Exchange Edge Anti-Spam Agent

Install

& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Restart-Service MSExchangeTransport

Specify the internal SMTP servers in your organization

Set-TransportConfig -InternalSMTPServers @{Add="<ip address1>","<ip address2>"…}
Set-TransportConfig -InternalSMTPServers @{Add="10.0.1.10","10.0.1.11"}
Get-TransportConfig | Format-List InternalSMTPServers
Get-TransportAgent
Get-ContentFilterConfig | Format-Table Name,Enabled; Get-SenderFilterConfig | Format-Table Name,Enabled; Get-SenderIDConfig | Format-Table Name,Enabled; Get-SenderReputationConfig | Format-Table Name,Enabled

To see detailed information

Get-ContentFilterConfig | Format-List *Enabled,RejectionResponse,*Postmark*,Bypassed*,Quarantine*
Get-SenderFilterConfig | Format-List *Enabled,*Block*
Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*
Get-SenderReputationConfig | Format-List *Enabled*,*Proxy*,*Block*,*Ports*

Use the Exchange Management Shell to enable or disable content filtering

Set-ContentFilterConfig -Enabled $false
Set-ContentFilterConfig -Enabled $true
Get-ContentFilterConfig | Format-List Enabled

Use the Exchange Management Shell to enable or disable content filtering for external messages

Set-ContentFilterConfig -ExternalMailEnabled $false
Set-ContentFilterConfig -ExternalMailEnabled $true
Get-ContentFilterConfig | Format-List ExternalMailEnabled

Use the Exchange Management Shell to enable or disable content filtering for internal messages

Set-ContentFilterConfig -InternalMailEnabled $true
Set-ContentFilterConfig -InternalMailEnabled $false
Get-ContentFilterConfig | Format-List InternalMailEnabled

Use the Exchange Management Shell to configure recipient and sender exceptions for content filtering

Set-ContentFilterConfig -BypassedRecipients <recipient1,recipient2…> -BypassedSenders <sender1,sender2…> -BypassedSenderDomains <domain1,domain2…>

This example configures the following exceptions in content filtering:
The recipients laura@contoso.com and julia@contoso.com aren’t checked by content filtering.
The senders steve@fabrikam.com and cindy@fabrikam.com aren’t checked by content filtering.
All senders in the domain nwtraders.com and all subdomains aren’t checked by content filtering.

Set-ContentFilterConfig -BypassedRecipients laura@contoso.com,julia@contoso.com -BypassedSenders steve@fabrikam.com,cindy@fabrikam.com -BypassedSenderDomains *.nwtraders.com

To add or remove entries without modifying other existing values, use the following syntax:

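Set-ContentFilterConfig -BypassedRecipients @{Add="<recipient1>","<recipient2>"…; Remove="<recipient1>","<recipient2>"…} -BypassedSenders @{Add="<sender1>","<sender2>"…; Remove="<sender1>","<sender2>"…} -BypassedSenderDomains @{Add="<domain1>","<domain2>"…; Remove="<domain1>","<domain2>"…}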

This example configures the following exceptions in content filtering:
Add tiffany@contoso.com and chris@contoso.com to the list of existing recipients who aren’t checked by content filtering.
Add joe@fabrikam.com and michelle@fabrikam.com to the list of existing senders who aren’t checked by content filtering.
Add blueyonderairlines.com to the list of existing domains whose senders aren’t checked by content filtering.
Remove the domain woodgrovebank.com and all subdomains from the list of existing domains whose senders aren’t checked by content filtering.

Set-ContentFilterConfig -BypassedRecipients @{Add="tiffany@contoso.com","chris@contoso.com"} -BypassedSenders @{Add="joe@fabrikam.com","michelle@fabrikam.com"} -BypassedSenderDomains @{Add="blueyonderairlines.com"; Remove="*.woodgrovebank.com"}
Get-ContentFilterConfig | Format-List Bypassed*

Use the Exchange Management Shell to configure allowed and blocked phrases for content filtering
To add allowed and blocked words and phrases, use the following syntax:

Add-ContentFilterPhrase -Influence <GoodWord | BadWord> -Phrase "<Phrase>"

This example allows all messages that contain the phrase “customer feedback”.

Add-ContentFilterPhrase -Influence GoodWord -Phrase "customer feedback"

This example blocks all messages that contain the phrase “stock tip”.

Add-ContentFilterPhrase -Influence BadWord -Phrase "stock tip"

To remove allowed or blocked phrases, use the following syntax:

Remove-ContentFilterPhrase -Phrase "<Phrase>"

This example removes the phrase “stock tip”:

Remove-ContentFilterPhrase -Phrase "stock tip"
Get-ContentFilterPhrase | Format-Table -Auto Influence,Phrase

Use the Exchange Management Shell to configure SCL thresholds for content filtering
To configure the spam confidence level (SCL) thresholds and actions, use the following syntax:

Set-ContentFilterConfig -SCLDeleteEnabled <$true | $false> -SCLDeleteThreshold <Value> -SCLRejectEnabled <$true | $false> -SCLRejectThreshold <Value> -SCLQuarantineEnabled <$true | $false> -SCLQuarantineThreshold <Value>

Notes:
The Delete action takes precedence over the Reject action, and the Reject action takes precedence over the Quarantine action. Therefore, the SCL threshold for the Delete action should be greater than the SCL threshold for the Reject action, which in turn should be greater than the SCL threshold for the Quarantine action. Only the Reject action is enabled by default, and it has the SCL threshold value 7.
The Quarantine action requires a spam quarantine mailbox. For more information, see Configure a spam quarantine mailbox.

This example configures the following values for the SCL thresholds:
The Delete action is enabled and the corresponding SCL threshold is set to 9.
The Reject action is enabled and the corresponding SCL threshold is set to 8.
The Quarantine action is enabled and the corresponding SCL threshold is set to 7.

Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 -SCLRejectEnabled $true -SCLRejectThreshold 8 -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7
Get-ContentFilterConfig | Format-List SCL*
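
The precedence rule in the notes above can be checked against a configuration before it goes live. This is an added example, not part of the original page or of Exchange itself; the function name Test-SclThresholdOrder and the two sample objects are hypothetical, and it assumes only the SCL* and QuarantineMailbox properties of the Get-ContentFilterConfig output.

```powershell
function Test-SclThresholdOrder {
    # Hypothetical helper: accepts Get-ContentFilterConfig output or a look-alike object.
    param([Parameter(Mandatory, ValueFromPipeline)] $Config)
    process {
        $findings = @()
        $floor = $null        # lowest threshold among higher-precedence enabled actions
        $floorAction = $null
        # Walk the actions in precedence order: Delete, then Reject, then Quarantine.
        foreach ($name in 'Delete', 'Reject', 'Quarantine') {
            if (-not $Config."SCL${name}Enabled") { continue }
            $threshold = [int]$Config."SCL${name}Threshold"
            # A lower-precedence action at or above an earlier threshold can never run,
            # because the earlier action already claims every message at that SCL.
            if ($null -ne $floor -and $threshold -ge $floor) {
                $findings += "$name (SCL $threshold) is shadowed by $floorAction (SCL $floor) and will never run."
            }
            if ($null -eq $floor -or $threshold -lt $floor) {
                $floor = $threshold
                $floorAction = $name
            }
        }
        # The Quarantine action requires a spam quarantine mailbox.
        if ($Config.SCLQuarantineEnabled -and -not $Config.QuarantineMailbox) {
            $findings += 'Quarantine is enabled but no spam quarantine mailbox is configured.'
        }
        [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings }
    }
}

# Constructed sample objects standing in for Get-ContentFilterConfig output.
$good = [pscustomobject]@{
    SCLDeleteEnabled = $true; SCLDeleteThreshold = 9
    SCLRejectEnabled = $true; SCLRejectThreshold = 8
    SCLQuarantineEnabled = $true; SCLQuarantineThreshold = 7
    QuarantineMailbox = 'spamquarantine@contoso.com'
}
$bad = [pscustomobject]@{
    SCLDeleteEnabled = $true; SCLDeleteThreshold = 7
    SCLRejectEnabled = $true; SCLRejectThreshold = 8
    SCLQuarantineEnabled = $true; SCLQuarantineThreshold = 7
    QuarantineMailbox = $null
}
$good, $bad | Test-SclThresholdOrder | Format-List

# On an Edge Transport server: Get-ContentFilterConfig | Test-SclThresholdOrder
```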

Use the Exchange Management Shell to configure the rejection response for content filtering
When the Reject action is enabled, you can customize the rejection response that’s sent to the message sender. The rejection response can’t exceed 240 characters.
To configure a custom rejection response, use the following syntax:

Set-ContentFilterConfig -RejectionResponse "<Custom Text>"

This example configures the Content Filter agent to send a customized rejection response.

Set-ContentFilterConfig -RejectionResponse "Your message was rejected because it appears to be SPAM."
Get-ContentFilterConfig | Format-List *Reject*

Use the Exchange Management Shell to enable or disable Outlook Email Postmarking
Outlook Email Postmarking validation is a computational proof that Microsoft Outlook applies to outgoing messages to help messaging systems distinguish legitimate email from junk email (reduce false positives). Postmarking was first introduced in Outlook 2007, and is enabled in Outlook by default.
To disable Outlook Email Postmarking, run the following command:

Set-ContentFilterConfig -OutlookEmailPostmarkValidationEnabled $false

To enable Outlook Email Postmarking, run the following command:

Set-ContentFilterConfig -OutlookEmailPostmarkValidationEnabled $true
Get-ContentFilterConfig | Format-List OutlookEmailPostmarkValidationEnabled

Use the Exchange Management Shell to enable or disable sender reputation
To disable sender reputation, run the following command:

Set-SenderReputationConfig -Enabled $false

To enable sender reputation, run the following command:

Set-SenderReputationConfig -Enabled $true
Get-SenderReputationConfig | Format-List Enabled

Use the Exchange Management Shell to enable or disable sender reputation for external messages
By default, sender reputation is enabled for external messages (messages from external sources).
To disable sender reputation for external messages, run the following command:

Set-SenderReputationConfig -ExternalMailEnabled $false

To enable sender reputation for external messages, run the following command:

Set-SenderReputationConfig -ExternalMailEnabled $true
Get-SenderReputationConfig | Format-List ExternalMailEnabled

Use the Exchange Management Shell to enable or disable sender reputation for internal messages
To enable sender reputation for internal messages, run the following command:

Set-SenderReputationConfig -InternalMailEnabled $true



To disable sender reputation for internal messages, run the following command:

Set-SenderReputationConfig -InternalMailEnabled $false
Get-SenderReputationConfig | Format-List InternalMailEnabled

Use the Exchange Management Shell to configure sender blocking in sender reputation

Set-SenderReputationConfig -SenderBlockingEnabled <$true | $false> -SrlBlockThreshold <0 - 9> [-SenderBlockingPeriod <0 - 48>]
Set-SenderReputationConfig -SrlBlockThreshold 6 -SenderBlockingPeriod 36

This example disables sender blocking.

Set-SenderReputationConfig -SenderBlockingEnabled $false

Notes:
The default value of the SenderBlockingEnabled parameter is $true.
The default value of the SenderBlockingPeriod parameter is 24.
The default value of the SrlBlockThreshold parameter is 7.
You can’t disable sender blocking and open proxy server detection at the same time. One must be enabled when the other is disabled, or they both can be enabled.

Get-SenderReputationConfig | Format-List *block*

Use the Exchange Management Shell to configure open proxy server detection in sender reputation
By default, sender reputation uses open proxy server detection as one of the criteria to calculate the SRL of the source server. In open proxy server detection, the Exchange server tries to send a test message from the source messaging server. If the test message is successfully delivered back to the Exchange server, it indicates the source server is configured as an open proxy server (intentionally or unintentionally).

Open proxy server detection uses the protocols and TCP ports that are described in the following table, so these outbound ports need to be open in your firewall:
Protocols | Ports
SOCKS4, SOCKS5 | 1081, 1080
Wingate, Telnet, Cisco | 23
HTTP CONNECT, HTTP POST | 6588, 3128, 80

Also, if your organization uses a proxy server to control outbound Internet traffic, you need to configure sender reputation to use your proxy server to access the Internet. Specifically, you need to define the proxy server name, type, and TCP port that sender reputation requires to access the Internet.

To configure open proxy server detection in sender reputation, use the following syntax:

Set-SenderReputationConfig -OpenProxyDetectionEnabled <$true | $false> [-ProxyServerName <String> -ProxyServerPort <Port> -ProxyServerType <Cisco | HttpConnect | HttpPost | None | Socks4 | Socks5 | Telnet | Wingate>]

This example configures sender reputation to connect to the Internet through the proxy server named SERVER01 that uses the HTTP CONNECT protocol on port 80.

Set-SenderReputationConfig -ProxyServerName SERVER01 -ProxyServerPort 80 -ProxyServerType HttpConnect

This example disables open proxy server detection in sender reputation.

Set-SenderReputationConfig -OpenProxyDetectionEnabled $false

Notes:
The default value of the OpenProxyDetectionEnabled parameter is $true.
The default value of the ProxyServerName parameter is blank ($null).
The default value of the ProxyServerPort parameter is 0.
The default value of the ProxyServerType parameter is None.
You can’t disable open proxy server detection and sender blocking at the same time. One must be enabled when the other is disabled, or they both can be enabled.

How do you know this worked?

To verify that you have successfully configured open proxy server detection in sender reputation, run the following command to verify the property values:

Get-SenderReputationConfig | Format-List *proxy*
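
To review sender reputation settings in one pass, the defaults and constraints from the two Notes lists above can be turned into a drift report. This is an added example, not part of the original page; the function name Get-SenderReputationDrift and the sample object are hypothetical, and the defaults are the ones listed on this page.

```powershell
function Get-SenderReputationDrift {
    # Hypothetical helper: accepts Get-SenderReputationConfig output or a look-alike object.
    param([Parameter(Mandatory, ValueFromPipeline)] $Config)
    begin {
        # Defaults as listed in the Notes on this page.
        $defaults = [ordered]@{
            SenderBlockingEnabled     = $true
            SenderBlockingPeriod      = 24
            SrlBlockThreshold         = 7
            OpenProxyDetectionEnabled = $true
            ProxyServerName           = $null
            ProxyServerPort           = 0
            ProxyServerType           = 'None'
        }
    }
    process {
        foreach ($key in $defaults.Keys) {
            # Compare as strings so enum, Boolean and null values line up.
            $default = "$($defaults[$key])"
            $current = "$($Config.$key)"
            if ($current -ne $default) {
                [pscustomobject]@{ Property = $key; Default = $default; Current = $current; Note = 'differs from default' }
            }
        }
        # Sender blocking and open proxy detection cannot both be disabled.
        if (-not $Config.SenderBlockingEnabled -and -not $Config.OpenProxyDetectionEnabled) {
            [pscustomobject]@{ Property = 'SenderBlockingEnabled, OpenProxyDetectionEnabled'
                Default = 'True, True'; Current = 'False, False'; Note = 'both disabled: not a valid combination' }
        }
        # A proxy type without a server name or port is an incomplete proxy definition.
        $typeSet = "$($Config.ProxyServerType)" -ne 'None'
        if ($typeSet -and ((-not $Config.ProxyServerName) -or ([int]$Config.ProxyServerPort -eq 0))) {
            [pscustomobject]@{ Property = 'ProxyServerName, ProxyServerPort'
                Default = ''; Current = "$($Config.ProxyServerName), $($Config.ProxyServerPort)"
                Note = 'proxy type is set but name or port is missing' }
        }
    }
}

# Constructed sample standing in for Get-SenderReputationConfig output.
$sample = [pscustomobject]@{
    SenderBlockingEnabled = $true; SenderBlockingPeriod = 36; SrlBlockThreshold = 6
    OpenProxyDetectionEnabled = $true
    ProxyServerName = $null; ProxyServerPort = 80; ProxyServerType = 'HttpConnect'
}
$sample | Get-SenderReputationDrift | Format-Table -AutoSize

# On an Edge Transport server: Get-SenderReputationConfig | Get-SenderReputationDrift
```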

Use the Exchange Management Shell to enable or disable attachment filtering
When you enable or disable the Attachment Filtering agent, the change takes effect after you restart the Microsoft Exchange Transport service. When you restart the Microsoft Exchange Transport service on an Edge Transport server, mail flow on the server is temporarily interrupted.

To disable attachment filtering, run the following command:

Disable-TransportAgent "Attachment Filtering Agent"

To enable attachment filtering, run the following command:

Enable-TransportAgent "Attachment Filtering Agent"

After you enable or disable attachment filtering, restart the Microsoft Exchange Transport service by running the following command:

Restart-Service MSExchangeTransport

How do you know this worked?
To verify that you successfully enabled or disabled attachment filtering, run the following command to verify the Enabled property value:

Get-TransportAgent "Attachment Filtering Agent"

Use the Exchange Management Shell to view and find attachment filtering entries
Attachment filtering entries define the message attachments that you want to keep out of your organization. To view the attachment filtering entries that are used by the Attachment Filtering agent, run the following command:

Get-AttachmentFilterEntry | Format-Table -Auto Type,Name

To find a specific MIME content type entry, use the following syntax:

Get-AttachmentFilterEntry ContentType:<ContentType>

For example, to see if there’s a MIME content type entry for JPEG images, run the following command:

Get-AttachmentFilterEntry ContentType:image/jpeg

If you receive the error, Couldn’t find the specified identity., then the MIME content type isn’t defined in the attachment filtering entries.

To view a specific file name or file name extension entry, use the following syntax:

Get-AttachmentFilterEntry FileName:<FileName or FileNameExtension>

For example, to see if there’s a file name extension entry for JPEG attachments, run the following command:

Get-AttachmentFilterEntry FileName:*.jpg

If you receive the error, Couldn’t find the specified identity., then the file name or file name extension isn’t defined in the attachment filtering entries.

Use the Exchange Management Shell to remove attachment filtering entries

To remove an attachment filtering entry that filters attachments by MIME content type, use the following syntax:

Remove-AttachmentFilterEntry ContentType:<ContentType>

The following example removes the MIME content type entry for JPEG images.

Remove-AttachmentFilterEntry ContentType:image/jpeg

To remove an attachment filtering entry that filters attachments by file name or file name extension, use the following syntax:

Remove-AttachmentFilterEntry FileName:<FileName or FileNameExtension>

The following example removes the file name entry for the .jpg file name extension.

Remove-AttachmentFilterEntry FileName:*.jpg

How do you know this worked?
To verify that you successfully removed an attachment filtering entry, send a test message that contains the allowed attachment from an external mailbox to an internal recipient, and verify that the message was successfully delivered with the attachment.

Use the Exchange Management Shell to view the attachment filtering action

To view the attachment filtering action that’s used when a prohibited attachment is detected in a message, run the following command:

Get-AttachmentFilterListConfig | Format-List Action,AdminMessage,RejectResponse,ExceptionConnectors

Use the Exchange Management Shell to configure the attachment filtering action

To configure the attachment filtering action that’s used when a prohibited attachment is detected in a message, use the following syntax:

Set-AttachmentFilterListConfig [-Action <Reject | Strip | SilentDelete>] [-RejectResponse "<Custom Text>"] [-AdminMessage "<Custom Text>"] [-ExceptionConnectors <ConnectorGUID>]

This example makes the following changes to the attachment filtering configuration:
Reject (block) messages that have prohibited attachments. Note that you can’t specify different actions for different types of attachments.
Use a custom response for rejected messages.

Set-AttachmentFilterListConfig -Action Reject -RejectResponse "This message contains a prohibited attachment. Your message can't be delivered. Please resend the message without the attachment."

For more information, see Set-AttachmentFilterListConfig.

How do you know this worked?

To verify that you successfully configured the attachment filtering action, send a test message that contains a prohibited attachment from an external mailbox to an internal recipient and verify that the message and the attachment are processed as you expect.

Change tarpit interval

Set-ReceiveConnector "Receive Connector Name" -TarpitInterval 00:00:10

Disable SMTP tarpit

Set-ReceiveConnector "Receive Connector Name" -TarpitInterval 00:00:00
