Exchange 2010 Content Filtering Issue

Posted on 2012-03-18
Last Modified: 2012-07-10
I'm trying to figure out how to block email from a particular sender ... However, it's not the EMAIL address, it's the FRIENDLY NAME that I'm trying to block -

Specifically, I'm trying to minimize the amount of SPAM that actually goes into the SPAM folder. I'm getting tons of emails like "SAMPLE ENLARGEMENT" as the "Friendly Name", but with some random email address.

I can't seem to put a filter in that will block the friendly name (which is still part of the header) - Anyone have an idea?
Question by:ppapasav

Expert Comment

by:ltsweb
ID: 37735049
Hi,

First, I would strongly suggest you use Postini.com (Google) or Barracuda Networks as the first level of defense.  These products will offer you much better protection and control.  At minimum, I would suggest you download Microsoft Forefront for your Exchange box.

However, to answer your question, you should use the Content Filter found in the Exchange Management Console.  In there you can customize how the Content Filter agent assigns SCL values by configuring custom words. Custom words are individual words or phrases that the Content Filter agent uses to apply appropriate filter processing. You configure approved words or phrases with Allow phrases and unapproved words or phrases with Block phrases. When the Content Filter agent detects a preconfigured Allow phrase in an inbound message, the Content Filter agent automatically assigns an SCL value of 0 to the message. Alternatively, when the Content Filter agent detects a configured Block phrase in an inbound message, the Content Filter agent assigns an SCL rating of 9.

You can enter custom words or phrases in any combination of uppercase and lowercase letters. However, when the Content Filter agent evaluates message content, it ignores case. The maximum number of custom words or phrases that can be created is 800.

See:  http://technet.microsoft.com/en-us/library/bb124739.aspx for more details.

Hope this helps!

Regards!

Author Comment

by:ppapasav
ID: 37735334
We actually already use Trend Micro scanmail ... The mail is already classified as Spam and we have already done Everything you have suggested.

The problem is the content filter is MISSING the "friendly name" from the email address (it appears to only be looking at the actual email address).

Expert Comment

by:Suraj
ID: 37736416
Is the sender sending mail from one particular IP?
You may also try to use a transport rule!

Expert Comment

by:ltsweb
ID: 37740621
Doesn't it show up in the text of the message?  I am assuming you tried blocking the friendly name using the Phrase ACL?   At least it is getting tagged as SPAM!

Author Comment

by:ppapasav
ID: 37761375
I tried the following

1) In Transport rules, created a new one that
 A) When the from address contains certain words, "Enlargement", "Rolex", "Viagra" .. etc, delete the message... perhaps I have to change this to "When Message Header contains certain words" instead?

My understanding, from having spoken to Trend Micro, is that Scanmail will see the message AFTER Exchange content filtering or Transport rules see it ... so, the only thing I'm thinking is, since it is winding up in SPAM, is it possible it's the other way around?? Even so, the Transport rule should delete the message

These are the actual options I can use

"When the message header contains specific words"
"When the from address contains specific words"
"When the from address matches text patterns"

So as you can see, there are many options that could all potentially work .. So far, I've tried "when the from address contains specific words" -

I've also tried under the content filtering tab under anti-spam - I added custom words .. I have to believe either one of two things is happening:

1. It's not evaluating the header
2. It is but it's not following through on the action (when the SCL level is >= 9) ...

Any ideas?
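The distinction this post is circling, as an added example that is not part of the original thread: the friendly name travels in the display-name part of the From header, so a rule keyed on the header field can see it while one keyed on the from address cannot. The sample header and rule name are constructed, and the rule assumes the Exchange 2010 Management Shell and that the header predicate evaluates the whole From field, which the subject tag lets you confirm before switching to deletion.

```powershell
# Constructed sample: spam phrase in the display name, random SMTP address.
$rawFrom = '"SAMPLE ENLARGEMENT" <x7k2q@example.net>'
$parsed  = New-Object System.Net.Mail.MailAddress($rawFrom)
$words   = 'Enlargement', 'Rolex', 'Viagra'   # words quoted in the post

# Show which part of the sender each rule condition would be looking at.
foreach ($w in $words) {
    New-Object PSObject -Property @{
        Word           = $w
        InAddress      = ($parsed.Address     -like "*$w*")  # "from address contains"
        InDisplayName  = ($parsed.DisplayName -like "*$w*")  # the friendly name
        InFromHeader   = ($rawFrom            -like "*$w*")  # "message header contains"
    }
} | Format-Table Word, InAddress, InDisplayName, InFromHeader -AutoSize

# Run in the Exchange Management Shell on a Hub Transport server.
# Audit form first: tag the subject instead of deleting, then check a few hits.
$ruleName = 'Friendly-name spam words (audit)'   # hypothetical rule name
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader 'From' `
    -HeaderContainsWords $words `
    -PrependSubject '[FRIENDLY-NAME-HIT] ' `
    -Enabled $true

# Once the tagged messages are the ones you expect, swap the action:
# Set-TransportRule $ruleName -PrependSubject $null -DeleteMessage $true
```

For the constructed header only "Enlargement" matches, and it matches in the display name and the full header but not in the address.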

Accepted Solution

by:
ltsweb earned 1340 total points
ID: 37761426
Can you remove the Exchange filters that are trapping the spam and just use the Trend product?  Will Trend product take care of the filter or was that letting items go through?

If not, what is the SCL tag on the spam?  I am assuming you confirmed it is tagged =>9?

A typical setting is:

SCL delete threshold is set to 8.
 
SCL reject threshold is set to 7.
 
SCL quarantine threshold is set to 6.
 
SCL Junk E-mail folder threshold is set to 5.

It really sounds like there is a conflict between the two systems if you have confirmed everything above.

I also found a Technet post with a similar issue (See:  http://social.technet.microsoft.com/Forums/uk/exchangesvrantivirusandantispam/thread/a19bf469-cba8-489a-9bfb-c5bbe71212e9)

In summary:


"Remove “ms-Exch-Bypass-Anti-Spam” permission from all users except for the users below:...
 
Get-ReceiveConnector "default HUBXXX" | Remove-ADPermission -User "domain\ExchangeLegacyInterop" -ExtendedRights "Ms-Exch-Bypass-Anti-Spam"

Enable internal anti-spam:

Set-ContentFilterConfig -ExternalMailEnabled:$true -InternalMailEnabled:$true

In this configuration, the SCL rating still does not work, the agent log changes from "SCL PolicyDisabled" on all messages to "Content Filter Bypassed" and no actions take place.

Then there needs to be an explicit deny for the LegacyInterop group, just removing the permission is not enough.

Get-ReceiveConnector "default HUBXXX" | Add-ADPermission -User "domain\ExchangeLegacyInterop" -deny -ExtendedRights "Ms-Exch-Bypass-Anti-Spam"

After doing this and restarting the Transport service, it should work according to the post.

SCL ratings should show in the agent log, and hopefully the delete thresholds should work.


Keep us posted.
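A read-only check sequence for the points raised in this answer, added here as an example and not taken from the thread or the linked TechNet post: it lists who holds or is denied the bypass right on each receive connector, shows the content filter settings and thresholds, and summarises what the agent log recorded. It assumes the Exchange 2010 Management Shell on the Hub Transport server with anti-spam agents installed; nothing in it changes configuration.

```powershell
# 1. Bypass right per receive connector. An allow entry for a group the
#    sending session belongs to means content filtering is skipped;
#    Deny = True is the explicit deny described in the answer.
Get-ReceiveConnector | ForEach-Object {
    $conn = $_
    $conn | Get-ADPermission |
        Where-Object { $_.ExtendedRights -like '*Bypass-Anti-Spam*' } |
        Select-Object @{ n = 'Connector'; e = { $conn.Name } },
                      User, Deny, IsInherited
} | Format-Table -AutoSize

# 2. Is the agent enabled, and for which mail? A threshold only acts when
#    its matching SCL*Enabled flag is True.
Get-TransportAgent 'Content Filter Agent' |
    Format-List Identity, Enabled, Priority
Get-ContentFilterConfig |
    Format-List Enabled, ExternalMailEnabled, InternalMailEnabled,
                SCL*, QuarantineMailbox
Get-OrganizationConfig | Format-List SCLJunkThreshold

# 3. Custom block phrases currently configured.
Get-ContentFilterPhrase |
    Where-Object { $_.Influence -eq 'BadWord' } |
    Format-Table Phrase, Influence -AutoSize

# 4. What the Content Filter agent decided over the last 24 hours.
#    Many rows with a bypass or policy-disabled reason point back to
#    step 1 or step 2 rather than to the phrase list.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -eq 'Content Filter Agent' } |
    Group-Object Reason, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it before and after the permission change and the Transport service restart so the two agent-log summaries can be compared.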

Author Comment

by:ppapasav
ID: 37775101
I think your answer is very thorough ... and right now, I don't have the cycles to test it ... I will try a bit more this weekend - I appreciate the time you put into answering this question - I'll try it in a few days at most