In Exchange 2003 Microsoft made its first significant steps towards providing a comprehensive anti-spam filtering solution out of the box. Exchange 2007 makes further advancements beefing up the feature set through a number of transport agents.
Today we look at the Content Filter agent, the reincarnation of the Exchange 2003 Intelligent Message Filter (IMF). We see how this agent builds on IMF adding functionality in a number of areas.
Installing the Anti-Spam Agents
The Content Filter forms part of a set of anti-spam transport agents that ship with Exchange 2007. These must be run on a server having the Edge or Hub transport server role. The Edge server installation includes the anti-spam agents within it. However in case of Hub Transport servers, the agents must be installed manually through the command shell.
The installation script is located under:
<Exchange Server dir.>\Scripts\install-AntispamAgents.ps1
On the Hub transport server machine, from the Exchange 2007 program group, open the Exchange Management Shell.
Run> install-AntispamAgents.ps1
Restart the MS Exchange Transport service
Once the Agents are installed we can proceed with the configuration. From the Exchange 2007 program group, open the Exchange Management Console. Next, depending on the server type, select:
Microsoft Exchange | Edge Transport | Anti-Spam OR
Microsoft Exchange | Organization Configuration | Hub Transport | Anti-Spam
From here we can see the various anti-spam filter types Exchange 2007 provides. Note how all of these are enabled by default. For today we just focus on the Content Filter. Open its properties to start exploring the available functionality.
SCL Thresholds
The main set of thresholds is available at the Content Filter properties under the Actions page. Here we find the SCL thresholds for the Gateway level actions.
In Exchange 2003 IMF provided one Gateway threshold to which an action from Delete, Reject or Archive could be applied.
The Content Filter now provides three Gateway thresholds, one for each of the Delete, Reject and Quarantine actions. The three threshold settings follow a rule where:
- The Delete threshold must be greater than the Reject threshold
- The Reject threshold must be greater than the Quarantine threshold
Exchange 2003 IMF users will immediately notice that no threshold is available for disk Archiving. Instead emails can now be rerouted to a central mailbox through the Quarantine Action. We just need to enable the Quarantine threshold and specify the email address where to deposit filtered emails.
Of course it is also possible to configure the gateway thresholds and all other Content Filter properties using the command shell. We do this using the Set-ContentFilterConfig cmdlet. Here are some examples:
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9
What about the Junk Email threshold? How are we to specify which emails should go to the Outlook Junk Folder? Exchange 2007 continues with the tradition of putting certain settings in locations that are not immediately intuitive. Of course there is probably a valid technical reason for this. However the public newsgroups already show this as one of the most common Content Filter related questions.
A global SCL Junk email threshold equivalent to that available in Exchange 2003 can now be set using the command shell:
Set-OrganizationConfig -SCLJunkThreshold <SCL threshold value>
As in the case of Exchange 2003, this SCL Junk threshold applies to emails with an SCL greater but NOT equal to the threshold. Thus considering all the thresholds discussed above, an email is deposited to the Junk Folder if the assigned SCL:
- Exceeds the threshold specified through Set-OrganizationConfig
- Is less than any gateway threshold configured at the Content Filter
So far we discussed the configuration of global thresholds that work very similarly to the Exchange 2003 IMF. In addition to these, Exchange 2007 also provides another option. It is possible to configure thresholds per mailbox that override the global thresholds. On processing an email the Content Filter will first look for the mailbox specific thresholds. If found, these are applied, otherwise the global thresholds are enforced.
Mailbox specific thresholds are configured through the set-mailbox cmdlet. The set of set-mailbox parameters relevant to anti-spam are listed in, How to Configure Anti-Spam Features on a Mailbox.
As an example the following cmdlet overrides the Global Junk Email threshold for the dom\User mailbox:
Set-Mailbox
-Identity dom\User
-SCLJunkEnabled $true
-SCLJunkThreshold 4
This one overrides the Rejection threshold:
Set-Mailbox
-Identity dom\User
-SCLRejectEnabled $true
-SCLRejectThreshold 7
The following clears the rejection threshold override, forcing the Content Filter configuration to be applied:
Set-Mailbox
-Identity dom\User
-SCLRejectEnabled $null
Of course we can also process multiple mailboxes with a single cmdlet by piping the get-mailbox result to set-mailbox:
Get-Mailbox -OrganizationalUnit Domain.com\Users | Set-Mailbox
-SCLDeleteEnabled $true -SCLDeleteThreshold 8
Custom Words Property Page
At the Content Filter properties we also have the Custom Words property page. Here we find a keyword based whitelist and blacklist. This functionality is similar to that provided by the Exchange 2003 XML custom weights file.
The Exchange 2003 XML solution has some major limitations that the Content Filter resolves. In Exchange 2003, whenever an IMF update is installed, the XML file must be copied to the new directory created by the update. Considering that IMF receives two updates per month, this can become quite an issue.
Another problem with the XML file is the lack of a proper UI for configuring keywords. Editing the file manually is prone to human error. For example, mistyping an XML element name leads to invalid XML. In turn this causes IMF to ignore the settings altogether.
Apart for these improvements it is worth noting how the new Content Filter lost a feature on the way. In Exchange 2003 the XML allows both for whitelist/blacklist functionality and also for assigning weights to specific keywords. For example through the XML we can say that if the word "sex" is found, increment the SCL by 2. In this manner we influence how emails are rated. The Content Filter does not provide this functionality any longer.
Recipient Exceptions
As discussed in Excluding Recipients from IMF Filtering, in Exchange 2003 a patch is available for allowing the exclusion of certain mailbox from spam filtering. The patch requires the configuration of email addresses at the registry.
The Exchange 2007 Content Filter now provides the UI for entering these addresses. We find this at the Content Filter | Exceptions properties page.
References
How to install Microsoft Anti Spam Agents on Exchange 2007
How to Enable and Configure the Spam Confidence Level Thresholds
How to Configure Anti-Spam Features on a Mailbox