Filtering Inbound and Outbound Content


Content filtering is a thorny problem in computer science; humans are much better at recognizing patterns than software is, so even though it's possible to construct filters that catch any arbitrary message, it's equally possible for a determined human to come up with an equivalent message that doesn't match. For proof, look at the ongoing war between spammers and antispam software: spammers continually change the subject lines and content of their messages in an attempt to outwit spam-blocking software that scans messages for the characteristics of spam.

Having said that, there are still many applications in which content filtering is useful. The most popular applications revolve around three primary elements: stopping "bad" content from coming into an organization's mail system, stopping it from going out, and removing (or at least flagging) any "bad" content already stored in the mailbox stores. I put "bad" in quotation marks because what one organization considers bad or harmful might be acceptable to another. Examples include the following:

  • Government agencies that want to block any messages with classification markings or sensitive keywords from leaving their internal mail systems. (Some agencies use automatic systems that sanitize outbound messages; do a Web search for RADIANT MERCURY to see one example.)

  • Corporations that want to stop inbound and outbound mail that violates their diversity, sexual harassment, or workplace-environment policies, which of course can vary across companies and, for multinational companies, across jurisdictions.

  • Organizations that want to prevent internal users from sending confidential or sensitive documents outside the organization (at least over e-mail).

Exchange Server 2003 itself doesn't include any content-filtering capabilities. That means that if you want to be able to filter mail as it arrives or departs, you have two choices: buy a commercial product, or implement your own filters using an event sink. The latter is outside the scope of this book, even though the OnArrival mechanism I mentioned earlier makes it fairly straightforward to get a peek at each inbound or outbound SMTP message. The problem with this approach is that you still have to write the code that does the matching, which is a nontrivial problem. For that reason, most sites that need content inspection end up with one of the several commercial content-filtering products.

These products offer a wide range of capabilities; in many cases, content filtering is integrated with antivirus or attachment-control functionality. Overall, when you're looking at commercial content management products you'll probably notice the following:

  • They can inspect inbound and outbound messages, flagging any that contain keywords you specify. Some products also allow messages to be flagged based on the number, kind, size, or type of attachments in the message, whether or not encryption is used, and so on.

  • Flagged messages can be blocked (with or without notification to the sender), copied to a mailbox or public folder, or silently deleted.

  • Messages with attachments can have the attachments removed, stored separately, or otherwise processed (one helpful application of filtering is to automatically compress outbound attachments so that they use less bandwidth).

    Tip  

    The key requirement for a useful content-filtering system is that you be able to tweak the keywords and patterns that it looks for, so that you decide what gets filtered. When you're considering products, be sure to find out how easy, or hard, it is to control the filtering criteria.

Some products, like Nemx PowerTools ( http://www.nemx.com ) and GFI MailEssentials ( http://www.gfi.com ), install on the Exchange server, effectively centralizing the blocking or monitoring functions on an SMTP bridgehead. Others, like the IntelliReach Message Manager Suite ( http://www.intellireach.com ), install on a Microsoft Outlook client and monitor mail using the Collaboration Data Objects (CDO) interfaces. A third class of products consists of appliances, like CipherTrust's IronMail, that act as SMTP proxies and, as a side effect of that role, provide some level of content-filtering services.

Evaluating Filtering Products

Because you're probably not going to create your own filtering product, it's important to know what questions to ask when choosing a filtering system for your network. Prices range from a few hundred dollars for server-side tools up to tens of thousands of dollars for enterprise-scale filtering appliances. How can you tell which one is right for you? Here are some questions to ask during the evaluation process:

  • What specific kinds of filtering do you want? Keyword filtering is common; more advanced tools, like the Nemx PowerTools suite, offer heuristics that attempt to classify message content by analyzing the text, not just matching strings. In either case, decide whether you need to scan message headers and bodies only, or whether you also need to be able to scan and process attachments. Of course, the more data your filter has to scan, the more likely it is that there will be a performance impact on the server where the filter runs.

  • What do you want to be able to do to the filtered messages? If you're filtering content to keep bad material out, you will probably want to reject inbound or outbound messages that fail the filtering checks; if you're monitoring and filtering to keep internal users from sending out sensitive or inappropriate messages, you might prefer to copy the suspect messages to a mailbox or public folder so you can investigate and take action as necessary. In either case, be sure to think about how you want to handle false positives; you're bound to get some messages that trigger the filters but that are actually innocuous.

  • What volume of messages do you need to filter? For large, high-volume environments, you'll probably have multiple SMTP bridgeheads, which means that you'll probably need multiple licenses if you pick a server-based product. Of course, you can always have your existing bridgeheads pass all their traffic to a single "security guard" machine, which is essentially what IronMail and other appliance-like products do.

  • Can you specify policies? Simplistic scanners just look for terms or patterns you specify. More flexible policy-based tools can incorporate multiple criteria into rules and multiple rules into policies. A good policy-based system allows you to create policies based on criteria like sender or recipient domain or Internet Protocol (IP) address, message or header content, attachment presence or absence, and date and time. For example, you might want a policy that adds a disclaimer to mail sent from users in the Legal organizational unit unless it's going to the domain of your company's outside law firm. A separate policy might block all incoming mail with "mortgage" in the subject that isn't coming from your company's bank.

  • What kind of management and reporting features do you need? In general, the more customizable the product is, the better; you'll benefit from the additional flexibility. From the management side, be sure to find out how the product you're evaluating handles remote management (so that you can adjust settings without sitting down in front of the server) and whether you can easily create one set of policies and then apply them to multiple machines.
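To make the policy-based approach concrete, here is a small policy engine written for this section (it is an added example, not code from the book or from any of the products named above). It implements the criteria the chapter lists: direction, sender and recipient domain, subject and body keywords, and attachment type, with the two example policies from the bullet above (a disclaimer for Legal unless mail goes to the outside law firm; rejecting inbound "mortgage" mail unless it comes from the company's bank) plus a quarantine rule for sensitive outbound text and an attachment-type rule. Flagged messages are rejected, copied for review, or delivered with a disclaimer, so that a false positive on the quarantine rule is reviewable rather than silently lost. All domains, addresses, keywords and sample messages are constructed for illustration; the parsing uses Python's standard-library email package rather than an Exchange event sink.

```python
"""Policy-based mail content filter (added example; constructed sample data)."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Constructed values standing in for the company, its outside law firm and its bank.
INTERNAL_DOMAIN = "example.com"
LAW_FIRM_DOMAIN = "outside-lawfirm.example"
BANK_DOMAIN = "bank.example"
LEGAL_OU_SENDERS = frozenset({"counsel@example.com"})  # stand-in for the Legal OU
DISCLAIMER = "\n\n-- This message may contain privileged information."


@dataclass
class Policy:
    """One rule: every non-empty criterion must match for the policy to fire."""
    name: str
    action: str                               # "reject", "quarantine" or "disclaimer"
    direction: str = "any"                    # "inbound", "outbound" or "any"
    subject_keywords: tuple = ()
    body_keywords: tuple = ()
    sender_in: frozenset = frozenset()        # restrict to these sender addresses
    exempt_sender_domains: frozenset = frozenset()
    exempt_recipient_domains: frozenset = frozenset()
    blocked_attachment_exts: tuple = ()


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _direction(msg):
    return "outbound" if _domain(msg.get("From", "")) == INTERNAL_DOMAIN else "inbound"

def _recipient_domains(msg):
    raw = ",".join(h for h in (msg.get("To", ""), msg.get("Cc", "")) if h)
    return {_domain(a) for a in raw.split(",") if a.strip()}

def _body_text(msg):
    """Concatenate text/plain parts that are not attachments."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts
                     if p.get_content_type() == "text/plain" and p.get_filename() is None)

def _attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def _has_keyword(text, keywords):
    # Whole-word, case-insensitive match so "mortgage" also catches "MORTGAGE,".
    return any(re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE) for k in keywords)

def _matches(policy, msg):
    if policy.direction not in ("any", _direction(msg)):
        return False
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if policy.sender_in and sender not in policy.sender_in:
        return False
    if _domain(sender) in policy.exempt_sender_domains:
        return False
    recipients = _recipient_domains(msg)
    if policy.exempt_recipient_domains and recipients <= policy.exempt_recipient_domains:
        return False                          # every recipient is exempt
    if policy.subject_keywords and not _has_keyword(msg.get("Subject", ""), policy.subject_keywords):
        return False
    if policy.body_keywords and not _has_keyword(_body_text(msg), policy.body_keywords):
        return False
    if policy.blocked_attachment_exts and not any(
            n.lower().endswith(policy.blocked_attachment_exts) for n in _attachment_names(msg)):
        return False
    return True


POLICIES = [
    Policy("legal-disclaimer", "disclaimer", direction="outbound", sender_in=LEGAL_OU_SENDERS,
           exempt_recipient_domains=frozenset({LAW_FIRM_DOMAIN})),
    Policy("mortgage-block", "reject", direction="inbound", subject_keywords=("mortgage",),
           exempt_sender_domains=frozenset({BANK_DOMAIN})),
    Policy("sensitive-outbound", "quarantine", direction="outbound",
           body_keywords=("confidential", "internal only")),
    Policy("executable-attachment", "reject", blocked_attachment_exts=(".exe", ".scr")),
]


def filter_message(raw, policies=POLICIES):
    """Return the verdict, the names of the policies that fired, and the delivered body."""
    msg = message_from_string(raw)
    matched = [p for p in policies if _matches(p, msg)]
    actions = {p.action for p in matched}
    body = _body_text(msg)
    if "reject" in actions:
        verdict = "reject"
    elif "quarantine" in actions:
        verdict = "quarantine"                # copied to a review mailbox, never silently deleted
    else:
        verdict = "deliver"
        if "disclaimer" in actions:
            body += DISCLAIMER
    return {"verdict": verdict, "matched": [p.name for p in matched], "body": body}


# Constructed sample messages exercising each policy and its exemption.
SAMPLES = {
    "legal_to_customer": "From: counsel@example.com\nTo: buyer@customer.example\nSubject: Contract\n\nPlease review.\n",
    "legal_to_lawfirm": "From: counsel@example.com\nTo: partner@outside-lawfirm.example\nSubject: Contract\n\nPlease review.\n",
    "mortgage_spam": "From: offers@cheap-rates.example\nTo: user@example.com\nSubject: Lowest MORTGAGE rates!\n\nAct now.\n",
    "mortgage_from_bank": "From: loans@bank.example\nTo: user@example.com\nSubject: Your mortgage statement\n\nAttached.\n",
    "leak": "From: eng@example.com\nTo: friend@webmail.example\nSubject: fyi\n\nThis is CONFIDENTIAL, do not forward.\n",
    "exe_attachment": ("From: sales@vendor.example\nTo: user@example.com\nSubject: Invoice\nMIME-Version: 1.0\n"
                       'Content-Type: multipart/mixed; boundary="XYZ"\n\n--XYZ\nContent-Type: text/plain\n\n'
                       'See attached.\n--XYZ\nContent-Type: application/octet-stream; name="invoice.exe"\n'
                       'Content-Disposition: attachment; filename="invoice.exe"\n'
                       "Content-Transfer-Encoding: base64\n\nAAAA\n--XYZ--\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = filter_message(raw)
        print(f"{name:20} {result['verdict']:10} {result['matched']}")
```

The precedence (reject over quarantine over deliver-with-disclaimer) is a design choice: when several policies fire, the most restrictive action wins, and the quarantine action keeps a copy for an administrator to review, which is how the false positives the chapter warns about get caught without losing mail.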


Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189