Anti-Spam and Antivirus Functionality
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
Topic Last Modified: 2016-11-17
Spammers, or malicious senders, use a variety of techniques to send spam into your organization. No single tool or process can eliminate all spam. Microsoft Exchange Server 2007 builds on the foundation of Exchange Server 2003 to provide a layered, multipronged, and multifaceted approach to reducing spam and viruses. Exchange 2007 includes a variety of anti-spam and antivirus features that are designed to work cumulatively to reduce the spam that enters your organization. Exchange 2007 also includes improved infrastructure for antivirus applications.
You can reduce the incidence of virus outbreaks and attacks by malicious software, which is also referred to as malware, in your organization if you reduce the overall volume of spam that enters your organization. When you eliminate the bulk of the spam at the computer that has the Edge Transport server role installed, you save substantial processing resources, bandwidth, and storage when the messages are scanned for viruses and other malware further along the mail flow path.
The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
The following sections provide brief descriptions of each default anti-spam and antivirus feature.
The anti-spam and antivirus filters are applied in the following order. For more information, see Understanding Anti-Spam and Antivirus Mail Flow.
Connection filtering: Connection filtering inspects the IP address of the remote server that is trying to send messages to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a byproduct of the underlying TCP/IP connection that is required for the Simple Mail Transfer Protocol (SMTP) session. Connection filtering uses a variety of IP Block lists and IP Allow lists, as well as IP Block List provider services and IP Allow List provider services, to determine whether the connection from the specific IP address should be blocked or allowed into the organization.
Sender filtering: Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains who are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message.
Recipient filtering: Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message is not permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message is not addressed to valid recipients, the message can be rejected at the organization's network perimeter.
Sender ID: Sender ID relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to determine whether the sender is spoofed or not. PRA is calculated based on the following message headers:
For more information about the PRA, see Sender ID and RFC 4407.
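The PRA selection that Sender ID performs is specified in RFC 4407 section 2. The following is an added example, not Exchange code, that implements those header-selection steps in Python over a constructed message so you can see which mailbox the check will evaluate against the sending IP address.

```python
import email
from email.utils import getaddresses

RESENT_BREAKS = ("received", "return-path")


def _single_mailbox(value):
    """RFC 4407 step 5: the selected header must hold exactly one mailbox."""
    boxes = [addr for _, addr in getaddresses([value]) if addr]
    return boxes[0] if len(boxes) == 1 else None


def purported_responsible_address(raw_message):
    """Return the PRA mailbox, or None when RFC 4407 says it cannot be determined."""
    msg = email.message_from_string(raw_message)
    headers = [(n.lower(), v) for n, v in msg.items() if v.strip()]
    # Step 1: first non-empty Resent-Sender, unless a Received or Return-Path
    # separates it from the nearest preceding Resent-From (it then belongs to
    # an older resent block and step 2 applies instead).
    for i, (name, value) in enumerate(headers):
        if name != "resent-sender":
            continue
        earlier_from = [j for j in range(i) if headers[j][0] == "resent-from"]
        between = headers[earlier_from[-1] + 1:i] if earlier_from else []
        if any(n in RESENT_BREAKS for n, _ in between):
            break
        return _single_mailbox(value)
    # Step 2: the first non-empty Resent-From.
    for name, value in headers:
        if name == "resent-from":
            return _single_mailbox(value)
    # Steps 3-4: exactly one Sender, else exactly one From; more than one of
    # either means the PRA cannot be determined (step 6).
    for wanted in ("sender", "from"):
        found = [v for n, v in headers if n == wanted]
        if len(found) == 1:
            return _single_mailbox(found[0])
        if len(found) > 1:
            return None
    return None


# Constructed sample: carol resent the message; the Resent-Sender below the
# second Received line belongs to an earlier hop, so the PRA is carol.
SAMPLE_FORWARDED = "\n".join([
    "Received: from mx.example.net by edge.example.com",
    "Resent-From: Carol <carol@example.net>",
    "Received: from mail.example.org by mx.example.net",
    "Resent-Sender: dave@example.org",
    "From: Alice <alice@example.com>",
    "", "body"])
```

A message with two From headers or a single header listing several mailboxes yields None, which is why Sender ID cannot render a pass or fail verdict for such messages.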
Content filtering: Content filtering uses Microsoft SmartScreen technology to assess the contents of a message. Intelligent Message Filter is the underlying technology of Exchange content filtering. Intelligent Message Filter is based on patented machine-learning technology from Microsoft Research. During its development, Intelligent Message Filter learned distinguishing characteristics of legitimate e-mail messages and spam. Regular updates with Microsoft Anti-spam Update Service ensure that the most up-to-date information is always included when the Intelligent Message Filter runs. Based on the characteristics of millions of messages, Intelligent Message Filter recognizes indicators of both legitimate messages and spam messages. Intelligent Message Filter can accurately assess the probability that an inbound e-mail message is either a legitimate message or spam.
Note: On November 1, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook. The existing SmartScreen spam definitions will be left in place, but their effectiveness will likely degrade over time. For more information, see Deprecating support for SmartScreen in Outlook and Exchange.
Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for messages that are identified as spam and that should not be delivered to a user mailbox inside the organization.
Content filtering also acts on the safelist aggregation feature. Safelist aggregation collects data from the anti-spam safe lists that Microsoft Outlook and Office Outlook Web Access users configure and makes this data available to the Content Filter agent on the computer that has the Edge Transport server role installed in Exchange 2007.
When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail messages that Outlook users receive from contacts or that those users have added to their Outlook Safe Senders List or have trusted are identified by the Content Filter agent as safe. The result is that messages that are identified as safe are not classified as spam and unintentionally filtered out of the messaging system.
Sender reputation: Sender reputation relies on persisted data about the IP address of the sending server to determine what action, if any, to take on an inbound message. The Protocol Analysis agent is the underlying agent that implements the sender reputation functionality. A sender reputation level (SRL) is calculated from several sender characteristics that are derived from message analysis and external tests.
Senders whose SRL exceeds a configurable threshold will be temporarily blocked. All their future connections are rejected for up to 48 hours.
In addition to the locally calculated IP reputation, Exchange 2007 also takes advantage of IP Reputation anti-spam updates, available via Microsoft Update, which provide sender reputation information about IP addresses that are known to send spam.
Attachment filtering: Attachment filtering filters messages based on attachment file name, file name extension, or file MIME content type. You can configure attachment filtering to block a message and its attachment, to strip the attachment and allow the message to pass through, or to silently delete the message and its attachment.
Microsoft Forefront Security for Exchange Server: Forefront Security for Exchange Server is an antivirus software package that is tightly integrated with Exchange 2007 and offers antivirus protection for the Exchange environment. The antivirus protection that is provided by Forefront Security for Exchange Server is language independent. However, the setup, administration of the product, and end-user notifications are available in 11 server languages. For more information, see Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server.
Outlook Junk E-mail filtering: The Outlook Junk E-mail Filter uses state-of-the-art technology to evaluate whether a message should be treated as a junk e-mail message based on several factors, such as the time that the message was sent, the content and structure of the message, and the metadata collected by the Exchange Server anti-spam filters. Messages caught by the filter are moved to a special Junk E-mail folder, where the recipient can access them later.
Anti-spam stamps help you diagnose spam-related problems by applying diagnostic metadata, or "stamps," such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the anti-spam features that filter inbound messages from the Internet. These stamps are visible to the end-user mail client and encode sender-specific information, the version of the spam filter definition file, Outlook puzzle validation results, and content filtering results.
Exchange 2007 now offers additional services to help keep anti-spam components up to date, taking advantage of the proven Microsoft Update infrastructure.
Microsoft Exchange 2007 Standard Anti-spam Filter Updates offer anti-spam updates every two weeks via Microsoft Update.
The Forefront Security for Exchange Server anti-spam update service is a premium service that updates the content filter daily via Microsoft Update. In addition, the premium service includes the Spam Signature and IP Reputation Service updates that are available on an as-needed basis, up to several times a day. Spam Signature updates identify the most recent spam campaigns. IP Reputation Service updates provide sender reputation information about IP addresses that are known to send spam.
Note: To use the premium service, you must have the Exchange Enterprise Client Access License (CAL).
If Exchange Server 2007 Service Pack 1 (SP1) is deployed on a computer that is running Windows Server 2008, you can enter IP addresses and IP address ranges in the Internet Protocol Version 4 (IPv4) format, Internet Protocol Version 6 (IPv6) format, or both formats. A default installation of Windows Server 2008 enables support for IPv4 and IPv6.
We strongly recommend against configuring Receive connectors to accept anonymous connections from unknown IPv6 addresses. If your organization must receive mail from senders who use IPv6 addresses, create a dedicated Receive connector that restricts the remote IP addresses to the specific IPv6 addresses that those senders use.
If you configure a Receive connector to accept anonymous connections from unknown IPv6 addresses, the amount of spam that enters your organization is likely to increase. Currently, there is no broadly accepted industry standard protocol for looking up IPv6 addresses. Most IP Block List providers do not support IPv6 addresses. Therefore, if you allow anonymous connections from unknown IPv6 addresses on a Receive connector, you increase the chance that spammers will bypass IP Block List providers and successfully deliver spam into your organization.
Spam filtering can also be enhanced by, or obtained as a service from, Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:
Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware, including viruses and spam
Hosted Archive, which helps them satisfy retention requirements for compliance
Hosted Encryption, which helps them encrypt data to preserve confidentiality
Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
For more information about anti-spam and antivirus features, see the following topics: