
Tuesday, April 28, 2009

Microsoft Small Business Server 2003 Spam Filtering

This article takes an in-depth look at the spam filtering features provided with Microsoft SBS 2003 and how to implement them.

Unsolicited commercial email (UCE), generally known as spam, is becoming an ever bigger problem for companies and even for home users. A lot of time has to be spent sorting out which emails are spam and which are not. So an important task for every Server Administrator responsible for the Messaging and Collaboration Server System is to implement a good SPAM Email Filtering System.

Microsoft provides lots of features with Exchange Server 2003 Service Pack 2 to filter Spam and provides a solution to reduce the amount of time spent on filtering SPAM.

These features are included in Exchange Server 2003 and, because Exchange is a component of the solution, are part of every Small Business Server 2003 implementation.

Within this article we will now take an in-depth look at the features themselves and how to implement them.




Connection Level Protection

Protecting against SPAM at the connection level has been the best defense for years, because it means that SPAM never enters the company’s network. This feature does nothing more than evaluate incoming SMTP connections for potential SPAM. If the connecting SMTP host is a well known Spammer, the connection can be dropped.

Exchange itself provides two ways for connection level SPAM protection.

IP Connection Filtering

IP Connection filtering is a configurable setting within Exchange Server 2003 that can completely block SMTP connections based on IP addresses. This is a rudimentary method of protection because the connection filtering lists need to be administered manually. In addition, you can explicitly allow connections from specific SMTP hosts.


Figure 1: IP-Address Filtering

Real-Time Block Lists

With Exchange Server 2003, you have a new and more dynamic way of providing connection level protection. This feature is called Real-Time Block Lists. These lists contain hosts known as SPAM sources or open relays, or whole IP ranges. But these lists should not include SMTP hosts that belong to a provider’s dial-up connection ranges. This would lead to thousands of emails sent by dial-up users being rejected.

Block List providers are 3rd party organizations that collect IP addresses of Internet SMTP hosts. When a host initiates an SMTP session with a subscriber of a block list service, the subscriber issues a DNS query to the block list provider’s DNS Server with the connecting host’s IP address. The block list server then answers whether the connecting host is on the block list or not.

To use this feature properly you have to install Exchange Server 2003 Service Pack 2: in earlier versions of Exchange Server 2003 only the directly connecting host was evaluated and not the original sending host, so a spammer behind a firewall or an intermediate SMTP host could not be identified. SP2 solves this by providing perimeter IP lists and an internal IP range configuration in Exchange System Manager.
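To make the block list lookup described above concrete, here is an added example (not from the original article) in PowerShell showing how the query name is built from the connecting IP address and how a provider’s answer is interpreted. The lookup domain bl.example.net and the listing codes (127.0.0.2 for a spam source, 127.0.0.4 for an open relay) are constructed placeholders; each real provider publishes its own lookup zone and return codes.

```powershell
# Added example, not from the original article: how a Real-Time Block List
# lookup is formed and interpreted. "bl.example.net" and the return codes
# below are constructed placeholders, not a real provider's values.

function Get-DnsblQueryName {
    param([string]$ClientIp, [string]$LookupDomain)
    # The connecting host's IPv4 address is written octet-reversed and the
    # provider's zone is appended: 192.0.2.10 -> 10.2.0.192.bl.example.net
    $octets = $ClientIp.Split('.')
    [array]::Reverse($octets)
    return (($octets -join '.') + '.' + $LookupDomain)
}

function Test-DnsblAnswer {
    param([string[]]$Answers, [int]$BitMask)
    # A listed host resolves to one or more 127.0.0.x addresses; the last
    # octet is a bit field that says why it is listed. No answer (NXDOMAIN)
    # means "not listed". The bitmask plays the role of the "match on return
    # status code" setting in Exchange's block list provider configuration.
    foreach ($a in $Answers) {
        $parts = $a.Split('.')
        if ($parts.Length -ne 4 -or $parts[0] -ne '127') { continue }
        if (([int]$parts[3] -band $BitMask) -ne 0) { return $true }
    }
    return $false
}

function Resolve-DnsblListing {
    param([string]$ClientIp, [string]$LookupDomain)
    # Live lookup: an unlisted host produces NXDOMAIN, which .NET reports as
    # a SocketException, so that case is returned as an empty answer set.
    $name = Get-DnsblQueryName -ClientIp $ClientIp -LookupDomain $LookupDomain
    try {
        return @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() })
    } catch [System.Net.Sockets.SocketException] {
        return @()
    }
}

# Constructed sample answers standing in for a provider's DNS response.
$spamSource = 2
$openRelay  = 4
Get-DnsblQueryName -ClientIp '192.0.2.10' -LookupDomain 'bl.example.net'
Test-DnsblAnswer -Answers @('127.0.0.2') -BitMask ($spamSource -bor $openRelay)
Test-DnsblAnswer -Answers @()            -BitMask ($spamSource -bor $openRelay)
```

Restricting the bitmask to specific codes is what lets a subscriber honour only a provider’s "spam source" or "open relay" listings and ignore, for example, dial-up range listings that would reject legitimate mail.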


Figure 2: Block List Filtering (1)


Figure 3: Block List Filtering (2)


Figure 4: Block List Filtering (3)


Figure 5: Block List Filtering (4)

Protocol Level Protection

Protocol level protection against SPAM is another way of filtering spam in the next layer of defense at the SMTP protocol level. The SMTP traffic between sending and receiving hosts is analyzed to verify that the sender and the recipient are allowed hosts.

Recipient and Sender Blocking

The first way of providing protocol level protection is to define individual senders or domains from whom you do not want to accept messages (also known as white and black lists). Exchange Server 2003 can also be configured to block blank sender addresses and to filter recipients who do not exist in Active Directory.

This blocking method prevents the directory harvesting attack (DHA). In this attack, RFC 2821 RCPT TO: commands are sent for many guessed recipients in search of valid email addresses, and the Exchange Server itself answers each of them. When it detects an email that is sent to a non-existent recipient, Exchange returns an “Unknown user” response. Spammers then have the chance to sell the valid email addresses or use them as recipients for unsolicited mail. This threat can be mitigated by using the tarpitting method, which is provided by Windows Server 2003 Service Pack 1. This feature allows the administrator to insert a configurable delay before returning an SMTP protocol response.


Figure 6: Sender Filtering


Figure 7: Recipient Filtering

Sender ID

One of the newest additions to Exchange Server 2003 anti-spam features is Sender ID filtering which comes with Exchange Server 2003 Service Pack 2. Sender ID attempts to verify that the sending host is approved to send messages from the SMTP domain.

There are two parts that need to be available for Sender ID to work. The first is a well-known DNS record, the Sender Policy Framework (SPF) record, which defines which servers are allowed to send SMTP mail for the domain. The other is an SMTP host that supports Sender ID.

Sender ID filtering can greatly reduce UCEs if the sending domains have SPF records registered in DNS, but all domains which do not have SPF records might encounter problems.


Figure 8: Sender-ID Filtering

Content Level Protection

The next option for filtering emails for SPAM is by using content level protection. This means that we can now analyze the message content looking for common clues that may indicate unsolicited email.

Exchange Intelligent Message Filter

With Exchange Server 2003 Service Pack 2, Microsoft provided a content filter called Exchange Intelligent Message Filter. It is based on patented machine-learning technology from Microsoft Research. This SmartScreen technology is already in use by MSN, Microsoft Hotmail and Microsoft Office Outlook 2003, where it is called Junk Email Filtering.

Intelligent Message Filter was designed to distinguish SPAM from non-SPAM based on the characteristics of each email message.

After IMF assigns a Spam Confidence Level (SCL) to the message, the SCL is evaluated against two configured thresholds:

  • Gateway blocking > messages at or above this SCL can be archived, deleted, rejected, or left untouched (no action)
  • Store junk email configuration > messages at or above this SCL are moved to the user’s Junk E-mail folder

IMF can provide anti-phishing filtering, too. It can be configured in detail using the “Custom Weighting” feature which is implemented by an XML file called MSExchange.UceContentFilter.xml and has to be saved in the same directory as the .dll and .dat files of your Exchange Server. IMF can be updated using Windows Server Update Services (WSUS).


Figure 9: Intelligent Message Filtering

Outlook 2003 and Outlook Web Access Junk E-Mail

The last step in filtering Spam is at the Outlook client itself, using an anti-SPAM feature called Junk E-mail Filtering. First it uses the SCL information stamped on the message by IMF. In addition it has its own filtering feature, where each user can configure their own white and black lists for SPAM.



Exchange Server 2007 SPAM filtering features without using Exchange Server 2007 Edge Server

Using Exchange Server 2007 SPAM filtering features without using Exchange Server 2007 Edge Server Role.



Introduction

Many Exchange Server administrators know the anti-spam features from Exchange Server 2003 and find that they are not available by default in Exchange Server 2007 unless the Edge Transport Server Role is deployed as a message hygiene server in the DMZ. By default this functionality exists only in that role, but it can be enabled on any Exchange Server 2007 running the Hub Transport Role. In this article we will have a look at how to enable and configure this feature.


Activating AntiSpamAgent Feature

Adding this functionality to your Hub Transport servers is a pretty simple process. First, launch the Exchange Management Shell. In the Scripts folder created by Exchange setup you will find a PowerShell script that installs the anti-spam agents; it is called install-AntiSpamAgents.ps1. After you run this script, you will need to restart the Exchange Transport service and restart the Exchange Management Console.


Figure 1: Activating AntiSpamAgent Feature

After restarting the Exchange Transport Service, we have a new tab in Exchange Management Console available which will look like this:


Figure 2: The Anti-Spam Tab of Exchange Management Console


We will now take a closer look into each feature of Anti-Spam:

  • Content Filtering
  • IP Allow List
  • IP Allow List Providers
  • IP Block List
  • IP Block List Providers
  • Recipient Filtering
  • Sender Filtering
  • Sender ID
  • Sender Reputation

Content Filtering

The Content Filter agent works with the spam confidence level rating. This rating is a number from 0 to 9 assigned to each message; a high SCL means that the message is most likely spam. Depending on the message rating, you can configure the agent to:

  • Delete the message
  • Reject the message
  • Quarantine the message

You can also customize this filter using your own custom words and configure exceptions if you wish.

IP Allow List

With this feature you are able to configure which IP addresses are allowed to connect to your Exchange Server. So if, for example, you have a dedicated mail relay server in your DMZ, you can add its IP addresses so that your server no longer accepts connections from other servers.

IP Allow List Providers

In general, it is hard to maintain your own “IP Allow Lists” without making mistakes that lead to problems receiving emails from your customers or other business partners. Therefore, you should use a public IP allow list provider that does this work for you. This gives you a higher-quality service and more business value.

IP Block Lists

This feature gives you the possibility to configure IP addresses that are not allowed to connect to your server. Contrary to “IP Allow Lists”, this feature provides a black list and not a white one.

IP Block List Providers

“IP Block List Providers” have also been known in the past as “Blacklist Providers”. Their task is to publish lists of servers / IP addresses that are sending spam. If you want to read more about this, click here.

Recipient Filtering

If you need to block emails to specific internal users or domains, this is the feature you need. You enable the feature and then add the appropriate addresses or SMTP domains to your black list. Another interesting option is recipient validation, which makes the server accept emails only for recipients that are included in your global address list.

Sender Filtering

If you need to block specific external domains or email addresses, this is the feature to use. You can configure a black list of sender addresses or domains from which you will not accept mail.

Sender ID

The Sender ID agent relies on the RECEIVED Simple Mail Transfer Protocol (SMTP) header and a query to the sending system's domain name system (DNS) service to determine what action, if any, to take on an inbound message. This feature is relatively new and requires a specific DNS record to be published by the sending domain.

Sender ID is intended to combat the impersonation of a sender or domain, also called spoofing. A spoofed mail is an e-mail message whose sending address was modified to appear as if it originates from a sender other than the actual sender of the message. Spoofed mails typically carry a FROM header that claims to originate from a specific organization.

The Sender ID evaluation process generates a Sender ID status for each message. The Sender ID status is used to evaluate the SCL rating for that message. This status can have one of the following settings:

  • Pass - IP address is included in the permitted set.
  • Neutral - Published Sender ID data is explicitly inconclusive.
  • Soft fail - IP address may be in the not permitted set.
  • Fail - IP address is in the not permitted set.
  • None - No published data in DNS.
  • TempError - A transient error occurred, such as an unavailable DNS server.
  • PermError - An unrecoverable error occurred, such as a record format error.

The Sender ID status is added to email metadata and is then converted to a MAPI property. The Junk E-mail filter in Microsoft Office Outlook uses the MAPI property during the generation of the spam confidence level (SCL) value.

You can configure this feature to act as the following:

  • Stamp the status
  • Reject
  • Delete

Additional information on how to setup your Sender-ID setting in your public DNS can be found here.

Sender Reputation

Sender Reputation is a new Exchange Server 2007 anti-spam feature that is intended to block messages based on a number of characteristics of the sending host.

The calculation of the Sender Reputation Level is based on the following information:

  • HELO/EHLO analysis
  • Reverse DNS lookup
  • Analysis of SCL
  • Sender open proxy test

Sender reputation weighs each of these statistics and calculates an SRL for each sender. The SRL is a number between 0 and 9. You can then configure what to do with the message in one of the following ways:

  • Reject
  • Delete and archive
  • Accept and mark as blocked sender
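The features walked through above can all be set from the Exchange Management Shell. The following is an added example, not from the original article, that installs the agents and applies one configuration for each agent on a Hub Transport server; the addresses, thresholds, quarantine mailbox, block list provider domain and blocked sender domain are placeholders to be replaced for your environment, and $exscripts is assumed to be the EMS variable pointing at the Scripts folder.

```powershell
# Added example, not from the original article: EMS equivalent of the
# Hub Transport anti-spam configuration described above. All addresses,
# domains, thresholds and the quarantine mailbox are placeholders.

# Activating AntiSpamAgent feature. $exscripts is assumed to be the EMS
# variable for the Scripts folder; agents load after the transport restart.
& "$exscripts\install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport

# Content Filtering: quarantine from SCL 6, reject from 7, delete at 9
# (delete threshold must be above reject, reject above quarantine), plus a
# custom phrase that raises the SCL.
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -QuarantineMailbox "spam-quarantine@example.com"
Add-ContentFilterPhrase -Phrase "make money fast" -Influence BadWord

# IP Allow List: the dedicated relay in the DMZ (placeholder address).
Add-IPAllowListEntry -IPAddress 198.51.100.10

# IP Block List and an IP Block List Provider (placeholder lookup domain;
# -AnyMatch treats every returned 127.0.0.x code as a listing).
Add-IPBlockListEntry -IPRange 192.0.2.0/24
Add-IPBlockListProvider -Name "Example BL" -LookupDomain "bl.example.net" -AnyMatch $true

# Recipient Filtering: accept mail only for recipients that exist in the
# directory (defeats directory harvesting) and black-list a retired address.
Set-RecipientFilterConfig -RecipientValidationEnabled $true `
    -BlockListEnabled $true -BlockedRecipients "oldalias@example.com"

# Sender Filtering: reject blank senders and one blocked domain with subdomains.
Set-SenderFilterConfig -BlankSenderBlockingEnabled $true -Action Reject `
    -BlockedDomainsAndSubdomains "spam-sender.example"

# Sender ID: reject a Fail result; only stamp the status on TempError so a
# sender's DNS outage does not bounce legitimate mail.
Set-SenderIdConfig -SpoofedDomainAction Reject -TempErrorAction StampStatus

# Sender Reputation: block senders whose SRL reaches 7, for 24 hours.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 `
    -SenderBlockingPeriod 24 -OpenProxyDetectionEnabled $true

# Verify that the agents are installed and enabled.
Get-TransportAgent | Format-Table Identity, Enabled, Priority
```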

Conclusion

As you have seen in this article, Exchange Server 2007 provides a lot of features to increase anti-spam functionality on each Exchange Server box. If you do not use a dedicated Exchange Edge Server, you can add this functionality to Exchange Server 2007 Hub Transport as described above. If you define a configuration for your specific server design, you will not have to add third party software to meet your basic business needs.

If you decide you need more than the functions described above, you should consider implementing Microsoft Forefront Security for Exchange Server.



Copyright © 2009 by SERVER TECHNOLOGY