The message hygiene options in Exchange Server 2010
help prevent you from receiving mail that you don't want. This mail is
either about a subject that you don't want to hear about, or it's from a
sender that you don't want to receive messages from. In either case,
it's important to ensure that you understand how to fight this battle
and come out on top. This section focuses on helping you block the mail
that you don't want to receive.
1. Battle Unwanted Mail
One of the challenges of
administering email systems is accurately filtering out messages that
are unwanted. These messages, called spam,
often appear in the form of advertisements or offensive content. Spam
poses multiple risks to organizations by spreading viruses, bloating
users' mailboxes with massive numbers of email messages, and using
valuable storage. This section is about using the content filtering
mechanisms in Exchange to battle this unwanted mail.
1.1. Understand the Spam Confidence Level
When messages come in from
outside your organization, they can be assigned a number called the
Spam Confidence Level (SCL) rating. This is a number between 0 and 9
that determines the likelihood that the message is spam. A high rating
means that there is a high probability that the message is spam. The
content filter determines the probability of a message's being spam and
marks the message with the SCL rating. Depending on the SCL rating that
is assigned to the message, certain actions can be taken. Table 1 describes these actions and the default thresholds for when these actions are taken on a message.
Table 1. Actions and Thresholds for Messages Marked as Spam
Action | Default Threshold |
---|---|
The message is not delivered to the user, but is instead placed in a quarantine mailbox. | 9 |
A rejection is sent to the sender and the message is deleted. | 7 |
The message is deleted without any notice. | 9 |
1.2. Use Spam Quarantine
When a message has an SCL rating
that is high enough to quarantine it, the message is moved to a
quarantine mailbox. An administrator can monitor the quarantine mailbox
for false positives. The administrator can have such messages sent to
users. To use spam quarantining, use the following steps:
Configure the quarantine mailbox.
Monitor the quarantine mailbox.
Adjust the SCL thresholds as necessary.
1.2.1. Configure the Quarantine Mailbox
When configuring the mailbox used for spam quarantine, here are some considerations to keep in mind:
Administrators will need to monitor this mailbox, so ensure that those administrators have permissions to the mailbox.
The quarantine mailbox has the potential to get rather large, depending on the amount of spam that you expect to receive. Therefore, you may want to place the quarantine mailbox in its own database and decide whether or not it is worth replicating it if you are using a DAG.
Consider applying separate retention policies and a large quota to the quarantine mailbox. You probably don't want messages being removed before you've had a chance to review them.
After you have created the
spam quarantine mailbox, you need to configure the mailbox in the
Content Filter settings so that Exchange knows to send quarantined
messages to that mailbox. You can make this configuration change using
the Set-ContentFilterConfig cmdlet in the EMS, using the following command as an example:
Set-ContentFilterConfig -QuarantineMailbox [email protected]
Make sure that you
configure the quarantine mailbox on the Transport servers that will be
performing the content filtering. If you are using Edge Transport
servers, you must configure the quarantine mailbox on every Edge
Transport server individually. For Hub Transport servers, you only need
to configure the quarantine mailbox once, because Exchange uses Active
Directory to ensure that every Hub Transport server uses the same spam
quarantine configuration.
1.2.2. Monitor the Quarantine Mailbox
Administrators will need to
monitor the quarantine mailbox to ensure that any false positives are
caught and the messages are sent to the recipients. The easiest way to
do this is for administrators to connect to the quarantine mailbox using
Microsoft Outlook. In order to do this, you must ensure that the
administrator has access to open the quarantine mailbox. The quarantine
mailbox can be opened as a secondary mailbox in Outlook, so an
additional Outlook profile does not need to be created.
When you come across a
message in the quarantine mailbox that is a false positive, you can use
the following steps to resend the message to the user:
In the list of messages in Outlook, open the NDR that represents the message that was falsely identified as spam.
In the message, select the Report tab.
On the Report tab, click the Send Again button. The original message will open in a new dialog box. When it does, click the Send button to have the message sent to the user.
1.2.3. Adjust the SCL Thresholds
After monitoring the
quarantine mailbox for a while, you may notice that there are many
false positives. If this is the case, you may want to increase the SCL
threshold to a higher value when taking action on a message. To increase
the SCL thresholds, you can use the Set-ContentFilterConfig cmdlet with
a set of the parameters specified in Table 2.
Table 2. EMS Parameters for Setting the SCL Thresholds
Action | Feature Enable Parameter | Threshold Parameter |
---|---|---|
Quarantine the message | SCLQuarantineEnabled | SCLQuarantineThreshold |
Reject the message | SCLRejectEnabled | SCLRejectThreshold |
Delete the message | SCLDeleteEnabled | SCLDeleteThreshold |
Remember that the threshold
values can be anywhere from 0 to 9. So to set the SCL message quarantine
threshold to 7, you would use the following command:
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7
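A threshold change is easier to judge when every SCL value is mapped to the action it would receive. The following PowerShell is an added example, not code from the original text; it assumes Exchange checks the delete, reject and quarantine thresholds in that order and applies an action when the SCL is equal to or greater than its threshold. The two settings objects and the example.invalid address are constructed values.

```powershell
# Map one SCL value to the action it would get (assumed order: delete, reject, quarantine).
function Get-SclAction {
    param(
        [Parameter(Mandatory = $true)] [ValidateRange(0, 9)] [int] $Scl,
        [Parameter(Mandatory = $true)] $Config
    )
    if ($Config.SCLDeleteEnabled     -and $Scl -ge $Config.SCLDeleteThreshold)     { return 'Delete' }
    if ($Config.SCLRejectEnabled     -and $Scl -ge $Config.SCLRejectThreshold)     { return 'Reject' }
    if ($Config.SCLQuarantineEnabled -and $Scl -ge $Config.SCLQuarantineThreshold) { return 'Quarantine' }
    return 'Deliver'
}

# Warn about enabled actions that can never fire and about a missing quarantine mailbox.
function Test-SclConfig {
    param([Parameter(Mandatory = $true)] $Config)
    $reachable = 0..9 | ForEach-Object { Get-SclAction -Scl $_ -Config $Config } | Select-Object -Unique
    foreach ($action in 'Delete', 'Reject', 'Quarantine') {
        $prop = 'SCL{0}Enabled' -f $action
        if ($Config.$prop -and ($reachable -notcontains $action)) {
            Write-Warning "$action is enabled but never fires; an action checked earlier covers its range."
        }
    }
    if ($Config.SCLQuarantineEnabled -and -not $Config.QuarantineMailbox) {
        Write-Warning 'Quarantine is enabled but no quarantine mailbox is configured.'
    }
}

# Constructed settings: the Table 1 thresholds with all three actions switched on.
# In the EMS, use the live settings instead: $current = Get-ContentFilterConfig
$current = New-Object PSObject -Property @{
    SCLDeleteEnabled     = $true; SCLDeleteThreshold     = 9
    SCLRejectEnabled     = $true; SCLRejectThreshold     = 7
    SCLQuarantineEnabled = $true; SCLQuarantineThreshold = 9
    QuarantineMailbox    = $null
}
# Constructed proposal: quarantine at 7, reject at 8, delete at 9 (placeholder mailbox address).
$proposed = New-Object PSObject -Property @{
    SCLDeleteEnabled     = $true; SCLDeleteThreshold     = 9
    SCLRejectEnabled     = $true; SCLRejectThreshold     = 8
    SCLQuarantineEnabled = $true; SCLQuarantineThreshold = 7
    QuarantineMailbox    = 'quarantine@example.invalid'
}

Test-SclConfig -Config $current
Test-SclConfig -Config $proposed
0..9 | ForEach-Object {
    New-Object PSObject -Property @{ SCL = $_; Current = (Get-SclAction $_ $current); Proposed = (Get-SclAction $_ $proposed) }
} | Select-Object SCL, Current, Proposed | Format-Table -AutoSize
```

With the constructed current settings, the check warns that quarantine never fires and that no mailbox is set; the proposed settings produce no warnings and quarantine only messages with an SCL of 7.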
1.3. Block Message Attachments
In Exchange, you have
the ability to block file attachments in email messages that meet
predefined criteria. In Exchange Server 2010, you have many more options
for blocking attachments.
In Exchange Server
2010, attachment filtering is accomplished through a transport rule on
the Transport servers. This no longer runs as an agent. If you want to
use attachment filtering, you will need to create a transport rule for
your Hub Transport servers. The following steps walk you through the
process of creating a transport rule for attachment filtering:
Open the EMC and browse to the Organization Configuration => Hub Transport node in the Console tree.
In the Actions pane, click the New Transport Rule action to start the New Transport Rule wizard.
At the Introduction screen of the wizard, type a name for the attachment filter rule. Then click Next.
On the Conditions screen, select the check box When Any Attachment File Name Matches Text Patterns. This allows this transport rule to trigger when a file attachment name meets the criteria that you specify, such as a file extension.
While still on the Conditions screen, click the blue link in the bottom box that reads Text Patterns. This launches the Specify Text Patterns dialog box.
Type in the filename patterns that you want to block and click the Add button. For example, if you want to block all files that contain .EXE, type .EXE and click Next.
At the Actions screen, you can choose what to do with the message that contains the attachment that you want to block. Click the Next button after you have chosen your action.
On the Exceptions screen, you choose what exceptions you want to apply when blocking attachments. For example, you can choose to let messages through when they are sent by certain people, even if they contain an attachment that is usually blocked. Click Next when ready.
On the Create Rule screen, click the New button to create your attachment filter rule.
On the Completion screen, click the Finish button to close the wizard and return to the EMC.