Content filtering

 

Applies to: Forefront Security for Exchange Server

Content filtering provides another tool to help manage the flow of messages entering and exiting your enterprise mail stream. Content filtering enables you to filter messages using a variety of filtering tools. These include:

  • Sender-domains filtering (for Realtime and Manual scan jobs)

  • Subject line filtering (for Realtime and Manual scan jobs)

  • Filter set templates (simplify the creation and management of file and content filters on all scan jobs)

If you route e-mail messages through edge transport servers in your environment and are running Forefront Security for Exchange Server on your Exchange servers, you should enter the IP addresses of your edge transport servers into the General Options Transport External Hosts setting to ensure that all mail routed through the edge transport servers is treated as inbound mail rather than internal mail by Forefront Security for Exchange Server. (For more information about this setting, see Forefront Server Security Administrator.)

Configuring sender-domains filtering

Sender-domains filtering enables you to filter messages from particular senders or domains. Wildcard characters can be used to enable such filters as *@domain.com to filter all mail from a certain domain.

Note

Sender-domains filtering only applies to the From field in a message. It cannot be used for the To field.

To configure sender-domains filtering

  1. In the Shuttle Navigator, click FILTERING.

  2. Select the Content icon. The Content Filtering pane appears.

  3. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job. (Content filtering is not available for the Transport Scan Job, but see Keyword filtering.)

  4. In the Content Fields pane, select Sender-Domains, and then click the Add button in the Content Filters pane.

  5. A text box appears. Type the sender or domain that you would like to filter. If you want to use a generic domain name filter, you must use an * (wildcard character) before the domain name.

    Examples:   

    A generic domain: *@domain.com

    A specific sender: someone@domain.com

  6. Press ENTER after you have typed the sender or domain. You may add as many entries as you like.

  7. Enable the filter with the Filter field.

  8. In the Action field, indicate the action to take if there is a filter match.

  9. Indicate whether to Send Notifications if there is a filter match. The Content Administrators set up in the Notification work pane, located under REPORT in the Shuttle Navigator, will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see E-mail notifications).

  10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  11. Click Save.

The scan job looks at both the display name and the e-mail address of the sender to match against sender-domains filters. It applies the filter against the display name of the mailbox first. If the display name and sender e-mail address are different, Forefront Security for Exchange Server also applies the filter against the sender e-mail address. If either matches, the filter action is taken. If you do not want to filter against sender e-mail addresses, set the registry value ContentFilterSMTPAddress to zero (0).

You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.

Configuring subject line filtering

Subject line filtering enables you to filter messages based on the content of the subject line of the message. Wildcard characters can be used.

To configure subject line filtering

  1. In the Shuttle Navigator, click FILTERING.

  2. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job.

  3. Select the Content icon. The Content Filtering pane appears.

  4. In the Content Fields pane, select Subject Lines.

  5. In the Content Filters pane, click the Add button. A text box appears. Type the content you would like to filter.

  6. Press ENTER after you have typed the content. You may add as many entries as you like.

  7. Enable the filter with the Filter field.

  8. In the Action field, indicate the action to take if there is a filter match.

  9. Indicate whether to Send Notifications if there is a filter match. The Content Administrators set up in the Notification work pane located under REPORT in the Shuttle Navigator will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see E-mail notifications).

  10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  11. Click Save.

    If you are entering a partial subject line as a filter, it is recommended that you use asterisk wildcard characters (*) at the beginning and the end of the phrase to ensure proper detection.

    For example:

    • The filter get rich quick filters messages that contain only the target phrase in the subject line.

    • The filter *get rich quick filters messages that contain the target phrase and any phrase that ends with the target phrase in the subject line.

    • The filter *get rich quick* filters messages that contain the target phrase anywhere in the subject line.

    For more information about wildcards, see Matching patterns with wildcards.

Action

You must indicate the action that Forefront Security for Exchange Server should take upon detecting a match to your filter criteria.

Note

You must set the action for each file filter you configure. The action setting is not global.

For a Realtime Scan Job sender-domains or subject line filter, select the Skip or Purge action (the Manual Scan Job has a fixed value of Skip: detect only).

Skip: detect only

Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Purge: eliminate message

Deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable, unless quarantined. Click Yes to continue.

Editing a content filter

Once you have created a content filter, it can be modified.

To edit a content filter

  1. In the Shuttle Navigator, click FILTERING, and then select the Content icon. The Content Filtering work pane appears.

  2. In the upper work pane, select the scan job for which you would like to modify the content filter.

  3. Make the required changes to the various fields. The changes apply to the selected scan job.

  4. Click Save to save your filter changes.

    Making any change to the configuration activates the Save and Cancel buttons. If you make a change to the selected scan job and try to move to another scan job or shuttle icon without saving it, you will be prompted to save or discard your changes.

Matching patterns with wildcards

Use wildcard characters to have your filter match patterns in the content. You can use any of the following to refine your filters:

*

Used to match any number of characters. You can use multiple asterisks. The following are some examples of its usage.

Single:

Any of these single wildcard character patterns would detect veryevil: veryevil*, very*, *il

Multiple:

Any of these multiple wildcard character patterns would detect veryevil: V*r*v*l, *very*, *evil*

?

Matches any single character. This is useful because many malicious users insert extra characters between letters to evade filters.

Example: You can filter C-O-N-T-E-S-T with the filter: C?O?N?T?E?S?T

[set]

A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched.

Example: The set is useful for creating a single rule to match when the number zero (0) is used instead of the letter o (for example, pornography and p0rnography can be filtered using p[o0]rnography).

[^set]

Used to exclude characters that you know are not used.

[range]

Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example:

klez[ad-gp] would match kleza, klezd, kleze, klezf, klezg, and klezp but not klezb or klezr.

\char

Indicates that special characters are used literally (characters are: * ? [ ] - ^ < >). The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character.

Example: If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note

You must use a \ before each special character.
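
The wildcard rules above, as an added Python example that is not part of the original documentation or the product's code: it translates a filter into a regular expression so that a filter can be checked against sample subject lines or senders before it is deployed. It assumes whole-string, case-insensitive matching (suggested by V*r*v*l detecting veryevil) and that [^set] matches any character outside the set; the function names are hypothetical.

```python
import re


def _char_class(body):
    """Build a regex class from the text inside [set], [^set] or [range]."""
    negate = body.startswith("^") and len(body) > 1   # [^set]: assumed negation
    if negate:
        body = body[1:]
    parts, k = [], 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":   # range, e.g. d-g
            parts.append(re.escape(body[k]) + "-" + re.escape(body[k + 2]))
            k += 3
        else:                                          # single listed character
            parts.append(re.escape(body[k]))
            k += 1
    return "[" + ("^" if negate else "") + "".join(parts) + "]"


def wildcard_to_regex(pattern):
    """Translate a filter in the page's wildcard syntax to a compiled regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):         # \char: next char is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        closing = pattern.find("]", i + 2) if c == "[" else -1
        if c == "*":                                   # any number of characters
            out.append(".*")
        elif c == "?":                                 # exactly one character
            out.append(".")
        elif closing != -1:                            # [set], [^set], [range]
            out.append(_char_class(pattern[i + 1:closing]))
            i = closing
        else:                                          # ordinary literal character
            out.append(re.escape(c))
        i += 1
    # Assumption: matching is case-insensitive and covers the whole field.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def matches(pattern, text):
    """True if the whole text matches the filter pattern."""
    return wildcard_to_regex(pattern).fullmatch(text) is not None


if __name__ == "__main__":
    # Constructed subject lines, checked against the three filters from the
    # subject line section to show the effect of leading/trailing asterisks.
    subjects = ["get rich quick", "how to get rich quick",
                "how to get rich quick now"]
    for flt in ["get rich quick", "*get rich quick", "*get rich quick*"]:
        hits = [s for s in subjects if matches(flt, s)]
        print(f"{flt!r:22} matches {hits}")
```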

Content filter lists

As well as creating individual content filters (for subject lines and sender-domains), you can create lists of them to have collections of filters for use by different scan jobs or simply to organize your filters. The individual filters are created in the same way as previously described, but now, each filter is part of a list.

Creating a content filter list

Begin by creating a new filter list for either Subject Lines filters or Sender-Domains filters.

To create a content filter list

  1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.

  2. In the List Types pane, select Subject Lines or Sender-Domains.

  3. In the List Names section, click the Add button.

  4. Type a name for the new list and then press Enter. The empty list appears in the List Names section.

  5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add items to the list: subject lines (text that might appear in the subject line of messages) or sender-domains (specific senders or generalized domains).

  6. In the Include In Filter section, click the Add button.

  7. Type a subject line, a sender, or a domain (depending on the type of filter list) to be included in the list. Press ENTER when you are finished typing. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single subject line or sender-domains filters.

    The Exclude From Filter section is used to enter data that should never be included in the filter list. This prevents this data from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.

  8. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.

  9. Click Save to save the list.

  10. Configure the filter list the same way as described in Configuring sender-domains filtering and Configuring subject line filtering.

Importing items into a filter list

Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list using the Forefront Server Security Administrator. Note that Forefront Security for Exchange Server can only import lists that are UTF-16 or ANSI files. Other Unicode types will not be properly imported.

To create and import entries into a filter list

  1. Create a list and save it as a text file. Place each filter on its own line in the file.

  2. In the FILTERING section of the Shuttle Navigator, click Filter Lists.

  3. Select the filter list into which you will be importing data.

  4. Click Edit. The Edit Filter List dialog box appears.

  5. Click the Import button. A File Explorer window opens. Use it to navigate to the text file you created in step 1.

  6. Select the file and click Open.

  7. The file is imported into the middle pane of the Import List editor to enable you to select the entries you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.

  8. When you have moved all the desired items, click OK.

  9. Click Save to save your work.
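
A pre-import check for the encoding restriction described above, as an added Python example that is not part of the original documentation or the product: it classifies a filter-list file as UTF-16, ANSI, or another Unicode type before you import it. The detection is a heuristic based on byte order marks and byte values, treating "ANSI" as Windows code page 1252 is an assumption, and the function name is hypothetical.

```python
import codecs


def classify_filter_list(data):
    """Return (encoding_label, importable, filters) for raw file bytes.

    importable reflects the documented rule: UTF-16 or ANSI only.
    """
    # UTF-32 LE shares its first two bytes with UTF-16 LE, so test it first.
    if data.startswith((codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE)):
        return "UTF-32", False, []
    if data.startswith(codecs.BOM_UTF8):
        return "UTF-8 with BOM", False, []
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        label, text = "UTF-16", data.decode("utf-16")   # BOM selects byte order
    elif all(b < 0x80 for b in data):
        label, text = "ANSI (ASCII only)", data.decode("ascii")
    else:
        try:
            # High bytes that form valid UTF-8 sequences almost always mean
            # the editor saved UTF-8 without a BOM (heuristic).
            data.decode("utf-8")
            return "UTF-8 without BOM (suspected)", False, []
        except UnicodeDecodeError:
            # Assumption: the ANSI code page is Windows-1252.
            label = "ANSI (code page)"
            text = data.decode("cp1252", errors="replace")
    # One filter per line, as the import procedure requires.
    filters = [line.strip() for line in text.splitlines() if line.strip()]
    return label, True, filters


if __name__ == "__main__":
    # Constructed sample lists, not taken from a real deployment.
    sample = "*@example.com\r\nsomeone@example.com\r\n"
    for name, raw in [
        ("utf-16", sample.encode("utf-16")),
        ("utf-8 + BOM", codecs.BOM_UTF8 + sample.encode("utf-8")),
        ("ascii", sample.encode("ascii")),
        ("utf-8 non-ASCII", "*sp\u00e9cial*\r\n".encode("utf-8")),
    ]:
        print(name, "->", classify_filter_list(raw))
```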

Filtering mail from all users in a domain except for specific users

This section describes how to configure FSE to filter mail from all users in a domain except for specific users in that domain.

To filter mail from all users in a domain except for specific users

  1. In the Shuttle Navigator, click FILTERING.

  2. Select the Realtime Scan Job, and then select the Content icon.

  3. Set up content filters containing the addresses of specific users whose messages you do not want filtered.

    1. In the lower-left corner, in the Content Fields section, select Sender-Domains, and then in the Content Filters section, click Add.

    2. In the text box that appears, type the e-mail address of the specific user. For example, type someone@example.com, and then press ENTER.

    3. In the Action field, set the action to Skip: detect only.

    Note

    You can add multiple e-mail addresses, but each one must be entered separately. Repeat step 3 if you want to add more addresses whose messages you do not want filtered.

  4. Set up the name of the domain that you want filtered.

    1. In the lower-left corner, in the Content Fields section, select Sender-Domains, and then in the Content Filters section, click Add.

    2. In the text box that appears, type the name of the domain that you want filtered. When you type the domain name, include the asterisk (*) wildcard character. For example, type *@example.com.

      Note

      Make sure that you add the filter for the domain name directly underneath the filter for the specific users whose mail you do not want filtered. FSE works from the top of the list down.

    3. In the Action field, set the action to Purge: Eliminate Message.

  5. Click Save.
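
Why the order of the two filters matters, as an added Python example that is not part of the original documentation or the product's code: it models top-down evaluation of sender-domains filters against the display name and then the e-mail address, and shows what happens when the domain filter is placed above the exception. It assumes that evaluation stops at the first matching filter and that matching is case-insensitive; `evaluate` and its parameters are hypothetical names, and Python's fnmatch stands in for the product's wildcard matcher, which is sufficient for filters that only use *.

```python
from fnmatch import fnmatchcase

SKIP = "Skip: detect only"
PURGE = "Purge: eliminate message"


def evaluate(filters, display_name, smtp_address, match_smtp_address=True):
    """Return (action, incident) for the first matching filter, else (None, None).

    filters: ordered list of (pattern, action), top of the list first.
    match_smtp_address=False models ContentFilterSMTPAddress set to 0.
    """
    # The display name is tried first; the address only if it differs.
    candidates = [display_name]
    if match_smtp_address and smtp_address != display_name:
        candidates.append(smtp_address)
    for pattern, action in filters:                 # top of the list down
        for value in candidates:
            if fnmatchcase(value.lower(), pattern.lower()):
                # Incident text follows the SENDER=<filter> form from Reporting.
                return action, "SENDER=" + pattern
    return None, None


# Order from the procedure: exception first, domain filter directly beneath.
CORRECT = [("someone@example.com", SKIP), ("*@example.com", PURGE)]
# Same filters with the domain filter on top (the ordering the Note warns about).
MISORDERED = [("*@example.com", PURGE), ("someone@example.com", SKIP)]

if __name__ == "__main__":
    # Constructed senders: (display name, e-mail address).
    senders = [("Some One", "someone@example.com"),
               ("Other User", "other@example.com"),
               ("Partner", "partner@example.org")]
    for label, flist in [("correct", CORRECT), ("misordered", MISORDERED)]:
        for name, addr in senders:
            print(label, addr, "->", evaluate(flist, name, addr))
```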

International character sets

Support for file filtering by name in Forefront Security for Exchange Server extends beyond the English character set. For example, messages with an attachment that includes Japanese characters, words, or phrases are handled in the same manner as English character sets.

Reporting

Messages that are filtered because of sender-domains or subject line filtering are reported in the Incidents log under the Virus or Filter heading. Messages filtered because of sender-domains matches are noted as SENDER=<filter>, and subject line matches will be reported as SUBJECT=<filter>. For activity and Incidents logs, no file name is indicated. In the quarantine area, the body and each attachment is quarantined with the sender-domains or subject line filter indicated.

Filter set templates

Filter set templates can be created for use with any Forefront Security for Exchange Server scan job. A single filter set template can be associated with any or all of the scan jobs and administrators can also create multiple filter set templates for use on different servers or different scan jobs.

Creating a filter set template

Start by creating a filter set template.

To create a filter set template

  1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.

  2. Click File, select Templates, and then click New. The New Template dialog box appears.

  3. Select Filter Set, enter a name for it, and then click OK. The name has a maximum of 19 characters. Your new filter set template now appears in the list in the top pane, ready to be configured.

Configuring a filter set template

After you have created a filter set template, you must configure it.

To configure a filter set template

  1. In the FILTERING section of the Shuttle Navigator, click File or Content. The File Filtering or Content Filtering work pane appears.

  2. In the upper pane, select the name of the filter set template to be configured.

  3. Using the Add button, add a File Filter or a Content Filter, and then specify the criteria for that filter. You may create multiple filters within a filter set template. A filter set template may contain a combination of file filters and content filters.

  4. Click Save to save your work.

Associating a filter set template with a scan job

After you have created and configured a filter set template, associate it with a scan job. During scanning, Forefront Security for Exchange Server uses the filter set template configuration first and then uses any other filter setting you have specified when setting up the scan job.

To associate a filter set template with a scan job

  1. In the SETTINGS section of the Shuttle Navigator, select Templates.

  2. Select a scan job in the Job List.

  3. Select the filter set template that you want to associate with the job from the Filter Set list in the lower pane. You can associate a single filter set template with a scan job. If you are unsure about the contents of the filter set template, click View Filter Set. Click the left arrow button at the bottom of the pane when you are finished viewing the contents.

  4. Click Save. The filter set template is now associated with that scan job. During scanning, FSE uses the filter set template configuration first and then any other filter settings that you specified when setting up the scan job.

Note

To cancel the association, repeat the preceding steps and select None from the Filter Set list (or select a different filter set template).

Editing a filter set template

You can modify the settings in a filter set template.

To edit a filter set template

  1. In the FILTERING section of the Shuttle Navigator, click File or Content. The File Filtering or Content Filtering work pane appears.

  2. In the upper pane, select the filter set template.

  3. In the lower pane, select the filter whose configuration you want to modify.

  4. Click Edit and make your changes.

  5. Click Save to save your changes.

Note

File filters that you created are displayed in the File Names section and can be modified. Filter set templates are also displayed; however, they cannot be selected for modification in the File Names section. To modify a filter set template, you must select its template in the upper pane. When a filter set template is assigned to a scan job, the contents of the filter set are not visible in the UI unless View Templates is selected in the File option of the menu bar.

Deleting a filter set template

You can delete a filter set template.

To delete a filter set template

  1. If the filter set template has been associated with a scan job, you have to remove the association. Follow the directions in Associating a Filter Set Template With a Scan Job and either reset the association to None or select a different filter set template for the association.

  2. In the job list of the Template Settings work pane, select the filter set.

  3. Click File, click Templates, and then click Delete.

  4. Confirm the deletion request.

Renaming a filter set template

You can rename a filter set template.

To rename a filter set template

  1. In the job list of the Template Settings work pane, select the filter set.

  2. Click File, select Templates, and then click Rename. The Rename Template dialog box appears.

  3. Type the template's new name. The name has a maximum of 19 characters.

  4. Click OK.

Distributing filter set templates to remote servers

Filter set templates can be distributed to remote servers using a deployment job in the Microsoft Forefront Server Security Management Console (FSSMC). For more information about using the FSSMC, refer to the "Microsoft Forefront Server Security Management Console User Guide".

You can also use FSCStarter from a command prompt to manually install filter set templates on remote servers.

The syntax of FSCStarter is:

FSCStarter t[options] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them to the named server.

For complete FSCStarter instructions, see "Deploying named templates" in Templates.

For example, to update the content filter settings on server1, you would enter:

FSCStarter tc \server1