MCITP Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide, Part 8


582
Chapter 14

Planning Antivirus and Antispam for Exchange Server 2007
Exercise 14.5 outlines the instructions to configure sender filtering on the Exchange Server 2007
server. Note that the procedure described is applied only to the local system. If you are running
more than one Edge Transport server in your organization, then follow the procedure on your
other Edge Transport servers to maintain consistency.
EXERCISE 14.6
Configuring Sender Filtering
Use the following steps to configure sender filtering:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the sender-filtering agent, and then click on
Properties.
5. The General tab of the Agent Properties window displays its current status (Enabled or
Disabled), the last time the agent’s settings were modified, and a brief description of the agent.
Click on the Blocked Senders tab to add, edit, or delete entries in the Blocked Senders list.
6. At the bottom of the window shown below, choose the Block Messages from Blank Senders
option. This option blocks messages that do not specify the sender’s email address. (A common
technique of spammers is to hide the sender address or not specify an email address in
the sender field.) Click on Add.
81461.book Page 582 Wednesday, December 12, 2007 4:49 PM
Planning and Implementing Exchange Server 2007 Antispam Features
583
7. In the Add Blocked Senders dialog box, under Individual E-mail Address, type in the
email address of a sender ( in this example), as shown
below, and then click OK to continue. You also can choose Domain to block particular
domains and subdomains.


8. On the Action tab, ensure that Reject Message is selected. Alternatively, you can choose
to stamp messages with “Blocked Sender” and continue processing instead of rejecting
the messages.
9. Click Apply to save changes, or click OK to save changes and close the window.
10. Close the Exchange Management Console.
Sender filtering allows you to use the asterisk (*) wildcard to block multiple
email addresses. For example, you can add *@externalcompany.com to the
Individual Email Address field to block all emails from externalcompany.com. You
can get the same result by adding externalcompany.com to the Domain field.
Sender filtering overrides the Outlook Safe Senders list, which means that
your Edge Server will reject/stamp the message even if your users/recipients
have included the sender on an Outlook Safe Senders list.
Once you configure sender filtering, the next step is to test your changes. Exercise 14.7 outlines
the steps to test sender filtering on the Exchange Server 2007.
EXERCISE 14.7
Testing Sender Filtering
To test sender filtering, follow these steps:
1. Log on to the server on which you want to run this command.
2. Click Start > Run, type cmd.exe, then press Enter or click OK.
3. In the command-prompt window, type telnet YourExchangeServername 25, and then
press Enter.
4. Type EHLO, and then press Enter.
5. Type Mail From: , and then press Enter. Confirm that
you receive a “sender denied” message.
6. Type Quit to exit, and then press Enter.
7. Type Exit to close the command prompt and return to the Windows Shell.
Recipient Filtering
Emails that are not rejected by sender filtering are handed over to the recipient-filtering agent.
Recipient filtering is similar to sender filtering, except it is designed for your Exchange
organization and is based on the recipient address instead of sender address. With recipient
filtering you can block email messages from the Internet to specific internal email addresses. This
option is extremely helpful in stopping spam to specific email accounts, such as those that
are no longer active in your organization, or commonly named email accounts (such as
or ).
Recipient filtering checks the recipient of the email against the Blocked Recipient
list. If the recipient is not listed, the email is handed over to the next agent. If the
Edge Transport server receives an email message addressed to a recipient that
is either listed on the Blocked Recipient list or not present in the Global Address
List, a “550 5.1.1 User unknown” SMTP session error will be returned to the
sender of the message.
Recipient filtering is enabled by default and can be configured using the Exchange
Management Console or Exchange Management Shell. If you decide to disable recipient filtering, you
can do so by using the EMC and the EMS. Disabling recipient filtering using the EMC is simple.
Right-click on the agent icon in the Action pane and select Disable. To disable recipient filtering
using the EMS, run the set-RecipientFilterConfig -Enabled $false command.
Exercise 14.8 outlines the instructions to configure recipient filtering on the Exchange
Server 2007 server. Note that the procedure described in the exercise applies only to the local
system. If you are running more than one Edge Transport server in your organization, follow
the procedure on your other Edge Transport servers to maintain consistency.
EXERCISE 14.8
Configuring Recipient Filtering
Use the following steps to configure recipient filtering:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the recipient-filtering agent, and then click on
Properties.
5. The General tab of the Agent Properties window displays its current status (Enabled or
Disabled), the last time the agent’s settings were modified, and a brief description of the
agent. Click on the Blocked Recipient tab to add, edit, or delete entries in the Blocked
Recipient list.
6. Click on Block the Following Recipients. In the Block the Following Recipients text box, type
and then click Add to continue. Click Add again to add
more recipients. Spammers often send emails to common names (such as Michelle, Cindy,
Lisa, John, Jason, James, etc.). To address the “common recipient” spamming technique,
you can block messages that are sent to recipients not listed in your Global Address List.
As shown below, simply check the box to block messages sent to recipients not listed in the
Global Address List.
7. Click Apply to save changes, or click OK to save changes and close the window.
8. Close the Exchange Management Console.
Any email addresses entered on the Blocked Recipients list will be blocked
only for senders who are located outside of your organization or who are
sending emails from the Internet. Internal users will still be able to send
messages to recipients listed in the Blocked Recipient list. Recipient filtering
allows you to enter up to 800 email addresses.
Once you configure recipient filtering, the next step is to test your changes. Exercise 14.9
outlines the steps to test recipient filtering on the Exchange Server 2007.
The Edge Transport server receives the recipient list from the Active
Directory. Because recipient filtering can only check recipients in the Global
Address List, you must configure the EdgeSync process between the
Active Directory Application Mode (ADAM) and Active Directory forest for
recipient lookup.
Sender ID Filtering
If an email message has not been rejected by sender filtering and recipient filtering, it goes to
sender ID filtering. Sender ID filtering counters domain spoofing and phishing schemes by
ensuring that an email message is sent from an SMTP server that is authorized to send email messages
for a specific domain. Recipient servers accomplish this by extracting the email address in the
From field of the message headers and checking the address of the sending email server against
a list of registered servers that the domain owner has authorized to send emails. When
configured correctly, sender ID filtering can help you accurately eliminate malicious email without
additional analysis of its content. All verification is performed automatically by the Edge
Transport server or Hub Transport server before the message is delivered to the recipient. Once the
sender ID has been recognized and authenticated, the email message is delivered to other filters
for additional processing.
EXERCISE 14.9
Testing Recipient Filtering
Follow these steps to test your recipient filtering:
1. Log on to the server on which you want to run this command.
2. Click Start > Run, then type cmd.exe. Press Enter or click OK.
3. In the command-prompt window, type telnet YourExchangeServername 25, and then
press Enter.
4. Type EHLO and then press Enter.
5. Type Mail From: and then press Enter.
6. Type Rcpt To: and then press Enter. Confirm that you
receive a “user unknown” message.
7. Type Quit to exit, and then press Enter.
8. Type Exit to close the command prompt and return to the Windows shell.
Sender Policy Framework (SPF) Records
To configure sender ID filtering, you must first understand the Sender Policy Framework (SPF)
records. SPF records work with sender ID filtering to stop malicious emails. The SPF record is
a piece of information on the DNS servers that is required by sender ID filtering to determine
whether the email message was sent by an authorized server for the specified domain. In simple
terms, an SPF record is a listing of authorized SMTP servers for a particular domain or set of
domains in the DNS database. Publishing an SPF record in the public DNS allows the recipient
SMTP servers to perform a reverse Mail Exchanger (MX) lookup by cross-referencing the IP
addresses of the authorized SMTP servers against that organization’s DNS entry for their domain.
SPF records can be in different formats. Here are a few examples:
mcitpdomain.com IN TXT "v=spf1 mx -all"
This indicates that all servers identified by an
MX record for the mcitpdomain.com domain are allowed to send email for that domain.
v=spf1 mx ip4:192.168.10.10 -all
This SPF record indicates that server 192.168.10.10
identified by an MX record is allowed to send email for your domain.
MAIL IN TXT "v=spf1 a -all"
This SPF record indicates that server MAIL is allowed to
send email for your domain.
mcitpdomain.com IN TXT "v=spf1 ip4:192.168.10.10 -all"
This SPF record indicates that a
server with IP address 192.168.10.10 is allowed to send email for the mcitpdomain.com domain.
v=spf1 mx mx:mail1.mcitpdomain.com mx:mail2.mcitpdomain.com mx:mail3.mcitpdomain.com -all
This SPF record for mcitpdomain.com uses an MX record to identify three mail
servers (mail1, mail2, and mail3) that are authorized to send emails from the mcitpdomain.com
domain.
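The check a receiving server makes against records like these, as an added example (not code from the book or from Exchange): a small evaluator for the mx, a, ip4 and all mechanisms, including the failure you get when a record is pasted with a typographic dash in place of the hyphen in -all. The DNS table, the host addresses and the names check_spf, DNS and NOT_MODELLED are assumptions constructed so the code runs offline.

```python
import ipaddress

# Constructed DNS data so the example runs offline (assumption, not from the book).
DNS = {
    "MX": {"mcitpdomain.com": ["mail1.mcitpdomain.com", "mail2.mcitpdomain.com"]},
    "A": {
        "mcitpdomain.com": ["192.168.10.20"],
        "mail1.mcitpdomain.com": ["192.168.10.10"],
        "mail2.mcitpdomain.com": ["192.168.10.11"],
    },
}

# Qualifier in front of a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Valid SPF mechanisms that this small example does not evaluate.
NOT_MODELLED = {"include", "ptr", "exists", "ip6"}


def _a(name):
    """Addresses published in the A records of `name`."""
    return {ipaddress.ip_address(a) for a in DNS["A"].get(name.lower(), [])}


def _mx(name):
    """Addresses of every host named in the MX records of `name`."""
    ips = set()
    for host in DNS["MX"].get(name.lower(), []):
        ips |= _a(host)
    return ips


def check_spf(record, client_ip, domain):
    """Evaluate `record` for a connection from `client_ip` claiming `domain`.

    Mechanisms are tested left to right; the first one that matches decides
    the result through its qualifier (no qualifier means '+', i.e. pass).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF version 1 record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
        elif name == "a":
            matched = ip in _a(arg or domain)
        elif name == "mx":
            matched = ip in _mx(arg or domain)
        elif name in NOT_MODELLED or "=" in name:
            return "unsupported"           # valid SPF, outside this example
        else:
            return "permerror"             # e.g. an en dash typed for '-'
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no 'all' term


if __name__ == "__main__":
    for rec, ip in [
        ("v=spf1 mx -all", "192.168.10.11"),
        ("v=spf1 mx -all", "203.0.113.5"),
        ("v=spf1 ip4:192.168.10.10 -all", "192.168.10.10"),
        ("v=spf1 mx \u2013all", "203.0.113.5"),
    ]:
        print(f"{rec!r:40} {ip:15} -> {check_spf(rec, ip, 'mcitpdomain.com')}")
```

A record that ends in an unrecognised term still passes the authorized servers, so the typing error only shows up when mail from an unauthorized address is evaluated.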
Creating a Sender Policy Framework (SPF) Record
To create SPF records, you can use Microsoft’s four-step wizard. If you want to use the advanced
features of SPF format, you may need to manually edit the SPF record created by the wizard.
Exercise 14.10 outlines the steps to create an SPF record.
EXERCISE 14.10
Creating an SPF Record
1. The wizard is found online at />technologies/senderid/wizard/.
2. At Identify Your Domain, enter the domain name for which you want to create a new SPF
record (in this example, mcitpdomain.com).
3. At Display Published DNS Records, you’ll see that the wizard checked the DNS for
information about mcitpdomain.com, including existing SPF, MX, and A records. If an SPF
record was found, you can verify its contents and use the remaining steps of the wizard
to modify the record. If no SPF record was found, you can use information from the
domain’s MX and A records to create a new SPF record.
4. At Create SPF Record, the wizard prompts you to choose proper options to create SPF
records. This step is divided into different sections. Your choices are as follows:
   No Mail Is Sent from Domain: Choose this option if the domain does not send email.
   Domain’s Inbound Servers May Send Mail: Choose this option if your inbound mail
   servers are also used to send outbound mail.
   All Addresses Listed in A Records May Send Mail: If all the IP addresses listed in A
   records for your domain in DNS are outbound mail servers, you should include this
   option in your new SPF record. You also can enter any additional IP addresses you
   wish to add to your SPF record.
   All PTR Records Resolve to Outbound Email Servers: Choose this option if all reverse
   DNS Pointer records (PTR) resolve to the domain’s outbound email servers.
   Outsourced Domains: Choose this option if the domain’s outbound email is routed
   through another domain (outsourced).
   Does Your Domain Send Email from Any IP Addresses That Are Not Identified in the
   Above Sections? Choose appropriate settings for your environment.
5. At Generate SPF Record, the wizard will provide you with the generated SPF records.
The record example for mcitpdomain.com looks like this:
v=spf1 mx mx:mail1.mcitpdomain.com mx:mail2.mcitpdomain.com
mx:mail3.mcitpdomain.com -all
Where:
v=spf1 designates that this is an SPF record and it is version 1.
mx mx:mail1.mcitpdomain.com mx:mail2.mcitpdomain.com
mx:mail3.mcitpdomain.com signifies that mail1, mail2, and mail3 are authorized to
send and receive email for mcitpdomain.com.
-all designates that no one besides the IP addresses in mcitpdomain.com’s MX records
is authorized to send email.

Configuring Sender ID Filtering
Sender ID filtering is enabled by default and can be configured using the Exchange Management
Console or Exchange Management Shell. You also can disable sender ID filtering by using the
EMC and the EMS. Disabling sender ID filtering using the EMC is simple. Right-click on the agent
icon in the Action pane, and then select Disable. To disable sender ID filtering using the EMS, run
the Set-SenderIdConfig -Enabled $false command.
The following exercise outlines the steps to configure sender ID filtering on the Exchange
Server 2007 server. Note that the procedure described in the following section applies only to
the local system. If you are running more than one Edge Transport server in your organization,
follow the procedure on your other Edge Transport servers to maintain consistency.
EXERCISE 14.11
Configuring the Sender ID Filtering Agent
To configure the sender ID filtering agent, follow these steps:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the Sender ID agent, and then click on Properties.
5. Click on the Action tab. As shown below, you can configure sender ID filtering to reject
a message, delete a message, or stamp a message with the sender ID result and
continue processing.
   Choose Reject Message if you want to reject the message and send an error response
   to the sending server.
   Choose Delete Message if you want to delete the message without notifying
   the sender.
   Choose Stamp Message with Sender ID Result and Continue Processing if you are
   planning to append certain information to the message headers for the content-filtering
   agent. This information, often referred to as metadata, is used by the content filter
   to create the SCL.
6. Click OK to continue.
7. Close the Exchange Management Console.
How Sender ID Filtering Works
To use sender ID filtering, the sender organization must create a Sender Policy Framework
record and publish it as a DNS host record on the sender’s public DNS servers. The
published SPF record is a single TXT record in the public DNS database that holds the
IP address information of the SMTP servers that are allowed to send emails for that
domain. The receiving Exchange servers check the SPF records to confirm that the sending
SMTP server is on the list of authorized servers for that particular domain. If the sending
SMTP server is not listed, then the receiving Exchange server will assume the email is
coming from an unauthorized server and either drop the message or forward it with additional
header information.
In general, sender ID filtering works as follows:
1. The message is received by the Exchange Edge Transport server.
2. The Edge Transport server checks the IP address of the sending SMTP server and queries
the DNS for the SPF record.
3. If the SPF record matches the sender SMTP server, the Edge Transport server forwards the
message to the next filter for additional processing or sends it to the recipient, depending
on how your environment is configured.
4. If the SPF record does not match the sender SMTP server, the Edge Transport server will
drop the message or forward it with additional header information.
We highly recommend that you create an SPF record for your domain. Doing
so helps protect your domain and makes it difficult for spammers to forge
your domain name and use it to spam other organizations.
Content Filtering
Content filtering is another antispam agent that blocks or quarantines messages based on their
content, regardless of the originating SMTP servers. Content filtering analyzes the content of
all the emails received by your Edge Transport server to evaluate whether the messages are
spam. It is useful for identifying messages containing content deemed unacceptable to your
organization, such as advertisements or sexually explicit remarks.

Content filtering checks emails for specific content and keywords. Depending
on your organizational requirements, the filter can block the email message
or send it to quarantine. In either case, when the Edge/Hub Transport server
receives messages with content or phrases included on a list of blocked
keywords, the content-filtering agent returns a default response message
of “550 5.7.1 Message rejected due to content restrictions” to the sender.
You can customize this message by using the Set-ContentFilterConfig
command in the Exchange Management Shell.
Content filtering is considered the next generation of the Intelligent Message Filter (IMF,
version 3), which is based on Microsoft’s SmartScreen Filter technology (a proprietary
message-analyzing filter). The content filter, developed based on evaluations of millions of messages, can
distinguish between spam and legitimate email. The filter is updated periodically through
Microsoft Software Update Services.
When the Edge Transport server with content filtering enabled receives an email, it
evaluates the content of the email and assigns it an overall rating based on the probability that the
message is spam. This rating is generally referred to as the SCL, and it is stored as an email
message property (actually a MAPI property). Because the rating is saved as a property of the
email message, it will persist with the email message when it is sent to other Exchange servers.
The SCL rating is a numerical value between zero and nine (with zero indicating that the
message is highly unlikely to be spam and nine meaning that the message is very likely to be spam).
Depending on how you configure your environment and the threshold value of the SCL, you
can silently delete, reject, or quarantine the message to a specified mailbox.
Content filtering includes the following options:
Block or Allow Messages: Allows you to define a list of customized words and phrases
and block or allow messages based on that list. You can create a list of words or phrases
that will not be blocked no matter what the SCL rating of the particular message is. You
also can create a list of words or phrases that will be blocked no matter what the message’s
SCL rating is.
Allow Exceptions: You can define an exceptional recipient list so that the content-filtering
agent excludes the recipients in the list and delivers messages to the recipients.

Specify Actions: You can configure the SCL threshold and threshold actions. You can
choose to delete, reject, or quarantine messages for which the SCL value is higher than
your specified settings.
If an email’s SCL rating is equal to the SCL delete threshold, the message will be deleted
without notifying the sending server. If an email’s SCL is equal to the SCL reject threshold, the
message will be deleted and a rejection response of “550 5.7.1 Message rejected due to content
restrictions” will be returned to the sending server. If an email’s SCL rating is equal to the SCL
quarantine threshold, the message will be sent to the email address specified in the Quarantine
mailbox email address field.
In general, configuring the content filter on an Edge Transport server involves seven steps:
1. Enable the content-filtering agent.
2. Create a mailbox for quarantined messages.
3. Designate a quarantine mailbox.
4. Configure allow and block keywords and phrases.
5. Configure the exceptional recipient list.
6. Specify actions and configure SCL threshold values.
7. Specify recipient and sender exceptions.
These steps are detailed in the following sections.
Step 1: Enabling the Content-Filtering Agent
The content-filtering agent is enabled by default and can be configured using the Exchange
Management Console or Exchange Management Shell. As noted earlier, you can disable
content filtering using the EMC and EMS.
To disable the content-filtering agent using the Exchange Management Shell, run the
set-ContentFilterConfig -Enabled $false command.
The following exercise outlines the steps to configure content filtering on Exchange Server 2007
servers. Note that the procedure described in the following section is applied only to the local
system. If you are running more than one Edge Transport server in your organization, follow the
procedure on your other Edge Transport servers to maintain consistency.
EXERCISE 14.12
Configuring the Content-Filtering Agent
Use the following steps to configure the content-filtering agent:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the content-filtering agent, and then click on
Enable or Disable.
5. Close the Exchange Management Console.
Step 2: Creating a Quarantine Mailbox
The second step in the process is to create a mailbox called Quarantined Messages and a
corresponding Active Directory user account. This mailbox will store messages on which an
action of “quarantine” was taken. You may want to consider creating multiple quarantine
mailboxes solely for each individual Edge Transport server. Generally, it is recommended to
have one quarantine mailbox per Edge Transport server. Although this may create more work
for Exchange system administrators, it will decrease the load on one Mailbox server. It’s also
extremely helpful if you have to troubleshoot configurations and quarantine issues between
the Edge Transport servers. Depending on how many messages are received by your Exchange
organization and how many recipients you have in your Exchange organization, configure
a reasonable quota (designate a quota based on your organization’s policies, practices, and
email volume) for this mailbox because the spam quarantine can grow substantially. You also
may want to set up delegation if you’re going to open the mailbox as an additional mailbox
by using your primary mailbox account.

The following exercise outlines the steps to create and configure the quarantine mailbox.
EXERCISE 14.13
Creating a Quarantine Mailbox
Follow these steps to create and configure the quarantine mailbox:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. In the Console tree, expand Recipient Configuration, and then click Mailbox.
4. Right-click on the mailbox, and then click New Mailbox.
5. Click Next to accept the default option of User Mailbox.
6. Click Next to accept the default option of New User.
7. Beside Organizational Unit, click Browse. In the Select Organizational Unit dialog box,
expand an appropriate OU where you would like to keep this mailbox. Click OK.
8. Enter the following information for the new user, and then click OK:
   First name: Quarantine
   Last name: Mailbox
   User logon name (User Principal Name): Quarantine
   Password: Pa$$w0rd
9. Click Next.
10. Click Next again to accept the default mailbox settings.
11. Read the summary, and then click New to create the Active Directory user and mailbox.
12. Click Finish to continue.
13. Close the Exchange Management Console.
Step 3: Designating the Quarantine Mailbox
The third step in the process is to designate the quarantine mailbox that will store the messages
that exceed the SCL quarantine threshold value of the content filter. You must designate and
define the quarantine mailbox before you configure content filtering in your environment, so
that the messages marked for quarantine are sent to a quarantine mailbox where they can be
reviewed later. You can configure the quarantine mailbox only in the EMS on an Edge
Transport server using the Set-ContentFilterConfig command.
The following exercise outlines the steps to designate the quarantine mailbox.
EXERCISE 14.14
Designating the Quarantine Mailbox
Follow these steps to designate the quarantine mailbox:
1. Log on to the Edge Transport server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Shell.
3. Type Set-ContentFilterConfig -QuarantineMailbox , as
shown below.
4. Type Exit to exit the EMS.
Step 4: Configuring Allow and Block for Keywords and Phrases
Content filtering allows you to define keywords or phrases that must not be blocked on the
Exchange 2007 Edge Transport server. These are commonly used words specific to certain
professions and industries.
Exercise 14.15 outlines the steps to create and configure content filtering to allow keywords
and phrases.
EXERCISE 14.15
Configuring to Allow Keywords and Phrases
Follow these steps to allow keywords and phrases:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the content-filtering agent, and then click on
Properties.
5. The General tab of the Agent Properties window displays its current status (Enabled or
Disabled), the last time the agent’s settings were modified, and a brief description of the
agent. Click on the Custom Words tab to add, edit, or delete entries. On the Custom
Words tab, in the Message Containing These Words or Phrases Will Not Be Blocked box,
type Information Technology and then click Add, as shown below. Repeat the procedure
to add more words that are common to your business.
6. To remove an entry, highlight it and click Delete.
7. Click Apply to save your changes or OK to save changes and close the Content Filtering
dialog box.
8. Close the EMC.
Content filtering also allows you to define keywords or phrases to be blocked on the Exchange
2007 Edge Transport server. For example, you may want to include commonly used words that
are specific to “adult” industries or other forms of spam. Messages containing a blocked word or
phrase are given an SCL score of nine, and they will either be deleted or quarantined.
The following exercise outlines the instructions to create and configure content filtering to
block keywords and phrases.
EXERCISE 14.16
Configuring to Block Keywords and Phrases
Use the following steps to block keywords and phrases:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the content-filtering agent, and then click on
Properties.
5. The General tab of the Agent Properties window displays its current status (Enabled or
Disabled), the last time the agent’s settings were modified, and a brief description of the
agent. Click on the Custom Words tab to add, edit, or delete entries. On the Custom
Words tab, in the Message Containing These Words or Phrases Will be Blocked, Unless
the Message Contains a Word or Phrase from the List Above box, type Sex and then click
Add, as shown below. Repeat the procedure to add more words to the list.
6. To remove an entry, highlight it and click Delete.
7. Click Apply to save your changes, or OK to save changes and close the Content Filtering
dialog box.
8. Close the EMC.
Step 5: Configuring the Exceptional List
The next step is to configure the Exceptional list. In the Content Filtering Properties window,
the Exceptions tab defines exceptions so that messages to certain recipients are excluded from
content filtering. For example, a company might include the IT, Sales, Help Desk, and
Information mailboxes because employees in those departments might need to view these messages
to perform their duties. The only drawback to the Exceptional list is that it is restricted to a
maximum of 100 entries.
The following exercise outlines the steps to define the Exceptional list.
EXERCISE 14.17
Defining the Exceptional List
Follow these steps to define the Exceptional list:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the content-filtering agent, and then click on
Properties.
5. The General tab of the Agent Properties window displays its current status (Enabled or
Disabled), the last time the agent’s settings were modified, and a brief description of the agent.
On the Exceptions tab, in the Do Not Filter content in Messages Addressed to the Following
Recipients box, click Add to include the new entry. Type ,
as shown below, and then click Add.
To add more email addresses to the list, repeat the procedure. To remove an entry, highlight
it, and click Delete. To edit the email address of an entry, highlight it, and click Edit.
6. Click Apply to save your changes, or OK to save changes and close the Content Filtering
dialog box.
7. Close the Exchange Management Console.
Step 6: Configuring the SCL Threshold Values
The next step is to configure the SCL threshold values. The Edge Transport server assigns
an SCL rating to messages, based on the probability that the messages are spam. The SCL is
stored as an email message property.
When defining an action, it is important to remember that Delete takes precedence
over Reject, which takes precedence over Quarantine. For example, if
you set your threshold to Delete if the SCL is eight or higher, Reject if the SCL
is five or higher, and Quarantine if the SCL is three or higher, then a message
with an SCL of nine would be deleted, a message with an SCL of six would be
rejected, and a message with an SCL of four would be quarantined.
The following exercise outlines the steps to specify actions and configure SCL threshold
values.
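The precedence rule from the note above (Delete over Reject over Quarantine), as an added example that is not part of the book. The helper names Resolve-SclAction and Test-SclThresholds are hypothetical, the shadowed thresholds are constructed, and the final Set-ContentFilterConfig call is a -WhatIf dry run that only executes where the cmdlet is available.

```powershell
# Added example: models the Delete > Reject > Quarantine precedence from the note.
# Resolve-SclAction and Test-SclThresholds are hypothetical helper names.

function Resolve-SclAction {
    param(
        [int]$Scl,
        [hashtable]$Thresholds   # e.g. @{ Delete = 8; Reject = 5; Quarantine = 3 }; omit a key to disable it
    )
    # Check the actions in precedence order; the first threshold that is met wins.
    foreach ($action in 'Delete', 'Reject', 'Quarantine') {
        if ($Thresholds.ContainsKey($action) -and $Scl -ge $Thresholds[$action]) {
            return $action
        }
    }
    return 'Deliver'
}

function Test-SclThresholds {
    param([hashtable]$Thresholds)
    # An enabled action is unreachable when no SCL from 0 to 9 resolves to it, which
    # happens when a higher-precedence action has an equal or lower threshold.
    $reached = 0..9 |
        ForEach-Object { Resolve-SclAction -Scl $_ -Thresholds $Thresholds } |
        Select-Object -Unique
    $Thresholds.Keys | Where-Object { $reached -notcontains $_ } | Sort-Object
}

# The values used in the note: Delete at 8, Reject at 5, Quarantine at 3.
$book = @{ Delete = 8; Reject = 5; Quarantine = 3 }
foreach ($scl in 9, 6, 4, 2) {
    '{0} -> {1}' -f $scl, (Resolve-SclAction -Scl $scl -Thresholds $book)
}

# Constructed misconfiguration: Delete at 5 shadows Reject at 7.
$shadowed = @{ Delete = 5; Reject = 7; Quarantine = 3 }
"Unreachable actions: $(Test-SclThresholds -Thresholds $shadowed)"

# Dry run of the note's values on an Edge Transport server (skipped where the cmdlet is absent).
if (Get-Command Set-ContentFilterConfig -ErrorAction SilentlyContinue) {
    Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 8 `
        -SCLRejectEnabled $true -SCLRejectThreshold 5 `
        -SCLQuarantineEnabled $true -SCLQuarantineThreshold 3 -WhatIf
}
```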
EXERCISE 14.18
Configuring the SCL Threshold Values
Follow these steps to configure the SCL threshold values:
1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the content-filtering agent, and click on Properties.
5. On the Action tab, choose appropriate settings for your Exchange organization, as
shown below.
   - Choose the Delete Messages That Have a SCL Rating Greater Than or Equal To option,
     and set the threshold appropriately. All messages with the respective SCL or higher
     would be deleted.
   - Choose the Reject Messages That Have a SCL Rating Greater Than or Equal To option,
     and set the threshold appropriately. All messages with the respective SCL or higher
     would be rejected.
   - Choose the Quarantine Messages That Have a SCL Rating Greater Than or Equal To
     option, and set the threshold appropriately. All messages with the respective SCL or
     higher would be quarantined.
   - To disable any action, uncheck the box next to it.
   - To change the SCL threshold of an action, either type in a new number in the box or
     use the up and down arrow keys to change the value.
6. Click Apply to save your changes, or OK to save changes and close the Content Filtering
Properties dialog box.
7. Close the EMC.
Step 7: Specifying Recipient and Sender Actions
The final step is to exclude specific senders and sending domains from content filtering. You
must use the EMS to define an exclusion list to exclude specific senders and sending domains.
Exercise 14.19 outlines the steps to exclude specific senders and sending domains by using
the EMS.
EXERCISE 14.19
Excluding Specific Senders and Sending Domains
Follow these steps to exclude specific senders:
1. Log on to the Edge Transport server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Shell.
3. Type Set-ContentFilterConfig -BypassedSenders ilse.vancriekinge@mcitpdomain.com, , , andy
(Note: The BypassedSenders parameter allows you to
specify up to 100 external email addresses.)
4. Type Exit to exit the Exchange Management Shell.

To exclude specific domains, use the following steps:
5. Log on to the Edge Transport server on which you want to run this command.
6. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange
Management Shell.
7. Type Set-ContentFilterConfig -BypassedSenderDomains *.companyabc.com, companyxyz.com,
*.companyasd.com. (Note: The BypassedSenderDomains parameter works similarly
to the BypassedSenders parameter, but it is used to exclude the whole domain instead of
individual email addresses. This saves time and will consume fewer entries in your list.
The BypassedSenderDomains parameter allows you to specify up to 100 external domains.)
8. Type Exit to exit from the Exchange Management Shell.
Attachment Filtering
Attachment filtering allows you to filter content in messages to prevent malicious or offensive
content from being transmitted via attachments. It allows you to filter out both the message
and attachment or just the attachment. Moreover, it allows you to “silently” delete both the
message and the attachment, or just delete the attachment without notifying the sender.
Attachment filtering is a powerful tool that allows you to filter out specific attached files,
file names, extensions, or file MIME content types. It can be applied to incoming and outgoing
email, which gives flexibility to Exchange system administrators to prevent the distribution of
unacceptable content and files. You also can use this feature to define certain levels of security
to protect your organization’s proprietary data.
Before configuring attachment filtering, you must make a few decisions, including the
following:
- Determine what attachments and types of attachments you want to block.
- Determine attached files, file names, extensions, or file MIME content types to block.
- Determine whether you want to configure attachment filtering for inbound or outbound
  messages, or both.
- Determine what you want to do with messages containing the unwanted attachments.
  Based on your organizational requirements, you can choose one of the following
  default actions:
  Reject: Reject the message by stopping delivery of the message and attachments to the
  recipient and send an “undeliverable” response to the sender. Neither the message nor
  the attachment will be delivered to the recipient.
  Strip: Strip the attachment in the message, and then deliver the email to the recipient with
  a notification that the attachment has been removed.
  SilentDelete: Reject the message by stopping delivery of the message and attachment
  to the recipient without sending an “undeliverable” response to the sender. Neither the
  message nor the attachment will be delivered to the recipient.
Table 14.2 lists all file name extensions and content types on which attachment filtering can
be used.
TABLE 14.2 File Name and Content Types to Use with Attachment Filtering
Type         Name                       Identity
ContentType  Application/x-msdownload   ContentType:application/x-msdownload
ContentType  Message/partial            ContentType:message/partial
ContentType  Text/scriptlet             ContentType:text/scriptlet
ContentType  Application/prg            ContentType:application/prg
ContentType  Application/msaccess       ContentType:application/msaccess
ContentType  Text/javascript            ContentType:text/javascript
ContentType  Application/x-javascript   ContentType:application/x-javascript
ContentType  Application/javascript     ContentType:application/javascript
ContentType  x-internet-signup          ContentType:x-internet-signup
ContentType  Application/hta            ContentType:application/hta
FileName     *.ade                      FileName:*.ade
FileName     *.adp                      FileName:*.adp
FileName     *.app                      FileName:*.app
FileName     *.asx                      FileName:*.asx
FileName     *.bas                      FileName:*.bas
FileName     *.bat                      FileName:*.bat
FileName     *.chm                      FileName:*.chm
FileName     *.cmd                      FileName:*.cmd
FileName     *.com                      FileName:*.com
FileName     *.cpl                      FileName:*.cpl
FileName     *.crt                      FileName:*.crt
FileName     *.csh                      FileName:*.csh
FileName     *.exe                      FileName:*.exe
FileName     *.fxp                      FileName:*.fxp
FileName     *.hlp                      FileName:*.hlp
FileName     *.hta                      FileName:*.hta
FileName     *.inf                      FileName:*.inf
FileName     *.ins                      FileName:*.ins
FileName     *.isp                      FileName:*.isp
FileName     *.js                       FileName:*.js
FileName     *.jse                      FileName:*.jse
FileName     *.ksh                      FileName:*.ksh
FileName     *.lnk                      FileName:*.lnk
FileName     *.mda                      FileName:*.mda
FileName     *.mdb                      FileName:*.mdb
FileName     *.mde                      FileName:*.mde
FileName     *.mdt                      FileName:*.mdt
FileName     *.mdw                      FileName:*.mdw
FileName     *.mdz                      FileName:*.mdz
FileName     *.msc                      FileName:*.msc
FileName     *.msi                      FileName:*.msi
FileName     *.msp                      FileName:*.msp
FileName     *.mst                      FileName:*.mst
FileName     *.ops                      FileName:*.ops
FileName     *.pcd                      FileName:*.pcd
FileName     *.prf                      FileName:*.prf
FileName     *.prg                      FileName:*.prg
FileName     *.ps1                      FileName:*.ps1
FileName     *.ps11                     FileName:*.ps11
FileName     *.ps11xml                  FileName:*.ps11xml
FileName     *.ps1xml                   FileName:*.ps1xml
FileName     *.reg                      FileName:*.reg
FileName     *.scf                      FileName:*.scf
FileName     *.scr                      FileName:*.scr
FileName     *.sct                      FileName:*.sct
FileName     *.shs                      FileName:*.shs
FileName     *.shb                      FileName:*.shb
FileName     *.url                      FileName:*.url
FileName     *.vb                       FileName:*.vb
FileName     *.vbe                      FileName:*.vbe
FileName     *.vbs                      FileName:*.vbs
FileName     *.wsc                      FileName:*.wsc
FileName     *.wsf                      FileName:*.wsf
FileName     *.wsh                      FileName:*.wsh
To add file extensions or file names to the list, you can use the Add-AttachmentFilterEntry
cmdlet. For example, if you want to filter out .rar files, you need to run the
Add-AttachmentFilterEntry -Name *.rar -Type FileName cmdlet. If you later decide to
remove the file from the list, use the Remove-AttachmentFilterEntry -Identity filename:*.rar
cmdlet.
The attachment-filtering agent is enabled by default and can be configured using only the
EMS. If attachment filtering is disabled, you can enable it using the Enable-TransportAgent
-Identity "Attachment Filtering Agent" cmdlet and pressing Enter.
Attachment filtering can be configured only through the Get, Add, Remove, and Set
commands in the EMS. Each shell command has its own parameters to perform certain actions.
For example, you can use the following commands:
- To display a list of the current settings for AttachmentFilterListConfig, use the
  Get-AttachmentFilterListConfig cmdlet.
- To add a file name to the attachment-filtering agent, use the
  Add-AttachmentFilterEntry -name filename.exe -type FileName cmdlet.

- To remove an attachment filter entry, use the
  Remove-AttachmentFilterEntry -Identity filename:filename.exe cmdlet.
- To change the values and modify the configuration of the attachment filter, use
  the Set- command. For example, to configure a custom response message that is
  returned to the sender when a message and an attached file are blocked, use the
  Set-AttachmentFilterListConfig -Action Reject -RejectResponse "The
  Attachment type is not allowed in this organization." cmdlet.
- To filter out messages that contain a specific attachment, use the
  Add-AttachmentFilterEntry -Name specificfilename -Type FileName cmdlet.
All attachment filter entries on the Edge Transport server use the same
filtering behavior. For example, when you use the command
Set-AttachmentFilterListConfig -Action SilentDelete to silently delete
both a message and an attachment, the command applies to all attachments
rather than to one particular attachment.
For additional help and information on configuring attachment filtering, use Get-Help
Set-AttachmentFilterListConfig in the EMS or see the Exchange Server 2007 Help file.
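How entries in the Identity form of Table 14.2 select attachments, and how the single configured action then applies to every match, modeled offline as an added example (not Exchange's matching code and not from the book). Test-AttachmentFilter is a hypothetical helper, the sample attachments are constructed, and wildcard file name matching with exact content-type matching is an assumption of the model.

```powershell
# Added example: an offline model of attachment filter entries, not Exchange's own matching code.
# Test-AttachmentFilter is a hypothetical helper; the sample attachments are constructed.

# Entries in the Identity form used in Table 14.2 ("Type:Value"), plus the *.rar entry from the text.
$entries = 'FileName:*.exe', 'FileName:*.js', 'FileName:*.rar',
           'ContentType:application/x-msdownload', 'ContentType:application/hta'

function Test-AttachmentFilter {
    param([string]$FileName, [string]$ContentType, [string[]]$Entries)
    foreach ($entry in $Entries) {
        # Split on the first colon only: "FileName:*.exe" -> type "FileName", value "*.exe".
        $type, $value = $entry -split ':', 2
        $hit = switch ($type) {
            'FileName'    { $FileName -like $value }      # wildcard match (model assumption)
            'ContentType' { $ContentType -eq $value }     # exact MIME type (model assumption)
            default       { throw "Unknown entry type in '$entry'" }
        }
        if ($hit) { return $entry }   # report the first entry that matched
    }
    return $null
}

# One action covers every entry, as set with Set-AttachmentFilterListConfig -Action.
$action = 'Strip'

$samples = @(
    @{ FileName = 'invoice.pdf.exe'; ContentType = 'application/octet-stream' },
    @{ FileName = 'SETUP.EXE';       ContentType = 'application/octet-stream' },
    @{ FileName = 'notes.txt';       ContentType = 'application/x-msdownload' },
    @{ FileName = 'report.pdf';      ContentType = 'application/pdf' }
)
foreach ($s in $samples) {
    $hitEntry = Test-AttachmentFilter -FileName $s.FileName -ContentType $s.ContentType -Entries $entries
    if ($hitEntry) {
        '{0}: {1} (matched {2})' -f $s.FileName, $action, $hitEntry
    } else {
        '{0}: delivered' -f $s.FileName
    }
}
```

Changing $action to Reject or SilentDelete changes the outcome for all three matching attachments at once, which is the behavior the note on shared filtering behavior describes.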
Sender Reputation Filtering
Sender reputation filtering is another antispam feature in Exchange 2007 that helps reduce
unwanted email. This filtering agent uses dynamic data to block inbound messages according
to the sender’s reputation, which is a collection of dynamic values collected by Exchange
server based on real-time data about messages sent from a specific sender. These dynamic
values determine if the source of the messages is legitimate or if it is sending spam. By default,
sender reputation filtering is enabled only for incoming messages from the Internet.
How Sender Reputation Filtering Works
Based on the email messages received from senders, the Sender Reputation agent analyzes various
information and statistics about the sender and then assigns an overall rating based on the
probability that the message is spam. This rating is generally known as Sender Reputation Level
(SRL), which is very similar to the SCL. The SRL rating is a numerical value between zero and
nine. A zero rating indicates that there is less than a one percent chance that the sender is a
spammer, whereas a rating of nine indicates a higher than 99 percent chance that the email message
is coming from a spammer. Depending on your organizational requirements, you can configure
an SRL threshold. When the threshold is exceeded because the sender appears to be a source of
spam, the sender is automatically added to the IP Block list for a specified number of hours. The
default is 24 hours, but you can configure the duration from 0 to 48 hours.
