CLOUD SOLUTIONS

Exchange Protection settings

The Security for Exchange settings are organized into the following sections:

In this section you can create and manage groups of email accounts, define the age of the quarantined items and ban specific senders.

User Groups

Control Center allows creating user groups to apply different scanning and filtering policies to different user categories. For example, you can create appropriate policies for the IT department, for the sales team or for the managers of your company.

To create a user group:

  1. Click the add.png Add button at the upper side of the table. The details windows is displayed.

  2. Enter the group name, description and the users' email addresses.

    Note

    • For a large list of email addresses, you can copy and paste the list from a text file.

    • Accepted list separators: space, comma, semicolon and enter.

  3. Click Save.

Custom groups are editable. Click the group name to open the configuration window where and you can change the group details or edit the users list.

To remove a custom group from the list, select the group and click the delete.png Delete button at the upper side of the table.

Settings
  • Delete quarantined files older than (days) - By default, quarantined files older than 15 days are automatically deleted. If you want to change this interval, enter a different value in the corresponding field.

  • Connection Blacklist - With this option enabled, Exchange Server rejects all emails from the blacklisted senders.

    To build a blacklist:

    1. Click the Edit blacklisted items link.

    2. Enter the email addresses you want to block. When editing the list, you can also use the following wildcards to define an entire email domain or a pattern for email addresses:

      • Asterisk (*), replacing zero, one or more characters.

      • Question mark (?), replacing any single character.

      For example, if you enter *@boohouse.com, all email addresses from boohouse.com will be blocked.

    3. Click Save.

Domain IP Check (Antispoofing)

Use this filter to prevent spammers from spoofing the sender's email address and making the email appear as being sent by someone trusted.

You can specify the IP addresses authorized to send email for your email domains and, if needed, for other known email domains. If an email appears to be from a listed domain, but the sender's IP address does not match one of the specified IP addresses, the email is rejected.

Warning

Do not use this filter if you are using a smart host, a hosted email filtering service or gateway email filtering solution in front of your Exchange servers.

Important

The filter only checks unauthenticated email connections.

Best practices:

  • It is recommended to use this filter only on Exchange Servers that are directly facing the Internet. For example, if you have both Edge Transport and Hub Transport servers, configure this filter only on the Edge servers.

  • Add to your domains list all internal IP addresses allowed to send email over unauthenticated SMTP connections. These might include automated notification systems, network equipment such as printers, etc.

  • In an Exchange setup using Database Availability Groups, also add to your domains list the IP addresses of all your Hub Transport and Mailbox servers.

  • Use caution if you want to configure authorized IP addresses for specific external email domains that are not under your management. If you do not manage to keep the IP address list up-to-date, email messages from those domains will be rejected. If you are using an MX backup, you must add to all external email domains configured the IP addresses from which MX backup forwards email messages to your primary mail server.

To configure antispoofing filtering, follow the steps described herein:

  1. Select the Domain IP Check (Antispoofing) check box to enable the filter.

  2. Click the add.png Add button at the upper side of the table. The configuration window appears.

  3. Enter the email domain in the corresponding field.

  4. Provide the range of authorized IP addresses to be used with the previously specified domain, using the CIDR format (IP/Network mask).

  5. Click the add.png Add button at the right side of the table. The IP addresses are added to the table.

  6. To delete an IP range from the list, click the corresponding delete_inline.png Delete button at the right side of the table.

  7. Click Save. The domain is added to the filter.

To delete an email domain from the filter, select it in the Antispoofing table and click the delete.png Delete button at the upper side of the table.

Antimalware

The Antimalware module protects Exchange mail servers against all kinds of malware threats (viruses, Trojans, spyware, rootkits, adware, etc.), by detecting infected or suspect items and attempting to disinfect them or isolating the infection, according to the specified actions.

Antimalware scanning is performed at two levels:

Transport-level scanning

Bitdefender Endpoint Security Tools integrates with the mail transport agents to scan all email traffic.

By default, transport level scanning is enabled. Bitdefender Endpoint Security Tools is filtering the email traffic and, if required, informs the users of the taken actions by adding a text in the email body.

Use the Antimalware filtering check box to disable or re-enable this feature.

To configure the notification text, click the Settings link. The following options are available:

  • Add footer to scanned emails. Select this check box to add a sentence at the bottom of the scanned emails. To change the default text, enter your message in the text box below.

  • Replacement text. For emails whose attachments have been deleted or quarantined, a notification file can be attached. To modify the default notification texts, enter your message in the corresponding text boxes.

The antimalware filtering relies on rules. Each email that reaches the mail server is checked against the antimalware filtering rules, by order of priority, until it matches a rule. The email is then processed according to the options specified by that rule.

Managing filtering rules

You can view all existing rules listed in the table, together with information on their priority, status and scope. The rules are ordered by priority with the first rule having the highest priority.

Any antimalware policy has a default rule that becomes active once the antimalware filtering is enabled. What you need to know about the default rule:

  • You cannot copy, disable or delete the rule.

