New Anti-Spam and Antivirus Functionality
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2006-10-11
Microsoft Exchange Server 2007 includes several improvements to the suite of anti-spam and antivirus features that was introduced in Exchange Server 2003.
Management of these features has improved in Exchange 2007. For example, you implement all anti-spam and antivirus features as transport-level agents, and you can manage and script the anti-spam and antivirus features by using the Exchange Management Shell.
Also, you can use a synchronization service named the Microsoft Exchange EdgeSync service to update configuration information and user data on computers that have the Edge Transport server role installed. The Microsoft Exchange EdgeSync service is a collection of processes that are run on the computer that has the Exchange 2007 Hub Transport server role installed to establish one-way replication of recipient and configuration information from the Active Directory directory service to the Active Directory Application Mode (ADAM) instance on the Edge Transport server. The Microsoft Exchange EdgeSync service copies only the information that is required for the Edge Transport server to perform anti-spam and message security configuration tasks and the information about the Send connector configuration that is required to enable mail flow from the Hub Transport servers in the Exchange 2007 organization to the Internet through one or more Edge Transport servers. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.
The following anti-spam and antivirus features are new or improved in Exchange 2007:
- Connection filtering The configuration and management of IP Block lists, IP Allow lists, IP Block List providers, and IP Allow List providers have been improved by displaying each of these elements in the Exchange Management Console. For more information, see Connection Filtering.
- Content filtering Exchange Intelligent Message Filter, which uses Microsoft SmartScreen patented machine-learning technology, is the underlying technology of the content filter that evaluates inbound messages and determines the probability of whether the messages are legitimate, fraudulent, or spam.
  In addition to scanning message content, Intelligent Message Filter consolidates data that is collected from connection filtering, sender filtering, recipient filtering, sender reputation, Sender ID verification, and Microsoft Office Outlook 2007 E-mail Postmark validation to apply a spam confidence level (SCL) rating to a given message. You can configure actions on the message based on this SCL rating. These actions may include the following:
  - Delivery to an Outlook user Inbox or Junk E-mail folder
  - Delivery to the spam quarantine mailbox
  - Rejection of the message and no delivery
  - Acceptance and deletion of the message. The server accepts the message and deletes it instead of forwarding it to the recipient mailbox.
  Finally, Exchange 2007 now offers additional services to help keep anti-spam components up to date. The following update services are available:
  - Microsoft Exchange 2007 Standard Anti-spam Filter Updates: Filter updates every two weeks
  - Microsoft Forefront Security for Exchange Server: Filter updates every 24 hours
  - Microsoft Update
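The SCL actions listed above are configured per threshold on the content filter, and the thresholds only make sense in the order the agent evaluates them (delete, then reject, then quarantine, then the Junk E-mail folder). The following Exchange Management Shell script is an added example, not code from the Exchange documentation: it validates that ordering before applying the settings, reads the effective configuration back, and summarizes the Content Filter agent's recent decisions from the anti-spam agent log. The quarantine mailbox address, the threshold values, and the one-day window are assumptions chosen for the example; the quarantine mailbox must already exist.

```powershell
# Added example (not from the Exchange documentation): configure the content
# filter's SCL actions and check what the Content Filter agent has been doing.
# Run in the Exchange Management Shell on an Edge Transport server (or a Hub
# Transport server with the anti-spam agents installed).

$quarantineMailbox = 'spamquarantine@contoso.com'   # assumed; create this mailbox first
$thresholds = @{ Delete = 9; Reject = 7; Quarantine = 5; Junk = 4 }

# Thresholds that are not strictly descending leave an action unreachable: a
# reject threshold at or above the delete threshold never fires, and a junk
# threshold at or above the quarantine threshold never sends anything to the
# Junk E-mail folder. Fail early instead of silently shipping a dead setting.
if (-not ($thresholds.Delete -gt $thresholds.Reject -and
          $thresholds.Reject -gt $thresholds.Quarantine -and
          $thresholds.Quarantine -gt $thresholds.Junk)) {
    throw 'SCL thresholds must satisfy Delete > Reject > Quarantine > Junk'
}

# Transport-level actions taken by the Content Filter agent.
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold $thresholds.Delete `
                        -SCLRejectEnabled $true -SCLRejectThreshold $thresholds.Reject `
                        -SCLQuarantineEnabled $true -SCLQuarantineThreshold $thresholds.Quarantine `
                        -QuarantineMailbox $quarantineMailbox

# Organization-wide SCL at or above which the Mailbox server files a message
# in the user's Junk E-mail folder instead of the Inbox.
Set-OrganizationConfig -SCLJunkThreshold $thresholds.Junk

# Read the effective settings back rather than trusting the commands succeeded.
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
Get-OrganizationConfig  | Format-List SCLJunkThreshold

# Detection view: how often each action was taken in the last 24 hours.
# The agent name match is kept loose because the logged name is a display string.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -like 'Content Filter*' } |
    Group-Object Action |
    Select-Object Name, Count
```

Reviewing the grouped agent-log counts after a threshold change is the quickest way to see whether a new delete or reject threshold is silently discarding mail that previously landed in quarantine.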
- Spam quarantine Spam quarantine provides a temporary storage location for messages that are identified as spam and that should not be delivered to a user mailbox inside the organization. Spam quarantine functionality is available during the content filtering process. Messages that are identified as spam are wrapped in a non-delivery report (NDR) and are delivered to a spam quarantine mailbox inside the organization. Exchange administrators can manage messages that are delivered to the spam quarantine mailbox and can take appropriate actions, such as deleting messages or letting messages that are flagged as false positives in anti-spam filtering be routed to their intended recipients.
  The Exchange 2007 environment enables two-tiered spam quarantine functionality. First, administrators can access the spam quarantine mailbox. By using Outlook, administrators can access the spam quarantine mailbox to search for messages, release messages to the intended recipients, or reject and delete messages. Messages that have an SCL rating that the administrator has defined as borderline can be released to the user's Junk E-mail folder in Outlook. The borderline messages are converted to plain text for additional protection before they are sent to the user's Junk E-mail folder. For more information, see Spam Quarantine.
- Recipient filtering By using the Microsoft Exchange EdgeSync service, you can now replicate recipient data from the enterprise Active Directory into the Exchange Active Directory Application Mode (ADAM) instance on the Edge Transport server role. This enables the Recipient Filter agent to perform recipient lookups for inbound messages so that you can block messages that are sent to nonexistent users or internal-only distribution lists. Also, in Exchange 2007, you can configure the tarpitting interval on each inbound Receive connector. For more information, see Recipient Filtering.
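Recipient validation and tarpitting are the two settings this item describes, and both are applied from the Exchange Management Shell. The script below is an added example, not code from the Exchange documentation: it records the current tarpit interval, turns on recipient validation against the replicated ADAM data, blocks an internal-only distribution list, applies a tarpit delay to the Internet-facing Receive connector only, and then summarizes Recipient Filter agent rejections by source IP address. The connector name, the distribution list address, and the delay value are assumptions for the example.

```powershell
# Added example (not from the Exchange documentation): recipient filtering and
# tarpitting on an Edge Transport server. Requires that the Microsoft Exchange
# EdgeSync service has already replicated recipients into ADAM; otherwise
# recipient validation would reject every inbound recipient.

$inboundConnector = 'Inbound from Internet'   # assumed name of the Internet-facing Receive connector
$internalOnlyList = 'allstaff@contoso.com'     # assumed internal-only distribution list

# Before: capture the existing tarpit interval so the change can be reverted.
$before = Get-ReceiveConnector -Identity $inboundConnector
"Tarpit interval before: $($before.TarpitInterval)"

# Reject RCPT TO for addresses that do not exist in the replicated directory,
# and for the distribution list that must not receive Internet mail.
Set-RecipientFilterConfig -RecipientValidationEnabled $true `
                          -BlockListEnabled $true `
                          -BlockedRecipients $internalOnlyList

# Tarpitting delays the SMTP response to each rejected recipient, which makes
# directory-harvest attempts slow without affecting legitimate senders. Apply
# it only to the Internet-facing connector; internal Hub-to-Edge traffic should
# not be delayed.
Set-ReceiveConnector -Identity $inboundConnector -TarpitInterval '00:00:05'

# Verify both settings took effect.
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled, BlockListEnabled, BlockedRecipients
Get-ReceiveConnector -Identity $inboundConnector | Format-List Name, Bindings, TarpitInterval

# Detection view: source addresses with the most recipient rejections in the
# last 24 hours. A single IP with hundreds of rejected recipients is the usual
# signature of a directory-harvest attempt and is worth adding to the IP Block list.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -like 'Recipient Filter*' -and $_.Action -eq 'RejectCommand' } |
    Group-Object IPAddress |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

The `RejectCommand` action value is the one the agent log records for a recipient rejected at SMTP time; if the log on your server shows a different action string for these events, adjust the filter accordingly.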
- Sender ID Sender ID verifies that each e-mail message originates from the Internet domain from which the message claims to come by examining the sender's IP address and comparing the IP address to the Sender ID record in the sender's public Domain Name System (DNS) server. The Sender ID record in the sender's public DNS server is the sender policy framework (SPF) record. The SPF defines the IP addresses that are authorized to send messages for the domain in which the SPF record resides. When the receiving system queries the SPF record, and a "Pass" status is returned, the receiving system has a higher assurance that the message is not being spoofed by an illegitimate sender.
  You can specify how the Sender ID agent handles temporary errors, such as DNS failures, when it performs an SPF query. For more information, see Sender ID.
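The distinction between a definitive SPF "Fail" and a temporary error matters because rejecting on a temporary error bounces legitimate mail whenever the sender's DNS is briefly unreachable. The script below is an added example, not code from the Exchange documentation: it configures the Sender ID agent to reject spoofed domains but only stamp the status on temporary errors, checks the SPF verdict for a few sender IP and purported responsible domain pairs, and summarizes the agent's recent verdicts. The IP addresses and domains are constructed placeholders, so the lookups will not return meaningful results outside a lab.

```powershell
# Added example (not from the Exchange documentation): Sender ID agent actions
# and a quick verdict check. Run in the Exchange Management Shell on the server
# that runs the anti-spam agents; Test-SenderId performs live DNS lookups.

# Spoofed domain (SPF "Fail") -> reject during the SMTP session.
# Temporary error (for example a DNS timeout) -> stamp the status only; the
# stamped result still feeds the content filter's SCL computation, so the
# message is not trusted, but it is not bounced because of someone else's DNS outage.
Set-SenderIdConfig -SpoofedDomainAction Reject -TempErrorAction StampStatus
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction, TempErrorAction

# Constructed sample pairs: the connecting IP address and the domain the message
# claims responsibility for (the purported responsible address's domain).
$samples = @(
    @{ IP = '192.0.2.10';   Domain = 'example.com' },   # constructed
    @{ IP = '198.51.100.7'; Domain = 'example.net' }    # constructed
)
foreach ($s in $samples) {
    "--- $($s.IP) claiming $($s.Domain) ---"
    # Same SPF evaluation the agent performs; result includes the status
    # (Pass, Neutral, SoftFail, Fail, None, TempError, PermError) and a reason.
    Test-SenderId -IPAddress $s.IP -PurportedResponsibleDomain $s.Domain | Format-List
}

# Detection view: Sender ID outcomes in the last 24 hours. A sudden rise in
# rejections for one domain usually means a sender published a bad SPF record,
# not an attack, and is worth confirming before adding bypass entries.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -like 'Sender Id*' } |
    Group-Object Action |
    Select-Object Name, Count
```

Leaving `TempErrorAction` at `StampStatus` is the conservative choice; switch it to `Reject` only if the organization accepts bouncing mail from any sender whose DNS happens to be slow at delivery time.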
- Sender reputation Sender reputation uses patented Microsoft technology to calculate the trustworthiness of unknown senders. Sender reputation gathers analytical data from Simple Mail Transfer Protocol (SMTP) sessions, message content, Sender ID verification, and general sender behavior and creates a history of sender characteristics. Sender reputation uses this knowledge to determine whether a sender should be temporarily added to the Blocked Senders list. For more information, see Sender Reputation.
- IP Reputation Service This service, which is provided by Microsoft, is an IP Block list that is offered exclusively to Exchange 2007 customers. Administrators can choose to implement and use IP Reputation Service in addition to other real-time block list services.
- Aggregation of Outlook Junk E-mail Filter Lists This feature helps reduce false positives in anti-spam filtering by propagating Outlook 2003 and Outlook 2007 Junk E-mail Filter Lists to Mailbox servers and to Edge Transport servers. For more information, see Safelist Aggregation.
Exchange 2007 includes many improvements to antivirus protection. In addition to continued support of the Virus Scanning API (VSAPI), Microsoft has made a significant investment in more effective, efficient, and programmable virus scanning at the transport level.
Exchange 2007 introduces the concept of transport agents. Agents are managed software components that perform a task in response to an application event.
Exchange 2007 also provides antivirus stamping, which helps reduce the volume of antivirus scanning across an organization by stamping messages that were scanned for viruses with the version of the antivirus software that performed the scan and the result of the scan. This antivirus stamp travels with the message as the message is routed through the organization. The stamp is used to determine whether additional antivirus scanning must be performed on the message.
In Exchange 2007, agents act on transport events, much like event sinks in earlier versions of Exchange. Third-party developers can write customized agents to take advantage of the underlying Exchange MIME parsing engine for robust transport-level antivirus scanning. The Exchange 2007 MIME parsing engine, developed and evolved through many years of MIME-handling exposure, is likely the most trusted and robust MIME engine in the industry.
Another Exchange 2007 antivirus improvement is the implementation of attachment filtering by a transport agent. By running attachment filtering on the Edge Transport server role in your organization, you can reduce the spread of malware attachments before they enter your organization. For more information about attachment filtering, see Attachment Filtering.
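Attachment filtering runs as a transport agent on the Edge Transport server, and it is configured entirely from the Exchange Management Shell. The script below is an added example, not code from the Exchange documentation: it adds filter entries by file name and by MIME content type, chooses the Strip action so the message body still reaches the recipient while the attachment is replaced by an explanatory text file, and reads the resulting configuration back. The list of extensions and MIME types, and the administrative message text, are assumptions for the example.

```powershell
# Added example (not from the Exchange documentation): attachment filtering on
# an Edge Transport server. Run in the Exchange Management Shell on that server.

# File-name patterns for directly executable content. This list is a starting
# point chosen for the example, not an exhaustive or authoritative set.
$blockedNames = '*.exe', '*.scr', '*.pif', '*.com', '*.bat', '*.cmd', '*.vbs', '*.js', '*.hta'

# MIME content types that mark executable content regardless of file name,
# which catches attachments renamed to a harmless-looking extension.
$blockedTypes = 'application/x-msdownload', 'application/hta'

foreach ($name in $blockedNames) {
    Add-AttachmentFilterEntry -Name $name -Type FileName
}
foreach ($type in $blockedTypes) {
    Add-AttachmentFilterEntry -Name $type -Type ContentType
}

# Strip removes only the matching attachment and delivers the rest of the
# message with a text file containing AdminMessage in its place. Reject would
# bounce the whole message; SilentDelete would discard it with no notification,
# which makes legitimate mail vanish without a trace and is hard to troubleshoot.
Set-AttachmentFilterListConfig -Action Strip `
    -AdminMessage 'An attachment was removed by the Edge Transport attachment filter because its type is not permitted by policy.'

# Verify the entries and the action that will be applied.
Get-AttachmentFilterEntry | Format-Table Name, Type -AutoSize
Get-AttachmentFilterListConfig | Format-List Action, AdminMessage, ExceptionConnectors
```

Because the attachment filter acts before content and virus scanning inside the organization, stripping by type at the Edge reduces the volume of samples the antivirus agents must process, which is the same reduction the antivirus stamp aims at from the other direction.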
Spam and virus filtering can also be augmented by, or obtained entirely as, a service from Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:
- Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
- Hosted Archive, which helps them satisfy retention requirements for compliance
- Hosted Encryption, which helps them encrypt data to preserve confidentiality
- Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations
These services integrate with any on-premises Exchange servers that are managed in-house or with Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.