Exchange Server 2010 : Managing Anti-Spam and Antivirus Countermeasures (part 1) - Configuring Anti-Spam Features

Quarantined messages are placed in the spam quarantine mailbox, and this lesson looks at how you specify this mailbox. The lesson also considers how you manage updates for content filters. If you choose to use file-level antivirus scanners, you can avoid the problems associated with such software by configuring exclusions. The lesson looks at directory, process, and file exclusions.

You can configure Exchange Server 2010 to deal with spam and viruses on both Edge Transport and Hub Transport servers. In the production environment, you would typically block spam and viruses (as much as possible) on a perimeter network. Your Edge Transport servers are the first to receive external email, and it is on these servers that you should discard communication that is harmful to your organization’s health. Cleaning your email traffic flow before it reaches the internal network is a superior strategy to relying on mail filters and antivirus software installed on desktop computers.

Although you can configure a Hub Transport server to deal with spam and viruses—and you may have to if you suspect that some of these are internally generated—not all the available anti-spam and antivirus transport agents function on a Hub Transport server. Installing one or more Edge Transport servers in a production organization typically results in a significant reduction virus and spam messages delivered to user mailboxes.

1. Configuring Anti-Spam Features

In Exchange Server 2010, incoming messages pass through a series of transport agents before they are forwarded to user mailboxes. Each of these transport agents concentrates on a different aspect of the incoming message, such as the Internet Protocol (IP) address of the SMTP server where the message originates, the sender’s address, or the likelihood that the message is actually spam. The following built-in transport agents are installed by default on an Edge Transport server:

• Connection Filtering agent

• Address Rewriting Inbound agent

• Edge Rule agent

• Content Filter agent

• Sender ID agent

• Sender Filter agent

• Recipient Filter agent

• Protocol Analysis agent

• Attachment Filtering agent

• Address Rewriting Outbound agent

You can view the transport agents in the order in which they are applied by entering the following EMS command:

Get-TransportAgent

If the Microsoft Exchange Transport service is running and at least one message has been sent through the system, the following command shows all the enabled transport agents—and the SMTP events on which they are registered—that have encountered messages in the transport pipeline between the time when the Microsoft Exchange Transport service was started and the time when the command runs:

Get-TransportPipeline

Only the transport agents that encountered a message are displayed using this command.

1.1. Connection Filtering

You can enable the Connection Filter anti-spam agent and its associated connection filtering features on an Edge Transport server. The agent filters all messages that come through all Receive connectors on that server. Only messages that come from nonauthenticated external sources—that is, anonymous Internet sources—are filtered.

The Connection Filter agent enables the following features:

• IP block list

• IP allow list

• IP block list providers

• IP allow list providers

Each of these features can be enabled or disabled separately. By default, the Connection Filter agent is enabled on Edge Transport servers. To disable connection filtering using the IP allow list, you enter the following EMS command:

Set-IPAllowListConfig -Enabled $false

To enable connection filtering using the IP allow list (assuming it has been previously disabled), you enter the following EMS command:

Set-IPAllowListConfig -Enabled $true

To remove an IP allow list provider (for example, treyresearch.com) from connection filtering configuration, enter the following EMS command:

Remove-IPAllowListProvider -Identity treyresearch.com

To disable connection filtering using the IP block list, you enter the following EMS command:

Set-IPBlockListConfig -Enabled $false

To configure the Connection Filter agent to block an IP address if any IP address status codes are returned by the IP block list provider fabricam.com, you enter the following EMS command:

Set-IPBlockListProvider -Identity fafricam.com -AnyMatch $true

You can also disable connection filtering entirely by disabling the Connection Filtering agent using the following command (note that you need to confirm this action unless you use the –Confirm:$false switch):

Disable-TransportAgent -Identity "Connection Filtering agent"

When an incoming message arrives on an Edge Transport server and connection filtering is enabled, the IP address of the SMTP server that sent the message is compared against IP allow and block lists. Action is then taken, as shown in Table 1.

