Understanding Anti-Spam and Antivirus Mail Flow
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2010-07-07
When an external user sends e-mail messages to a server running Microsoft Exchange that runs the anti-spam features, the anti-spam features cumulatively evaluate characteristics of inbound messages and either filter out messages suspected to be spam or assign messages a rating based on the probability that the message is spam. This rating is stored with the message as a message property called the spam confidence level (SCL) rating. This rating is persisted with the message when the message is sent to other Exchange servers.
The following figure shows the order in which the default anti-spam features and Microsoft Forefront Protection for Exchange Server filter inbound messages from the Internet. By default, the anti-spam and antivirus features are arranged in this order with the filters that use the least resources filtering first, and then the filters that use the greatest resources filtering last.
|The following figures and explanations assume that the Microsoft Exchange Server 2010 Edge Transport server is the first SMTP server to accept inbound messages. In some organizations, the Edge Transport server may be deployed behind a third-party SMTP server. When the Exchange 2010 Edge Transport server is deployed behind a third-party SMTP gateway server, the Exchange 2010 Edge Transport server requires additional configuration. Specifically, you must make sure that all SMTP gateway servers are listed in the InternalSMTPServer property of the TransportConfig object. For more information, see Set-TransportConfig.|
For more information about additional Exchange anti-spam and antivirus features, see Microsoft Forefront Protection 2010 for Exchange Server.
Default anti-spam features with antivirus filtering of inbound messages from the Internet
As shown in the preceding figure, when an SMTP server connects to Exchange 2010 and initiates an SMTP session, filters are applied in the following order when the Edge Transport server is Internet-facing:
Sender ID filtering
Sender reputation filtering
Outlook junk e-mail filtering
|Connection filtering gathers information during two different events. In the first event, connection filtering gathers IP address information from the connection (shown in the preceding figure). In the second event, connection filtering gathers information when the Sender Filter agent parses the message headers to determine the first external IP address (shown in the figure in "Sender Filtering" later in this topic). Agents may monitor multiple events. The preceding figure shows a high-level view of the approximate order in which agents are applied, when all agents are enabled, for the purposes of illustrating message flow. For more information about specific events and which agents monitor which events, see Understanding Transport Agents.|
Looking for management tasks related to anti-spam and antivirus functionality? See Managing Anti-Spam and Antivirus Features.
During the SMTP session, Exchange 2010 applies connection filtering by using the criteria shown in the following figure.
Connection filtering mail flow
The following process applies:
The Connection Filter agent examines the administrator-defined IP Allow list. If the IP address of the sending server is on the administrator-defined IP Allow list, the message is then processed by sender filtering.
The Connection Filter agent examines the local IP Block list. If the IP address of the sending server is found on the local IP Block list, the message is automatically rejected, and no other filters are applied.
The Connection Filter agent examines the list of allowed IP addresses from any IP Allow List providers that you have. If the IP address of the sending server is on the list of allowed IP addresses from the IP Allow List providers, the message is then processed by sender filtering.
The Connection Filter agent examines the real-time block lists of any IP Block List providers that you've configured. If the sending server's IP address is found on a real-time block list, the message is rejected, and no other filters are applied.
For more information, see Understanding Connection Filtering.
|If the Connection Filter agent is deployed on a computer behind another server that faces the Internet, other filters, such as sender filtering and recipient filtering, are invoked before the Connection Filter agent.|
After connection filtering has been applied, Exchange 2010 examines the sender e-mail address against the list of blocked senders that you configure in sender filtering as shown in the following figure.
Sender filtering mail flow
The Sender Filter agent then checks the sender's e-mail address contained in the From header fields in the message envelope and the message header. If either From header field matches the address in the Blocked Sender list, Exchange 2010 rejects the message at the protocol level, and no other filters are applied.
|Even if recipients in your organization have put senders on their Microsoft Outlook Safe Senders List, sender filtering on the Edge Transport server will override the recipient's Outlook setting and reject the messages.|
For more information about sender filtering, see Understanding Sender Filtering.
For more information about message envelopes and message headers, see Understanding the Pickup and Replay Directories.
If sender filtering doesn't reject the message, Exchange runs connection filtering again. Exchange then applies the Recipient Filter agent as shown in the following figure.
