Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Exchange Server TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Exchange Server
Transport
Collapse All/Expand All Collapse All
More Resources
Related Help Topics
Loading...
No resources found.
more...
Related Blog Articles
Loading...
more...
Related Forum Discussions
Ask a question
Visit the forums
Understanding Anti-Spam and Antivirus Functionality

Applies to: Exchange Server 2010 SP2

Topic Last Modified: 2010-01-18

Spammers, or malicious senders, use a variety of techniques to send spam into your organization. No single tool or process can eliminate all spam. Microsoft Exchange Server 2010 builds on the foundation of Exchange Server 2007 to provide a layered, multipronged, and multifaceted approach to reducing spam and viruses. Exchange 2010 includes a variety of anti-spam and antivirus features that are designed to work cumulatively to reduce the spam that enters your organization.

You can reduce the incidences of virus outbreaks and attacks by malicious software, which is also referred to as malware, in your organization if you reduce the overall volume of spam that enters your organization. When you eliminate the bulk of the spam at the computer that has the Edge Transport server role installed, you save processing resources, bandwidth, and storage when the messages are scanned for viruses and other malware further along the mail flow path.

The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.

The following sections provide brief descriptions of each default anti-spam and antivirus feature.

Looking for management tasks related to managing transport servers? See Managing Transport Servers.

Contents

Anti-Spam and Antivirus Filters

Anti-Spam Stamps

Microsoft Update for Anti-Spam Services

Using Exchange Hosted Services

Strategy for Anti-Spam Approach

 Anti-Spam and Antivirus Filters
  

The anti-spam and antivirus filters are applied in a specific order. For more information, see Understanding Anti-Spam and Antivirus Mail Flow. The following order applies:

  1. Connection filtering   Connection filtering inspects the IP address of the remote server that's trying to send messages to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a byproduct of the underlying TCP/IP connection that's required for the SMTP session. Connection filtering uses a variety of IP Block lists, IP Allow lists, as well as IP Block List provider services or IP Allow List provider services to determine whether the connection from the specific IP should be blocked or allowed in the organization.
  2. Sender filtering   Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains who are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message.
  3. Recipient filtering   Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message isn't permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message isn't addressed to valid recipients, the message can be rejected at the organization's network perimeter.
  4. Sender ID   Sender ID relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to determine whether the sender is spoofed or not. PRA is calculated based on the following message headers:
    • Resent-Sender:
    • Resent-From:
    • Sender:
    • From:
    For more information about the PRA, see Understanding Sender ID and RFC 4407.
  5. Content filtering   Content filtering uses Microsoft SmartScreen technology to assess the contents of a message. Intelligent Message Filter is the underlying technology of Exchange content filtering. Intelligent Message Filter is based on patented machine-learning technology from Microsoft Research. During its development, Intelligent Message Filter learned distinguishing characteristics of legitimate e-mail messages and spam. Regular updates with Microsoft Exchange Anti-spam Update service ensure that the most up-to-date information is always included when the Intelligent Message Filter runs. Based on the characteristics of millions of messages, Intelligent Message Filter recognizes indicators of both legitimate messages and spam messages. Intelligent Message Filter can accurately assess the probability that an inbound e-mail message is either a legitimate message or spam.
    Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for messages that are identified as spam and that shouldn't be delivered to a user mailbox inside the organization.
    Content filtering also acts on the safelist aggregation feature. Safelist aggregation collects data from the anti-spam safe lists that Microsoft Outlook and Outlook Web App users configure and makes this data available to the Content Filter agent on the computer that has the Edge Transport server role installed in Exchange 2010.
    When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail messages that Outlook users receive from contacts or that those users have added to their Outlook Safe Senders List or have trusted are identified by the Content Filter agent as safe. The result is that messages that are identified as safe aren't classified as spam and unintentionally filtered out of the messaging system.
  6. Sender reputation   Sender reputation relies on persisted data about the IP address of the sending server to determine what action, if any, to take on an inbound message. The Protocol Analysis agent is the underlying agent that implements the sender reputation functionality. A sender reputation level (SRL) is calculated from several sender characteristics that are derived from message analysis and external tests.
    Senders whose SRL exceeds a configurable threshold will be temporarily blocked. All their future connections are rejected for up to 48 hours.
    In addition to the locally calculated IP reputation, Exchange 2010 also takes advantage of IP reputation anti-spam updates, available via Microsoft Update, which provide sender reputation information about IP addresses that are known to send spam.
  7. Attachment filtering   Attachment filtering filters messages based on attachment file name, file name extension, or file MIME content type. You can configure attachment filtering to block a message and its attachment, to strip the attachment and allow the message to pass through, or to silently delete the message and its attachment.
  8. Microsoft Forefront Protection 2010 for Exchange Server   Forefront Protection 2010 for Exchange Server (FPE) is an antivirus software package that's tightly integrated with Exchange 2010 and offers antivirus protection for the Exchange environment. The antivirus protection that's provided by FPE is language independent. However, the setup, administration of the product, and end-user notifications are available in 11 server languages. For more information, see Microsoft Forefront Protection 2010 for Exchange Server.
  9. Outlook junk e-mail filtering   The Outlook junk e-mail filter uses state-of-the-art technology to evaluate whether a message should be treated as a junk e-mail message based on several factors, such as the time that the message was sent, the content and structure of the message, and the metadata collected by the Exchange Server anti-spam filters. Messages caught by the filter are moved to a special Junk E-mail folder, where the recipient can access them later.

Return to top
 Anti-Spam Stamps

Anti-spam stamps help you diagnose spam-related problems by applying diagnostic metadata, or stamps, such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the anti-spam features that filter inbound messages from the Internet. These stamps are visible to the end-user mail client and encode sender-specific information, the version of the spam filter definition file, Outlook puzzle validation results, and content filtering results.

Return to top
 Microsoft Update for Anti-Spam Services

Exchange 2010 offers additional services to help keep anti-spam components up to date, taking advantage of the proven Microsoft Update infrastructure.

Microsoft Exchange 2010 Standard Anti-spam Filter Updates offer anti-spam updates every two weeks via Microsoft Update.

The Forefront Security for Exchange Server Anti-spam Update service is a premium service that updates the content filter daily via Microsoft Update. In addition, the premium service includes the spam signature and IP Reputation Service updates that are available on an as-needed basis, up to several times a day. Spam signature updates identify the most recent spam campaigns. IP Reputation Service updates provide sender reputation information about IP addresses that are known to send spam.

Aa997658.note(en-us,EXCHG.141).gifNote:
To use the premium service, you must have the Exchange Enterprise client access license (CAL).

Return to top
 Using Exchange Hosted Services

Spam filtering is enhanced by or is also available as a service from Microsoft Exchange Hosted Services.

Exchange Hosted Services is a set of four distinct hosted services:

  • Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
  • Hosted Archive, which helps them satisfy retention requirements for compliance
  • Hosted Encryption, which helps them encrypt data to preserve confidentiality
  • Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations

These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.

Return to top
 Strategy for Anti-Spam Approach

Your strategy for how to configure the anti-spam features and establish the aggressiveness of your anti-spam agent settings requires that you plan and calculate carefully. If you set all anti-spam filters to their most aggressive levels and configure all anti-spam features to reject all suspicious messages, you're more likely to reject messages that aren't spam. On the other hand, if you don't set the anti-spam filters at a sufficiently aggressive level and don't set the spam confidence level (SCL) threshold low enough, you probably won't see a reduction in the spam that enters your organization.

It's a best practice to reject a message when Exchange detects a bad message through the Connection Filter agent, Recipient Filter agent, or Sender Filter agent. This approach is better than quarantining such messages or assigning metadata, such as anti-spam stamps, to such messages. The Connection Filter agent and Recipient Filter agent automatically block messages that are identified by the respective filters. The Sender Filter agent is configurable.

