Configuring content filtering
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic describes how to configure content filtering. You can create content filters to search for specific words within an e-mail message, and for attachments with a specific name and type. There are two types of content filters:
File filters—Identify unwanted file attachments within e-mail messages. You can filter file attachments based on file type, file name, and extension.
Message body filters—Identify unwanted e-mail messages by analyzing the contents of the message body. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences.
The following sections describe how to configure content filtering:
Creating a file filter
Creating a message body filter
Prerequisites
Before you configure content filters, make sure you complete the following:
Install the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES) on each Forefront TMG server in the array, as described in Installing prerequisites for e-mail protection.
Create the initial SMTP routes using the E-Mail Policy Wizard, as described in Configuring SMTP routes.
Enable content filtering, either by using the E-Mail Policy Wizard, or by clicking Enable Content Filtering from the Tasks pane of the Virus and Content Filtering tab.
Creating a file filter
You can configure the file filter by file type, file name, and extension.
Filtering by file type
If you want to filter certain file types, you can create a filter and set the File Types selection to the exact file type you want to filter.
For example, create a filter and set the File Types to MP3. This ensures that all MP3 files are filtered no matter what their file name or extension.
Filtering by file name
If you want to filter all files with a certain name, you can create a filter by adding the file name to the File Names tab. Filter matching is not case-sensitive.
For example, if a virus uses an attached file named payload.doc, you can create the filter payload.doc. This ensures that any file named payload.doc will be filtered no matter what the file type.
Detecting file attachments by name is also useful when there is an outbreak of a new virus and you know the name of the file in which the virus resides before your virus scanners are updated to detect it. Keep in mind that a name filter only stops that exact name; a copy of the same attachment under a different name passes it, so where the file type is known, pair the name filter with a file type filter, which matches regardless of file name or extension.
Filtering by extension
If you want to filter any file that has a certain extension, you can create a filter for the extension by adding it to the File Names tab. Filter matching is not case-sensitive.
For example, create a filter for any executable file with the extension .exe by adding *.exe* as the file name on the File Names tab. This will ensure that all files with an .exe extension will be filtered.
Important
When creating generic file filters to stop all of a certain type of file (for example .exe files), write the filter as *.exe* rather than *.exe. The second asterisk (*) prevents files with extra characters appended after the file extension from bypassing the filter.
Note
It is recommended to avoid the use of a generic filter * (where nothing is defined for filtering) with the File Types set to Select All. This filter configuration could result in the reporting of repeated detections.
To create and configure a file filter
In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.
In the details pane, click the Virus and Content Filtering tab, and then click File Filtering.
On the General tab of the File Filtering properties, verify that Status is set to Enabled.
On the File Filters tab, click Add.
On the General tab of the File Filter properties, verify that the Enable this filter check box is selected. It is enabled by default.
Under Filter name, type a name for this filter.
Select the Action to take if there is a filter match:
Skip—Records the number of messages that meet the filter criteria, but enables messages to route normally.
Identify—Tags the subject line or message header of the detected message with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes.
Delete—Deletes the file attachment. The detected file attachment is removed from the message.
Purge—Deletes the message from your mail system.
Select whether you want this filter to be applied to inbound messages, outbound messages, or both.
On the File Types tab, click the file types that can be associated to the selected file name. You can select one or more file types from the list. If the file type you want to associate to the selected file name is not available in the list, then click Select All.
On the File Names tab, click Add and type the name or extension of the file to be detected.
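The way one file filter's direction, File Types selection and File Names entries combine, as an added example that is not part of the original page and not Forefront's own code. The wildcard dialect (only * and ? are wildcards), the detected_type argument (the file type the scanner identified, independent of the name) and the field names are assumptions made for the illustration; the filter set is constructed from the examples in the text.

```python
# Added illustration of how a file filter's File Names entries and File Types
# selection combine. Not Forefront's code: the wildcard dialect (only * and ?),
# the detected_type argument and the filter fields are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional, Set


def glob_to_regex(pattern):
    """Turn a File Names entry such as '*.exe*' into a case-insensitive
    whole-name regex: '*' matches any run of characters (including none),
    '?' exactly one character; everything else is literal."""
    parts = (".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


@dataclass
class FileFilter:
    name: str
    file_names: List[str]                   # entries on the File Names tab
    file_types: Optional[Set[str]] = None   # None models "Select All"
    action: str = "Delete"                  # Skip, Identify, Delete or Purge
    inbound: bool = True
    outbound: bool = True

    def matches(self, attachment_name, detected_type, direction):
        """True when direction, detected type and at least one name pattern agree."""
        if not (self.inbound if direction == "inbound" else self.outbound):
            return False
        if self.file_types is not None and detected_type.upper() not in self.file_types:
            return False
        return any(glob_to_regex(p).match(attachment_name) for p in self.file_names)


def evaluate(filters, attachment_name, detected_type, direction="inbound"):
    """Actions of every filter that matches the attachment, in filter order."""
    return [f.action for f in filters if f.matches(attachment_name, detected_type, direction)]


# Constructed filter set mirroring the examples in the text.
FILTERS = [
    FileFilter("audio", ["*"], {"MP3"}),                      # type decides, name is irrelevant
    FileFilter("outbreak", ["payload.doc"], action="Purge"),   # exact name, any type
    FileFilter("weak exe", ["*.exe"], action="Skip"),          # misses appended characters
    FileFilter("exe", ["*.exe*"]),                             # the recommended form
    FileFilter("outbound dlp", ["*.xls*"], action="Identify", inbound=False),
]
```

Running evaluate over a few names shows the difference the trailing asterisk makes: "setup.exe" is caught by both the weak and the recommended pattern, while "setup.exe.txt" and "setup.exe " (trailing space) are caught only by *.exe*. The "outbound dlp" filter never fires on inbound mail because of its direction setting.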
Creating a message body filter
Use the following procedure to create a message body filter.
To create and configure a message body filter
In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.
In the details pane, click the Virus and Content Filtering tab, and then click Message Body Filtering.
On the General tab of the Message Body Filtering properties, verify that Status is set to Enabled.
On the Message Body Filters tab, click Add.
On the General tab of the Message Body Filter properties, verify that the Enable this filter check box is selected. It is enabled by default.
Under Filter name, type a name for this filter.
Select the Action to take if there is a filter match:
Skip—Records the number of messages that meet the filter criteria, but enables messages to route normally.
Identify—Tags the subject line or message header of the detected message with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes.
Delete—Deletes the file attachment. The detected file attachment is removed from the message.
Purge—Deletes the message from your mail system.
Select whether you want this filter to be applied to inbound messages, outbound messages, or both.
On the Keywords tab, click Add and type the keywords you want to filter. For information about syntax and expressions that you can use with message body filters, see About keyword list syntax rules below.
About keyword list syntax rules
The following are the syntax rules for a keyword list:
Each item (line of text) is considered a search query.
Queries use the OR operator. It is considered to be a positive detection if any entry is a match.
Queries can contain operators that separate text tokens. Such queries are called expressions. The following logical operators are supported. There must be a space between an operator and a keyword, represented in the examples by the • character:
_AND_ (Logical AND). For example: apple•_AND_•orange juice
_NOT_ (Negation). For example: apple•_AND__NOT_•juice
_ANDNOT_ (Same as _AND__NOT_). For example: apple•_ANDNOT_•juice
_WITHIN[#]OF_ (Proximity). If the two terms are within a specified number of words of each other, there is a match. For example: free•_WITHIN[10]OF_•offer. (If free is within 10 words of offer, this query is true.)
_HAS[#]OF_ (Frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example: _HAS[4]OF_•get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query is true. This operator is implicitly assumed and has a default value of 1 when it is not specified.
Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest):
1) _WITHIN[#]OF_
2) _HAS[#]OF_
3) _NOT_
4) _AND_
This precedence cannot be overridden with parentheses.
The logical operators must be entered in uppercase letters.
Phrases can also be used as keywords, for example, apple juice or get rich quick.
Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A••••B is treated as A•B and matches the phrase A•B.
In HTML encoded message texts, punctuation (any character that is not alphanumeric) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter <html> matches <html>, but not html.
Note
You must leave a space between the operators and the keywords. The logical operators must be entered in uppercase letters as shown to function properly.
Examples (the • character represents a space):
apple•_AND_•orange•_AND_•lemon•_WITHIN[50]OF_•juice
confidential•_WITHIN[10]OF_•project•_AND_•banana•_WITHIN[25]OF_•shake
_HAS[2]OF_•get rich•_WITHIN[20]OF_•quick
Filtering e-mail messages that automatically load HTML images
To filter e-mail messages that automatically load HTML images from a Web server, add the following items to a keyword filter list:
img _WITHIN[6]OF_ src="http"
img _WITHIN[6]OF_ src='http'
These filters will identify instances of the text "img" that occur within six words of the following text: src="http"
If e-mail messages that contain HTML images are not filtered after you add these filters to the keyword list, you can examine the source code of the e-mail messages to see how these e-mail messages identify images. Then, you can create additional customized filters.
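An evaluator for the keyword list syntax rules above and for the HTML image entries in this section, as an added example that is not part of the original page and not Forefront's matching engine. It implements the documented rules (one query per line OR-ed together, the operators, their precedence, whitespace collapsing, and punctuation as a separator in HTML mode). Assumptions for the illustration: keyword matching is case-insensitive, "within N words" counts two adjacent words as distance 1, and the sample messages are constructed.

```python
# Evaluator for the keyword-list syntax described above. Added illustration only,
# not Forefront's matching engine. Assumptions: matching is case-insensitive,
# "within N words" counts adjacent words as distance 1, and HTML mode splits on
# every non-alphanumeric character as the text describes.
import re

# Operators must be uppercase, stand alone between blanks and carry their count
# in [ ]. "_AND__NOT_" is accepted as the page writes it.
_OP = re.compile(r"^_(?:(AND)|(NOT)|(ANDNOT|AND__NOT)|WITHIN\[(\d+)\]OF|HAS\[(\d+)\]OF)_$")


def to_words(text, html=False):
    """Lowercase word list: runs of blanks (space, tab, CR, LF, VT) collapse to
    one separator, and in HTML mode punctuation separates words as well."""
    if html:
        text = re.sub(r"[^0-9A-Za-z]+", " ", text)
    return text.lower().split()


def tokenize(query, html=False):
    """One keyword-list line -> [('op', name, count) | ('phrase', [words])]."""
    tokens, phrase = [], []
    for raw in query.split():
        m = _OP.match(raw)
        if not m:                                   # ordinary text joins the phrase
            phrase.extend(to_words(raw, html))
            continue
        if phrase:
            tokens.append(("phrase", phrase))
            phrase = []
        name = ("AND", "NOT", "ANDNOT", "WITHIN", "HAS")[m.lastindex - 1]
        count = int(m[m.lastindex]) if name in ("WITHIN", "HAS") else None
        tokens.append(("op", name, count))
    if phrase:
        tokens.append(("phrase", phrase))
    return tokens


class _Parser:
    """Recursive descent; precedence highest first: _WITHIN_ > _HAS_ > _NOT_ > _AND_."""
    def __init__(self, tokens):
        self.t, self.i = tokens, 0

    def _take(self, *names):                        # consume the next token if it is a named operator
        if self.i < len(self.t) and self.t[self.i][0] == "op" and self.t[self.i][1] in names:
            self.i += 1
            return self.t[self.i - 1]
        return None

    def parse(self):
        node = self.parse_and()
        if self.i != len(self.t):                   # e.g. two phrases with no operator between
            raise ValueError("unexpected token %r" % (self.t[self.i],))
        return node

    def parse_and(self):                            # lowest precedence
        node = self.parse_not()
        while op := self._take("AND", "ANDNOT"):
            rhs = self.parse_not()
            node = ("and", node, ("not", rhs) if op[1] == "ANDNOT" else rhs)
        return node

    def parse_not(self):
        return ("not", self.parse_not()) if self._take("NOT") else self.parse_has()

    def parse_has(self):
        op = self._take("HAS")
        return ("has", op[2], self.parse_has()) if op else self.parse_within()

    def parse_within(self):                         # highest precedence
        node = self.parse_phrase()
        while op := self._take("WITHIN"):
            node = ("within", op[2], node, self.parse_phrase())
        return node

    def parse_phrase(self):
        if self.i < len(self.t) and self.t[self.i][0] == "phrase":
            self.i += 1
            return self.t[self.i - 1]
        raise ValueError("keyword expected at token %d" % self.i)


def _spans(node, words):
    """(start, end) word spans where `node` matches; an empty list means false."""
    kind = node[0]
    if kind == "phrase":
        p, k = node[1], len(node[1])
        return [(i, i + k) for i in range(len(words) - k + 1) if words[i:i + k] == p]
    if kind == "within":
        _, n, left, right = node
        hits = []
        for a in _spans(left, words):
            for b in _spans(right, words):
                distance = max(b[0] - a[1], a[0] - b[1]) + 1   # adjacent words = 1
                if distance <= n:
                    hits.append((min(a[0], b[0]), max(a[1], b[1])))
        return hits
    if kind == "has":                               # minimum occurrence count
        found = _spans(node[2], words)
        return found if len(found) >= node[1] else []
    if kind == "not":                               # truth value only
        return [] if _spans(node[1], words) else [(0, 0)]
    lhs, rhs = _spans(node[1], words), _spans(node[2], words)   # kind == "and"
    return lhs + rhs if lhs and rhs else []


def query_matches(query, text, html=False):
    """Evaluate one keyword-list line against a message body."""
    return bool(_spans(_Parser(tokenize(query, html)).parse(), to_words(text, html)))


def keyword_list_matches(keyword_list, text, html=False):
    """Lines are separate queries OR-ed together: any hit is a detection."""
    return any(query_matches(q, text, html) for q in keyword_list.splitlines() if q.strip())


# Constructed sample messages and the image-beacon list from the text.
SPAM_TEXT = "Get RICH quick yes get rich   quick with our free limited\n\toffer now"
HTML_MAIL = ('<html><body><p>Hi</p><img height="1" width="1" '
             'src="http://tracker.example/pixel.gif"></body></html>')
IMAGE_LIST = 'img _WITHIN[6]OF_ src="http"\nimg _WITHIN[6]OF_ src=\'http\''
```

Two points the code makes concrete: a lowercase "_and_" is not an operator and is searched for as literal text, so "apple _and_ juice" matches nothing in "apple juice"; and the image-beacon list only fires on HTML_MAIL when the body is treated as HTML, because in plain mode the attribute text src="http://tracker.example/pixel.gif"> never equals the keyword src="http". In HTML mode the tag above splits into img height 1 width 1 src http, which puts "img" at distance 5 from "src http", inside the six-word window.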
Related Topics
Tasks
Installing prerequisites for e-mail protection
Concepts
Configuring protection from e-mail-based threats
Planning to protect against e-mail threats