Using Exchange Server 2010 Antispam Tools (part 2) - Content Filtering

10/18/2014 9:03:54 PM

3. Content Filtering

Content filtering is a feature in Exchange Server 2010 that was formerly known as the Intelligent Message Filter, and it is arguably the most useful of the antispam features. The content filter examines the message's content based on keyword analysis, message size, and other factors, and then assigns the message a spam confidence level (SCL) ranking. This ranking is from 0 to 9. A message with a ranking of 0 is the least likely to be spam, and a message with an SCL of 9 is very likely to be spam. Based on the SCL value of the message, you have several actions you can take (see Figure 2).

Figure 2. The Action tab of the Content Filtering object's properties

You can take three possible actions, ranked in order of severity:

  1. Delete messages that meet or exceed a specific SCL threshold. This is the most drastic of actions. The sender is not notified that this has occurred, and you can't later evaluate whether the message really was spam.

  2. Reject messages that meet or exceed a specific SCL threshold. The Edge Transport or Hub Transport server accepts the message, analyzes it, and kicks it back to the sender with text indicating that the message was rejected because it looks like spam.

  3. Quarantine messages that meet or exceed a specific SCL threshold. Any messages with the specified SCL value or higher will be sent to an SMTP address where you can then analyze them to determine whether they are truly spam.

Negative SCL Values?

Is it possible to have an SCL value of −1? Yes, actually it is. If a message is sent to your server via an authenticated connection, or if the sender's email address is on your safe senders list, the SCL value of the message is set to −1. So if one of your trusted senders is sending you a short message about low-interest rate mortgages and buying cheap Viagra, you will still get the message.


You can activate none, one, two, or all three of the actions, but the SCL values must progress downward in accordance with the severity of the action. For example, you could set a reject value of 8 or higher and a quarantine value of 7 or higher. In that case, any messages with an SCL value of 8 or 9 will be rejected; messages with an SCL value of 7 will be sent to the quarantine email address. However, you cannot set a quarantine value of 9 but then delete everything with an SCL value greater than or equal to 7.
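The ordering rule above, as an added example that is not part of the original article: a pre-check that refuses a threshold set in which a milder action has a higher threshold than a harsher one, followed by the shell equivalent of the Action tab using `Set-ContentFilterConfig`. The helper name `Test-SclThresholdOrder` and the quarantine address are assumptions.

```powershell
# Added example. Test-SclThresholdOrder is a hypothetical helper, not an Exchange cmdlet.
function Test-SclThresholdOrder {
    param([Nullable[int]]$Delete, [Nullable[int]]$Reject, [Nullable[int]]$Quarantine)

    # Most severe action first; an omitted ($null) threshold means the action is off.
    $enabled = @(
        @(
            New-Object PSObject -Property @{ Action = 'Delete';     Threshold = $Delete }
            New-Object PSObject -Property @{ Action = 'Reject';     Threshold = $Reject }
            New-Object PSObject -Property @{ Action = 'Quarantine'; Threshold = $Quarantine }
        ) | Where-Object { $null -ne $_.Threshold }
    )

    foreach ($a in $enabled) {
        if ($a.Threshold -lt 0 -or $a.Threshold -gt 9) {
            throw "$($a.Action) threshold $($a.Threshold) is outside the 0-9 SCL range."
        }
    }
    # A milder action may not carry a higher threshold than a harsher one.
    # Equal values are not flagged; the article does not say how they are treated.
    for ($i = 1; $i -lt $enabled.Count; $i++) {
        $harsher = $enabled[$i - 1]; $milder = $enabled[$i]
        if ($milder.Threshold -gt $harsher.Threshold) {
            throw "$($milder.Action) threshold ($($milder.Threshold)) is above $($harsher.Action) threshold ($($harsher.Threshold))."
        }
    }
    $true
}

# The combination the article rules out: quarantine at 9, delete at 7.
try { Test-SclThresholdOrder -Delete 7 -Quarantine 9 | Out-Null } catch { Write-Warning $_.Exception.Message }

# The article's valid example: reject at 8 and above, quarantine at 7.
$t = @{ Reject = 8; Quarantine = 7 }
Test-SclThresholdOrder @t | Out-Null

# Apply only where the Exchange Management Shell cmdlets are loaded.
if (Get-Command Set-ContentFilterConfig -ErrorAction SilentlyContinue) {
    Set-ContentFilterConfig -SCLDeleteEnabled $false `
        -SCLRejectEnabled $true -SCLRejectThreshold $t.Reject `
        -SCLQuarantineEnabled $true -SCLQuarantineThreshold $t.Quarantine `
        -QuarantineMailbox 'spamquarantine@example.com'   # placeholder address
    Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
}
```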

On the inside of your Exchange organization, a global value called the SCL Junk Threshold is set to 4 by default. This instructs the information store to place any messages with a spam confidence level of 4 or higher into the user's Junk Email folder. Users can then review their Junk Email folder to determine whether a message was truly spam. However, if you set the quarantine value on the Edge Transport server to 3, then only messages with an SCL value of 3 will reach the Junk Email folder.

For most organizations, a global SCL Junk Threshold of 4 is probably sufficient, but depending on your business model and the types of mail you receive, you might want to raise it. You can raise the SCL value to 5 or 6. To raise the Junk Email threshold for all users, on one of the Exchange Server 2010 servers in your organization, type this command:

Set-OrganizationConfig -SCLJunkThreshold 6

You can view the organization configuration using the Get-OrganizationConfig cmdlet. Here is an example:

Get-OrganizationConfig | FL SCLJunk*

SCLJunkThreshold : 4

In some cases, a specific user may need a different set of SCL values than the Edge Transport server provides. The values the Edge Transport server provides can be customized on a user-by-user basis. In the following command, we have disabled the Quarantine and Reject parameters for a particular user, and we have specified that this user's Junk Email threshold is 4:

Set-Mailbox "Matt Paleafei" -SCLRejectEnabled $False -SCLQuarantineEnabled $False -SCLJunkThreshold 4 -SCLJunkEnabled $True

You can view the resulting configuration for the mailbox with the Get-Mailbox cmdlet. Here is an example:

Get-Mailbox "Matt Paleafei" | FL Name,*scl*

Name : Matt Paleafei
SCLDeleteThreshold :
SCLDeleteEnabled :
SCLRejectThreshold : 7
SCLRejectEnabled : False
SCLQuarantineThreshold : 9
SCLQuarantineEnabled : False
SCLJunkThreshold : 4
SCLJunkEnabled : True

On the Exceptions tab of the Content Filtering properties, you can configure the SMTP addresses of the internal recipients to which you do not want to apply the content filter. This can be useful when managing a mailbox that is so important you never want any of its messages to be filtered.

Way Too Many Valid Emails Being Flagged as Spam

Company STUV is a real estate services company. Much of their communication with customers and prospective customers is via email. When they started using the content filter, they found that many of their customers' emails were being flagged as spam because of keywords in the message body.

They decided to use the content filter's custom words feature to specify some words or phrases that the content filter would not block. This included words and phrases such as "mortgage," "interest rates," "real estate," and "assessment." The thought behind this was that it was better to possibly receive a few extra spam messages that use these words than it was to reject a message from a real customer.


The Custom Words tab of the Content Filtering object's properties enables some interesting features (see Figure 3). You can enable two types of word lists. If the message contains words in the first list, even if the message appears to be spam, the message is accepted. If the words in the second list are contained in a message, the message is blocked unless it contains words from the first list.

The list with words and phrases that are always accepted can be particularly useful if legitimate messages to your company will frequently contain a particular word or phrase that might otherwise be filtered.
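The two-list rule described above, as an added example that is not part of the original article: a local predictor for how the custom word lists treat a message body, followed by registering the Company STUV phrases with `Add-ContentFilterPhrase`. The helper `Get-CustomWordVerdict`, its substring matching, the blocked phrase and the sample bodies are assumptions made for illustration.

```powershell
# Added example. Get-CustomWordVerdict is a hypothetical helper that mirrors the
# two-list precedence only; it does not compute an SCL, and it matches by simple
# case-insensitive substring, which is an assumption about matching behaviour.
function Get-CustomWordVerdict {
    param([string]$Body, [string[]]$GoodWords = @(), [string[]]$BadWords = @())

    $cmp = [StringComparison]::OrdinalIgnoreCase
    # First list: any hit accepts the message, even if a blocked phrase is present.
    foreach ($w in $GoodWords) { if ($Body.IndexOf($w, $cmp) -ge 0) { return 'Accept' } }
    # Second list: a hit blocks the message when no accepted phrase was found.
    foreach ($w in $BadWords)  { if ($Body.IndexOf($w, $cmp) -ge 0) { return 'Block' } }
    'ScoreNormally'   # neither list matched; the content filter scores as usual
}

$good = 'mortgage', 'interest rates', 'real estate', 'assessment'  # from the STUV case
$bad  = @('cheap pills')                                           # constructed sample

# Constructed sample bodies covering each branch of the rule.
$samples = @(
    'Please send the assessment for the property on Elm Street.'
    'Cheap pills shipped overnight.'
    'Cheap pills, and ask about our mortgage offers.'
    'Lunch on Thursday?'
)
foreach ($body in $samples) {
    New-Object PSObject -Property @{
        Verdict = Get-CustomWordVerdict -Body $body -GoodWords $good -BadWords $bad
        Body    = $body
    }
}

# Register the phrases only where the Exchange Management Shell cmdlets are loaded,
# skipping any phrase that is already on a list.
if (Get-Command Add-ContentFilterPhrase -ErrorAction SilentlyContinue) {
    $existing = @(Get-ContentFilterPhrase | ForEach-Object { $_.Phrase })
    foreach ($p in $good) {
        if ($existing -notcontains $p) { Add-ContentFilterPhrase -Phrase $p -Influence GoodWord }
    }
    foreach ($p in $bad) {
        if ($existing -notcontains $p) { Add-ContentFilterPhrase -Phrase $p -Influence BadWord }
    }
    Get-ContentFilterPhrase | Sort-Object Influence | Format-Table Phrase, Influence -AutoSize
}
```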

Figure 3. Configuring custom words for the content filter