10. Sender Reputation
Sender reputation is the most promising feature of
Exchange 2010 when it comes to reducing the amount of spam you receive.
This is because much of the spam that is received today is sent by bot
or zombie networks. Spammers have joined forces with virus writers; the
virus writers have written malware that infects hundreds of thousands
of users' computers. Periodically, these computers check with the
spammer and download a new batch of spam. Blocking a single IP address
becomes impractical because the spammers have so many of these
computers all over the Internet. However, these zombie networks are
usually not using correct SMTP commands and are not RFC compliant. A
lot of spammers also use SMTP proxies by sending messages through a
proxy on the Internet.
Sender reputation allows Exchange to analyze the
connections that are coming in to an Edge Transport or Hub Transport
server and look for things such as the number of protocol errors,
invalid delivery attempts, and the number of messages from the same
sender. These can be used to determine if a specific IP address is
sending spam. On the Action tab of the Sender Reputation object's
properties (shown in Figure 10),
you can specify the Sender Reputation Level Block Threshold value; this
is a value from 0 to 9 that is used to block senders that exceed a
certain "suspicious" threshold.
The default for the SRL block threshold is 7; we
recommend keeping it at this slightly less aggressive value and then
monitoring to see if a lot of spam still gets through. If so, you can
increase it slightly, but keep in mind that as you get more aggressive
with this value, the possibility of valid connections getting rejected
becomes higher.
The Threshold Action section allows you to specify
how long a sender is retained on an IP block list once the sender has
been determined to be suspicious. The default is 24 hours, and we
recommend that you keep that value.
Exchange can test for open proxies and determine if
the source of a connection is an open proxy that is probably being used
to send spam. On the Sender Confidence tab (Figure 11),
you can enable the open proxy test. If a connecting SMTP client is
determined to be an open proxy, it will be added to the IP block list
for the time specified on the Action tab.
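The settings described above can also be inspected and set from the Exchange Management Shell on the Edge Transport server. This is an added example, not code from the book; it uses the Exchange 2010 Get-SenderReputationConfig, Set-SenderReputationConfig and Get-IPBlockListEntry cmdlets, and the values it writes are the defaults the text recommends (SRL block threshold 7, 24-hour blocking period, open proxy test enabled).

```powershell
# Added example (not from the book): review and apply the Sender Reputation
# settings discussed above from the Exchange Management Shell on an
# Edge Transport server.

# Show the current configuration: SRL block threshold, how long blocked
# senders stay on the IP block list (hours), and whether the open proxy
# test is enabled.
Get-SenderReputationConfig |
    Format-List Enabled, SenderBlockingEnabled, SrlBlockThreshold,
                SenderBlockingPeriod, OpenProxyDetectionEnabled

# Apply the values the text recommends: block senders whose SRL reaches 7,
# keep them on the IP block list for 24 hours, and enable open proxy detection.
Set-SenderReputationConfig -SenderBlockingEnabled $true `
                           -SrlBlockThreshold 7 `
                           -SenderBlockingPeriod 24 `
                           -OpenProxyDetectionEnabled $true

# Senders that sender reputation has blocked appear as machine-generated,
# expiring entries on the IP block list. Listing them with their expiry
# times is the simplest way to watch for legitimate senders being caught.
Get-IPBlockListEntry |
    Where-Object { $_.IsMachineGenerated -eq $true -and $_.HasExpired -eq $false } |
    Sort-Object ExpirationTime |
    Format-Table IPRange, ExpirationTime, Comment -AutoSize
```

A sender is blocked when its SRL reaches or exceeds the block threshold, so a lower threshold blocks more senders and a higher one blocks fewer; check the block list output after any change to see which connections the new value is rejecting.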
10.1. Configuring the Edge Transport Server to Enforce Organization Policies
The Edge Transport server has a transport rules
feature just as the Exchange 2010 Hub Transport server does. You may
find this useful if there are certain types of organizational policies
that you wish to enforce on messages that are arriving on the Edge
Transport server and before they are delivered on to the Exchange 2010
Hub Transport server.
To illustrate the use of transport rules on the Edge
Transport server, let's go through an example that enforces a policy of
blocking outbound messages that contain certain confidential words and
phrases. Here are the requirements:
All messages being sent to a user outside the organization should have this transport rule applied to them.
If the message subject or body contains the words confidential, secret formula, or secret recipe, we want to take action on the message.
If the message meets the criteria, an error should be recorded in the event log, the message should be dropped, and a copy of the message should be sent to the company audit alias.
For this example, it is assumed that the Edge
Transport server is used to relay outbound messages to the Internet as
well as to accept inbound messages. This example could also apply to
transport rules used inside the organization.
In the Actions pane, select the New Transport Rule
task to launch the New Transport Rule wizard. On the Introduction page
(shown in Figure 12),
provide a descriptive name for the policy as well as an accurate
description of the function of the transport rule. When finished, click
Next to move on to the next page of the wizard.
On the Conditions page, specify the conditions of
the transport rule. For this rule, two conditions must be met: the
message must be from a user inside the organization and there must be
specific words in the message body or subject. First, check the
condition When The Subject Field Or The Message Body Of The Message
Contains Specific Words; this will add that condition to the Step 2
portion of the wizard page. From here you need to click the specific
words link so that you can use the Specify Words dialog. In the
Specify Words dialog, you can add or remove words and phrases that are
part of the condition.
When finished, click the OK button to close the
Specify Words dialog. You now need to select the second condition.
Select the From Users Inside Or Outside The Organization check box.
This adds that selection to the Step 2 portion of the wizard page. The
default is from users inside the organization, but you could change
this by clicking the Inside link to see the Select Scope dialog box.
The finished product for the Conditions page looks like Figure 13.
You can see the conditions selected on the top part of the wizard page
(the Step 1 section) and the additional information that was specified
for the conditions (Step 2), such as the words to search for and the
fact that it applies to messages sent by users inside the organization.
The next page of the wizard is the Actions page. On
this page, you specify what you want to do if you find a message that
meets the conditions you set on the Conditions page. First, you select
the Log An Event With Message action; this adds a message link to the
Step 2 section of the page. You click the message link to see the
Specify Event Message dialog. Here you enter the information you want
entered in the event log.
Next you select the Redirect The Message To Address
check box and then click the addresses link that is now in Step 2 of
the wizard page. This will display the Specify Recipients dialog. Here
you need to add the SMTP address auditor@somorita.com.
After you add the email address to the Specify
Recipients dialog, click OK and then select the Silently Drop The
Message check box. There is nothing else you need to do for this
particular action. Figure 14 shows the finished product for the Actions tab.
You can now click Next to see the Exceptions page of
the wizard. The Exceptions page allows you to add exceptions to this
particular rule. In this example there are none, so you can click Next
to move on to the Create Rule configuration summary. From here, you can
click the New button to create the new rule.
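The rule built in the wizard above can be created in one step from the Exchange Management Shell on the Edge Transport server. This is an added example, not the book's own code: the rule name, comment and event text are assumed, the auditor@somorita.com address is the one the text uses, and the -SentToScope condition is added here so the rule also matches the stated requirement that it apply to messages sent to users outside the organization (the wizard walkthrough only sets the from-inside condition and the words).

```powershell
# Added example (not from the book): create the Edge Transport rule from the
# wizard walkthrough with New-TransportRule. Name, comment and event text are
# assumed values; the redirect address is the book's audit alias.
New-TransportRule -Name "Block outbound confidential content" `
    -Comments "Drops outbound mail containing confidential phrases and copies the audit alias" `
    -Enabled $true `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "confidential","secret formula","secret recipe" `
    -LogEventText "Outbound message dropped: subject or body contained a confidential phrase" `
    -RedirectMessageTo "auditor@somorita.com" `
    -DeleteMessage $true

# Verify the stored rule, its state and the conditions and actions it carries,
# which should match the Step 1 / Step 2 selections shown in the wizard.
Get-TransportRule "Block outbound confidential content" |
    Format-List Name, State, Priority, Conditions, Actions, Exceptions
```

Rules are evaluated in priority order, so if the Edge server already carries other rules, review Get-TransportRule output and use Set-TransportRule -Priority to place this one where the policy requires.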