As Exchange has adapted over the years,
Microsoft has recognized the pitfalls encountered by companies
overwhelmed by spam and email viruses. To combat this, they have
consistently improved the features of their bundled tools to provide
organizations with protection that would have had to be addressed with
third-party applications in the past.
Exchange Server 2007 Antispam Measures
As previously mentioned, spam is a global problem that affects everyone with an Internet-accessible email address. The spam problem has grown beyond bothersome; it has become an issue that negatively impacts end-user productivity and places a significant burden on messaging systems.
Exchange 2007 has many antispam measures built into the application. These methods are especially effective when coupled with Outlook 2007. A few of these features are as follows:
Increased protection through integrated security technologies—
Exchange Server 2007 acts as the first line of defense on incoming
email messages. The Exchange server determines the legitimacy of the
message, and is able to disable links or uniform resource locators
(URLs) to help protect the user community. In addition, Exchange 2007
offers new antiphishing capabilities to help to prevent emails of this
nature from reaching your users in the first place.
Improved email legitimacy assurance—
Email legitimacy is managed through Email Postmark technology when you
combine Office Outlook 2007 and Exchange Server autoencryption. Outlook
Email Postmark applies a token (actually a computational puzzle that
acts as a spam deterrent) to email messages it sends. This token can be
read by a receiving Exchange 2007 server to confirm the reliability of
the incoming message.
Distribution lists restricted to authenticated users—
Using message delivery restrictions, you can configure a distribution
list to accept mail from all senders, or specific senders or groups. In
addition, you can require that all senders be authenticated before
their message is accepted.
Connection filtering—
Improvements have been made in the configuration and management of IP
Block lists, IP Allow lists, IP Block List providers, and IP Allow List
providers. Each of these elements can now be reviewed and configured
directly from the Exchange Management Console.
Content filtering—
Exchange 2007 includes the Exchange Intelligent Message Filter, or IMF,
which uses the Microsoft SmartScreen patented “machine-learning”
technology. This content filter evaluates inbound messages and
determines the probability of whether the messages are legitimate,
fraudulent, or spam.
In addition, the IMF consolidates information that is collected from connection filtering, sender filtering, recipient filtering, sender reputation, Sender ID verification, and Microsoft Office Outlook 2007 Email Postmark validation. The IMF then applies a Spam Confidence Level (SCL) rating to a given message, and an administrator can configure the action taken on the message based on that SCL rating. These actions might include the following:
Delivery to a user Inbox or Junk E-Mail folder.
Delivery to the spam quarantine mailbox.
Rejection of the message and no delivery.
Acceptance and deletion of the message. The server accepts the message and deletes it instead of forwarding it to the recipient mailbox.
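The SCL actions listed above are set per threshold from the Exchange Management Shell. The following script is an added example, not from the book or from Microsoft: it applies one consistent set of thresholds, checks that the actions are ordered so that a lower action cannot shadow a higher one, and reads the result back. The quarantine mailbox address and the threshold values are assumptions for illustration.

```powershell
# Added example (not from the book): configure Content Filter agent SCL actions on an
# Exchange 2007 transport server and verify the thresholds are consistent.
# Run in the Exchange Management Shell. Mailbox address and values are assumptions.

$QuarantineMailbox = 'spam-quarantine@example.com'   # assumed; the mailbox must already exist

# Higher SCL means more likely spam. Delete is the harshest action, then reject,
# then quarantine, then the user's Junk E-Mail folder, so the thresholds should
# descend in that order; this is a sanity check before anything is changed.
$Thresholds = @{ Delete = 9; Reject = 7; Quarantine = 6; Junk = 4 }

if (-not (($Thresholds.Delete -gt $Thresholds.Reject) -and
          ($Thresholds.Reject -gt $Thresholds.Quarantine) -and
          ($Thresholds.Quarantine -gt $Thresholds.Junk))) {
    throw 'SCL thresholds should satisfy Delete > Reject > Quarantine > Junk'
}

# Server-side actions performed by the Content Filter agent.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled     $true -SCLDeleteThreshold     $Thresholds.Delete `
    -SCLRejectEnabled     $true -SCLRejectThreshold     $Thresholds.Reject `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold $Thresholds.Quarantine `
    -QuarantineMailbox    $QuarantineMailbox

# Organization-wide threshold above which the Mailbox server files messages into Junk E-Mail.
Set-OrganizationConfig -SCLJunkThreshold $Thresholds.Junk

# Read the effective settings back for review.
Get-ContentFilterConfig | Format-List SCL*Enabled, SCL*Threshold, QuarantineMailbox
Get-OrganizationConfig  | Format-List SCLJunkThreshold
```

Messages rated between the Junk and Quarantine thresholds are the "borderline" ones the spam quarantine section describes; review the quarantine mailbox regularly so false positives at the quarantine threshold are released rather than lost.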
Antispam updates—
Exchange 2007 now offers update services for its antispam components. The standard Exchange 2007 antispam filter updates every 2 weeks. The Forefront Security for Exchange Server antispam filter updates every 24 hours.
Spam quarantine—
The spam quarantine provides a temporary storage location for messages
that have been identified as spam and that should not be delivered to a
user mailbox. Messages that have been labeled as spam are enclosed in a
nondelivery report (NDR) and are delivered to a spam quarantine
mailbox. Exchange administrators can manage these messages and can
perform several actions, such as rejecting the message, deleting it, or
flagging it as a false positive and releasing it to the originally
intended recipient. In addition, messages with an SCL rating that the
administrator has defined as “borderline” can be released to the user’s
Junk E-Mail folder in Outlook. These borderline messages are converted
to plain text to provide additional protection for the user.
Recipient filtering—
In the past, an email that was addressed to a specific domain would
enter that domain’s messaging service, regardless of whether it was
addressed to a valid recipient. This not only utilized bandwidth, but
also required Exchange servers to process the messages, create a
nondelivery report (NDR), and send that message back out. Now, by using
the EdgeSync process on your Hub Transport server, you can replicate
recipient data from the enterprise Active Directory into the Exchange
Active Directory Application Mode (ADAM) instance on the Edge Transport
server. This enables the Recipient Filter agent to perform recipient
lookups for inbound messages. Now, you can block messages that are sent
to nonexistent users (or to internal use only distribution lists).
Sender ID—
First implemented in Exchange Server 2003 SP2, Sender ID filtering technology primarily targets forgery of email addresses by verifying that each email message actually originates from the Internet domain that it claims to. Sender ID examines the sender's IP address and compares it to the Sender ID record published in the originating domain's public DNS. This is one way of eliminating spoofed email before it enters your organization and uses your company resources.
Sender reputation—
The Sender Reputation agent uses patented Microsoft technology to
calculate the trustworthiness of unknown senders. This agent collects
analytical data from Simple Mail Transfer Protocol (SMTP) sessions,
message content, Sender ID verification, and general sender behavior
and creates a history of sender characteristics. The agent then uses
this knowledge to determine whether a sender should be temporarily
added to the Blocked Senders list.
IP Reputation Service—
Provided by Microsoft exclusively for Exchange 2007 customers, this
service is an IP Block list that allows administrators to implement and
use IP Reputation Service in addition to other real-time Block list
services.
Outlook junk email filter lists aggregation—
This feature helps reduce false positives in antispam filtering by propagating Outlook 2003 and Outlook 2007 Junk Email Filter lists to Mailbox servers and to Edge Transport servers.
Additional Antispam Measures
In the battle against spam, passive measures protect your organization, but more aggressive measures can help lessen the problem overall. The following sections cover some suggestions of ways that your organization can help fight back.
Utilizing Blacklists
Many companies are unknowingly serving as open relays. Many spammers take advantage of this lack of security and utilize the organization's messaging system to send their unsolicited email. When a company or domain is reported as an open relay, the domain can be placed on a blacklist. This blacklist, in turn, can be used by other companies to prevent incoming mail from a known open relay source.
You can find some organizations that maintain blacklists at the following addresses:
Distributed Sender Blackhole List—http://www.dsbl.org
SpamCop Website—http://www.spamcop.net
Open Relay Database—http://ordb.org
Report Spammers
Organizations and laws are getting tougher on spammers, but spam prevention requires users and organizations to report the abuse. Although this often is a difficult task because many times the source is undecipherable, it is nonetheless important to take a proactive stance and report abuses.
Users should contact the system administrator or help desk if they receive or continue to receive spam, virus hoaxes, and other such fraudulent offers. System administrators should report spammers and contact mail abuse organizations, such as those listed earlier in the "Utilizing Blacklists" section.
System administrators should use discretion before reporting or blocking an organization. For example, if your company were to receive spam messages that appeared to originate from Yahoo! or Hotmail, it wouldn't necessarily be in your best interest simply to block those domains. In that example, the cure might be worse than the disease, so to speak.
Third-Party Antispam Products
Although Microsoft has equipped users, system administrators, and third-party organizations with many tools necessary to combat spam, adding a third-party product, or products, can provide further protection. These third-party products can also provide a multitude of features that help with reporting, customization, and filtering mechanisms to maximize spam blocking while minimizing false positives.
Do Not Use Open SMTP Relays
By default, Exchange Server 2007 is not configured to allow open relays. If an SMTP relay is necessary in the messaging environment, take the necessary precautions to ensure that only authorized users or systems have access to these SMTP relays.
Note
You can use the Exchange Best Practice Analyzer, or other tools such as Sam Spade (http://www.samspade.org/) to check your environment for open mail relays.
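The relay check can also be done from inside the Exchange Management Shell rather than from the outside. The following script is an added example, not from the book or from Microsoft: it lists Receive connectors that admit anonymous senders and also grant them the extended right that allows relaying to any recipient, together with the remote IP ranges the connector accepts. The account and right names are those used by Exchange 2007; adjust if your shell reports them differently.

```powershell
# Added example (not from the book): audit Exchange 2007 Receive connectors for
# anonymous relay. Run in the Exchange Management Shell on a Hub or Edge Transport server.

$AnonymousUser = 'NT AUTHORITY\ANONYMOUS LOGON'
$RelayRight    = 'ms-Exch-SMTP-Accept-Any-Recipient'   # the right that permits relaying

$Findings = @()
foreach ($Connector in Get-ReceiveConnector) {
    # Connector must admit unauthenticated senders at all.
    $AnonymousAllowed = "$($Connector.PermissionGroups)" -match 'AnonymousUsers'

    # Anonymous relay also requires an explicit Allow ACE for the relay right.
    $RelayGranted = Get-ADPermission -Identity $Connector.Identity -User $AnonymousUser |
        Where-Object { (-not $_.Deny) -and ("$($_.ExtendedRights)" -match $RelayRight) }

    if ($AnonymousAllowed -and $RelayGranted) {
        $Findings += $Connector | Select-Object Identity, RemoteIPRanges, Bindings
    }
}

if ($Findings.Count -gt 0) {
    Write-Warning 'Receive connectors permitting anonymous relay:'
    # A RemoteIPRanges of 0.0.0.0-255.255.255.255 here means an open relay;
    # relay connectors should be scoped to the specific hosts that need them.
    $Findings | Format-Table Identity, RemoteIPRanges, Bindings -AutoSize
} else {
    Write-Host 'No Receive connector grants anonymous relay.'
}
```

Connectors that use the ExternallySecured authentication mechanism with the ExchangeServers permission group also relay for the hosts in their RemoteIPRanges; review those separately, since this script only looks at the anonymous case.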