Preventing Internal Email Abuse with Exchange Server 2010
Written by Paul Cunningham on June 30, 2010
There is a lot of attention paid to preventing spam and other malicious email content from entering our networks, but less attention is given to preventing internal abuse of email systems.
The risk of internal email abuse may seem low, but for some organizations the risk is actually quite significant.
For example, schools have a duty of care to protect their students from harassment and bullying from other students, not just from people outside the network. Similarly, some global organizations find that cultural differences between staff in different parts of the world open up the possibility of someone taking offense to what is written in an email.
Very few products exist to prevent these problems, and those that do are not always easy to implement in a complex network. Placing a filtering system in between every possible sender and recipient on the network would be complex and costly. And routing all email through one centralized filtering system would introduce delays and the risk of a single point of failure.
Even Exchange Server’s own anti-spam filtering can’t help. If you recall from my previous post on how the Exchange anti-spam SCL works, any email between mailboxes in the same organization is given an SCL of -1, meaning “trusted”. So no SCL-based filtering decisions can be made.
However, Exchange Server 2010 does make it possible to filter certain email content using Transport Rules. The benefit of this feature is that it is organization-wide: you configure it centrally, but the configuration takes effect on all Hub Transport servers in the organization, so it operates in an efficient, distributed manner.
Using a Transport Rule for this type of content filtering involves setting up the following rule configuration:
- Conditions that identify messages sent from internal senders to internal recipients
- Conditions that identify certain words or phrases in the email subject, body, or attachments
- An action to take on email matching the above criteria
- Any exceptions to that rule

Implementing a rule like this involves the creation of a list of words or phrases that are considered to be inappropriate for email communications within the organization. It might take some imagination to come up with a thorough list that includes a variety of misspellings as well. If there is a history of such problems in the business then those cases could be mined for specific words and phrases as well.
When this list has been created it can be incorporated into the Transport Rule as specific words and phrases, but the most effective method would be to use regular expressions to define the blocked content.
Before implementing any rule such as this, I recommend that you first test it in a separate test environment. Alternatively, when first adding it to the production network, do not set a blocking action on the rule for the first few weeks. Instead, let the rule blind copy any email that matches the list of words and phrases to another mailbox, where the emails can be checked to determine the rule’s accuracy and effectiveness.
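The rule configuration described above, in its audit-only form, as an added Exchange Management Shell example (not from the original post). The rule name, review mailbox, exempt group and patterns are constructed placeholders, and the example is narrowed to subject and body matching.

```powershell
# Added example for the Exchange Management Shell (Exchange Server 2010).
# Every name, address and pattern below is a constructed placeholder.

$ruleName      = 'Internal Content Filter (audit)'   # hypothetical rule name
$reviewMailbox = 'content-review@example.com'        # hypothetical review mailbox
$exemptGroup   = 'Content Filter Exempt'             # hypothetical distribution group

# Constructed sample patterns. Alternation inside a group covers common
# misspellings of a term; \s matches a single whitespace character.
$patterns = @(
    'l(o|0)ser',
    'id(i|1)ot',
    'shut\sup'
)

# Conditions: internal sender AND internal recipient AND pattern match.
# Action:     blind copy to the review mailbox only, nothing is blocked.
# Exception:  senders who are members of the exempt group.
New-TransportRule -Name $ruleName `
    -Comments 'Audit only: copies matches for review, does not block.' `
    -FromScope InOrganization `
    -SentToScope InOrganization `
    -SubjectOrBodyMatchesPatterns $patterns `
    -BlindCopyTo $reviewMailbox `
    -ExceptIfFromMemberOf $exemptGroup `
    -Enabled $true

# Confirm the rule exists and is enabled.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Priority, Comments

# After the review period, once the copied messages show the patterns are
# accurate, the same rule can be switched from copying to blocking:
# Set-TransportRule -Identity $ruleName -BlindCopyTo $null `
#     -RejectMessageReasonText 'This message was blocked by the internal email policy.'
```

Restrict access to the review mailbox, since it will collect copies of private internal correspondence, including false positives.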
In summary, when the risk of internal email abuse is recognised it is possible to address the problem with Exchange Server 2010 Transport Rules.