Exchange Server 2010 Email Abuse Prevention

Written by Mike Rede on July 22, 2010

In his article, “Preventing Internal Email Abuse with Exchange Server 2010”, Paul Cunningham states: “… there is a lesser amount of attention given to preventing internal abuse of email systems. The risk of internal email abuse may seem low but for some organizations the risk is actually quite significant.”

In Exchange Server 2010, one of the more interesting improvements is to Transport Rule predicates and actions. Using Transport Rules, an administrator creates a rule that inspects messages for the conditions the rule specifies. The administrator can also add exceptions, so that a message which matches the conditions but also meets an exception has no action applied to it. Exchange Server 2010 adds flexibility in both the conditions that can be tested and the actions that can be taken against matching messages.

In his post, Paul Cunningham discusses how Transport Rules can be created and applied to internal messages in order to identify abusive email practices and their originators.

It is nice to have a feature in Exchange Server that can help eliminate, or at least reduce, abusive internal emails sent and received within an organization. But I think companies and their IT departments will also have to speak with their legal departments to ensure they are not encroaching on any privacy laws.

The situation Paul describes in his post is essentially one of creating filters to prevent abusive emails being sent to co-workers, but the same capability could also be used to block or filter out emails of a political nature, which could become the basis for a free-speech challenge. I know this sounds a little extreme, but let’s see how this could play out using Transport Rules.

The way this type of word-filtering Transport Rule would work is that a rule would be configured with:

  • A condition that identifies messages sent from internal senders to internal recipients.
  • A condition that identifies certain words or phrases in the message subject, body, or attachments.
  • An action applied to any message that matches the conditions above (every condition on a rule must match before the action fires).
  • Any exceptions to the rule, which prevent the action from being applied even when the conditions match.

So in our example, if a company or any other organization decided that messages containing the words “Libertarian Party” were inappropriate, it could create a Transport Rule that recognizes those keywords and sends matching messages to the “bit bucket”, i.e., deletes them. An exception to the rule might be along the lines of: if no profanity is found in the message, let it pass through to the internal recipient.

Another possible action when a Transport Rule fires is to redirect the filtered message to the company’s legal department or to security for further review, rather than deleting it outright.
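The two variants above (delete, or redirect for review), written out as Exchange Management Shell commands. This is an added example, not code from this article or from Paul Cunningham's post, and it assumes an Exchange 2010 Hub Transport server with the shell opened by a member of Organization Management. The rule names, the “HR Investigations” group and the addresses at example.com are placeholders; the exception used here is a sender group rather than the “no profanity” test in the text, since a word-list exception would need its own phrase list.

```powershell
# Added example (not from the article or from Paul Cunningham's post).
# Exchange Management Shell on an Exchange 2010 Hub Transport server.
# Rule names, the "HR Investigations" group and *@example.com are placeholders.

# Rule 1: the word filter as described. Every condition on a rule must match
# (conditions are ANDed), so the internal-to-internal scope and the keyword
# test together select only internal mail that mentions the phrase.
# -DeleteMessage drops the message silently: no NDR and no copy anywhere.
# Created disabled so it can be reviewed (with Legal) before it takes effect.
New-TransportRule -Name "Internal keyword filter - delete" `
    -FromScope InOrganization `
    -SentToScope InOrganization `
    -SubjectOrBodyContainsWords "Libertarian Party" `
    -ExceptIfFromMemberOf "HR Investigations" `
    -DeleteMessage $true `
    -Enabled $false `
    -Priority 0

# Rule 2: the review alternative. Instead of deleting, redirect the message
# to a Legal/Security mailbox; the original recipient never receives it.
# Placed after rule 1: a message deleted by rule 1 never reaches rule 2.
New-TransportRule -Name "Internal keyword filter - redirect to legal" `
    -FromScope InOrganization `
    -SentToScope InOrganization `
    -SubjectOrBodyContainsWords "Libertarian Party" `
    -RedirectMessageTo "legal-review@example.com" `
    -Enabled $false `
    -Priority 1

# Because conditions are ANDed, words inside attachments need their own rule
# (-AttachmentContainsWords) rather than a second predicate on rule 1.

# Review what will be enforced, then enable one rule at a time.
Get-TransportRule | Format-Table Name, Priority, State, Comments -AutoSize
Enable-TransportRule -Identity "Internal keyword filter - redirect to legal"

# After sending a test message between two internal mailboxes, look for the
# agent-driven action in message tracking on the Hub Transport server.
Get-MessageTrackingLog -Sender "alice@example.com" -Recipients "bob@example.com" `
    -Start (Get-Date).AddHours(-1) |
    Where-Object { $_.Source -eq "AGENT" } |
    Format-List EventId, Source, SourceContext, RecipientStatus
```

Both rules are stored in Active Directory when created, so every Hub Transport server in the organization picks them up; enabling the redirect variant first lets Legal see what the keyword list actually catches before anyone is trusted with a silent delete.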

I do agree with Paul that implementing a company-wide filtering system in which every internal email sent is scrutinized by a keyword or phrase methodology would be very complex and costly, in terms of not only compute resources but capital outlays. There would be sure to be some overhead from using a single centralized filtering system, which would be a single point of failure that would most likely impact performance and prove costly should the system ever go down.

Paul points out that even “…Exchange Server’s own anti-spam filtering can’t help.” He notes that any email sent between mailboxes within the same organization is given a Spam Confidence Level (SCL) of -1 (on a scale of 0 to 9), which means that Exchange Server treats the message as trusted. With an SCL of -1 assigned, no further SCL-based filtering decisions are applied to the message. SCL -1 is the same value Exchange assigns to messages from other trusted sources, such as senders on a recipient’s Safe Senders list.

An SCL of 0 means the message is most likely not spam, whereas an SCL of 9 means it is most likely spam, which makes the message an obvious candidate for the SCL-based filtering actions (the delete, reject, quarantine and Junk E-mail folder thresholds) to be applied.

It is for these reasons that Transport Rules should be considered as a component of any email content filtering system that needs an intra-company filtering capability: a Transport Rule is evaluated on the Hub Transport server regardless of the SCL stamped on the message. And since administrators configure this feature centrally (the rules are stored in Active Directory), every Hub Transport server in the organization applies the same rules, allowing for a streamlined yet distributed implementation.
