

Sender Reputation

You can enable the Sender Reputation anti-spam agent on computers that have the Microsoft Exchange Server 2007 Edge Transport server role installed to block messages according to many characteristics of the sender.

The Sender Reputation agent relies on persisted data about the sender to determine what action, if any, to take on an inbound message. When you configure anti-spam agents on an Edge Transport server, the agents act on messages cumulatively to reduce the number of unsolicited messages that enter the organization.

The Sender Reputation Level

A sender reputation level (SRL) is calculated from the following statistics:

  • Sender open proxy test - Proxy servers relay TCP traffic through firewall hosts to provide user applications transparent access across the firewall. Because proxy protocols are lightweight and independent of user application protocols, proxies can be used by many different services. Proxies can also be used to share a single Internet connection by multiple hosts. Proxies are usually set up so that only trusted hosts inside the firewall can cross through the proxies.

    An open proxy is a proxy server that accepts connection requests from anyone anywhere and forwards the traffic as if it originated from the local hosts. Open proxies can exist because of either of the following conditions:

    • Unintentional misconfiguration
    • Malicious Trojan programs

    Because open proxies frequently keep little or no logging, they provide an ideal way for malicious users to hide their true identities and launch denial of service (DoS) attacks or send spam.

    As more proxy servers are configured to be "open by default," open proxies have become more common. Additionally, malicious users can use multiple open proxies together to hide the sender's originating IP address.

    When the Sender Reputation agent calculates an SRL, it formats an SMTP request and attempts to connect back to the Edge Transport server through the suspected open proxy. If an SMTP request is received from the proxy, the Sender Reputation agent has verified that the proxy is an open proxy and updates the open proxy test statistic for that sender.

  • HELO/EHLO analysis - The HELO and EHLO SMTP commands are intended to provide the domain name, such as Contoso.com, or IP address of the sending SMTP server to the receiving SMTP server.

    Malicious users, or spammers, frequently forge the HELO/EHLO statement in various ways. For example, they type an IP address that does not match the IP address from which the connection originated. Spammers also put domains that are known to be locally supported at the receiving server in the HELO statement in an attempt to appear as if the domains are in the organization. In other cases, spammers change the domain that is passed in the HELO statement.

    A legitimate sender typically uses a small and relatively constant set of domains in its HELO statements. Therefore, analysis of the HELO/EHLO statement on a per-sender basis may indicate that the sender is likely to be a spammer. For example, a sender that provides many different unique HELO/EHLO statements in a specific time period is more likely to be a spammer.

    Senders who consistently provide an IP address in the HELO statement that does not match the originating IP address, as determined by the Connection Filter agent, are also more likely to be spammers. The same applies to remote senders who consistently provide a local domain name (one that belongs to the same organization as the Edge Transport server) in the HELO statement.

  • Reverse DNS lookup - The Sender Reputation agent also verifies that the originating IP address from which the sender transmitted the message matches the registered domain name that the sender submits in the HELO or EHLO SMTP command. The Sender Reputation agent performs a reverse DNS query by submitting the originating IP address to DNS. The result that is returned by DNS is the domain name that is registered by using the domain naming authority for that IP address.

    The Sender Reputation agent compares the domain name that is returned by DNS to the domain name that the sender submitted in the HELO/EHLO SMTP command. If the domain names do not match, the sender is likely to be a spammer, and the overall SRL rating for the sender is adjusted upward.

    The Sender ID agent performs a similar task, but the success of the Sender ID agent relies on legitimate senders to update their DNS infrastructure to identify all the e-mail-sending SMTP servers in their organization. By performing a reverse DNS lookup, you can help identify potential spammers.

  • Analysis of SCL ratings on messages from a particular sender - When the Content Filter agent processes a message, it assigns a spam confidence level (SCL) rating to the message. The SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more likely to be spam. Data about each sender and the SCL ratings that their messages yield is persisted for analysis by the Sender Reputation agent. The Sender Reputation agent calculates statistics about a sender according to the ratio between all messages from that sender that had a low SCL rating in the past and all messages from that sender that had a high SCL rating in the past. Additionally, the number of messages that have a high SCL rating that the sender has sent in the last day is applied to the overall SRL.

Each of these statistics is weighted and combined by the Sender Reputation agent to produce an SRL for each sender. The SRL is a number between 0 and 9 that predicts the probability that a specific sender is a spammer or otherwise malicious user. A value of 0 indicates that there is less than a 1 percent chance that the sender is a spammer, whereas a value of 9 indicates that there is more than a 99 percent chance that the sender is a spammer. An SRL of 4 is a neutral rating.

You can configure a block threshold between 0 and 9 at which the Sender Reputation agent issues a request to the Sender Filter agent, and, therefore, blocks the sender from sending a message into the organization. When a sender is blocked, the sender is added to the Blocked Senders list for a configurable period. How blocked messages are handled depends on the configuration of the Sender Filter agent. The following actions are the options for handling blocked messages:

  • Reject
  • Delete and archive
  • Accept and mark as a blocked sender

If a sender is included in the Microsoft Block List or IP Reputation Service, the Sender Reputation agent issues an immediate request to the Sender Filter agent to block the sender. To take advantage of this functionality, you must enable and configure Microsoft Anti-spam Automatic Updates.

By default, the Edge Transport server sets a rating of 0 for senders that have not been analyzed. After a sender has sent 20 or more messages, the Sender Reputation agent calculates an SRL that is based on the statistics listed earlier in this topic.
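The following Python is an added example, not Microsoft's code and not the agent's actual algorithm: it models the per-sender statistics described above (HELO/EHLO analysis, the reverse DNS check, the high-versus-low SCL ratio, the high-SCL count for the last day, and the open proxy test as a supplied flag) and shows one way such statistics could be weighted into a 0 to 9 SRL and compared against a block threshold. Only the 0 to 9 scale, the default rating of 0, and the 20-message minimum come from the page; the weights, the SCL cut-off, the block threshold, the PTR table that stands in for reverse DNS, and the two sample sender histories are assumptions or constructed data.

```python
# Added example, not Microsoft's code: a toy model of the per-sender statistics the
# Sender Reputation agent is described as collecting, and of one way to weight them into
# a 0-9 SRL. The weights, SCL cut-off, block threshold, PTR table and sample sessions
# are assumptions or constructed data, not values taken from the page.
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PTR_TABLE = {"203.0.113.10": "mail.example.net", "192.0.2.55": None}  # constructed reverse DNS
LOCAL_DOMAINS = {"contoso.com"}  # domains the Edge Transport server accepts mail for
MIN_MESSAGES = 20                # page: fewer messages than this keeps the default SRL of 0
HIGH_SCL = 7                     # assumption: SCL >= 7 is a "high" rating
BLOCK_THRESHOLD = 7              # assumption: SRL at or above this requests a block
NOW = datetime(2024, 1, 1, 12, 0)  # constructed reference time for the sample histories

@dataclass
class Session:
    when: datetime
    source_ip: str  # address that actually connected, as the Connection Filter agent sees it
    helo: str       # argument of the HELO/EHLO command
    scl: int        # 0..9 rating assigned by the Content Filter agent

@dataclass
class SenderStats:
    messages: int = 0
    unique_helos: set = field(default_factory=set)
    helo_ip_mismatches: int = 0  # HELO address literal differs from the connecting IP
    helo_local_claims: int = 0   # remote sender named one of our own domains in HELO
    rdns_mismatches: int = 0     # PTR missing, or naming a different host than HELO
    high_scl: int = 0
    high_scl_last_day: int = 0
    open_proxy: bool = False     # outcome of the open proxy test, supplied by the caller here

def helo_as_ip(helo: str):
    """Return the address if HELO carried a literal such as '[203.0.113.10]', else None."""
    try:
        return str(ipaddress.ip_address(helo.strip("[]")))
    except ValueError:
        return None

def analyse_helo(session: Session) -> dict:
    """HELO/EHLO analysis plus the reverse DNS check for one SMTP session."""
    helo = session.helo.lower()
    literal = helo_as_ip(helo)
    if literal is not None:  # an address in HELO is checked against the connecting address
        return {"helo_ip_mismatch": literal != session.source_ip,
                "claims_local_domain": False, "rdns_mismatch": False}
    claims_local = any(helo == d or helo.endswith("." + d) for d in LOCAL_DOMAINS)
    ptr = PTR_TABLE.get(session.source_ip)  # stand-in for the reverse DNS query
    return {"helo_ip_mismatch": False, "claims_local_domain": claims_local,
            "rdns_mismatch": ptr is None or ptr.lower() != helo}

def build_stats(sessions, now: datetime, open_proxy: bool = False) -> SenderStats:
    """Accumulate the persisted per-sender statistics from a session history."""
    st = SenderStats(open_proxy=open_proxy)
    for s in sessions:
        flags = analyse_helo(s)
        st.messages += 1
        st.unique_helos.add(s.helo.lower())
        st.helo_ip_mismatches += int(flags["helo_ip_mismatch"])
        st.helo_local_claims += int(flags["claims_local_domain"])
        st.rdns_mismatches += int(flags["rdns_mismatch"])
        if s.scl >= HIGH_SCL:
            st.high_scl += 1
            st.high_scl_last_day += int(now - s.when <= timedelta(days=1))
    return st

def compute_srl(st: SenderStats) -> int:
    """Weight the statistics into a 0..9 SRL; unanalysed senders stay at 0."""
    if st.messages < MIN_MESSAGES:
        return 0
    n = st.messages
    weighted = [  # (assumed weight, signal scaled to 0..1)
        (0.35, st.high_scl / n),                           # share of high-SCL messages
        (0.15, min(st.high_scl_last_day / 10, 1.0)),       # high-SCL volume in the last day
        (0.15, st.rdns_mismatches / n),                    # reverse DNS disagreement
        (0.10, st.helo_ip_mismatches / n),                 # forged address literal in HELO
        (0.10, st.helo_local_claims / n),                  # remote host claiming our domain
        (0.05, min((len(st.unique_helos) - 1) / 5, 1.0)),  # many different HELO strings
        (0.10, 1.0 if st.open_proxy else 0.0),             # open proxy test
    ]
    return round(9 * sum(w * v for w, v in weighted))

def evaluate_sender(sessions, now, open_proxy=False, threshold=BLOCK_THRESHOLD):
    """Return (SRL, block_requested) for a sender's session history."""
    srl = compute_srl(build_stats(sessions, now, open_proxy))
    return srl, srl >= threshold

def sample_sessions(ip, helos, scls, now):
    """Constructed history: message i arrived 2*i hours before `now`, cycling through helos."""
    return [Session(now - timedelta(hours=2 * i), ip, helos[i % len(helos)], scl)
            for i, scl in enumerate(scls)]

if __name__ == "__main__":
    steady = sample_sessions("203.0.113.10", ["mail.example.net"], [1] * 25, NOW)
    shifty = sample_sessions("192.0.2.55", ["[203.0.113.10]", "contoso.com", "mail.contoso.com",
                             "random1.example", "random2.example"], [8] * 20 + [2] * 5, NOW)
    print("steady:", evaluate_sender(steady, NOW))                          # (0, False)
    print("shifty:", evaluate_sender(shifty, NOW, open_proxy=True))         # (7, True)
    print("shifty after 10 msgs:", evaluate_sender(shifty[:10], NOW, True)) # (0, False)
```

The "steady" sender always connects from the same address whose PTR record matches its single HELO name and never produces a high SCL, so every signal is zero and it stays at SRL 0. The "shifty" sender alternates between an address literal that is not the connecting address, the receiving organization's own domains, and unrelated names, has no PTR record, and mostly sends high-SCL mail; under the assumed weights that lands at SRL 7 and a block request. The same history truncated to 10 messages stays at 0 because, as the page states, the agent does not calculate an SRL until 20 messages have been seen.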

How SRL Works

The Sender Reputation agent acts on messages during two phases of the SMTP session:

  • At the MAIL FROM: SMTP command - The Sender Reputation agent acts on a message only if the message was blocked or otherwise acted on by the Connection Filter agent, Sender Filter agent, Recipient Filter agent, or Sender ID agent. In this case, the Sender Reputation agent retrieves the sender's current SRL rating from the sender profile that is persisted about that sender in the Edge Transport database. After this rating is retrieved and evaluated, the Edge Transport server configuration dictates the behavior that occurs at a particular connection according to the block threshold.
  • After the "end of data" SMTP command - The end of data transfer (EOD) SMTP command is given when all the actual message data has been sent. At this point in the SMTP session, many of the anti-spam agents have already processed the message. As a by-product of that anti-spam processing, the statistics that the Sender Reputation agent relies on are updated. Therefore, the Sender Reputation agent has the data to calculate or recalculate an SRL rating for the sender.