Keyword filtering helps you identify unwanted e-mail messages by analyzing the contents of the message body as it is being delivered by the transport scan. (Keyword filtering is only available for transport scanning.) By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences.

For maximum flexibility, you can create your own lists of keywords for which to scan.

To create a new keyword list

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and then under the Filters section, click Filter Lists.

  2. In the Filters – Filter Lists pane, click the Create button.

  3. In the Select Filter Type dialog box, select Keyword and then click Next.

  4. In the Filter Details dialog box, specify the filter list name and filter details:

    1. In the Filter list name box, type a name for the new list.

    2. In the Filter criteria box, type a word or phrase to be included in the filter list, and then click Add. You can repeat this step in order to add multiple words or phrases, or you can add multiple words or phrases on the same line, separated by a comma. There is no limit to the amount of items that you can include in the list.

      Note:
      You can edit items in a keyword filter list by double-clicking the item, editing the item, and then pressing ENTER. You can delete items from a keyword filter list by selecting the item and then clicking Remove. You can also import items into a keyword filter list (for more information, see Importing items into a filter list), including sample keyword lists (for more information, see Using example keyword lists), and export items from a keyword filter list (for more information, see Exporting items from a filter list). For more information about syntax rules, see About keyword filter list syntax rules.
    3. Indicate the Minimum unique keyword hits. This setting enables you to specify how many unique keywords must be matched for the action to be taken. The default is one (1). For example, you have set the minimum unique keyword hits value to 3. The word "wonderful", which is in the list, appears three times in the message. However, no other keyword in the list appears at all. The keyword filter has not been matched, because only one keyword in the list was matched when a minimum of three are required.

    4. Click Next.

  5. In the Target dialog box, configure how you want the filter list to be applied to the Hub/Edge Transport Scan:

    1. To enable the filter list for use with the transport scan job, using the Enabled drop-down list, select Yes.

    2. To configure the action that FPE should take when a keyword filter is matched, using the Action drop-down list, select Skip detect, Purge, Identify in subject line (the default), Identify in message header, or Identify in subject line and message header. For more information about these options, see Configuring the action when a filter is matched.

    3. To configure FPE to quarantine messages and attachments when the filter is matched, using the Quarantine files drop-down list, select Yes. Quarantining for filters is enabled by default. Enabling quarantining causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

    4. To configure notifications when the filter is matched, using the Notifications drop-down list, you can select Never send notifications to prevent the sending of the Keyword filter matched notification, even if it is enabled. Otherwise, FPE uses the configured Keyword filter matched notification settings; Use notification settings is the default.

    5. You can perform keyword filtering on inbound, outbound, and internal mail by selecting their respective check boxes under Apply the filter list to these message types. By default, these settings are enabled.

      If you want to configure FPE to scan all inbound e-mail messages, ensure that the Inbound check box is selected. A message is designated as inbound if it originated from or relayed through an external server.

      If you want to configure FPE to scan all outbound e-mail messages, ensure that the Outbound check box is selected. A message is designated as outbound if at least one recipient has an external address.

      If you want to configure FPE to scan all internal e-mail messages, ensure that the Internal check box is selected. A message is designated as internal if it originates from inside your domain and all the recipients are located inside your domain.

      For more information about configuring internal and external (inbound) addresses in FPE, see Identifying external and internal addresses.

      Note:
      You can globally configure all keyword filters for inbound and outbound mail; for more information, see Globally configuring keyword filter lists for inbound and outbound mail. All inbound and outbound filtering settings are enabled by default. If you disable the global inbound or outbound setting, then the specified message direction is disabled for all keyword filter lists. If the global setting is enabled, but you disable the inbound or outbound setting for the specific filter, then the message direction is disabled only for that filter list. This feature is useful because it enables you to target a specific message direction (the one that is not disabled) for testing purposes for individual filter lists.
    6. Click Create.

      The filter list you just created appears on the Filters – Filter Lists pane.

  6. Click Save.

For more information about viewing and managing this filter list and others, see Viewing and managing filter lists.

Related Topics