Configuring content filtering

 

Applies to: Forefront Protection for Exchange

The Forefront Protection 2010 for Exchange Server (FPE) content filter uses the Cloudmark™ Antispam engine to analyze each e-mail message and stamp it with a Spam Confidence Level (SCL) rating. The SCL ratings that can be applied are -1, 0, and 5 through 9, where:

  • -1 and 0 indicate non-spam.

  • 5 through 7 indicate grey mail that may be spam.

  • 8 and 9 indicate definite spam.

Note

FPE does not assign SCL ratings from SCL 1 through SCL 4. Messages that fall into this category are assigned an SCL rating of SCL -1 or SCL 0.

The Cloudmark Antispam engine uses frequently updated spam definitions in order to detect spam. For information about configuring Cloudmark definition updates, see Configuring and scheduling updates.

After an SCL rating is assigned to an e-mail message, FPE can be configured to take several different actions based on the administrator's configured SCL threshold. FPE assigns different values to the SCL rating based on how much you trust the antispam engine's spam determinations.

The SCL action is configured using a drop down box that ranges from None to SCL 5 – 9.

  • None—When the setting None is selected, all messages with an SCL rating of 5 or higher are treated as certain spam. Messages with an SCL rating of -1 and 0 will be treated as non-spam. You have the options of rejecting or deleting mail with an SCL rating in the 5 – 9 range.

  • SCL 5 - 9—When the setting 5 – 9 is selected, all messages with a rating of 5 or higher are treated as suspected spam. Messages with an SCL rating of -1 and 0 will be treated as non-spam. You have the option to Quarantine or Stamp header and continue processing mail with an SCL rating in the 5 – 9 range.

The default setting for the Suspected spam drop down is SCL 5 - 7, which means that all mail with an SCL rating between 5 and 7 will be treated as suspected spam and quarantined and all mail with an SCL rating of 8 or 9 will be treated as certain spam. You should monitor the mail that ends up in quarantine, and if you find that all or most of it is spam, you can adjust the SCL setting to a lower setting. For example, you can configure FPE to quarantine messages with SCL 5 or 6 and reject messages starting with SCL 7 and continue to monitor the quarantine for false positives.

Antispam detection actions

You can configure FPE to take several actions when spam is detected.

  • Quarantine—Quarantines the suspected spam and does not deliver it to the recipient.

  • Stamp header and continue processing—Stamps the SCL rating as a header on the message and delivers it to the recipient. Microsoft Outlook can use the SCL rating stamp to process the message according to spam rules set by the end user.

  • Reject—Rejects the message. An NDR is generated by the sending MTA.

  • Delete—Deletes the message. No NDR is generated.
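The quarantine review described above can be turned into a what-if check before lowering the Suspected spam setting. This is an added example, not part of the original page or of FPE: it assumes the stamped header is Exchange's `X-MS-Exchange-Organization-SCL`, that quarantined messages have been exported as text and labelled by a reviewer, and it uses constructed sample data.

```python
from email import message_from_string

# Assumption: the stamped header is Exchange's X-MS-Exchange-Organization-SCL.
SCL_HEADER = "X-MS-Exchange-Organization-SCL"

# Constructed sample: messages exported from quarantine, each paired with the
# reviewer's verdict after manual inspection.
REVIEWED = [
    (SCL_HEADER + ": 5\nSubject: Invoice 1042\n\nbody", "legit"),
    (SCL_HEADER + ": 6\nSubject: Partner newsletter\n\nbody", "legit"),
    (SCL_HEADER + ": 6\nSubject: Cheap watches\n\nbody", "spam"),
    (SCL_HEADER + ": 7\nSubject: You have won\n\nbody", "spam"),
    (SCL_HEADER + ": 7\nSubject: Act now\n\nbody", "spam"),
]

def scl_of(raw):
    """Read the stamped SCL; FPE only assigns -1, 0 and 5 through 9."""
    value = message_from_string(raw)[SCL_HEADER]
    if value is None:
        raise ValueError("message carries no SCL stamp")
    scl = int(value.strip())
    if scl not in (-1, 0, 5, 6, 7, 8, 9):
        raise ValueError("SCL %d is not a rating FPE assigns" % scl)
    return scl

def classify(scl, suspected_max):
    """suspected_max: top of the Suspected spam range (5..9), None for 'None'."""
    if scl < 5:
        return "non-spam"
    if suspected_max is not None and scl <= suspected_max:
        return "suspected"
    return "certain"

def legit_treated_as_certain(reviewed, suspected_max):
    """Legitimate mail that would be rejected or deleted, not quarantined."""
    return sum(1 for raw, verdict in reviewed
               if verdict == "legit"
               and classify(scl_of(raw), suspected_max) == "certain")

def lowest_safe_setting(reviewed):
    """Lowest setting that keeps every reviewed legitimate message reviewable."""
    for setting in (None, 5, 6, 7, 8, 9):  # 9 leaves nothing in 'certain'
        if legit_treated_as_certain(reviewed, setting) == 0:
            return setting
```

With the constructed sample, the lowest setting that loses no legitimate mail is 6, which corresponds to quarantining SCL 5 and 6 and rejecting from SCL 7.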

Enabling and configuring the Content Filter

To begin using content filtering, you must enable the content filter, enable definition updates for the Cloudmark Antispam engine, and then configure the Spam Confidence Level setting.

To enable the content filter

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, in the Policy Management tree view, expand Antispam, and then click Configure.

  2. In the Antispam – Configure pane, in the Content filter section, select the Enable Content Filtering check box.

Note

The Microsoft Exchange Transport service must be stopped and then started again for changes to this setting to take effect. Do not use the Restart function.

For information about enabling antispam engine definition updates, see Configuring and scheduling updates.

Note

The antispam engine downloads definition updates independently from other engine and definition updates. If you use a proxy server, configure proxy settings to ensure that the antispam updates download successfully. Antispam updates cannot be downloaded from a redistribution server (UNC path).

Note

The antispam engine itself is updated very infrequently, at most two times per year, and its version is the version information that is displayed in the UI, so do not be alarmed if the version information in the UI does not change often. The actual spam definitions (fingerprints) are updated every forty-five seconds (these are called “microupdates”), and full fingerprint updates are downloaded approximately every three minutes. This guarantees that FPE always runs with the latest spam fingerprints.

To configure the spam confidence level

  1. In the FPE Administrator Console, in the Policy Management tree view, expand Antispam, and then click Configure.

  2. In the Antispam - Configure pane, in the Content filter section, select the SCL setting you would like in the Suspected spam drop down box. This sets the level at which you would like e-mail messages that have been assigned an SCL rating to be considered "certain spam."

  3. Based on the level you have selected, select the Action that FPE should take for Suspect and Certain spam messages, and then click Save at the top of the pane.

Allowing e-mail from specific senders and sender domains to by-pass spam filtering

To add e-mail addresses to the Allowed Senders List

  1. In the Policy Management view of the FPE Administrator Console, in the tree, expand Antispam, and then click Configure.

  2. In the Antispam - Configure pane, in the Content filter section, click the Configure Content Allow Lists button or select Configure Content Allow Lists in the Actions pane.

  3. In the Configure Content Allow Lists dialog box, perform the following steps:

    1. Select Allowed Senders in the menu bar.

    2. In the E-mail Address box, enter the e-mail address that you want to add. You must add each e-mail address individually.

    3. Click Apply to save your changes and enter additional e-mail addresses or click Apply and Close to save your entry and return to the Antispam - Configure pane. The e-mail address is added to the allowed senders list.

  4. Click Save at the top of the pane to save your configuration.

To add e-mail addresses to the Allowed Sender Domains List

  1. In the Policy Management view of the FPE Administrator Console, in the tree, expand Antispam, and then click Configure.

  2. In the Antispam - Configure pane, in the Content filter section, click the Configure Content Allow Lists button or select Configure Content Allow Lists in the Actions pane.

  3. In the Configure Content Allow Lists dialog box, perform the following steps:

    1. Select Allowed Sender Domains in the menu bar.

    2. In the Domain Name box, enter the domain names that you want to add. You must add each entry individually.

    3. Click Apply to save your changes and enter additional domain names or click Apply and Close to save your entry and return to the Antispam - Configure pane. The domain name is added to the allowed sender domains list.

  4. Click Save at the top of the pane to save your configuration.

The domain name is added to the allowed sender domains list. You can repeat this step in order to add more domain names.

Allowing e-mail sent to specific recipients to by-pass spam filtering

To add e-mail addresses to the Recipient Exception List

  1. In the FPE Administrator Console Policy Management view, in the tree view, expand Antispam, and then click Configure.

  2. In the Antispam - Configure pane, in the Content filter section, click the Configure Content Allow Lists button or select Configure Content Allow Lists in the Actions pane.

  3. In the Configure Content Allow Lists dialog box, perform the following steps:

    1. Select Allowed Recipients in the menu bar.

    2. In the E-mail Address box, enter the e-mail address that you want to add. You must add each e-mail address individually.

    3. Click Apply to save your changes and enter additional e-mail addresses or click Apply and Close to save your entry and return to the Antispam - Configure pane. The e-mail address is added to the Recipient Exceptions List.

  4. Click Save at the top of the pane to save your configuration.

The address is added to the Recipient Exception list. You can repeat this step in order to add more addresses.

Note

You can edit items in the lists by double-clicking and editing an item, and then pressing ENTER. You can delete items from the lists by selecting an item and clicking Remove. You can also import and export items from a list. For more information, see Importing items into a list and Exporting items from a list.

Reporting antispam statistical data

FPE can collect data about spam detections and report it to the antispam engine vendor. This data is used to help improve detection rates of the engine.

To enable statistic collection and reporting

  • In the Content filter section, select the Report statistical data to 3rd party engine provider check box.

No personal information is collected as part of this process.

Reporting false positives and missed spam

Information about false negatives and false positives is used by the antispam engine maker to improve the performance of the engine.

To submit false positive or false negative spam e-mail messages, send the e-mail as an RFC 2822 attachment. Do not send misclassified messages by using the Forward command; this strips them of essential header information and will result in an invalid submission.

Send the original e-mail message for analysis to:

  • For false negatives: Forefront-spam@submit.cloudmark.com

  • For false positives: Forefront-legit@submit.cloudmark.com

To attach an e-mail message as an RFC 2822 attachment

  1. In Microsoft Outlook, create a new e-mail message.

  2. Address it to the appropriate address.

  3. Click the Attach Item button, select the e-mails that were falsely classified, and then click OK.
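The same submission can be assembled outside Outlook from an exported copy of the message. This is an added example, not part of the original page or of FPE: the sample message and the reporter address are constructed, and treating a copy with no Received headers as already stripped is an assumption of this sketch.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBMIT = {  # submission addresses as listed on this page
    "false_negative": "Forefront-spam@submit.cloudmark.com",
    "false_positive": "Forefront-legit@submit.cloudmark.com",
}

# Constructed sample of a misclassified message, transport headers intact.
ORIGINAL = (
    b"Received: from mx.example.net (192.0.2.10) by mail.example.org;\r\n"
    b"\tMon, 01 Mar 2010 10:00:00 +0000\r\n"
    b"From: News <news@example.net>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Monthly newsletter\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Hello subscribers.\r\n"
)

def build_submission(raw_original, kind, reporter):
    """Wrap the untouched original in a message/rfc822 attachment."""
    original = message_from_bytes(raw_original, policy=policy.default)
    # Assumption: a copy without Received headers has already lost its
    # transport headers (as a Forward does) and would be an invalid submission.
    if not original.get_all("Received"):
        raise ValueError("no Received headers; export the original unmodified")
    msg = EmailMessage()
    msg["From"] = reporter
    msg["To"] = SUBMIT[kind]
    msg["Subject"] = "Misclassified message: " + kind.replace("_", " ")
    msg.set_content("Original message attached as message/rfc822.")
    msg.add_attachment(original)  # a Message object becomes message/rfc822
    return msg

def embedded_original(submission):
    """Re-parse the serialized submission and return the attached message."""
    parsed = message_from_bytes(submission.as_bytes(), policy=policy.default)
    for part in parsed.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None
```

Checking `embedded_original()` before sending confirms that the original's headers survive serialization inside the attachment.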