Configuring spam filtering

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic provides information that will help you manage the anti-spam features in Forefront TMG. Spammers, or malicious senders, use a variety of techniques to send spam into your organization. No single tool or process can eliminate all spam. Forefront TMG provides a layered, multipronged, and multifaceted approach to reducing spam. The layered approach to reducing spam refers to the configuration of several anti-spam features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.

The following procedures describe how to access the Spam Filtering tab, and configure the filters you want to use:

  • Accessing the Spam Filtering tab

  • Configuring the IP Allow List

  • Configuring IP Allow List Providers

  • Configuring the IP Block List

  • Configuring IP Block List Providers

  • Configuring Content Filtering

  • Configuring Recipient Filtering

  • Configuring Sender Filtering

  • Configuring Sender ID

  • Configuring Sender Reputation

Prerequisites

Before you configure the spam filters, make sure you complete the following:

  • Install the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES) on each Forefront TMG server in the array, as described in Installing prerequisites for e-mail protection.

  • Create the initial SMTP routes using the E-Mail Policy Wizard, as described in Configuring SMTP routes.

  • Enable spam protection, either by using the E-Mail Policy Wizard, or by clicking Enable Spam Filtering from the Tasks pane of the Spam Filtering tab.

Accessing the Spam Filtering tab

To access the Spam Filtering tab

  1. In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.

  2. In the details pane, click the Spam Filtering tab.

  3. Click the filter you want to configure from the list, and configure it according to the instructions that follow.

Configuring the IP Allow List

Use the IP Allow List to create and manage a list of specific IP addresses for which Forefront TMG should send inbound messages to their destinations without additional processing by other anti-spam agents.

To configure the IP Allow List

  1. Click IP Allow List, and on the General tab, verify that Status is set to Enabled.

  2. On the Allowed Addresses tab, click Add. Type an IP address range, and then click OK to add that range to the Remote IP addresses list.

  3. Click OK. To save your changes, on the Apply Changes bar, click Apply.

Configuring IP Allow List Providers

IP Allow List providers are services that maintain lists of IP addresses that are definitively known not to be associated with any spam activity. When an IP Allow List provider is enabled, messages are checked as they come into the Edge Transport server.

To configure IP Allow List Providers

  1. Click IP Allow List Providers, and on the General tab, verify that Status is set to Enabled.

  2. On the Providers tab, click Add to add a new provider to the IP Allow List providers.

  3. Enter the following information:

    • Provider name—In this field, type the name of the IP Allow List provider service. This name is for your own use to identify the provider.

    • Lookup domain—In this field, type the domain name that the Connection Filter agent queries for updated IP Allow list information.

    • Match any return code—When you select this option, the Connection Filter agent treats any IP address status code that is returned by the IP Allow List provider service as a match.

    • Match to the following mask—When you select this option, the Connection Filter agent acts only on messages that match the return status code of 127.0.0.x, where the integer x is any one of the following values:

      1—The IP address is on an IP Allow list.

      2—The Simple Mail Transfer Protocol (SMTP) server is configured to act as an open relay.

      4—The IP address supports a dial-up IP address.

    • Match any of the following responses—When you select this option, the Connection Filter agent acts only on messages that match the same IP address status code that is returned by the IP Allow List provider service.

  4. Click OK, and to save your changes, on the Apply Changes bar, click Apply.

Configuring the IP Block List

Use the IP Block List feature to designate IP addresses that are not able to submit messages to this server. If an originating IP address matches an IP address or IP address range on the IP Block list, Forefront TMG disconnects the Simple Mail Transfer Protocol (SMTP) session after all RCPT TO: headers in the message are processed.

To configure the IP Block List

  1. Click IP Block List, and on the General tab, verify that Status is set to Enabled.

  2. On the Blocked Addresses tab, click Add, and type an IP address or a range of IP addresses to block. If you want to set an expiration date, under Expiration, click Block until date and time and select a date and time.

  3. Click OK to add the blocked addresses to the Blocked Addresses list.

  4. Click OK. To save your changes, on the Apply Changes bar, click Apply.

Configuring IP Block List Providers

IP Block List providers are services that list IP addresses that are known to send junk e-mail. Your configuration can use multiple IP Block List provider services in addition to a custom IP Block list.

It is recommended that you put the most robust IP Block List provider service first to optimize performance. When Forefront TMG receives an IP Block List match, Forefront TMG stops querying other IP Block List provider services.

To configure IP Block List Providers

  1. Click IP Block List Providers, and on the General tab, verify that Status is set to Enabled.

  2. On the Providers tab, click Add to add a new provider to the IP Block List providers.

  3. Enter the following information:

    • Provider name—In this field, type the name of the IP Block List provider service. This name is for your own use to identify the provider.

    • Lookup domain—In this field, type the domain name that the Connection Filter agent queries for updated IP Block list information.

    • Match any return code—When you select this option, the Connection Filter agent treats any IP Address status code that is returned by the IP Block List provider service as a match.

    • Match to the following mask—When you select this option, the Connection Filter agent acts only on messages that match the return status code of 127.0.0.x, where the integer x is any one of the following values:

      1—The IP address is on an IP Block list.

      2—The Simple Mail Transfer Protocol (SMTP) server is configured to act as an open relay.

      4—The IP address supports a dial-up IP address.

    • Match any of the following responses—When you select this option, the Connection Filter agent acts only on messages that match the same IP address status code that is returned by the IP Block List provider service.

  4. Click OK, and to save your changes, on the Apply Changes bar, click Apply.
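The provider matching rules described above for both IP Allow List providers and IP Block List providers (a lookup domain, "match any return code", "match to the following mask", and "match any of the following responses") are easier to reason about as code. The following Python is an added example written for this page; it is not Forefront TMG or Exchange code. It assumes the usual DNS-based list convention of querying the reversed IP octets under the lookup domain, interprets "match to the following mask" as a bitwise test of the selected values (1, 2, 4) against the returned 127.0.0.x code, and replaces real DNS with a constructed lookup table (FAKE_DNS). It also models the first-match-wins ordering the text describes for block list providers.

```python
import ipaddress

# Bit meanings of the 127.0.0.x status codes listed in the text.
LISTED, OPEN_RELAY, DIAL_UP = 1, 2, 4

# Constructed stand-in for DNS: query name -> A record answer.
# Names that are absent are "not listed" (the lookup returns None).
FAKE_DNS = {
    "4.3.2.1.bl.example.test": "127.0.0.2",       # listed as an open relay
    "8.7.6.5.bl.example.test": "127.0.0.6",       # open relay + dial-up (2 | 4)
    "9.9.9.9.second.example.test": "127.0.0.1",   # listed only by the second provider
}

# Constructed provider configuration, in the order the agent queries them.
PROVIDERS = [
    {"name": "primary", "lookup_domain": "bl.example.test",
     "match": "mask", "mask": OPEN_RELAY | DIAL_UP},
    {"name": "secondary", "lookup_domain": "second.example.test",
     "match": "any"},
]


def dnsbl_query_name(ip, lookup_domain):
    """Build the name queried under the provider's lookup domain:
    the address octets reversed, e.g. 1.2.3.4 -> 4.3.2.1.<lookup domain>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + lookup_domain


def status_code(answer):
    """Return x from a 127.0.0.x answer, or None for no answer / other data."""
    if answer is None:
        return None
    parts = answer.split(".")
    if len(parts) == 4 and parts[:3] == ["127", "0", "0"]:
        return int(parts[3])
    return None


def provider_matches(provider, answer):
    """Apply the provider's configured match rule to one DNS answer."""
    x = status_code(answer)
    if x is None:
        return False
    mode = provider["match"]
    if mode == "any":            # "Match any return code"
        return True
    if mode == "mask":           # "Match to the following mask" (assumed bitwise)
        return (x & provider["mask"]) != 0
    if mode == "responses":      # "Match any of the following responses"
        return answer in provider["responses"]
    raise ValueError(f"unknown match mode {mode!r}")


def lookup(ip, provider, dns=FAKE_DNS):
    """Resolve the provider's query name for ip against the constructed DNS table."""
    return dns.get(dnsbl_query_name(ip, provider["lookup_domain"]))


def first_block_list_match(ip, providers=PROVIDERS, dns=FAKE_DNS):
    """Query providers in configured order and stop at the first match,
    mirroring the behaviour the text describes for IP Block List providers.
    Returns (provider name, answer) or None when no provider matches."""
    for provider in providers:
        answer = lookup(ip, provider, dns)
        if provider_matches(provider, answer):
            return provider["name"], answer
    return None


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9", "10.0.0.1"):
        print(ip, "->", first_block_list_match(ip))
```

Because the walk stops at the first provider that matches, the order of PROVIDERS decides which service answers for an address listed by more than one provider, which is why the text recommends putting the most robust provider first. The same provider_matches logic applies to allow list providers; only the consequence of a match differs.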

Configuring Content Filtering

The Spam Content filter evaluates inbound e-mail messages, and assesses the probability that an inbound message is legitimate or spam. The filter assigns a spam confidence level (SCL) rating to each inbound message that comes from the Internet. The SCL rating is a number between 1 and 9; the higher the rating, the greater the likelihood that the message is spam.

You can configure the Content Filter agent to take the following actions on messages according to their SCL rating:

  • Delete the message.

  • Reject the message.

  • Quarantine the message.

For example, you might determine that messages that have an SCL rating of 7 or higher must be deleted, messages that have an SCL rating of 6 must be rejected, and messages that have an SCL rating of 5 must be quarantined.

You can adjust the SCL threshold behavior by assigning different SCL ratings to each of these actions. Setting a low value will cause too many messages to be rejected as spam; setting a high value will allow too many to pass through.

The Content Filter is the last filter to scan inbound messages. Therefore, the settings of the SCL thresholds and threshold actions are very important. If you set the SCL thresholds too high, you might not reduce the spam that enters your organization. If you set the SCL thresholds too low, the risk is that you will block messages from legitimate users.

On the Content Filtering properties sheet, you can customize the following:

  • Custom Words—Define custom words and set custom key words for tagging messages to be filtered or not filtered.

  • Exceptions—Designate recipients for which content filtering will not be used.

  • Action—Configure the spam confidence level (SCL) thresholds and set the action to take on messages based on their SCL rating.

To configure Content Filtering

  1. Click Content Filtering, and on the General tab, verify that Status is set to Enabled.

  2. On the Custom Words tab, you can do the following:

    • To specify an Allow word or phrase, under Messages containing these words or phrases will not be blocked, click Add. Type a word or phrase that is not likely to be contained in spam messages, and then click OK.

      Note

      When Forefront TMG encounters an allowed word or phrase, the SCL rating on that message is set to 1.

    • To specify a Block word or phrase, under Messages containing these words or phrases will be blocked, unless the message contains a word or phrase from the list above, click Add. Type a word or phrase that is likely to be contained in a spam message, and then click OK.

      Note

      When Forefront TMG encounters a blocked word or phrase, the SCL rating on that message is set to 9.

  3. To specify recipient exceptions for content filtering, on the Exceptions tab, click Add, type a Simple Mail Transfer Protocol (SMTP) address, and then click OK. Do this for each e-mail address you want to exclude from content filtering scans.

  4. To configure the spam confidence level (SCL) thresholds, click the Action tab, enable the content filter actions, and set the SCL thresholds as appropriate for your organization. You can configure the following options:

    • Delete messages that have an SCL rating greater than or equal to—Deletes the message but does not inform the sending server of the deletion. Instead, the computer that has the Edge Transport server role installed sends a fake "OK" SMTP command to the sending server and then deletes the message. Because the sending server assumes that the message was sent, the sending server does not retry sending the message in the same session. The default SCL threshold setting is 9.

    • Reject messages that have an SCL rating greater than or equal to—Rejects the message and sends an SMTP error response to the sending server. The default SCL threshold setting is 9.

    • Quarantine messages that have an SCL rating greater than or equal to—Quarantines the message and sends it to the spam quarantine mailbox that you specify in the Quarantine mailbox address box. The default SCL threshold setting is 9.

  5. Click OK. To save your changes, on the Apply Changes bar, click Apply.
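To see how the SCL thresholds, the custom word lists and the recipient exceptions interact, here is an added Python example (not Forefront TMG code) that uses the thresholds from the example earlier in this section: delete at 7 or higher, reject at 6, quarantine at 5. The word lists, recipients and exception address are constructed for the example. The shadowed_actions helper is this example's own addition: it reports which actions can never fire because a more severe action has an equal or lower threshold, a check worth running before clicking Apply.

```python
# Action names in order of severity; because every threshold is "greater than
# or equal to", the most severe enabled action whose threshold is met wins.
ACTIONS = ("delete", "reject", "quarantine")

# Constructed configuration based on the example thresholds in the text.
THRESHOLDS = {"delete": 7, "reject": 6, "quarantine": 5}
ALLOW_WORDS = ["purchase order 4471"]          # constructed allow phrase
BLOCK_WORDS = ["cheap meds", "act now!!!"]     # constructed block phrases
EXCEPTIONS = {"abuse@contoso.com"}             # constructed exception recipient


def apply_custom_words(scl, body, allow_words=ALLOW_WORDS, block_words=BLOCK_WORDS):
    """An allowed word or phrase forces SCL 1; a blocked one forces SCL 9.
    Allowed words win, matching the "unless the message contains a word or
    phrase from the list above" rule on the Custom Words tab."""
    text = body.lower()
    if any(w.lower() in text for w in allow_words):
        return 1
    if any(w.lower() in text for w in block_words):
        return 9
    return scl


def content_filter_action(scl, thresholds=THRESHOLDS, enabled=ACTIONS):
    """Map an SCL rating to the action that fires for it, or "deliver"."""
    for action in ACTIONS:
        if action in enabled and scl >= thresholds[action]:
            return action
    return "deliver"


def shadowed_actions(thresholds, enabled=ACTIONS):
    """Enabled actions that can never fire because a more severe enabled
    action has an equal or lower threshold (example's own sanity check)."""
    shadowed = set()
    for i, action in enumerate(ACTIONS):
        if action not in enabled:
            continue
        for stronger in ACTIONS[:i]:
            if stronger in enabled and thresholds[stronger] <= thresholds[action]:
                shadowed.add(action)
    return shadowed


def decide(scl, body, recipient, thresholds=THRESHOLDS, exceptions=EXCEPTIONS):
    """Full decision for one inbound message: an exception recipient bypasses
    content filtering, then custom words adjust the SCL, then thresholds apply."""
    if recipient.lower() in {e.lower() for e in exceptions}:
        return "deliver"
    effective = apply_custom_words(scl, body)
    return content_filter_action(effective, thresholds)


if __name__ == "__main__":
    samples = [
        (8, "Limited offer, cheap meds inside", "kim@contoso.com"),
        (6, "Quarterly report attached", "kim@contoso.com"),
        (5, "Lunch on Friday?", "kim@contoso.com"),
        (3, "cheap meds, re purchase order 4471", "kim@contoso.com"),
        (9, "cheap meds", "abuse@contoso.com"),
    ]
    for scl, body, rcpt in samples:
        print(scl, rcpt, "->", decide(scl, body, rcpt))
    print("shadowed at the default of 9 for every action:",
          shadowed_actions({"delete": 9, "reject": 9, "quarantine": 9}))
```

Note what the sanity check reports for the defaults: with all three actions enabled at 9, only Delete ever fires, so Reject and Quarantine are shadowed. Spacing the thresholds, as in the text's 7/6/5 example, is what gives each action its own band.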

Configuring Recipient Filtering

Use recipient filtering to help you prevent the acceptance of messages in the following scenarios:

  • Nonexistent recipients—You can prevent delivery to recipients that are not in the Global Address list. For example, you might want to stop delivery to frequently misused account names (for example, administrator@contoso.com, or support@contoso.com).

    Note

    • The nonexistent recipients feature is only available if your Forefront TMG array is subscribed to a Microsoft Exchange organization.

    • For more information about the Global Address list, see Understanding Address Lists in the Microsoft Exchange 2007 documentation.

  • Restricted distribution lists—You can prevent delivery of Internet mail to distribution lists that should be used only by internal users.

    Note

    • The restricted distribution lists feature is only available if your Forefront TMG array is subscribed to a Microsoft Exchange organization.

    • For more information about restricted distribution lists, see Recipient Filtering in the Microsoft Exchange 2007 documentation.

  • Mailboxes that should never receive messages from the Internet—You can prevent delivery of Internet mail to a specific mailbox or alias that is typically used inside the organization (e.g., Helpdesk).

To configure Recipient Filtering

  1. Click Recipient Filtering, and on the General tab, verify that Status is set to Enabled.

  2. On the Blocked Recipients tab, do the following:

    • To automatically block messages to addresses that are for internal use only, select the Block messages sent to recipients not listed in the Global Address list check box.

    • To enable recipient blocking, select the Block the following recipients check box. Click Add and type the SMTP address for a recipient, and then click OK to add that recipient to the Recipient Block list.

  3. Click OK. To save your changes, on the Apply Changes bar, click Apply.

Configuring Sender Filtering

The Sender Filter allows you to block single senders (for example, kim@contoso.com), whole domains (for example, .contoso.com), or domains and all subdomains (for example, *.contoso.com). You can also configure what action the Sender Filter should take when a message that has a blocked sender is found. You can configure the following actions:

  • Reject the SMTP request with a "554 5.1.0 Sender Denied" SMTP session error, and close the connection.

  • Stamp the message as a "blocked sender" and continue processing. Because the message came from a blocked sender and it is marked as such, the Content Filter agent will use this information when it calculates the spam confidence level (SCL).

Important

The MAIL FROM: SMTP headers can be spoofed. Therefore, you should not rely on the Sender Filter agent only. Use the Sender Filter agent and the Sender ID agent together. The Sender ID agent uses the originating IP address of the sending server to try to verify that the domain in the MAIL FROM: SMTP header matches the domain that is registered. For more information about the Sender ID agent, see Configuring Sender ID below.

To configure Sender Filtering

  1. Click Sender Filtering, and on the General tab, verify that Status is set to Enabled.

  2. On the Blocked Senders tab, click Add.

    1. To block a specific sender, select the Individual e-mail address option, and then type the e-mail address in the text box (for example, kim@contoso.com).

    2. To block a domain, select the Domain option, and type the domain in the text box (for example, contoso.com). If you want to block all subdomains of the domain that is specified in the text box (for example, mail.contoso.com), select the Include all subdomains check box.

  3. Select the Block Messages from blank senders check box to block inbound messages from senders that do not specify a sender and a domain in the MAIL FROM: SMTP header. This feature helps prevent denial of service (DoS) attacks on your SMTP server. Most legitimate Simple Mail Transfer Protocol (SMTP) messages come from SMTP servers that provide a sender and a domain in the MAIL FROM SMTP command.

  4. On the Action tab, select the action to take when the message is generated from a sender or domain on the Blocked Senders list.

    Note

    Reject message is the default setting.

  5. To save your changes, click OK, and then on the Apply Changes bar, click Apply.
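The matching behaviour of the Blocked Senders tab (an individual address, a domain, a domain with all subdomains, and the blank-sender option) together with the two actions on the Action tab, as an added Python example that is not Forefront TMG code. The sample MAIL FROM commands and the rule list are constructed. Treating a reverse-path that has no "@" as a blank sender is this example's own choice, and the "blocked sender" stamp is represented as a plain label rather than any particular header.

```python
import re

# Constructed Blocked Senders list. A leading dot on a domain, as in the
# ".contoso.com" example in the text, is accepted and stripped.
BLOCKED_SENDERS = [
    {"type": "address", "value": "kim@contoso.com"},
    {"type": "domain", "value": ".fabrikam.com", "subdomains": False},
    {"type": "domain", "value": "spam.example", "subdomains": True},
]

# MAIL FROM:<reverse-path> with optional trailing parameters such as SIZE=.
MAIL_FROM_RE = re.compile(r"\s*MAIL\s+FROM:\s*<([^>]*)>.*", re.IGNORECASE | re.DOTALL)


def parse_mail_from(command):
    """Return the reverse-path from a MAIL FROM command, lower-cased.
    The null sender '<>' yields the empty string."""
    match = MAIL_FROM_RE.fullmatch(command)
    if match is None:
        raise ValueError(f"not a MAIL FROM command: {command!r}")
    return match.group(1).strip().lower()


def sender_is_blocked(sender, rules=BLOCKED_SENDERS, block_blank=True):
    """True when the sender matches a rule, or is blank and blanks are blocked."""
    # No sender and domain at all: the "Block messages from blank senders"
    # option decides (example's own choice for paths without an "@").
    if "@" not in sender:
        return block_blank
    domain = sender.rsplit("@", 1)[1]
    for rule in rules:
        value = rule["value"].lower().lstrip(".")
        if rule["type"] == "address" and sender == value:
            return True
        if rule["type"] == "domain":
            if domain == value:
                return True
            if rule.get("subdomains") and domain.endswith("." + value):
                return True
    return False


def sender_filter(command, rules=BLOCKED_SENDERS, block_blank=True, action="reject"):
    """Decide what happens to the SMTP transaction for one MAIL FROM command."""
    sender = parse_mail_from(command)
    if not sender_is_blocked(sender, rules, block_blank):
        return ("accept", None)
    if action == "reject":
        # Reject and close the connection, as described for the default action.
        return ("reject", "554 5.1.0 Sender Denied")
    # Stamp and continue so the Content Filter can use the mark in its SCL.
    return ("stamp", "blocked sender")


if __name__ == "__main__":
    for cmd in ("MAIL FROM:<kim@contoso.com>", "MAIL FROM:<bob@contoso.com>",
                "MAIL FROM:<x@mail.fabrikam.com>", "MAIL FROM:<x@mail.spam.example>",
                "MAIL FROM:<>"):
        print(cmd, "->", sender_filter(cmd))
```

The fabrikam.com rule shows the difference the Include all subdomains check box makes: mail from mail.fabrikam.com is accepted because the rule matches the domain exactly, whereas the spam.example rule also catches every subdomain.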

Configuring Sender ID

Sender ID tries to verify that every e-mail message originates from the Internet domain from which it claims to have been sent. Sender ID is intended to combat the impersonation of a sender and a domain, a practice that is frequently called spoofing. A spoofed mail is an e-mail message whose sending address has been modified to appear as if it originates from a sender other than the actual sender of the message.

Sender ID makes spoofing more difficult. When you enable Sender ID, Forefront TMG checks the address of the server that sends the message against a registered list of servers that the domain owner has authorized to send e-mail.

You can configure Sender ID to take one of the following actions when Sender ID determines that a message is spoofed, or when a transient error is returned:

  • Reject message—This is the default action. It rejects the message and sends an SMTP error response to the sending server. The SMTP error response is a 5xx level protocol response with text that corresponds to the Sender ID status.

  • Delete message—Deletes the message without informing the sending server of the deletion. Instead, the server that has Edge Transport installed sends a fake "OK" SMTP command to the sending server and then deletes the message. Because the sending server assumes that the message was sent, the sending server will not retry sending the message in the same session.

  • Stamp message with Sender ID result and continue processing—The Sender ID status is included in the metadata of all inbound messages to your organization. This metadata is evaluated by the Content Filter when a spam confidence level (SCL) is calculated. Additionally, sender reputation uses the message metadata when it calculates a sender reputation level (SRL) for the sender of the message.

To configure Sender ID

  1. Click Sender ID, and on the General tab, verify that Status is set to Enabled.

  2. On the Action tab, select the action to take if the Sender ID check fails.

    Note

    Reject message is the default setting.

  3. Click OK to save your changes and close the dialog box, and then on the Apply Changes bar, click Apply.

Configuring Sender Reputation

Sender reputation continuously monitors senders and their past SMTP interactions, such as how much spam and how much legitimate mail a sender has sent. Sender reputation relies on such data about the sender to determine what action, if any, to take on an inbound message.

The Sender Reputation filter generates a sender reputation level (SRL) for the sender of a message. The SRL is a number between 0 and 9 that predicts the probability that a specific sender is a spammer or malicious sender. A value of 0 indicates that the message is not likely to be spam. A value of 9 indicates that a message is likely to be spam.

Testing for open proxy servers

Sender reputation uses a number of criteria to calculate the SRL. One optional element of the SRL calculation is a test for open proxy servers. An open proxy is a proxy server that accepts connection requests from anyone anywhere, and forwards the traffic as if it originated from the local host. Open proxies can exist because of either of the following conditions:

  • Unintentional misconfiguration

  • Malicious Trojan horse programs. A Trojan horse program is a program that masquerades as another common program in an attempt to receive information.

Because open proxies frequently have insufficient logging, they provide an ideal way for malicious users to hide their true identities and launch denial of service (DoS) attacks or send spam.

Configuring the sender reputation level block threshold

You can configure the threshold for sender blocking by SRL. This SRL block threshold defines the SRL value that must be exceeded for sender reputation to block a sender. By default, the SRL threshold value is 7. Use caution when you set the SRL threshold. A threshold that is too low may unintentionally block legitimate senders. A threshold that is too high may not block malicious senders or spammers. If a sender's SRL is equal to or greater than the SRL block threshold, that sender is added to the IP Block list for 0 to 48 hours. The default is 24 hours.

Tip

You should monitor the effectiveness of the agent at the default level and then adjust the value to meet the needs of your organization.

To configure Sender Reputation

  1. Click Sender Reputation, and on the General tab, verify that Status is set to Enabled.

  2. On the Sender Confidence tab, select or clear the Perform an open proxy test when determining sender confidence level check box as appropriate.

  3. On the Action tab, drag the Sender Reputation Level Block Threshold slider to the required threshold.

  4. Under Threshold Action, click the Up or Down arrow on the When the sender reputation block threshold is exceeded, add the sender to the IP Block list for the following duration (hours) box to set the number of hours that the sender remains on the IP Block list.

    Tip

    You can set the number of hours for which the sender is added to the IP Block list to 0, in order to monitor sender reputation without disrupting mail flow.

  5. Click OK to save your changes, and then on the Apply Changes bar, click Apply.

Tasks

Installing prerequisites for e-mail protection

Concepts

Configuring protection from e-mail-based threats
Planning to protect against e-mail threats