IP block and allow lists are also known as blacklists and whitelists, respectively. Block lists are also known as real-time block lists (RBLs) because they are queried each time mail arrives from a new IP address. They can be configured by adding entries as the need arises. You can also subscribe to IP block and allow list providers. In particular, third-party IP block list providers are typically used by Exchange Server 2010 organizations. This allows a third-party organization to keep your list of the IP addresses of malware senders up to date. IP block list providers generate their lists based on spam reports and the spam that they have received from SMTP servers located on the Internet.

Messages received from SMTP servers on the block list will always be discarded, even if they also appear on the allow list. The only way to receive email from an SMTP server on a block list is to remove it from the block list. If you added the IP address to the block list during configuration, you can remove it. If, on the other hand, it is obtained from a block list provider, you may need to intercede with the block list provider.

You can add IP addresses, IP subnets, or IP address ranges to the IP allow list. Email messages from these sources will not be blocked by connection filtering. You can also specify a list of IP allow list providers. These providers supply IP addresses for your IP allow list.

The following EMS command adds the IP address 10.20.0.123 to the IP allow list:

Add-IPAllowListEntry -IPAddress 10.20.0.123

Note that the Microsoft Exchange Transport service must be running on the local Edge Transport server. Also, this command requires confirmation unless the –Confirm switch is used. The following EMS command adds the IP address 10.20.0.125 to the IP allow list and configures it to expire on February 2, 2011, at 11:00 AM:

Add-IPAllowListEntry -IPAddress 10.20.0.125 -ExpirationTime "2/2/2011 11:00"

					  

Note:

In Exchange Server 2010, you can configure expiry for both IP allow and IP block lists. In Exchange Server 2007, you could configure this only for IP block lists.

The following EMS command adds the IP subnet 10.30.1.1/25 to the IP allow list:

Add-IPAllowListEntry -IPRange 10.30.1.1/25

The following EMS command adds the IP range 10.20.20.100 through 10.20.20.200 to the IP allow list:

Add-IPAllowListEntry -IPRange 10.20.20.100-10.20.20.200

To remove an address from the IP allow list, you need to specify its ID. The most straightforward way of accomplishing this is to pipe the output of the Get-IPAllowListEntry EMS cmdlet to the Remove-IPAllowListEntry EMS cmdlet. For example, the following command removes the IP address 10.20.0.123 from the IP allow list:

Get-IPAllowListEntry -IPAddress 10.20.0.123 | Remove-IPAllowListEntry

You can use the IP allow list providers feature to determine whether the Messaging server that initiated a connection is a host that can be relied on not to send spam. The Connection Filter agent queries the specified IP allow list provider services to determine if the source IP address of the message is on the IP allow list.

The following EMS command adds a new IP allow list provider called Trey Research Provider:

Add-IPAllowListProvider -Name "Trey Research Provider" -LookupDomain "treyresearch.com"
-AnyMatch $true

					  

Figure 1 shows the output from this command.

You can specify an order of preference for allow list providers. The following EMS command configures the same IP allow list provider to be the top preferred provider:

Set-IPAllowListProvider "Trey Research Provider" -Priority 1

The following EMS command removes the IP allow list provider Trey Research Provider (note that this command requires confirmation):

Remove-IPAllowListProvider -Identity "Trey Research Provider"

Add-IPBlockListEntry -IPAddress 10.50.4.127

The following EMS command adds the IP subnet 10.0.100.1/24 to the IP block list:

Add-IPBlockListEntry -IPRange 10.0.100.1/24

The following EMS command adds the IP range 10.40.150.120 through 10.40.150.179 to the IP block list:

Add-IPBlockListEntry -IPRange 10.40.150.120-10.40.150.179

As with allow lists, the easiest way to remove an address from the IP block list is to pipe the output of the Get-IPBlockListEntry EMS cmdlet to the Remove-IPBlockListEntry EMS cmdlet. For example, the following EMS command removes the IP address 10.50.4.127 from the IP allow list:

