Solved

Exchange 2010 Content Filtering Issue

Posted on 2012-03-18
Last Modified: 2012-07-10
I'm trying to figure out how to block email from a particular sender ... However, it's not the EMAIL address, it's the FRIENDLY NAME that I'm trying to block -

Specifically, I'm trying to minimize the amount of SPAM that actually goes into the SPAM folder. I'm getting tons of emails like "SAMPLE ENLARGEMENT" as the "Friendly Name", but with some random email address.

I can't seem to put a filter in that will block the friendly name (which is still part of the header) - Anyone have an idea?
Question by:ppapasav
7 Comments
 
LVL 4

Expert Comment

by:ltsweb
Hi,

First, I would strongly suggest you use Postini.com (Google) or Barracuda Networks as the first level of defense. These products will offer you much better protection and control. At minimum, I would suggest you download Microsoft Forefront for your Exchange box.

However, to answer your question, you should use the Content Filter found in the Exchange Management Console.  In there you can customize how the Content Filter agent assigns SCL values by configuring custom words. Custom words are individual words or phrases that the Content Filter agent uses to apply appropriate filter processing. You configure approved words or phrases with Allow phrases and unapproved words or phrases with Block phrases. When the Content Filter agent detects a preconfigured Allow phrase in an inbound message, the Content Filter agent automatically assigns an SCL value of 0 to the message. Alternatively, when the Content Filter agent detects a configured Block phrase in an inbound message, the Content Filter agent assigns an SCL rating of 9.

You can enter custom words or phrases in any combination of uppercase and lowercase letters. However, when the Content Filter agent evaluates message content, it ignores case. The maximum number of custom words or phrases that can be created is 800.

See:  http://technet.microsoft.com/en-us/library/bb124739.aspx for more details.

Hope this helps!

Regards!
0
 

Author Comment

by:ppapasav
We actually already use Trend Micro ScanMail ... The mail is already classified as Spam and we have already done everything you have suggested.

The problem is the content filter is MISSING the "friendly name" from the email address (it appears to only be looking at the actual email address).
0
 
LVL 17

Expert Comment

by:Suraj
Is the sender sending mail from one particular IP?
You may also try to use a transport rule!
0
 
LVL 4

Expert Comment

by:ltsweb
Doesn't it show up in the text of the message?  I am assuming you tried blocking the friendly name using the Phrase ACL?   At least it is getting tagged as SPAM!
0
 

Author Comment

by:ppapasav
I tried the following

1) In Transport rules, created a new one that
 A) When the from address contains certain words, "Enlargement", "Rolex", "Viagra" .. etc, delete the message... perhaps I have to change this to "When Message Header contains certain words" instead?

My understanding, from having spoken to Trend Micro, is that Scanmail will see the message AFTER Exchange content filtering or Transport rules see it ... so, the only thing I'm thinking is, since it is winding up in SPAM, is it possible it's the other way around?? Even so, the Transport rule should delete the message

These are the actual options I can use

When the message header contains specific words
When the from address contains specific words
When the from address matches text patterns

So as you can see, there are many options that could all potentially work .. So far, I've tried "when the from address contains specific words" -

I've also tried under the content filtering tab under anti-spam - I added custom words .. I have to believe either one of two things is happening:

1. It's not evaluating the header
2. It is but it's not following through on the action (when the SCL level is >= 9) ...

Any ideas?
0
 
LVL 4

Accepted Solution

by:
ltsweb earned 335 total points
Can you remove the Exchange filters that are trapping the spam and just use the Trend product?  Will Trend product take care of the filter or was that letting items go through?

If not, what is the SCL tag on the spam?  I am assuming you confirmed it is tagged =>9?

A typical setting is:

SCL delete threshold is set to 8.
 
SCL reject threshold is set to 7.
 
SCL quarantine threshold is set to 6.
 
SCL Junk E-mail folder threshold is set to 5.

It really sounds like there is a conflict between the two systems if you have confirmed everything above.

I also found a Technet post with a similar issue (See:  http://social.technet.microsoft.com/Forums/uk/exchangesvrantivirusandantispam/thread/a19bf469-cba8-489a-9bfb-c5bbe71212e9)

In summary:


"Remove “ms-Exch-Bypass-Anti-Spam” permission from all users except for the users below:...
 
Get-ReceiveConnector "default HUBXXX" | Remove-ADPermission -User "domain\ExchangeLegacyInterop" -ExtendedRights "Ms-Exch-Bypass-Anti-Spam"

enable internal Anti-spam:

Set-ContentFilterConfig -ExternalMailEnabled:$true -InternalMailEnabled:$true

In this configuration, the SCL rating still does not work, the agent log changes from "SCL PolicyDisabled" on all messages to "Content Filter Bypassed" and no actions take place.

Then there needs to be an explicit deny for the LegacyInterop group, just removing the permission is not enough.

Get-ReceiveConnector "default HUBXXX" | Add-ADPermission -User "domain\ExchangeLegacyInterop" -Deny -ExtendedRights "Ms-Exch-Bypass-Anti-Spam"

After doing this and restarting the Transport service, it should work according to the post.

SCL ratings should show in the agent log, and hopefully the delete thresholds should work.


Keep us posted.
0
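
An added example, not part of the answer above or of the TechNet thread it quotes: read-only Exchange Management Shell checks for the things that answer depends on (who holds the bypass right on the connector, whether the Content Filter agent and its thresholds are active, and what the agent log records). "default HUBXXX" is the placeholder connector name from the post, and the one-hour log window is an assumption.

```powershell
# Added example: read-only checks, run from the Exchange Management Shell
# on the Hub Transport server. Nothing here changes configuration.
$connectorName = "default HUBXXX"          # placeholder name taken from the post
$since         = (Get-Date).AddHours(-1)   # assumption: review the last hour of mail

# 1. Every ACE on the receive connector that carries the anti-spam bypass right.
#    Deny = True is the explicit deny described above; Deny = False means that
#    principal's mail still skips the Content Filter agent.
Get-ReceiveConnector $connectorName | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "ms-Exch-Bypass-Anti-Spam" } |
    Format-Table User, Deny, IsInherited -AutoSize

# 2. Agent state, the mail scopes it applies to, and the SCL thresholds in force.
Get-TransportAgent "Content Filter Agent" | Format-List Identity, Enabled, Priority
Get-ContentFilterConfig |
    Format-List Enabled, ExternalMailEnabled, InternalMailEnabled, SCL*
Get-OrganizationConfig | Format-List SCLJunkThreshold

# 3. The custom Block phrases the agent currently knows about.
Get-ContentFilterPhrase |
    Where-Object { $_.Influence -eq "BadWord" } |
    Format-Table Phrase, Influence -AutoSize

# 4. What the Content Filter agent actually did with recent messages,
#    grouped by the reason and action written to the agent log.
Get-AgentLog -StartDate $since |
    Where-Object { $_.Agent -eq "Content Filter Agent" } |
    Group-Object Reason, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it before and after applying the deny and restarting the Transport service: the comparison shows whether the log entries move away from "Content Filter Bypassed" and whether messages are reaching the configured thresholds.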
 

Author Comment

by:ppapasav
I think your answer is very thorough ... and right now, I don't have the cycles  to test it ... I will try a bit more this weekend - I appreciate the time you put into answering this question - I'll try it in a few days at most
0
