Exchange Server 2010 : Planning for Anti-Spam (part 1)

10/24/2010 3:35:45 PM
Planning anti-spam protection against the enormous volume of spam circulating on the Internet has become one of the most important tasks of messaging administrators. Spammers and malicious senders use a wide variety of techniques to get unwanted messages into your organization, and no single tool or process eliminates all spam; the filters in Exchange 2010 are designed to be layered.

By default the anti-spam agents are installed only on the Edge Transport server role. They can also be enabled on Hub Transport servers where needed, as described in section 3.


Note: Any change to the anti-spam agents is immediately activated. If, for example, you add an IP address to an IP Block List, it is immediately blocked without any service restart.

1. How Exchange 2010 Does Spam Filtering

Exchange 2010 includes a variety of anti-spam features designed to work cumulatively to reduce the amount of spam messages that enter your organization. This is done by using spam-filtering agents to examine each SMTP connection and each message sent through it.

The anti-spam agents inspect a connection or message in a fixed order, shown in Figure 1.

Figure 1. SPAM agent filtering sequence


When an SMTP server on the Internet connects to the Edge Transport server and initiates an SMTP session, the Edge Transport server examines each message using the following sequence:

  1. When the SMTP session is initiated, the Transport server applies connection filtering using the following criteria:

    • IP Allow list and IP Allow List Provider

    • IP Block list

    • Real-time block lists (RBLs) of any configured IP Block List Providers

  2. The Transport server compares the sender's e-mail address with the list of senders configured in sender filtering.

  3. The Transport server examines the recipient against the Recipient Block list configured in recipient filtering.

  4. Exchange Server 2010 applies Sender ID filtering. Depending on how Sender ID filtering is configured, the agent deletes, rejects, or accepts a message that failed Sender ID validation. If the message is accepted, the server stamps the Sender ID result on the message properties; a failed result does not decide the outcome on its own, but it is one of the inputs content filtering uses when it computes the SCL.

  5. The Edge Transport server applies content filtering and performs one of the following actions:

    • The content filter compares the purported sender to the per-recipient safelists aggregated from Microsoft Office Outlook users' Safe Senders Lists. If the sender is on the recipient's Safe Senders List, the message is assigned a spam confidence level (SCL) rating of -1, excluded from further anti-spam processing, and, after antivirus scanning, delivered directly to the end user's Inbox, fully rendered. If the sender is not on the recipient's Safe Senders List, the message is scanned and assigned an SCL rating.

    • If the SCL rating is equal to or higher than one of the configured SCL thresholds, the content filter agent takes the corresponding action: deleting, rejecting, or quarantining the message. The thresholds are evaluated from most to least severe (delete, then reject, then quarantine).

    • If the SCL rating is lower than all the configured thresholds, the message is stamped with its SCL and delivered to the Mailbox server, which decides where to deposit it based on the organization's SCL junk threshold and the recipient's mailbox settings. The message ends up either in the Junk E-mail folder or in the Inbox.
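The sequence above, carried out from the Exchange Management Shell, as an added example (this is not code from the original article): each step configures the agent that runs at that point in the pipeline, the SCL thresholds are checked for the ordering the content filter relies on, and Get-AgentLog is used afterwards to see which agent actually acted on recent sessions. All IP addresses, domains and mailbox names are placeholders; the cmdlets and parameters are the standard Exchange 2010 anti-spam cmdlets.

```powershell
# Added example, not from the original article: configure the anti-spam agents
# in the order the Edge Transport server evaluates them, then check what the
# agents actually did. Run in the Exchange Management Shell on an Edge
# Transport server (or a Hub Transport server with the agents installed).
# All IP addresses, domains and mailbox names are placeholders.

# 0. Agents run in priority order; confirm it matches the sequence in Figure 1.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize

# 1. Connection filtering. The allow list is consulted first, then the local
#    block list, then any IP Block List Providers (RBLs).
Add-IPAllowListEntry -IPAddress 192.0.2.25 -Comment "Partner MTA (placeholder)"
Add-IPBlockListEntry -IPRange 198.51.100.0/24 -ExpirationTime (Get-Date).AddDays(30) `
    -Comment "Spam source (placeholder)"
Add-IPBlockListProvider -Name "Example RBL" -LookupDomain "dnsbl.example.net" -AnyMatch $true

# 2. Sender filtering. @{Add=...} appends to the multivalued list instead of
#    replacing it. Blank-sender blocking is left off here: NDRs use an empty
#    MAIL FROM, so enabling it also drops legitimate bounces from the Internet.
Set-SenderFilterConfig -BlockedSenders @{Add="bulk@example.net"} `
    -BlockedDomainsAndSubdomains @{Add="spammer.example"} `
    -BlankSenderBlockingEnabled $false -Action Reject

# 3. Recipient filtering. Recipient validation rejects mail for addresses that
#    do not exist in the directory (on Edge this needs EdgeSync); blocked
#    recipients are rejected explicitly.
Set-RecipientFilterConfig -RecipientValidationEnabled $true `
    -BlockedRecipients @{Add="oldalias@contoso.com"}

# 4. Sender ID. StampStatus records the result for the content filter to weigh
#    instead of rejecting outright, which avoids losing legitimate mail that
#    arrived through forwarders the sending domain's SPF record does not list.
Set-SenderIdConfig -SpoofedDomainAction StampStatus -TempErrorAction StampStatus

# 5. Content filtering. The SCL is compared against the thresholds in the
#    order delete, reject, quarantine; a message at or above a threshold gets
#    that action. Anything below them goes to the Mailbox server, which uses
#    the organization-wide SCLJunkThreshold to pick Inbox or Junk E-mail.
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -QuarantineMailbox "spamquarantine@contoso.com"
Set-OrganizationConfig -SCLJunkThreshold 4

# Sanity check: thresholds should fall delete > reject > quarantine > junk,
# otherwise a later, milder action can never be reached.
$cf   = Get-ContentFilterConfig
$junk = (Get-OrganizationConfig).SCLJunkThreshold
if (-not ($cf.SCLDeleteThreshold -gt $cf.SCLRejectThreshold -and
          $cf.SCLRejectThreshold -gt $cf.SCLQuarantineThreshold -and
          $cf.SCLQuarantineThreshold -gt $junk)) {
    Write-Warning "SCL thresholds are not ordered delete > reject > quarantine > junk"
}

# 6. Audit: which agent acted on recent sessions, and how often. Get-AgentLog
#    reads the agent log that every anti-spam agent writes to.
Get-AgentLog -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The Get-AgentLog summary is the quickest way to confirm the order described above in practice: connections rejected by the Connection Filtering agent never appear under the Sender ID or Content Filter agents, and a sudden drop in Connection Filtering rejections usually means an RBL provider is no longer resolving rather than that spam has stopped.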

2. How Anti-Spam Updates Work

Spam changes continuously, so Exchange 2010 also includes an automatic anti-spam update service that handles content filter updates. This service requires the Transport server to have direct Internet access, Web access through a proxy, or access to a Windows Server Update Services (WSUS) server. Anti-spam updates run in one of two modes: manual or automatic.

Manual updates include only Content Filter updates and require no additional licenses. Automatic updates also include Content Filter updates and add Spam Signature and IP Reputation updates, but they require an Enterprise Client Access License (E-CAL), which must be purchased for every mailbox in your organization.

Manual Content Filter updates are downloaded and installed when Microsoft makes them available, which is commonly every two weeks. This level of protection is basic and more suitable for small organizations. If you are planning for a larger company, consider purchasing E-CALs for automatic updates, which deliver multiple anti-spam updates per day. E-CALs also include the licenses required for Forefront Protection 2010 for Exchange Server (FPE 2010), which you can optionally deploy to add an extra layer of anti-spam protection.

You configure the anti-spam update service using the Enable-AntispamUpdates cmdlet and receive information on what pattern versions are installed using the Get-AntispamUpdates cmdlet as shown in Figure 2.

Figure 2. Configuring automatic anti-spam updates


You can see that multiple update patterns are available in the anti-spam update of Exchange 2010. Table 3 lists all available pattern updates.

Table 3. Anti-Spam Pattern Updates
PATTERN UPDATE                     PURPOSE
Content Filter                     Content Filter updates. The filter is based on Microsoft's SmartScreen technology and is used for scanning the body of messages and assigning SCL ratings.
Spam Signature (E-CAL required)    Identifies the most recent spam campaigns.
IP Reputation (E-CAL required)     Provides sender reputation information about IP addresses that are known to send spam.

All patterns are part of a single update process—no separate processes are required.

Lessons Learned: Anti-Spam with Forefront Protection 2010 for Exchange

Alexander Nikolayev

Program Manager, Forefront Server Security, Microsoft Corporation

At Microsoft, we use Forefront Protection 2010 for Exchange (FPE) for anti-spam. If you use FPE 2010, you might consider these three best practices for enabling the most effective anti-spam defense.

First, where will you reject spam? The most efficient FPE positioning is to scan the messaging stream at the entry point into the Exchange organization. Early rejection of unwanted e-mail prevents wasting resources pushing unnecessary payloads through the network and saves some bandwidth. Best hygiene practices call not only for physically positioning FPE on the perimeter of the organization's network but also for enabling early rejection of spam inside FPE, which is a layered anti-spam solution. The first layer, Connection Filtering, is based on the new Forefront DNSBL technology. When it is enabled, our testing shows that Forefront DNSBL rejects around 90 percent of spam based on the connecting IP address, even before it begins to examine the content of the message. Forefront aggregates RBL feeds from multiple vendors, and the DNSBL feature is configuration-free, so it is not only very effective but also simple to use.

Second, what messages will you reject? One person's ceiling is another person's floor, right? What is considered spam by some recipients is legitimate mail to others. To help FPE figure out for whom to reject and for whom to accept a given piece of mail, it is important to enable aggregation of recipients' Outlook Safe/Block Lists. The FPE Content Filter, based on the Cloudmark CMAE engine, takes these lists into consideration on a per-recipient basis to provide the desired level of granularity. Using the default SCL settings on the content filter will reject the rest of the spam; however, if you need to relax the filter, you can lower the SCL thresholds to quarantine questionable mail for triaging.

And finally, where to triage? Previously, Microsoft recommended quarantining questionable e-mail in a dedicated Exchange mailbox so that an administrator could access, review, retrieve, and resend false positives. This was not always an easy task because of the volume of quarantined messages. Forefront makes triaging easier because the messages by default are stored in Forefront quarantine. However, with the volume of quarantined messages now drastically reduced, it makes sense to review our default approach to triaging and perhaps allow these messages to be deposited into a recipient's Junk Mail folders. The amount of suspected spam is very small. For example, based on internal Microsoft data, only about 50 messages per 1 million of external mail submissions are quarantined. To determine the volume of quarantined mail, run the Get-FseSpamReport cmdlet and look for the number of messages with SCLs between five and eight inclusive—these are the messages that will be quarantined by default. If you see that the amount is small, maybe it's time to entrust your recipients with the responsibility of triaging suspected spam, considering that they will get only a couple of such messages per month.

In addition, do not forget to enable Backscatter filtering. Backscatter filtering protects your organization from bogus NDRs sent to recipients who never sent the original message in the first place. This happens when a malicious user spoofs the MAIL FROM address as someone from your organization; the receiving server might then generate an NDR back to an unsuspecting victim. For the filter to work correctly, you need to have the same set of keys installed on every transport server that participates in sending mail to or receiving mail from the Internet.


3. Enable Anti-Spam on Hub Transport Servers

Even though it is not enabled by default, you can also enable anti-spam on Hub Transport servers. This is especially useful when your Hub Transport server receives inbound Internet mail from a smart host rather than from an Edge Transport server. Many companies deploy UNIX- or Linux-based servers in the smart host role; enabling the agents on the Hub Transport servers then adds a second, independent layer of anti-spam filtering behind it.

You enable the anti-spam features by running the Install-AntispamAgents.ps1 script from the \Scripts folder of the Exchange installation. After running the script, restart the Microsoft Exchange Transport service so that the newly registered agents are loaded.


Note: For the anti-spam features to work correctly, the InternalSMTPServers parameter of the Set-TransportConfig cmdlet must list the IP address of at least one internal SMTP server. Sender ID and connection filtering ignore these addresses when they examine the path a message took, so they evaluate the first external server rather than your own smart host or Hub Transport server. If you have only one Hub Transport server in your organization, enter the IP address of that computer.
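The procedure in this section, together with the anti-spam update configuration from section 2, as one added example (not code from the original article): install the agents on a Hub Transport server, restart transport, declare the internal SMTP hops, verify that every agent is enabled, and then turn on updates. The addresses 10.0.0.10 and 10.0.0.11 are placeholders for your own Hub Transport servers; the two update switches assume the organization holds E-CALs and should be set to $false if it does not.

```powershell
# Added example, not from the original article: enable the anti-spam agents on
# a Hub Transport server, point them at the internal SMTP hops, verify, and
# switch on anti-spam updates. Run in the Exchange Management Shell on the Hub
# Transport server. 10.0.0.10 and 10.0.0.11 are placeholders for your own
# Hub Transport servers (and any internal relays in front of them).

# 1. Register the agents. The script ships in the Exchange \Scripts folder;
#    the ExchangeInstallPath environment variable is set by Exchange setup.
& (Join-Path $env:ExchangeInstallPath "Scripts\Install-AntispamAgents.ps1")

# 2. Restart the transport service so the newly registered agents are loaded.
Restart-Service MSExchangeTransport

# 3. Declare the internal SMTP servers. Sender ID and connection filtering
#    ignore these hops, so they evaluate the first external IP address rather
#    than your own smart host or Hub Transport server. With a single Hub
#    Transport server, this is that server's own address.
Set-TransportConfig -InternalSMTPServers @{Add="10.0.0.10","10.0.0.11"}

# 4. Verify: every anti-spam agent should be registered and enabled, and the
#    internal server list should be populated.
$agents   = Get-TransportAgent
$disabled = $agents | Where-Object { -not $_.Enabled }
if ($disabled) {
    $names = ($disabled | ForEach-Object { $_.Identity }) -join ", "
    Write-Warning "Disabled transport agents: $names"
}
$agents | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize
(Get-TransportConfig).InternalSMTPServers

# 5. Updates. Content Filter updates need no extra licence; Spam Signature and
#    IP Reputation updates require Enterprise CALs. Set those two switches to
#    $false if your organization does not hold E-CALs.
Enable-AntispamUpdates -UpdateMode Automatic -MicrosoftUpdate RequestNotifyDownload `
    -SpamSignatureUpdatesEnabled $true -IPReputationUpdatesEnabled $true

# 6. Confirm the update mode and the pattern versions now installed.
Get-AntispamUpdates | Format-List
```

Run step 6 on more than one Transport server and compare the versions: a server whose Content Filter version lags the others is usually one that cannot reach Microsoft Update or the WSUS server, and it will keep accepting mail while filtering with stale patterns.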