Get-IPBlockListEntry -IPAddress 10.59.4.127 | Remove-IPBlockListEntry

If you want to remove a range, specify an IP address that is within that range for the IPAddress parameter of the Get-IPBlockListEntry cmdlet. The following EMS command removes the subnet 10.0.100.1/24:

Get-IPBlockListEntry -IPAddress 10.0.100.1 | Remove-IPBlockListEntry

If the IP block list providers feature is enabled on a computer, the Connection Filter agent queries the specified IP block list provider services to determine if the Messaging server that initiated the connection is a host that is known to send spam. By default, this anti-spam feature is only available on Edge Transport servers. The following EMS command adds a new IP block list provider called “Trey Block List Provider” and configures it to use bitmask matching for 127.0.0.1 (block messages from IP addresses that are on the block list):

Add-IPBlockListProvider -Name "Trey Block List Provider" -LookupDomain treyresearch.com
-BitMaskMatch 127.0.0.1

					  

Figure 2 shows the output from this command.

The following EMS command configures the Trey Block List Provider service to use a custom rejection response:

Set-IPBlockListProvider "Trey Block List Provider" -RejectionResponse "Your message was
rejected because the IP address of the server sending your message is in the block list
of the Trey Block List Provider service."

					  

Content filtering uses algorithms to assess the contents of a message and provide a rating that indicates how likely the message is to be spam. How the message is then treated depends on the threshold values that you set. You can configure Exchange to drop any message that has even a minimal likelihood of being spam, you can configure Exchange to reject only those messages that are very likely to be spam, or (typically) you can choose settings that filter out most spam but avoid false positives—that is, filtering out valid messages that are not spam.

The search algorithms look for patterns within messages rather than merely looking for specific words. These algorithms are updated on a regular basis because spammers are continually attempting to get around detection software.

Content filtering is enabled by default on an Edge Transport server only for inbound, unauthenticated messages from the Internet, which are then handled as external messages. The following EMC command disables content filtering:

Set-ContentFilterConfig -Enabled $false

The following EMC command enables content filtering if it has previously been disabled:

Set-ContentFilterConfig -Enabled $true

You can enable or disable content filtering specifically for internal and external messages. By default, content filtering is enabled for external messages and disabled for internal messages.

The following EMS command disables content filtering for external messages:

Set-ContentFilterConfig -ExternalMailEnabled $false

The following EMS command enables content filtering for internal messages:

Set-ContentFilterConfig -InternalMailEnabled $true

However, you should not (as a best practice) filter messages from trusted partners or from inside your organization. When you run anti-spam filters, there is always a risk that the filters detect false positives. To reduce the risk of mishandling legitimate email messages, you should enable anti-spam agents to run only on messages from potentially untrusted and unknown sources.

You can use the Set-ContentFilterConfig, Add-ContentFilterPhrase, and Remove-ContentFilterPhrase EMS cmdlets to modify your content filtering settings. For example, you might want to block all email messages whose subject lines contain the words “lose weight” or “earn extra cash.” On the other hand, if you work for an organization that, for example, manufactures bicycles, you might want to allow email messages whose subject lines contain words such as “bicycle,” “chain,” “wheel,” “handlebars,” and so on.

You can use the Add-ContentFilterPhrase cmdlet to add both allowed and blocked words and phrases. The value of the Influence parameter determines if the word or phrase is allowed or blocked. For example, the following EMS commands allow all messages that contain the word “bicycle” and block all messages that contain the phrase “earn extra cash”:

Add-ContentFilterPhrase -Phrase "bicycle" -Influence GoodWord
Add-ContentFilterPhrase -Phrase "earn extra cash" -Influence BadWord

Figure 3 and Figure 4 show the output from these commands.

