A Comprehensive Anti-Spam and Antivirus Solution: Microsoft IT's Rollout

A Comprehensive Anti-Spam and Antiv...

Collapse All

Topic Last Modified: 2007-08-06

Looking for ways to help secure your corporate mail network from spam, viruses, and worms? In this article, we'll look at how Microsoft IT has implemented messaging protection for the Microsoft corporate mail network by using the enhancements in Microsoft Exchange Server 2007, which includes the Edge Transport server role, and Microsoft Forefront Security for Exchange Server. We'll focus on the following:

Microsoft IT's approach to messaging protection by using the Edge Transport server role
How Microsoft IT implemented Forefront Security for Exchange Server
How Microsoft IT uses Exchange Hosted Services

Microsoft IT's Approach to Messaging Protection by Using Exchange 2007

In a large corporation like Microsoft, you can imagine the volume of e-mail and the potential spam and virus threats. The folks at Microsoft IT process close to 14 million messages per day for 130,000 mailboxes on the network. With the help of anti-spam and antivirus processing, they get rid of 95 percent of all spam messages and viruses.

How does Microsoft IT do it? They deploy Edge Transport servers at the perimeter network to perform the bulk of the spam and virus filtering before messages enter the network, thus minimizing internal network security risks and reducing the hardware costs that are associated with routing and Internet mail gateway servers. The Edge Transport server role, which is outside the Active Directory directory service forest, uses the Microsoft Exchange EdgeSync service to retrieve configuration information from the Hub Transport server. The Microsoft Exchange EdgeSync service periodically replicates recipient and configuration data from Active Directory to the Active Directory Application Mode (ADAM) instance on a computer that has the Edge Transport server role installed. For detailed information about that technology, see Kate Follis' White Paper: Edge Subscription and Synchronization.

In Exchange 2007, the Edge Transport server role is deployed as a stand-alone server in the perimeter network to provide improved antivirus and anti-spam protection for the Exchange organization. The Edge Transport server handles all Internet-facing mail flow and provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization.

Additional layers of messaging protection are provided by a series of agents that run on the Edge Transport server to act on messages as they are processed by the transport components. These agents support the features that provide antivirus and anti-spam protection and apply transport rules to control message flow.

For more information about how to plan for and deploy an Edge Transport server and manage anti-spam and antivirus protection on the Edge Transport server, see the following topics in Exchange Server 2007 Help:

Microsoft IT also uses Forefront Security for Exchange Server to enable multi-layered transport-based antivirus scanning and advanced anti-spam functionality on the Edge Transport server and Hub Transport servers. This helps block out most spam and viruses.

For all the details about Microsoft IT’s real-world messaging protection strategy, implementation, and best practices for using Exchange 2007 and Exchange Hosted Services, check out this great white paper at Microsoft IT Showcase: Microsoft Exchange Server 2007 Edge Transport and Messaging Protection.

Forefront Security for Exchange Server and Microsoft IT

Forefront Security for Exchange Server provides enhanced and efficient antivirus protection by using multiple scan engines that provide distributed protection through the transport pipeline on all storage and transport Exchange server roles, including Edge Transport servers, Hub Transport servers, Mailbox servers, and public folder servers.

Forefront Security for Exchange Server adds its own FSE Routing Agent to the Edge Transport server. The FSE Routing Agent integrates the antivirus solution with the Edge Transport subsystem to scan messages in MIME and UNIX to UNIX Encoding (UUENCODE) format.

When it is deployed on Edge Transport servers, Forefront Security for Exchange Server helps activate the Microsoft Update anti-spam update service. This allows an Edge Transport server that has Forefront Security for Exchange Server configured to connect to the Microsoft Update service for optimized frequent checks for updates of spam signature data and Microsoft IP Reputation Service data. This helps Exchange Server maintain a high-level of protection against spam. You can deploy Forefront Security for Exchange Server on the Edge Transport servers, Hub Transport servers, and Mailbox servers in an Exchange 2007 organization. For more information, see Microsoft Forefront Security for Exchange Server User Guide.

Microsoft IT deployed Forefront Security for Exchange Server not only on Edge Transport servers but also on all Hub Transport servers in the corporate production environment. In addition, Microsoft IT's defense-in-depth strategy combats spam and viruses in a layered approach by configuring Exchange Server anti-spam, antivirus scanning on the Edge Transport server and by implementing Exchange Server antivirus scanning at all transport layers, including antivirus checks on the client desktop.

Forefront Security for Exchange Server plays a large role in the antivirus solutions for Microsoft IT. Here is how Microsoft IT deployed Forefront Security for Exchange Server:

Microsoft IT deployed Forefront Security for Exchange Server on all Edge Transport servers and Hub Transport servers in the corporate production environment. The Edge Transport servers in the perimeter network scan all inbound messages from the Internet and stamp the messages by adding a secure antivirus header so that Hub Transport servers don't have to scan the messages later.
The same principle applies to outbound messages. Hub Transport servers scan all outbound messages before the messages reach the Edge Transport servers. Based on the security-enhanced antivirus header, Edge Transport servers recognize that an outbound message doesn't require an additional virus scan. This reduces processing overhead and maintains an effective level of antivirus protection for all inbound, outbound, and internal e-mail messages. It also enables Microsoft IT to deploy the Exchange 2007 Mailbox servers without Forefront Security for Exchange Server.
As discussed earlier, with Microsoft IT's multi-layered defense-in-depth strategy for anti-spam and antivirus protection, running an in-store virus scanning application is redundant. However, if there is a virus outbreak, Microsoft IT uses a virus scanning API (VSAPI) engine to clean up virus messages on Mailbox servers. Also, you can configure file-level antivirus scanning on computers that are running Exchange 2007. For more information about how to do this, see File-Level Antivirus Scanning on Exchange 2007.
Microsoft IT configured Forefront Security for Exchange Server on Edge Transport servers to automatically retrieve sender reputation and spam signature updates several times a day via Microsoft Update. By updating this information several times a day, you get more accurate connection filtering and content filtering, which recognize the most recent spam campaigns. For more information, see this article in the Exchange Server 2007 help, How to Configure Anti-Spam Automatic Updates.
Microsoft IT updates most of the antivirus scan settings on Edge Transport servers automatically through Forefront Security for Exchange Server and Microsoft Update, or through one-way replication of Active Directory data via the Microsoft Exchange EdgeSync service.

For more information about Forefront Security for Exchange Server, see the following documentation:

How Microsoft IT Uses Exchange Hosted Services

Microsoft IT uses Hosted Filtering, one of four distinct services available from Microsoft Exchange Hosted Services, as an alternative to using Edge Transport servers to provide anti-spam and antivirus protection for several of the SMTP domain namespaces at Microsoft. Hosted Filtering is a fully managed service that provides anti-spam, antivirus, and policy filtering, and failure recovery to e-mail domains. You don't have to install any additional software or hardware to use Hosted Filtering. All that you need is a Mail Exchange (MX) record change to route all inbound e-mail for a domain to the Exchange Hosted Services network for filtering. Similarly, you can route outbound e-mail to Hosted Filtering for virus scanning and policy enforcement, although Microsoft IT doesn't use this option. To help protect organizations from spam and viruses, Hosted Filtering updates spam and virus signatures several times a day and uses multiple antivirus engines.

In addition to Hosted Filtering, Exchange Hosted Services provides the following hosted services:

Hosted Archive, which helps customers satisfy retention requirements for compliance
Hosted Encryption, which helps them encrypt data to preserve confidentiality
Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations

These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information, see Microsoft Exchange Hosted Services.

For More Information

As noted earlier, Microsoft IT has documented their messaging protection strategy and best practices in the following white paper: Microsoft Exchange Server 2007 Edge Transport and Messaging Protection.

For more information about anti-spam and antivirus protection, we also recommend that you check out the following topics in the Exchange Server 2007 Help:

And again, for more information about Forefront Security for Exchange Server, see the following articles:

Bb430746.4172e5e2-9b68-4703-99e8-7a600d8fae44(en-us,EXCHG.80).jpg Mrina Natarajan - Technical Writer, Microsoft Exchange Server