locked
enable anti-spam for internal users RRS feed

  • Question

  • Hi,

    Help set up the Content Filter Agent. The task is simple: Send letters to the quarantine mailbox if there is a match for a phrase or a word. This filtering must be done for internal users.

    To do this, I installed antispam agents using the Install-AntiSpamAgents.ps1 script and disabled all agents except the "Content Filter Agent". For starters, I configured it as a test for internal and external users (ExternalMailEnabled and InternalMailEnabled $ true).

    Messages are successfully quarantined if there is a match for a phrase if it came from outside, but messages from Exchange users are not cut, in the properties of the message X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass which indicates that it passed the agent.

    Tell me how to work out for internal users?

    Monday, May 25, 2020 3:30 PM

Answers

  • MessageSecurityAntispamBypass indicates that the message wasn't filtered for content and that the sender has been granted permission to bypass the antispam filters. 

    I enabled content filter agent and set BadWord in my environment, but the internal messages are not filtered as well. It shows that content filter agent doesn't work for internal senders by default. I will do more test to check if this can be modify.

    You're also welcomed to post here, if you have more information to share.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Marked as answer by Andy DavidMVP Tuesday, June 2, 2020 11:23 AM
    Thursday, May 28, 2020 7:42 AM
  • Thanks for the recommendation.
    Why doesn't filtering work in my cases? After all, this functionality is declared. What am I doing wrong?
    I dont think you are necessarily doing anything wrong, I just dont think the anti-spam stuff installed on the mailbox role works that well.
    • Marked as answer by Andy DavidMVP Tuesday, June 2, 2020 11:23 AM
    Friday, May 29, 2020 10:57 AM

All replies

  • Hi,

    What's the detailed version of your Exchange server? You can check with the following command:

    Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

    What about the X-MS-Exchange-Organization-SCL in the message header? Is it greater than or equal to the SCL quarantine threshold?

    Do you enabled the Content Filter agent on Edge Transport server or Mailbox server? Please provide more details about your environment. 

    If you have several Mailbox servers, we have to make sure the message can reach the server where Content Filter agent is enabled.

    Use the following command for double-confirm. You can post the screenshot here, and don't forget to cover your personal information:

    Get-ContentFilterConfig | Format-List

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, May 26, 2020 2:04 AM
  • This is a test setup. Initially, I test in the sandbox and then deploy it to production servers.

    

    In test emails inside the Exchange organization X-MS-Exchange-Organization-SCL: -1, SCLQuarantineThreshold is 7.

    Content Filter agent is enabled on mailbox servers; edge servers are neither in the test deployment nor in the production one.

    In the logs of Content Filter agents, I record a message about this message with the status "Content Filter Agent, OnEndOfData, AcceptMessage ,, SCL, not available: content filtering was bypassed"

    Maybe I didn’t explain it correctly, but if I send a test letter using the anonymous port 25, the letter will be successfully quarantined. If you send a letter within the organization, the letter will not be quarantined.

    Tuesday, May 26, 2020 3:14 AM
  • MessageSecurityAntispamBypass indicates that the message wasn't filtered for content and that the sender has been granted permission to bypass the antispam filters. 

    I enabled content filter agent and set BadWord in my environment, but the internal messages are not filtered as well. It shows that content filter agent doesn't work for internal senders by default. I will do more test to check if this can be modify.

    You're also welcomed to post here, if you have more information to share.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Marked as answer by Andy DavidMVP Tuesday, June 2, 2020 11:23 AM
    Thursday, May 28, 2020 7:42 AM
  • Thanks for the answer.
    So I came across the fact that filtering does not work for internal senders, although the InternalMailEnabled parameter in Get-ContentFilterConfig indicates what should work.
    Perhaps this article can somehow help, but I do not know how to put it into practice.

    https://social.technet.microsoft.com/Forums/de-DE/7945c98d-9db8-4766-ad51-a7edd510b215/exchange-2010-content-filter-agent-not-working?forum=exchangesvrsecuremessaginglegacy

