Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-11-28
In Microsoft Exchange Server 2010, safelist aggregation refers to anti-spam functionality shared across Microsoft Outlook and Exchange. This functionality collects data from the anti-spam Safe Recipients Lists, Safe Senders Lists, Blocked Senders Lists, and contact data that Outlook users configure, and makes this data available to the anti-spam agents on the computer that has the Edge Transport server role installed. Safelist aggregation can help reduce the number of false positives in anti-spam filtering performed by the Edge Transport server.
This topic provides an overview of how to configure safelist aggregation. To learn more about safelist aggregation, see Understanding Safelist Aggregation.
Looking for other management tasks related to anti-spam and antivirus features? Check out Managing Anti-Spam and Antivirus Features.
Use the Shell to configure mailbox safelist collection limits
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions topic.
You can't use the EMC to configure mailbox safelist collection limits.
You can configure the maximum number of safe senders and blocked senders that each user can define. Use the Set-Mailbox cmdlet to configure these limits. By default, users can configure up to 5,000 safe senders and 500 blocked senders. Typically, it isn't necessary to modify these limits.
This example configures the mailbox firstname.lastname@example.org to have a maximum of 2,000 safe senders and 200 blocked senders.
Set-Mailbox firstname.lastname@example.org -MaxSafeSenders 2000 -MaxBlockedSenders 200
For detailed syntax and parameter information, see Set-Mailbox.
Use the Shell to run the Update-Safelist command
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam" entry in the "Recipient Provisioning Permissions" section in the Mailbox Permissions topic.
You can't use the EMC to run the Update-Safelist command.
In Exchange 2010, safelist aggregation is done automatically; therefore, you no longer need to schedule or manually run the Update-Safelist cmdlet. However, you may still want to run this cmdlet when you're testing safelist aggregation.
The Update-SafeList cmdlet reads the safelist collection from the Microsoft Outlook user mailbox, hashes each entry, sorts the entries for easy search, and then converts the hash to a binary attribute. Finally, the command compares the binary attribute created to any value stored on the attribute. If the two values are identical, the command doesn't update the user attribute value with the safelist aggregation data.
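A simplified model of the hash, sort, pack and compare steps described above, as an added example; it is not Exchange's implementation. The page doesn't state the hash function or the per-entry width, so SHA-256 truncated to 4 bytes and lowercase normalization are assumptions, as are the function names and the constructed sample addresses.

```powershell
# Added illustration, not Exchange's code. Assumed for the model: SHA-256,
# 4 bytes kept per entry, lowercase normalization. Addresses are constructed.
function ConvertTo-SafelistBlob {
    param([string[]]$Entries)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hashes = @(foreach ($e in $Entries) {
        $text = [System.Text.Encoding]::UTF8.GetBytes($e.Trim().ToLowerInvariant())
        # Hash the entry and keep the first 4 bytes as one unsigned integer.
        [System.BitConverter]::ToUInt32($sha.ComputeHash($text), 0)
    })
    # Sort so a lookup can use binary search, then pack into one byte array.
    $blob = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($h in ($hashes | Sort-Object -Unique)) {
        $blob.AddRange([System.BitConverter]::GetBytes([uint32]$h))
    }
    ,$blob.ToArray()
}

function Test-SafelistBlobChanged {
    param([byte[]]$Stored, [byte[]]$Computed)
    # A directory write (and the replication it triggers) is needed only
    # when the packed value differs from what is already stored.
    if ($null -eq $Stored) { return $true }
    [System.Convert]::ToBase64String($Stored) -ne [System.Convert]::ToBase64String($Computed)
}

function Test-SenderInBlob {
    param([byte[]]$Blob, [string]$Sender)
    # Unpack the blob into its sorted 4-byte values and binary-search them.
    $table = New-Object 'uint32[]' ($Blob.Length / 4)
    [System.Buffer]::BlockCopy($Blob, 0, $table, 0, $Blob.Length)
    $probe = [System.BitConverter]::ToUInt32((ConvertTo-SafelistBlob @($Sender)), 0)
    [System.Array]::BinarySearch($table, $probe) -ge 0
}

$stored  = ConvertTo-SafelistBlob @('alice@contoso.example', 'bob@fabrikam.example')
# Same list in a different order and letter case.
$reorder = ConvertTo-SafelistBlob @('Bob@Fabrikam.example', 'alice@contoso.example')
# One sender added.
$added   = ConvertTo-SafelistBlob @('alice@contoso.example', 'bob@fabrikam.example', 'carol@contoso.example')
Test-SafelistBlobChanged $stored $reorder
Test-SafelistBlobChanged $stored $added
Test-SenderInBlob $added 'carol@contoso.example'
```

Because only truncated hashes are stored, the packed value doesn't reveal the addresses themselves, and two different addresses can in principle map to the same stored value.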
Be mindful of the network and replication traffic that may be generated when you run this command. If you run the command on multiple mailboxes where safelists are heavily used, this may generate a significant amount of traffic. We recommend that if you run the command on multiple mailboxes, you should run the command during off-peak, non-business hours.
Safelist aggregation data contains both the user's Safe Senders List and the user's Safe Recipients List. When you use the Update-Safelist cmdlet, you can specify whether you update the Safe Senders List or the Safe Recipients List, or both. However, only Safe Senders List data is used by the safelist aggregation feature; the safelist aggregation feature doesn't act on Safe Recipients List data. Therefore, to reduce storage and replication in Active Directory, we don't recommend running the Update-Safelist cmdlet with the Type parameter set to
Microsoft Exchange Server 2010 provides functionality that allows you to specify whether to include the safe domain data for the anti-spam agents on the Edge Transport server by using the Update-Safelist cmdlet. In most cases, we don't recommend that you include domains because users may include the domains of large Internet service providers (ISP), which could unintentionally provide addresses that may be used or spoofed by spammers.
This example writes the safe senders list for the mailbox firstname.lastname@example.org to Active Directory.
Update-Safelist -Identity firstname.lastname@example.org -Type SafeSenders
For detailed syntax and parameter information, see Update-SafeList.
Options available in the msexchangemailboxassistants.exe.config file
To activate the options to include safe domains, or to change the maximum values for the default settings, you must change the msexchangemailboxassistants.exe.config file. Specifically, the following settings and values can be changed in the appsettings section of the msexchangemailboxassistants.exe.config file:
The value for this setting can be True or False.
By default, the value for this setting is 15 minutes. This setting can have a value from 15 minutes through 1 day.
TestUpdateInterval is used in test environments. This setting can have a value from 10 seconds through 1 hour.
By default, the value for this setting is 500. The maximum value is 1000.
For example, the settings in the appsettings section of the msexchangemailboxassistants.exe.config file may be as follows:
<configuration>
  <runtime>
    <gcConcurrent enabled="false" />
    <generatePublisherEvidence enabled="false" />
  </runtime>
  <appSettings>
    <add key="IncludeSafeDomains" value="true" />
  </appSettings>
</configuration>
Verify safelist aggregation
You may need to verify safelist aggregation when you first deploy your Edge Transport servers and configure EdgeSync replication, or when you're troubleshooting. Typically, you need to verify the following:
- Make sure that the safelist aggregation data is being replicated by the EdgeSync service.
- Make sure that content filtering is enabled.
- Verify the safelist aggregation functionality using a test
The following sections provide step-by-step instructions for each scenario:
Use AD LDS to verify EdgeSync replication of safelist aggregation data
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Edge Transport server" entry in the Transport Permissions topic.
You can view the user objects in the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server to verify that the safelist collection data is updated for the user objects and that the Microsoft Exchange EdgeSync service has replicated the data to the AD LDS instance.
There are three safelist collection attributes for each user object:
- msExchSafeRecipientsHash: This attribute stores the hash of the Safe Recipients List collection for the
- msExchSafeSendersHash: This attribute stores the hash of the Safe Senders List collection for the
- msExchBlockedSendersHash: This attribute stores the hash of the Blocked Senders List collection for the
If a hexadecimal string, such as 0xac 0xbd 0x03 0xca, is present on the attribute, the user object was updated. If the attribute has a value of <Not Set>, the attribute wasn't updated.
You can search for and view the attributes by using the AD LDS Active Directory Service Interfaces (ADSI) Edit snap-in.
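The same check can be scripted instead of browsing in ADSI Edit. This is an added example, not part of the original topic; it assumes the Edge Transport server's AD LDS instance answers LDAP on localhost:50389 with recipients under OU=MSExchangeGateway, and the function names are hypothetical.

```powershell
# Added example. Assumptions: AD LDS on the Edge Transport server listens on
# localhost:50389 and holds recipients under OU=MSExchangeGateway.
function Format-SafelistHash {
    param($Values)   # value collection from a search result, or $null
    if ($null -eq $Values -or $Values.Count -eq 0) { return '<Not Set>' }
    $bytes = [byte[]]$Values[0]
    # Show the length and only the first few bytes, in ADSI Edit's notation.
    $shown = $bytes | Select-Object -First 8 | ForEach-Object { '0x{0:x2}' -f $_ }
    '{0} bytes: {1}' -f $bytes.Length, ($shown -join ' ')
}

function Get-SafelistHashStatus {
    param(
        [string]$LdapPath = 'LDAP://localhost:50389/OU=MSExchangeGateway',
        # Default: objects where at least one safelist attribute holds data.
        [string]$Filter = '(|(msExchSafeSendersHash=*)(msExchSafeRecipientsHash=*)(msExchBlockedSendersHash=*))',
        [int]$MaxResults = 25
    )
    $names = 'msExchSafeSendersHash', 'msExchSafeRecipientsHash', 'msExchBlockedSendersHash'
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SizeLimit = $MaxResults
    $searcher.PropertiesToLoad.AddRange([string[]]$names)
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Path $r.Path
            foreach ($n in $names) {
                # Result property names are stored in lowercase.
                $v = $r.Properties[$n.ToLower()]
                $row | Add-Member NoteProperty $n (Format-SafelistHash $v)
            }
            $row
        }
    } finally {
        $results.Dispose()   # the result collection holds unmanaged resources
    }
}

Get-SafelistHashStatus | Format-List
```

An empty result with the default filter means no replicated object currently carries safelist data; pass a different `-Filter` to inspect a specific object.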
Verify that content filtering is enabled
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.
The safelist aggregation feature relies on content filtering to recognize the senders on an Outlook user's Safe Senders List or Blocked Senders List. Verify that content filtering is enabled on each Edge Transport server on which the anti-spam and antivirus features are running. By default, content filtering is enabled.
Use the EMC to verify that content filtering is enabled
- In the console tree, click Edge Transport.
- In the result pane, click the Anti-spam tab, click Content Filtering, and then in the action pane, click
Use the Shell to verify that content filtering is enabled
This example verifies whether content filtering is enabled.
Get-ContentFilterConfig | Format-List Enabled
If the output shows the Enabled parameter to be True, content filtering is enabled. If it isn't, use the following command to enable content filtering.
Use a message to verify that safelist aggregation is functioning
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" and "EdgeSync" entries in the Transport Permissions topic.
To test whether safelist aggregation is functioning, send a message that content filtering would otherwise block from a sender marked as a safe sender. If safelist aggregation is functioning, the message should arrive in your Outlook Inbox.
1. Create an e-mail account by using a free Web-based e-mail provider like Hotmail.
2. Add that account to your Safe Senders List in Outlook.
3. Use the Update-SafeList cmdlet to have the safelist collection from that mailbox copied to Active Directory.
4. Run the Start-EdgeSynchronization cmdlet to force EdgeSync replication. This will replicate the updated data to the Edge Transport servers. For detailed steps, see Force EdgeSync
5. Add a specific word as a blocked phrase to your content filtering configuration. For detailed steps, see Configure Content
6. From the Hotmail account you created in step 1, send a message to your Exchange mailbox that includes the blocked phrase you configured in step 5.
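The Shell side of this test (steps 3 to 5, plus cleanup afterward), as an added example that is not part of the original topic. The function names are hypothetical; the first function runs in the Exchange Management Shell on a Hub Transport server and the other two on the Edge Transport server.

```powershell
# Added example. Function names are hypothetical; the cmdlets are Exchange 2010
# cmdlets. Pass your own mailbox address and test phrase.

# Steps 3-4: run on a Hub Transport server in the subscribed site.
function Publish-SafelistForTest {
    param([Parameter(Mandatory = $true)][string]$Mailbox)
    # Copy the mailbox's Safe Senders List hash to Active Directory.
    Update-SafeList -Identity $Mailbox -Type SafeSenders -ErrorAction Stop
    # Replicate the change to the Edge Transport servers now rather than
    # waiting for the next scheduled synchronization.
    Start-EdgeSynchronization -ErrorAction Stop
}

# Step 5: run on the Edge Transport server.
function Enable-SafelistTestPhrase {
    param([Parameter(Mandatory = $true)][string]$Phrase)
    # The test is meaningless unless content filtering is active.
    if (-not (Get-ContentFilterConfig).Enabled) {
        Write-Warning 'Content filtering was disabled; enabling it.'
        Set-ContentFilterConfig -Enabled $true
    }
    # Add the blocked phrase only if it isn't configured already.
    $existing = Get-ContentFilterPhrase | Where-Object { $_.Phrase -eq $Phrase }
    if (-not $existing) {
        Add-ContentFilterPhrase -Phrase $Phrase -Influence BadWord
    }
    Get-ContentFilterPhrase | Where-Object { $_.Phrase -eq $Phrase }
}

# After the test: run on the Edge Transport server so that legitimate mail
# containing the phrase isn't rejected later.
function Remove-SafelistTestPhrase {
    param([Parameter(Mandatory = $true)][string]$Phrase)
    Remove-ContentFilterPhrase -Identity $Phrase -Confirm:$false
}
```

Choose a phrase that won't occur in real mail, and send a control message containing it from an address that isn't on the Safe Senders List to confirm that the phrase is blocked without the safelist entry.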