Spam Management

By Jim McBee, MCSE, MCT, and Microsoft Exchange MVP

See other Security MVP Article of the Month columns.

A messaging administrator’s daily activities includes many tasks both small and large, including mailbox and recipient management, queue management, backups, disaster recovery preparedness, virus protection, and health monitoring. If all of these were not enough, the people that send spam have to make things worse.

In many organizations, spam prevention and quarantine management can take up most of an administrator’s day; some organizations have a full-time employee dedicated to the management of spam-related tasks. In organizations with little or no spam protection technologies, there are estimates that employees each spend as much as 45 minutes each day weeding the unwanted mail out of their mailboxes. One of the most popular topics at conferences, in Internet newsgroups, and on discussion boards is preventing spam.

There are many products and approaches to use when trying to eliminate spam from an Inbox. When looking at approaches to fighting, an organization has a number of choices, including:

• Using client-side software.

• Using software on the mail server or software that integrates with the mail server’s antivirus software.

• Implementing an anti-spam gateway that exists in an organization’s perimeter network.

• Arranging for a third party to perform the initial message hygiene functions (anti-spam and antivirus) before the message is forwarded to the organization’s mail servers

In this article, we will briefly explore one organization’s experience in finding the right anti-spam solution to meet its business needs.

Help! We Are Overwhelmed!

Company X¹ is a small consulting company; Microsoft Exchange Server 2003 supports its 18 mailboxes. E-mail is the lifeblood of this company. Approximately 25 percent of the company uses Windows Mobile devices, Microsoft Office Outlook Web Access is used daily, and e-mail from customers arrives constantly throughout the business day.

For a few years, Company X did not have a dedicated IT specialist and merely ignored the growing problem with spam. Individual employees often installed and configured their own client-side anti-spam solutions. One employee reported that in a single 24-hour period, he received 750 messages that he classified as junk.

Everyone knew the problem was bad, but just how bad? When the company’s upgraded its server to Exchange Server 2003 Service Pack 2, it used the integrated Intelligent Message Filter (IMF), the IMF’s system monitor counters, and SMTP system monitor counters to better quantify just how large the spam problem was. The organization set IMF’s gateway threshold to a spam confidence level (SCL) of 5 and configured it for archival. For 24 hours, the system monitor recorded IMF statistics; these are shown in Figure 1.

Figure 1. 24 hours of IMF system monitor statistics

In a single 24-hour period, this mail server accepted 21,021 messages; out of these, 89.5 percent (18,824) had an SCL of 5 or higher. These 18,824 messages consumed nearly 35 megabytes (MB) of disk space in the archive, and an estimated 40MB of Internet bandwidth was required to receive them. This is really a staggering amount of spam for such a small company.

A few initial measures were put in place to attempt to fight the influx of spam, including enabling real-time block lists (RBLs) and recipient filtering.

Over a five-day period, the Transport Filter Sink statistics were monitored to determine how effective the RBL providers were and how many messages were being rejected because they were sent to invalid recipients. Figure 2 shows the Transport Filter Sink statistics; out of approximately 211,000 DNS block list queries, 111,000 connections were rejected because the sender’s IP address was on one of the DNS block lists.

Figure 2. SMTP message transport statistics

An additional 76,000 messages were rejected because of recipient filtering since the message recipients were not valid recipients in the Active Directory service. Clearly, someone was trying to deliver a lot of inbound messages to invalid recipients. A simple look at the Exchange SMTP Virtual Server’s Current Sessions (see Figure 3) showed dozens of inbound SMTP sessions at any given time.

Figure 3. Inbound SMTP sessions

The SMTP protocol logs were reviewed and it was determined that nearly all of these SMTP sessions were being sent to invalid recipients. This type of spamming is called “dictionary spamming” because the spammer’s software uses a dictionary of common names. A sample of the log is shown below:

21:15:14 212.183.55.210 telekom.at EHLO - +telekom.at 250
21:15:15 212.183.55.210 telekom.at MAIL - +From:+<vztt@telekom.at> 250
21:15:53 212.183.55.210 telekom.at RCPT - +To:<arring@somorita.com> 550
21:16:08 212.183.55.210 telekom.at RCPT - +To:<capps@somorita.com> 550
21:16:24 212.183.55.210 telekom.at RCPT - +To:<carl@somorita.com> 550
21:16:39 212.183.55.210 telekom.at RCPT - +To:<carlis@somorita.com> 550
21:16:54 212.183.55.210 telekom.at RCPT - +To:<blear@somorita.com> 550
21:17:10 212.183.55.210 telekom.at RCPT - +To:<brewer@somorita.com> 550
21:17:25 212.183.55.210 telekom.at RCPT - +To:<boykin@somorita.com> 550
21:17:39 212.183.55.210 telekom.at RCPT - +To:<burris@somorita.com> 550
21:17:55 212.183.55.210 telekom.at RCPT - +To:<carl@somorita.com> 550
21:18:12 212.183.55.210 telekom.at RCPT - +To:<butts@somorita.com> 550
21:18:27 212.183.55.210 telekom.at RCPT - +To:<bill@somorita.com> 550
21:18:41 212.183.55.210 telekom.at RCPT - +To:<blue@somorita.com> 550
21:18:57 212.183.55.210 telekom.at RCPT - +To:<bower@somorita.com> 550
21:19:12 212.183.55.210 telekom.at RCPT - +To:<castle@somorita.com> 550
21:19:27 212.183.55.210 telekom.at RCPT - +To:<atwood@somorita.com> 550
21:19:42 212.183.55.210 telekom.at RCPT - +To:<ash@somorita.com> 550
21:19:57 212.183.55.210 telekom.at RCPT - +To:<cass@somorita.com> 550

Out of nearly 1,000 attempted deliveries that were monitored from this session in this log file, only one was a valid user. This user was probably the “index case” and is how the spammer found the company’s domain in the first place.

Although initial protective measures such as using real-time block lists, an SMTP tar pit (which inserts a delay into SMTP communications associated with spam), and the Intelligent Message Filter did help dramatically reduce the amount of spam that the users were receiving in their Inboxes, the fact remained that much of the spam still made its way to the Exchange server where it was either quarantined or moved to the user’s Junk E-mail folder. The spam still consumed server, network, and user resources.

Evaluating Solutions

When Company X was evaluating solutions, they had several criteria by which they chose a solution. These criteria included:

• Reduce the amount of spam that must be processed by the Exchange server.

• Reduce the amount of spam that hits the user’s mailbox so that it does not synchronize to Windows Mobile devices, be downloaded to remote user’s mailboxes, and does not cause an Out Of Office message to be generated.

• Use a solution that is frequently updated so that both new spam techniques as well as day-zero virus threats can be detected.

• Protect the Exchange server so that it is not directly exposed to the Internet.

• Make sure that the solution is scalable and fault tolerant so that mail will not be lost during inspection and delivery.

• Reduce the amount of network bandwidth and system resources that spam is consuming.

• Require minimal administrative effort since Company X does not have a dedicated IT person.

Company X evaluated SMTP-based solutions that would operate in their perimeter network as well as third-party managed providers. The solution Customer X chose was to use a managed provider. Company X redirects its public DNS MX records to the managed provider’s data centers, the provider supplies message hygiene services such as anti-spam and antivirus protection, and the provider then forwards the messages to Company X’s Exchange server.

Company X can choose its tolerance for just how aggressively the managed provider’s systems filter for potential spam. Many users that had been seeing hundreds of spam messages in their Inboxes each day now report that they usually receive five or fewer spam messages daily.