  • You can modify only the scanning settings and actions.

  • The default rule priority is always the lowest.

Creating rules

You have two alternatives for creating filtering rules:

  • Start from the default settings, by following these steps:

    1. Click add.png Add button at the upper side of the table to open the configuration window.

    2. Configure the rule settings. For details regarding the options, refer to Rule Options.

    3. Click Save. The rule is listed first in the table.

  • Use a clone of a custom rule as a template, by following these steps:

    1. Select the rule that you want from the table.

    2. Click the clone.png Clone button at the upper side of the table to open the configuration window.

    3. Adjust the rule options according to your needs.

    4. Click Save. The rule is listed first in the table.

Editing rules

To edit an existing rule:

  1. Click the rule name to open the configuration window.

  2. Enter the new values for the options you want to modify.

  3. Click Save. The changes take effect after the policy is saved.

Setting rule priority

To change a rule’s priority:

  1. Select the rule to be moved.

  2. Use the up.png Up or down.png Down buttons at the upper side of the table to increase or decrease the rule priority.

Removing rules

You can delete one or several custom rules at once. All you need to do is:

  1. Select the check box of the rules to be deleted.

  2. Click the delete.png Delete button at the upper side of the table. Once a rule is deleted, you cannot recover it.

Rule options

The following options are available:

  • General. In this section you must set a name for the rule, otherwise you cannot save it. Select the Active check box if you want the rule to be effective after the policy is saved.

  • Rule scope. You can restrict the rule to apply only to a subset of emails, by setting the following cumulative scope options:

    • Apply to (direction). Select the email traffic direction to which the rule applies.

    • Senders. You can decide whether the rule applies for any sender or only for specific senders. To narrow the senders range, click the Specific button and select the desired groups from the table on the left. View the selected groups in the table on the right.

    • Recipients. You can decide whether the rule applies for any recipient or only for specific recipients. To narrow the recipients range, click the Specific button and select the desired groups from the table on the left. You can view the selected groups in the table on the right.

      The rule applies if any of the recipients matches your selection. If you want to apply the rule only if all recipients are in the selected groups, select Match all recipients.

      Note

      The addresses in the Cc and Bcc fields also count as recipients.

      Important

      The rules based on user groups apply only to Hub Transport and Mailbox roles.

  • Options. Configure the scan options for emails matching the rule:

    • Scanned file types. Use this option to specify which file types you want to be scanned. You can choose to scan all files (regardless of their file extension), application files only, or specific file extensions you consider to be dangerous. Scanning all files provides the best protection, while scanning only applications is recommended for a quicker scan.

      Note

      Application files are far more vulnerable to malware attacks than other types of files. For more information, refer to appendices.extensions.app.

      If you want to scan only files with specific extensions, you have two alternatives:

      • User defined extensions, where you must provide only the extensions to be scanned.

      • All files, except specific extensions, where you must enter only the extensions to be skipped from scanning.

    • Attachment / email body maximum size (MB). Select this check box and enter a value in the corresponding field to set the maximum accepted size of an attached file or of the email body to be scanned.

    • Archive maximum depth (levels). Select the check box and choose the maximum archive depth from the corresponding field. The lower the depth level is, the higher the performance and the lower the protection grade.

    • Scan for Potentially Unwanted Applications (PUA). Select this check box to scan for possibly malicious or unwanted applications, such as adware, which may install on systems without user’s consent, change the behavior of various software products and lower the system performance.

  • Actions. You can specify different actions for the security agent to automatically take on files, based on the detection type.

    The detection type separates the files into three categories:

    • Infected files. Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.

    • Suspect files. These files are detected as suspicious by the heuristic analysis and other Bitdefender technologies. These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

    • Unscannable files. These files cannot be scanned. Unscannable files include but are not limited to password-protected, encrypted or over-compressed files.

    For each detection type, you have a default or main action and an alternative action in case the main one fails. Though not recommended, you can change these actions from the corresponding menus. Choose the action to be taken:

    • Disinfect. Removes the malware code from infected files and reconstructs the original file. For particular types of malware, disinfection is not possible because the detected file is entirely malicious. It is recommended to always keep this as the first action to be taken on infected files. Suspect files cannot be disinfected, because no disinfection routine is available.

    • Reject / Delete email. On servers with Edge Transport role, the detected email is rejected with a 550 SMTP error code. In all other cases, the email is deleted without any warning. It is advisable to avoid using this action.

    • Delete file. Deletes the attachments with issues without any warning. It is advisable to avoid using this action.

    • Replace file. Deletes the files with issues and inserts a text file that notifies the user of the actions taken.

    • Move file to quarantine. Moves detected files to the quarantine folder and inserts a text file that notifies the user of the actions taken. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. You can manage quarantine files from the Quarantine page.

      Note

      The quarantine for Exchange Servers requires additional hard-disk space on the partition where the security agent is installed. The quarantine size depends on the number of items stored and their size.

