Understanding Antispam Protection
Applies to: Office 365 Enterprise, Live@edu, Forefront Online Protection for Exchange
Topic Last Modified: 2012-02-29
This topic provides an overview of the anti-spam features available in Microsoft® Forefront® Online Protection for Exchange (FOPE).
FOPE has four options for managing and storing spam. Settings for these options are handled at the domain level.
Configuring Spam Quarantine: Spam Quarantine is the most widely used option for storing spam because it relieves corporate email servers of the need to process and store this type of email. Additionally, this option lets users avoid sorting through spam messages, which ultimately improves employee productivity. For this option, email that is identified as spam is redirected to the individual user’s Web-based spam mailbox that is hosted by the FOPE service. Spam messages are stored for 15 days, and then they are automatically deleted.
Configuring X-Header in FOPE: This option delivers email normally, but inserts a special X-spam header into the mail header of the email. You can add customized X-Header comments to messages that have been identified as spam by the FOPE service. The X-Header is then added to the Internet header of all subsequent spam messages. The X-Header option gives you a legitimate count of how many email messages were filtered as spam. You can also establish mail server rules or client-side rules to filter email messages that are marked with X-Headers, if needed.
Understanding Spam Redirection: Email that is identified as spam is redirected to a single SMTP address within the domain. You can then review these messages at your convenience from a single location that is hosted on your mail server.
Understanding Modify Subject in FOPE: You can add an identifying word or phrase to the subject line of messages that have been identified as spam, such as SPAM. If needed, you can then create client-side rules to filter the spam messages.
More information about each option can be found in Understanding Spam Action Settings in FOPE.
FOPE achieves enhanced accuracy with proprietary, multilayer anti-spam technology that helps ensure that unsolicited email is automatically filtered before it enters your corporate messaging systems. Once a domain has been configured and enabled for the FOPE service, an MX record for your domain is appointed to route mail through the service. After this, ongoing intervention by your IT users or administrators is no longer needed.
FOPE IP-reputation blocking serves as the first line of defense against unwanted email and blocks about 90 percent of inbound junk email through connection analysis and reputation analysis.
Each connection to the FOPE network is monitored closely and evaluated based on the SMTP commands issued by the connecting server. Nonstandard connection requests that deviate significantly from RFC standards and spoofed connection attempts are immediately dropped. This helps to shield your networks from these invalid connection attempts.
FOPE reputation-based connection blocking employs a proprietary list that, based on analysis of historical data, contains the addresses of computers connected to the Internet that are responsible for the majority of spam. Through an ongoing partnership with Microsoft® Windows Live™ Hotmail®, FOPE aggregates both consumer and corporate junk email data to populate a massive and comprehensive reputation database.
FOPE also utilizes IP reputation information from other companies and ISPs in order to provide enhanced protection from questionable IP’s and botnet attacks, which come from a collection of compromised computers running software under a common infrastructure of command and control. Spammers are frequently creating malicious web sites that they use for phishing and infecting malware. FOPE leverages a variety of sources to quickly update lists of known malicious URLs and update its content filters to block these messages.
Once a message passes the edge blocking, it must then pass the following four additional layers of anti-spam technology:
Many customers want more control over email that may contain obscene graphics, affect privacy, or attempt to trick users into disclosing sensitive information. The additional spam filter (ASF) feature within FOPE enables you apply filtering flags and quarantine messages that contain various kinds of active or suspicious content. For detailed information about the ASF filtering flags that are available, see Configuring Additional Spam Filtering Options.
The FOPE service authenticates the identity of the sender of each email message. If a message cannot be authenticated and the message is determined to be from a spoofed sender, it is more likely to be scored as spam. Sender Policy Framework (SPF), an industry standard that prevents return-path address forgery by using SMTP Mail From identity in email, makes it easier to identify spoofs. SPF lookups help verify that the entity listed as the sender did indeed send the email message.
When messages contain known spam characteristics, they are identified and fingerprinted. When a message is fingerprinted it is given a unique ID based on its content. The fingerprinting database aggregates data from all spam that is blocked by the FOPE system, which improves and refines the fingerprinting process as more messages are processed. If a message with a particular fingerprint passes through the system a second time, the fingerprint is detected and the message is marked as spam. The system continually analyzes incoming messages to determine new spamming methods. The FOPE spam analysis team updates the fingerprint layer as new campaigns are detected.
The FOPE service scores messages based on more than 20,000 rules that embody and define characteristics of spam and legitimate emails. Points are added to the score if a message contains characteristics of spam, while points are subtracted if it contains characteristics of legitimate email. When a message’s score reaches a defined threshold, the message is flagged as spam.
Message characteristics that FOPE evaluates and scores include the following:
Phrases in the body and subject of the message, including URLs
HTTP obfuscation, which is disguising spam URLs as legitimate URLs
Malformed headers, which are headers that have been incorrectly constructed
Email client type
Formation of headers; for example Message-ID, Received, random characters
Originating mail server
Originating mail agent
From and SMTP From address
The current rules are modified and new rules are added as needed many times each day, every day, by the spam team.
There are a number of causes for a surge in non-delivery reports (NDRs) that may affect an email environment. For example, one of the email addresses within a domain may be affected by a spoofing campaign or be the source address for a directory-harvest attack. Any of these issues could result in a sudden increase in the number NDRs being delivered to end users. NDR backscatter, which refers to the many messages received when an email address is forged as the sender of spam, has become a serious issue for many businesses. In addition to NDR detection rules, an additional FOPE ASF rule helps block backscatter. This option will filter out NDR messages and send them to the quarantine.
For outbound filtering customers, logic is used to help detect NDRs that are legitimate bounce messages, and these are delivered to the original sender without enabling the ASF option. For outbound customers, intelligent detection of legitimate NDRs is enabled by default.