Configuring Sender Reputation
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2010-01-08
This topic explains how to configure sender reputation functionality. For customized or more advanced configuration, see the links in each section of this topic. For more information about how sender reputation works, see Sender Reputation.
When sender reputation is enabled on a computer, sender reputation filters all messages that come through all Receive connectors on that computer. Only messages that come from external sources are filtered. External sources are defined as non-authenticated sources, which are considered anonymous Internet sources.
For more information about how to configure Receive connectors and how source message categories are determined, see Receive Connectors.
As a best practice, you should not filter messages from trusted partners or from inside your organization. When you run anti-spam filters, there is always a chance that the filters will detect false positives. To reduce the chance that legitimate e-mail messages will be mishandled, you should enable anti-spam agents to run only on messages from potentially untrusted and unknown sources.
When you configure sender reputation, you must follow these steps:
Enable sender reputation.
Set the threshold for sender blocking by sender reputation level (SRL).
Set the duration for sender blocking.
Enable detection of open proxy servers.
Configure outbound access for detection of open proxy servers.
|Configuration changes that you make to the sender reputation settings by using the Exchange Management Console or the Exchange Management Shell are made only to the local computer that has the Edge Transport server role installed. If multiple instances of the Edge Transport server role are running in your organization, you must apply sender reputation configuration changes to each computer.|
By default, sender reputation processing is enabled on the Edge Transport server for inbound messages that come from the Internet but are not authenticated. For more information, see How to Enable Sender Reputation.
The SRL is a number between 0 and 9 that predicts the probability that a specific sender is a spammer or otherwise malicious user. For more information about how sender reputation calculates an SRL, see Sender Reputation. You must set a threshold for sender blocking by SRL. This SRL block threshold defines the SRL value that must be exceeded for sender reputation to block a sender. By default, the SRL is set at 7. You should monitor the effectiveness of the agent at the default level. You may find that you can adjust the value to meet the needs of your organization. If you set other anti-spam agents aggressively, you may be able to set a higher SRL threshold for sender reputation than you would if the other anti-spam agents were not set aggressively. For more information about how to adjust anti-spam configurations so that they work together to reduce spam, see Anti-Spam and Antivirus Functionality.
If the SRL block threshold is exceeded for a particular sender, sender reputation adds the sender to the IP Block list on the Connection Filter agent. Sometimes, spammers send batches of spam from a single sender. In this scenario, if sender reputation calculates an SRL that exceeds the SRL block threshold, the sender is added to the Sender Block list for a configurable duration of time. The default duration is 24 hours. After 24 hours, the sender is removed from the Sender Block list and can send messages again.
When a sender is added to the IP Block list, sender reputation deletes the profile for the sender. Sender reputation deletes the profile because the blocked sender's existing profile indicates that the sender's SRL exceeds the SRL block threshold. This would cause the blocked sender to be added to the IP Block list again as soon as the duration for sender blocking ends.
For more information, see How to Set the Sender Reputation Level Block Threshold.
As explained in Sender Reputation, sender reputation evaluates several sender characteristics to calculate an SRL. Among the characteristics that sender reputation evaluates are the results of a test for open proxy servers. Frequently, spammers route messages through open proxy servers on the Internet. By routing spam through open proxy servers, spammers can send messages that appear to originate from a different server than their own.
When sender reputation calculates an SRL, sender reputation tries to connect to the sender's originating IP address by using a variety of common proxy protocols, such as SOCKS4, SOCKS5, HTTP, Telnet, Cisco, and Wingate. Sender reputation formats a protocol-specific request in an attempt to connect back to the Edge Transport server from the open proxy server by using a Simple Mail Transfer Protocol (SMTP) request. If an SMTP request is received from the proxy server, sender reputation verifies that the proxy server is an open proxy server and adjusts the SRL rating according to this result. By default, detection of open proxy servers is enabled on sender reputation.
For more information about how to enable detection of open proxy servers, see How to Enable or Disable Open Proxy Server Detection for Sender Reputation.
For more information about how to configure detection of open proxy server, see How to Configure Outbound Access for Detection of Open Proxy Servers for Sender Reputation.
For more information about how to configure sender reputation by using the Exchange Management Shell, see the following topics:
For more information about sender reputation, see the following topics: