Exchange 2007 AntiSpam / Content Filtering

Mark

Mar 6, 2010, 8:02:59 PM
We have a user who is getting a LOT of SPAM. Many of these contain the word
"Viagra". I went into Exchange Management Console - Organization
Configuration - Hub Transport - Anti-Spam - Content Filtering - Custom
Words, and added Viagra (and other forms of the word) to the "blocked"
section. This did not stop the "viagra" messages. Is there something that I
am missing here? I even tried rebooting the server but still get the SPAM.

Thanks.

Horst Lange

Mar 7, 2010, 3:46:05 AM

Hi Mark,
you had defined an action to delete, deny or isolate the bad mail (mind
the SCL level). To check successful detection, you can isolate all
bad mail to a mail address / account to analyse it.

Check the sender of the mail. Maybe the sender uses addresses of your own
(Viagra <your...@yourdomain.tld>). Your own addresses you trust :-(
That was the moment I stopped adding all the words in antispam...

You write that you added other forms of the word. That has to be very many
variations, because l could be L / | / 1 and so on, and some spaces will be
added, V could be \/..., m (nn), w (vv) and so on....

...you know the story of "Hare and Tortoise" ;-)

HTH

Horst
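
Added example, not part of the thread and not how the Exchange content filter works: a Python sketch comparing a literal custom-word match with one that first folds the look-alikes listed in the post above (spaces, \/ for V, nn for m, vv for w, | and 1 for l). The function names and the subject lines are constructed for illustration.

```python
import re

# Multi-character look-alikes from the post, folded before single characters
# so that "\/" is rewritten as a unit.
MULTI = (("\\/", "v"), ("nn", "m"), ("vv", "w"))
SINGLE = str.maketrans({"|": "l", "1": "l"})

def normalize(text):
    """Fold the post's look-alikes, then drop everything but letters and digits."""
    t = text.lower()
    for seq, repl in MULTI:
        t = t.replace(seq, repl)
    t = t.translate(SINGLE)
    return re.sub(r"[^a-z0-9]", "", t)

def literal_hit(text, blocked):
    """Case-insensitive substring match on the raw text."""
    low = text.lower()
    return any(w.lower() in low for w in blocked)

def normalized_hit(text, blocked):
    """Substring match after both sides go through normalize()."""
    n = normalize(text)
    return any(normalize(w) in n for w in blocked)

BLOCKED = ["viagra"]

# Constructed subject lines (not taken from real mail).
SAMPLES = [
    "Cheap Viagra today",
    "Cheap V i a g r a today",
    "Cheap \\/iagra today",
    "Parcel shipped via Grand Rapids",
]

def compare(samples=SAMPLES, blocked=BLOCKED):
    """Return (subject, literal match, normalized match) for each sample."""
    return [(s, literal_hit(s, blocked), normalized_hit(s, blocked)) for s in samples]

if __name__ == "__main__":
    for subject, lit, norm in compare():
        print(f"literal={lit!s:5} normalized={norm!s:5} {subject}")
```

The last sample is legitimate mail that matches only once the space is removed ("via Gra..."), so every extra folding rule catches more variants at the price of more false positives.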

S Macneill

Mar 8, 2010, 3:40:17 AM

You can check if the message is actually being checked by the content
filter by querying the logs from the Exchange Management Shell:

Get-AgentLog -StartDate "6/3/2010 00:01" -EndDate "6/3/2010 23:59" |
where {$_.Agent -eq "Content Filter Agent" -and $_.Recipients -like "<YOUR-USER-EMAIL>"} |
FL Timestamp,P1FromAddress,P2FromAddresses,Action,ReasonData

Replace <YOUR-USER-EMAIL> with the mail address of your user. The
date format depends on your server settings - if you know when a
message was delivered you ought to be able to return a manageable
result set. Or filter on the message ID if you know it.

The ReasonData field should either show you an SCL score or a message
stating that the filtering was bypassed.

HTH

Stewart