Recipient filtering mail flow
The Recipient Filter agent examines the recipient against the Recipient Block list that you configure in the Recipient Filter agent settings. If the intended recipient matches an e-mail address on your Recipient Block list, Exchange 2010 rejects the message for that particular recipient. In addition, the Recipient Filter agent checks whether the recipient is present in the organization. If the recipient isn't present in the organization, Exchange rejects the message for that particular recipient.
If multiple recipients are listed on the message and all the recipients aren't on the Recipient Block list, the message will continue to process. Otherwise, if the message is bound for only a single blocked recipient, no other filters are applied.
When a message with blocked recipients is processed, the set of blocked recipients are removed from the message, and the message continues into the organization. Protocol-level SMTP rejection responses are sent to the sender for each blocked recipient. The Sender Reputation agent monitors the OnReject event to calculate sender reputation level (SRL).
For more information, see Understanding Recipient Filtering.
If the message still contains valid recipients after recipient filtering has been applied, Exchange 2010 runs the Sender ID agent as shown in the following figure.
Sender ID filtering mail flow
First, the Sender ID agent determines the Purported Responsible Address (PRA) of the message using the algorithm described in RFC 4407. This step is required to accurately identify the message sender. The PRA is an SMTP address, such as firstname.lastname@example.org. The Sender ID agent then performs a Domain Name System (DNS) lookup against the domain part of the PRA. If that domain has published a sender policy framework (SPF) record, the agent uses the SPF record to evaluate the message according to the specification for RFC 4408. The result of the evaluation is stamped on the message in the anti-spam stamp. If that domain doesn't have a published SPF record, the Sender ID agent stamps a Sender ID result of "None" on the message. For more information about the types of stamps used for Sender ID filtering, see Understanding Anti-Spam Stamps.
If the sender's DNS is from a blocked domain or a blocked address, the following actions may be taken depending on your configuration of Sender ID actions:
Reject message If the Sender ID action is set to Reject Message, Exchange rejects the message and sends an SMTP error response to the sending server. The SMTP error response is a 5xx level protocol response with text that corresponds to the Sender ID status.
Delete message If the Sender ID action is set to Delete Message, Exchange deletes the message without informing the sending server of the deletion. The computer that has the Edge Transport server role installed sends a fake "OK" SMTP command to the sending server, and then deletes the message. Because the sending server assumes that the message was sent, the sending server won't retry sending the message in the same session.
Stamp message with Sender ID result and continue processing Exchange stamps the message with the Sender ID result and continues processing the message. This metadata is evaluated by the Content Filter agent when an SCL is calculated. Additionally, sender reputation uses the message metadata when it calculates an SRL for the sender of the message.
For more information, see Understanding Sender ID.
Before Exchange content filtering calls the Exchange Intelligent Message Filter, it applies sender filtering again. The Exchange server then applies the Content Filter agent as shown in the following figure.
Content filtering message flow
The Content Filter agent checks the following conditions in the message. If any of the conditions are true, the message bypasses content filtering and attachment filtering. These messages then go to antivirus scanning for processing. The following conditions are checked:
The sender's IP address is on the IP Allow list for connection filtering.
All recipients are on the exceptions list for content filtering.
The AntiSpamBypassEnabled parameter is set to
$Trueon all the recipients' mailboxes.
All the recipients have added this sender to their Outlook Safe Senders List, which is updated to the Edge Transport server by using safelist aggregation.
The sender is a trusted partner and on the organization's list of senders that aren't filtered.
In addition to the conditions listed, if the SMTP session has been authenticated as a trusted partner, and if the administrator has granted the Bypass Anti-Spam (Ms-Exch-Bypass-Anti-Spam) permission to partners, the anti-spam agents will be disabled for messages during that session. The Bypass Anti-Spam permission isn't granted to partners by default and must be assigned by an administrator.
If a message doesn't meet any of the conditions described, content filtering is applied. Content filtering assigns an SCL rating to the message. Based on the SCL rating, one of the following actions occurs:
If the SCL rating on the message is equal to or greater than the SCL delete threshold, and the SCL delete threshold is enabled, the Content Filter agent deletes the message. There is no protocol-level communication that tells the sending system or sender that the message was deleted. If the SCL rating is lower than the SCL delete threshold value, the Content Filter agent doesn't delete the message. Instead, the Content Filter agent compares the SCL value to the SCL reject threshold.
