How to protect Exchange Server 2007 with Content FilteringWritten by Paul Cunningham on December 19, 2008
Exchange Server 2007 anti-spam functionality includes the Content Filter agent which is designed to provide spam detection based on the contents of an email message.
The Connection Filter agent is based on the Intelligent Message Filter first introduced in Exchange Server 2003. The Intelligent Message Filter bases its spam detection on a database of email submissions from Microsoft partners that is used as a basis for heuristic scanning of email content. A “spam confidence level” (SCL) rating is then assigned to the email message and used to determine whether to classify the message as spam or not.
The SCL rating is a number from 0 to 9 where the higher the number the more likely the email message is spam.
The Content Filter agent assesses the content of email messages after the Connection Filter agent has initially determined whether the sending host should be blocked entirely or not. The order of priority improves Exchange server performance by removing the most obvious spam based on the sending IP address before the more resource intensive content filtering takes place.
How to configure the Content Filter agent for Exchange Server 2007
The Content Filter agent is enabled by default on Edge Transport servers but must be enabled by an administrator on Hub Transport servers using the “install-antiSpamAgents.ps1″ script that is included with Exchange Server 2007.
The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console.
Configuring custom word lists
The Content Filter agent can be configured to never block messages containing certain keywords or phrases. This option is effectively a whitelist of words that when contained within an email message must ensure that the message is not blocked as spam.
Although some organisations will require this functionality most will not. Using a whitelist in this manner carries the risk that a spam message that happens to contain a whitelisted word will not be blocked. A message that contains a whitelisted keyword or phrase is assigned an SCL of 0 regardless of whether it contains spam content that would score it higher.
Keywords and phrases can also be configured as a blacklist, which will cause any message containing those words to be blocked as spam. To block the message as spam the Content Filter agent assigns an SCL of 9 to the message.
The Content Filter agent can be configured to ignore messages sent to certain email addresses within the organisation. An example would be an important customer service email address. If the organisation wishes to ensure that no customer service emails are inadvertently blocked as spam then the customer service email address can be added as an exception.
Configuring actions for spam messages
The default Content Filter agent configuration rejects messages with an SCL of 7 or higher. This configuring will reject the most obvious spam but will more than likely result in many spam messages getting through to user mailboxes.
To configure the Content Filter agent to deal with spam messages we must first understand the three available actions:
- Delete – the message is silently deleted with no notification to the sending host.
- Reject – the message is rejected with a Non Delivery Report to the sending host. The NDR can be customised to a limited degree.
- Quarantine – the message is redirected to a specified email address, usually a special mailbox on the Exchange server.
Delete takes precedence over Reject and Quarantine, and when used must always be set to a higher SCL than Reject or Quarantine. Reject takes precedence over Quarantine and must also always be set to a higher SCL than Quarantine.
Using the Delete action is risky when combined with blacklisted keywords or phrases. A legitimate email message that happens to contain a blacklisted word will be deleted with no notification to either the sender or the intended recipient, and with no way of retrieving the message from a quarantine area. For this reason the blacklisted custom word list should only contain keywords or phrases that the organisation wants to block regardless of the importance of the content of the email message.
The Reject action is most commonly used to handle likely spam but requires constant monitoring and tuning to ensure that it is not producing too many false positives, nor that it is allowing too much spam through to user mailboxes.
Quarantine can be used to store likely spam in a mailbox where it can be retrieved if requested by the end user.
Pros and cons of the Exchange Server 2007 Content Filter agent
The most obvious advantage of the built in Content Filter agent is that is provides content filtering at no additional cost to the business. However this cost saving may be negated by one or more of the following disadvantages.
- The effectiveness of the content filtering relies on anti-spam signatures released by Microsoft. There is no capability for the Content Filter agent to “learn” about your organisations email content and make better judgements as to what is and isn’t spam.
- When the Reject action is used and a message is rejected it cannot be retrieved from the server by the Exchange administrator.
- When the Quarantine action is used and a message is quarantined neither the sender nor the intended recipient are notified. Crucial time may pass before an important business email is suspected of being quarantined and the Exchange administrator is asked to retrieve it.
- There is no “self service” capability for end users to check and retrieve their own quarantined items. Only a single quarantine mailbox can be used, which raises privacy concerns if end users were given access to it and able to look at quarantined emails that are intended for other recipients.
- Very limited reporting capabilities.
Alternatives to Exchange Server 2007 Content Filter agent
The shortcomings of the Exchange Server 2007 Content Filter agent can be addressed by implementing a more comprehensive email security solution.
A dedicated, quality email security product contains more effective spam content analysis, the ability to “learn” about an organisation’s business emails, greater configurability in how to handle suspected spam emails, end user “self service” to make quarantine management easier for users and less costly for administrators, and detailed reporting features so that system administrators and business stakeholders can see and judge the performance of the email security product.