Chapter 17 - Antigen Spam Manager overview


Applies to: Microsoft Antigen

The Antigen Spam Manager (ASM) provides sophisticated and robust spam detection and removal through integration of the Cloudmark anti-spam engine. The Antigen Spam Manager also provides the following features:

  • An Identify: tag message action that tags messages on detection so that spam can be routed to Junk Mail folders.
  • Integration with Microsoft® Exchange Server 2003 anti-spam options.
  • ASM Junk Folder for Microsoft Office Outlook® users and the ability for Outlook users to create allowed senders lists and block lists (Microsoft Exchange 2000 Server only).

With the release of Microsoft Antigen and the Antigen Spam Manager, the Junk Mail Folder features on the Exchange 2003 platform are unified. This improves usability and consolidates feature sets across the Antigen and Exchange platforms. Therefore, the ASM Junk Mail Folder feature has been removed for the Exchange 2003 platform.

Antigen continues to support the ASM Junk Mail Folder for the Exchange 2000 platform.

Exchange 2003 provides built-in Junk E-Mail folder functionality in conjunction with Microsoft Outlook 2003. ASM fully supports this Junk E-Mail folder functionality through the use of the Spam Confidence Level (SCL) rating, which ASM can apply to e-mail messages determined to be spam.

When upgrading from older Antigen installations on an Exchange 2003 Server, existing ASM Junk Folders are left in the users’ Microsoft Office Outlook® clients, but do not receive suspected spam e-mail unless the user sets client-side rules to route messages that have been tagged by Antigen. The Block and Allow Sender buttons are still displayed in the folder, but any rules created by using them do not function.

If ASM is configured to set the SCL rating for a suspected spam e-mail and the SCL rating for a particular message is higher than the Store Action Threshold configured in the SMTP Scan Job pane, the message is routed to the Outlook Junk Mail folder.

For new ASM installations, the functionality for Microsoft Exchange 2000 Server and Exchange 2003 installations is:

  • Exchange 2000—All functionality described in this chapter.
  • Exchange 2003—All functionality with the exception of ASM Junk Folders and automatic routing of tagged messages (MIME header or subject line) to that folder. If messages are tagged by ASM, they will be delivered to the user’s inbox unless the user sets a client-side rule to route tagged messages to a Junk Mail folder.

Configuring the anti-spam scanning settings

ASM includes anti-spam settings that use the Cloudmark anti-spam engine to detect spam e-mail.

In Antigen Version 9 with Service Pack 2, the Cloudmark anti-spam engine was introduced as an improved anti-spam option. On a fresh installation of Antigen Version 9 with Service Pack 2, Cloudmark is the anti-spam engine. To enable the Cloudmark engine for scanning, in the Antigen Administrator, click SETTINGS and then click Anti-Spam. In the Anti-Spam Settings pane, select the SMTP Scan Job and then select the Cloudmark Authority Engine check box. Next, configure the Action and whether to Send Notifications and Quarantine Files.

The action choices for the anti-spam scanning settings are as follows:

  • Skip: detect only—Spam is reported but no other action is taken on the message.
  • Purge: eliminate message—Deletes the entire message from your mail system. It cannot be recovered unless you chose to quarantine the message.
  • Identify: tag message—For details, see About the Identify: tag message action.

Configuring Cloudmark updates

Cloudmark distributes anti-spam signature updates directly to the Antigen server. This differs from the other scan engines, which receive signature updates directly from Microsoft. Cloudmark signature updates occur automatically throughout the day; they are not configurable in the Antigen Administrator.

However, administrators can schedule Antigen to check whether Cloudmark has released an engine update. An engine update replaces the scan engine with a new version, whereas a signature update adds new signatures to the existing scan engine. Because engine updates occur much less frequently than signature updates (historically once every several months, as needed), it is recommended that the engine update check be scheduled to run once daily during off hours. In the Antigen Administrator, click SETTINGS, and then click Scanner Updates. Use the Scanner Update Settings pane to schedule Cloudmark engine updates. It is also recommended that you click the Update Now button before scanning.

The Cloudmark engine uses HTTPS (port 443) to verify the user license, while signatures are downloaded over HTTP (port 80). The Antigen server must therefore be able to connect to the Internet, and both port 80 and port 443 must be open on any firewall through which the Antigen server connects. Administrators can verify the connection to the Cloudmark servers by running the following commands on the Antigen server:

  • telnet cdn-microupdates.cloudmark.com 80
  • telnet lvc.cloudmark.com 443

If either connection fails, you must configure your firewall to allow these connections.

Note

Cloudmark uses the FSEContentScanner.exe process to receive signature updates. The initial download is approximately 80 MB; after that, updates average between 80 MB and 150 MB per 24-hour period, spread out so that only a small amount of bandwidth is used each minute.

Warning

The Cloudmark anti-spam signature updates may fail when passing through a proxy server if NTLM Authentication is enabled. As a workaround, configure the proxy server to allow the Antigen server through anonymously.

Managing Cloudmark updates with FSSMC or AEM

Support for distributing Cloudmark engine updates is available in FSSMC Version 10 Rollup 3. You must have this version installed in order to administer your Cloudmark engine updates using FSSMC. Note that Cloudmark signature updates are not managed by FSSMC because they are distributed directly from the Cloudmark servers. Cloudmark is not supported in Antigen Enterprise Manager (AEM).

Submitting false positives and false negatives to Cloudmark

You can submit false positives and false negatives to Cloudmark for analysis. Information regarding target spam catch-rates, false positive and false negative rates, and other advantages of using the Cloudmark anti-spam solution can be found on the Cloudmark anti-spam Web site.

To submit false positive or false negative spam e-mails to Cloudmark, send the e-mail as an RFC 2822 attachment (.eml). Do not send misclassified messages by using the Forward command; forwarding strips them of essential header information and results in an invalid submission.

False positives (legitimate e-mail marked as spam by Cloudmark) should be sent to: Forefront-legit@submit.cloudmark.com

False negatives (spam not detected by Cloudmark) should be sent to: Forefront-spam@submit.cloudmark.com

To attach an e-mail message as an RFC 2822 attachment

  1. In Microsoft Outlook, create a new e-mail message.

  2. Address it to the appropriate address.

  3. Click the Attach Item button, select the e-mails that were falsely classified, and then click OK.

Using the GTUBE anti-spam test file to determine whether Cloudmark is detecting spam

To ensure that spam is being properly detected by the Cloudmark engine, you should verify that a GTUBE message is caught as spam. Similar to the EICAR antivirus test file, GTUBE provides a test by which you can verify that Cloudmark is detecting incoming spam. A GTUBE message should always be detected as spam by the Cloudmark engine.

Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
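The two procedures above, building a GTUBE test message and submitting a misclassified message as an RFC 2822 attachment rather than a forward, as an added example in Python. This is illustrative code, not Antigen's or Cloudmark's; the sender address and the misclassified sample message are constructed, while the GTUBE string and the two submission addresses are those given in this chapter.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
LEGIT_SUBMIT = "Forefront-legit@submit.cloudmark.com"  # false positives (from the chapter)
SPAM_SUBMIT = "Forefront-spam@submit.cloudmark.com"    # false negatives (from the chapter)
ADMIN = "antigen-admin@example.com"                    # constructed sender address

# Constructed misclassified message. Its Received and Message-ID headers are the
# evidence that the Forward command strips and an RFC 2822 attachment preserves.
SAMPLE_RAW = (
    b"Received: from mx.example.net by mail.example.com (constructed)\r\n"
    b"Message-ID: <constructed-0001@example.net>\r\n"
    b"From: newsletter@example.net\r\n"
    b"Subject: Monthly newsletter\r\n"
    b"\r\n"
    b"Hello, this is the newsletter body.\r\n"
)

def has_intact_gtube(body_text: str) -> bool:
    """True when one body line is exactly the GTUBE string; a wrapped line or an
    inserted space is not a valid test and will not be detected."""
    return any(line.rstrip("\r") == GTUBE for line in body_text.split("\n"))

def build_gtube_message(recipient: str = "user@example.com") -> EmailMessage:
    """Test message that the Cloudmark engine must always classify as spam."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = ADMIN, recipient, "GTUBE anti-spam test"
    msg.set_content("Antigen anti-spam test message.\n" + GTUBE + "\n")
    return msg

def build_submission(misclassified_raw: bytes, false_positive: bool) -> EmailMessage:
    """Submission e-mail with the original attached whole as message/rfc822 (.eml)."""
    original = message_from_bytes(misclassified_raw, policy=policy.default)
    sub = EmailMessage()
    sub["From"] = ADMIN
    sub["To"] = LEGIT_SUBMIT if false_positive else SPAM_SUBMIT
    sub["Subject"] = "Cloudmark " + ("false positive" if false_positive else "false negative")
    sub.set_content("Misclassified message attached as RFC 2822 (.eml).")
    sub.add_attachment(original, filename="misclassified.eml")  # becomes message/rfc822
    return sub

def attached_original(submission_bytes: bytes):
    """Re-parse a submission as the receiver would; return the embedded original or None."""
    sub = message_from_bytes(submission_bytes, policy=policy.default)
    for part in sub.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()  # inner EmailMessage, headers intact
    return None
```

Re-parsing the serialized submission shows the Received and Message-ID headers of the original surviving inside the message/rfc822 part, which is what makes the submission valid.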

About the Identify: tag message action

When ASM is enabled, the Identify: tag message action is available for all filtering and anti-spam functions. This action enables administrators to select how they would like a suspect message to be tagged for later identification. You can choose from the following options:

Setting Description

Tag subject line

The text specified in the Tag Text dialog box is added to the subject line of the message. The Tag Text dialog box can be accessed by clicking the Tag Text button on the SMTP Scan Job Settings pane. This setting can be used to enable Outlook users to route suspected spam e-mail to a Junk Mail folder by setting client-side rules in their Outlook client.

Message Header

The text specified in the Tag Text dialog box is added to the MIME header. This setting can be used to enable Outlook users to route suspected spam e-mail to a Junk Mail folder by setting client-side rules in their Outlook client.

Set SCL property

Sets the SCL rating on the message to indicate that Antigen determined the message to be spam. To use this action, you must select the Enable SCL Rating option in the General Options pane. Antigen always sets the SCL rating to level 9. The Store Action Threshold in the SMTP Scan Job Settings work pane must also be set to 8 or lower. Using this setting allows Outlook to route suspected spam e-mail to the Outlook Junk Mail folder.

Move to ASM Junk Mail

Routes all messages that match a content filter or are identified as spam to the ASM Junk Mail folder in the user’s Outlook desktop.

Note

To use this action, you must select the Enable Junk Mail Folders option in the General Options pane (Exchange 2000 only).

Note

Multiple options may be checked for each filter.
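An added illustrative model in Python (not Antigen's code) of how these options interact on Exchange 2003: the SCL rating Antigen sets (always 9) routes a message to the Junk E-Mail folder only when it is higher than the Store Action Threshold, while a subject or header tag moves a message only through a client-side rule. The header field name X-ASM-Tag and the sample message are assumptions; the chapter does not name the MIME header.

```python
from email.message import EmailMessage

ASM_SCL = 9               # Antigen always sets the SCL rating to level 9 (from the chapter)
TAG_HEADER = "X-ASM-Tag"  # assumed field name; the chapter does not name the MIME header

def sample_message(subject: str) -> EmailMessage:
    """Constructed inbound message used to exercise the tag actions below."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.net", "user@example.com", subject
    msg.set_content("constructed body")
    return msg

def apply_identify_action(msg: EmailMessage, tag_text: str, *, tag_subject: bool = False,
                          tag_header: bool = False, set_scl: bool = False):
    """Model of the Identify: tag message options (several may be checked at once).
    Returns the SCL rating the store would carry, or None when Set SCL property is off."""
    if tag_subject:
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = f"{tag_text} {subject}".strip()
    if tag_header:
        msg[TAG_HEADER] = tag_text
    return ASM_SCL if set_scl else None

def deliver_folder(msg: EmailMessage, scl, store_action_threshold: int,
                   client_rule_tag: str = "") -> str:
    """Folder an Exchange 2003/Outlook 2003 user finds the message in. The store routes
    to Junk E-Mail only when the SCL is higher than the Store Action Threshold; a
    subject or header tag moves a message only if the user has a client-side rule."""
    if scl is not None and scl > store_action_threshold:
        return "Junk E-Mail"
    if client_rule_tag and (client_rule_tag in str(msg.get("Subject", ""))
                            or str(msg.get(TAG_HEADER, "")) == client_rule_tag):
        return "Junk E-Mail"
    return "Inbox"
```

A threshold of 9 silently defeats the Set SCL property option, because 9 is never higher than 9; that is why the chapter requires 8 or lower.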

Outlook Junk Mail folders and user Junk Mail options

When installed on Exchange 2000 servers, ASM enables Outlook users to configure their own Junk Mail settings to block or approve specific senders. When the Junk Mail folders are enabled, administrators can use Antigen to tag suspected spam messages so that the messages are automatically routed to the ASM Junk Mail folder in Outlook.

To enable Junk Mail folders, administrators must first create the client-side Junk Mail folders using the Antigen General Options setting Enable Junk Mail Folders. When the Junk Mail folders have been enabled, you must select the option Move to ASM Junk Mail as one of the actions in the Identify: tag message action selection box for the anti-spam scanning settings or for content filters.

Note

The Windows® World Wide Web Publishing Service must be started, IIS must be installed, and for Exchange 2000, the .NET Framework must be installed for ASM Junk Mail folders to function properly.
If your IIS server is configured to use SSL and you are using the ASM Junk Mail feature, you must change the Antigen registry DWORD value named UsingSSL to 1.

When the ASM Junk Mail folders have been created, the following settings will be enabled in Outlook for each user:

Setting Description

Approve Sender

Enables users to add safe e-mail senders to a personal allowed senders list.

Block Sender

Enables users to add unwanted e-mail senders to a personal block list.

ASM Manager

Enables users to edit their approve sender and block sender rules.

Purge Junk Mail

Enables users to purge their Junk Mail folder manually or schedule a purge cycle.

To access the Junk Mail folder, click the ASM Junk Mail folder that appears in the Outlook All Mail Folders area of the navigation shuttle.

The page displays any mail addressed to the user that Antigen has identified as junk. Click the appropriate button in the menu bar to approve or block specific senders, edit rules, or configure the purge cycle for the Junk Mail folder. Each task is described in the following sections.

Note

Outlook server-side rules take precedence over ASM Junk Mail folder settings.
If the Outlook user’s Microsoft Internet Explorer® settings are configured to use a proxy server, the Bypass proxy server for local addresses option must be checked for the user to access the ASM Junk Mail homepage. (To set this option in Internet Explorer, select Internet Options from the Tools menu. Next, click the Connections tab and then click LAN Settings. In the Local Area Network (LAN) Settings dialog box, select the Bypass proxy server for local addresses check box, and then click OK two times to exit the Internet Options dialog box.)
If a user sets the AutoArchive feature for the ASM Junk Mail folder by using the Properties settings for the folder, the setting overrides the ASM Purge: eliminate message setting.

Approving senders

If mail is incorrectly identified as spam, you can configure Antigen to allow future messages from that sender to bypass spam filtering and content filtering. To do so, select a message from a sender you trust and click the Approve Sender button. The message is moved to the inbox, and future messages from the sender are not filtered by the anti-spam engine or content filtering. Each sender to be trusted must be configured individually.

Blocking senders

If spam has been missed and delivered to your inbox, you can configure Antigen to block messages from the same sender in the future. To do so, you must first move unwanted messages from your inbox to the ASM Junk Mail folder using Outlook's Move to Folder function. When the mail is in the ASM Junk Mail folder, select the message, and then click the Block Sender button. The message is deleted from the Junk Mail folder, and future messages from the sender are automatically blocked. Each sender to be blocked must be configured individually.

Managing rules

To edit the approve sender and block sender rules, click ASM Manager. The Advanced Spam Manager work pane opens to enable you to modify your Junk Mail folder rules.

All rules that are currently enabled are displayed in the window. You can edit, delete, or add rules as needed.

  • To delete a rule, click Delete in the column of the rule that you want to delete.

  • To edit a rule, click Edit in the column of the rule that you want to edit. A work pane appears so that you can modify the sender e-mail address.
    To modify the e-mail address in the rule, click Update. A dialog box appears for the e-mail address field. After you make changes, click OK to accept the changes or click Cancel to discard the changes.

  • To add a rule, click the Add Rule button, and then complete the following fields in the Add Rule dialog box:

    Setting Description

    Rule Type

    Select Approve or Block.

    Sender

    Enter the e-mail address that you would like to approve or block.

    Click OK when you have completed both fields.

Purging Junk Mail

Antigen can be configured to purge your ASM Junk Mail folder at set intervals. Click the Mail Purge button and enter the number of days that you would like messages to remain in your ASM Junk Mail folder.
