Content Filters Test

Content filtering provides another tool to help manage the flow of messages entering and exiting your business's mail stream. Content filtering enables you to filter messages by using a variety of filtering tools. These include:

  • Sender-domains filtering (for Realtime and Manual scan jobs): Sender-domains filtering enables you to filter messages from particular senders or domains.
  • Subject line filtering (for Realtime and Manual scan jobs): Subject line filtering enables you to filter messages based on the content of the subject line of the message.
  • Filter set templates (simplify the creation and management of file and content filters on all scan jobs): Filter set templates can be created for use with any Forefront Security for Exchange Server scan job. A single filter set template can be associated with any or all of the scan jobs and administrators can also create multiple filter set templates for use on different servers or different scan jobs.

The Content Filter agent is the last filter to scan inbound messages. While doing so, the Content Filter agent uses Microsoft SmartScreen technology to assess the contents of the messages and to assign a spam confidence level (SCL) rating to each message. By comparing the SCL threshold configuration with the assigned SCL rating, the content filter feature takes a specific action on a specific message, such as rejecting a message or deleting a message. 

This test monitors the operations of the Content Filtering agent, reports the count of messages that have been assigned various SCL ratings, and also reveals the action the filter has taken on the messages.
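The threshold comparison described above can be modelled offline against this test's measures. The following is an added example, not code from the product or the monitoring tool; it assumes the documented Exchange behaviour that an action fires when the SCL rating is equal to or higher than its threshold and that the harshest enabled action wins. The class, function and field names are hypothetical, and the counts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SclThresholds:
    """Illustrative model of the three SCL thresholds; None = action disabled."""
    delete: Optional[int] = None
    reject: Optional[int] = None
    quarantine: Optional[int] = None

    def validate(self) -> None:
        enabled = [t for t in (self.quarantine, self.reject, self.delete) if t is not None]
        if any(not 0 <= t <= 9 for t in enabled):
            raise ValueError("SCL thresholds must be between 0 and 9")
        # A milder action set at or above a harsher one can never fire.
        if any(low >= high for low, high in zip(enabled, enabled[1:])):
            raise ValueError("need quarantine < reject < delete")

def action_for(scl: int, th: SclThresholds) -> str:
    """Harshest enabled action whose threshold the rating meets or exceeds."""
    for name in ("delete", "reject", "quarantine"):
        limit = getattr(th, name)
        if limit is not None and scl >= limit:
            return name
    return "deliver"

def expected_actions(scl_counts: dict, th: SclThresholds) -> dict:
    """Turn per-SCL message counts into the action counts the thresholds imply."""
    th.validate()
    totals = {"deliver": 0, "quarantine": 0, "reject": 0, "delete": 0}
    for scl, count in scl_counts.items():
        totals[action_for(scl, th)] += count
    return totals

def reconcile(scl_counts: dict, th: SclThresholds, reported: dict) -> dict:
    """Measures whose reported value differs: {measure: (expected, reported)}."""
    expected = expected_actions(scl_counts, th)
    return {m: (expected[m], reported.get(m, 0))
            for m in ("quarantine", "reject", "delete")
            if expected[m] != reported.get(m, 0)}

# Constructed sample: one period's "Messages at Spam Control Level N" values.
SAMPLE_COUNTS = {0: 120, 1: 30, 2: 10, 3: 5, 4: 4, 5: 6, 6: 8, 7: 7, 8: 3, 9: 12}
SAMPLE_THRESHOLDS = SclThresholds(delete=9, reject=7, quarantine=6)
# Constructed "Messages quarantined / rejected / deleted" values, same period.
SAMPLE_REPORTED = {"quarantine": 8, "reject": 10, "delete": 0}

if __name__ == "__main__":
    print(expected_actions(SAMPLE_COUNTS, SAMPLE_THRESHOLDS))
    print(reconcile(SAMPLE_COUNTS, SAMPLE_THRESHOLDS, SAMPLE_REPORTED))
```

A non-empty result from `reconcile` is a prompt to compare the configured thresholds with what the agent is actually doing, not proof of a fault.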

Target of the test : A server configured with the Edge Transport role

Agent deploying the test : An internal agent

Outputs of the test : One set of results for the Edge Transport server being monitored.

Configurable parameters for the test
Parameters Description

Test Period

How often the test should be executed.

Host

Indicates the IP address of the Edge Transport server.

Port

The port number of the Edge Transport server. By default, this is 50389.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Messages at Spam Control Level 0

Indicates the number of messages that were assigned a spam confidence level (SCL) rating of 0 during the last measurement period.

Number

Messages with an SCL rating of 0 are considered less likely to be spam.

Messages at Spam Control Level 1

Indicates the number of messages assigned a spam confidence level (SCL) rating of 1 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 2

Indicates the number of messages assigned a spam confidence level (SCL) rating of 2 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 3

Indicates the number of messages assigned a spam confidence level (SCL) rating of 3 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 4

Indicates the number of messages assigned a spam confidence level (SCL) rating of 4 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 5

Indicates the number of messages assigned a spam confidence level (SCL) rating of 5 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 6

Indicates the number of messages assigned a spam confidence level (SCL) rating of 6 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 7

Indicates the number of messages assigned a spam confidence level (SCL) rating of 7 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 8

Indicates the number of messages assigned a spam confidence level (SCL) rating of 8 during the last measurement period.

Number

The higher the SCL rating, the greater the likelihood that the message is spam.

Messages at Spam Control Level 9

Indicates the number of messages assigned a spam confidence level (SCL) rating of 9 during the last measurement period.

Number

Messages with an SCL rating of 9 are considered more likely to be spam.

Messages quarantined

Indicates the number of messages that were quarantined during the last measurement period.

Number

Quarantined messages are typically sent to the spam quarantine mailbox that you specified.

Messages scanned

Indicates the number of messages that were scanned for viruses during the last measurement period.

Number

 

Messages rejected

Indicates the number of messages that were rejected during the last measurement period.

Number

If the connection filter rejects a message, it sends an SMTP error response to the sending server.

Messages deleted

Indicates the number of messages that were deleted during the last measurement period.

Number

For deleted messages, the computer that has the Edge Transport server role installed sends a fake "OK" Simple Mail Transfer Protocol (SMTP) command to the sending server and then deletes the messages. Because the sending server assumes that the message was sent, it does not retry sending the message in the same session.

Messages with SCL unknown

Indicates the number of messages that could not be scanned by the filter during the last measurement period.

Number

Ideally, this value should be 0.

Messages that bypassed scanning

Indicates the number of messages that bypassed scanning during the last measurement period.

Number

Forefront Security for Exchange Server can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Forefront Security for Exchange Server performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0.
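The header-based type check described above, as an added example that is not Forefront's own code or signature list: it identifies an attachment by its leading bytes, decides whether it would be scanned or bypassed, and flags an extension that contradicts the header. The signature table, the `LOW_RISK` set, the function names and the `scan_all` flag (standing in for the ScanAllAttachments setting) are assumptions of this example.

```python
# Constructed signature table: leading bytes -> detected type.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),            # also .docx / .xlsx / .jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy .doc / .xls
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Assumption: types this example treats as unable to carry a virus.
LOW_RISK = {"png", "jpeg"}

# Extensions each detected type is normally seen with (constructed list).
EXPECTED_EXT = {
    "pe-executable": {"exe", "dll", "scr", "sys"},
    "elf-executable": {"", "so", "bin", "elf"},
    "zip-container": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole2-document": {"doc", "xls", "ppt", "msi"},
    "pdf": {"pdf"},
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
}

def sniff(data: bytes) -> str:
    """Identify the file type from its header bytes only."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(filename: str, data: bytes, scan_all: bool = False) -> dict:
    """Decide scan or bypass from the header; the extension is only cross-checked."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = kind != "unknown" and ext not in EXPECTED_EXT[kind]
    # Bypass only when the header says low-risk; unknown types are still scanned.
    scan = scan_all or kind not in LOW_RISK
    return {"type": kind, "scan": scan, "extension_mismatch": mismatch}

if __name__ == "__main__":
    # Constructed attachments: an executable header behind an image extension,
    # and a genuine PNG header.
    print(triage("invoice.jpg", b"MZ\x90\x00\x03\x00"))
    print(triage("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00"))
```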