    • Take no action. No action will be taken on detected files. These files will only appear in the scan log. Scan tasks are configured by default to ignore suspect files. You may want to change the default action in order to move suspect files to quarantine.

    • By default, when an email matches the rule scope, it is processed exclusively in accordance with the rule, without being checked against any other remaining rule. If you want to continue checking against the other rules, clear the check box If the rule conditions are matched, stop processing more rules.

Exchange store scanning

Exchange Protection uses Exchange Web Services (EWS) from Microsoft to allow scanning the Exchange mailbox and public folder databases. You can configure the antimalware module to run on-demand scan tasks regularly on the target databases, according to the schedule you specify.

Note

  • On-demand scanning is available only for Exchange Servers with the Mailbox role installed.

  • On-demand scanning increases resource consumption and, depending on the scanning options and the number of objects to be scanned, can take considerable time to complete.

On-demand scanning requires an Exchange administrator account (service account) to impersonate Exchange users and to retrieve the target objects to be scanned from the user mailboxes and public folders. It is recommended to create a dedicated account for this purpose.

The Exchange administrator account must meet the following requirements:

  • It is a member of the Organization Management group (Exchange 2016, 2013 and 2010)

  • It is a member of the Exchange Organization Administrators group (Exchange 2007)

  • It has a mailbox attached.

Enabling on-demand scanning
  1. In the Scan tasks section, click the Add credentials link.

  2. Enter the service account username and password.

  3. If the email differ from the username, you need to also provide the email address of the service account.

  4. Enter the Exchange Web Services (EWS) URL, necessary when the Exchange Autodiscovery does not work.

Note

  • The username must include the domain name, as in user@domain or domain\user.

  • Do not forget to update the credentials in Control Center, whenever they have changed.

Managing scan tasks

The scan tasks table shows all scheduled tasks and provides information on their targets and recurrence.

To create tasks for scanning the Exchange Store:

  1. In the Scan tasks section, click the add.png Add button at the upper side of the table to open the configuration window.

  2. Configure the task settings as described in the following section.

  3. Click Save. The task is added in the list and it becomes effective once the policy is saved.

You can edit a task at any time by clicking the task name.

To remove tasks from the list, select them and click the delete.png Delete button at the upper side of the table.

Scan task settings

Tasks have a series of settings which you can find described herein:

  • General. Enter a suggestive name for the task.

    Note

    You can view the task name in Bitdefender Endpoint Security Tools timeline.

  • Scheduler. Use the scheduling options to configure the scan schedule. You can set the scan to run every few hours, days or weeks, starting with a specified date and time. For large databases, the scan task may take a long time and may impact the server performance. In such cases, you can configure the task to stop after a specified time.

  • Target. Select the containers and objects to be scanned. You can choose to scan mailboxes, public folders or both. Beside emails, you can choose to scan other objects such as Contacts, Tasks, Appointments and Post items. You can furthermore set the following restrictions to the content to be scanned:

    • Only unread messages

    • Only items with attachments

    • Only new items, received in a specified time interval

    For example, you can choose to scan only emails from user mailboxes, received in the last seven days.

    Select the Exclusions check box, if you want to define scan exceptions. To create an exception, use the fields from the table header as follows:

    1. Select the repository type from the menu.

    2. Depending on the repository type, specify the object to be excluded:

      Repository type

      Object format

      Mailbox

      Email address

      Public Folder

      Folder path, starting from the root

      Database

      The database identity

      Note

      To obtain the database identity, use the Exchange shell command:

      Get-MailboxDatabase | fl name,identity

      You can enter only one item at a time. If you have several items of the same type, you must define as many rules as the number of items.

    3. Click the add.png Add button at the upper side of the table to save the exception and add it to the list.

    To remove an exception rule from the list, click the corresponding delete.png Delete button.

  • Options. Configure the scan options for emails matching the rule:

    • Scanned file types. Use this option to specify which file types you want to be scanned. You can choose to scan all files (regardless of their file extension), application files only, or specific file extensions you consider to be dangerous. Scanning all files provides the best protection, while scanning only applications is recommended for a quicker scan.

      Note

      Application files are far more vulnerable to malware attacks than other types of files. For more information, refer to Application File Types.

      If you want to scan only files with specific extensions, you have two alternatives:

      • User defined extensions, where you must provide only the extensions to be scanned.

      • All files, except specific extensions, where you must enter only the extensions to be skipped from scanning.

    • Attachment / email body maximum size (MB). Select this check box and enter a value in the corresponding field to set the maximum accepted size of an attached file or of the email body to be scanned.

    • Archive maximum depth (levels). Select the check box and choose the maximum archive depth from the corresponding field. The lower the depth level is, the higher the performance and the lower the protection grade.

    • Scan for Potentially Unwanted Applications (PUA). Select this check box to scan for possibly malicious or unwanted applications, such as adware, which may install on systems without user’s consent, change the behavior of various software products and lower the system performance.

