8. Click Apply to save your changes or OK to save changes and close the Content Filter dialog box.
Configuring Spam Quarantine
The
spam quarantine holds messages that meet or exceed the SCL threshold
set in the Content Filtering Agent on the Edge Transport server.
Messages marked for quarantine are sent to a quarantine mailbox where
they can be reviewed and delivered, if necessary. Administrators who
need to resend a quarantined message can use the Send Again feature of
Outlook.
For messages to be
quarantined, an Active Directory user and corresponding mailbox must
exist, solely for this purpose. If you are running multiple Edge
Transport servers, you might consider having one spam quarantine mailbox
per server. Although this might increase the amount of effort needed to
find captured messages, it decreases the load expected of one mailbox
server. This can also help with troubleshooting configuration
differences between Edge Transport servers. Depending on the size of the
organization and the amount of Internet email received, the spam
quarantine can grow substantially.
Tip
It is recommended to
dedicate an Exchange Server database to the spam quarantine mailbox,
configure an email retention policy or recipient policy to restrict the
mailbox size, and set the duration for how long quarantined messages
should be retained.
After a mailbox has been
created for the use of quarantining spam messages, the spam quarantine
mailbox must be specified on the Edge Transport server. The spam
quarantine mailbox can only be specified on an Edge Transport server
using the Set-ContentFilterConfig command with the QuarantineMailbox
parameter.
Set-ContentFilterConfig -QuarantineMailbox [email protected]
Configuring the Allowed Keyword or Phrases List
Content filtering
varies from organization to organization, so Exchange Server 2010 Edge
Services has exceptions to allow for keywords or phrases to not cause a
message to be filtered or blocked. This is commonly used in the medical
profession where the reference to certain drugs, body parts, or human
activities is part of the field of business, whereas in other
organizations, those references are commonly used in unwanted or
unsolicited email messages.
To configure the
Exchange Server 2010 Edge Transport server to allow keywords or key
phrases, do the following from within the Exchange Management Console:
1. Select the Custom Words tab.
2. Enter the word or phrase you want to allow in the Messages Containing These Words or Phrases Will Not Be Blocked field. Email messages containing these entries will always be allowed to bypass content filtering.
3. Click Add to include the new entry.
4. To remove an entry, highlight it, and click the Delete button.
5. Click Apply to save your changes or OK to save changes and close the Content Filter dialog box.
Note
Messages containing an allowed word or phrase are given an SCL score of 0.
Configuring Keyword or Phrases List to Block Messages
The second section of the
Custom Words tab allows you to define words or phrases in messages that
should be blocked. There are two exceptions to this: use of the allowed
word or phrase list and the exclusions list. Entries in this section
result in the message being blocked, unless the word or phrase appears
in the Messages Containing These Words or Phrases Will Not Be Blocked
section or the recipient’s email address is listed in the exclusions
list.
For example, your
organization might have an email policy that states any message
containing racial slurs or derogatory terms should be blocked unless the
message is sent to or from the organization’s attorneys and senior
management. To accomplish this, you would add the racially
discriminatory language to the Block Messages Containing These Words or
Phrases section; add the lawyers’ names, office names, addresses, and so
forth of the law firm the attorneys work for to the Messages Containing
These Words or Phrases Will Not Be Blocked section; and add the email
addresses of the company’s executive staff to the Exceptions tab. This
would ensure that any message not deemed appropriate would be blocked
unless it contained information about the company’s lawyers or was sent
or copied to one of the organization’s executives.
To configure blocked keywords or phrases, from within the Exchange Management Console, do the following:
1. Select the Custom Words tab.
2. Enter the word or phrase you want to block in the Block Messages Containing These Words or Phrases field. Email messages containing these entries will always be blocked unless they contain a word or phrase that is included in the allow list or are sent to recipients included in the Exceptions tab.
3. Click the Add button to include the new entry.
4. To remove an entry, highlight it, and click the Delete button.
5. Click Apply to save your changes or OK to save changes and close the Content Filter dialog box.
Note
Messages containing a blocked word or phrase are given an SCL score of 9.
As a recommendation
from experience, get creative, but be precise! In the previous example
scenario, you could ask the law firm to insert a particular code or
phrase in messages sent to your company. This makes the messages easier
for your company to identify, makes the entries in your content filter
lists easier to manage, and increases the reliability of content
filtering overall. Avoid entering words and phrases that are arbitrary.
Instead, choose keywords and phrases that are specific to why you are
blocking the message and that won’t be mistakenly identified in
legitimate messages. This reduces the number of false positives and the
processing power needed by the content filter.
Configuring the Exceptions List
The next item in
the Content Filter Properties window is the Exceptions tab. The
Exceptions tab is used to define the email addresses of recipients whose
messages you do not want filtered by content. For example, a company
might include the human resources’, attorneys’, or system administrator’s
mailbox because they might need to view these messages to fulfill the
duties of their jobs, whereas the same is not true for the rest of the
organization’s employees. To configure exceptions, within the Exchange
Management Console, do the following:
1. In the Content Filter Properties window, select the Exceptions tab.
2. In the Don’t Filter Messages Sent to the Following Recipients field, enter the full email address of the account.
3. Click Add to include the entry in the list.
4. To remove an entry, highlight it, and click the Delete button.
5. To edit the email address of an entry, highlight it, and click the Edit button.
6. Click Apply to save your changes or OK to save changes and close the Content Filter.
Note
The exception list is restricted to a maximum of 100 entries.
Setting the Action Tab of the Content Filtering Agent
The last tab of the
Content Filtering Agent is the Action tab. The Action tab stores the
configuration for what actions should be taken on a message based on the
calculated SCL. The SCL can range from 0 to 9; 9 designates a high
confidence level that the message is spam or contains a match to a block
list, and 0 designates a high confidence level the message is valid or
contains a match to an allowed list.
In the Content
Filtering Agent, an action of Delete takes priority over the action of
Reject, which takes priority over the action of Quarantine. For example,
when all three actions are enabled with a threshold of Delete if SCL is
8 or higher, Reject if SCL is 6 or higher, and Quarantine if 4 or
higher, a message with an SCL of 9 would get deleted even though it
technically is higher than the other thresholds, and a message with an
SCL of 5 would get quarantined. This hierarchy is by design. At least
one action must be enabled to use content filtering, but not all of them
need to be.
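The precedence rules described in this section, written out as a small PowerShell model (an added illustration, not Exchange's own code and not from the original text). The function names, sample phrases, and addresses are hypothetical, and treating a message as exempt when any recipient is on the exceptions list is a simplification of the behaviour described above.

```powershell
# Added illustration of the decision order described here; plain PowerShell, not Exchange code.
function Test-PhraseMatch([string]$Text, [string[]]$Phrases) {
    foreach ($p in $Phrases) {
        if ($Text.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Get-ContentFilterDecision {
    param(
        [string]    $Body,
        [string[]]  $Recipients,
        [ValidateRange(0, 9)] [int] $FilterScl,   # score the filter itself would assign
        [string[]]  $AllowPhrases = @(),
        [string[]]  $BlockPhrases = @(),
        [string[]]  $ExceptionRecipients = @(),
        # Enabled actions and thresholds; leave a key out to disable that action.
        [hashtable] $Thresholds = @{ Delete = 8; Reject = 6; Quarantine = 4 }
    )
    # Recipients on the exceptions list are exempt from content filtering.
    if (@($Recipients | Where-Object { $ExceptionRecipients -contains $_ }).Count -gt 0) {
        return New-Object PSObject -Property @{ Scl = 'n/a'; Action = 'Deliver (exception)' }
    }
    # An allowed phrase forces SCL 0 and overrides a blocked phrase (SCL 9).
    if (Test-PhraseMatch $Body $AllowPhrases)     { $scl = 0 }
    elseif (Test-PhraseMatch $Body $BlockPhrases) { $scl = 9 }
    else                                          { $scl = $FilterScl }
    # Delete outranks Reject, which outranks Quarantine.
    $action = 'Deliver'
    foreach ($name in 'Delete', 'Reject', 'Quarantine') {
        if ($Thresholds.ContainsKey($name) -and $scl -ge $Thresholds[$name]) { $action = $name; break }
    }
    New-Object PSObject -Property @{ Scl = $scl; Action = $action }
}

# Constructed sample lists and messages.
$lists = @{
    AllowPhrases        = @('Ref: LEGAL-7731')
    BlockPhrases        = @('cheap meds')
    ExceptionRecipients = @('ceo@example.com')
}
# The thresholds from the text: SCL 9 and SCL 5, no phrase or exception involved.
Get-ContentFilterDecision -Body 'hello' -Recipients 'a@example.com' -FilterScl 9 @lists
Get-ContentFilterDecision -Body 'hello' -Recipients 'a@example.com' -FilterScl 5 @lists
# A blocked phrase, the same phrase plus the allow code, then an exempt recipient.
Get-ContentFilterDecision -Body 'cheap meds' -Recipients 'a@example.com' -FilterScl 2 @lists
Get-ContentFilterDecision -Body 'cheap meds Ref: LEGAL-7731' -Recipients 'a@example.com' -FilterScl 2 @lists
Get-ContentFilterDecision -Body 'cheap meds' -Recipients 'ceo@example.com' -FilterScl 2 @lists
```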