Sometimes you do not want to apply content filtering to email messages sent to a specific recipient or received from a specific sender. You can use the Set-ContentFilterConfig EMS cmdlet to configure both recipient and sender exceptions. For example, the following EMS command creates an exception for the recipient KimAkers@adatum.com so that messages sent to this recipient are not checked by the content filter agent:

Set-ContentFilterConfig -BypassedRecipients KimAkers@adatum.com

The following EMS command creates an exception for the senders PatrickHines@fabrikam.com and RussellKing@fabricam.com so that messages received from these senders are not checked by the content filter agent:

Set-ContentFilterConfig -BypassedSenders PatrickHines@fabrikam.com,
RussellKing@fabricam.com

You can also bypass content filtering for all messages received from specific domains. The following EMS command creates an exception for the domain contoso.com so that messages received from this domain are not checked by the content filter agent:

Set-ContentFilterConfig -BypassedSenderDomains contoso.com

The following EMS command creates an exception for the domain fabricam.com and all its subdomains and for the domain treyresearch.com:

Set-ContentFilterConfig -BypassedSenderDomains *.fabrikam.com,treyresearch.com

					  

After analyzing the content of a message, the content filter assigns an SCL rating to the message. How those messages are treated depends on the configuration. You can use the Set-ContentFilterConfig EMS cmdlet to configure SCL thresholds and actions. The Delete action takes precedence over the Reject action, and the Reject action takes precedence over the Quarantine action. Therefore, the SCL threshold for the Delete action must be greater than the SCL threshold for the Reject action, which in turn should be greater than the SCL threshold for the Quarantine action.

For example, you may want messages that have an SCL rating of 5 or 6 to be forwarded to the quarantine mailbox, messages that have an SCL rating of 7 or 8 to be rejected, and messages with an SCL rating of 9 to be deleted. The difference between rejection and deletion is that the sender is informed when a message is rejected. In the case of deletion, the sender receives no response.

The following EMS commands enable the Delete action and set the corresponding SCL threshold to 9, enable the Reject action and set the corresponding SCL threshold to 7, and enable the Quarantine action and set the corresponding SCL threshold to 5:

Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5

					  

Note that the command to enable the Quarantine action works only if a quarantine mailbox has been specified, as described in the next section of this lesson. If you enable the Reject action, you can customize the response sent to the message originator when a message is rejected. The following EMS command configures the content filter agent to send the rejection response “Your message has been rejected because it was judged to be spam”:

Set-ContentFilterConfig -RejectionResponse "Your message has been rejected because it
was judged to be spam."

					  

Note:

MAXIMUM LENGTH OF REJECTION RESPONSE

Your rejection response should not exceed 240 characters.

If you enable message quarantine, you need to specify a quarantine mailbox. This is a specially created mailbox to which all messages that meet the SCL quarantine levels are forwarded. You should place the quarantine mailbox in a separate mailbox database. If you are going to use quarantine, you need to ensure that someone checks the quarantine mailbox on a regular basis to see how much legitimate email and how much spam it contains. By assessing the contents of the quarantine mailbox, you can determine whether your SCL levels are correctly configured. You can also, when appropriate, release legitimate messages to their intended recipients by using the Send Again feature in Microsoft Office Outlook.

You can use the EMS but not the EMC to specify a quarantine mailbox. The following EMS command sends all messages that meet the spam quarantine SCL level to spamquarantine@adatum.com:

Set-ContentFilterConfig -QuarantineMailbox spamquarantine@adatum.com

The following EMS command ensures that all incoming messages that have an SCL rating of 5 or higher are forwarded to the mailbox spamquarantine@adatum.com (unless other settings result in messages with higher SCLs being rejected or deleted):

Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold
5 -QuarantineMailbox spamquarantine@adatum.com

1.5. Recipient Filtering

Recipient filtering allows you to block messages based on whom they are sent to. This technology is most often used to block messages sent to recipients that are not listed in the global address list (GAL). Some spammers send messages to common names at a particular address, hoping to get a hit. If recipient filtering is enabled, messages will be forwarded from an Edge Transport server to an internal Hub Transport server only if the recipient is listed in the GAL. GAL information is stored within the Active Directory Application Mode directory service. If this setting is not enabled, the Hub Transport server will reject the invalid address.