  • Actions. You can specify different actions for the security agent to automatically take on files, based on the detection type.

    The detection type separates the files into three categories:

    • Infected files. Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.

    • Suspect files. These files are detected as suspicious by the heuristic analysis and other Bitdefender technologies. These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

    • Unscannable files. These files cannot be scanned. Unscannable files include but are not limited to password-protected, encrypted or over-compressed files.

    For each detection type, you have a default or main action and an alternative action in case the main one fails. Though not recommended, you can change these actions from the corresponding menus. Choose the action to be taken:

    • Disinfect. Removes the malware code from infected files and reconstructs the original file. For particular types of malware, disinfection is not possible because the detected file is entirely malicious. It is recommended to always keep this as the first action to be taken on infected files. Suspect files cannot be disinfected, because no disinfection routine is available.

    • Reject / Delete email. The email is deleted without any warning. It is advisable to avoid using this action.

    • Delete file. Deletes the attachments with issues without any warning. It is advisable to avoid using this action.

    • Replace file. Deletes the files with issues and inserts a text file that notifies the user of the actions taken.

    • Move file to quarantine. Moves detected files to the quarantine folder and inserts a text file that notifies the user of the actions taken. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. You can manage quarantine files from the Quarantine page.

      Note

      Please note that the quarantine for Exchange Servers requires additional hard-disk space on the partition where the security agent is installed. The quarantine size depends on the number and size of the emails stored.

    • Take no action. No action will be taken on detected files. These files will only appear in the scan log. Scan tasks are configured by default to ignore suspect files. You may want to change the default action in order to move suspect files to quarantine.

    • By default, when an email matches the rule scope, it is processed exclusively in accordance with the rule, without being checked against any other remaining rule. If you want to continue checking against the other rules, clear the check box If the rule conditions are matched, stop processing more rules.

Antispam

The Antispam module offers multiple layer protection against spam and phishing by using a combination of various filters and engines to determine whether emails are spam or not.

Note

  • Antispam filtering is available for:

    • Exchange Server 2016/2013 with the Edge Transport or Mailbox role

    • Exchange Server 2010/2007 with the Edge Transport or Hub Transport role

  • If you have both Edge and Hub roles in your Exchange organization, it is recommended to enable the antispam filtering on the server with the Edge Transport role.

Spam filtering is automatically enabled for incoming emails. Use the Antispam filtering check box to disable or re-enable this feature.

Antispam filters

An email is checked against the antispam filtering rules based on the sender and recipients groups, by order of priority, until it matches a rule. The email is then processed according to the rule options, and actions are taken on the detected spam.

Certain antispam filters are configurable and you can control whether to use them or not. This is the list of the optional filters:

  • Charset Filter. Many spam emails are written in Cyrillic or Asian charsets. The Charset Filter detects this kind of emails and tags them as SPAM.

  • Sexually Explicit Tagged Content. Spam that contains sexually oriented material must include the warning SEXUALLY-EXPLICIT: in the subject line. This filter detects emails marked as SEXUALLY-EXPLICIT: in the subject line and tags them as spam.

  • URL Filter. Almost all spam emails include links to various web locations. Usually, these locations contain more advertising and offer the possibility to buy things. Sometimes, they are also used for phishing.

    Bitdefender maintains a database of such links. The URL filter checks every URL link in an email against its database. If a match is made, the email is tagged as spam.

  • Realtime Blackhole List (RBL). This is a filter that allows checking the sender’s mail server against third party RBL servers. The filter uses the DNSBL protocol and RBL servers to filter spam based on mail servers' reputation as spam senders.

    The mail server address is extracted from the email header and its validity is checked. If the address belongs to a private class (10.0.0.0, 172.16.0.0 to 172.31.0.0 or 192.168.0.0 to 192.168.255.0), it is ignored.

    A DNS check is performed on the domain d.c.b.a.rbl.example.com, where d.c.b.a is the reversed IP address of the server and rbl.example.com is the RBL server. If the DNS replies that the domain is valid, it means that the IP is listed in the RBL server and a certain server score is provided. This score ranges between 0 and 100, according to the confidence level you granted to the server.

    The query is performed for every RBL server in the list and the score returned by each one is added to the intermediate score. When the score has reached 100, no more queries are performed.

    If the RBL filter score is 100 or higher, the email is considered spam and the specified action is taken. Otherwise, a spam score is computed from the RBL filter score and added to the global spam score of the email.

  • Heuristic Filter. Developed by Bitdefender, the Heuristic filter detects new and unknown spam. The filter is automatically trained on large volumes of spam emails inside the Bitdefender Antispam Lab. During training, it learns to distinguish between spam and legitimate emails and to recognize new spam by perceiving its similarities, often very subtle, with the emails it has already examined. This filter is designed to improve signature-based detection, while keeping the number of false positives very low.

  • Bitdefender Cloud Query. Bitdefender maintains a constantly evolving database of spam mail "fingerprints" in the cloud. A query containing the email fingerprint is sent to the servers in the cloud to verify on the fly if the email is spam. Even if the fingerprint is not found in the database, it is checked against other recent queries and, provided certain conditions are met, the email is marked as spam.

