Approaches to Fighting Spam in an Exchange Server Environment

On This Page

Introduction
Definition
Challenges
Solutions
Summary
References

Introduction

Welcome to this document from the Midsize Business Security Guidance collection. Microsoft hopes that the following information will help you create a more secure and productive computing environment.

Executive Summary

Unsolicited e-mail messages, also known as junk e-mail or spam, are messages sent from a single source to many mailboxes at one time. The spammer's goal is to get the message in front of the end user so that it is opened and read, which is how the spammer makes money. Spammers use many different techniques to keep their messages in gray areas where they cannot easily be detected at the gateway level.

Industry estimates suggest that 40 percent or more of incoming e-mail messages are designated as spam. This increased flow of junk e-mail continues to challenge midsize businesses. Not only is it a nuisance, but spam can also be an expensive proposition when factoring in the potential loss of productivity and the additional resources required to deal with it.

A practical approach to fighting spam is therefore necessary.

Microsoft® Exchange Server 2003 with Service Pack 2 (SP2) introduces a framework that combines different methods for fighting spam within either a single or multiple Exchange Server environments. This framework is called Exchange Server 2003 Anti-Spam Framework, and is comprised of connection-level, protocol-level, and content-level filtering.

Approaches within this framework allow both administrators and end users to filter and categorize spam precisely, and to decide on their own end whether a message is spam or legitimate business e-mail.

The primary goal of this framework is to provide the administrators and users with solutions that are flexible enough to apply on the server side and the client side. This document describes these approaches in detail and demonstrates how each approach within the framework functions, and how each of these approaches works collectively. It presents assessment and development plans, as well as a step-by-step guide in the deployment and management section.

Note   Microsoft also provides an important service that helps fight spam. This service is called Exchange Hosted Services, or EHS. EHS is composed of four distinct services that help midsize businesses to protect themselves from e-mail-borne malware, satisfy retention requirements for compliance, encrypt data to preserve confidentiality, and preserve access to e-mail during and after emergency situations.
The heart of Exchange Hosted Services is a distributed network of data centers located at key sites along the Internet backbone. Each data center contains fault-tolerant servers that are load-balanced from site to site and from server to server.
A detailed description of this service is beyond the scope of this guide. Please refer to the white paper “Microsoft Exchange Hosted Services Overview” at www.microsoft.com/exchange/services/services.mspx for more information.

Overview

This document consists of four main sections that discuss options and solutions to provide practical approaches to fighting spam within the Exchange Server environment. The four sections are: Introduction, Definition, Challenges, and Solutions.

Introduction

This section provides an executive summary of this document along with an overview of its structure and some information regarding the intended audience.

Definition

This section provides some details about the definition and the overview of the Exchange Server 2003 Anti-Spam Framework. These details will be useful for understanding the solutions discussed in this document.

Challenges

This section describes some of the challenges that a midsize business might face when determining how to filter spam at the different levels that the Anti-Spam Framework provides.

Solutions

This section discusses practical solutions that address the challenges presented by unsolicited e-mail. It assesses approaches and development plans to address the challenges, along with step-by-step information about deployment and management of the following methods:

  • Connection-level protection

    • IP connection filtering

    • Real-time block lists

  • Protocol-level protection

    • Recipient and sender blocking

    • Sender ID

  • Content-level protection

    • Exchange Intelligent Message Filter

    • Outlook 2003 and Outlook Web Access Junk E-Mail

In addition to the Exchange Server 2003 Anti-Spam Framework, it is important to recognize user awareness as a vital part of fighting spam within Exchange Server environments. This topic will be discussed at the end of the "Deployment and Management" section.

Who Should Read This Guide

This document is intended primarily for information technology (IT) professionals and business management who are responsible for planning and implementing approaches to fighting spam within an Exchange Server environment for midsize businesses. Such professionals may be in the following roles:

  • System architects. People who are responsible for designing the overall server infrastructure, developing server deployment strategies and policies, system hardening, and contributing to networking connectivity design.

  • Information technology managers. People who are the technical decision makers and who manage the information technology staff responsible for the infrastructure, the desktop and server deployment, and Exchange server administration and operations across sites.

  • Systems administrators. People who are responsible for planning and deploying technology across Microsoft Exchange servers and evaluating and recommending new technology solutions.

  • Exchange Messaging administrators. People who are responsible for implementing and managing organizational messaging.

Definition

Exchange Server 2003 Anti-Spam Framework is a mechanism to combat spam within the Exchange Server environment. The release of Exchange Server 2003 SP2 enhances the framework by adding Sender ID filtering, an industry-standard e-mail authentication technology that helps reduce the amount of spam that arrives in a user's inbox.

This section discusses Exchange Server 2003 Anti-Spam Framework in detail.

Exchange Server 2003 Anti-Spam Framework

Exchange Server 2003 applies anti-spam protection at three different levels–the connection level, the protocol level, and the content level–as shown in the following figure.

Figure 1. Three levels of spam protection


Connection-level protection analyzes the connecting SMTP host, protocol-level protection analyzes the message's sender and recipients, and content-level protection evaluates the message content. Each of these types of anti-spam protection is described in greater detail in the following subsections.

Connection-Level Protection

Connection-level protection is among the most beneficial layers of defense against spam, because with this level of protection, the spam message never enters the midsize business. As shown in the following figure, connection-level protection works by evaluating each incoming SMTP connection for the probability that it is a source of spam.


Figure 2. Connection-level protection

If the connecting SMTP host is identified as a host that sends spam or a host that would not normally send SMTP messages, the connection can be refused, thus eliminating costly cycles spent determining if the inbound message is spam. To this end, there are two types of connection-level filtering available with Exchange Server 2003.

IP Connection Filtering

With Exchange Server 2003, you can explicitly choose to deny SMTP connections based on IP address. This approach is the most rudimentary method of protecting an Exchange server, because the connection-filtering lists are manually administered. If you want to deny inbound SMTP connections from a specific host for a given reason (including the probability that it is a source of spam), the connections are denied at this level.

SMTP connections can also be explicitly allowed. If you need to receive mail from an SMTP host that has been identified as a source of spam, you can add it to the accept list, and messages from that host that would otherwise be denied are accepted.

Real-Time Block Lists

A more dynamic means of providing connection-level protection is through use of real-time block lists (RBL). Block lists are lists of IP addresses that are either known sources of spam, open relays, or part of an IP scope that should not include an SMTP host, such as an IP address from the Microsoft MSN® dial-up pool.

Third-party block list providers collect IP addresses that fit each profile and publish them in a DNS zone. When a sending host initiates an SMTP session with a subscriber to the block list service, the subscriber issues a Domain Name System (DNS) query to the block list provider for a name formed from the connecting host's IP address (conventionally the address with its octets reversed, followed by the provider's zone). If the host is listed, the provider replies with a code indicating that it is on a list; the code can also indicate which list the connecting SMTP host is on. If the host is not listed, the query returns no record.

The real-time block list filtering process is described as follows and shown in the following figure.

  1. An SMTP host connects to the Exchange Server 2003 server over Transmission Control Protocol (TCP) port 25.

  2. The Exchange Server 2003 server queries the configured block list provider to verify that the connecting SMTP host is not on the block list.

  3. If the connecting SMTP host is not on the block list, the connection is allowed. If the host is on the block list, the connection is dropped.


Figure 3. How real-time block list filtering works

Prior to Exchange Server 2003 SP2, connection filtering did not work when a firewall or intermediary SMTP host sat between the sending host and Exchange (that is, when Exchange was positioned behind the perimeter network), because connection filtering considered only the host that opened the connection. With an intermediary host (such as a firewall or other SMTP appliance) in the path, the intermediary's own address was the only one evaluated, so every inbound connection looked the same to the filter.

With the release of Exchange Server 2003 SP2, the Exchange server can be positioned anywhere in the midsize business and still filter connections correctly. This is achieved by configuring the perimeter IP list and the internal IP range in Exchange System Manager: Exchange walks the Received headers past those known addresses to the first external address, and Sender ID and real-time block list filtering then evaluate the IP address that connected to your intermediary SMTP host, such as a firewall.
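The following is an added example and is not code from the Microsoft guide or from Exchange. It shows the two pieces of the connection-level check described above: how a gateway forms a real-time block list (DNSBL) query name from the connecting IP address and acts on the answer, and how the SP2 perimeter IP list is used to find the originating address when Exchange sits behind a firewall or relay. The resolver is a constructed in-memory table so the example runs offline; the zone name, the listed addresses and the meaning of the return codes are assumptions.

```python
"""Added example; not code from the Microsoft guide or from Exchange.
Connection-level filtering: DNSBL query construction plus the SP2
"first external hop" lookup behind a perimeter host."""
import ipaddress

# Constructed block list data, keyed by query name.  DNSBL answers are
# conventionally addresses in 127.0.0.0/8 whose last octet identifies the
# list; the mapping below is this example's assumption, not any provider's.
BLOCK_LIST_ZONE = "bl.example.invalid"
LISTED = {
    "2.0.0.127." + BLOCK_LIST_ZONE: "127.0.0.2",      # 127.0.0.2: the usual test entry
    "25.100.51.198." + BLOCK_LIST_ZONE: "127.0.0.4",  # constructed open relay
}
RETURN_CODES = {"127.0.0.2": "known spam source", "127.0.0.4": "open relay",
                "127.0.0.8": "dial-up pool"}


def dnsbl_query_name(ip: str, zone: str = BLOCK_LIST_ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the provider's zone,
    e.g. 198.51.100.25 -> 25.100.51.198.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name: str):
    """Stand-in for the DNS A-record lookup; None plays the role of NXDOMAIN."""
    return LISTED.get(name)


def check_connection(ip: str, resolve=fake_resolve):
    """Steps 2 and 3 of the process: query the list, drop the session on a hit."""
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return ("accept", None)
    return ("drop", RETURN_CODES.get(answer, "listed (code %s)" % answer))


def originating_ip(received_ips, perimeter_ips):
    """SP2 behaviour behind a perimeter: walk the 'from' addresses of the
    Received chain from the most recent hop outward and return the first one
    that is not a perimeter or internal host of ours.  `received_ips` is
    ordered newest hop first, as Received headers appear in the message."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in perimeter_ips]
    for hop in received_ips:
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was ours: nothing external to evaluate


def check_behind_perimeter(received_ips, perimeter_ips):
    """Combine the two: find the external source, then consult the list."""
    source = originating_ip(received_ips, perimeter_ips)
    if source is None:
        return ("accept", None)
    return check_connection(source)


if __name__ == "__main__":
    # Constructed chain: the firewall (192.0.2.1) handed the message to
    # Exchange; it had received it from the Internet host 198.51.100.25,
    # which in turn claims an earlier hop of 172.16.0.9.
    chain = ["192.0.2.1", "198.51.100.25", "172.16.0.9"]
    print(check_behind_perimeter(chain, ["192.0.2.1", "10.0.0.0/8"]))
```

Note that without the perimeter list the gateway would evaluate 192.0.2.1, its own firewall, for every message, which is exactly the pre-SP2 limitation described above; with it, the list lookup is made against 198.51.100.25 and the session is dropped.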

Protocol-Level Protection


Figure 4. Protocol-level protection

After the SMTP message has advanced beyond the connection-level protection, the next layer of defense is at the SMTP protocol level. The SMTP dialog between the sending SMTP host and the receiving SMTP host is analyzed to verify that the sender and recipients are allowed, and to determine the sender’s SMTP domain name.

Recipient and Sender Blocking

Another way to manually reduce spam is to define individual senders or domains from which you do not want to accept messages. Sender blocking allows you to specify individual SMTP addresses or domains to block. With Exchange Server 2003, you can also disallow messages that have a blank sender address, as well as archive filtered messages.

Recipient filtering allows you to filter messages sent to specific recipients. You can also filter recipients who are not listed in the directory. However, enabling the filtering of recipients who are not in the directory can make your company vulnerable to an SMTP e-mail address harvesting attack, known as a directory harvest attack (DHA). In this attack, the Exchange server's responses to RFC 2821 RCPT TO commands are parsed in search of valid SMTP addresses. The SMTP protocol acknowledges an acceptable recipient during a session with a 250 2.1.5 response; when recipient filtering is enabled and the recipient does not exist, the Exchange server instead returns a 550 5.1.1 User unknown error. A spammer can therefore write an automated program that builds e-mail addresses for a specific domain from common names or dictionary terms, keeps every address that draws 250 2.1.5 in response to RCPT TO, and discards every address that draws 550 5.1.1 User unknown. The spammer can then sell the valid e-mail addresses or use them as recipients for unsolicited mail. Without the filter, Exchange accepts the recipient and generates a non-delivery report later, which hides the directory but produces NDR backscatter, so the decision is a trade-off between the two exposures.

This threat can be mitigated by a method known as tarpitting. The Microsoft Windows Server™ 2003 SP1 SMTP tarpit feature allows an administrator to insert a configurable delay (the TarpitTime registry value, in seconds) before returning certain SMTP protocol responses, including the 5xx error for an unknown recipient. Each failed probe then costs the attacking host several seconds, so a dictionary run against the directory becomes slow enough that the host gives up or times out before the response arrives.

For more information, see the Microsoft Knowledge Base article “SMTP tar pit feature for Microsoft Windows Server 2003” at https://support.microsoft.com/?kbid=842851.
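The following is an added example, not code from the guide or from Exchange. It models the RCPT TO exchange the text describes so that the trade-off is visible: with recipient filtering on, the 250/550 replies reveal which addresses exist, and a tarpit delay on the 5xx replies is what makes a dictionary run expensive. The directory, the dictionary and the tarpit value are constructed for the example; the delay is counted rather than slept.

```python
"""Added example; not code from the guide.  Directory harvesting against
recipient filtering, and the effect of a tarpit delay on its cost."""

# Constructed directory of the receiving domain.
DIRECTORY = {"susanf@nwtraders.com", "sales@nwtraders.com"}


def rcpt_to_reply(address: str, filter_unknown: bool) -> str:
    """Gateway reply to RCPT TO.  With recipient filtering on, an unknown
    recipient is refused in-session with 550 5.1.1; with it off, every
    recipient is accepted and a non-delivery report is generated later."""
    if address in DIRECTORY or not filter_unknown:
        return "250 2.1.5 " + address
    return "550 5.1.1 User unknown"


def harvest(dictionary, domain, filter_unknown, tarpit_seconds=0.0):
    """Constructed harvester: probe each dictionary word as a local part and
    keep the addresses acknowledged with 250.  Returns the addresses it
    believes valid and the time the run would take, counting the tarpit delay
    the gateway inserts before each 5xx reply (modelled, not slept)."""
    found, elapsed = [], 0.0
    for word in dictionary:
        address = "%s@%s" % (word, domain)
        reply = rcpt_to_reply(address, filter_unknown)
        if reply.startswith("250"):
            found.append(address)
        else:
            elapsed += tarpit_seconds
    return found, elapsed


def run_hours(dictionary_size, expected_hits, tarpit_seconds):
    """Rough cost of a dictionary attack: every miss pays the tarpit delay."""
    misses = dictionary_size - expected_hits
    return misses * tarpit_seconds / 3600.0


if __name__ == "__main__":
    words = ["admin", "susanf", "john", "sales", "mary"]   # constructed dictionary
    print("filter on, no tarpit:", harvest(words, "nwtraders.com", True))
    print("filter off:", harvest(words, "nwtraders.com", False))
    print("filter on, 5 s tarpit:", harvest(words, "nwtraders.com", True, 5.0))
    print("100k-word run at 5 s per miss: %.1f hours" % run_hours(100000, 200, 5.0))
```

With filtering off the harvester learns nothing in-session (every probe is acknowledged), which is why the text presents the feature as a trade-off; with filtering on and a 5-second tarpit, a 100,000-word dictionary costs the attacker well over a hundred hours of connection time per domain.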

Sender ID

One of the most recent additions to the Exchange Server 2003 anti-spam defenses is Sender ID filtering. This feature in Exchange Server 2003 SP2 attempts to verify that the sending SMTP host is approved to send messages from the domain specified in the sending e-mail address. Many spam messages are spoofed so that the message appears to come from a legitimate e-mail address. By deceiving the e-mail recipient into thinking the e-mail is from a legitimate authority (bank representative, customer service, etc.), users may be tricked into disclosing valuable information that can lead to identity theft or larceny. Sender ID attempts to reduce or eliminate spoofed messages.  

There are two parts to Sender ID that are required for the system to work. The first part is a DNS record known as a sender policy framework (SPF) record. The SPF record defines which servers are authorized to send mail for your domain. You do not need to have Sender ID configured to publish an SPF record. The second part is an SMTP host that supports Sender ID, such as Exchange Server 2003 SP2.

The SPF record is added to the DNS zone so that other organizations with Sender ID can verify that messages they receive that purport to be from your domain are sent by the servers you authorized in your SPF record. The following steps and figures illustrate how the process works, first without an SPF record and then with an SPF record in place.

  1. A message is sent to the Exchange Server 2003 server, which has Sender ID enabled, from the spamming SMTP host fabrikam.com. The sender address is susanf@nwtraders.com.

  2. The Exchange server queries DNS for the SPF record for nwtraders.com.

  3. Because nwtraders.com does not have an SPF record, the message is allowed past Sender ID.


Figure 5. Spam entering an organization without Sender ID / SPF record

Northwind Traders then adds an SPF record to the nwtraders.com DNS zone as follows:

  1. A message is sent to the Exchange Server 2003 server, which has Sender ID enabled, from the spamming SMTP host fabrikam.com. The sender address is susanf@nwtraders.com.

  2. The Exchange server queries DNS for the SPF record for nwtraders.com.

  3. Because the sending IP address (208.217.184.82) is not in the list of IP addresses allowed to send e-mail for nwtraders.com as defined in the SPF record (131.107.76.156), the message fails the check and Sender ID applies the configured action: delete, reject, or accept and stamp the result on the message for the content filter.


Figure 6. Spam recognized in an organization with Sender ID / SPF record

By implementing Sender ID, you can greatly reduce spam that is spoofed as coming from domains that publish an SPF record. However, you should note that Sender ID protection is only as good as the number of organizations that publish SPF records: a spoofed sender domain without one passes the check, as in the first walk-through.

For Microsoft.com, 59 percent of inbound messages that get past connection-level filtering are blocked by protocol-level filtering.
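The following is an added example and is not code from the guide or from Exchange. It evaluates the two Sender ID walk-throughs above against a constructed DNS table: no SPF record gives the result "none" and the message passes, while a record that does not list the sending address gives "fail". Only the ip4 and all mechanisms of SPF are implemented; include, a, mx, redirect and the rest are out of scope here. Exchange derives the address to check from the message headers (the purported responsible address); the example takes that address as a parameter. The contoso.com record and the rule that only a "fail" result is actionable are assumptions.

```python
"""Added example; not code from the guide or from Exchange.  Minimal SPF
evaluation (ip4 and all mechanisms only) for the Sender ID walk-throughs."""
import ipaddress

# Constructed TXT data.  nwtraders.com publishes the single authorized sender
# from the walk-through; contoso.com is an added softfail example.
SPF_RECORDS = {
    "nwtraders.com": "v=spf1 ip4:131.107.76.156 -all",
    "contoso.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    """Stand-in for the DNS TXT lookup; None means no SPF record published."""
    return SPF_RECORDS.get(domain.lower())


def check_sender(sending_ip: str, sender_address: str, resolve=lookup_spf) -> str:
    """Return none, pass, fail, softfail or neutral for the sending IP and
    the domain of the sender address."""
    domain = sender_address.rpartition("@")[2]
    record = resolve(domain)
    if record is None:
        return "none"                      # Figure 5: nothing to check against
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                       # unsupported mechanism: skipped here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # record exhausted without a match


def sender_id_action(result: str, on_fail: str = "reject") -> str:
    """Exchange Server 2003 SP2 offers delete, reject or accept for a message
    that fails Sender ID; other results are accepted (Exchange stamps the
    result on the message for the IMF).  Treating only 'fail' as actionable
    is this example's assumption."""
    if on_fail not in ("delete", "reject", "accept"):
        raise ValueError("unknown Sender ID action: " + on_fail)
    return on_fail if result == "fail" else "accept"


if __name__ == "__main__":
    # The two walk-throughs: spoofed from 208.217.184.82, then the real server.
    for ip in ("208.217.184.82", "131.107.76.156"):
        result = check_sender(ip, "susanf@nwtraders.com")
        print(ip, result, sender_id_action(result))
    print(check_sender("208.217.184.82", "susanf@example.org"))  # no record: none
```

The "none" path is the practical caveat from the text: a spoofed domain that publishes no record is indistinguishable from a legitimate one at this layer, so Sender ID is a complement to the content filter rather than a replacement.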

Content-Level Protection


Figure 7. Content-level protection

After connection-level and protocol-level filtering have been applied to determine if an inbound message is spam, the next line of defense is to analyze the message content, looking for common clues that may indicate unsolicited e-mail. Spammers have exerted a constant effort to come up with new and inventive ways to avoid detection so that their messages get past content filters and enter users’ inboxes.

Exchange Intelligent Message Filter

Intelligent Message Filter (IMF) is a content filter designed specifically for Exchange. It is based on patented machine-learning technology from Microsoft Research known as Microsoft SmartScreen® technology. SmartScreen is currently used by MSN, Microsoft Hotmail®, Microsoft Office Outlook® 2003, and Exchange. IMF was designed to distinguish between characteristics of legitimate e-mail messages and spam, based on millions of messages. IMF assesses the probability that an incoming e-mail message is either a legitimate message or spam. Unlike many other filtering technologies, IMF uses characteristics from a statistically sound sample of e-mail messages. The inclusion of legitimate messages in this sample, and not only spam, reduces the likelihood of mistakes: because IMF recognizes characteristics of both legitimate messages and unsolicited commercial e-mail (UCE), its accuracy is increased.

IMF is installed on Exchange servers that accept inbound SMTP messages from the Internet. When an external user sends e-mail messages to an Exchange server with IMF installed, the IMF evaluates the textual content of the messages and assigns each message a rating based on the probability that the message is spam. This rating ranges from 1 to 9 and is stored as a message property known as the spam confidence level (SCL) rating. This rating is persisted with the message when the message is sent to other Exchange servers. The overall process is shown in the following figure.


Figure 8. Exchange Intelligent Message Filter process

After IMF assigns an SCL to the message, it is evaluated against two thresholds configured by the administrator as follows:

  1. Gateway blocking configuration: Block messages with an SCL rating greater than or equal to. If the SCL of a message is greater than or equal to the value set in this threshold, one of the following actions can be performed on the message:

    • Archive

    • Delete

    • No action

    • Reject

  2. Store junk e-mail configuration: Move messages with an SCL rating greater than. If the SCL of the message is greater than the value set in this threshold, the message is delivered to the Junk E-mail folder of the user's mailbox, unless the user has the sender on their safe senders list.

Anti-Phishing

Phishing is a type of deception designed to steal your identity. In phishing scams, scam artists try to get you to disclose valuable personal data, such as credit card numbers, passwords, account data, or other information, by convincing you to provide it under false pretenses (for example, by using an e-mail message that asks you to verify account information).

Exchange Server 2003 SP2 adds anti-phishing technology to the IMF so that the phishing messages are assigned an appropriate SCL and dealt with accordingly.

Custom Weighting

Exchange Server 2003 SP2 also provides a custom weighting feature that lets administrators customize the behavior of the IMF, based on phrases found within the body of an e-mail message, the subject line, or both.

The custom weighting feature is implemented by inserting an Extensible Markup Language (XML) file named MSExchange.UceContentFilter.xml into the same directory as the MSExchange.UceContentFilter.dll and .dat files on the server with the IMF installed. When the SMTP virtual server is started and the IMF is initialized, the XML file is loaded.

The XML file defines phrases that can be given more or less emphasis by the IMF. This functionality allows you to customize the IMF if you have business requirements to accept or deny messages based on phrases that would otherwise be given a different SCL rating by the IMF.

For Microsoft.com, 38 percent of inbound messages that pass connection-level and protocol-level filtering are blocked by the IMF.

Outlook 2003 and Outlook Web Access Junk E-Mail

After a message makes it past the server-based anti-spam defenses, Outlook 2003 acts on messages whose SCL value is greater than the store junk e-mail threshold configured in the IMF. Messages that exceed this server setting are moved to the Junk E-mail folder of the Outlook 2003 mailbox.

Outlook 2003 and Outlook Web Access for Exchange Server 2003 also allow users to create a list of safe senders from whom users always want to accept e-mail messages, as well as a list of blocked senders from whom users always want to reject e-mail messages. At the mailbox store, regardless of the SCL rating assigned to the message, Exchange delivers all messages from safe senders to the user's inbox and all messages from blocked senders to the user's junk e-mail folder. However, if the e-mail message has been blocked by the gateway threshold, it is not delivered to the user's inbox because the message is never delivered to the mailbox store.
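The following is an added example and is not code from the guide or from Exchange. It walks a message through the content-level decisions the text describes: custom weighting, the gateway blocking threshold, then the store junk e-mail threshold with the user's safe and blocked senders. The IMF's statistical scoring is not reproduced; a constructed base SCL stands in for it, and custom weighting is modelled as a phrase-to-adjustment table rather than the real MSExchange.UceContentFilter.xml format. Thresholds, senders and messages are constructed for the example.

```python
"""Added example; not code from the guide or from Exchange.  Content-level
decision chain: custom weighting -> gateway threshold -> store threshold with
safe and blocked senders."""

SCL_MIN, SCL_MAX = 1, 9           # rating scale as quoted in the guide
GATEWAY_ACTIONS = ("archive", "delete", "no action", "reject")


def weighted_scl(base_scl, subject, body, phrase_weights):
    """Custom weighting (modelled): each configured phrase found in the subject
    or body shifts the rating up (more spam-like) or down; result stays on scale."""
    text = (subject + "\n" + body).lower()
    scl = base_scl
    for phrase, delta in phrase_weights.items():
        if phrase.lower() in text:
            scl += delta
    return max(SCL_MIN, min(SCL_MAX, scl))


def gateway_decision(scl, threshold, action):
    """Gateway blocking: an SCL greater than or equal to the threshold triggers
    the configured action; 'no action' lets the message continue."""
    if action not in GATEWAY_ACTIONS:
        raise ValueError("unknown gateway action: " + action)
    if scl >= threshold and action != "no action":
        return action
    return "deliver"


def store_decision(scl, threshold, sender, safe_senders, blocked_senders):
    """Store junk e-mail configuration: safe senders always reach the inbox,
    blocked senders always go to junk, otherwise an SCL greater than the
    threshold goes to junk."""
    if sender in safe_senders:
        return "inbox"
    if sender in blocked_senders:
        return "junk"
    return "junk" if scl > threshold else "inbox"


def route_message(msg, cfg):
    """Return (final SCL, outcome) for a message dict and a configuration dict."""
    scl = weighted_scl(msg["base_scl"], msg["subject"], msg["body"],
                       cfg["phrase_weights"])
    outcome = gateway_decision(scl, cfg["gateway_threshold"], cfg["gateway_action"])
    if outcome != "deliver":
        # Blocked at the gateway: the message never reaches the mailbox store,
        # so a safe-senders entry cannot rescue it.
        return scl, outcome
    return scl, store_decision(scl, cfg["store_threshold"], msg["sender"],
                               cfg["safe_senders"], cfg["blocked_senders"])


# Constructed configuration: the gateway threshold sits above the store
# threshold, so only the highest ratings are refused outright.
EXAMPLE_CONFIG = {
    "gateway_threshold": 8, "gateway_action": "reject",
    "store_threshold": 5,
    "phrase_weights": {"verify your account": 3, "purchase order": -2},
    "safe_senders": {"partner@contoso.com", "noreply@bank.example"},
    "blocked_senders": {"deals@example.net"},
}


def example_messages():
    """Constructed messages covering each path through the chain."""
    return {
        "phish_from_safe_sender": {"base_scl": 7, "subject": "Please verify your account",
                                   "body": "Click the link below.", "sender": "noreply@bank.example"},
        "purchase_order": {"base_scl": 6, "subject": "Purchase order 4471",
                           "body": "PO attached.", "sender": "buyer@example.org"},
        "borderline_unknown": {"base_scl": 6, "subject": "Meeting notes",
                               "body": "", "sender": "someone@example.org"},
        "borderline_partner": {"base_scl": 6, "subject": "Meeting notes",
                               "body": "", "sender": "partner@contoso.com"},
        "clean_but_blocked": {"base_scl": 2, "subject": "Hi",
                              "body": "", "sender": "deals@example.net"},
    }


if __name__ == "__main__":
    for name, msg in example_messages().items():
        print(name, route_message(msg, EXAMPLE_CONFIG))
```

Two consequences of the ordering are worth checking in a real deployment: the gateway threshold must be set higher than the store threshold, otherwise messages are rejected or deleted before a user's safe senders list can ever apply; and a phrase given a large positive custom weight behaves like a gateway rule, since it can push an otherwise borderline message past the blocking threshold regardless of who sent it.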

Challenges

The stream of unwanted, often offensive, and sometimes deceptive unsolicited commercial e-mail, commonly known as spam, is eroding our collective ability to use e-mail as a channel for communication and legitimate e-commerce.

For many individuals and regions, spam has become such a problem that the Inbox is no longer a valid communication storage area, because legitimate business e-mail is lost in the sea of spam. For midsize businesses, spam does nothing but increase the cost of messaging, with respect to server consumption, network consumption, and disk usage.

The challenge that midsize businesses face is how to allow legitimate e-mail messages through while blocking spam. They need ways to fight spam in an Exchange Server environment.

Microsoft Exchange Server 2003 with SP2 uses several filtering methods for reducing spam. These methods form the layered anti-spam solution that includes connection-level, protocol-level, and content-level protection, as briefly discussed earlier in this document. The methods are flexible: when the mechanism of each method is clearly understood, IT administrators and users can adjust the level of protection against spam, which enables midsize businesses to balance e-mail access and spam filtering.

It is important that Exchange administrators and implementers understand how each of these methods works and how they work together to reduce the total amount of spam that arrives in a user's inbox. The following figure shows the layered approach for defending against spam.


Figure 9. Exchange Server 2003 Anti-Spam Framework

Solutions

This section discusses the assessment, development, deployment, and management of Microsoft Exchange Server 2003 Anti-Spam Framework solutions to combat spam in a midsize business environment.

Assessment

To effectively fight spam, the overall makeup of the Exchange Server 2003 e-mail system must be assessed, including what tools are available and how these tools can be effectively utilized. A careful study of the environment must be conducted as part of the risk assessment strategy.

The Microsoft Exchange Server 2003 Anti-Spam Framework is a collection of methods that include connection filtering, protocol filtering, and content filtering. Understanding how each of these methods works and how they work together is essential. In addition, user awareness of these technologies will improve the chances of their successful implementation and management.

The following questions should be considered:

  1. Is Exchange Server 2003 installed?

    To take advantage of the methods provided by the Exchange Server 2003 Anti-Spam Framework, Exchange Server 2003 must be installed on the appropriate Windows platform.

    Note   Microsoft Exchange Server 2003 can be installed on Windows 2003 or Windows 2000 with SP3 or later. Detailed installation requirements for Exchange Server are beyond the scope of the guide. See the Installing New Exchange 2003 Servers topic on Microsoft TechNet at https://technet.microsoft.com/en-us/library/fa02f087-7fe7-4eb7-b859-12632d762f9e.aspx.

  2. Does the Exchange Server have Exchange 2003 SP2 applied?

    Exchange Server 2003 SP2 is a cumulative update that enhances the Exchange Server 2003 messaging environment with:

    • Mobile e-mail improvements

    • Mailbox advancements

    • Better protection against spam

    SP2 delivers improved protection against spam (described earlier in this document) to help ensure a secure and reliable messaging environment. This improved protection includes:

    • An updated and integrated Exchange Intelligent Message Filter, based on the patented SmartScreen filtering technology developed by Microsoft Research.

    • New support for Sender ID e-mail authentication protocol, which helps prevent phishing and spoofing schemes.

  3. Is the Default SMTP Virtual Server enabled in the Exchange System Manager?

    Recipient filtering, intelligent message filtering, Sender ID filtering, and connection filtering are configured in the global settings, and they also need to be enabled on the SMTP virtual server. Therefore, SMTP must be enabled before you apply changes to these services.

  4. Do client workstations have Outlook 2003 installed?

    Servers may be configured with all the necessary requirements, but if clients have older versions of Outlook they will not be able to take advantage of the client-side methods offered within the Microsoft Exchange Server 2003 Anti-Spam Framework.

    When all the necessary requirements for the Exchange Server 2003 and its clients are met, the following methods can be employed:

    • Connection-level protection

      IP connection filtering

      Real-time block lists

    • Protocol-level protection

      Recipient and sender blocking

      Sender ID

    • Content-level protection

      Exchange Intelligent Message Filter

      Outlook 2003 and Outlook Web Access Junk E-Mail

Development

The assessment section raised some questions and provided some answers about Exchange Server 2003 and client requirement for taking advantage of the Microsoft Exchange Server 2003 Anti-Spam Framework.

Solutions for fighting spam within the Exchange environment also include client security and user education. All of these approaches should be used to battle spam in Exchange environment.

All of the spam protection methods provided by Microsoft Exchange Server 2003 Anti-Spam Framework are ready to be implemented when the following requirements are met:

  • Exchange Server 2003 has been installed on the appropriate Windows platforms.

  • Outlook 2003 and Outlook Web Access have been set up and configured.

  • All of the latest recommended updates and patches have been applied, including Service Pack 2.

A better understanding of how each method works and how they interact will ensure better implementation. Although briefly discussed earlier, this section provides more details about these methods that are necessary for deployment and management.

Connection-Level Protection

Exchange Server 2003 SP2 includes connection filtering, which compares the IP address of the connecting server with a list of denied IP addresses, either a locally maintained global deny list or a third-party real-time block list. The comparison occurs immediately when the SMTP session is initiated, enabling a midsize business to block connections to its gateways at the earliest stage of message submission. Before a server on the block list is able to submit a message, the connection is dropped. This approach results in performance savings at both the messaging and network layers.

Midsize businesses can establish connection filtering in Exchange Server 2003 SP2 either by manually creating a global deny list and a global accept list, or by using third-party-maintained databases of known blocked IP addresses.

The majority of Exchange Server 2003 SP2 servers are deployed behind an organization's perimeter and do not face the Internet directly. This placement renders connection filtering less useful, because the feature relies on getting the original sender's IP address to run the DNS query. The release of SP2 has addressed this deficiency by introducing a new header-parsing algorithm for originating IP address retrieval. Exchange Server 2003 SP2 with connection filtering deployed can be positioned anywhere in the organization and perform filtering as it would on the perimeter.

IP Connection Filtering

A midsize business can create its own static list of denied IP addresses. As the name implies, the global deny list contains certain IP addresses and networks from which an organization never wants to accept e-mail. Conversely, a midsize business can create a global accept list—a list of IP addresses and networks from which an organization does not want to apply e-mail blocking or filtering policies. The global accept list might include IP addresses that correspond to subsidiary businesses or trading partners with which the midsize business has trusted relationships. In these circumstances, the midsize business does not want to risk having false positives, so it adds the trusted IP addresses of the sender’s e-mail servers to its global accept list.

Real-Time Block Lists

A real-time block list is a DNS-based database of IP addresses of known, verified spam sources. Real-time block lists are available from companies that are in the business of continuously monitoring the Internet and tracking down known sources of spam. When detected, the offending IP addresses are added to a real-time block list database. These lists are often available free of charge, or available for a fee if a messaging administrator wants extended services.

Exchange Server 2003 SP2 enables the use of third-party, real-time block lists. When configured to use a third-party, real-time block list, the Exchange Server 2003 SP2 server checks the submitting server's IP address against the real-time block list database and denies the connection if it finds a match.

Because real-time block list functionality bases its filtering decisions on the IP address of the sending server rather than on message content, real-time block lists technically fall into a separate category from third-party anti-spam software. The real-time block list acts like a gatekeeper, preventing messages from known malicious or questionable servers from entering the environment. A message that gets past the real-time block list is a step closer to entering the network, but only until its content can be examined by the next layer of messaging defense, such as Intelligent Message Filter.

Because of the volume of real-time block list–related DNS queries that Microsoft IT makes on a daily basis (tens of millions), Microsoft IT transfers a mirror copy of the real-time block list to its local DNS servers on a predetermined, regular basis (generally multiple times per day). Most list providers require local copies of the real-time block lists for query volumes of greater than 250,000 per day. Transfer of a copy of the real-time block list is known as a zone transfer from the list provider. Microsoft IT configured its Exchange Server 2003 SP2 gateways to make real-time block list–related DNS queries against those local DNS servers.

Protocol-Level Protection

After the SMTP message has advanced beyond the connection-level protection, the next layer of defense is at the SMTP protocol level. The SMTP dialog between the sending SMTP host and the receiving SMTP host is analyzed to verify that the sender and recipients are allowed, and to determine the sender’s SMTP domain name.

Recipient and Sender Blocking

The recipient filtering feature in Exchange Server 2003 SP2 enables midsize businesses to protect against or reduce the impact of targeted mailbombing. Often, the recipients that such attacks target do not need to receive messages from the Internet at all. Recipient filtering rejects messages at the gateway layer based on criteria such as to whom a message is sent.

Although recipient filtering is not as effective in fighting real-time spam threats as real-time anti-spam solutions, recipient filtering can be extremely helpful in diminishing the risks of mailbombing attacks. Recently, the use of recipient filtering enabled Microsoft IT to block millions of messages addressed to just a few recipients in a single day.

Sender ID

The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent. Sender ID validates the origin of e-mail by verifying the IP address of the sender against the purported owner of the sending domain.

Sender ID seeks to verify that every e-mail message originates from the Internet domain from which it claims to have been sent. This verification is accomplished by checking the address of the server sending the e-mail against a registered list of servers that the domain owner has authorized to send e-mail. This verification is automatically performed by the Internet service provider (ISP) or recipient's mail server before the e-mail message is delivered to the user. The result of the Sender ID check can be used as additional input into the filtering tasks already performed by the mail server. When the sender has been authenticated, the mail server may consider past behaviors, traffic patterns, and sender reputation, as well as apply conventional content filters when determining whether to deliver mail to the recipient.

Content-Level Protection

Ideally, spam should never reach the client layer. The reality is that some spam reaches users' desktop computers. One of the main reasons is that some legitimate e-mail messages, such as newsletters, often contain characteristics of spam, and it is therefore not desirable to set the filtering threshold so low that all suspicious messages are deleted. In addition, users might have individual preferences that a single set of enterprise-wide settings cannot meet.

Exchange Intelligent Message Filter

The initial filter through which incoming Internet e-mail must pass is Intelligent Message Filter, which runs on the Exchange Server 2003 SP2 gateway servers at the outermost edge of the messaging environment. Intelligent Message Filter uses the SCL, PCL (Phishing Confidence Level score, which is one of the factors that trigger final SCL assignments), and Sender ID framework built into Exchange Server 2003 SP2. Intelligent Message Filter categorizes certain message parts, performs heuristics-based message analysis, and assigns an SCL rating from 0 through 9 to each scanned message. The higher the rating a message receives, the greater the likelihood that the message is spam.

Exchange Server 2003 SP2 incorporates the latest data and updates to Intelligent Message Filter. Improvements to the IMF and biweekly updates help ensure a continued focus on identifying spam and reducing false positives. These improvements include new capabilities in the fight against spam, including blocking phishing schemes. Phishing schemes attempt, through deception, to fraudulently solicit sensitive personal information by masquerading as legitimate Web sites.

The Exchange Server 2003 SP2 environment can be configured to perform filtering actions on messages that have SCL ratings greater than the thresholds configured by administrators. Intelligent Message Filter uses two thresholds that are set in Exchange Server 2003 SP2—gateway threshold and store threshold.

Outlook 2003 and Outlook Web Access Junk E-Mail
  • Junk E-Mail Filter. Outlook 2003 uses state-of-the-art technology developed by Microsoft Research to evaluate whether a message should be treated as a junk e-mail message based on several factors, such as the time the message was sent and the content and structure of the message. The filter does not single out any particular sender or type of e-mail message. Instead, it uses advanced analysis to determine how likely the recipient is to regard the message as junk e-mail.

    By default, this filter is set to a low setting designed to catch the most obvious junk e-mail messages. Messages caught by the filter are moved to a special Junk E-mail folder for later access. If you want, you can make the filter more aggressive (at the risk of catching more legitimate messages by mistake), or even set Outlook 2003 to permanently delete junk e-mail messages as they come in.

  • Safe Senders List. If an e-mail message is mistakenly marked as a junk e-mail message by the filter, you can easily add the sender of that message to your Safe Senders List. E-mail addresses and domain names on the Safe Senders List are never treated as junk e-mail messages, regardless of the content of the message. Contacts are trusted by default and messages from them will never be treated as junk e-mail messages. When your company uses Microsoft Exchange Server, messages from within the organization will also never be treated as junk e-mail messages. You can configure Outlook 2003 to accept only messages from the Safe Senders List, giving you total control over which messages you receive.

  • Blocked Senders List. E-mail messages from certain e-mail addresses or domain names can easily be blocked by adding the senders to your Blocked Senders List. Messages from people or domain names on your Blocked Senders List will always be treated as junk e-mail messages, regardless of the content of the message.

  • Safe Recipients List. An e-mail list or group that you are a member of can be added to your Safe Recipients List. Any messages sent to the e-mail addresses or domain names on this list will not be treated as junk e-mail messages, regardless of the sender or content of the message.

  • AutoUpdate. You can update your Junk E-Mail Filter with periodic updates from Microsoft so you have the latest methods to block unwanted messages. Microsoft is committed to providing periodic updates of the Junk E-Mail Filter.

Deployment and Management

Understanding how each method within this framework functions, and how the methods work together, is the basic goal of the Microsoft Exchange Server 2003 Anti-Spam Framework. Once the scope of the framework is understood, proper deployment and management of these technologies enables midsize businesses to fight spam effectively in Microsoft Exchange Server environments. To help in the fight against spam, users should be equipped with a basic knowledge of the subject so that they can help manage the client computers in their environments. In addition, monitoring and troubleshooting Intelligent Message Filter is discussed as part of ongoing management.

The following features need to be configured at both the Global Settings and the SMTP levels. User awareness is discussed at the end of the section.

This section explains the step-by-step procedures for:

  • Connection-level protection

    • IP connection filtering

    • Real-time block lists

  • Protocol-level protection

    • Recipient and sender blocking

    • Sender ID

  • Content-level protection

    • Exchange Intelligent Message Filter

    • Outlook 2003 and Outlook Web Access Junk E-Mail

Connection-Level Protection

Exchange Server 2003 supports connection filtering based on real-time block lists. This feature checks an incoming Internet Protocol (IP) address against a real-time block list (RBL) provider for categories you want to filter. If a match is found on the RBL provider list, SMTP issues a 550 5.x.x error in response to the RCPT TO command, and a customized error response is issued to the sender. You can use several connection filters, and prioritize the order in which each filter is applied.

When you create a connection filter, you establish a rule that SMTP uses to perform a DNS lookup to a list provided by a third-party RBL service. The connection filter matches each incoming IP address against the block list provided by the third party. The RBL provider issues one of two responses:

  • Host not found. This response indicates that the IP address is not present on its block list.

  • 127.0.0.x. This response is a status code indicating that a match for the IP address was found in the provider's list of offenders. The value of x varies depending on your provider.

If the incoming IP address is found on the list, SMTP returns a 5.x.x error in response to the RCPT TO command (the SMTP command the connecting server issues to identify the intended message recipient).

Providers of Real-Time Block Lists

Because different providers of real-time block lists offer different types of lists and services, midsize businesses should carefully consider several providers before choosing one. Two well-known providers are Spamhaus at www.spamhaus.org and SpamCop at www.spamcop.net.

Answers to the following questions might help in choosing an RBL provider:

  • Quality of the list. Does anyone verify that a new IP address added to the list is actually a spammer? Can anyone add to the list?

  • Security of the list. Does the list go through any security checks? Does anyone verify that no IP addresses were wrongly or maliciously added?

  • Process for updating the list. What is the review process? If getting on the list is automated, getting off the list should also be automated after spamming stops. How quickly are lists updated?

  • List transfer process. Does the provider allow complete or incremental Berkeley Internet Name Domain (BIND)–style transfers that are directly compatible with Windows DNS?

  • Support from the block list provider. What level of support does the provider offer?

IP Connection Filtering

To configure IP connection filtering

  1. From within Exchange System Manager, expand the Global Settings container.

  2. Right-click Message Delivery and click Properties.

  3. Click the Connection Filtering tab.

  4. Decide whether to Accept, Deny, or make an Exception. Deny is selected in the following example.

  5. You can select either a Single IP Address or a Group of IP Addresses, as shown in the following screen shot.

    [Screen shot: AFSESE10.GIF]

Real-Time Block Lists (RBL)

To configure real-time block list functionality at the Global Settings level

  1. From within Exchange System Manager, expand the Global Settings container.

  2. Right-click the Message Delivery object, and then click Properties.

  3. Click the Connection Filtering tab.

  4. To create a connection filter rule, click Add (shown in the following screen shot).

    [Screen shot: AFSESE11.GIF]

  5. In the Display Name field, type a name for the connection filter.

  6. In DNS Suffix of Provider, enter the DNS suffix of the provider (for example, contoso.com).

  7. In Custom Error Message to Return you can type a custom error message to return to the sender if you wish. Leave this field blank to use the following default error message:

    <IP address> has been blocked by <Connection Filter Rule Name>

    A custom message can be generated using the following variables:

    • %0. Connecting IP address

    • %1. Rule name of the Connection Filter

    • %2. The RBL provider

    For example, if you want your custom message to read:

    The IP address <IP address> has been blocked by the following RBL provider <RBL provider name>.

    you would enter the following in Custom Error Message to Return:

    The IP address %0 has been blocked by the following RBL provider %2.

    Note   Exchange will replace %0 with the connecting IP address and %2 with the RBL provider.

  8. To configure which return status codes received from the RBL provider you want to match in this connection filter, click Return Status Code. The following dialog box will display.

    [Screen shot: AFSESE12.GIF]

  9. Select one of the following options in the Return Status Code dialog box:

    • Match Filter Rule to Any Return Code. This connection filter rule is matched to any return status code received from the provider service. This rule sets the default value that matches the connection filter to any return status.

      Examples:

      127.0.0.1. Blocklist

      127.0.0.2. Known Open Relay

      127.0.0.4. DialUp IP Address

    • Match Connection Filter to the Following Mask. This connection filter rule is matched to return status codes received from the provider by using a mask to interpret them. Enter the mask you want to filter against according to the masks used by your providers.

      Examples:

      0000 | 0001. Blocklist

      0000 | 0010. Open Relay

      0000 | 0011. Open relay or Blocklist

      0000 | 0100. Dialup host

      0000 | 0101. Dialup or Blocklist

      0000 | 0110. Dialup or Openrelay

      0000 | 0111. Dialup, Openrelay, or Blocklist

    • Match Filter Rule to Any of the Following Responses. This connection filter rule is matched to returned status codes received from the provider by using the specific values of the return status codes.

  10. Click OK.

The Sender, Recipient, Intelligent Message Filtering, and Connection Filtering features must also be applied at the SMTP level for them to work properly. Complete the following steps to do so.

To enable filtering features at the SMTP level

  1. Launch Exchange System Manager.

  2. Expand Servers.

  3. Expand the <server name> (of the e-mail server you wish to configure).

  4. Expand Protocols.

  5. Expand SMTP.

  6. Right-click Default SMTP Virtual Server and select Properties.

  7. In Default SMTP Virtual Server Properties, click Advanced.

  8. In Advanced, click Edit.

  9. In Identification, select the Apply Connection Filter check box to apply the filter that you previously set (shown in the following screen shot).

    [Screen shot: AFSESE13.GIF]

Protocol-Level Protection

After the SMTP message has advanced beyond the connection-level protection, the next layer of defense is at the SMTP protocol level. The SMTP dialog between the sending SMTP host and the receiving SMTP host is analyzed to verify that the sender and recipients are allowed, and to determine the sender’s SMTP domain name.

Recipient Filtering

Use the Recipient Filtering feature to prevent the delivery of messages that are sent to particular recipient addresses.

To configure Recipient Filtering

  1. Launch Exchange System Manager.

  2. Expand the Global Settings container.

  3. Right-click Message Delivery and select Properties.

  4. Click the Recipient Filtering tab.

  5. Select Filter recipients who are not in the Directory.

  6. Click Add, and then add the recipient address (shown in the following screen shot).

    [Screen shot: AFSESE14.GIF]

Sender ID Filtering

Use the Sender ID Filtering options to configure Sender ID actions. When you use these options, you can specify how the server should handle messages that failed Sender ID validation. The Sender ID feature is an industry standard that you can use to provide greater protection against unsolicited commercial e-mail (UCE) and phishing schemes.

By default, Sender ID Filtering is set to Accept. However, you can enable the Sender ID filter behind the perimeter of your network. To do so, you specify the IP addresses of the servers in your internal network that you want excluded from Sender ID filtering.
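The check described in the Sender ID sections above, as an added Python example that is not Microsoft's code: the connecting IP address is compared with the sending domain's registered list of authorized servers, the result feeds the gateway's decision, and addresses on the internal exclusion list are skipped as the tab allows. The domains contoso.example and fabrikam.example, their records, the internal ranges, the subset of record syntax handled (only ip4 and all), and the caller-supplied domain are all assumptions.

```python
"""Simplified Sender ID check for the Exchange Server 2003 SP2 gateway.

Added example, not Microsoft's code. Assumed: the constructed TXT records below
stand in for live DNS, only ip4 mechanisms and "all" are supported (real Sender
ID and SPF records allow more), and the domain being checked is supplied by the
caller rather than derived from the message headers.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed records: the domain owner's registered list of authorized senders.
CONSTRUCTED_TXT: Dict[str, str] = {
    "contoso.example": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all",
    "fabrikam.example": "v=spf1 ip4:203.0.113.20 ~all",
}

# Internal servers excluded from the check, as the Sender ID Filtering tab
# allows for servers behind the perimeter (constructed ranges).
INTERNAL_EXCLUSIONS = ("10.0.0.0/8", "192.168.1.0/24")

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def constructed_lookup(domain: str) -> Optional[str]:
    """Stand-in for the DNS TXT lookup; None means no record published."""
    return CONSTRUCTED_TXT.get(domain)


def evaluate_sender_id(domain: str, connecting_ip: str,
                       resolver: Callable[[str], Optional[str]] = constructed_lookup
                       ) -> str:
    """Return pass, fail, softfail, neutral, none or permerror for the connection."""
    record = resolver(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.IPv4Address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"                            # unqualified mechanisms pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism = term.lower()
        if mechanism == "all":                     # catch-all, evaluated last
            return QUALIFIER_RESULT[qualifier]
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.IPv4Network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"                         # mechanism outside this subset
    return "neutral"                               # no mechanism matched


def gateway_decision(domain: str, connecting_ip: str, failure_action: str = "accept",
                     exclusions: Iterable[str] = INTERNAL_EXCLUSIONS) -> Tuple[str, str]:
    """Combine the check with the tab's settings.

    failure_action is what the administrator chose for messages that fail;
    "accept" is the page's stated default. Excluded internal IPs are not checked.
    """
    ip = ipaddress.IPv4Address(connecting_ip)
    if any(ip in ipaddress.IPv4Network(net) for net in exclusions):
        return "skipped", "accept"
    result = evaluate_sender_id(domain, connecting_ip)
    if result == "fail":
        return result, failure_action
    return result, "accept"   # other results become input to later filters
```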

To configure Sender ID Filtering

  1. Launch Exchange System Manager.

  2. Expand the Global Settings container.

  3. Right-click Message Delivery and select Properties.

  4. Click the Sender ID Filtering tab.

  5. Select the desired Sender ID Filtering options (shown in the following screen shot).

    [Screen shot: AFSESE15.GIF]

Content-Level Protection

Content filtering in Exchange Server 2003 SP2 relies on Microsoft Research SmartScreen machine learning technology, which is incorporated into the Intelligent Message Filter (IMF). Messages from the Internet arrive at the Exchange SMTP gateway and enter the Exchange Server Anti-Spam Framework. Previous layers of the Exchange anti-spam solution (connection, sender, and recipient filtering) block message submissions before actual message data is received. If a message successfully passes all of these previous filters, then the message body is received.

IMF can make an accurate assessment of the probability that an incoming e-mail message is either a legitimate message or spam.

Exchange Intelligent Message Filter

Exchange Intelligent Message Filter is a very important component in combating spam. It is an SCL-compatible filter that provides advanced server-side message filtering designed specifically to combat the influx of spam. For specific information, see the Exchange Intelligent Message Filter Web site at https://go.microsoft.com/fwlink/?linkid=21607.

To configure Exchange Intelligent Message Filter

  1. Launch Exchange System Manager.

  2. Expand the Global Settings container.

  3. Right-click Message Delivery, and then select Properties.

  4. Click the Intelligent Message Filtering tab.

  5. In Block message with an SCL rating greater than or equal to (shown in the following screen shot), select the rating level you desire.

    The SCL rating scale runs from 0 through 9. The higher the rating, the greater the likelihood that the message is spam.

    [Screen shot: AFSESE16.GIF]

Outlook 2003 and Outlook Web Access Junk E-Mail

Both Outlook 2003 and Outlook Web Access 2003 include features that can help protect users against spam. These features include the following:

  • User-maintained block lists and safe lists. The block lists and safe lists used by both Outlook 2003 and Outlook Web Access are stored in the user's mailbox. Because both client programs use the same list, users do not need to maintain two versions.

  • External content blocking. Outlook 2003 and Outlook Web Access 2003 make it more difficult for senders of junk e-mail messages to use beacons to retrieve e-mail addresses. Incoming messages that contain any content that could be used as a beacon trigger Outlook and Outlook Web Access to display a warning message, regardless of whether they actually contain a beacon. If users know a message is legitimate, they can click the warning message to download the content. If users are unsure about the message, they can delete it without triggering beacons that alert a sender of junk mail.

  • Improved junk e-mail management. With Outlook 2003, users can create rules that search e-mail messages for specific phrases and automatically move messages containing these phrases from the Inbox to a specified folder (such as the Junk E-mail or Deleted Items folders). Users also have the option to permanently delete suspected junk e-mail instead of moving it to a specified folder.

  • Junk e-mail filter. Outlook 2003 includes a junk e-mail filter that searches for common spam attributes. (These attributes are updated in conjunction with Office updates.) For each suspicious attribute, Outlook increments a counter. The greater the count for a given piece of mail, the more likely it is to be spam. Configure the level of junk e-mail protection you want in the Junk E-Mail Options dialog box.

To configure the Outlook 2003 junk e-mail filter

  1. From within Outlook 2003, click Actions in the menu bar.

  2. Select Junk e-mail and then Junk E-mail Options (shown in the following screen shot).

    [Screen shot: AFSESE17.GIF]

  3. The dialog box shown in the following screen shot will display, which allows users to choose the level of junk e-mail protection they want.

    [Screen shot: AFSESE18.GIF]

To configure the junk e-mail filter in Outlook Web Access (OWA)

  1. Log in to your Outlook Web Access account.

  2. Click Options.

  3. Click Manage Junk E-Mail Lists.

  4. Select the appropriate feature from the View or Modify list (shown in the following screen shot).

    [Screen shot: AFSESE19.GIF]

  5. Add, Edit, or Remove sender e-mail addresses.

Note   When users first begin using these junk e-mail features, or if they modify the options at any time, they should periodically check for messages that have been removed from the Inbox to ensure that valid messages have not been moved. Updates to the junk e-mail features in Outlook 2003 will be listed in the Office Update section of the Microsoft Office Online Web site https://go.microsoft.com/fwlink/?LinkId=24393.

Monitoring and Troubleshooting Intelligent Message Filter

Issues with the Microsoft Exchange Intelligent Message Filter can be monitored and troubleshot by using Event Viewer and System Monitor. This section provides step-by-step information about how to do so.

Using Event Viewer

In Event Viewer, both the Application log and the System log contain errors, warnings, and informational events related to the operation of Exchange, the SMTP service, and other applications. To help identify the cause of Intelligent Message Filter problems, carefully review the data contained in the Application log and System log. Intelligent Message Filter writes events to Event Viewer using the source MSExchangeTransport and the category SMTP Protocol.

To find Intelligent Message Filter events using Event Viewer

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Event Viewer.

  2. In the console tree, click Application Log.

  3. To sort the log alphabetically and quickly locate an entry for an Exchange service, click Source in the details pane (shown in the following screen shot).

    [Screen shot: AFSESE20.GIF]

  4. To filter the log to list entries for events logged for Intelligent Message Filter, click Filter on the View menu.

  5. In Application Log Properties, use the Event source list to select MSExchangeTransport.

  6. In the Category list, select SMTP Protocol.

Using System Monitor and Performance Logs and Alerts

Intelligent Message Filter has several performance counters that can be used to monitor its performance and operation.

To use System Monitor and Performance Logs and Alerts

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Performance.

  2. Highlight System Monitor, and then click the + button to add counters.

  3. In the Add Counters dialog box, under Performance Object, select MSExchange Intelligent Message Filter (shown in the following screen shot).

    [Screen shot: AFSESE21.GIF]

User Awareness

As with any other topic, whether it’s fighting viruses, protecting workstations from unauthorized users, or combating spam, technology alone should not be the sole defense against threats or attacks. When they are educated, users can play a very significant role in helping to manage spam. Users should be instructed about how to avoid or filter unwanted e-mails within their Outlook environment.

Such instruction should include:

  • Never reply to e-mail requests for financial or personal information.

  • Never provide passwords.

  • Do not open suspicious e-mail file attachments.

  • Do not respond to any suspicious or unwanted e-mails.

  • Configure junk e-mail options in Outlook 2003 as described in the “Outlook 2003 and Outlook Web Access Junk E-Mail” section earlier in this document.

Summary

Many midsize businesses build a number of their critical business processes around the functionality of Microsoft Exchange Server 2003. A considerable part of their day-to-day activity is dependent on the services that Exchange Server provides.

The increased flow of junk e-mail continues to challenge midsize businesses. Not only is it a nuisance, but spam can strain networks and waste time, money, and other resources for individuals and businesses around the world.

This document has shown that there are ways to reduce spam within Exchange Server 2003 environments. The Exchange Server 2003 Anti-Spam Framework combines spam protection approaches that provide sufficient flexibility for administrators and end users to help them reduce unwanted e-mail and increase their productivity levels.

References

You can download the Microsoft Exchange Server 2003 Anti-Spam Framework Overview from the Microsoft Download Center at https://download.microsoft.com/download/0/E/6/0E6A7113-DDA4-4FD7-AABA-B9E264700225/Anti-Spam.doc.

The Better Protection Against Spam topic in the Exchange Server 2003 SP2 Overview is available at www.microsoft.com/exchange/evaluation/sp2/overview.mspx#antispam.

Information about the Exchange Intelligent Message Filter (IMF) and updates for IMF are available from Microsoft TechNet at www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/imf/default.mspx.

The white paper "Messaging Hygiene at Microsoft: How Microsoft IT Defends Against Spam, Viruses, and E-Mail Attacks" is available from Microsoft TechNet at www.microsoft.com/technet/itsolutions/msit/security/messaginghygienewp.mspx.

The article "Exchange Server 2003 Real-Time Block Lists" is available on Microsoft TechNet at www.microsoft.com/technet/prodtechnol/exchange/2003/insider/Block_Lists.mspx.

The Microsoft Knowledge Base article "How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003" is available at https://support.microsoft.com/default.aspx?scid=823866.
