Configuring the action when a filter is matched


Applies to: Forefront Protection for Exchange

Topic Last Modified: 2009-07-10

You must indicate the action that Forefront Protection 2010 for Exchange Server (FPE) should take upon detecting a match to your filter criteria.

You must set the action for each filter list you configure. The action setting is not global.

The action options are only available after a filter list has been enabled, and the types of action options that are available are dependent upon the type of filtering you are performing. Possible action choices are listed and described in the following table. Click Save after making any changes to your action settings.


Action Description

Skip detect

Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete corrupted compressed files, Delete corrupted UUEncoded Files, or Delete encrypted compressed files was selected in Global Settings - Advanced Options, a match to any of those conditions causes the item to be deleted.


Deletes the file attachment. The matched file is removed from the message (even if part of a container file), and the deletion text is inserted in its place. For information about modifying deletion text, see Editing deletion text for file filters.

You can specify the extension type used for all deleted attachments (for example, .abc), making it easy to instantly identify deleted attachments. For more information, see "Configuring the extension type for all deleted attachments" in Configuring the action when malware is detected.


Deletes the entire message from your mail system. It cannot be recovered unless you selected to quarantine files.

Identify in subject line

Identify in message header

Identify in subject line and message header

Depending on which option you select, tags the subject line, the message header, or the subject line and message header of the detected message with a customizable word or phrase so that it can be easily identified. This tag text can be modified; for more information, see Configuring tag text to identify messages. This tag is used for all filters identified by the transport scan job.

You can tag the subject line or MIME header of messages that meet filter criteria, so that the message can be later identified for purposes identified by the FPE Administrator. For example, the administrator could route tagged messages to specific user inboxes. The action for a filter list must be set to Identify in subject line, Identify in message header, or Identify in subject line and message header in order for the tag text to be used.

To configure tag text to identify messages
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and then under the Filters section, click Filter Options.

  2. In the Filters - Filter Options pane, in the Transport Filtering Options section:

    • To specify tag text to be added to the subject line of a message, enter text in the Tag text for subject line box. The default text is SUSPECT:.

    • To specify tag text to be added to the MIME header of a message, enter text in the Tag text for message header box. The default text is Junk-Mail.

  3. Click Save.