Managing antispam rules

You can view all existing rules listed in the table, together with information on their priority, status and scope. The rules are ordered by priority with the first rule having the highest priority.

Any antispam policy has a default rule that becomes active once the module is enabled. What you need to know about the default rule:

  • You cannot copy, disable or delete the rule.

  • You can modify only the scanning settings and the actions.

  • The default rule priority is always the lowest.

  • Creating Rules

    To create a rule:

    1. Click the add.png Add button at the upper side of the table to open the configuration window.

    2. Configure the rule settings. For details regarding the options, refer to Rule Options.

    3. Click Save. The rule is listed first in the table.

  • Editing Rules

    To edit an existing rule:

    1. Click the rule name to open the configuration window.

    2. Enter the new values for the options you want to modify.

    3. Click Save. If the rule is active, changes take effect after the policy is saved.

  • Setting Rule Priority

    To change a rule priority, select the rule that you want and use the up.png Up and down.png Down arrows at the upper side of the table. You can move only one rule at a time.

  • Removing Rules

    If you do not want to use a rule anymore, select the rule and click the delete.png Delete button at the upper side of the table.

Rule Options

The following options are available:

  • General. In this section you must set a name for the rule, otherwise you cannot save it. Select the Active check box if you want the rule to be effective after the policy is saved.

  • Rule scope. You can restrict the rule to apply only to a subset of emails, by setting the following cumulative scope options:

    • Apply to (direction). Select the email traffic direction to which the rule applies.

    • Senders. You can decide whether the rule applies for any sender or only for specific senders. To narrow the senders range, click the Specific button and select the desired groups from the table on the left. View the selected groups in the table on the right.

    • Recipients. You can decide whether the rule applies for any recipient or only for specific recipients. To narrow the recipients range, click the Specific button and select the desired groups from the table on the left. You can view the selected groups in the table on the right.

      Note

      The addresses in the Cc and Bcc fields also count as recipients.

      Important

      The rules based on user groups apply only to Hub Transport and Mailbox roles.

  • Settings. Click the security level that best suits your needs (Aggressive, Normal or Permissive). Use the description on the right side of the scale to guide your choice.

    Additionally, you can enable various filters. For detailed information regarding these filters, refer to Antispam Filters.

    Important

    The RBL filter requires additional configuration. You can configure the filter after you have created or edited the rule. For more information, refer to Configuring the RBL Filter.

    For the authenticated connections you can choose whether to bypass or not the antispam scanning.

  • Actions. There are several actions which you can take on detected emails. Each action has, at its turn, several possible options or secondary actions. Find them described herein:

    • Main actions:

      • Deliver email. The spam email reaches the recipients mailboxes.

      • Quarantine email. The email is encrypted and saved in the quarantine folder from the Exchange Server, without being delivered to recipients. You can manage the quarantined emails in the Quarantine page.

      • Redirect email to. The email is not delivered to the original recipients, but to a mailbox you specify in the corresponding field.

      • Reject / Delete email. On servers with Edge Transport role, the detected email is rejected with a 550 SMTP error code. In all other cases, the email is deleted without any warning. It is advisable to avoid using this action.

    • Secondary actions:

      • Integrate with Exchange SCL. Adds a header to the spam email, allowing Exchange Server or Microsoft Outlook to take action according to the Spam Confidence Level (SCL) mechanism.

      • Tag the email subject as. You can add a label to the email subject to help users filter detected emails in the email client.

      • Add an email header. A header is added to emails detected as spam. You can modify the header name and value by entering the desired values in the corresponding fields. Further on, you can use this email header to create additional filters.

      • Save email to disk. A copy of the spam email is saved as a file to the specified folder. Provide the absolute path of the folder in the corresponding field.

        Note

        This option supports only emails in MIME format.

      • Archive to account. A copy of the detected email is delivered to the specified email address. This action adds the specified email address to the email Bcc list.

  • By default, when an email matches the rule scope, it is processed exclusively in accordance with the rule, without being checked against any other remaining rule. If you want to continue checking against the other rules, clear the check box If the rule conditions are matched, stop processing more rules.

Configuring the RBL Filter

If you want to use the RBL filter, you must provide a list of RBL servers.

To configure the filter:

  1. In the Antispam page, click the Settings link to open the configuration window.

  2. Provide the IP address of the DNS server to query and the query timeout interval in the corresponding fields. If no DNS server address is configured, or if the DNS server is unavailable, the RBL filter uses the system's DNS servers.

  3. For each RBL server:

    1. Enter the server hostname or IP address and the confidence level you have assigned to the server, in the fields from the table header.

    2. Click the add.png Add button at the upper side of the table.

  4. Click Save.

Configuring Sender Whitelist

For known email senders, you can prevent unnecessary server resource consumption, by including them into lists for trusted or untrusted senders. Thus, the mail server will always accept or reject emails coming from these senders. For example, you have an intense email communication with a business partner and to make sure you receive all emails, you can add the partner to the whitelist.

