Solved

Exchange 2010 Content Filtering Issue

Posted on 2012-03-18
Last Modified: 2012-07-10
I'm trying to figure out how to block email from a particular sender ... However, it's not the EMAIL address, it's the FRIENDLY NAME that I'm trying to block -

Specifically, I'm trying to minimize the amount of SPAM that actually goes into the SPAM folder. I'm getting tons of emails like "SAMPLE ENLARGEMENT" as the "Friendly Name", but with some random email address.

I can't seem to put a filter in that will block the friendly name (which is still part of the header) - Anyone have an idea?
Question by:ppapasav
LVL 4

Expert Comment

by:ltsweb
ID: 37735049
Hi,

First, I would strongly suggest you use Postini.Com (google) or Barracuda Networks as the first level of defense.  These products will offer you much better protection and control.  At minimum, I would suggest you download Microsoft Forefront for your Exchange box.

However, to answer your question, you should use the Content Filter found in the Exchange Management Console.  In there you can customize how the Content Filter agent assigns SCL values by configuring custom words. Custom words are individual words or phrases that the Content Filter agent uses to apply appropriate filter processing. You configure approved words or phrases with Allow phrases and unapproved words or phrases with Block phrases. When the Content Filter agent detects a preconfigured Allow phrase in an inbound message, the Content Filter agent automatically assigns an SCL value of 0 to the message. Alternatively, when the Content Filter agent detects a configured Block phrase in an inbound message, the Content Filter agent assigns an SCL rating of 9.

You can enter custom words or phrases in any combination of uppercase and lowercase letters. However, when the Content Filter agent evaluates message content, it ignores case. The maximum number of custom words or phrases that can be created is 800.

See:  http://technet.microsoft.com/en-us/library/bb124739.aspx for more details.

Hope this helps!

Regards!

Author Comment

by:ppapasav
ID: 37735334
We actually already use Trend Micro ScanMail ... The mail is already classified as Spam and we have already done everything you have suggested.

The problem is the content filter is MISSING the "friendly name" from the email address (it appears to only be looking at the actual email address).
LVL 17

Expert Comment

by:Suraj
ID: 37736416
Is the sender sending mail from one particular IP?
You may also try to use a transport rule!
LVL 4

Expert Comment

by:ltsweb
ID: 37740621
Doesn't it show up in the text of the message?  I am assuming you tried blocking the friendly name using the Phrase ACL?   At least it is getting tagged as SPAM!

Author Comment

by:ppapasav
ID: 37761375
I tried the following

1) In Transport rules, created a new one that
 A) When the from address contains certain words, "Enlargement", "Rolex", "Viagra" .. etc, delete the message... perhaps I have to change this to "When Message Header contains certain words" instead?

My understanding, from having spoken to Trend Micro, is that Scanmail will see the message AFTER Exchange content filtering or Transport rules see it ... so, the only thing I'm thinking is, since it is winding up in SPAM, is it possible it's the other way around?? Even so, the Transport rule should delete the message

These are the actual options I can use

"When the message header contains specific words
When the from address contains specific words
When the from address matches text patterns"

So as you can see, there are many options that could all potentially work .. So far, I've tried when the from address contains specific words -

I've also tried under the content filtering tab under anti-spam - I added custom words .. I have to believe either one of two things is happening:

1. It's not evaluating the header
2. It is but it's not following through on the action (when the SCL level is >= 9) ...

Any ideas?
LVL 4

Accepted Solution

by:
ltsweb earned 335 total points
ID: 37761426
Can you remove the Exchange filters that are trapping the spam and just use the Trend product?  Will Trend product take care of the filter or was that letting items go through?

If not, what is the SCL tag on the spam?  I am assuming you confirmed it is tagged =>9?

A typical setting is:

SCL delete threshold is set to 8.
 
SCL reject threshold is set to 7.
 
SCL quarantine threshold is set to 6.
 
SCL Junk E-mail folder threshold is set to 5.

It really sounds like there is a conflict between the two systems if you have confirmed everything above.

I also found a Technet post with a similar issue (See:  http://social.technet.microsoft.com/Forums/uk/exchangesvrantivirusandantispam/thread/a19bf469-cba8-489a-9bfb-c5bbe71212e9)

In summary:


"Remove “ms-Exch-Bypass-Anti-Spam” permission from all users except for the users below:...
 
Get-ReceiveConnector "default HUBXXX" | Remove-ADPermission -User "domain\ExchangeLegacyInterop" -ExtendedRights "Ms-Exch-Bypass-Anti-Spam"

enable internal Anti-spam:

"Set-ContentFilterConfig -ExternalMailEnabled:$true -InternalMailEnabled:$true"

In this configuration, the SCL rating still does not work, the agent log changes from "SCL PolicyDisabled" on all messages to "Content Filter Bypassed" and no actions take place.

Then there needs to be an explicit deny for the LegacyInterop group, just removing the permission is not enough.

"Get-ReceiveConnector "default HUBXXX" | Add-ADPermission -User "domain\ExchangeLegacyInterop" -deny -ExtendedRights "Ms-Exch-Bypass-Anti-Spam""

After doing this and restarting the Transport service, it should work according to the post.

SCL ratings should show in the agent log, and hopefully the delete thresholds should work.


Keep us posted.
0
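
A read-only check of what the accepted answer asks about (SCL thresholds, who holds Ms-Exch-Bypass-Anti-Spam on each receive connector, and what the agent log records), as an added example that is not part of the original answer or the TechNet post. It assumes the Exchange Management Shell on an Exchange 2010 Hub Transport server with the anti-spam agents installed; the 24-hour window is an arbitrary choice.

```powershell
# Added example: read-only audit, changes no configuration.
# Run in the Exchange Management Shell on the Hub Transport server.

# 1. Content Filter agent state and the SCL thresholds discussed above.
Get-ContentFilterConfig |
    Format-List Enabled, ExternalMailEnabled, InternalMailEnabled,
                SCLDeleteEnabled, SCLDeleteThreshold,
                SCLRejectEnabled, SCLRejectThreshold,
                SCLQuarantineEnabled, SCLQuarantineThreshold

# The Junk E-mail folder threshold is an organization-wide setting.
Get-OrganizationConfig | Format-List SCLJunkThreshold

# Custom Allow/Block phrases currently configured for the agent.
Get-ContentFilterPhrase | Format-Table Phrase, Influence -AutoSize

# 2. Every allow or deny entry for Ms-Exch-Bypass-Anti-Spam, per connector.
#    An allow entry for a group the sending session belongs to means the
#    Content Filter is bypassed; Deny = True is the explicit deny above.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $connector | Get-ADPermission |
        Where-Object { $_.ExtendedRights -like 'Ms-Exch-Bypass-Anti-Spam' } |
        Select-Object @{ Name = 'Connector'; Expression = { $connector.Name } },
                      User, Deny, IsInherited
} | Sort-Object Connector, User | Format-Table -AutoSize

# 3. What the Content Filter Agent logged over the last 24 hours,
#    grouped by reason. Entries such as "SCL PolicyDisabled" or
#    "Content Filter Bypassed" mean no SCL action was applied.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) |
    Where-Object { $_.Agent -eq 'Content Filter Agent' } |
    Group-Object Reason, ReasonData |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it before and after the permission change and the Transport service restart; the reasons listed in step 3 show whether SCL ratings are now being applied.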
 

Author Comment

by:ppapasav
ID: 37775101
I think your answer is very thorough ... and right now, I don't have the cycles  to test it ... I will try a bit more this weekend - I appreciate the time you put into answering this question - I'll try it in a few days at most