Content filtering evaluates incoming email messages by assessing the likelihood that the messages are legitimate or spam. Unlike other filtering technologies, content filtering uses characteristics of a statistically significant sample of legitimate and spam messages to make its determination. Content filtering is provided by the Content Filter agent on Exchange Server and is essentially unchanged from Exchange Server 2010. Updates to the Content Filter agent are made available periodically via Microsoft Update.
By default, the Content Filter agent is enabled on Edge Transport servers, but you can enable it on Mailbox servers. For more information, see Enable anti-spam functionality on Mailbox servers.
For more information on configuring the Content Filter agent, see the content filtering procedures.
Using the Content Filter agent
The Content Filter agent assigns a spam confidence level (SCL) to each message by giving it a score between 0 and 9. A higher number indicates that a message is more likely to be spam. Based on this rating, you can configure the agent to perform the following actions:
Delete: The message is silently deleted without a non-delivery report (also known as NDR, delivery status notification, DSN, or bounce).
Reject: The message is rejected with an NDR.
Quarantine: The message is sent to the spam quarantine mailbox. For more information about the spam quarantine mailbox, see Exchange Server spam quarantine.
For example, you can decide to delete messages with an SCL score of 7 or higher, reject messages with an SCL score of 6, and quarantine messages with an SCL score of 5.
You can tune the behavior of the SCL threshold by assigning different SCL ratings to each of these actions. For more information about how to adjust the SCL threshold to suit your organization’s requirements, see Exchange spam confidence level (SCL) thresholds.
Allow phrases and block phrases
You can customize how the Content Filter agent assigns SCL values by setting custom words or phrases that the agent will use when it applies filter processing. Approved words or phrases are configured as allow phrases, and unapproved words or phrases as block phrases. When the Content Filter agent detects an allow phrase in an incoming message, the agent automatically assigns an SCL value of 0 to the message. Alternatively, when the Content Filter agent detects a block phrase in an incoming message, the agent assigns an SCL score of 9. You can create up to 800 custom words or phrases in any combination of upper and lower case letters. However, case is ignored by the Content Filter agent.
Outlook Email Postmark validation
The Content Filter agent also includes Outlook Email Postmark validation. This validation is applied to outgoing messages to help messaging systems distinguish legitimate email from spam and to help reduce false positives. In spam filtering, a false positive occurs when a spam filter incorrectly identifies a legitimate message as spam. When Outlook Email Postmark validation is enabled, the Content Filter agent scans the incoming message for a computational postmark header. The presence of a valid, solved computational postmark header in the message indicates that the client computer that generated the message solved the computational postmark, so the Content Filter agent is likely to lower the SCL score of the message.
Although computers do not require significant processing time to solve individual computational postmarks, processing postmarks for millions of spam messages will be prohibitively expensive for a malicious sender. If a sender’s message contains a valid, solved computational postmark, the sender is unlikely to be malicious, so the Content Filter agent would lower the SCL score. If the postmark validation feature is enabled and the computational postmark header in an incoming message is invalid or missing, the Content Filter agent will not change the SCL score.
Exempting recipients, senders, and sender domains
In some organizations, all email messages to certain aliases must be accepted, which can cause problems if your organization manages a significant volume of spam. You can set exceptions to content filtering for specific recipients, senders, and sender domains.
For example, a company called Woodgrove Bank has an alias called [email protected] that provides email support to third-party loan customers, so Exchange administrators set up block phrases to filter out messages with wording that is normally used in spam sent by unscrupulous loan agencies. To prevent potentially legitimate messages from being bounced, administrators set exceptions to content filtering by entering a list of recipient email addresses in the Content Filter agent configuration.
Safelist aggregation
Safelist aggregation is a set of anti-spam features that is shared across Outlook and Exchange. As its name suggests, it collects data from anti-spam safelists that Outlook users set up and makes this data available to anti-spam agents on the Exchange server. The Content Filter agent uses Outlook’s Safe Senders Lists, Safe Recipients Lists, and Trusted Contacts to optimize spam filtering. Email messages from these contacts are identified as safe by the Content Filter agent. Sender filtering and the Sender Filter agent use the Outlook Blocked Senders List to perform sender filtering by recipient. For more information, see Safelist aggregation.
Configure the Content Filter agent
You configure the Content Filter agent using the Exchange Management Shell. For more information, see the content filtering procedures.
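The settings described in the sections above (SCL thresholds, allow and block phrases, postmark validation and recipient exceptions) can be applied together from the Exchange Management Shell. The script below is an added example, not taken from the original page or from Microsoft's procedures; the mailbox addresses and phrases are placeholders, and the ordering and phrase-count checks are this example's own sanity checks.

```powershell
# Added example: run in the Exchange Management Shell on the server that hosts
# the Content Filter agent. Addresses and phrases are placeholders.

# Thresholds from the example in the text: delete at 7 or higher, reject at 6,
# quarantine at 5.
$scl = @{ Delete = 7; Reject = 6; Quarantine = 5 }

# Sanity check added for this example: keep the harsher action on the higher
# threshold so that every action still has an SCL range of its own.
if (-not ($scl.Delete -gt $scl.Reject -and $scl.Reject -gt $scl.Quarantine)) {
    throw 'Expected Delete > Reject > Quarantine.'
}

$settings = @{
    SCLDeleteEnabled       = $true
    SCLDeleteThreshold     = $scl.Delete
    SCLRejectEnabled       = $true
    SCLRejectThreshold     = $scl.Reject
    SCLQuarantineEnabled   = $true
    SCLQuarantineThreshold = $scl.Quarantine
    QuarantineMailbox      = 'spamquarantine@example.com'   # placeholder
    OutlookEmailPostmarkValidationEnabled = $true
}
Set-ContentFilterConfig @settings

# Exempt the support alias; @{Add=...} appends instead of replacing the list.
Set-ContentFilterConfig -BypassedRecipients @{Add = 'loan-support@example.com'}

# Allow and block phrases (constructed). The text gives a limit of 800 custom
# phrases, so check the current count before adding more.
$newPhrases = @(
    @{ Influence = 'GoodWord'; Phrase = 'loan application reference' }
    @{ Influence = 'BadWord';  Phrase = 'guaranteed instant loan approval' }
)
$existing = @(Get-ContentFilterPhrase).Count
if ($existing + $newPhrases.Count -gt 800) {
    throw "Adding $($newPhrases.Count) phrases would exceed the limit of 800."
}
foreach ($p in $newPhrases) { Add-ContentFilterPhrase @p }

# Review the result.
Get-ContentFilterConfig |
    Format-List SCL*, QuarantineMailbox, Bypassed*, OutlookEmailPostmarkValidationEnabled
Get-ContentFilterPhrase | Format-Table Phrase, Influence
```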
The Content Filter agent relies on updates to determine if a message is spam. These updates contain data on phishing websites, Microsoft SmartScreen spam heuristics, and other Smart Message Filter updates. These updates typically contain around 6 MB of data, which remains useful for longer periods of time than other anti-spam update data.
Content filter updates are available from Microsoft Update. Content filter update data is refreshed and available for download every two weeks.
Using the SCL value in mail flow rules on Edge Transport servers
On Edge Transport servers, the Edge Rules agent acts on messages before the Content Filter agent adds the SCL value. If you want to use the SCLOver condition in a mail flow rule (also known as a transport rule), you must configure the Content Filter agent to run before the Edge Rules agent by changing the priorities of the transport agents. For more information, see Make message SCL values available to mail flow rules on Edge Transport servers.
Although the Content Filter agent is executed on other SMTP events, the SCL value is stamped in the message by the Content Filter agent instance that is registered in the OnEndOfData SMTP event.
If you configure the Content Filter agent to act on messages before the Edge Rules agent on an Edge Transport server, the server might incur additional processing costs because messages that would normally be rejected by other mail flow rules are received and evaluated by the Content Filter agent before they are rejected by the Edge Rules agent. Additionally, you will not be able to configure a mail flow rule to flag a message with an SCL value of -1, which tells the Content Filter agent to ignore the message.
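The reordering described above, as an added example that is not part of the original page: it moves the Content Filter agent ahead of the Edge Rules agent and then creates a mail flow rule that uses the SCLOver condition. The rule name and the header it sets are constructed for illustration; the agent identities are the names that Get-TransportAgent lists on an Edge Transport server.

```powershell
# Added example: run in the Exchange Management Shell on the Edge Transport server.
$contentFilter = Get-TransportAgent -Identity 'Content Filter Agent'
$edgeRules     = Get-TransportAgent -Identity 'Edge Rule Agent'

# Current order; a lower Priority number runs earlier.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority

if ($contentFilter.Priority -gt $edgeRules.Priority) {
    # Taking the Edge Rule agent's slot moves that agent, and those after it,
    # down by one position.
    Set-TransportAgent -Identity 'Content Filter Agent' -Priority $edgeRules.Priority

    # The new order takes effect only after the Transport service restarts.
    Restart-Service MSExchangeTransport
}

# Constructed rule: tag messages whose SCL is 5 or higher so that downstream
# systems can act on the header. SCLOver only matches once the Content Filter
# agent has stamped the SCL, which is why the reordering comes first.
$rule = @{
    Name           = 'Example - tag SCL 5 or higher'   # constructed name
    SCLOver        = 5
    SetHeaderName  = 'X-Example-Spam-Tag'              # constructed header
    SetHeaderValue = 'scl-5-or-higher'
}
New-TransportRule @rule

# Confirm the new agent order.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority
```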
For more information about transport agents and transport agent precedence, see Transport agents on Exchange Server.