To build a whitelist of trusted senders:

  1. Click the Whitelist link to open the configuration window.

  2. Select the Sender Whitelist check box.

  3. Enter the email addresses in the corresponding field. When editing the list, you can also use the following wildcards to define an entire email domain or a pattern for email addresses:

    • Asterisk (*), replacing zero, one or more characters.

    • Question mark (?), replacing any single character.

    For example, if you enter *.gov, all emails coming from the .gov domain will be accepted.

  4. Click Save.

Note

To blacklist known spam senders, use the Connection Blacklist option from the Exchange Protection > General > Settings section.

Content Control

Use Content Control to enhance email protection by filtering all email traffic that is non-compliant with your company policies (unwanted or potentially sensitive content).

For an overall control of the email content, this module comprises two email filtering options:

Note

Content Filtering and Attachment Filtering are available for:

  • Exchange Server 2016/2013 with the Edge Transport or Mailbox role

  • Exchange Server 2010/2007 with the Edge Transport or Hub Transport role

Managing filtering rules

Content Control filters rely on rules. You can define various rules for different users and user groups. Each email that reaches the mail server is checked against the filtering rules, by order of priority, until it matches a rule. The email is then processed according to the options specified by that rule.

The content filtering rules precede the attachment filtering rules.

Content and attachment filtering rules are listed in the corresponding tables ordered by priority, with the first rule having the highest priority. For each rule, the following information is provided:

  • Priority

  • Name

  • Traffic direction

  • Senders and recipients groups

Creating Rules

You have two alternatives for creating filtering rules:

  • Start from the default settings, by following these steps:

    1. Click the add.png Add button at the upper side of the table to open the configuration window.

    2. Configure the rule settings. For details about specific content and attachment filtering options, refer to:

    3. Click Save. The rule is listed first in the table.

  • Use a clone of a custom rule as a template, by following these steps:

    1. Select the desired rule from the table.

    2. Click the clone.png Clone button at the upper side of the table to open the configuration window.

    3. Adjust the rule options to your needs.

    4. Click Save. The rule is listed first in the table.

Editing Rules

To edit an existing rule:

  1. Click the rule name to open the configuration window.

  2. Enter the new values for the options you want to modify.

  3. Click Save. The changes take effect after the policy is saved.

Setting Rule Priority

To change a rule’s priority:

  1. Select the rule to be moved.

  2. Use the up.png Up or down.png Down buttons at the upper side of the table to increase or decrease the rule priority.

Removing Rules

You can delete one or several custom rules. All you need to do is:

  1. Select the rules to be deleted.

  2. Click the delete.png Delete button at the upper side of the table. Once a rule is deleted, you cannot recover it.

Content filtering

Content Filtering helps you filter email traffic based on the character strings you have previously defined. These strings are compared with the email subject or with the text content of the email body. By using Content Filtering, you can achieve the following goals:

  • Prevent unwanted email content from entering the Exchange Server mailboxes.

  • Block outgoing emails containing confidential data.

  • Archive emails that meet specific conditions to a different email account or on the disk. For example, you can save the emails sent to your company's support email address to a folder on the local disk.

Enabling Content Filtering

If you want to use content filtering, select the Content filtering check box.

For creating and managing content filtering rules, refer to Content Control.

Rule Options

The following options are available:

  • General. In this section you must set a name for the rule, otherwise you cannot save it. Select the Active check box if you want the rule to be effective after the policy is saved.

  • Rule scope. You can restrict the rule to apply only to a subset of emails, by setting the following cumulative scope options:

    • Apply to (direction). Select the email traffic direction to which the rule applies.

    • Senders. You can decide whether the rule applies for any sender or only for specific senders. To narrow the senders range, click the Specific button and select the desired groups from the table on the left. View the selected groups in the table on the right.

    • Recipients. You can decide whether the rule applies for any recipient or only for specific recipients. To narrow the recipients range, click the Specific button and select the desired groups from the table on the left. You can view the selected groups in the table on the right.

      Note

      The addresses in the Cc and Bcc fields also count as recipients.

      Important

      The rules based on user groups apply only to Hub Transport and Mailbox roles.

  • Settings. Configure the expressions to be searched for in emails as described herein:

    1. Choose the part of the email to be checked:

      • The email subject, by selecting the Filter by subject check box. All emails whose subject contains any of the expressions entered in the corresponding table are being filtered.

      • The body content, by selecting the Filter by body content check box. All emails that contain in their body any of the defined expressions are being filtered.

      • Both the subject and the body content, by selecting both check boxes. All emails whose subject matches any rule from the first table AND their body contains any expression from the second table, are being filtered. For example:

        The first table contains the expressions: newsletter and weekly. The second table contains the expressions: shopping, price and offer.

