Troubleshooting spam levels too high

This topic provides guidance for diagnosing and resolving issues you may encounter when spam levels are too high. Forefront TMG uses the capabilities of Forefront Protection 2010 for Exchange Server (FPE) and the anti-spam technology built into the Exchange Edge Transport server to provide anti-spam protection. FPE also provides anti-malware protection and content filtering so that keywords and phrases can be used to block inappropriate content.

Subscribing the Exchange Edge component on the TMG firewall to your organization (an Edge Subscription) allows you, among other things, to filter recipients so that e-mail addressed to users who are not in your organization is rejected at the e-mail gateway. For more information, see Planning to protect against e-mail threats and Configuring protection from e-mail-based threats.

Flowchart for troubleshooting spam levels too high

This flowchart guides you through the steps that are required for troubleshooting when spam levels are too high.

[Flowchart: Spam levels too high troubleshooting flow]

Procedures for troubleshooting spam levels too high

The following procedures describe the steps you might need to take when you use the flowchart to troubleshoot spam levels that are too high:

  • How to back up Exchange and FPE configuration

  • How to verify that E-Mail Policy Integration Mode is enabled

  • How to check that spam filtering is enabled

  • How to configure spam filtering for a specific IP address

  • How to configure spam filtering from specific users

  • How to configure Block List Providers

  • How to enable DNSBL

  • How to configure Backscatter Filtering

  • How to configure Recipient Filtering

  • How to configure Content Filtering

  • How to configure Sender Reputation Filtering

  • How to check that Message Body Filtering is enabled

  • How to check that File Filtering is enabled

How to back up Exchange and FPE configuration

Before you change anything, back up the Forefront Protection 2010 for Exchange Server (FPE) configuration and the Exchange Edge configuration on each array member, so that a filter change that blocks legitimate mail can be rolled back.

To back up Exchange and FPE configuration:

  1. On each array member, follow the recommended backup and restore procedures for Forefront Protection 2010 for Exchange Server (FPE). See Backing up and restoring.

  2. Back up the Exchange Edge configuration:

    1. Copy the ExportEdgeConfig.ps1 script to the root folder of your user profile on the server that you are backing up. The ExportEdgeConfig.ps1 script is located in the \Scripts folder in your Exchange installation folder. The default location for this folder is C:\Program Files\Microsoft\Exchange Server\Scripts.

    2. Capture the configuration with the ExportEdgeConfig.ps1 script by running the following command in the Exchange Management Shell:

      ./ExportEdgeConfig -cloneConfigData:"C:\CloneConfigData.xml"

      Note

      Replace C:\CloneConfigData.xml with the full path of the XML backup file to be created by the ExportEdgeConfig.ps1 script.

      The confirmation message, "Edge configuration data is exported successfully to: C:/CloneConfigData.xml," appears.

    3. Copy the output file to a secure location.
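The following PowerShell script is an added example, not part of the original topic, that performs the Exchange Edge export above on one array member and adds two checks a practitioner wants: that the export file actually exists, and a SHA-256 hash written beside it so that a later restore can verify the file was not altered. The Exchange installation path is the default given above; the destination share \\backup01\edgeconfig$ and the file naming are assumptions. Run it in the Exchange Management Shell on each array member.

```powershell
# Added example (not from the original topic): back up the Exchange Edge
# configuration on one array member with a timestamped file name, record a
# SHA-256 hash of the export, and copy both to a secure location.
# Assumptions: the default Exchange install folder below, the backup share
# \\backup01\edgeconfig$, and that this runs in the Exchange Management Shell.

$exchangeScripts = 'C:\Program Files\Microsoft\Exchange Server\Scripts'
$backupShare     = '\\backup01\edgeconfig$'          # assumed secure destination
$stamp           = Get-Date -Format 'yyyyMMdd-HHmmss'
$localFile       = Join-Path $env:USERPROFILE ("EdgeConfig-{0}-{1}.xml" -f $env:COMPUTERNAME, $stamp)

# The topic copies the script to the user profile first; calling it by its full
# path in the Scripts folder produces the same export.
& (Join-Path $exchangeScripts 'ExportEdgeConfig.ps1') -cloneConfigData:$localFile

if (-not (Test-Path $localFile)) {
    throw "ExportEdgeConfig.ps1 did not produce $localFile; check the Exchange Management Shell output"
}

# Hash the export so a restore can verify it. SHA256Managed is used rather than
# Get-FileHash because Forefront TMG-era servers run PowerShell 2.0, which lacks it.
$sha    = New-Object System.Security.Cryptography.SHA256Managed
$stream = [System.IO.File]::OpenRead($localFile)
try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $stream.Close() }
"$hash  $(Split-Path $localFile -Leaf)" | Out-File -Encoding ascii "$localFile.sha256"

# The export describes the server's transport configuration, so treat the copy
# with the same care as any other configuration backup.
Copy-Item $localFile, "$localFile.sha256" -Destination $backupShare
Write-Host "Exported $localFile (SHA-256 $hash) and copied it to $backupShare"
```

To verify a copy later, recompute the hash of the XML file the same way and compare it with the contents of the .sha256 file before you pass it to ImportEdgeConfig.ps1.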

How to verify that E-Mail Policy Integration Mode is enabled

To verify that E-Mail Policy Integration Mode is enabled:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the E-Mail Policy tab.

  3. On the Tasks tab, click Edit Filter.

  4. Check that E-Mail Policy Integration Mode is Enabled.

  5. If it is Disabled, enable it: in the tree, click the Troubleshooting node, and then on the Tasks tab, click Control E-Mail Policy Configuration Integration and select Enabled from the Status drop-down list. While integration mode is disabled, settings made in the E-Mail Policy node are not applied to Exchange Edge and FPE on the array members, so the remaining procedures have no effect until this is fixed.

How to check that spam filtering is enabled

For more information, see Configuring spam filtering.

To check if spam filtering is enabled:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the E-Mail Policy Settings area, check if Spam Filtering is Enabled.

  3. If spam filtering is Disabled, enable it by clicking Disabled and then selecting Enabled from the Status drop-down list, or in the Tasks pane of the Spam Filtering tab, click Enable Spam Filtering.

  4. To check which spam filters are enabled, in the details pane, click the Spam Filtering tab.
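As an added example (not from the original topic), the following PowerShell function audits, on one array member, the anti-spam transport agents and filter configuration that the procedures in this topic (IP Block List, Block List Providers, Sender Filtering, Recipient Filtering, Content Filtering, and Sender Reputation) are supposed to enable. It is read-only: with E-Mail Policy Integration Mode enabled, Forefront TMG pushes the policy to Exchange, so the TMG console is the place to change anything, and this script tells you whether the policy actually landed on the server. Run it in the Exchange Management Shell on the array member. The cmdlets are the standard Exchange Edge Transport anti-spam cmdlets; which conditions are reported as warnings is an editorial choice, not a setting from the page.

```powershell
# Added example (not from the original topic): read-only audit of the anti-spam
# agents and filter settings on one Edge array member. Run in the Exchange
# Management Shell on that server. Make changes in the TMG console, not here;
# with E-Mail Policy Integration Mode enabled TMG may overwrite direct edits.

function Get-EdgeAntispamAudit {
    $agents   = Get-TransportAgent
    $findings = @()

    # A filter whose transport agent is missing or disabled is a no-op no matter
    # what its own configuration says, so check the agents first.
    foreach ($name in 'Connection Filtering Agent', 'Sender Filter Agent',
                      'Recipient Filter Agent', 'Content Filter Agent',
                      'Protocol Analysis Agent') {
        $a = $agents | Where-Object { "$($_.Identity)" -eq $name }
        if (-not $a)             { $findings += "MISSING  $name" }
        elseif (-not $a.Enabled) { $findings += "DISABLED $name" }
    }

    $ipBlock = Get-IPBlockListConfig
    $provCfg = Get-IPBlockListProvidersConfig
    $senders = Get-SenderFilterConfig
    $rcpt    = Get-RecipientFilterConfig
    $content = Get-ContentFilterConfig
    $rep     = Get-SenderReputationConfig

    if (-not $ipBlock.Enabled) { $findings += 'DISABLED IP Block List' }

    if (-not $provCfg.Enabled) { $findings += 'DISABLED IP Block List Providers' }
    elseif (-not (Get-IPBlockListProvider | Where-Object { $_.Enabled })) {
        $findings += 'WARN     IP Block List Providers enabled but no active provider is configured'
    }

    if (-not $senders.Enabled) { $findings += 'DISABLED Sender Filtering' }

    if (-not $rcpt.Enabled) { $findings += 'DISABLED Recipient Filtering' }
    elseif (-not $rcpt.RecipientValidationEnabled) {
        # Corresponds to "Block messages sent to recipients not listed in the
        # Global Address List"; it needs an Edge Subscription to work.
        $findings += 'WARN     Recipient Filtering does not reject recipients missing from the GAL'
    }

    if (-not $content.Enabled) { $findings += 'DISABLED Content Filtering' }
    elseif (-not ($content.SCLRejectEnabled -or $content.SCLDeleteEnabled -or $content.SCLQuarantineEnabled)) {
        # The filter stamps an SCL on every message but never acts on it.
        $findings += 'WARN     Content Filtering has no SCL threshold action enabled'
    }

    if (-not $rep.Enabled) { $findings += 'DISABLED Sender Reputation' }
    elseif (-not $rep.SenderBlockingEnabled) {
        $findings += 'WARN     Sender Reputation scores senders but sender blocking is off'
    }

    if ($findings.Count -eq 0) { 'OK: all anti-spam agents and filters are enabled' }
    else { $findings }
}

Get-EdgeAntispamAudit
```

Run the function on every array member; a filter that is enabled in the TMG console but reported DISABLED here points at an integration problem (see the E-Mail Policy Integration Mode procedure) rather than at the filter settings themselves.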

How to configure spam filtering for a specific IP address

Check whether the spam originates from a specific IP address or range, and use the IP Block List feature to block it. Set an expiration for addresses that are likely to be reassigned (dynamic ranges, or a compromised host that will be cleaned up) so that the entry does not outlive the problem and later block a legitimate sender.

To configure spam filtering for a specific IP address:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the Spam Filtering tab.

  3. Click IP Block List, and on the General tab, verify that Status is set to Enabled.

  4. On the Blocked Addresses tab, click Add, and type an IP address or a range of IP addresses to block. If you want to set an expiration date, under Expiration, click Block until date and time and select a date and time.

  5. Click OK to add the blocked addresses to the Blocked Addresses list.

  6. Repeat the steps above to add additional blocked IP addresses.

  7. Click OK. To save your changes, on the Apply Changes bar, click Apply.

How to configure spam filtering from specific users

Check whether the spam originates from a specific sender or sender domain. Use the Sender Filtering feature to block those senders: add the relevant senders to the Sender filter, and configure the action to be taken when a sender matches the list. Sender Filtering matches the envelope sender (MAIL FROM) address, which spammers forge freely, so treat it as a short-term measure and rely on the IP Block List, block list providers, and Sender Reputation for persistent sources.

To configure spam filtering from specific users:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the Spam Filtering tab.

  3. Click Sender Filtering, and on the General tab, verify that Status is set to Enabled.

  4. On the Blocked Senders tab, click Add.

  5. To block a specific sender, select the Individual e-mail address option, and then type the e-mail address in the text box (for example, kim@contoso.com).

  6. To block the whole user domain, select Domain option, and then type the domain address in the text box (for example contoso.com). To include subdomains check Including subdomains checkbox.

  7. Repeat the steps above to block additional senders.

  8. On the Action tab, select the action to take when the message is generated from a sender on the Blocked Senders list.

  9. To save your changes, click OK, and then on the Apply Changes bar, click Apply.
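The two procedures above tell you what to block but not how to find the source. The following PowerShell function, an added example that is not part of the original topic, summarizes the anti-spam agent log on one array member for the last 24 hours so that the connecting IP addresses and envelope senders behind a spam wave stand out. Add the results through the TMG console as described above rather than with Add-IPBlockListEntry or Set-SenderFilterConfig on the Edge server, because with E-Mail Policy Integration Mode enabled TMG owns that configuration. Get-AgentLog and the agent log fields used (Agent, Action, IPAddress, P1FromAddress) are standard Exchange Edge Transport features; the 24-hour window and the -Top value are illustrative assumptions. Run it in the Exchange Management Shell on the array member.

```powershell
# Added example (not from the original topic): summarize recent anti-spam agent
# activity on one Edge array member to find the IPs and envelope senders behind
# a spam wave. The agent log only records actions the agents took, so these
# counts show what the filters are already catching and who is driving it.
# Assumptions: the 24-hour window and Top 10 cut-off.

function Get-SpamSourceSummary {
    param([int]$Hours = 24, [int]$Top = 10)

    $end   = Get-Date
    $start = $end.AddHours(-$Hours)
    $log   = Get-AgentLog -StartDate $start -EndDate $end

    # Which agents and actions are carrying the load (for example, how much is
    # rejected by Connection Filtering versus stamped by Content Filtering).
    $byAgent = $log | Group-Object Agent, Action | Sort-Object Count -Descending |
        Select-Object Count, Name

    # Connecting IPs with the most agent actions: candidates for the IP Block List.
    $byIp = $log | Where-Object { $_.IPAddress } |
        Group-Object IPAddress | Sort-Object Count -Descending |
        Select-Object Count, Name -First $Top

    # Envelope (MAIL FROM) senders: candidates for Sender Filtering. This address
    # is trivially forged, so a single address is weak evidence; prefer the domain
    # or the IP where the pattern allows.
    $bySender = $log | Where-Object { $_.P1FromAddress } |
        Group-Object P1FromAddress | Sort-Object Count -Descending |
        Select-Object Count, Name -First $Top

    # Sender domains, which map to the Domain option (optionally with subdomains).
    $byDomain = $log | Where-Object { "$($_.P1FromAddress)" -like '*@*' } |
        ForEach-Object { ("$($_.P1FromAddress)" -split '@')[-1].ToLower() } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name -First $Top

    New-Object PSObject -Property @{
        Window     = "$start to $end"
        ByAgent    = $byAgent
        TopIPs     = $byIp
        TopSenders = $bySender
        TopDomains = $byDomain
    }
}

$summary = Get-SpamSourceSummary -Hours 24 -Top 10
'--- Window: ' + $summary.Window
'--- Agent / action counts ---'; $summary.ByAgent    | Format-Table -AutoSize
'--- Top connecting IPs ---';    $summary.TopIPs     | Format-Table -AutoSize
'--- Top envelope senders ---';  $summary.TopSenders | Format-Table -AutoSize
'--- Top sender domains ---';    $summary.TopDomains | Format-Table -AutoSize
```

An IP that appears at the top of the list with only Content Filtering actions is one the IP Block List and block list providers are letting through; that is the entry to add. An IP that is already being rejected by Connection Filtering is not the reason spam levels are high, even though it dominates the log.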

How to configure Block List Providers

To configure Block List Providers:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy, and then in the details pane, click the Spam Filtering tab.

  2. Click IP Block List Providers, and on the General tab, verify that Status is set to Enabled.

  3. On the Providers tab, click Add to add a new provider to the IP Block List providers.

  4. Enter the provider name and the DNS lookup domain (zone) that the provider publishes, and specify which return status codes count as a match. Use the provider's documented zone name exactly; a typo silently turns the check into a no-op, because every lookup then returns "not listed".

  5. On the Exceptions tab, click Add to add recipient addresses that should bypass the block list checks (for example, the postmaster and abuse mailboxes, which must accept mail from any source).

  6. Click OK, and to save your changes, on the Apply Changes bar, click Apply.

How to enable DNSBL

When the DNS block list (DNSBL) is enabled, FPE checks the IP address of the connecting MTA against the DNS block list maintained by Microsoft. On all array members, in the FPE Administrator Console, enable Forefront DNSBL checking and configure backscatter lists.

To enable DNSBL:

  1. In the FPE Administrator Console, select Policy Management > Antispam > Configure.

  2. Select Enable Forefront DNSBL checking.

  3. Click Save at the top of the pane to save your configuration.

How to configure Backscatter Filtering

To configure Backscatter Filtering:

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console Policy Management tree view, expand Antispam, and then click Configure.

  2. In the Antispam - Configure pane, in the Backscatter filter section, select the Enable Backscatter filtering check box.

    Important

    The Microsoft Exchange Transport service must be stopped and then started again for changes to this setting to take effect. Do not use the Restart function.

  3. To use Backscatter filtering, you need to enable the feature, configure optional domain exclude and reject lists, generate backscatter keys, and distribute the keys to all of your edge and hub servers that are protected by FPE. For more information, see Configuring backscatter filtering.

How to configure Recipient Filtering

Configure Recipient Filtering to reject mail to recipients who should not receive Internet mail (for example, internal-only distribution lists and groups) and, with an Edge Subscription in place, to recipients that do not exist in your organization. Rejecting invalid recipients during the SMTP session also avoids the backscatter (non-delivery reports sent to forged senders) that accepting such messages and bouncing them later would generate.

To configure Recipient Filtering:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the Spam Filtering tab.

  3. Click Recipient Filtering, and on the General tab, verify that Status is set to Enabled.

  4. On the Blocked Recipients tab, select the Block the following recipients check box.

  5. Click Add and type the SMTP address for a recipient, and then click OK to add that recipient to the Recipient Block list.

  6. To block messages to recipients that are not in your organization, select Block messages sent to recipients not listed in the Global Address List. (An Edge Subscription must be enabled so that the Edge server has a synchronized copy of the recipient list.)

  7. Click OK. To save your changes, on the Apply Changes bar, click Apply.

How to configure Content Filtering

Configure Content Filtering and add or revise custom words, exceptions and spam confidence level (SCL) thresholds.

To configure Content Filtering:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the Spam Filtering tab.

  3. Click Content Filtering, and on the General tab, verify that Status is set to Enabled.

  4. On the Custom Words tab, you can do the following:

    • To specify an Allow word or phrase, under Allow messages containing these words or phrases, click Add. Type a word or phrase that is not likely to be contained in spam messages, and then click OK.

    • To specify a Block word or phrase, under Block messages containing these words or phrases, click Add. Type a word or phrase that is likely to be contained in a spam message, and then click OK.

  5. To configure the spam confidence level (SCL) thresholds, click the SCL Thresholds tab, enable the content filter actions, and set the SCL thresholds as appropriate for your organization.

  6. Click OK. To save your changes, on the Apply Changes bar, click Apply.

How to configure Sender Reputation Filtering

Lower the sender reputation level (SRL) block threshold. The SRL is a score from 0 through 9 computed for each sender, where a higher value means the sender is more likely to be sending spam; senders whose SRL is at or above the block threshold are blocked for the configured period. Lowering the threshold blocks more senders and also raises the risk of blocking legitimate mail, so move it one step at a time and review the agent log after each change.

To configure Sender Reputation Filtering:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the Spam Filtering tab.

  3. Click Sender Reputation, and on the General tab, verify that Status is set to Enabled.

  4. On the Sender Confidence tab, select or clear the Perform an open proxy test when determining sender confidence level check box as appropriate.

  5. On the SRL Thresholds tab, drag the Sender Reputation Level Block Threshold slider to the required threshold.

  6. If needed, update the block period duration under Threshold Action.

  7. Click OK to save your changes, and then on the Apply Changes bar, click Apply.

How to check that Message Body Filtering is enabled

Check that Message Body Filtering is enabled. For more information, see Configuring content filtering.

To check that Message Body Filtering is enabled:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the Virus and Content Filtering tab, and then click Message Body Filtering.

  3. On the General tab of the Message Body Filtering properties, verify that Status is set to Enabled.

  4. On the Message Body Filters tab, click Add.

  5. On the General tab of the Message Body Filter properties, verify that the Enable this filter check box is selected. It is enabled by default.

  6. Under Filter name, type a name for this filter.

  7. Select the Action to take if there is a filter match:

    • Skip—Records the number of messages that meet the filter criteria, but enables messages to route normally.

    • Identify—Tags the subject line or message header of the detected message with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes.

    • Delete—Deletes the message body that matched the filter and replaces it with the deletion text; the rest of the message is delivered.

    • Purge—Deletes the message from your mail system.

  8. Select whether you want this filter to be applied to inbound messages, outbound messages, or both.

  9. On the Keywords tab, click Add and type the keywords you want to filter.

How to check that File Filtering is enabled

To check that File Filtering is enabled:

  1. In the Forefront TMG Management console, in the tree, click E-Mail Policy.

  2. In the details pane, click the Virus and Content Filtering tab, and then click File Filtering.

  3. On the General tab of the File Filtering properties, verify that Status is set to Enabled.

  4. On the File Filters tab, click Add.

  5. On the General tab of the File Filter properties, verify that the Enable this filter check box is selected. It is enabled by default.

  6. Under Filter name, type a name for this filter.

  7. Select the Action to take if there is a filter match:

    • Skip—Records the number of messages that meet the filter criteria, but enables messages to route normally.

    • Identify—Tags the subject line or message header of the detected message with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes.

    • Delete—Deletes the file attachment. The detected file attachment is removed from the message.

    • Purge—Deletes the message from your mail system.

  8. Select whether you want this filter to be applied to inbound messages, outbound messages, or both.

  9. On the File Types tab, select the file types that this filter should match for the file names specified on the File Names tab. You can select one or more file types from the list; to match any file type, click Select All. Matching on file type as well as on name catches attachments whose extension has been renamed to evade a name-only rule.

  10. On the File Names tab, click Add and type the name or extension of the file to be detected.