Step 7: Set up Edge Transport server advanced content-filtering features

Learn how to set up Edge Transport server puzzle validation feature and block incoming and outgoing email attachments by filename or the file extension type.

In Step 4, I showed you some basic techniques for configuring an Edge Transport server to filter out spam, viruses and malware. Now let's review some more advanced content-filtering features.

Puzzle validation

Any inbound email message that passes through an Edge Transport server is analyzed and then assigned a Spam Confidence Level (SCL) number, which correlates to the percentage chance that the email message is spam. As we all know though, sometimes messages that are perfectly legitimate have some of the same characteristics as spam, and oftentimes these email messages are incorrectly rejected.

To help with these types of situations, Microsoft has created a mechanism for reducing false positives called puzzle validation. Puzzle validation only works when the sender is using Exchange Server 2007 and Outlook 2007. Assuming that the sender meets these criteria, Microsoft Outlook will digitally postmark each message that is sent. The digital postmark is essentially a hash based on the sender's identity.

When an Edge Transport server receives an email message, it checks to see if the message contains a digital postmark. If the message does contain such a postmark, the server creates its own hash based on the sender information contained in the email message.

If the number that is derived through this computation matches the contents of the digital postmark, the message is less likely to be spam. The Edge Transport server then lowers the message's SCL level accordingly.

If an inbound message does not contain a digital postmark, or if the message contains an invalid digital postmark, the message is not automatically classified as spam. Instead, the SCL that had already been calculated for the message continues to be in effect.

You can enable puzzle validation by opening the Exchange Management Shell on the Edge Transport server and execute the following command:

Set-ContentFilterConfig[-OutlookEmailPostmarkValidationEnabled $True

If you should decide later on that you want to disable puzzle validation, you can do so by entering this command:

Set-ContentFilterConfig[-OutlookEmailPostmarkValidationEnabled $False

Attachment filtering

Most of the filtering capabilities I have talked about so far can be found in just about any antispam product. One feature that helps to set an Edge Transport server apart from some of the other antispam products available is attachment filtering.

Since just about everybody uses antispam filters, some spammers choose to place their messages in documents that are attached to an email so that the message will be more likely to pass through the spam filter. At best, these types of messages are annoying, but they often also contain offensive and malicious content.

Since you probably don't want these types of messages reaching your end users, you can configure your Edge Transport server to scan email attachments -- not just the messages themselves -- and remove unwanted content.

Attachment filtering can be applied to both inbound and outbound email messages. One of the primary techniques for filtering inbound messages involves blocking file extensions for which you know that nobody in the organization has any legitimate business need.

At the very least, you should block executable files (.EXE, .BAT, .COM, .PIF, etc.) as a way of helping to keep viruses out of your organization. Keep in mind though that blocking executable files does not completely guarantee that no viruses will find their way into your organization.

It is still very common for legitimate looking messages to contain links to malicious files rather than including the file as an attachment. Such messages are harmless unless a user decides to click on the link. Fortunately, Microsoft Outlook contains some mechanisms to prevent users from accidentally executing malicious code from a link found in email.

Blocking unused file types and specific filenames

Blocking executable files is just the beginning of what you can do though. You can also block unused file types. For example, if you know that nobody in your organization uses Microsoft Excel, then you could block .xls files.

Although blocking certain file extensions certainly has its place, you also have the option of blocking specific files. For example, suppose that the latest email virus is a message with an attachment named virus.exe. You could actually configure Exchange Server to block any file named virus.exe.

I have talked a lot about preventing unwanted content from reaching your mailbox server, but remember that you can also use attachment filtering to block outbound message attachments.

At the very least, I would recommend configuring Exchange Server to prevent executable files from being emailed to the outside world. Although I'm sure that you probably take the appropriate precautions to prevent viruses, even the most cautious organizations can inadvertently become infected with viruses.

If an infection does occur, you don't want a virus to email itself to all of your company's clients. Not only could you potentially infect your clients, it might make your clients think twice about doing business with you if you send them viruses.

Attachment filtering is also good for making sure that confidential documents are not leaked to the outside world. For example, if you had a super secret document named Evil_Plan_for_World_Domination.doc, you could prevent someone from emailing the document to the outside world (accidentally or on purpose) by blocking the document's filename. The filter won't help you if someone renames the document prior to sending it though.

In order to implement attachment filtering, you need to make three basic decisions:

  • Which filename or file extension you want to block
  • If the block should apply to inbound email, outbound email, or both
  • What will happen when the Edge Transport server finds an email message with an attachment that has been blocked

You have three options for dealing with blocked attachments:

  1. Reject the message: Doing so will prevent delivery to the intended recipient and will issue a non-delivery report (NDR) to the sender.

  2. Strip the attachment from the email message:The offending attachment will be removed and replaced by a notification telling the recipient that an attachment has been removed. The nice thing about using this option is that if a message contains multiple attachments, then any email attachments that have not been blocked will still be available to the recipient.

  3. Silent delete: This option deletes the email message just like the reject option does. The difference is that the silent delete option does not produce non-delivery reports.

Checking the filter status of a filename or file extension

There are a handful of different Exchange Management Shell commands that are used to filtering email attachments. In the commands below, filename.ext is a generic representation of the filename of your choice.

  1. Check the status of a file or file extension to see if it is currently being blocked:

    Get-AttachmentFilterEntry filename.ext

  2. Block a particular filename:

    Add-AttachmentFilterEntry –name filename.ext –Type FileName

  3. Remove a block on a filename:

    Remove-AttachmentFilterEntry –Identity Filename:filename.ext

  4. If you want to work with an extension as opposed to a specific filename, leave the Type setting set to filename, but enter the extension as a wildcard. For example, if you wanted to block .exe files, you could use the following command:

    Remove-AttachmentFilterEntry –Identity Filename:*.exe

  5. You can perform a reject, strip, or silent delete on blocked files or file types using the Set-AttachmentListConfig command and then specifying the desired action. If you set the action to Reject, you also have the option of specifying the contents of the non-delivery report, as shown below:

    SetAttachmentFilterListConfig –Action Reject –RejectResponse "This attachment is not allowed"

When inbound email messages are rejected

When an email message is rejected by an Edge Transport server, it does not simply fall into some email black hole. Instead, Exchange Server embeds a rejection message into the SMTP non-delivery report (NDR). The default rejection message simply states: "Message Rejected Due to Content Restriction."

What you might not realize though, is that you can customize this message to meet your needs. The only real restriction is that your message can not exceed 240 characters in length. The command for customizing the rejection message through the Exchange Management Shell is:

Set-ContentFilterConfig –RejectionResponse "I don't want your spam. Stop bothering me."

Note that the actual message text must be enclosed in quotation marks.


 Home: Introduction
 Step 1: How an Edge Transport server works
 Step 2: Install the Edge Transport server
 Step 3: Create an Edge Subscription
 Step 4: Replicate Active Directory data to the Edge Transport server
 Step 5: Verify communication with the Hub Transport server
 Step 6: Configure Edge Transport server email filtering agents
 Step 7: Set up Edge Transport server advanced content-filtering features

Brien M. Posey, MCSE
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at

Dig Deeper on Exchange Server setup and troubleshooting