        An email with the subject "Monthly newsletter from your favorite watch vendor" and the body containing the phrase "We have the pleasure to present you our latest offer containing sensational watches at irresistible prices." will make a match on the rule and will be filtered. If the subject is "News from your watch vendor", the email is not filtered.

    2. Build the lists of conditions, using the fields from the table headers. For each condition, follow these steps:

      1. Select the expression type used in searches. You can choose to enter the exact text expression or to build text patterns with the use of regular expressions.

        Note

        The syntax of regular expressions is validated against the ECMAScript grammar.

      2. Enter the search string in the Expression field.

        For example:

        1. The expression 5[1-5]\d{2}([\s\-]?\d{4}){3} matches the bank cards with numbers that start with fifty-one through fifty-five, have sixteen digits in groups of four, and the groups may be separated by space or hyphen. Therefore, any email containing the card number in one of the formats: 5257-4938-3957-3948, 5257 4938 3957 3948 or 5257493839573948, will be filtered.

        2. This expression detects emails with the words lottery, cash and prize, found in this exact order:

          (lottery)((.|\n|\r)*)( cash)((.|\n|\r)*)( prize)

          To detect emails that contain each of the three words regardless of their order, add three regular expressions with different word order.

        3. This expression detects emails that include three or more occurrences of the word prize:

          (prize)((.|\n|\r)*)( prize)((.|\n|\r)*)( prize)
      3. If you want to differentiate the capital letters from the small letters in text comparisons, select the Match case check box. For example, with the check box selected, Newsletter is not the same with newsletter.

      4. If you do not want the expression to be a part of other words, select the Whole word check box. For example, with the check box selected, the expression Anne's salary does not make a match with MariAnne's salary.

      5. Click the add.png Add button from the Action column header to add the condition to the list.

  • Actions. There are several actions which you can take on emails. Each action has, at its turn, several possible options or secondary actions. Find them described herein:

    • Main actions:

      • Deliver email. The detected email reaches the recipients mailboxes.

      • Quarantine. The email is encrypted and saved in the quarantine folder from the Exchange Server, without being delivered to recipients. You can manage the quarantined emails in the Quarantine page.

      • Redirect to. The email is not delivered to the original recipients, but to a mailbox you specify in the corresponding field.

      • Reject / Delete email. On servers with Edge Transport role, the detected email is rejected with a 550 SMTP error code. In all other cases, the email is deleted without any warning. It is advisable to avoid using this action.

    • Secondary actions:

      • Tag the email subject as. You can add a label to the detected email subject to help users filter emails in the email client.

      • Add a header to the email messages.You can add a header name and a value to the headers of the detected email, by entering the desired values in the corresponding fields.

      • Save mail to disk. A copy of the detected email is saved as a file to the specified folder on the Exchange Server. If the folder does not exist, it will be created. You must provide the absolute path of the folder in the corresponding field.

        Note

        This option supports only emails in MIME format.

      • Archive to account. A copy of the detected email is delivered to the specified email address. This action adds the specified email address to the email Bcc list.

  • By default, when an email matches the conditions of a rule, it is no longer checked against any other rules. If you want to continue processing rules, clear the check box If the rule conditions are matched, stop processing more rules.

Exclusions

If you want the email traffic for specific senders or recipients to be delivered regardless of any content filtering rule, you can define filtering exclusions.

To create an exclusion:

  1. Click the Exclusions link next to the Content filtering check box. This action opens the configuration window.

  2. Enter the email addresses of the trusted senders and/or recipients in the corresponding fields. Any email coming from a trusted sender or going to a trusted recipient is excluded from filtering. When editing the list, you can also use the following wildcards to define an entire email domain or a pattern for email addresses:

    • Asterisk (*), replacing zero, one or more characters.

    • Question mark (?), replacing any single character.

    For example, if you enter *.gov, all emails coming from the .gov domain will be accepted.

  3. For emails with multiple recipients, you can select the check box Exclude email from filtering only if all recipients are trusted to apply the exclusion only if all email recipients are present in the trusted recipients list.

  4. Click Save.

Attachment filtering

The Attachment Filtering module provides filtering features for mail attachments. It can detect attachments with certain name patterns or of a certain type. By using Attachment Filtering, you can:

  • Block potentially dangerous attachments, such as .vbs or .exe files, or the emails containing them.

  • Block attachments having offensive names or the emails containing them.

Enabling Attachment Filtering

If you want to use attachment filtering, select the Attachment filtering check box.

For creating and managing attachment filtering rules, refer to Content Control.

Rule Options

The following options are available:

  • General. In this section you must set a name for the rule, otherwise you cannot save it. Select the Active check box if you want the rule to be effective after the policy is saved.

  • Rule scope. You can restrict the rule to apply only to a subset of emails, by setting the following cumulative scope options:

    • Apply to (direction). Select the email traffic direction to which the rule applies.

    • Senders. You can decide whether the rule applies for any sender or only for specific senders. To narrow the senders range, click the Specific button and select the desired groups from the table on the left. View the selected groups in the table on the right.