If the SCL rating on the message is equal to or greater than the SCL reject threshold, and the SCL reject threshold is enabled, the Content Filter agent rejects the message and sends a rejection response to the sending system. You can customize the rejection response. In some cases, a non-delivery report (NDR) is sent to the original sender of the message. If the SCL rating is lower than the SCL reject threshold value, the Content Filter agent doesn't reject the message. Instead, the Content Filter agent compares the SCL value to the SCL quarantine threshold.
If the SCL rating on the message is equal to or greater than the SCL quarantine threshold, and the SCL quarantine threshold is enabled, the Content Filter agent sends the message to the spam quarantine mailbox. For more information about how to manage the spam quarantine mailbox, see Understanding Content Filtering. The message then continues to attachment filtering.
For more information, see the following topics:
After content filtering has been applied, Exchange applies sender reputation filtering as shown in the following figure.
Sender reputation message flow
Sender reputation weighs each of the following message statistics and calculates an SRL for each sender:
Reverse DNS lookup
Analysis of SCL ratings on messages from a specific sender
Sender open proxy test
The SRL is a number from 0 through 9 that predicts the probability that a specific sender is a spammer or otherwise malicious user. A value of 0 indicates that the sender isn't likely to be a spammer; a value of 9 indicates that the sender is likely to be a spammer.
You can configure an SRL block threshold from 0 through 9 by which sender reputation issues a request to the Sender Filter agent to block the sender from sending a message into the organization. When a sender is blocked, the sender is added to the Blocked Senders list for a configurable period. How blocked messages are handled depends on the configuration of the Sender Filter agent. The following actions are the options for handling blocked messages:
Delete and archive
Accept and mark as a blocked sender
If a sender is included in the IP Block list or Microsoft IP Reputation Service, the Sender Reputation agent issues an immediate request to the Sender Filter agent to block the sender. To take advantage of this functionality, you must enable and configure the Microsoft Exchange Anti-spam Update Service.
By default, the Edge Transport server sets a rating of 0 for senders that haven't been analyzed. After a sender has sent 20 or more messages, sender reputation calculates an SRL that's based on the statistics listed earlier.
For more information, see the following topics:
After sender reputation filtering has been applied, Exchange applies attachment filtering as shown in the following figure.
Attachment filtering mail flow
You can configure attachment filtering to block attachments based on their MIME content type, file name, or file name extension. If attachment filtering detects a content type or file name that has been blocked, one of the following actions will occur based on your attachment filtering settings:
Reject If the action setting is set to Reject, both the e-mail message and attachment are prevented from being delivered to the recipient and the system generates a delivery status notification (DSN) failure message to the sender. You can customize your rejection response.
Silent Delete If the action setting is set to Silent Delete, both the e-mail message and attachment are prevented from being delivered to the recipient. A notification that the e-mail message and attachment were blocked isn't returned to the sender.
Strip If the action setting is set to Strip, the attachment is stripped from the e-mail message. This value allows the message and other attachments that don't match an entry on the attachment block list to be delivered to the recipient. A notification that the attachment was blocked is added to the recipient's e-mail message.
If the message wasn't rejected or deleted, or attachment filtering didn't detect blocked attachment types, the message is then scanned for viruses.
For more information, see Configure Attachment Filtering.
After attachment filtering has been applied, or if the recipients were bypassed in content filtering, Forefront Protection for Exchange Server antivirus scanning is applied as shown in the following figure.
Forefront Protection for Exchange Server antivirus scanning mail flow
Forefront Protection for Exchange Server is an antivirus software package that's tightly integrated with Exchange 2010 and offers additional antivirus protection for your Exchange environment. When Forefront Protection for Exchange Server detects messages that seem to contain a virus, the system deletes the message, generates a notification message, and sends the notification to the recipient’s mailbox.
For more information, see Microsoft Forefront Protection 2010 for Exchange Server.
After all the filters are applied and the message has been scanned for viruses, the message is sent to the intended recipient's mailbox and junk e-mail filtering is applied as shown in the following figure.
Outlook junk e-mail filtering mail flow
If the SCL rating for the message is equal to or greater than the SCL Junk E-mail folder threshold, and the SCL Junk E-mail folder threshold is enabled, the Mailbox server puts the message in the Outlook user's Junk E-mail folder. If the SCL value for a message is lower than the values for the SCL delete, reject, quarantine, and Junk E-mail folder thresholds, the Mailbox server puts the message in the user's Inbox. For more information about the SCL thresholds, see Understanding Spam Confidence Level Threshold.