Best Practices for Configuring FOPE
Applies to: Office 365 Enterprise, Live@edu, Forefront Online Protection for Exchange
Topic Last Modified: 2013-05-17
Our customers have found that knowing the following about their Forefront Online Protection for Exchange (FOPE) service has helped them get the most out of the service and ensure that it runs as smoothly as possible. To view a video that demonstrates how to configure options described in this topic, see Best practices for Configuring Forefront Online Protection for Exchange (English only).
The free Directory Synchronization Tool is a good way to securely and automatically synchronize valid end-user proxy addresses (and their Safe Senders if available) between an on-premises Active Directory, FOPE, and Exchange Hosted Archive services. The Directory Synchronization Tool is located at the following address: http://www.microsoft.com/downloads/details.aspx?FamilyID=3cda6dcc-1124-4e0b-b991-de9d85ed12e1&DisplayLang=en
Once the Directory Synchronization Tool (DST) has been downloaded, a list of users (and their email addresses) can be uploaded via the DST to the Hosted Services network. The uploaded list of users can then be used for Directory Based Edge Blocking (by setting the domain’s Directory Based Edge Blocking to Reject mode), Quarantine access, or Archive services.
If your company does not have a Microsoft Windows Active Directory environment, you can set the User List source to Admin Center or Secure FTP (alternate options for uploading user lists).
For more information such as a conceptual overview, installation instructions, and support information about the FOPE DST, see The Directory Synchronization Tool.
SPF is employed to prevent unauthorized use of a domain name when sending email communications, a technique also known as "spoofing", by providing a mechanism to validate sending hosts. If you wish to configure SPF record settings, use the following tips as a guide:
For domains sending outbound through the filtering network, you can include "spf.messaging.microsoft.com" in your SPF record as well as your individual outbound mail server IP addresses.
Important: These instructions are only valid for domains sending email outbound through the filtering network.
Since SPF is used to validate that a given IP address is authorized to send mail for a given domain, the outbound IP addresses for the filtering network need to be included in the SPF record. The easiest way to add the entire set of IPs is to use the "include:spf.messaging.microsoft.com" statement in your SPF record.
Additionally, you can list all of your outbound mail server IP addresses. These IP addresses are required to ensure mail delivery to other FOPE clients. Each IP address should be added via an ip4: statement. For example, to include "127.0.0.1" as an accepted outbound sending IP you would add "ip4:127.0.0.1" to your SPF record. If you know all of the authorized IPs, they should be added using the -all (Fail) qualifier. If you are not sure that you have the complete list of IPs, then you should use the ~all (SoftFail) qualifier.
Contoso.com has three outbound mail servers as follows:
Contoso's original SPF record looked like this:
"v=spf1 ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
After routing mail through FOPE, Contoso's SPF record looks like this:
"v=spf1 include:spf.messaging.microsoft.com ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
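The following Python example, added here and not part of the original article, shows what the two records above mean to a receiving mail server. It builds the "after" record from the "before" record and then evaluates a sending IP against it the way an SPF verifier does: walking the mechanisms left to right, honouring the +/-/~/? qualifiers, and recursing into include:. DNS is replaced by a constructed in-memory table, so the contents of spf.messaging.microsoft.com and the fabrikam.com record are assumptions for illustration, not Microsoft's real published ranges; the contoso.com entries are the article's own.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The spf.messaging.microsoft.com and fabrikam.com records are assumptions.
SPF_RECORDS = {
    "contoso.com": "v=spf1 include:spf.messaging.microsoft.com "
                   "ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all",
    "spf.messaging.microsoft.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "fabrikam.com": "v=spf1 ip4:203.0.113.10 ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include: counts) at 10
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def add_fope_include(record, include_domain="spf.messaging.microsoft.com"):
    """Insert include:<domain> right after v=spf1, as the article's worked example does."""
    terms = record.split()
    token = "include:" + include_domain
    if token in terms:
        return record
    return " ".join([terms[0], token] + terms[1:])


def check_spf(ip, domain, records=SPF_RECORDS, _lookups=None):
    """Evaluate sender ip for domain; returns pass/fail/softfail/neutral/none/permerror."""
    if _lookups is None:
        _lookups = [0]
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP becomes /32 or /128
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, records, _lookups)
            if inner in ("permerror", "none"):
                return "permerror"  # a missing included record is a permanent error
            matched = inner == "pass"  # only a pass inside the include matches
        else:
            # a, mx, ptr, exists and redirect= need live DNS and are not modelled here
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    before = "v=spf1 ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
    print(add_fope_include(before))
    for ip in ("127.0.0.2", "192.0.2.25", "203.0.113.10"):
        print(ip, check_spf(ip, "contoso.com"))
```

Note the two behaviours the article's qualifier advice depends on: a sender not covered by any ip4: or include: term falls through to the trailing -all and is rejected (fail), whereas the same record ending in ~all would only produce softfail, which most receivers treat as "suspicious" rather than "reject".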
The following tips will help ensure a smooth and continuous data transfer to the Hosted Filtering service.
Configure settings on the SMTP server with a connection time out of 60 seconds.
Once your firewall rules have been restricted to only allow inbound SMTP connections from the IP addresses used by the Hosted Filtering service, we recommend that the SMTP server be configured to accept the highest number of concurrent inbound connections from the service that you feel comfortable with.
If the server is sending outbound email through the Hosted Filtering service, we also recommend that the server be configured to send no more than 50 messages per connection and to use fewer than 50 concurrent connections. Under normal circumstances, these settings will help ensure that the server has smooth and continuous data transfer to the service.
Access to the subscribed services can be restricted to users connecting to the Web sites from specified IP addresses. Access from other IP addresses would not be allowed with this configuration, which minimizes the probability of unauthorized access. IP restriction settings are available at the company scope, the domain scope, and at the user scope.
Strong passwords should be used at all times and for all accounts, especially administrator accounts. The following guidelines can help you create strong passwords:
Require lower and upper case letters, numbers, and special characters (?, !, @, $)
Set passwords to expire frequently, such as every 3, 4, or 6 months.
Additional spam filtering (ASF) options are also available. By default, it is recommended that you turn off all ASF options, with the following possible exceptions:
Image links to remote sites—This setting is recommended for users that receive a lot of marketing mail, advertisements, or newsletters that contain content with spam characteristics.
SPF Record Hard Fail—This setting is recommended for organizations who are concerned about receiving phishing messages.
From Address Authentication—Turning on this setting is recommended for organizations who are concerned about phishing, especially if their own users are being spoofed. However, we generally recommend that users turn this option on in response to an escalation rather than having it turned on as the default.
For more detailed information about these ASF options and others, see Configuring Additional Spam Filtering Options.
The vast majority of messages submitted as false positives are indeed spam messages that were accurately filtered, but are still wanted by the intended recipients.
In order to gain insight into the type and number of messages reported to the Hosted Filtering service as false positives, administrators should configure the false positive submission copy feature of the spam filter to provide them with a copy of the messages for review.
Note: Prior to sending a false-positive submission, end users must either sign in to the Quarantine Web site to view the message first, or salvage the message to view it, and then forward it to firstname.lastname@example.org.
False positive messages must be submitted by forwarding the entire message and all Internet headers to the false_positive mailbox. For more information, see Understanding Spam Submission and Evaluation in FOPE.
In addition to spam and virus filtering, the FOPE Administration Center Policy Rules allow you to enforce specific company policies by configuring customizable filtering rules. You can create a specific set of rules that identify messages and take a specific action against them while they are being processed by the Hosted Filtering service. For example, you can create a policy rule that will reject any incoming emails that have a certain word or phrase in the Subject field. Additionally, Policy Rules Filters allow you to add and manage large lists of values (such as email addresses, domains, and keywords) for multiple policy rules by uploading a file (Dictionary).
Policy rules can be configured for a variety of email match criteria:
Header field names and values
Sender IP addresses, domains, and email addresses
Recipient domains and email addresses
Attachment file names and file extensions
Email subject, body, and other message properties (size, number of recipients)
For more information about Policy Rules, see Policy Rules.
The policy filter may be used to help defend corporate networks from email attacks and protect end users’ confidential information.
Additional anti-phishing protection can be accomplished through the detection of personal information in emails exiting the organization. The following regular expressions, for example, can be used to detect transmission of personal financial data or information that may compromise privacy:
\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d (MasterCard, Visa)
\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d (American Express)
\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d (any 16 digit number)
\d\d\d\-\d\d\-\d\d\d\d (Social Security Numbers)
Spam and phishing can be prevented by blocking inbound emails that appear to have been sent from your own domain. You can create a reject rule for messages from your company domain sent to the same company domain yourdomain.com to block this type of sender forgery.
Note: We recommend creating this reject rule only in cases where you are certain that no legitimate email from your domain is sent from the Internet to your mail server. This can happen in cases where a message is sent from a user in your organization to an outside recipient and subsequently forwarded to another recipient in your organization.
The policy filter can be used in various ways to defend corporate networks from email attacks and protect end users’ confidential information.
Threat prevention through file extension blocking should, at a minimum, block the following extensions: EXE, PIF, SCR, VBS
For increased protection, blocking some or all of the following extensions is recommended: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh
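The Python example below is added here and is not FOPE code; it models, in one place, the three policy-rule ideas from this section: the outbound personal-data patterns listed above, the same-domain reject rule for inbound mail, and inbound attachment blocking by extension. Message fields are a constructed dictionary rather than a real SMTP message, yourdomain.com is the article's placeholder, and the Luhn check is an addition beyond the article that helps triage hits from the broad "any 16 digit number" pattern, which also matches order numbers and similar data.

```python
import re

COMPANY_DOMAIN = "yourdomain.com"  # placeholder domain used in the article

# Regular expressions exactly as listed in the article, keyed by their labels.
PII_PATTERNS = {
    "MasterCard/Visa": re.compile(r"\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d"),
    "American Express": re.compile(r"\d\d\d\d\s\d\d\d\d\d\d\s\d\d\d\d\d"),
    "any 16 digit number": re.compile(r"\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d"),
    "Social Security Number": re.compile(r"\d\d\d\-\d\d\-\d\d\d\d"),
}

# The article's minimum list and its extended list of attachment extensions.
MINIMUM_BLOCKED = {"exe", "pif", "scr", "vbs"}
EXTENDED_BLOCKED = set(
    "ade adp ani bas bat chm cmd com cpl crt exe hlp ht hta inf ins isp job js "
    "jse lnk mda mdb mde mdz msc msi msp mst pcd pif reg scr sct shs url vb vbe "
    "vbs wsc wsf wsh".split()
)


def luhn_ok(number):
    """Luhn checksum (addition beyond the article): True for well-formed card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def blocked_extension(filename, blocklist=EXTENDED_BLOCKED):
    """Return the blocked extension of filename (lower-case) or None.

    Comparison is case-insensitive and ignores trailing dots/spaces, so
    'Setup.EXE' and 'setup.exe.' are treated like 'setup.exe'.
    """
    name = filename.lower().rstrip(". ")
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in blocklist else None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate(message, direction, blocklist=EXTENDED_BLOCKED):
    """Apply the section's rules to a message dict; returns (rule, action, detail) tuples."""
    findings = []
    if direction == "inbound":
        # Same-domain forgery: sender claims our domain and the mail targets our domain.
        if domain_of(message["sender"]) == COMPANY_DOMAIN and any(
            domain_of(r) == COMPANY_DOMAIN for r in message["recipients"]
        ):
            findings.append(("same-domain sender forgery", "reject", message["sender"]))
        for name in message.get("attachments", []):
            ext = blocked_extension(name, blocklist)
            if ext:
                findings.append(("blocked file extension", "reject", name))
    elif direction == "outbound":
        text = message.get("subject", "") + "\n" + message.get("body", "")
        for label, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(text):
                detail = f"{label}: {m.group()}"
                if label != "Social Security Number":
                    detail += " (passes Luhn)" if luhn_ok(m.group()) else " (fails Luhn)"
                findings.append(("personal data in outbound mail", "quarantine", detail))
    return findings


if __name__ == "__main__":
    # Constructed sample messages for demonstration only.
    inbound = {"sender": "ceo@yourdomain.com", "recipients": ["staff@yourdomain.com"],
               "subject": "Urgent", "body": "See attached.", "attachments": ["Invoice.PDF.exe"]}
    outbound = {"sender": "bob@yourdomain.com", "recipients": ["x@fabrikam.com"],
                "subject": "card details", "body": "4111 1111 1111 1111, SSN 123-45-6789"}
    for f in evaluate(inbound, "inbound") + evaluate(outbound, "outbound"):
        print(f)
```

The extension check looks only at the final extension, which is what FOPE's file-extension matching targets; with the minimum list a ".js" attachment passes, with the extended list it is rejected, which is the trade-off the two lists above describe.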