    Thursday, May 28, 2020 10:35 AM
  • Thanks for the answer.
    So I came across the fact that filtering does not work for internal senders, although the InternalMailEnabled parameter in Get-ContentFilterConfig indicates what should work.
    Perhaps this article can somehow help, but I do not know how to put it into practice.

    https://social.technet.microsoft.com/Forums/de-DE/7945c98d-9db8-4766-ad51-a7edd510b215/exchange-2010-content-filter-agent-not-working?forum=exchangesvrsecuremessaginglegacy

    So, question. Why the requirement to filter internal users? 
    Thursday, May 28, 2020 12:15 PM
  • The requirement is common: filter the message of internal users specifically by phrases or words and do it using the content filter agent because in the future it is planned to use all its functionality, including using scl.
    Now I have implemented this task at the transport rule level, but now I want to find out why this does not work at the content filter agent level, because in the future there are plans to include other agents that are part of the exchange server anti-spam protection.
    Thursday, May 28, 2020 3:16 PM
  • The requirement is common: filter the message of internal users specifically by phrases or words and do it using the content filter agent because in the future it is planned to use all its functionality, including using scl.
    Now I have implemented this task at the transport rule level, but now I want to find out why this does not work at the content filter agent level, because in the future there are plans to include other agents that are part of the exchange server anti-spam protection.

    Well, that didnt really answer my question :)

    Let me rephrase, Whats the business requirement? What problem are you trying to solve?

    I will say that using the built-in anti spam capabilities is not recommended in most scenarios. Its very basic and well, not very reliable in my opinion.

    Thursday, May 28, 2020 3:56 PM
  • Yes, this is a business requirement, it can be regarded as a fight against internal spam.
    Thursday, May 28, 2020 4:16 PM
  • Yes, this is a business requirement, it can be regarded as a fight against internal spam.

    Ok, in that case, I would recommend using a 3rd party anti-malware solution if you really want to leverage a solution that is robust

    Thursday, May 28, 2020 5:22 PM
  • Thanks for the recommendation.
    Why doesn't filtering work in my cases? After all, this functionality is declared. What am I doing wrong?
    Friday, May 29, 2020 2:36 AM
  • Thanks for the recommendation.
    Why doesn't filtering work in my cases? After all, this functionality is declared. What am I doing wrong?
    I dont think you are necessarily doing anything wrong, I just dont think the anti-spam stuff installed on the mailbox role works that well.
    • Marked as answer by Andy DavidMVP Tuesday, June 2, 2020 11:23 AM
    Friday, May 29, 2020 10:57 AM
  • OK, thanks for answer.
    The topic can be closed.
    Sunday, May 31, 2020 9:47 AM
  • Here is a brief summary about replies above for quick reference.

    Request:

    Help set up the Content Filter Agent. The task is simple: Send letters to the quarantine mailbox if there is a match for a phrase or a word. This filtering must be done for internal users.

    To do this, I installed antispam agents using the Install-AntiSpamAgents.ps1 script and disabled all agents except the "Content Filter Agent". For starters, I configured it as a test for internal and external users (ExternalMailEnabled and InternalMailEnabled $ true).

    Messages are successfully quarantined if there is a match for a phrase if it came from outside, but messages from Exchange users are not cut, in the properties of the message X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass which indicates that it passed the agent.

    Tell me how to work out for internal users?

    Summary and Suggestions:

    MessageSecurityAntispamBypass indicates that the message wasn't filtered for content and that the sender has been granted permission to bypass the antispam filters. 

    The test result shows that content filter agent doesn't work for internal senders by default.

    As a best practice, you don't need to apply antispam filters to messages from trusted partners or from inside your organization. There's always a chance that the filters will detect false positives. To reduce the chance that filters will mishandle legitimate email messages, you should typically configure antispam agents to only run on messages from untrusted and unknown sources.

    Reference Link:

    Content filtering procedures

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, June 2, 2020 9:08 AM