This best practice is recommended because the SCL that underlies connection filtering, recipient filtering, or sender filtering is relatively high. For example, with sender filtering, where the administrator has configured specific senders to block, there's no reason to assign the sender filtering data to such messages and to continue to process them. In most organizations, blocked messages should be rejected. (If you didn't want the messages rejected, you wouldn't have put them on the Blocked Senders List.)

The same logic applies to real-time block list services and recipient filtering, although the underlying confidence isn't as high as the IP Block list. You should be aware that the further along the mail flow path a message travels, the greater the probability of false positives, because the anti-spam features are evaluating more variables. Therefore, you may find that if you configure the first several anti-spam features in the anti-spam chain more aggressively, you can reduce the bulk of your spam. As a result, you'll save processing, bandwidth, and disk resources so that you can process more ambiguous messages.

Ultimately, you must plan to monitor the overall effectiveness of the anti-spam features. If you monitor carefully, you can continue to adjust the anti-spam features to work well together for your environment. With this approach, you should plan on a fairly non-aggressive configuration of the anti-spam features when you start. This approach lets you minimize the number of false positives. As you monitor and adjust the anti-spam features, you can become more aggressive about the type of spam and spam attacks that your organization experiences.

Return to top
Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
Setting up DNSBLs and DNSWLs      ObiWan   |   Edit   |   Show History
While I'm not endorsing any of the following DNS filtering lists, I think that they may be useful when setting up spam filtering on an exchange server, be it an older 2003 using IMF or a newer one

Let's start with the DNS blacklists, those are used to check if a given IP address connecting to an exchange server and trying to send (us) email(s) is "good" or "bad", the following lists are quite "conservative" ones, that is, won't list an IP just for a few "bad mails" and will only, in general, list known, almost sure, "bad" sending IPs

zen.spamhaus.org
bb.barracudacentral.org
ix.dnsbl.manitu.net
bl.spamcop.net
combined.njabl.org
v4.fullbogons.cymru.com

the above lists, as I wrote, are quite reliable and conservative, this means that you will get really few false-positives (if any); to configure them, just add the above to the Exchange spam filter; when doing so, it may be a good idea to configure the "reject message" (the one used by exchange to refuse an email if the sender is listed by a given DNSBL) to something meaningful, for example, something like the following

Message refused, your IP {0} is blacklisted by {2} (see http://multirbl.valli.org/lookup/{0}.html).

using the above message, exchange will automatically replace {0} with the IP the connection came from (the one from the sending server) and {2} with the name of the blacklist which caused the reject; the URL will then allow to perform a straight check against the IP to find out which DNS blacklists are listing that IP and the reasons for the listing, this in turn may allow the remote (sending) server admins to fix the issue, so being able to send you emails again.

Note: in Exchange 2003 the above "variables" (or macros if you prefer) used a different syntax, so, in place of {0} or {2} you'd have %0 or %2; in any case, the meaning of the variables remained the same, that is 0=IP address of sender, 1=Rule name, 2=The RBL provider.

Anyhow, as for the subject, you may also want to use some DNS whitelists (DNSWL); those lists are the opposite of the above ones (blacklists), that is, they list IPs known to "be good" so, a sender whose IP is listed into a whitelist should never be blocked.

The whitelists I suggest for a start (and which are as conservative as the black ones) are the following

swl.spamhaus.org
query.bondedsender.org
list.dnswl.org

the above will allow you to avoid false positives; to be clear, in some cases, a DNS blacklist may be "forced" to list a whole netblock (e.g. 192.0.2.0/24) but then, some hosts sitting on such a subnet may be "good ones", the DNS whitelists will help you avoiding issues (that is blocking those hosts), since a host which is whitelisted, will skip the blacklist checks so, mail sent from such a host won't be incorrectly blocked; to use the above whitelists in exchange you'll need to add them to the "IP allow list providers" (see http://technet.microsoft.com/en-us/library/bb123964.aspx) for details


Tags What's this?: allow (x) dnsbl (x) dnswl (x) ham (x) ip (x) list (x) spam (x) Add a tag
Flag as ContentBug
© 2012 Microsoft. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Page view tracker