As Exchange Server has adapted over the years, Microsoft has recognized the pitfalls encountered by companies overwhelmed by spam and email viruses. To combat this, Microsoft has consistently improved the features of its bundled tools to provide organizations with protection that, in the past, would have required third-party applications.
Exchange Server 2010 Antispam Measures
Spam is a global problem that affects everyone with an Internet-accessible email address. The spam problem has grown beyond bothersome; it has become an issue that negatively impacts end-user productivity and places a significant burden on messaging systems.
Exchange Server 2010 has many antispam measures built into the application. These methods are especially effective when coupled with Outlook 2007. A few of these features are as follows:
Increased protection through integrated security technologies—
Exchange Server 2010 acts as the first line of defense on incoming
email messages. The Exchange server determines the legitimacy of the
message, and is able to disable links or uniform resource locators
(URLs) to help protect the user community. In addition, Exchange Server
2010 offers new antiphishing capabilities to help prevent emails of this
nature from reaching your users in the first place.
Improved email legitimacy assurance—
Email legitimacy is managed through Email Postmark technology when you
combine Office Outlook 2007/2010 and Exchange Server autoencryption.
Outlook Email Postmark applies a token (actually a computational puzzle
that acts as a spam deterrent) to email messages it sends. This token
can be read by a receiving Exchange Server 2010 server to confirm the
reliability of the incoming message.
Distribution lists restricted to authenticated users—
Using message delivery restrictions, you can configure a distribution
list to accept mail from all senders, or specific senders or groups. In
addition, you can require that all senders be authenticated before their
message is accepted.
Connection filtering—
Improvements have been made in the configuration and management of IP
Block lists, IP Allow lists, IP Block List providers, and IP Allow List
providers. Each of these elements can now be reviewed and configured
directly from the Exchange Management Console.
Content filtering—
Exchange Server 2010 includes the Exchange Intelligent Message Filter,
or IMF, which uses the Microsoft SmartScreen patented “machine-learning”
technology. This content filter evaluates inbound messages and
determines the probability of whether the messages are legitimate,
fraudulent, or spam.
In addition, the IMF consolidates information collected from connection filtering, sender filtering, recipient filtering, sender reputation, Sender ID verification, and Microsoft Office Outlook 2007/2010 Email Postmark validation, and then applies a Spam Confidence Level (SCL) rating to a given message. Based on this SCL rating, an administrator can configure the action taken on the message. These actions might include the following:
Delivery to a user Inbox or Junk E-Mail folder.
Delivery to the spam quarantine mailbox.
Rejection of the message and no delivery.
Acceptance and deletion of the message. The server accepts the message and deletes it instead of forwarding it to the recipient mailbox.
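The four SCL actions listed above map directly onto Content Filter agent thresholds. The following Exchange Management Shell commands are an added example, not from the book; the threshold values and the quarantine mailbox address are assumptions chosen to illustrate the ordering Delete > Reject > Quarantine > Junk.

```powershell
# Added example (not from the book). Thresholds are illustrative; the quarantine
# mailbox is a placeholder and must exist before SCLQuarantineEnabled is set.

# Accept-and-delete silently at SCL 9, reject with an NDR at SCL 8 and above,
# and route SCL 6 and 7 to the spam quarantine mailbox for administrator review.
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
                        -SCLRejectEnabled $true -SCLRejectThreshold 8 `
                        -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
                        -QuarantineMailbox 'spamquarantine@contoso.example'

# Messages that survive transport with SCL 4 or 5 are delivered to the
# recipient's Junk E-Mail folder. This is an organization-wide setting, not a
# Content Filter agent setting, so it lives on Set-OrganizationConfig.
Set-OrganizationConfig -SCLJunkThreshold 4

# Review the resulting policy before relying on it.
Get-ContentFilterConfig | Format-List SCL*,QuarantineMailbox
Get-OrganizationConfig | Format-List SCLJunkThreshold
```

Keep each threshold strictly above the next so a message is never eligible for two actions at once; an overlapping configuration is accepted by the cmdlets but makes the quarantine mailbox useless.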
Antispam updates—
Exchange Server 2010 now offers update services for its antispam components. The standard Exchange Server 2010 antispam filter updates every 2 weeks. The Forefront Security for Exchange Server antispam filter updates every 24 hours.
Spam quarantine—
The spam quarantine provides a temporary storage location for messages
that have been identified as spam and that should not be delivered to a
user mailbox. Messages that have been labeled as spam are enclosed in a
nondelivery report (NDR) and are delivered to a spam quarantine mailbox.
Exchange Server administrators can manage these messages and can
perform several actions, such as rejecting the message, deleting it, or
flagging it as a false positive and releasing it to the originally
intended recipient. In addition, messages with an SCL rating that the administrator
has defined as “borderline” can be released to the user’s Junk E-Mail
folder in Outlook. These borderline messages are converted to plain text
to provide additional protection for the user.
Recipient filtering—
In the past, an email that was addressed to a specific domain would
enter that domain’s messaging service, regardless of whether it was
addressed to a valid recipient. This not only utilized bandwidth, but
also required Exchange servers to process the messages, create a
nondelivery report (NDR), and send that message back out. Now, by using
the EdgeSync process on your Hub Transport server, you can replicate
recipient data from the enterprise Active Directory into the Exchange
Active Directory Application Mode (ADAM) instance on the Edge Transport
server. This enables the Recipient Filter agent to perform recipient
lookups for inbound messages. Now, you can block messages that are sent
to nonexistent users (or to internal use only distribution lists).
SenderID—
First implemented in Exchange Server 2003 SP2, Sender ID filtering
technology primarily targets forgery of email addresses by verifying
that each email message actually originates from the Internet domain
that it claims to. Sender ID examines the sender’s IP address and compares it to the Sender ID record published in the originator’s public DNS. This is one way of eliminating spoofed email before it enters your organization and uses your company resources.
Sender reputation—
The Sender Reputation agent uses patented Microsoft technology to
calculate the trustworthiness of unknown senders. This agent collects
analytical data from Simple Mail Transfer Protocol (SMTP) sessions,
message content, Sender ID verification, and general sender behavior and
creates a history of sender characteristics. The agent then uses this
knowledge to determine whether a sender should be temporarily added to
the Blocked Senders list.
IP Reputation Service—
Provided by Microsoft exclusively for Exchange Server 2010 customers,
this service is an IP Block list that allows administrators to implement
and use IP Reputation Service in addition to other real-time Block list
services.
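The connection filtering, recipient filtering, Sender ID, and sender reputation agents described above are all switched on from the Exchange Management Shell on the Edge Transport server. The block below is an added example, not from the book; the block list provider name, its lookup domain, and the internal-only distribution list address are placeholders.

```powershell
# Added example (not from the book). Provider, lookup domain and the blocked
# distribution list address are placeholders, not real services or addresses.

# Recipient filtering: reject mail to addresses that do not exist in the
# EdgeSync-replicated directory, and to an internal-only distribution list,
# so the Hub Transport server never has to generate an NDR for them.
Set-RecipientFilterConfig -RecipientValidationEnabled $true `
                          -BlockListEnabled $true `
                          -BlockedRecipients 'allstaff@contoso.example'

# Sender ID: reject (rather than only stamp) messages whose sending IP is not
# authorized by the DNS record of the domain they claim to come from.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject -TempErrorAction StampStatus

# Sender reputation: once an unknown sender's reputation level reaches 7,
# add it to the Blocked Senders list for 24 hours.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# Connection filtering: consult a real-time block list provider and reject
# any connection whose source IP is listed.
Add-IPBlockListProvider -Name 'ExampleRBL' -LookupDomain 'rbl.provider.example' -AnyMatch $true `
                        -RejectionResponse 'Connection rejected: source IP is listed by ExampleRBL'

# Confirm the agents are present and enabled on this server.
Get-TransportAgent | Where-Object { $_.Identity -like '*Filter*' -or $_.Identity -like '*Sender*' }
```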
Outlook junk email filter lists aggregation—
This feature helps reduce false positives in antispam filtering by
propagating Outlook 2003/2007/2010 Junk Email Filter lists to Mailbox
servers and to Edge Transport servers.
Additional Antispam Measures
In the battle against spam, passive measures protect your organization, but more aggressive measures can help lessen the problem overall. The following sections cover some suggestions of ways that your organization can help fight back.
Utilizing Blacklists
Many companies are unknowingly serving as open relays. Many spammers take advantage of this lack of security and utilize the organization’s messaging system to send their unsolicited email. When a company or domain is reported as an open relay, the domain can be placed on a blacklist. This blacklist, in turn, can be used by other companies to prevent incoming mail from a known open relay source.
You can find some organizations that maintain blacklists at the following addresses:
Report Spammers
Organizations and laws are getting tougher on spammers, but spam prevention requires users and organizations to report the abuse. Although this is often a difficult task because the source is frequently undecipherable, it is nonetheless important to take a proactive stance and report abuses.
Users should contact the system administrator or help desk if they receive or continue to receive spam, virus hoaxes, and other such fraudulent offers. System administrators should report spammers and contact mail abuse organizations, such as those listed earlier in the “Utilizing Blacklists” section.
System administrators should use discretion before reporting or blocking an organization. For example, if your company were to receive spam messages that appeared to originate from Yahoo! or Hotmail, it wouldn’t necessarily be in your best interest simply to block those domains. In that example, the cure might be worse than the disease, so to speak.
Third-Party Antispam Products
Although Microsoft has equipped users, system administrators, and third-party organizations with many of the tools necessary to combat spam, the additional use of a third-party product, or products, can provide additional protection. These third-party products can also provide a multitude of features that help with reporting, customization, and filtering mechanisms to maximize spam blocking while minimizing false positives.
Do Not Use Open SMTP Relays
By default, Exchange Server 2010 is not configured to allow open relays. If an SMTP relay is necessary in the messaging environment, take the necessary precautions to ensure that only authorized users or systems have access to these SMTP relays.
Note
You can use the Exchange Best Practice Analyzer, or other tools such as Sam Spade (www.samspade.org/), to check your environment for open mail relays.
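In Exchange Server 2010 a connector becomes a relay when the Anonymous logon is granted the ms-Exch-SMTP-Accept-Any-Recipient right on it, so that right is what to audit. The following report is an added example, not from the book or the Best Practice Analyzer; it only reads permissions and changes nothing.

```powershell
# Added example (not from the book): list Receive connectors on which the
# Anonymous logon can relay to any recipient. An intended internal relay
# should pair this right with a tightly scoped RemoteIPRanges; a connector
# whose range still covers all addresses is an open relay.
$anon = 'NT AUTHORITY\ANONYMOUS LOGON'

Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    Get-ADPermission -Identity $rc.Identity -User $anon -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') -and -not $_.Deny
        } |
        ForEach-Object {
            # New-Object is used instead of [PSCustomObject] so the script runs
            # in the PowerShell 2.0 shell that ships with Exchange Server 2010.
            New-Object PSObject -Property @{
                Connector   = $rc.Identity
                Bindings    = ($rc.Bindings -join ', ')
                RemoteRange = ($rc.RemoteIPRanges -join ', ')
            }
        }
} | Format-Table Connector, Bindings, RemoteRange -AutoSize
```

Any connector that appears with a RemoteRange of 0.0.0.0-255.255.255.255 accepts relay from the whole Internet; restrict its RemoteIPRanges to the authorized application servers or remove the permission with Remove-ADPermission.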
Protecting Exchange Server 2010 from Viruses
Exchange Server 2010 includes many improvements to assist organizations with their antivirus strategies. The product continues to support the Virus Scanning Application Programming Interface (VSAPI). In addition, Microsoft has made a significant investment in the creation of more effective, efficient, and programmable virus scanning at the transport level.
A few of the antivirus measures included in Exchange Server 2010 are listed as follows:
Transport agents— Exchange Server 2010 improves upon the concept of transport agents that was introduced with Exchange Server 2007. Agents
are managed software components that perform a task in response to an
application event. These agents act on transport events, much like event
sinks in earlier versions of Exchange Server. Third-party developers
can write customized agents that are capable of utilizing the Exchange
Multipurpose Internet Mail Extensions (MIME) parsing engine allowing
extremely robust antivirus scanning. The Exchange Server 2010 MIME
parsing engine has evolved over many years of Exchange Server
development and is likely the most trusted and capable MIME engine in
the industry.
Antivirus stamping—
Exchange Server 2010 provides antivirus stamping, a method of stamping
messages that were scanned for viruses with the version of the antivirus
software that performed the scan and the result of the scan. This
feature helps reduce the volume of antivirus scanning across an
organization because, as the message travels through the messaging
system with the antivirus stamp attached, other systems can immediately
determine whether additional scanning must be performed on the message.
Attachment filtering—
In Exchange Server 2010, Microsoft has implemented attachment filtering
by a transport agent. By enabling attachment filtering on your
organization’s Edge Transport server, you can reduce the spread of
malicious attachments before they enter the organization.
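The Attachment Filter agent is configured entirely from the Exchange Management Shell on the Edge Transport server. The commands below are an added example, not from the book; the file name patterns, content type, and response text are illustrative choices.

```powershell
# Added example (not from the book). Which extensions and content types to
# block is a policy decision; the values here are illustrative only.

# Show the current action (Reject, Strip or SilentDelete) and response text.
Get-AttachmentFilterListConfig

# Reject the whole message with an NDR when a filtered attachment is found.
# Strip would instead deliver the message with the attachment replaced by
# the AdminMessage text; SilentDelete drops the message without any notice.
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse 'Message rejected: the attachment type is not permitted by policy' `
    -AdminMessage 'An attachment was removed from this message by policy.'

# Entries are matched both by file name pattern and by the declared MIME
# content type, so a renamed executable with a telltale content type is
# still caught.
foreach ($pattern in '*.exe', '*.scr', '*.pif', '*.vbs') {
    Add-AttachmentFilterEntry -Name $pattern -Type FileName
}
Add-AttachmentFilterEntry -Name 'application/x-msdownload' -Type ContentType

# Review the complete filter list.
Get-AttachmentFilterEntry
```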
Note
Although Exchange Server 2010 provides features to help minimize an organization’s exposure to viruses, it does not have true, built-in antivirus protection, as Exchange Server does not actually scan messages or attachments to look for infection. However, continued support for the built-in Virus Scanning Application Program Interface (VSAPI) allows specialized antivirus programs to connect their applications to your Exchange Server environment to scan messages as they are handled by Exchange Server.
Forefront Security for Exchange Server
Designed by Microsoft specifically for Exchange Server 2010, Forefront Security for Exchange Server is the next generation of Microsoft Antigen for Exchange Server. Because these products were designed specifically to work together, Forefront integrates with Exchange Server 2010 to provide improved protection, performance, and centralized management.
Forefront Security for Exchange Server delivers the following:
Advanced protection against viruses, worms, phishing, and other threats by utilizing up to five antivirus engines simultaneously at each layer of the messaging infrastructure
Optimized performance through coordinated scanning across Edge, Hub, and Mail servers and features such as in-memory scanning, multithreaded scanning processes, and performance bias settings
Centralized management of remote installation, engine and signature updating, reporting, and alerts through the Forefront Server Security Management Console
Although the client antivirus protection that is provided by Forefront Security for Exchange Server is language independent, the setup, administration of the product, and end-user notifications are currently available in 11 server languages. When Forefront Security for Exchange Server detects a message that appears to be infected with a virus, the system generates a notification message and sends it to the recipient’s mailbox. This message is written in the language of the server running Forefront because the server is not able to detect the language of the destination mailbox.
Third-Party Antivirus Products for Exchange Server
In addition, there are many third-party antivirus vendors in the marketplace. At the time of this writing, there was little to no documentation on their websites about future integration with Exchange Server 2010; however, there is no doubt that most of these companies will have compatible products ready by the time the product is released.
Many mechanisms can be used to protect the messaging environment from viruses and other malicious code. Most third-party virus-scanning products scan for known virus signatures and provide some form of heuristics to scan for unknown viruses. Other antivirus products block suspicious or specific types of message attachments at the point of entry before a possible virus reaches the Information Store.
Antivirus products keep viruses from reaching the end user in two fundamental ways:
Gateway scanning—
Gateway scanning works by scanning all messages as they go through the
SMTP gateway (typically connected to the Internet). If the message
contains a virus or is suspected of carrying a virus, the antivirus
product can clean, quarantine, or delete it before it enters your
Exchange Server organization.
Mailbox scanning—
Mailbox scanning is useful to remove viruses that have entered the
Information Store. For example, a new virus might make it into the
Exchange Server environment before a signature file that can detect it
is in place. These messages on the Information Store cannot be scanned
by a gateway application; however, with an antivirus product that is
capable of scanning the Information Store, these messages can be found
and deleted.
Antivirus Outsourcing
Although an organization can put in place many gateway antivirus products to address antispam and antivirus issues, outsourcing these tasks has gained popularity in recent years.
Companies specializing in antivirus and antispam are able to host your
organization’s MX records, scanning all messages bound for your company,
and forwarding the clean messages to your organization. Although this
removes a level of control from your administrators, many organizations
are finding this outsourcing cost-effective, as they no longer have to
maintain staff devoted strictly to these measures.