When recipient filtering is enabled on a server, it filters all messages that come through all Receive connectors on that server. Recipient filtering is enabled by default on an Edge Transport server for inbound messages that come from the Internet but are not authenticated.

The following EMS command disables recipient filtering:

Set-RecipientFilterConfig -Enabled $false

You can use the Set-RecipientFilterConfig EMS cmdlet to manage recipient filtering. For example, the following EMS cmdlet configures the recipient filter agent to block recipients on the Recipients block list:

Set-RecipientFilterConfig -BlockListEnabled $true

You can use the BlockedRecipients parameter of the Set-RecipientFilterConfig EMS cmdlet to add SMTP addresses to the Recipient block list. If you want to specify multiple SMTP addresses, you can separate them with commas. The following EMS command adds the email addresses CEO@adatum.com and Comptroller@adatum.com to the Recipient block list:

Set-RecipientFilterConfig -BlockedRecipients CEO@adatum.com,Comptroller@adatum.com

					  

However, you need to be careful when using this type of command. The SMTP addresses that you specify replace the existing list of SMTP addresses. To preserve the existing list, you can use a temporary Shell variable to add an address to the Recipient block list. The following set of EMS commands uses the temporary variable $Listing to hold the current list of SMTP addresses. You add the new address temp@adatum.com to the variable so that the existing addresses are retained and the new address is added when the variable is applied to the Recipient block list:

$Listing = Get-RecipientFilterConfig
$Listing.BlockedRecipients += "temp@adatum.com"
Set-RecipientFilterConfig -BlockedRecipients $Listing.BlockedRecipients

The following EMS command blocks messages to recipients that do not exist in your organization:

Set-RecipientFilterConfig -RecipientValidationEnabled $true

The Sender Filter agent is an anti-spam filter that is enabled by default on Edge Transport servers. The agent relies on the MAIL FROM: SMTP header to determine what action, if any, to take on an inbound email message. When sender filtering functionality is enabled on an Edge Transport server, it filters all messages that come through all Receive connectors on that computer. You use sender filtering to drop messages on the basis of the sender’s email address.

Sender filtering can be configured for a specific sender address or the sender’s domain. For example, you can filter the sender address KimAkers@adatum.com or filter all email messages that come from the @adatum.com domain. Sender filtering is often used to block incoming email from email domains that provide free addresses. It is also possible to configure the blocked senders list to automatically block messages that have no sender information.

The following EMS command disables sender filtering:

Set-SenderFilterConfig -Enabled $false

The following EMS command enables sender filtering if it has previously been disabled:

Set-SenderFilterConfig -Enabled $false

You use the Set-SenderFilterConfig cmdlet to manage sender filtering. You can configure two actions for messages whose sender appears on the blocked senders list. These actions are the following:

• Reject Message The message is deleted.

• Stamp Message with Blocked Sender and Continue Processing The message’s metadata is modified to indicate that the message has come from a blocked sender.

The following EMS command configures the Sender Filter agent to block messages from the specific email addresses KimAkers@adatum.com and DonHall@adatum.com:

Set-SenderFilterConfig -BlockedSenders KimAkers@adatum.com,DonHall@adatum.com

					  

The following EMS command configures the Sender Filter agent to block messages from the specific domain treyresearch.com:

Set-SenderFilterConfig -BlockedDomains treyresearch.com

The following EMS command configures the Sender Filter agent to block messages from the northwindtraders.com domain and all its subdomains:

Set-SenderFilterConfig -BlockedDomainsAndSubdomains *.northwindtraders.com

The values that you specify by using the parameters such as BlockedSenders, BlockedDomains, and BlockedDomainsAndSubdomains replace the existing list of blocked senders. To preserve the existing list, you can use a temporary Shell variable to add an address or domain to the blocked senders list. The following EMS commands use the temporary variable $Listing to add the sender ChenYang@adatum.com and the domain tailspintoys.com to the blocked senders list:

$Listing = Get-SenderFilterConfig
$Listing.BlockedSenders += "ChenYang@adatum.com"
$Listing.BlockedDomains += "tailspintoys.com"
Set-SenderFilterConfig -BlockedSenders $Listing.BlockedSenders -BlockedDomains $Listing.
BlockedDomains

					  

The following EMS command configures the Sender Filter agent to block messages that do not specify a sender in the MAIL FROM: SMTP header:

Set-SenderFilterConfig -BlankSenderBlockingEnabled $true

The Sender ID agent is an anti-spam agent enabled on Edge Transport servers. The agent relies on the RECEIVED SMTP header and queries the sending system’s DNS service to determine what action, if any, to take on an inbound message.

Sender ID is designed to combat spoofing, which is the impersonation of a sender and a domain. A spoofed email is a message that has a modified sending address and appears as if it originates from a sender other than its actual sender. Spoofed mails typically contain a From address that purports to be from a reputable organization.

When you enable Sender ID in Exchange Server 2010, each message contains a Sender ID status in the metadata of the message. When an email message is received, the Edge Transport server queries the sender’s DNS server to verify that the IP address from which the message was received is authorized to send messages for the domain that is specified in the message headers. The IP address of the authorized sending server is referred to as the Purported Responsible Address (PRA).

The Edge Transport server updates the message metadata with the Sender ID status based on the SPF record. After the Edge Transport server updates the message metadata, it delivers the message as normal.

The Sender ID evaluation process generates a Sender ID status for the message, which used to evaluate the SCL rating. This status can be set to one of the following values:

• Pass Both the IP address and PRA passed the Sender ID verification check.

• Neutral The published Sender ID data is inconclusive.

• Soft fail The IP address for the PRA may not be permitted.

• Fail The IP Address is not permitted, no PRA is found in the incoming mail, or the sending domain does not exist.

• None No published SPF data exists in the sender’s DNS.

• TempError A temporary DNS failure occurred (for example, an unavailable DNS server).

• PermError The DNS record is invalid. For example, there is an error in the record format.

The Sender ID status is added to the message metadata and is later converted to a Messaging Application Program Interface (MAPI) property. The junk email filter in Office Outlook uses the MAPI property during the generation of the SCL value.

The Sender ID evaluation process may reveal instances where the From IP address is missing. If the From IP address is missing, the Sender ID status cannot be set. In this case, Exchange Server 2010 continues to process the message without including a Sender ID status on the message. The message is not discarded or rejected, but an application event is logged.

You can define how an Edge Transport server handles messages that are identified as spoofed mail and how it handles messages when a DNS server cannot be reached. The available options include the following:

• Delete This option deletes the message without informing the sending system of the deletion. Instead, the Edge Transport server sends a fake OK SMTP command to the sending server and then deletes the message. Because the sending server assumes the message was sent, it does not retry sending the message.

• Reject The message is rejected, and an SMTP error response is returned to the sending server. The error response is a 5xx-level protocol response with text that corresponds to the Sender ID status.

• Stamp the status All inbound messages to your organization have the Sender ID status included in the metadata of the message. This is the default action.

The effectiveness of Sender ID in combating spoofing depends on specific DNS data. The more organizations that update their Internet-facing DNS servers by using an SPF record, the more effectively Sender ID identifies spoofed email messages. To support the Sender ID infrastructure, you need to update your Internet-facing DNS data by creating an SPF record and hosting the SPF record on your public DNS servers.

