Using Exchange Server 2010 Antispam Tools (part 6) - Sender Reputation

10/18/2014 9:08:34 PM

10. Sender Reputation

Sender reputation is the most promising feature of Exchange 2010 when it comes to reducing the amount of spam you receive. This is because much of the spam that is received today is sent by bot or zombie networks. Spammers have joined forces with virus writers; the virus writers have written malware that infects hundreds of thousands of users' computers. Periodically, these computers check with the spammer and download a new batch of spam. Blocking a single IP address becomes impractical because the spammers have so many of these computers all over the Internet. However, these zombie networks are usually not using correct SMTP commands and are not RFC compliant. A lot of spammers also use SMTP proxies by sending messages through a proxy on the Internet.

Sender reputation allows Exchange to analyze the connections that are coming in to an Edge Transport or Hub Transport server and look for things such as the number of protocol errors, invalid delivery attempts, and the number of messages from the same sender. These can be used to determine if a specific IP address is sending spam. On the Action tab of the Sender Reputation object's properties (shown in Figure 10), you can specify the Sender Reputation Level Block Threshold value; this is a value from 0 to 9 that is used to block senders that exceed a certain "suspicious" threshold.

Figure 10. Configuring the sender reputation level block threshold

The default for the SRL block threshold is 7; we recommend keeping it at this slightly less aggressive value and then monitoring to see if a lot of spam still gets through. If so, you can increase it slightly, but keep in mind that as you get more aggressive with this value, the possibility of valid connections getting rejected becomes higher.

The Threshold Action section allows you to specify how long a sender is retained on an IP block list once the sender has been determined to be suspicious. The default is 24 hours, and we recommend that you keep that value.

Exchange can test for open proxies and determine if the source of a connection is an open proxy that is probably being used to send spam. On the Sender Confidence tab (Figure 11), you can enable the open proxy test. If a connecting SMTP client is determined to be an open proxy, it will be added to the IP block list for the time specified on the Action tab.

Figure 11. Configuring the sender reputation filter to perform an open proxy test

10.1. Configuring the Edge Transport Server to Enforce Organization Policies

The Edge Transport server has a transport rules feature just as the Exchange 2010 Hub Transport server does. You may find this useful if there are certain types of organizational policies that you wish to enforce on messages that are arriving on the Edge Transport server and before they are delivered on to the Exchange 2010 Hub Transport server.

To illustrate the use of transport rules on the Edge Transport server, let's go through an example that enforces a policy of blocking outbound messages that contain certain confidential words and phrases. Here are the requirements:

  1. All messages being sent to a user outside the organization should have this transport rule applied to them.

  2. If the message subject or body contains the words confidential, secret formula, or secret recipe, we want to take action on the message.

  3. If the message meets the criteria, an error should be recorded in the event log, the message should be dropped, and a copy of the message should be sent to the company audit alias.

For this example, it is assumed that the Edge Transport server is used to relay outbound messages to the Internet as well as to accept inbound messages. This example could also apply to transport rules used inside the organization.

In the Actions pane, select the New Transport Rule task to launch the New Transport Rule wizard. On the Introduction page (shown in Figure 12), provide a descriptive name for the policy as well as an accurate description of the function of the transport rule. When finished, click Next to move on to the next page of the wizard.

Figure 12. Introduction page of the New Transport Rule Wizard

On the Conditions page, specify the conditions of the transport rule. For this rule, two conditions must be met: the message must be from a user inside the organization and there must be specific words in the message body or subject. First, check the condition When The Subject Field Or The Message Body Of The Message Contains Specific Words; this will add that condition to the Step 2 portion of the wizard page. From here you need to click the specific word's link so that you can use the Specify Words dialog. In the Specify Words dialog, you can add or remove words and phrases that are part of the condition.

When finished, click the OK button to close the Specify Words dialog. You now need to select the second condition. Select the From Users Inside Or Outside The Organization check box. This adds that selection to the Step 2 portion of the wizard page. The default is from users inside the organization, but you could change this by clicking the Inside link to see the Select Scope dialog box.

The finished product for the Conditions page looks like Figure 13. You can see the conditions selected on the top part of the wizard page (the Step 1 section) and the additional information that was specified for the conditions (Step 2), such as the words to search for and the fact that it applies to message sent by users inside the organization.

Figure 13. Conditions page of the transport rule

Figure 14. The Actions page of the New Transport Rule wizard

The next page of the wizard is the Actions page. On this page, you specify what you want to do if you find a message that meets the conditions you set on the Conditions page. First, you select the Log An Event With Message action; this adds a message link to the Step 2 section of the page. You click the message link to see the Specify Event Message dialog. Here you enter the information you want entered in the event log.

Next you select the Redirect The Message To Address check box and then click the addresses link that is now in Step 2 of the wizard page. This will display the Specify Recipients dialog. Here you need to add the SMTP address auditor@somorita.com.

After you add the email address to the Specify Recipients dialog, click OK and then select the Silently Drop The Message check box. There is nothing else you need to do for this particular action. Figure 14 shows the finished product for the Actions tab.

You can now click Next to see the Exceptions page of the wizard. The Exceptions page allows you to add exceptions to this particular rule. In this example there are none, so you can click Next to move on to the Create Rule configuration summary. From here, you can click the New button to create the new rule.

  •  Exchange Server 2007 Management and Maintenance Practices : Postmaintenance Procedures, Reducing Management and Maintenance Efforts
  •  Exchange Server 2007 Management and Maintenance Practices : Prioritizing and Scheduling Maintenance Best Practices (part 2) - Weekly Maintenance
  •  Exchange Server 2007 Management and Maintenance Practices : Prioritizing and Scheduling Maintenance Best Practices (part 1) - Daily Maintenance
  •  Exchange Server 2007 Management and Maintenance Practices : Best Practices for Performiming Database Maintenance (part 2) - Offline Database Maintenance
  •  Exchange Server 2007 Management and Maintenance Practices : Best Practices for Performiming Database Maintenanceng (part 1) - Automatic Database Maintenance
  •  Exchange Server 2007 Management and Maintenance Practices : Auditing the Environment (part 3) - Message Tracking
  •  Exchange Server 2007 Management and Maintenance Practices : Auditing the Environment (part 2) - SMTP Logging
  •  Exchange Server 2007 Management and Maintenance Practices : Auditing the Environment (part 1) - Audit Logging - Enabling Event Auditing , Viewing the Security Logs
  •  Qnap TS-251Turbo NAS Review
  •  Edmail See Without A Camera
    Video tutorials
    - How To Install Windows 8

    - How To Install Windows Server 2012

    - How To Install Windows Server 2012 On VirtualBox

    - How To Disable Windows 8 Metro UI

    - How To Install Windows Store Apps From Windows 8 Classic Desktop

    - How To Disable Windows Update in Windows 8

    - How To Disable Windows 8 Metro UI

    - How To Add Widgets To Windows 8 Lock Screen

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010
    programming4us programming4us
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    Popular Tags
    Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Exchange Server Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe Photoshop CorelDRAW X5 CorelDraw 10 windows Phone 7 windows Phone 8 Iphone