Solved

Exchange 2010 Content Filtering Issue

Posted on 2012-03-18
Last Modified: 2012-07-10
I'm trying to figure out how to block email from a particular sender ... However, it's not the EMAIL address, it's the FRIENDLY NAME that I'm trying to block -

Specifically, I'm trying to minimize the amount of SPAM that actually goes into the SPAM folder. I'm getting tons of emails like "SAMPLE ENLARGEMENT" as the "Friendly Name", but with some random email address.

I can't seem to put a filter in that will block the friendly name (which is still part of the header) - Anyone have an idea?
Question by:ppapasav
7 Comments
 
LVL 4

Expert Comment

by:ltsweb
ID: 37735049
Hi,

First, I would strongly suggest you use Postini.com (Google) or Barracuda Networks as the first level of defense. These products will offer you much better protection and control. At minimum, I would suggest you download Microsoft Forefront for your Exchange box.

However, to answer your question, you should use the Content Filter found in the Exchange Management Console.  In there you can customize how the Content Filter agent assigns SCL values by configuring custom words. Custom words are individual words or phrases that the Content Filter agent uses to apply appropriate filter processing. You configure approved words or phrases with Allow phrases and unapproved words or phrases with Block phrases. When the Content Filter agent detects a preconfigured Allow phrase in an inbound message, the Content Filter agent automatically assigns an SCL value of 0 to the message. Alternatively, when the Content Filter agent detects a configured Block phrase in an inbound message, the Content Filter agent assigns an SCL rating of 9.

You can enter custom words or phrases in any combination of uppercase and lowercase letters. However, when the Content Filter agent evaluates message content, it ignores case. The maximum number of custom words or phrases that can be created is 800.

See:  http://technet.microsoft.com/en-us/library/bb124739.aspx for more details.

Hope this helps!

Regards!
0
 

Author Comment

by:ppapasav
ID: 37735334
We actually already use Trend Micro ScanMail ... The mail is already classified as spam and we have already done everything you have suggested.

The problem is the content filter is MISSING the "friendly name" from the email address (it appears to only be looking at the actual email address).
0
 
LVL 17

Expert Comment

by:Suraj
ID: 37736416
Is the sender sending mail from one particular IP?
You may also try to use a transport rule!
0
 
LVL 4

Expert Comment

by:ltsweb
ID: 37740621
Doesn't it show up in the text of the message?  I am assuming you tried blocking the friendly name using the Phrase ACL?   At least it is getting tagged as SPAM!
0
 

Author Comment

by:ppapasav
ID: 37761375
I tried the following

1) In Transport rules, created a new one that
 A) When the from address contains certain words, "Enlargement", "Rolex", "Viagra" .. etc, delete the message... perhaps I have to change this to "When Message Header contains certain words" instead?

My understanding, from having spoken to Trend Micro, is that Scanmail will see the message AFTER Exchange content filtering or Transport rules see it ... so, the only thing I'm thinking is, since it is winding up in SPAM, is it possible it's the other way around?? Even so, the Transport rule should delete the message

These are the actual options I can use:

When the message header contains specific words
When the from address contains specific words
When the from address matches text patterns

So as you can see, there are many options that could all potentially work .. So far, I've tried when the from address contains specific words -

I've also tried under the content filtering tab under anti-spam - I added custom words .. I have to believe either one of two things is happening:

1. It's not evaluating the header
2. It is but it's not following through on the action (when the SCL level is >= 9) ...

Any ideas?
0
 
LVL 4

Accepted Solution

by:
ltsweb earned 1340 total points
ID: 37761426
Can you remove the Exchange filters that are trapping the spam and just use the Trend product?  Will Trend product take care of the filter or was that letting items go through?

If not, what is the SCL tag on the spam?  I am assuming you confirmed it is tagged =>9?

A typical setting is:

SCL delete threshold is set to 8.
SCL reject threshold is set to 7.
SCL quarantine threshold is set to 6.
SCL Junk E-mail folder threshold is set to 5.

It really sounds like there is a conflict between the two systems if you have confirmed everything above.

I also found a Technet post with a similar issue (See:  http://social.technet.microsoft.com/Forums/uk/exchangesvrantivirusandantispam/thread/a19bf469-cba8-489a-9bfb-c5bbe71212e9)

In summary:

Remove “ms-Exch-Bypass-Anti-Spam” permission from all users except for the users below:...

Get-ReceiveConnector "default HUBXXX" | Remove-ADPermission -User "domain\ExchangeLegacyInterop" -ExtendedRights "Ms-Exch-Bypass-Anti-Spam"

Enable internal anti-spam:

Set-ContentFilterConfig -ExternalMailEnabled:$true -InternalMailEnabled:$true

In this configuration, the SCL rating still does not work, the agent log changes from "SCL PolicyDisabled" on all messages to "Content Filter Bypassed" and no actions take place.

Then there needs to be an explicit deny for the LegacyInterop group, just removing the permission is not enough.

Get-ReceiveConnector "default HUBXXX" | Add-ADPermission -User "domain\ExchangeLegacyInterop" -Deny -ExtendedRights "Ms-Exch-Bypass-Anti-Spam"

After doing this and restarting the Transport service, it should work according to the post.

SCL ratings should show in the agent log, and hopefully the delete thresholds should work.


Keep us posted.
0
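The steps in the accepted answer above, gathered into one Exchange Management Shell sequence with a check before and after. This is an added example, not code from the original post or from the TechNet thread it cites; the connector name "default HUBXXX" and the group "domain\ExchangeLegacyInterop" are the post's placeholders, and the one-hour log window is an assumption.

```powershell
# Added example, not from the post or the TechNet thread.
# Run in the Exchange Management Shell on the Hub Transport server.
# Connector and group names are the post's placeholders; substitute your own.
$connector = 'default HUBXXX'
$group     = 'domain\ExchangeLegacyInterop'
$right     = 'Ms-Exch-Bypass-Anti-Spam'

# 1. Before changing anything, list every entry (allow or deny) that
#    carries the anti-spam bypass right on this receive connector.
Get-ReceiveConnector $connector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "*$right*" } |
    Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize

# 2. Remove the allow entry, then add the explicit deny. The post says
#    removing the permission alone is not enough.
Get-ReceiveConnector $connector |
    Remove-ADPermission -User $group -ExtendedRights $right -Confirm:$false
Get-ReceiveConnector $connector |
    Add-ADPermission -User $group -Deny -ExtendedRights $right

# 3. Apply content filtering to internal as well as external mail,
#    then show the resulting switches and SCL thresholds.
Set-ContentFilterConfig -ExternalMailEnabled:$true -InternalMailEnabled:$true
Get-ContentFilterConfig |
    Format-List Enabled, ExternalMailEnabled, InternalMailEnabled, SCL*

# 4. Restart transport so the permission change is picked up.
#    Mail flow pauses while the service restarts.
Restart-Service MSExchangeTransport

# 5. Once new mail has arrived, summarise what the Content Filter Agent
#    logged. The post quotes "SCL PolicyDisabled" and "Content Filter
#    Bypassed" as the entries seen while filtering is not being applied.
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq 'Content Filter Agent' } |
    Group-Object Reason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 6. Re-run the listing from step 1 to confirm the deny entry is present.
Get-ReceiveConnector $connector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "*$right*" } |
    Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize
```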
 

Author Comment

by:ppapasav
ID: 37775101
I think your answer is very thorough ... and right now, I don't have the cycles  to test it ... I will try a bit more this weekend - I appreciate the time you put into answering this question - I'll try it in a few days at most
0
