Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-28

In Microsoft Exchange Server 2010, safelist aggregation refers to anti-spam functionality shared across Microsoft Outlook and Exchange. This functionality collects data from the anti-spam Safe Recipients Lists, Safe Senders Lists, Blocked Senders Lists, and contact data that Outlook users configure, and makes this data available to the anti-spam agents on the computer that has the Edge Transport server role installed. Safelist aggregation can help reduce the instances of false-positives in anti-spam filtering performed by the Edge Transport server.

This topic provides an overview about how to configure safelist aggregation. To learn more about safelist aggregation, see Understanding Safelist Aggregation.

Looking for other management tasks related to anti-spam and antivirus features? Check out Managing Anti-Spam and Antivirus Features.

Use the Shell to configure mailbox safelist collection limits

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Recipient Provisioning Permissions" section in the Mailbox Permissions topic.

Note:
You can't use the EMC to configure mailbox safelist collection limits.

You can configure, for each user, the maximum number of safe senders and blocked senders that the user can add to their lists. You use the Set-Mailbox cmdlet to configure these limits. By default, users can configure up to 5,000 safe senders and 500 blocked senders. Typically, it isn't necessary to modify these limits.

This example configures the mailbox john@contoso.com to have a maximum of 2,000 safe senders and 200 blocked senders.

Set-Mailbox john@contoso.com -MaxSafeSenders 2000 -MaxBlockedSenders 200

For detailed syntax and parameter information, see Set-Mailbox.

Use the Shell to run the Update-Safelist command

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam" entry in the "Recipient Provisioning Permissions" section in the Mailbox Permissions topic.

Note:
You can't use the EMC to run the Update-Safelist command.

In Exchange 2010, safelist aggregation is done automatically; therefore, you no longer need to schedule or manually run the Update-SafeList cmdlet. However, you may still want to run this cmdlet when you're testing safelist aggregation.

The Update-SafeList cmdlet reads the safelist collection from the Microsoft Outlook user mailbox, hashes each entry, sorts the entries for easy search, and then converts the hash to a binary attribute. Finally, the command compares the binary attribute created to any value stored on the attribute. If the two values are identical, the command doesn't update the user attribute value with the safelist aggregation data.

Be mindful of the network and replication traffic that may be generated when you run this command. If you run the command on multiple mailboxes where safelists are heavily used, this may generate a significant amount of traffic. We recommend that if you run the command on multiple mailboxes, you should run the command during off-peak, non-business hours.

Important:
Safelist aggregation data contains both the user's Safe Senders List and the user's Safe Recipients List. When you use the Update-SafeList cmdlet, you can specify whether you update the Safe Senders List, the Safe Recipients List, or both. However, only Safe Senders List data is used by the safelist aggregation feature; the feature doesn't act on Safe Recipients List data. Therefore, to reduce storage and replication in Active Directory, we don't recommend running the Update-SafeList cmdlet with the Type parameter set to the SafeRecipients or Both values. The default value for the Type parameter is SafeSenders.

Important:
Microsoft Exchange Server 2010 provides functionality that allows you to specify, by using the Update-SafeList cmdlet, whether to include safe domain data for the anti-spam agents on the Edge Transport server. In most cases, we don't recommend that you include domains, because users may add the domains of large Internet service providers (ISPs), which could unintentionally allow addresses that may be used or spoofed by spammers.

This example writes the safe senders list for the mailbox john@contoso.com to Active Directory.

Update-Safelist -Identity john@contoso.com -Type SafeSenders

For detailed syntax and parameter information, see Update-SafeList.
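The following script is an added example, not code from the original topic: it runs Update-SafeList for every mailbox in one database, Safe Senders only, and pauses between batches so that the Active Directory replication traffic described above is spread out over an off-peak window. It assumes the Exchange Management Shell on an internal Exchange server, and "MBX-DB01" is a placeholder database name.

```powershell
# Added example (not from the original topic): batch Update-SafeList with pauses
# to limit the replication burst. Assumptions: run from the Exchange Management
# Shell on an internal Exchange server; "MBX-DB01" is a placeholder database name.
param(
    [string]$Database  = "MBX-DB01",
    [int]$BatchSize    = 50,
    [int]$PauseSeconds = 30
)

# @() keeps .Count valid even when the database holds a single mailbox.
$mailboxes = @(Get-Mailbox -Database $Database -ResultSize Unlimited)
$results   = @()
$count     = 0

foreach ($mbx in $mailboxes) {
    try {
        # SafeSenders is already the default Type; it is stated explicitly
        # because only Safe Senders data is used by safelist aggregation.
        # The switch that includes safe domains is deliberately left out.
        Update-SafeList -Identity $mbx.Identity -Type SafeSenders -ErrorAction Stop
        $status = "Updated"
    } catch {
        $status = "Failed: " + $_.Exception.Message
    }
    $results += New-Object PSObject -Property @{
        Mailbox = $mbx.PrimarySmtpAddress.ToString()
        Status  = $status
        Time    = Get-Date
    }
    $count++
    if (($count % $BatchSize) -eq 0) {
        Write-Host "Processed $count of $($mailboxes.Count) mailboxes; pausing $PauseSeconds seconds"
        Start-Sleep -Seconds $PauseSeconds
    }
}

# Failures first, then the full record for the change log.
$results | Where-Object { $_.Status -ne "Updated" } | Format-Table Mailbox, Status -AutoSize
$results | Export-Csv -Path ".\UpdateSafeList-$Database.csv" -NoTypeInformation
```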

Options available in the msexchangemailboxassistants.exe.config file

To activate the option to include safe domains, or to change the maximum values for the default settings, you must change the msexchangemailboxassistants.exe.config file. Specifically, the following settings and values can be changed in the appSettings section of the msexchangemailboxassistants.exe.config file:

Setting              Value
IncludeSafeDomains   The value for this setting can be True or False.
UpdateInterval       By default, the value for this setting is 15 minutes. This setting can have a value from 15 minutes through 1 day.
TestUpdateInterval   TestUpdateInterval is used in test environments. This setting can have a value from 10 seconds through 1 hour.
MaxSafeSenders       3*1024
MaxSafeRecipients    2*1024
MaxBlockedSenders    By default, the value for this setting is 500. The maximum value is 1000.

For example, the settings in the appSettings section of the msexchangemailboxassistants.exe.config file may be as follows:

<configuration>
  <runtime>
    <gcConcurrent enabled="false" />
    <generatePublisherEvidence enabled="false" />
  </runtime>
  <appSettings>
    <add key="IncludeSafeDomains" value="true" />
  </appSettings>
</configuration>

Verify safelist aggregation

You may need to verify that safelist aggregation is functioning when you first deploy your Edge Transport servers and configure EdgeSync replication, or when you're troubleshooting. Typically, you need to verify the following:

  • Make sure that the safelist aggregation data is being replicated by the EdgeSync service.

  • Make sure that content filtering is enabled.

  • Verify the safelist aggregation functionality by using a test message.

The following sections provide step-by-step instructions for each scenario:

Use AD LDS to verify EdgeSync replication of safelist aggregation data

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Edge Transport server" entry in the Transport Permissions topic.

You can view the user objects in the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server to verify that the safelist collection data is updated for the user objects and that the Microsoft Exchange EdgeSync service has replicated the data to the AD LDS instance.

There are three safelist collection attributes for each user object:

  • msExchSafeRecipientsHash   This attribute stores the hash of the Safe Recipients List collection for the user.

  • msExchSafeSendersHash   This attribute stores the hash of the Safe Senders List collection for the user.

  • msExchBlockedSendersHash   This attribute stores the hash of the Blocked Senders List collection for the user.

If a hexadecimal string, such as 0xac 0xbd 0x03 0xca, is present on the attribute, the user object was updated. If the attribute has a value of <Not Set>, the attribute wasn't updated.

You can search for and view the attributes by using the AD LDS Active Directory Service Interfaces (ADSI) Edit snap-in.
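As an added example that is not part of the original topic, the following function automates the same check from the Shell: it searches each naming context of the AD LDS instance for objects that carry safelist data and reports, for each of the three attributes, whether it is set, printing the first bytes in the same 0xac 0xbd style as above. It assumes the AD LDS instance on the Edge Transport server listens on the default LDAP port 50389 and that the account running it can read the instance; the same function pointed at an internal domain controller (for example "dc01.contoso.com") shows the source object before EdgeSync has replicated it.

```powershell
# Added example (not from the original topic). Assumptions: AD LDS on the Edge
# server on port 50389; the running account has read access to the instance.
function Get-SafelistHashStatus {
    param(
        [string]$Server       = "localhost:50389",           # AD LDS on the Edge server
        [string]$Filter       = "(msExchSafeSendersHash=*)", # objects with any Safe Senders data
        [int]$PreviewBytes    = 4
    )
    $attrs   = "msExchSafeSendersHash", "msExchSafeRecipientsHash", "msExchBlockedSendersHash"
    # RootDSE lists the naming contexts, so no base DN has to be guessed.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    foreach ($nc in $rootDse.Properties["namingContexts"]) {
        $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$nc")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter)
        $searcher.PageSize = 500
        [void]$searcher.PropertiesToLoad.Add("distinguishedName")
        foreach ($attr in $attrs) { [void]$searcher.PropertiesToLoad.Add($attr) }
        foreach ($hit in $searcher.FindAll()) {
            $dn = $hit.Properties["distinguishedname"][0]
            foreach ($attr in $attrs) {
                # SearchResult property names come back in lower case.
                $values = $hit.Properties[$attr.ToLower()]
                if ($values -and $values.Count -gt 0) {
                    $bytes   = [byte[]]$values[0]
                    $last    = [Math]::Min($PreviewBytes, $bytes.Length) - 1
                    $preview = ($bytes[0..$last] | ForEach-Object { "0x{0:x2}" -f $_ }) -join " "
                    $status  = "Set ($($bytes.Length) bytes)"
                } else {
                    $preview = ""
                    $status  = "<Not Set>"
                }
                New-Object PSObject -Property @{
                    Object = $dn; Attribute = $attr; Status = $status; Preview = $preview
                }
            }
        }
    }
}

Get-SafelistHashStatus | Sort-Object Object, Attribute |
    Format-Table Object, Attribute, Status, Preview -AutoSize
```

An object whose msExchSafeSendersHash shows "<Not Set>" on the Edge server but "Set" on the domain controller has not been replicated yet, which points at EdgeSync rather than at Update-SafeList.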

Verify that content filtering is enabled

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.

The safelist aggregation feature relies on content filtering to recognize the senders on an Outlook user's Safe Senders List or Blocked Senders List. Verify that content filtering is enabled on each Edge Transport server on which the anti-spam and antivirus features are running. By default, content filtering is enabled.

Use the EMC to verify that content filtering is enabled

  1. In the console tree, click Edge Transport.

  2. In the result pane, click the Anti-spam tab, click Content Filtering, and then in the action pane, click Enable.

Use the Shell to verify that content filtering is enabled

This example verifies whether content filtering is enabled.

Get-ContentFilterConfig | Format-List Enabled

If the output shows the Enabled parameter to be True, content filtering is enabled. If it isn't, use the following command to enable content filtering.

Set-ContentFilterConfig -Enabled:$true

For detailed syntax and parameter information, see the Get-ContentFilterConfig or Set-ContentFilterConfig topics.

Use a message to verify that safelist aggregation is functioning

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" and "EdgeSync" entries in the Transport Permissions topic.

To test whether safelist aggregation is functioning, you need to send a message, which would be blocked by content filtering, from a sender marked as a safe sender. If safelist aggregation is functioning, the message should arrive in your Outlook Inbox.

  1. Create an e-mail account by using a free Web-based e-mail provider like Hotmail.

  2. Add that account to your Safe Senders List in Outlook.

  3. Use the Update-SafeList cmdlet to have the safelist collection from that mailbox copied to Active Directory.

  4. Run the Start-EdgeSynchronization cmdlet to force EdgeSync replication. This will replicate the updated data to the Edge Transport servers. For detailed steps, see Force EdgeSync Synchronization.

  5. Add a specific word as a blocked phrase to your content filtering configuration. For detailed steps, see Configure Content Filtering Properties.

  6. From the Hotmail account you created in step 1, send a message to your Exchange mailbox that includes the blocked phrase you configured in step 5.
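The following is an added example, not code from the original topic: it scripts steps 3 through 5 above for one mailbox and then looks the test message up in the Edge Transport server's message tracking log, with a cleanup switch to remove the blocked phrase afterwards. It assumes "john@contoso.com" is the test mailbox, "tester@example.com" stands for the external account from step 1, and the blocked phrase is a constructed string; the first function runs in the Exchange Management Shell on an internal server, the other two on the Edge Transport server.

```powershell
# Added example (not from the original topic). Assumed placeholder values:
# john@contoso.com (test mailbox), tester@example.com (external test account),
# and a constructed blocked phrase unlikely to appear in legitimate mail.

# Internal server (steps 3 and 4): publish the safelist collection to Active
# Directory and push it to the Edge Transport servers.
function Publish-TestSafelist {
    param([string]$Mailbox = "john@contoso.com")
    Update-SafeList -Identity $Mailbox -Type SafeSenders
    Start-EdgeSynchronization
}

# Edge Transport server (step 5): add the blocked phrase before the test message
# is sent; run with -Remove once the test is finished so it doesn't linger.
function Set-TestBlockedPhrase {
    param(
        [string]$Phrase = "SAFELISTTEST-7f3a",   # constructed test phrase
        [switch]$Remove
    )
    if ($Remove) {
        Remove-ContentFilterPhrase -Phrase $Phrase -Confirm:$false
    } elseif (-not (Get-ContentFilterPhrase -Phrase $Phrase)) {
        Add-ContentFilterPhrase -Phrase $Phrase -Influence BadWord
    }
}

# Edge Transport server (after step 6): show what happened to the test message.
# A RECEIVE event followed by SEND means the Edge server accepted and relayed it,
# which is the expected result for a sender on the Safe Senders List.
function Get-TestMessageTrace {
    param(
        [string]$TestSender = "tester@example.com",
        [int]$Hours = 1
    )
    Get-MessageTrackingLog -Sender $TestSender -Start (Get-Date).AddHours(-$Hours) |
        Select-Object Timestamp, EventId, Source, MessageSubject, Recipients |
        Format-Table -AutoSize
}
```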