For example, the following EMS command configures the Sender ID agent to reject any messages that were spoofed—these are messages where the IP address of the sending server is not listed as an authoritative SMTP sending server in the DNS SPF record for the sending domain:

Set-SenderIDConfig -SpoofedDomainAction Reject

You can also configure Sender ID action for transient errors. For example, it is considered a transient error if a DNS server is unavailable when Exchange attempts to verify the Sender ID for a sending domain. The following EMS command configures the Sender ID agent to stamp the messages for which the Sender ID status cannot be determined because of a temporary error—the message is processed by other anti-spam agents, and the Content Filter agent uses the mark when determining the SCL value for the message:

Set-SenderIDConfig -TempErrorAction StampStatus

You can set exceptions so that messages sent to a specific recipient or received from a specific sender domain bypass the Sender ID check. For example, the following EMS command configures the Sender ID agent to bypass the Sender ID check for the recipients KimAkers@adatum.com and DonHall@adatum.com:

Set-SenderIDConfig -BypassedRecipients KimAkers@adatum.com,DonHall@adatum.com

					  

The following EMS command configures the Sender ID agent to bypass the Sender ID check for messages that are received from the domain northwindtraders.com:

Set-SenderIDConfig -BypassedSenderDomains northwindtraders.com

However, the values that you specify by using the BypassedRecipients and BypassedSenderDomains parameters replace the existing exceptions. To preserve the existing listing of recipients or sender domains, you can use a temporary Shell variable to add a recipient or domain to the exceptions list. The following EMS commands use the temporary variable $Listing to add the domain treyresearch.com to the list of domains for which you want to bypass Sender ID check:

$Listing = Get-SenderIDConfig
$Listing.BypassedSenderDomains += "treyresearch.com"
Set-SenderIDConfig -BypassedSenderDomains $Listing.BypassedSenderDomains

ANTI-SPAM STAMPS

Sender ID, SCL, and PCL are also types of anti-spam stamps. You can use anti-spam stamps as diagnostic tools to determine what actions to take on false positives and on suspected spam messages that individuals receive in their mailboxes. You can view anti-spam stamps in Office Outlook, and you can generate an anti-spam report.

1.7. Sender Reputation

Sender reputation is used on Edge Transport servers to block messages according to various sender characteristics. It relies on these characteristics to determine the action to take on an inbound message. By default, sender reputation processing is enabled on an Edge Transport server for inbound messages that come from the Internet and are not authenticated. Such messages are handled as external messages. The following EMS command disables sender reputation for all messages:

Set-SenderReputationConfig -Enabled $false

The following EMS command disables sender reputation specifically for external messages:

Set-SenderReputationConfig -ExternalMailEnabled $false

By default, sender reputation is disabled for internal messages. The following EMS command enables sender reputation for internal messages:

Set-SenderReputationConfig -InternalMailEnabled $true

An SRL is calculated from the following statistics:

• Analysis of SCL ratings on messages from a particular sender When the Content Filter agent processes a message, it assigns an SCL rating to the message. Sender reputation calculates statistics about a sender according to the ratio between previous messages from that sender that had a low SCL rating and previous messages from the same source that had a high SCL rating. In addition, the number of messages with a high SCL rating sent in the past day is applied to the overall SRL.

• Reverse DNS lookup Sender reputation verifies that the originating IP address from which the sender transmitted the message matches the registered domain name that the sender submits in the HELO or EHLO SMTP command by performing reverse DNS query and submitting the originating IP address to DNS. Sender reputation compares the domain name returned by DNS to the domain name that the sender submitted in the HELO/EHLO SMTP command. If the domain names do not match, the sender is likely to be a spammer, and the overall SRL rating for the sender is adjusted upward.

• HELO/EHLO analysis The HELO and EHLO SMTP commands provide the domain name or IP address of the sending SMTP server to the receiving SMTP server. Spammers may attempt to forge the HELO/EHLO statement, and analysis of this statement on a per-sender basis may indicate that the sender is likely to be a spammer. For example, a sender that provides many different unique HELO/EHLO statements in a specific time period is more likely to be a spammer, as is a sender who consistently provides an IP address in the HELO statement that does not match the originating IP address as determined by the Connection Filter agent.

