Configuring Content Filtering
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2006-08-02
This topic explains how to use the Exchange Management Console or the Exchange Management Shell to configure the Content Filter agent in Microsoft Exchange Server 2007. This topic also provides an introduction to configuration of the Content Filter agent. For more information about customized or advanced configuration, see the links in each section of this topic. For more information about how the Content Filter agent works, see Content Filtering.
To configure the Content Filter agent, you must follow these steps:
Enable the Content Filter agent.
Specify a spam quarantine mailbox.
Enable and configure the spam confidence level (SCL) thresholds and SCL threshold actions. These actions include deleting messages, rejecting messages, or quarantining messages.
Enable or disable puzzle validation.
Specify recipient and sender exceptions.
Configure Allow phrases and Block phrases.
Set the rejection response.
|Configuration changes that you make to the Content Filter agent by using the Exchange Management Console or the Exchange Management Shell are made only to the local computer that has the Edge Transport server role installed. If you have multiple instances of the Edge Transport server role running in your organization, you must configure the Content Filter agent on each computer.|
|Safelist aggregation is performed by the Content Filter agent. Safelist aggregation is likely the most effective way to reduce false positives. As its name suggests, this functionality collects data from the anti-spam safe lists that Microsoft Office Outlook and Outlook Web Access users configure and makes this data available to the anti-spam agents on the Edge Transport server in Exchange Server 2007. Although the Content Filter agent acts on the safelist aggregation configuration, you do not administer or configure safelist aggregation directly through the Content Filter agent. However, the Content Filter agent must be enabled for safelist aggregation to function. For more information, see How to Configure Safelist Aggregation.|
When the Content Filter agent is enabled on a computer, the Content Filter agent filters all messages that come through all Receive connectors on that computer. As noted earlier in this topic, only messages that come from external sources are filtered. External sources are defined as non-authenticated sources that are considered anonymous Internet sources.
For more information about how to configure Receive connectors and how message source categories are determined, see Receive Connectors.
As a best practice, you should not filter messages from trusted partners or from inside your organization. When you run anti-spam filters, there is always a chance that the filters will detect false positives. To reduce the chance of mishandling legitimate e-mail messages, you should enable anti-spam agents to run only on messages from potentially untrusted and unknown sources.
For more information about how to enable or disable content filtering, see How to Enable or Disable Content Filtering.
If you decide to enable the quarantine SCL threshold that is discussed in the next section, you must first configure the spam quarantine infrastructure. All messages that equal to or greater than the Spam Quarantine SCL threshold are sent to the SMTP address that you specify in this step. For more information, see Configuring and Managing Spam Quarantine.
After you set up the spam quarantine mailbox and infrastructure, you must specify the mailbox in the content filter configuration. The QuarantineMailbox parameter takes the Simple Mail Transfer Protocol (SMTP) address of the spam quarantine mailbox.
For more information about how to specify the spam quarantine mailbox, see How to Specify a Spam Quarantine Mailbox.
|By the nature of the spam quarantine feature, the IT administrator who is responsible for the spam quarantine mailbox can view potentially private and sensitive messages and send mail on behalf of anyone in the Exchange organization.|
As explained in Content Filtering, the SCL threshold is the value at which a particular message is identified as potential spam and is acted on. If you have enabled and configured all default anti-spam agents, the Content Filter agent is the last filter to scan incoming messages. Therefore, the settings of the SCL thresholds and threshold actions are very important. If you set the SCL thresholds too high, you may not reduce the spam that enters your organization. If you set the SCL thresholds too low, you risk filtering messages that come from legitimate users. For more information about how to plan an anti-spam strategy and how to optimize settings for the anti-spam agents, see Anti-Spam and Antivirus Functionality.
|After you configure the SCL thresholds, you should periodically monitor these settings and adjust them according to your organization's needs.|
You configure the Content Filter agent to act on messages according to their SCL rating. For example, you may determine that messages that have an SCL rating of 7 or greater must be deleted, whereas messages that have an SCL rating of 6 are rejected, and messages that have an SCL of 5 are quarantined. You can configure the Content Filter agent to take the following actions when a message exceeds different SCL ratings:
You can adjust the SCL threshold behavior by assigning different SCL ratings to each of these actions. You can set each SCL threshold action to a value between 0 and 9, where 0 is considered less likely to be spam, and 9 is considered more likely to be spam.
For more information about how to adjust the SCL threshold to suit your organization's requirements and how to adjust per-recipient SCL thresholds, see the following topics:
Outlook E-mail Postmark validation is a computational proof that Outlook applies to outgoing messages to help recipient messaging systems distinguish legitimate e-mail from junk e-mail. This feature helps reduce the chance of false positives. In the context of spam filtering, a false positive exists when a spam filter incorrectly identifies a message from a legitimate sender as spam. When Outlook E-mail Postmark validation is enabled, the Content Filter agent parses the inbound message for a computational postmark header. The presence of a valid, solved computational postmark header in the message indicates that the client computer that generated the message solved the computational postmark. The results of the postmark validation are calculated into the overall SCL for the incoming message. If the postmark validation feature is enabled and an inbound message either does not contain a computational postmark header or the computational postmark header is not valid, the Content Filter agent would not change the SCL rating.
By default, postmark validation is enabled. For more information about how to enable postmark validation, see How to Enable or Disable Outlook E-Mail Postmark Validation.
Sometimes, you may not want messages that are intended for specific recipients to be filtered by the Content Filter agent. For example, if you have a customer support e-mail alias, you may want to accept all incoming e-mail messages for that address. In this case, you can specify recipients in your organization for which messages are not filtered by the Content Filter agent.
You can also specify senders and sender domains that you do not want to be filtered by the Content Filter agent. Bypassing content filtering for specific senders and sender domain messages is useful if there are external entities that your organization frequently exchanges messages with. Frequently, business contacts in this category may be excluded from content filtering by using individual Office Outlook 2003 users' Safe Senders Lists in your organization. For more information about how to specify recipient and sender exceptions, see How to Specify Recipient and Sender Exceptions for Content Filtering.
As explained in Content Filtering, you can configure the Content Filter agent to recognize and filter on certain phrases. You must specify words or phrases for the Content Filter to act on. When you specify a word or phrase, you must specify whether it is an Allow phrase or a Block phrase. When the Content Filter agent encounters an Allow phrase in a message, the SCL is set to 0. When the Content Filter agent encounters a Block phrase in a message, the SCL is set to 9.
For more information about how to specify allow and block words or phrases, see How to Configure Allow or Block Phrases for Content Filtering.
When the SCL reject threshold is exceeded, the Content Filter agent does not accept the message and instead sends a rejection response during the SMTP transaction. The rejection response is an SMTP response from the Edge Transport server to the sending server.
The SCL Reject action must be enabled for the rejection response to be sent. If you enable the SCL reject action and do not change the value of the rejection response, the default rejection response, "Message rejected due to content restrictions," will be sent.
For more information about how to set the rejection response, see How to Configure the Rejection Response for Content Filtering.