Preventing confidential emails from being sent around in your company with Forefront Security for Exchange

Summary:

Forefront Server Security for Exchange (referred to as FSS-E from now on) has options to set up keyword lists that can be used to monitor (via the "Skip: detect only" option), delete, or tag messages that contain the filtered words.

Details:

In this blog entry, I would like to walk you through setting up your own filter list and then using that filter list to block out any email that contains restricted words. So for example, you would be able to block an email that contains the following text:

Confidential: Do not forward

Hey J.

I firmly believe that we can beat competition by …

Thoughts?

Thanks,

N

One more thing before I start. You can do everything I am doing in a safe test environment in a virtual lab hosted on the Microsoft site. You can easily get access to a virtual machine setup that has FSS, Exchange or SharePoint installed.

At a higher level, here are the things you have to do to accomplish this task:

1. Create a list of words you want to filter out (you can also import a text file if you don’t want to enter everything by hand)

2. Set the keyword filter for the message body

3. Send email

So, let’s start.

Step 1: Create a list of words to filter

1. In the Forefront Server Security Administrator, select “Filtering” on the left

2. Select “Keywords” in the window labeled List Types.

3. Press the "Add" button and type in a name you like. Mine was "Neetu-test". Press Enter.

4. Select the list you just created. Notice that the window on the bottom right of your screen is empty. This is because the list you have just created has no entries yet.

5. Select the list you have just created and press "Edit". This gives you a window that you can use to add keywords to this list. Press "Add" at the bottom of the new window to start adding items to the list. You can also select "Import" if you already have a text file with a list of words. Figure 1 is what my screen looks like after this step.

Figure 1

6. Press “OK” and now you have saved that list. Now you should see your list name in the bottom left window and the items in the list in your bottom right window. Figure 2 is what my screen looks like. Press “Save” to save your list and its contents.

Figure 2

7. Select "Keyword" in the filtering section and select "Transport Scan Job". You will see that "Message Body" is highlighted in the bottom left window, the middle window has your list in it, and if it is selected, it is marked as "Disabled" in the filter selection. Enable that list. Figure 3 shows what my screen looked like after this step.

Figure 3

8. Next thing to do here is to select the action that will be taken once some keyword from this list has been matched. Select "Skip: detect only" if you want to just monitor the usage for a while before you decide what real action you want to take. Select "Purge: eliminate email" if you want to get rid of the email altogether. The recipient will never know that an email was sent to them. I have selected "Identify: tag message". The recipient will get the email but the subject of the email will be tagged when they get it. Click "Save" to save your changes.

9. From your client machine (Cairo in my case) send some email that includes the filtered words. Figure 4 shows my results. Notice that I sent an email (from the sent folder) with a subject of "Test Email" and got back an email with subject of "SUSPECT: Test Email".

Figure 4

10. Check out the incident logs in Forefront Server Security Administrator (Figure 5). The incidents log includes the email that we sent in step 9. The incident indicates that a match against the filter we set up with the list ("Neetu-test" in my case) was the reason for this incident.

Figure 5

Some more advanced filtering options:

I have tried to give you a starting point. There are several other things possible when it comes to combining filters. The first one is the ability to specify how many words have to match before the filter is invoked (check out the "Maximum Unique Keyword Hits" in figure 3). The default value is 1.

Example: You have set the minimum unique keyword hits value to 3. The word “confidential” is in the list and appears three times. However, no other word in the list appears at all. The keyword filter will not be invoked. This is because only one term in the list was matched and according to your settings, 3 unique keywords need to be matched.

Secondly, I want to point out a few modifiers you can use in your filters (the “_” represents a space):

    • _AND_ (Logical AND). For example, apple_AND_orange juice.
    • _NOT_ (Negation). For example, apple_AND__NOT_juice.
    • _ANDNOT_ (Same as _AND__NOT_). For example, apple_ANDNOT_juice.
    • _WITHIN[#]OF_ (Proximity). If the two terms are within a specified number of words of each other, there is a match. For example, free_WITHIN[10]OF_offer. (If free is within 10 words of offer, this query will be true.)
    • _HAS[#]OF_ (Frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example, _HAS[4]OF_get rich quick. If the phrase get rich quick is found in the text four or more times, this query will be true. This operator is implicitly assumed and has a default value of 1 when it is not specified.
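To make the unique-keyword-hits threshold and the modifiers above concrete, here is a small Python model added to this post as an example. It is not Forefront's code and not the author's; it only reproduces the semantics the post describes so you can try rule combinations against sample text before enabling them on a transport scan job. Assumptions: entries use the operator tokens literally and plain spaces inside phrases (the post's "_" convention is kept only inside the operators), "within n words" is taken to mean the two phrases start at most n word positions apart, matching is case-insensitive and ignores punctuation, and the three sample messages are constructed for the example. The "SUSPECT: " tag text is the one shown in Figure 4.

```python
"""Toy model of FSS-E keyword-list matching (added example, not Forefront code)."""
import re
from typing import List, Optional, Tuple

# Constructed sample messages for the example (not real mail).
CONFIDENTIAL_MAIL = (
    "Confidential: Do not forward\n\nHey J.\n\n"
    "I firmly believe that we can beat competition by ...\n\nThoughts?\n\nThanks,\nN"
)
NEWSLETTER_MAIL = "Get rich quick! Get rich quick! Free offer inside, act now."
ORDINARY_MAIL = "Lunch at noon? Bring the apple juice and the forecast slides."

# Constructed keyword list, in the spirit of the post's "Neetu-test" list.
CONFIDENTIAL_LIST = ["confidential", "do not forward", "beat competition", "quarterly numbers"]


def _words(text: str) -> List[str]:
    """Lower-case word tokens; punctuation is ignored (assumption)."""
    return re.findall(r"[a-z0-9']+", text.lower())


def _phrase_positions(words: List[str], phrase: str) -> List[int]:
    """Start indexes where the phrase (one or more words) occurs in words."""
    p = _words(phrase)
    n = len(p)
    if n == 0:
        return []
    return [i for i in range(len(words) - n + 1) if words[i:i + n] == p]


def _clause_matches(clause: str, words: List[str]) -> bool:
    """One clause: a plain phrase, _HAS[n]OF_phrase, or left_WITHIN[n]OF_right."""
    m = re.match(r"_HAS\[(\d+)\]OF_(.+)$", clause)
    if m:
        return len(_phrase_positions(words, m.group(2))) >= int(m.group(1))
    m = re.match(r"(.+?)_WITHIN\[(\d+)\]OF_(.+)$", clause)
    if m:
        left = _phrase_positions(words, m.group(1))
        right = _phrase_positions(words, m.group(3))
        limit = int(m.group(2))
        # Assumption: "within n words" means the start positions differ by at most n.
        return any(abs(a - b) <= limit for a in left for b in right)
    # Implicit _HAS[1]OF_: the phrase must appear at least once.
    return len(_phrase_positions(words, clause)) >= 1


def entry_matches(entry: str, body: str) -> bool:
    """Evaluate one keyword-list entry against a message body.

    _AND_ joins clauses that must all hold; _NOT_ negates the clause it
    prefixes; _ANDNOT_ is shorthand for _AND__NOT_.
    """
    words = _words(body)
    for clause in entry.replace("_ANDNOT_", "_AND__NOT_").split("_AND_"):
        negate = clause.startswith("_NOT_")
        if negate:
            clause = clause[len("_NOT_"):]
        # A clause fails if it matched when negated, or did not match when not negated.
        if _clause_matches(clause, words) == negate:
            return False
    return True


def scan_body(body: str, keyword_list: List[str], unique_hits: int = 1) -> Tuple[bool, List[str]]:
    """Return (filter_triggered, matched_entries).

    unique_hits models the 'Maximum Unique Keyword Hits' setting from the post:
    the filter fires only when at least that many distinct entries match, so
    one entry appearing many times still counts as a single hit.
    """
    matched = [e for e in keyword_list if entry_matches(e, body)]
    return len(matched) >= unique_hits, matched


def apply_action(subject: str, triggered: bool, action: str) -> Optional[str]:
    """Model the three actions from step 8. Returns the subject as the recipient
    would see it, or None when the message is purged."""
    if not triggered or action == "skip":      # Skip: detect only (incident logged, mail untouched)
        return subject
    if action == "purge":                       # Purge: eliminate email
        return None
    if action == "identify":                    # Identify: tag message
        return "SUSPECT: " + subject
    raise ValueError("unknown action: " + action)


if __name__ == "__main__":
    for body in (CONFIDENTIAL_MAIL, NEWSLETTER_MAIL, ORDINARY_MAIL):
        triggered, hits = scan_body(body, CONFIDENTIAL_LIST)
        print(repr(apply_action("Test Email", triggered, "identify")), hits)
```

Running the block with `unique_hits=3` against a body that says "confidential" three times reproduces the post's point: the single entry matches, but only one distinct keyword was hit, so the filter does not fire.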

Hope you found this informative. Please follow up with comments/questions. If you have ideas for what you would like us to write about, please share via the comments.

Thanks

Neetu Rajpal

Lead Program Manager

Forefront Server Security