• Sender open proxy test An open proxy is a proxy server that accepts connection requests and forwards the traffic as if it originated from the local host. Proxy servers relay Transmission Control Protocol traffic through firewalls to provide user applications transparent access across the firewall. Proxies can also be used to permit multiple hosts to share a single Internet connection. Proxies are usually set up so that only trusted hosts inside the firewall can cross through the proxies. However, open proxies can exist because of misconfiguration or malicious Trojan horse programs and can provide a method for malicious users to hide their true identities and launch denial-of-service attacks or send spam. When sender reputation performs an open proxy test, it generates an SMTP request in an attempt to connect back to the Edge Transport server from the open proxy. If an SMTP request is received from the proxy, sender reputation verifies that the proxy is an open proxy and updates the open proxy test statistic for that sender.

Sender reputation weighs each of these statistics and calculates an SRL for each sender. The SRL is a number from 0 through 9 that predicts the probability that a specific sender is a spammer or other type of malicious user. A value of 0 indicates that the sender is most unlikely to be a spammer; a value of 9 indicates that the sender very likely is a spammer.

The following EMS command configures sender reputation to perform an open proxy test for determining sender confidence:

Set-SenderReputationConfig -OpenProxyDetectionEnabled $true

The following EMS command configures sender reputation to add the IP addresses of hosts that fail the open proxy test to the IP block list:

Set-SenderReputationConfig -SenderBlockingEnabled $true -OpenProxyDetectionEnabled $true

					  

Sender reputation is used to add SMTP servers to the IP block list for a limited duration based on the characteristics of the messages sent. You can configure an SRL block threshold at which sender reputation issues a request to the Sender Filter agent to block the sender from sending a message into your organization. A blocked sender is added to the blocked senders list for a configurable time period. The following EMS command sets the SRL block threshold to 5 (it is 7 by default) and configures sender reputation to add offending senders to the IP block list for 48 hours:

Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold
5 -SenderBlockingPeriod 48

The following options are available for blocked messages:

• Accept and mark as a blocked sender

• Delete and archive

• Reject

If a sender is included in the Microsoft block list or Microsoft IP Reputation Service sender reputation issues, an immediate request is made to the Sender Filter agent to block the sender. To take advantage of this functionality, you must enable the Microsoft Exchange Anti-Spam Update Service. By default, an Edge Transport server sets an SRL of 0 for senders that have not been analyzed. After a sender has sent 20 or more messages, sender reputation calculates an SRL that is based on the statistics returned by analyzing these messages.

Exchange 2010 offers additional services to help keep anti-spam components up to date through the Microsoft Update infrastructure. Microsoft Exchange 2010 Standard Anti-Spam Filter Updates offer anti-spam updates every two weeks.

The Microsoft Forefront Protection 2010 for Exchange Server Anti-Spam Update service is a premium service that updates the content filter daily via Microsoft Update. In addition, this service includes available spam signature and IP Reputation Service updates on an as-needed basis up to several times a day. Spam signature updates identify the most recent spam campaigns. IP Reputation Service updates provide sender reputation information about IP addresses that are known to send spam.

To ensure that Forefront Protection 2010 for Exchange Server stays up to date, you run the Enable Anti-Spam Updates Wizard, as shown in Figure 5. To use Microsoft Update to update the Forefront Protection 2010 for Exchange Server anti-spam definitions automatically, you select the Use Microsoft Update To Help Keep Your Exchange Server Up-To-Date With Anti-Spam Definition Updates check box.

You can also ensure that spam signature updates are downloaded automatically by selecting Automatic under Enable Anti-Spam Updates and selecting the Spam Signature Updates check box. You can ensure that the Edge Transport server is kept up to date with information about IP addresses that are known to forward spam by selecting Automatic under Enable Anti-Spam Updates and selecting IP Reputation Updates. Both of these options exist independently of updating Forefront Protection 2010 for Exchange Server’s anti-spam definitions using Microsoft Update.

The Manual — Updates For This Server Will Be Applied Manually option allows you to manually apply updates. This option also exists independently of updating Forefront Protection 2010 for Exchange Server’s anti-spam definitions using Microsoft Update.