
Chapter 13 - Using content filtering

 

Applies to: Microsoft Antigen

Topic Last Modified: 2008-01-28

Content filtering provides another tool to help manage the flow of messages entering and exiting your business's mail stream. Content filtering enables you to filter messages by using a variety of filtering tools. These include:

  • Sender-domains filtering
  • Subject line filtering
  • Filter set templates (which simplify the creation and management of file and content filters across all scan jobs)

You can enable inbound or outbound content filtering for the Internet Scan Job by using these registry keys:

  • DisableOutboundContentFiltering
  • DisableInboundContentFiltering

Both keys are set to 0 (disabled) by default. To enable each key, set its value to 1. After changing these settings, the Microsoft® Exchange Server and Antigen services must be recycled for the changes to take effect. (For more information on Antigen registry settings, see Appendix B - Setting registry values.)

If you route e-mail messages through SMTP Gateway servers in your environment and run Antigen on your Exchange servers, enter the IP addresses of your Gateway servers in the SMTP External Hosts setting under General Options. This ensures that Antigen and the Antigen Spam Manager treat all mail routed through the Gateway servers as inbound mail rather than internal mail. For more information on this setting, see Chapter 4 - Using the Antigen Administrator.

Sender-domains filtering lets you filter messages from particular senders or domains. Wildcard characters are supported; for example, the filter *@domain.com filters all mail from that domain.

Note:
Sender-domains filtering applies only to the From field in a message. It cannot be used for the To field.

To configure sender-domains filtering
  1. Click FILTERING in the Shuttle Navigator.

  2. Select the Content icon. The Content Filtering pane appears on the right.

  3. In the upper work pane, select the scan job for which you would like to create a content filter.

  4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane.

  5. A text box appears. Type the sender or domain that you would like to filter. If you want to use a generic domain name filter, you must place an asterisk (*) wildcard character before the domain name.

    Examples:

    A generic domain: *@domain.com

    A specific sender: someone@domain.com

  6. Press ENTER after you have typed the sender or domain. You can add as many entries as you want, but each must be entered separately.

  7. Set the Filter field to Enabled.

  8. Indicate the Action to take if there is a filter match.

  9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (located under REPORT in the Shuttle Navigator) will be sent a notification that a message was filtered. You must also configure the notifications themselves (see Chapter 18 - Using e-mail notifications).

  10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  11. Click Save.

Note:
The Realtime Scan Job will look at both the display name and the e-mail address of the sender to match against sender-domains filters. It will apply the filter against the display name of the mailbox first. If the display name and e-mail address are different, Antigen will also apply the filter against the e-mail address. If either matches, the filter action will be taken. If you do not want to filter against e-mail addresses, set the registry value ContentFilterSMTPAddress to zero (0).
The SMTP Scan Job will use the display name of the sender to match against sender-domains filters. If there is no display name in the header, the SMTP Scan Job will fall back to use the e-mail address to match against the filter.
You can also create a filter list that contains multiple sender-domains. For more information, see Creating content filter lists.
You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.

Subject line filtering lets you filter messages based on the content of the subject line of the message. Wildcard characters can be used.

To configure subject line filtering
  1. Click FILTERING in the Shuttle Navigator.

  2. Select the Content icon. The Content Filtering pane appears on the right.

  3. In the upper work pane, select the scan job for which you would like to create a content filter.

  4. Select Subject Lines in the Content Fields pane in the lower-left corner, and then click the Add button in the Content Filters pane.

  5. A text box appears. Type in the content that you would like to filter.

  6. Press ENTER after you have typed the content. You can add as many entries as you want, but each must be entered separately.

  7. Set the Filter field to Enabled.

  8. Indicate the Action to take if there is a filter match.

  9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (located under REPORT in the Shuttle Navigator) will be sent a notification that a message was filtered. You must also configure the notifications themselves (see Chapter 18 - Using e-mail notifications).

  10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  11. Click Save.

Note:
You can also create a filter list that contains multiple subject lines. For more information, see Creating content filter lists.

If you are entering a partial subject line as a filter, it is recommended that you use asterisk wildcard characters (*) at the beginning and the end of the phrase to ensure proper detection. For example:

  • The filter “get rich quick” will filter messages that contain only the target phrase in the subject line.
  • The filter “* get rich quick” will filter messages that contain the target phrase and any phrase that ends with the target phrase in the subject line.
  • The filter “* get rich quick *” will filter messages that contain the target phrase anywhere in the subject line.

You can use the following syntax to refine your filters:

 

Syntax: *
    Match any number of characters in a file name. You can use multiple asterisks. Examples:

    Single: any of these single-wildcard patterns would detect veryevil: veryevil*, very*, *il

    Multiple: any of these multiple-wildcard patterns would detect veryevil: V*r*v*l, *very*, *evil*

Syntax: ?
    Match any single character. This is useful because many malicious users insert extra characters between letters to evade filters. For example, you can filter C-O-N-T-E-S-T with the filter C?O?N?T?E?S?T.

Syntax: [set]
    A list of characters and ranges enclosed in square brackets, for example [abcdef]. Any single character in the specified set is matched.

    For example, a set is useful for creating a single rule that matches when the number zero (0) is used instead of the letter o: both ozone and oz0ne can be filtered using oz[o0]ne.

Syntax: [^set]
    Any single character that is not in the specified set is matched. Use it to exclude characters that you know are not used.

Syntax: range
    Indicates several possible values within a set. A range is specified by a starting character, a hyphen (-), and an ending character. For example, klez[ad-gp] matches kleza, klezd, kleze, klezf, klezg, and klezp, but not klezb or klezr.

Syntax: \char
    Indicates that a special character is used literally (the special characters are * ? [ ] - ^ < >). The backslash is called an escape character; it indicates that a reserved control character should be taken literally, as a text character.

    For example, if you enter *hello*, you would usually expect to match hello anywhere in the file name. If you enter *\*hello\**, you match *hello*. If you enter *\*hello\?\**, you match *hello?*.

Note:
You must use a backslash before each special character.

You will also need to select the action that Antigen should take when it detects a match to your filter criteria.

Note:
You must set the action for each file filter you configure. The action setting is not global.

 

Action: Skip: Detect Only
    Records the number of messages that meet the filter criteria, but allows messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Action: Purge: Eliminate Message
    Deletes the message from your mail system. When you select this option, a warning will appear informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

    Note:
    If you are running Microsoft Exchange 2000 Server with VSAPI 2.0, the Realtime scanner can purge only outbound messages, but the SMTP Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime scanner is available when running VSAPI 2.5. If a message that matches a content filter is found in the Inbox (inbound), Antigen will delete any attachments and the message body. If there are no attachments to the message body, Antigen will take no action. In either case, the UI will report the message as Detected.

Action: Identify: Tag message
    The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking Tag Text on the Scan Job Settings work pane and modifying the text. The same tag, however, will be used for all filters associated with the particular scan job.

    When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 server, the Tag Message action also lets you set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

You can create a content list that contains multiple content filters (sender-domains or subject lines). After you have created the list, the steps for configuring the filter list are the same as in the preceding procedures, except that you must select the filter list rather than a filter name.

To create a content filter list
  1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator.

  2. In the List Types section, select Subject Lines or Sender-Domains.

  3. In the List Names section, click Add.

  4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

  5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to add items to the list.

  6. In the Include In Filter section, click Add.

  7. Type the data to be included in the filter list. The type of data that you add depends on the type of filter list that you selected. For Subject Lines, add text that might appear in the subject line of a message. For Sender-Domains, add specific senders or generalized domains. Press ENTER when you have finished typing. You can have as many words or phrases as you want, but each must be entered separately.

    The Exclude from Filter field is used to enter data that should never be included on the relevant list. This prevents these entries from being accidentally added when importing a list from a text file. For more information on importing files, see Importing new items into a filter list.

  8. When you are finished adding items, click OK. The information that you just entered appears, alphabetically, in the pane next to List Names.

  9. Click Save.

Note:
You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Filter lists can be created offline in Notepad or in a similar text editor, and then imported into the appropriate filter list by using the Antigen Administrator.

To create and import entries into a filter list
  1. Create a list and then save it as a text file. Place each filter on its own line in the file.

  2. Open the Antigen Administrator and click Filter Lists on the FILTERING area of the Shuttle Navigator.

  3. Select the filter list into which you will be importing data.

  4. Click the Edit button. The Edit Filter List dialog box appears.

  5. Click the Import button. A File Explorer window will open so that you can navigate to the text file that you created in step 1.

  6. Select the file and click Open.

  7. The file will be imported into the middle pane of the Import List editor so that you can select the entries that you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section, or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.

  8. When you have moved all of the desired items, click OK.

  9. Click Save.

The command line utility ExportLists facilitates the export of sender-domains filters, file filters, and subject line filters. Exported files are saved as text files that can then be imported into Antigen using the import function.

To export files from Antigen
  1. From the DOS command prompt, change directories until you are in the Antigen installation folder.

  2. Enter ExportLists [-s ServerName] [-o OutputDirectory], and then press ENTER.

    ServerName is the name of the server from which you are exporting the files, and OutputDirectory is the directory where you would like the exported files saved.

    If no ServerName is entered, the utility defaults to the current server. Note that the system that this is executed on must have the same username and password as the system from which the lists are retrieved.

    If no OutputDirectory is entered, that field defaults to the current directory.

    A file will be created for each scan job and template that contains any file, sender, or subject line entries. The format of the files is as follows:

    scanjobname-FILES.txt

    templatename Template-FILES.txt

    Where scanjobname is the actual scan job name and templatename is the actual template name.

  3. Import the text files into Antigen by using the Import function described in Importing new items into a filter list.

This section describes how to configure Antigen to filter mail from all users in a domain except for specific users in that domain.

To filter mail from all users in a domain except for specific users
  1. Click FILTERING in the Shuttle Navigator.

  2. Select the Content icon. The Content Filtering work pane appears to the right.

  3. In the upper work pane, select the scan job for which you would like to create a content filter.

  4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane.

  5. Type the e-mail address of a specific user whose mail you do not want filtered. For example, type user_name@domain_name.com, and then press ENTER.

  6. Set the Action to Skip: detect only.

    Note:
    You can add multiple e-mail addresses, but each one must be entered separately. Repeat steps 5 and 6 if you want to add more e-mail addresses whose mail you do not want filtered.
  7. Under Content Filters, click Add.

  8. Type the name of the domain that you want filtered. When you type the domain name, include the asterisk (*) wildcard character. For example, type *@domain_name.com.

    Note:
    Make sure that you add the filter for the domain name directly underneath the filter for the specific users whose mail you do not want filtered. Antigen works from the top of the list down.
  9. Set the Action to Purge: Eliminate Message.

  10. Click Save.
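The wildcard syntax described earlier and the top-down ordering rule in this procedure, shown together as an added Python example that is not Antigen's own code: it translates the page's pattern syntax (* ? [set] [^set] ranges \char) into a regular expression, checks the page's own examples (veryevil, C?O?N?T?E?S?T, oz[o0]ne, klez[ad-gp], *\*hello\**) against it, and walks an ordered sender-domains list from the top. It assumes that matching is whole-field and case-insensitive (as V*r*v*l detecting veryevil implies) and that the first matching entry decides the action; the translation, the sample filter list and that first-match rule are the example's own constructions.

```python
import re

# Characters the page lists as special; a backslash before any of them makes it literal.
SPECIAL = set("*?[]-^<>")


def _parse_set(pattern, i):
    """Translate a [set] or [^set] starting at pattern[i] == '['; return (regex, next index)."""
    j = i + 1
    negate = j < len(pattern) and pattern[j] == "^"
    if negate:
        j += 1
    parts = []
    while j < len(pattern) and pattern[j] != "]":
        if pattern[j] == "\\" and j + 1 < len(pattern):  # escaped literal inside the set
            parts.append(re.escape(pattern[j + 1]))
            j += 2
        else:  # keep a bare '-' so ranges such as d-g survive
            parts.append("-" if pattern[j] == "-" else re.escape(pattern[j]))
            j += 1
    if j >= len(pattern) or not parts:
        raise ValueError("unterminated or empty [set] in pattern: %r" % pattern)
    return "[" + ("^" if negate else "") + "".join(parts) + "]", j + 1


def antigen_to_regex(pattern):
    """Translate the page's wildcard syntax (* ? [set] [^set] ranges \\char) into a regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in SPECIAL:
            out.append(re.escape(pattern[i + 1]))  # \* \? \[ ... are taken literally
            i += 2
        elif c == "*":
            out.append(".*")  # any number of characters
            i += 1
        elif c == "?":
            out.append(".")  # exactly one character
            i += 1
        elif c == "[":
            piece, i = _parse_set(pattern, i)
            out.append(piece)
        else:
            out.append(re.escape(c))  # anything else is literal text
            i += 1
    return "".join(out)


def matches(pattern, text):
    """Whole-field, case-insensitive match, as the page's examples imply (V*r*v*l detects veryevil)."""
    return re.fullmatch(antigen_to_regex(pattern), text, re.IGNORECASE | re.DOTALL) is not None


def first_matching_action(filters, sender):
    """Walk an ordered sender-domains list top-down; the first match decides the action.
    Assumption: that first-match rule is what the note about placing per-user Skip
    entries above the *@domain entry relies on."""
    for pattern, action in filters:
        if matches(pattern, sender):
            return action
    return None


# Constructed sample mirroring the "all users in a domain except specific users" procedure.
ALLOW_THEN_PURGE = [
    ("user_name@domain_name.com", "Skip: Detect Only"),
    ("*@domain_name.com", "Purge: Eliminate Message"),
]
```

Reversing ALLOW_THEN_PURGE makes the *@domain_name.com entry win for every sender, which is the misconfiguration the note about list order warns against.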

When you are using the content filter in conjunction with the SMTP Scan Job, you can configure a filter so that it checks only inbound or outbound e-mail. This is accomplished by adding a prefix to the file name when entering it in the Filter Names work pane.

Note:
There are no spaces between the prefix and the file name.

Inbound Filtering—Prefixing the file name with the <in> directive instructs Antigen to apply the filter only to inbound messages.

<in>filename

Outbound Filtering—Prefixing the file name with the <out> directive instructs Antigen to apply the filter only to outbound messages.

<out>filename

Inbound, Outbound, and Internal Filtering—If no prefix is appended to the filename, the filter is applied to all messages, regardless of direction.

filename

Support for content filtering within Antigen extends beyond the English character set. For example, messages with attachments or subject lines that include Japanese characters, words, or phrases are handled in the same manner as messages with attachments or subject lines that use only English character sets.

Messages that are filtered because of sender-domains filtering or subject line filtering will be reported in the Virus Incidents log under the Virus or Filter header. Messages filtered because of sender-domains matches will be noted as SENDER=<filter>, and subject line matches will be reported as SUBJECT=<filter>. For activity and Virus Incidents logs, no file name will be indicated. In the quarantine area, the body and each attachment will be quarantined with the sender-domains or subject line filter indicated.

Filter set templates can be created for use with any Antigen scan job. A single filter set template can be associated with any or all of the scan jobs. You can also create multiple filter set templates for use on different servers or different scan jobs.

Start by creating a filter set template.

To create a filter set template
  1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.

  2. Click File, select Templates, and then click New. The New Template dialog box appears.

  3. Select Filter Set, enter a name for it, and then click OK. Your new filter set template now appears in the list in the top pane, ready to be configured.

After you have created a filter set template, you must configure it.

To configure a filter set template
  1. Click File or Content in the FILTERING shuttle. The File Filtering or Content Filtering work pane appears.

  2. Select the name of the filter set template to be configured in the upper pane.

  3. Using the Add button, add a file filter or a content filter, and then specify the criteria for that filter. You can create multiple filters within a filter set template. A filter set template can contain a combination of file filters and content filters.

  4. Click Save.

After you have created and configured a filter set template, associate it with a scan job. During scanning, Antigen will use the filter set template configuration first, and will then use any other filter setting that you have specified when setting up the scan job.

To associate a filter set template with a scan job
  1. Select Templates in the SETTINGS shuttle.

  2. Select a scan job in the Job List.

  3. Select the filter set template that you want to associate with the job from the Filter Set list in the lower pane. You can associate a single filter set template with a scan job. If you are not sure about the contents of the filter set template, click View Filter Set. Click the left arrow button at the bottom of the pane when you have finished viewing the contents.

  4. Click Save. The filter set template is now associated with that scan job. During scanning, Antigen will use the filter set template configuration first, and then will use any other filter settings that you specified when setting up the scan job.

Note:
To cancel the association, repeat the preceding steps, and then select None from the Filter Set list (or select a different filter set template).

You can modify the settings in a filter set template.

To edit a filter set template
  1. Click File or Content in the FILTERING shuttle. The File Filtering or Content Filtering work pane appears.

  2. Select the filter set template in the upper pane.

  3. Select the filter whose configuration you want to modify in the lower pane.

  4. Click Edit, and then make your changes.

  5. Click Save.

Note:
File filters that you created are displayed in the File Names section and can be modified. Filter set templates are also displayed; however, they cannot be selected for modification in the File Names section. To modify a filter set template, you must select its template in the upper pane. When a filter set template is assigned to a scan job, the contents of the filter set template will not be visible unless View Templates is selected in the File option of the menu bar.

You can delete a filter set template.

To delete a filter set template
  1. If the filter set template has been associated with a scan job, you must remove the association. Follow the directions in Associating a filter set template with a scan job, and either reset the association to None or select a different filter set template for the association.

  2. Select the filter set template in the Job List of the Template Settings work pane.

  3. Click File, click Templates, and then click Delete.

  4. Confirm the deletion request.

You can rename a filter set template.

To rename a filter set template
  1. Select the filter set template in the Job List of the Template Settings work pane.

  2. Click File, click Templates, and then click Rename. The Rename Template dialog box appears.

  3. Type the new name of the template.

  4. Click OK.

Filter set templates can be distributed to remote servers by using the deploy template feature of the Antigen Enterprise Manager (AEM). For more information about using the AEM, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

You can also use the AntigenStarter from the command prompt to manually install filter set templates on remote servers.

The syntax of AntigenStarter is:

AntigenStarter t[options] [\servername]

The t parameter instructs AntigenStarter to read the settings in the Template.adb file and apply them to the named server.

For complete instructions about AntigenStarter, see “Deploying named templates” in Chapter 11 - Using templates.

For example, to update the content filter settings on server1, you would enter:

AntigenStarter tc \server1

 

© 2014 Microsoft