Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-02-08
In Microsoft Exchange Server 2007, the Content Filter agent is the next generation of Exchange Intelligent Message Filter, which is included with Exchange Server 2003.
Intelligent Message Filter is based on patented machine-learning technology from Microsoft Research. During its development, Intelligent Message Filter learned the distinguishing characteristics of legitimate messages and unsolicited commercial e-mail messages (spam), which were submitted by Microsoft partners and classified as either legitimate messages or spam.
Intelligent Message Filter evaluates inbound e-mail messages and assesses the probability that an inbound message is legitimate or spam. Unlike many other filtering technologies, Intelligent Message Filter uses characteristics from a statistically significant sample of e-mail messages. The inclusion of legitimate messages in this sample reduces the chance of mistakes. Because Intelligent Message Filter recognizes characteristics of legitimate messages and spam, the accuracy of Intelligent Message Filter is increased.
Intelligent Message Filter machine-learning is an ongoing, cumulative process. Updates to Intelligent Message Filter are available periodically through Microsoft Update.
Using the Content Filter Agent
The Content Filter agent is one of several anti-spam agents. When you configure anti-spam agents on a computer that has the Edge Transport server role installed, the agents act on messages cumulatively to reduce the amount of spam that enters the organization. For more information about how to plan and deploy anti-spam agents, see Anti-Spam and Antivirus Functionality.
The Content Filter agent assigns a spam confidence level (SCL) rating to each message. The SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more likely to be spam.
You can configure the Content Filter agent to take the following actions on messages according to their SCL rating:
- Delete message
- Reject message
- Quarantine message
For example, you may determine that messages that have an SCL rating of 7 or higher must be deleted, messages that have an SCL rating of 6 must be rejected, and messages that have an SCL rating of 5 must be quarantined.
You can adjust the SCL threshold behavior by assigning different SCL ratings to each of these actions. For more information about how to adjust the SCL threshold to suit your organization's requirements and about per-recipient SCL thresholds, see Adjusting the Spam Confidence Level Threshold.
|Messages that are over 11 MB are not scanned by the Intelligent Message Filter. Instead, they pass through the Content Filter without being scanned. However, the default maximum message size limit configured on Exchange 2007 Receive connectors is 10 MB. Therefore, the 11 MB threshold for the Intelligent Message Filter is not a practical concern in the default Exchange configuration.|
Allow Phrases and Block Phrases
You can customize how the Content Filter agent assigns SCL values by configuring custom words. Custom words are individual words or phrases that the Content Filter agent uses to apply appropriate filter processing. You configure approved words or phrases with Allow phrases and unapproved words or phrases with Block phrases. When the Content Filter agent detects a preconfigured Allow phrase in an inbound message, the Content Filter agent automatically assigns an SCL value of 0 to the message. Alternatively, when the Content Filter agent detects a configured Block phrase in an inbound message, the Content Filter agent assigns an SCL rating of 9.
Outlook E-mail Postmark Validation
The Content Filter agent also includes Microsoft Office Outlook E-mail Postmark validation, a computational proof that Outlook applies to outgoing messages to help recipient messaging systems distinguish legitimate e-mail from junk e-mail. This feature helps reduce the chance of false positives. In the context of spam filtering, a false positive exists when a spam filter incorrectly identifies a message from a legitimate sender as spam. When Outlook E-mail Postmark validation is enabled, the Content Filter agent parses the inbound message for a computational postmark header. The presence of a valid, solved computational postmark header in the message indicates that the client computer that generated the message solved the computational postmark.
Computers do not require significant processing time to solve individual computational postmarks. However, processing postmarks for many messages may be prohibitive to a malicious sender. Anyone who sends millions of spam messages is unlikely to invest the processing power that is required to solve computational postmarks for all outbound spam. If a sender's e-mail contains a valid, solved computational postmark, it is unlikely that the sender is a malicious sender. In this case, the Content Filter agent would lower the SCL rating. If the postmark validation feature is enabled and an inbound message either does not contain a computational postmark header or the computational postmark header is not valid, the Content Filter agent would not change the SCL rating.
Bypassing the Recipient, Sender, and Sender Domain
In some organizations, all e-mail to certain aliases must be accepted. This scenario can introduce problems if your organization is in an industry that manages significant volumes of spam.
For example, a company named Woodgrove Bank has an alias named firstname.lastname@example.org that provides e-mail-based support to external loan customers. The Exchange administrators configure the Content Filter agent to set Block phrases that filter out words or phrases that are typically used in spam that is sent by unscrupulous loan agencies. To prevent potentially legitimate messages from being rejected, the administrators set exceptions to content filtering by entering a list of SMTP e-mail recipient addresses in the Content Filter agent configuration.
You can also specify senders and sender domains that you do not want the Content Filter agent to block.
In Exchange Server 2007, the Content Filter agent on the Edge Transport server uses the Microsoft Office Outlook 2003 Safe Senders Lists, Safe Recipients Lists, and trusted contacts from Outlook to optimize spam filtering. Safelist aggregation is a set of anti-spam functionality that is shared across Outlook and Exchange Server 2007. As its name suggests, this functionality collects data from the anti-spam safe lists that Outlook users configure and makes this data available to the anti-spam agents on the Edge Transport server. When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail messages that Outlook users receive from contacts that those users have added to their Outlook Safe Recipients List, Safe Senders List, or trusted contacts list are identified by the Content Filter agent as safe. For more information, see Safelist Aggregation.
Configuring the Content Filter Agent
You configure the Content Filter agent by using the Exchange Management Console or the Exchange Management Shell.
|Configuration changes that you make to the Content Filter agent by using the Exchange Management Console or the Exchange Management Shell are only made to the local computer that has the Edge Transport server role installed. If you have multiple instances of the Edge Transport server role running in your organization, you must make Content Filter configuration changes to each computer.|
For more information about how to configure content filtering, see Configuring Content Filtering.