    • Recipients. You can decide whether the rule applies for any recipient or only for specific recipients. To narrow the recipients range, click the Specific button and select the desired groups from the table on the left. You can view the selected groups in the table on the right.

      Note

      The addresses in the Cc and Bcc fields also count as recipients.

      Important

      The rules based on user groups apply only to Hub Transport and Mailbox roles.

  • Settings. Specify the files that are allowed or denied in email attachments.

    You can filter email attachments by file type or by file name.

    To filter attachments by file type, follow these steps:

    1. Select the Detect by Content Type check box.

    2. Select the detection option that is more suitable for your needs:

      • Only the following categories, when you have a limited list of forbidden file type categories.

      • All except the following categories, when you have a limited list of allowed file type categories.

    3. Select the file type categories of your interest from the available list. For details on the extensions of each category, refer to Attachment Filtering File Types.

      If you are interested in some specific file types only, select the Custom extensions check box and enter the list of extensions in the corresponding field.

    4. Select the Enable true type detection check box to check file headers and correctly identify the attachment file type when scanning for restricted extensions. This means an extension cannot be simply renamed to bypass attachment filtering policies.

      Note

      True type detection can be resource intensive.

    To filter attachments by their name, select the Detect by Filename check box and enter the filenames you want to filter, in the corresponding field. When editing the list, you can also use the following wildcards to define patterns:

    • Asterisk (*), replacing zero, one or more characters.

    • Question mark (?), replacing any single character.

    For example, if you enter database.*, all files named database, regardless of their extension, will be detected.

    Note

    If you enable both content type and filename detections (without true type detection), the file must simultaneously meet the conditions for both detection types. For example, you have selected the Multimedia category and entered the filename test.pdf. In this case any email passes the rule because the PDF file is not a multimedia file.

    Select the Scan inside archives check box to prevent blocked files from being hidden in apparently inoffensive archives and thus by-passing the filtering rule.

    The scan is recursive inside archives and by default it goes until the fourth archive depth level. You can optimize the scan as described herein:

    1. Select the Archive maximum depth (levels) check box.

    2. Choose a different value from the corresponding menu. For best performance choose the lowest value, for maximum protection choose the highest value.

    Note

    If you have selected to scan archives, Scan inside archives is disabled and all archives are scanned.

  • Actions. There are several actions which you can take on detected attachments or on the emails containing them. Each action has, at its turn, several possible options or secondary actions. Find them described herein:

    • Main actions:

      • Replace file. Deletes the detected files and inserts a text file that notifies the user of the actions taken.

        To configure the notification text:

        1. Click the Settings link next to the Attachment filtering check box.

        2. Enter the notification text in the corresponding field.

        3. Click Save.

      • Delete file. Deletes the detected files without any warning. It is advisable to avoid using this action.

      • Reject/Delete email. On servers with Edge Transport role, the detected email is rejected with a 550 SMTP error code. In all other cases, the email is deleted without any warning. It is advisable to avoid using this action.

      • Quarantine email. The email is encrypted and saved in the quarantine folder from the Exchange Server, without being delivered to recipients. You can manage the quarantined emails in the Quarantine page.

      • Redirect email to. The email is not delivered to the original recipients, but to an email address you specify in the corresponding field.

      • Deliver email. Lets the email pass through.

    • Secondary actions:

      • Tag the email subject as. You can add a label to the detected email subject to help users filter emails in the email client.

      • Add an email header. You can add a header name and a value to the headers of the detected email, by entering the desired values in the corresponding fields.

      • Save email to disk. A copy of the detected email is saved as a file to the specified folder on the Exchange Server. If the folder does not exist, it will be created. You must provide the absolute path of the folder in the corresponding field.

        Note

        This option supports only emails in MIME format.

      • Archive to account. A copy of the detected email is delivered to the specified email address. This action adds the specified email address to the email Bcc list.

  • By default, when an email matches the rule scope, it is processed exclusively in accordance with the rule, without being checked against any other remaining rule. If you want to continue checking against the other rules, clear the check box If the rule conditions are matched, stop processing more rules.

Exclusions

If you want the email traffic for specific senders or recipients to be delivered regardless of any attachment filtering rule, you can define filtering exclusions.

To create an exclusion:

  1. Click the Exclusions link next to the Attachment filtering check box. This action opens the configuration window.

  2. Enter the email addresses of the trusted senders and/or recipients in the corresponding fields. Any email coming from a trusted sender or going to a trusted recipient is excluded from filtering. When editing the list, you can also use the following wildcards to define an entire email domain or a pattern for email addresses:

    • Asterisk (*), replacing zero, one or more characters.

    • Question mark (?), replacing any single character.

    For example, if you enter *.gov, all emails coming from the .gov domain will be accepted.

  3. For emails with multiple recipients, you can select the check box Exclude email from filtering only if all recipients are trusted to apply the exclusion only if all email recipients are present in the trusted recipients list.

  4. Click Save.