Approaches to Fighting Spam in an Exchange Server Environment


  • 8/3/2019 Approaches to Fighting Spam in an Exchange Server Environment

    Midsize Business Security Guidance

    Approaches to Fighting Spam in an Exchange Server Environment

    Published: August 2006

    For the latest information, please see www.microsoft.com/technet/security/midsizebusiness/default.mspx

    © 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

    Introduction

    Welcome to this document from the Midsize Business Security Guidance collection. Microsoft hopes that the following information will help you create a more secure and productive computing environment.

    Executive Summary

    Unsolicited e-mail messages, also known as junk e-mail messages or spam, are messages sent from a single source with the intent of broadcasting to many mailboxes at one time. The goal of the spammer is to deliver the message to the end user so that they open it and actually read it, which is how the spammer makes money. Spammers use many different techniques to put their messages in gray areas, where they cannot be easily detected at the gateway level.

    Industry estimates suggest that 40 percent or more of incoming e-mail messages are designated as spam. This increased flow of junk e-mail continues to challenge midsize businesses. Not only is it a nuisance, but spam can also be an expensive proposition when factoring in the potential loss of productivity and the additional resources required to deal with it.

    Therefore, a practical solution is necessary for fighting spam.

    Microsoft Exchange Server 2003 with Service Pack 2 (SP2) introduces a framework that combines different methods for fighting spam within either a single or multiple Exchange Server environments. This framework is called Exchange Server 2003 Anti-Spam Framework, and is comprised of connection-level, protocol-level, and content-level filtering.

    Approaches within this framework allow both administrators and end users to precisely filter and categorize spam and decide on their end whether it is spam or legitimate business e-mail.

    The primary goal of this framework is to provide the administrators and users with solutions that are flexible enough to apply on the server side and the client side. This document describes these approaches in detail and demonstrates how each approach within the framework functions, and how each of these approaches works collectively. It presents assessment and development plans, as well as a step-by-step guide in the deployment and management section.

    Note: Microsoft also provides an important service that helps fight spam. This service is called Exchange Hosted Services, or EHS. EHS is composed of four distinct services that help midsize businesses to protect themselves from e-mail-borne malware, satisfy retention requirements for compliance, encrypt data to preserve confidentiality, and preserve access to e-mail during and after emergency situations.

    The heart of Exchange Hosted Services is a distributed network of data centers located at key sites along the Internet backbone. Each data center contains fault-tolerant servers that are load-balanced from site to site and from server to server.

    A detailed description of this service is beyond the scope of this guide. Please refer to the white paper Microsoft Exchange Hosted Services Overview at www.microsoft.com/exchange/services/services.mspx for more information.

    Overview

    This document consists of four main sections that discuss options and solutions to provide practical approaches to fighting spam within the Exchange Server environment. The four sections are: Introduction, Definition, Challenges, and Solutions.

    Introduction

    This section provides an executive summary of this document along with an overview of its structure and some information regarding the intended audience.

    Definition

    This section provides some details about the definition and the overview of the Exchange Server 2003 Anti-Spam Framework. These details will be useful for understanding the solutions discussed in this document.

    Challenges

    This section describes some of the challenges that a midsize business might face when determining how to filter spam at the different levels that the Anti-Spam Framework provides.

    Solutions

    This section discusses practical solutions that address the challenges presented by unsolicited e-mail. It assesses approaches and development plans to address the challenges, along with step-by-step information about deployment and management of the following methods:

        Connection-level protection
            IP connection filtering
            Real-time block lists

        Protocol-level protection
            Recipient and sender blocking
            Sender ID

        Content-level protection
            Exchange Intelligent Message Filter
            Outlook 2003 and Outlook Web Access Junk E-Mail

    In addition to the Exchange Server 2003 Anti-Spam Framework, it is important to recognize user awareness as a vital part of fighting spam within Exchange Server environments. This topic will be discussed at the end of the "Deployment and Management" section.

    Who Should Read This Guide

    This document is intended primarily for information technology (IT) professionals and business management who are responsible for planning and implementing approaches to fighting spam within an Exchange Server environment for midsize businesses. Such professionals may be in the following roles:

        System architects. People who are responsible for designing the overall server infrastructure, developing server deployment strategies and policies, system hardening, and contributing to networking connectivity design.

        Information technology managers. People who are the technical decision makers and who manage the information technology staff responsible for the infrastructure, the desktop and server deployment, and Exchange server administration and operations across sites.

        Systems administrators. People who are responsible for planning and deploying technology across Microsoft Exchange servers and evaluating and recommending new technology solutions.

        Exchange Messaging administrators. People who are responsible for implementing and managing organizational messaging.

    Definition

    Exchange Server 2003 Anti-Spam Framework is a mechanism to combat spam within the Exchange Server environment. The release of Exchange Server 2003 SP2 enhances the framework by including the industry standard e-mail authentication technology called Sender ID filtering. This technology helps reduce the amount of spam that arrives in a user's inbox.

    This section discusses Exchange Server 2003 Anti-Spam Framework in detail.

    Exchange Server 2003 Anti-Spam Framework

    Exchange Server 2003 applies anti-spam protection at three different levels (the connection level, the protocol level, and the content level), as shown in the following figure.

    Figure 1. Three levels of spam protection

    Connection-level protection analyzes the connecting SMTP host, protocol-level protection analyzes the message's sender and recipient, and content-level protection evaluates the message content. Each of these types of anti-spam protection is described in greater detail in the following subsections.

    Connection-Level Protection

    Connection-level protection is among the most beneficial layers of defense against spam, because with this level of protection, the spam message never enters the midsize business. As shown in the following figure, connection-level protection works by evaluating each incoming SMTP connection for the probability that it is a source of spam.

    Figure 2. Connection-level protection

    If the connecting SMTP host is identified as a host that sends spam or a host that would not normally send SMTP messages, the connection can be refused, thus eliminating costly cycles spent determining if the inbound message is spam. To this end, there are two types of connection-level filtering available with Exchange Server 2003.

    IP Connection Filtering

    With Exchange Server 2003, you can explicitly choose to deny SMTP connections based on IP address. This approach is the most rudimentary method of protecting an Exchange server, because the connection-filtering lists are manually administered. If you want to deny inbound SMTP connections from a specific host for a given reason (including the probability that it is a source of spam), the connections are denied at this level.

    SMTP connections can also be explicitly allowed. If you want to receive mail from a blocked SMTP host that has been identified as a source of spam, you can choose to allow messages from the specified SMTP host that otherwise would be denied.

    Real-Time Block Lists

    A more dynamic means of providing connection-level protection is through use of real-time block lists (RBL). Block lists are lists of IP addresses that are either known sources of spam, open relays, or part of an IP scope that should not include an SMTP host, such as an IP address from the Microsoft MSN dial-up pool.

    Third-party block list providers collect IP addresses that fit each profile. When a sending host initiates an SMTP session with a subscriber to the block list service, the subscriber issues a Domain Name System (DNS)-type query to the block list provider with the connecting host's IP address. The block list provider then replies with a code indicating whether the connecting host is on a list. The code can also indicate which list the connecting SMTP host is on.

    The real-time block list filtering process is described as follows and shown in the following figure.

    1. An SMTP host connects to the Exchange Server 2003 server over Transmission Control Protocol (TCP) port 25.

    2. The Exchange Server 2003 server queries the configured block list provider to verify that the connecting SMTP host is not on the block list.

    3. If the connecting SMTP host is not on the block list, the connection is allowed. If the host is on the block list, the connection is dropped.

    Figure 3. How real-time block list filtering works
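
    The lookup and the manual allow and deny lists described above, as an added example that is not part of the original guide and is not Exchange's own code. The reversed-octet query name and 127.0.0.x answers are the common DNS block list convention; the zone rbl.example.test, the return-code meanings, the sample data and the fail-open choice are assumptions.

```python
import ipaddress
import socket

# Constructed return codes; each provider documents its own meanings.
RETURN_CODES = {
    "127.0.0.2": "known spam source",
    "127.0.0.3": "open relay",
    "127.0.0.4": "dial-up address pool",
}


def rbl_query_name(ip, zone):
    """Name to query for an IPv4 host: octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def in_list(ip, networks):
    """True if ip falls inside any address or CIDR range in networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def system_resolve(name):
    """Live lookup through the OS resolver; NXDOMAIN becomes an empty answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise


def filter_connection(ip, accept_list, deny_list, zone, resolve=system_resolve):
    """Decide what to do with a connecting SMTP host. Returns (action, reason)."""
    # An explicit allow overrides every block, manual or list-based.
    if in_list(ip, accept_list):
        return ("allow", "global accept list")
    if in_list(ip, deny_list):
        return ("drop", "global deny list")
    try:
        answers = resolve(rbl_query_name(ip, zone))
    except OSError:
        # Assumption: fail open so a provider outage does not stop all mail.
        return ("allow", "block list lookup failed")
    for answer in answers:
        # Only 127.0.0.0/8 answers are list codes; anything else (for example
        # a resolver that rewrites NXDOMAIN) must not be read as a listing.
        if answer.startswith("127."):
            return ("drop", RETURN_CODES.get(answer, "listed, code " + answer))
    return ("allow", "not listed")


# Constructed zone data standing in for the provider's DNS.
SAMPLE_ZONE = {
    "7.113.0.203.rbl.example.test": ["127.0.0.2"],
    "9.100.51.198.rbl.example.test": ["127.0.0.4"],
}


def sample_resolve(name):
    """Offline resolver over SAMPLE_ZONE; unknown names act like NXDOMAIN."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for host in ("203.0.113.7", "198.51.100.9", "192.0.2.25"):
        print(host, filter_connection(
            host, ["198.51.100.0/24"], ["192.0.2.0/24"],
            "rbl.example.test", sample_resolve))
```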

    Prior to Exchange Server 2003 SP2, connection filtering functionality was not available if firewalls or intermediary SMTP hosts existed between Exchange and the sending identity (Exchange is positioned behind the perimeter network), because connection filtering prior to Exchange Server 2003 SP2 considered only the connecting host. When an intermediary host (such as a firewall or other SMTP appliance) is between the sending host and Exchange, only the intermediary host is considered.

    With the release of Exchange Server 2003 SP2, the Exchange server can be positioned anywhere in the midsize business and still filter connections correctly. This functionality is achieved by providing perimeter IP lists and an internal IP range configuration in Exchange System Manager. That way, Sender ID and real-time block list functionality will analyze the IP address that connects to your intermediary SMTP host, such as a firewall.

    Protocol-Level Protection

    Figure 4. Protocol-level protection

    After the SMTP message has advanced beyond the connection-level protection, the next layer of defense is at the SMTP protocol level. The SMTP dialog between the sending SMTP host and the receiving SMTP host is analyzed to verify that the sender and recipients are allowed, and to determine the sender's SMTP domain name.

    Recipient and Sender Blocking

    Another way to manually reduce spam is to define individual senders or domains from which you do not want to accept messages. Sender blocking allows you to specify individual SMTP addresses or domains to block. With Exchange Server 2003, you can also disallow messages that have a blank sender address, as well as archive filtered messages.

    Recipient filtering allows you to filter messages sent to a specific recipient. You can also filter recipients who are not listed in the directory. However, enabling the filtering of recipients who are not in the directory can make your company vulnerable to an SMTP e-mail address harvest attack, known as a directory harvesting attack (DHA). In this situation, the Exchange server responses to RFC 2821 RCPT TO: commands are parsed in search of valid SMTP addresses. The SMTP protocol acknowledges acceptable recipients during an SMTP session by responding with a 250 2.1.5 response. When e-mail is sent to a non-existent recipient, the Exchange server returns a 550 5.1.1 User unknown error. Therefore, a spammer can write an automated program that uses common names or dictionary terms to construct e-mail addresses to a specific domain. The program can then collect all e-mail addresses that return 250 2.1.5 to the RCPT TO: SMTP command and discard all e-mail addresses that cause 550 5.1.1 User unknown errors. The spammer can then sell the valid e-mail addresses or use them as recipients for unsolicited mail.

    This threat can be mitigated by using a method known as tarpitting. The Microsoft Windows Server 2003 SP1 SMTP tarpit feature allows an administrator to insert a configurable delay before returning some SMTP protocol responses. The attacking host does not wait long enough for the response.

    For more information, see the Microsoft Knowledge Base article "SMTP tar pit feature for Microsoft Windows Server 2003" at http://support.microsoft.com/?kbid=842851.
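
    One way to spot address harvesting in the recipient responses described above, added here as an example that is not from the original guide. The log format, sample lines and thresholds are constructed assumptions; counting distinct unknown recipients keeps a sender that retries one mistyped address from being flagged.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified format (timestamp, client IP, command,
# response). Real SMTP protocol logs need their own parser.
SAMPLE_LOG = """\
2006-08-01T10:00:01 203.0.113.50 RCPT TO:<adam@example.com> 550 5.1.1 User unknown
2006-08-01T10:00:01 203.0.113.50 RCPT TO:<alice@example.com> 250 2.1.5 alice@example.com
2006-08-01T10:00:02 203.0.113.50 RCPT TO:<amy@example.com> 550 5.1.1 User unknown
2006-08-01T10:00:02 203.0.113.50 RCPT TO:<andy@example.com> 550 5.1.1 User unknown
2006-08-01T10:00:03 203.0.113.50 RCPT TO:<anna@example.com> 550 5.1.1 User unknown
2006-08-01T10:00:03 203.0.113.50 RCPT TO:<arthur@example.com> 550 5.1.1 User unknown
2006-08-01T10:00:04 203.0.113.50 RCPT TO:<ava@example.com> 550 5.1.1 User unknown
2006-08-01T10:05:10 198.51.100.20 RCPT TO:<alice@example.com> 250 2.1.5 alice@example.com
2006-08-01T10:05:11 198.51.100.20 RCPT TO:<bob@example.com> 250 2.1.5 bob@example.com
2006-08-01T10:05:12 198.51.100.20 RCPT TO:<bobb@example.com> 550 5.1.1 User unknown
2006-08-01T10:05:13 198.51.100.20 RCPT TO:<carol@example.com> 250 2.1.5 carol@example.com
"""
# A client that keeps retrying one mistyped address (also constructed).
SAMPLE_LOG += (
    "2006-08-01T11:00:00 192.0.2.77 RCPT TO:<typo@example.com> "
    "550 5.1.1 User unknown\n" * 6
)

LINE_RE = re.compile(
    r"^\S+ (?P<ip>\S+) RCPT TO:<(?P<rcpt>[^>]*)> "
    r"(?P<code>\d{3}) (?P<status>\d\.\d\.\d)\b"
)


def rcpt_stats(log_text):
    """Per client IP: accepted count, unknown count, distinct unknown names."""
    stats = defaultdict(lambda: {"accepted": 0, "unknown": 0, "names": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a RCPT TO response line
        entry = stats[m["ip"]]
        if m["code"] == "250" and m["status"] == "2.1.5":
            entry["accepted"] += 1
        elif m["code"] == "550" and m["status"] == "5.1.1":
            entry["unknown"] += 1
            entry["names"].add(m["rcpt"].lower())
    return stats


def harvest_suspects(log_text, min_unknown=5, min_ratio=0.8):
    """Clients probing many different non-existent recipients.

    Returns sorted (ip, distinct_unknown, accepted, unknown_ratio) tuples.
    The thresholds are assumptions to tune against normal traffic.
    """
    suspects = []
    for ip, entry in rcpt_stats(log_text).items():
        total = entry["accepted"] + entry["unknown"]
        ratio = entry["unknown"] / total if total else 0.0
        if len(entry["names"]) >= min_unknown and ratio >= min_ratio:
            suspects.append(
                (ip, len(entry["names"]), entry["accepted"], round(ratio, 2)))
    return sorted(suspects)


if __name__ == "__main__":
    for suspect in harvest_suspects(SAMPLE_LOG):
        print(suspect)
```

    The accepted count in each result is the number of addresses the client has already confirmed as valid, which is what to review after a detection.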

    Sender ID

    One of the most recent additions to the Exchange Server 2003 anti-spam defenses is Sender ID filtering. This feature in Exchange Server 2003 SP2 attempts to verify that the sending SMTP host is approved to send messages from the domain specified in the sending e-mail address. Many spam messages are spoofed so that the message appears to come from a legitimate e-mail address. When recipients are deceived into thinking the e-mail is from a legitimate authority (bank representative, customer service, etc.), they may be tricked into disclosing valuable information that can lead to identity theft or larceny. Sender ID attempts to reduce or eliminate spoofed messages.

    There are two parts to Sender ID that are required for the system to work. The first part is a DNS record known as a sender policy framework (SPF) record. The SPF record defines which servers are authorized to send mail from SMTP addresses in your domain. You do not need to have Sender ID configured to have an SPF record. The second part is an SMTP host that supports Sender ID, such as Exchange Server 2003 SP2.

    The SPF record is added to the DNS zone so that other organizations with Sender ID can verify that messages they receive that purport to be from your domain are sent by the servers you authorized in your SPF record. The following steps and figures illustrate how the process works, first without an SPF record and then with an SPF record in place.

    1. A message is sent to the Exchange Server 2003 server from the spamming SMTP host fabrikam.com with Sender ID enabled. The sender address [email protected].

    2. The Exchange server queries DNS for the SPF record for nwtraders.com.

    3. Because nwtraders.com does not have an SPF record, the message is allowed past Sender ID.

    Figure 5. Spam entering an organization without Sender ID / SPF record

    Northwind Traders then adds an SPF record to the nwtraders.com DNS zone as follows:

    1. A message is sent to the Exchange Server 2003 server from the spamming SMTP host fabrikam.com with Sender ID enabled. The sender address [email protected].

    2. The Exchange server queries DNS for the SPF record for nwtraders.com.

    3. Because the sending IP address (208.217.184.82) is not in the list of IP addresses allowed to send e-mail for nwtraders.com as defined in the SPF (131.107.76.156), the message is acted upon by Sender ID.

    Figure 6. Spam recognized in an organization with Sender ID / SPF record
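
    The two walkthroughs above as an added example, not code from the guide or from Exchange. It evaluates only the ip4, ip6 and all terms of a v=spf1 record; the record text, the local part someone@ and the in-memory TXT table are assumptions, and the two IP addresses are the ones in the steps above.

```python
import ipaddress

# Constructed TXT data standing in for DNS. The addresses come from the
# walkthrough above; the record text itself is an assumption.
TXT_RECORDS = {
    "nwtraders.com": ["v=spf1 ip4:131.107.76.156 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf(domain, txt_records):
    """Return the domain's single v=spf1 record, or None if it has none."""
    records = [
        text for text in txt_records.get(domain.lower(), [])
        if text.lower() == "v=spf1" or text.lower().startswith("v=spf1 ")
    ]
    if len(records) > 1:
        raise ValueError("multiple SPF records published for " + domain)
    return records[0] if records else None


def check_sender(sending_ip, sender_address, txt_records=TXT_RECORDS):
    """Evaluate the sender domain's SPF record against the sending IP.

    Returns none, pass, fail, softfail, neutral, permerror or unsupported.
    """
    domain = sender_address.rsplit("@", 1)[-1]
    record = find_spf(domain, txt_records)
    if record is None:
        return "none"  # nothing published: the check cannot object
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect and others need further DNS lookups;
        # report that instead of guessing a result.
        return "unsupported"
    return "neutral"  # no mechanism matched and the record has no "all"


if __name__ == "__main__":
    sender = "someone@nwtraders.com"  # constructed local part
    print("no record:", check_sender("208.217.184.82", sender, {}))
    print("spoofing host:", check_sender("208.217.184.82", sender))
    print("authorized host:", check_sender("131.107.76.156", sender))
```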

    By implementing Sender ID, you can greatly reduce spam addressed (spoofed) from domains that have an SPF record. However, you should note that Sender ID protection is only as good as the number of organizations that have SPF records.

    For Microsoft.com, 59 percent of inbound messages that get past connection-level filtering are blocked by protocol-level filtering.

    Content-Level Protection

    Figure 7. Content-level protection

    After connection-level and protocol-level filtering have been applied to determine if an inbound message is spam, the next line of defense is to analyze the message content, looking for common clues that may indicate unsolicited e-mail. Spammers have exerted a constant effort to come up with new and inventive ways to avoid detection so that their messages get past content filters and enter users' inboxes.

    Exchange Intelligent Message Filter

    Intelligent Message Filter (IMF) is a content filter designed specifically for Exchange. It is based on patented machine-learning technology from Microsoft Research known as Microsoft SmartScreen technology. SmartScreen is currently used by MSN, Microsoft Hotmail, Microsoft Office Outlook 2003, and Exchange. IMF was designed to distinguish between characteristics of legitimate e-mail messages and spam, based on millions of messages. IMF assesses the probability that an incoming e-mail message is either a legitimate message or spam. Unlike many other filtering technologies, IMF uses characteristics from a statistically sound sample of e-mail messages. Including legitimate messages in this sample, in addition to spam, reduces the likelihood of mistakes. Because IMF recognizes characteristics of both legitimate and unsolicited commercial e-mail (UCE) messages, the accuracy of IMF is increased.

    IMF is installed on Exchange servers that accept inbound SMTP messages from the Internet. When an external user sends e-mail messages to an Exchange server with IMF installed, the IMF evaluates the textual content of the messages and assigns each message a rating based on the probability that the message is spam. This rating ranges from 1 to 9 and is stored as a message property known as the spam confidence level (SCL) rating. This rating is persisted with the message when the message is sent to other Exchange servers. The overall process is shown in the following figure.

    Figure 8. Exchange Intelligent Message Filter process

    After IMF assigns an SCL to the message, it is evaluated against two thresholds configured by the administrator as follows:

    1. Gateway blocking configuration: Block messages with an SCL rating greater than or equal to. If the SCL of a message is greater than or equal to the value set in this threshold, one of the following actions can be performed on the message:

        Archive

        Delete

        No action

        Reject

    2. Store junk e-mail configuration: Move messages with an SCL rating greater than. If the SCL of the message is greater than the value set in this threshold, the message will be delivered to the junk e-mail folder of the user's inbox, unless the user has the sender on their safe senders list.

    Anti-Phishing

    Phishing is a type of deception designed to steal your identity. In phishing scams, scam artists try to get you to disclose valuable personal data, such as credit card numbers, passwords, account data, or other information, by convincing you to provide it under false pretenses (for example, by using an e-mail message that asks you to verify account information).

    Exchange Server 2003 SP2 adds anti-phishing technology to the IMF so that the phishing messages are assigned an appropriate SCL and dealt with accordingly.

    Custom Weighting

    Exchange Server 2003 SP2 also provides a custom weighting feature that lets administrators customize the behavior of the IMF, based on phrases found within the body of an e-mail message, the subject line, or both.

    The custom weighting feature is implemented by inserting an Extensible Markup Language (XML) file named MSExchange.UceContentFilter.xml into the same directory as the MSExchange.UceContentFilter.dll and .dat files on the server with the IMF installed. When the SMTP virtual server is started and the IMF is initialized, the XML file is loaded.

    The XML file defines phrases that can be given more or less emphasis by the IMF. This functionality allows you to customize the IMF if you have business requirements to accept or deny messages based on phrases that would otherwise be given a different SCL rating by the IMF.

    For Microsoft.com, 38 percent of inbound messages that pass connection-level and protocol-level filtering are blocked by the IMF.

    Outlook 2003 and Outlook Web Access Junk E-Mail

    After a message makes it past server-based anti-spam defenses, the Outlook 2003 client can act on messages that have an SCL value greater than or equal to the store junk e-mail configuration setting in the IMF. Messages that exceed this server setting are sent to the junk e-mail folder in the Outlook 2003 inbox.

    Outlook 2003 and Outlook Web Access for Exchange Server 2003 also allow users to create a list of safe senders from whom users always want to accept e-mail messages, as well as a list of blocked senders from whom users always want to reject e-mail messages. At the mailbox store, regardless of the SCL rating assigned to the message, Exchange delivers all messages from safe senders to the user's inbox and all messages from blocked senders to the user's junk e-mail folder. However, if the e-mail message has been blocked by the gateway threshold, it is not delivered to the user's inbox because the message is never delivered to the mailbox store.
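
    The threshold and sender-list rules above, added as an example that is not part of the original guide and is not Exchange's code. It follows the threshold names (greater than or equal to at the gateway, greater than at the store); the labelled sample messages and addresses are constructed, and one user's lists stand in for per-mailbox lists.

```python
from collections import Counter

GATEWAY_ACTIONS = ("archive", "delete", "no action", "reject")


def route_message(scl, sender, gateway_threshold, gateway_action,
                  store_threshold, safe_senders=(), blocked_senders=()):
    """Return where one message ends up: 'gateway', 'junk' or 'inbox'."""
    if gateway_action not in GATEWAY_ACTIONS:
        raise ValueError("unknown gateway action: " + gateway_action)
    # The gateway check uses >=. A message blocked here never reaches the
    # mailbox store, so a safe senders entry cannot rescue it.
    if scl >= gateway_threshold and gateway_action != "no action":
        return "gateway"
    sender = sender.lower()
    # At the store, the user's lists win regardless of the SCL rating.
    if sender in safe_senders:
        return "inbox"
    if sender in blocked_senders:
        return "junk"
    # The store check uses >, so a message exactly at the threshold is
    # delivered to the inbox.
    return "junk" if scl > store_threshold else "inbox"


def evaluate_thresholds(messages, gateway_threshold, store_threshold,
                        gateway_action="reject", safe_senders=(),
                        blocked_senders=()):
    """Tally outcomes for labelled messages given as (scl, sender, is_spam).

    Also counts the two costly mistakes: legitimate mail stopped at the
    gateway, and spam that lands in the inbox.
    """
    tally = Counter()
    for scl, sender, is_spam in messages:
        where = route_message(scl, sender, gateway_threshold, gateway_action,
                              store_threshold, safe_senders, blocked_senders)
        tally[where] += 1
        if where == "gateway" and not is_spam:
            tally["legitimate blocked at gateway"] += 1
        if where == "inbox" and is_spam:
            tally["spam delivered to inbox"] += 1
    return dict(tally)


# Constructed, hand-labelled sample: (SCL, sender, is_spam).
SAMPLE_MESSAGES = [
    (9, "promo@bulk.example", True),
    (8, "deals@bulk.example", True),
    (7, "newsletter@partner.example", False),
    (6, "offers@bulk.example", True),
    (5, "noreply@shop.example", True),
    (4, "billing@partner.example", False),
    (2, "colleague@example.com", False),
    (1, "boss@example.com", False),
]
SAFE_SENDERS = {"newsletter@partner.example"}

if __name__ == "__main__":
    for gateway, store in ((8, 5), (7, 4)):
        print(gateway, store, evaluate_thresholds(
            SAMPLE_MESSAGES, gateway, store, safe_senders=SAFE_SENDERS))
```

    Lowering the gateway threshold from 8 to 7 in this sample stops the safe sender's newsletter before the safe senders list is ever consulted.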

    Challenges

    The stream of unwanted, often offensive, and sometimes deceptive unsolicited commercial e-mail, commonly known as spam, is eroding our collective ability to use e-mail as a channel for communication and legitimate e-commerce.

    For many individuals and regions, spam has become such a problem that the Inbox is no longer a valid communication storage area, because legitimate business e-mail is lost in the sea of spam. For midsize businesses, spam does nothing but increase the cost of messaging, with respect to server consumption, network consumption, and disk usage.

    The challenge that midsize businesses face is how to allow good e-mail messages and block the spam e-mail messages. They need ways to fight spam in an Exchange Server environment.

    Microsoft Exchange Server 2003 with SP2 uses several filtering methods for reducing spam. These methods are the layered anti-spam solutions that include connection-level protection, protocol-level protection, and content-level protection as briefly discussed earlier in this document. These methods are flexible. When the mechanism of each method is clearly understood, IT administrators and users can adjust the level of protection against spam. They enable midsize businesses to balance e-mail access and spam filtering.

    It is important that Exchange administrators and implementers understand how each of these methods works and how they work together to reduce the total amount of spam that arrives in a user's inbox. The following figure shows the layered approach for defending against spam.

    Figure 9. Exchange Server 2003 Anti-Spam Framework

    Solutions

    This section discusses the assessment, development, deployment, and management of Microsoft Exchange Server 2003 Anti-Spam Framework solutions to combat spam in a midsize business environment.

    Assessment

    To effectively fight spam, the overall makeup of the Exchange Server 2003 e-mail system must be assessed, including what tools are available and how these tools can be effectively utilized. A careful study of the environment must be conducted as part of the risk assessment strategy.

    The Microsoft Exchange Server 2003 Anti-Spam Framework is a collection of methods that include connection filtering, protocol filtering, and content filtering. Understanding how each one of these methods works and how they work together is essential. In addition, user awareness of these technologies will better the chances of their successful implementation and management.

    The following questions should be considered:

    1. Is Exchange Server 2003 installed?

    To take advantage of the methods provided by the Exchange Server 2003 Anti-Spam Framework, Exchange Server 2003 must be installed on the appropriate Windows platform.

    Note: Microsoft Exchange Server 2003 can be installed on Windows 2003 or Windows 2000 with SP3 or later. Detailed installation requirements for Exchange Server are beyond the scope of the guide. See the "Installing New Exchange 2003 Servers" topic on Microsoft TechNet at www.microsoft.com/technet/prodtechnol/exchange/guides/Ex2k3DepGuide/a3318f57-3536-4e65-9309-9300cda23c73.mspx?mfr=true.

    2. Does the Exchange Server have Exchange 2003 SP2 applied?

    Exchange Server 2003 SP2 is a cumulative update that enhances the Exchange Server 2003 messaging environment with:

        Mobile e-mail improvements

        Mailbox advancements

        Better protection against spam

    SP2 delivers improved protection against spam (described earlier in this document) to help ensure a secure and reliable messaging environment. This improved protection includes:

        An updated and integrated Exchange Intelligent Message Filter, based on the patented SmartScreen filtering technology developed by Microsoft Research.

        New support for Sender ID e-mail authentication protocol, which helps prevent phishing and spoofing schemes.

    3. Is the Default SMTP Virtual Server enabled in the Exchange System Manager?

    Recipient filtering, intelligent filtering, Sender ID filtering, and connection filtering are configured in the global settings and they also need to be enabled at the SMTP level. Therefore, SMTP must be enabled before you apply changes to these services.

    4. Do client workstations have Outlook 2003 installed?

    Servers may be configured with all the necessary requirements, but if clients have older versions of Outlook they will not be able to take advantage of the methods offered within the Microsoft Exchange Server 2003 Anti-Spam Framework.

    When all the necessary requirements for the Exchange Server 2003 and its clients are met, the following methods can be employed:

        Connection-level protection
            IP connection filtering
            Real-time block lists

        Protocol-level protection
            Recipient and sender blocking
            Sender ID

        Content-level protection
            Exchange Intelligent Message Filter
            Outlook 2003 and Outlook Web Access Junk E-Mail

    Development

    The assessment section raised some questions and provided some answers about Exchange Server 2003 and client requirements for taking advantage of the Microsoft Exchange Server 2003 Anti-Spam Framework.

    Solutions for fighting spam within the Exchange environment also include client security and user education. All of these approaches should be used to battle spam in an Exchange environment.

    All of the spam protection methods provided by Microsoft Exchange Server 2003 Anti-Spam Framework are ready to be implemented when the following requirements are met:

        Exchange Server 2003 has been installed on the appropriate Windows platforms.

        Outlook 2003 and Outlook Web Access have been set up and configured.

        All of the latest recommended updates and patches have been applied, including Service Pack 2.

    A better understanding of how each method works and how they interact will ensure better implementation. Although these methods were briefly discussed earlier, this section provides more of the details that are necessary for deployment and management.

    Connection-Level Protection

    Exchange Server 2003 SP2 includes connection filtering, which compares the IP address of the connecting server with a list of denied IP addresses (also known as a real-time block list). The comparison of IP addresses occurs immediately when the SMTP session is initiated, enabling a midsize business to block connections to its gateways at the earliest stages of message submission. Before a server in the real-time block list is able to submit messages, the connection is dropped. This approach results in performance savings at both the messaging and network layers.

    Midsize businesses can establish connection filtering in Exchange Server 2003 SP2 either by manually creating a global deny list and a global accept list, or by using third-party-maintained databases of known blocked IP addresses.

    The majority of Exchange Server 2003 SP2 servers are deployed behind an organization's perimeter and do not face the Internet directly. This placement renders connection filtering less useful, because the feature relies on getting the original sender's IP address to run the DNS query. The release of SP2 has addressed this deficiency by introducing a new header-parsing algorithm for originating IP address retrieval. Exchange Server 2003 SP2 with connection filtering deployed can be positioned anywhere in the organization and perform filtering as it would on the perimeter.
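
    A simplified model of retrieving the originating IP address from Received headers, added as an example; it is not Exchange's actual algorithm. The sample messages, host names and address ranges are constructed, and the function stops at the first hop outside the perimeter list and internal ranges because headers below that hop are supplied by the sender.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message as an internal server would see it: newest Received
# header first. The last header is sender-supplied and could be forged.
SAMPLE_MESSAGE = """\
Received: from fw01.example.com ([10.0.0.5]) by exch01.example.com; Tue, 1 Aug 2006 10:00:03 -0700
Received: from mail.sender.example ([203.0.113.7]) by fw01.example.com; Tue, 1 Aug 2006 10:00:02 -0700
Received: from forged.example ([198.51.100.99]) by mail.sender.example; Tue, 1 Aug 2006 10:00:01 -0700
From: someone@example.org
Subject: constructed sample

body
"""

# Constructed message that never left the internal network.
INTERNAL_MESSAGE = """\
Received: from ws1.example.com ([10.1.1.1]) by exch01.example.com; Tue, 1 Aug 2006 09:00:00 -0700
From: colleague@example.com
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def received_from_ips(raw_message):
    """IP of the sending side of each Received header, newest hop first."""
    message = message_from_string(raw_message)
    ips = []
    for value in message.get_all("Received", []):
        # Unfold the header and keep only the "from ..." clause, so the
        # receiving host's own address after "by" is never picked up.
        from_part = " ".join(value.split()).split(" by ", 1)[0]
        match = IP_IN_BRACKETS.search(from_part)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # bracketed text that is not an IP address
    return ips


def originating_ip(raw_message, connecting_ip, perimeter_ips, internal_ranges):
    """Address to use for block list and Sender ID checks, or None.

    Returns the connecting IP when it is not a trusted hop; otherwise the
    first Received hop outside the perimeter list and internal ranges.
    """
    trusted = [ipaddress.ip_network(n, strict=False)
               for n in list(perimeter_ips) + list(internal_ranges)]

    def is_trusted(ip):
        return any(ip.version == net.version and ip in net for net in trusted)

    connecting = ipaddress.ip_address(connecting_ip)
    if not is_trusted(connecting):
        return str(connecting)
    for ip in received_from_ips(raw_message):
        if not is_trusted(ip):
            return str(ip)  # stop here: older headers are untrusted input
    return None  # every hop is internal, nothing to look up


if __name__ == "__main__":
    print(originating_ip(SAMPLE_MESSAGE, "10.0.0.5", ["10.0.0.5"], ["10.0.0.0/8"]))
    print(originating_ip(SAMPLE_MESSAGE, "10.0.0.5", [], []))
```

    With empty perimeter and internal lists the function returns the firewall's own address, which is the pre-SP2 behaviour the paragraph above describes.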

    IP Connection Filtering

    A midsize business can create its own static list of denied IP addresses. As the name implies, the global deny list contains certain IP addresses and networks from which an organization never wants to accept e-mail. Conversely, a midsize business can create a global accept list, a list of IP addresses and networks to which an organization does not want to apply e-mail blocking or filtering policies. The global accept list might include IP addresses that correspond to subsidiary businesses or trading partners with which the midsize business has trusted relationships. In these circumstances, the midsize business does not want to risk having false positives, so it adds the trusted IP addresses of the senders' e-mail servers to its global accept list.

    Real-Time Block Lists

    A real-time block list is a DNS-based database of IP addresses of known, verified spam sources. Real-time block lists are available from companies that are in the business of continuously monitoring the Internet and tracking down known sources of spam. When detected, the offending IP addresses are added to a real-time block list database. These lists are often available free of charge, or available for a fee if a messaging administrator wants extended services.

    Exchange Server 2003 SP2 enables the use of third-party, real-time block lists. When configured to use a third-party, real-time block list, the Exchange Server 2003 SP2 server checks the submitting server's IP address against the real-time block list database and denies the connection if it finds a match.

    Because real-time block list functionality bases its filtering decisions on the IP address of the sending server rather than on message content, real-time block lists technically fall into a separate category from third-party anti-spam software. The real-time block list acts like a gatekeeper, preventing messages from known malicious or questionable servers from entering the environment. A message that gets past the real-time block list is a step closer to entering the network, but only until its content can be examined by the next layer of messaging defense, such as Intelligent Message Filter.

    Because of the volume of real-time block list-related DNS queries that Microsoft IT makes on a daily basis (tens of millions), Microsoft IT transfers a mirror copy of the real-time block list to its local DNS servers on a predetermined, regular basis (generally multiple times per day). Most list providers require local copies of the real-time block lists for query volumes of greater than 250,000 per day. Transfer of a copy of the real-time block list is known as a zone transfer from the list provider. Microsoft IT configured its Exchange Server 2003 SP2 gateways to make real-time block list-related DNS queries against those local DNS servers.

    Protocol-Level Protection

    After the SMTP message has advanced beyond the connection-level protection, the next layer of defense is at the SMTP protocol level. The SMTP dialog between the sending SMTP host and the receiving SMTP host is analyzed to verify that the sender and recipients are allowed, and to determine the sender's SMTP domain name.


    Recipient and Sender Blocking

    The recipient filtering feature in Exchange Server 2003 SP2 enables midsize businesses to protect against or reduce the impact of targeted mailbombing. Often, the recipients that such attacks target do not need to receive messages from the Internet at all. Recipient filtering rejects messages at the gateway layer based on criteria such as to whom a message is sent.

    Although recipient filtering is not as effective in fighting real-time spam threats as real-time anti-spam solutions, recipient filtering can be extremely helpful in diminishing the risks of mailbombing attacks. Recently, the use of recipient filtering enabled Microsoft IT to block millions of messages addressed to just a few recipients in a single day.

    Sender ID

    The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent. Sender ID validates the origin of e-mail by verifying the IP address of the sender against the purported owner of the sending domain.

    Sender ID seeks to verify that every e-mail message originates from the Internet domain from which it claims to have been sent. This verification is accomplished by checking the address of the server sending the e-mail against a registered list of servers that the domain owner has authorized to send e-mail. This verification is automatically performed by the Internet service provider (ISP) or recipient's mail server before the e-mail message is delivered to the user. The result of the Sender ID check can be used as additional input into the filtering tasks already performed by the mail server. When the sender has been authenticated, the mail server may consider past behaviors, traffic patterns, and sender reputation, as well as apply conventional content filters when determining whether to deliver mail to the recipient.
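
    The check described above, the connecting server's address tested against the list of servers a domain owner has authorized, is shown here as an added example that is not code from the original document or from Exchange. The record syntax (spf2.0/pra or v=spf1 with ip4, ip6 and all mechanisms, per RFC 4406 and RFC 4408) does not appear on this page; the records and addresses are constructed, and "needs-dns" is a label made up for this example.

```python
import ipaddress
import re

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")


def parse_record(txt):
    """Split a published policy record into (qualifier, name, value) terms."""
    fields = txt.split()
    if not fields:
        raise ValueError("empty record")
    version = fields[0].lower()
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        raise ValueError(f"not a Sender ID or SPF record: {fields[0]!r}")
    terms = []
    for field in fields[1:]:
        if MODIFIER.match(field):
            # Modifiers (redirect=, exp=) are kept with a trailing "=".
            name, _, value = field.partition("=")
            terms.append(("", name.lower() + "=", value))
            continue
        qualifier = "+"  # default qualifier when none is written
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        name, _, value = field.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def evaluate(txt, connecting_ip):
    """Return pass/fail/softfail/neutral for the connecting server's address.

    Mechanisms are tried left to right and the first match decides.
    Mechanisms that require further DNS lookups (a, mx, include, ...) are
    not resolved here; the function reports "needs-dns" instead of guessing.
    """
    ip = ipaddress.ip_address(connecting_ip)
    redirect = False
    for qualifier, name, value in parse_record(txt):
        if name == "redirect=":
            redirect = True          # only relevant if nothing else matches
        elif name.endswith("="):
            continue                 # other modifiers do not change the result
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            same_family = net.version == int(name[2]) == ip.version
            if same_family and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "needs-dns"
    return "needs-dns" if redirect else "neutral"


# Constructed sample records for a hypothetical sending domain.
STRICT_RECORD = ("spf2.0/pra ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                 "~ip4:198.51.100.0/24 -all")
OPEN_ENDED_RECORD = "spf2.0/pra ip4:192.0.2.0/24"
INCLUDE_RECORD = "v=spf1 include:_spf.example.test -all"

if __name__ == "__main__":
    for addr in ("192.0.2.55", "198.51.100.9", "203.0.113.5", "2001:db8::1"):
        print(f"{addr:15} {evaluate(STRICT_RECORD, addr)}")
```

    A "fail" or "softfail" result is what the Sender ID filtering options act on; a record with no closing all mechanism leaves unlisted servers at "neutral", which gives the receiver nothing to act on.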

    Content-Level Protection

    Ideally, spam should never reach the client layer. The reality is that some spam reaches users' desktop computers. One of the main reasons is that some legitimate e-mail messages, such as newsletters, often contain characteristics of spam, and it is therefore not desirable to set the filtering threshold so low that all suspicious messages are deleted. In addition, users might have individual preferences that a single set of enterprise-wide settings cannot meet.

    Exchange Intelligent Message Filter

    The initial filter through which incoming Internet e-mail must pass is Intelligent Message Filter, which runs on the Exchange Server 2003 SP2 gateway servers at the outermost edge of the messaging environment. Intelligent Message Filter uses the SCL, PCL (Phishing Confidence Level score, which is one of the factors that trigger final SCL assignments), and Sender ID framework built into Exchange Server 2003 SP2. Intelligent Message Filter categorizes certain message parts, performs heuristics-based message analysis, and assigns an SCL rating from 0 through 9 to each scanned message. The higher the rating a message receives, the greater the likelihood that the message is spam.

    Exchange Server 2003 SP2 incorporates the latest data and updates to Intelligent Message Filter. Improvements to the IMF and biweekly updates help ensure a continued focus on identifying spam and reducing false positives. These improvements include new capabilities in the fight against spam, including blocking phishing schemes. Phishing schemes attempt, through deception, to fraudulently solicit sensitive personal information by masquerading as legitimate Web sites.


    The Exchange Server 2003 SP2 environment can be configured to perform filtering actions on messages that have SCL ratings greater than the thresholds configured by administrators. Intelligent Message Filter uses two thresholds that are set in Exchange Server 2003 SP2: gateway threshold and store threshold.

    Outlook 2003 and Outlook Web Access Junk E-Mail

    Junk E-Mail Filter. Outlook 2003 uses state-of-the-art technology developed by Microsoft Research to evaluate whether a message should be treated as a junk e-mail message based on several factors, such as the time the message was sent and the content and structure of the message. The filter does not single out any particular sender or type of e-mail message. Instead, it uses advanced analysis to determine how likely it is to be thought of by the recipient as a junk e-mail message.

    By default, this filter is set to a low setting designed to catch the most obvious junk e-mail messages. Messages caught by the filter are moved to a special Junk E-mail folder for later access. If you want, you can make the filter more aggressive (perhaps mistakenly catching more legitimate messages), or even set Outlook 2003 to permanently delete junk e-mail messages as they come in. Learn more about the Junk E-Mail Filter.

    Safe Senders List. If an e-mail message is mistakenly marked as a junk e-mail message by the filter, you can easily add the sender of that message to your Safe Senders List. E-mail addresses and domain names on the Safe Senders List are never treated as junk e-mail messages, regardless of the content of the message. Contacts are trusted by default and messages from them will never be treated as junk e-mail messages. When your company uses Microsoft Exchange Server, messages from within the organization will also never be treated as junk e-mail messages. You can configure Outlook 2003 to accept only messages from the Safe Senders List, giving you total control over which messages you receive.

    Blocked Senders List. E-mail messages from certain e-mail addresses or domain names can easily be blocked by adding the senders to your Blocked Senders List. Messages from people or domain names on your Blocked Senders List will always be treated as junk e-mail messages, regardless of the content of the message.

    Safe Recipients List. An e-mail list or group that you are a member of can be added to your Safe Recipients List. Any messages sent to the e-mail addresses or domain names on this list will not be treated as junk e-mail messages, regardless of the sender or content of the message.

    AutoUpdate. You can update your Junk E-Mail Filter with periodic updates from Microsoft so you have the latest methods to block unwanted messages. Microsoft is committed to providing periodic updates of the Junk E-Mail Filter.

    Deployment and Management

    The ability to comprehend how each one of the methods within this framework functions and how the methods work together is the basic goal of Microsoft Exchange Server 2003 Anti-Spam Framework. When the scope of this framework is understood, the proper deployment and management of these technologies will enable midsize businesses to effectively fight spam in Microsoft Exchange Server environments. To help the fight against spam, users should be equipped with a basic knowledge of the subject to help manage the client computers in their environments. In addition, monitoring and troubleshooting Intelligent Message Filtering will be discussed as part of ongoing management.

    The following features need to be configured at both the Global Settings and the SMTP levels. User awareness is discussed at the end of the section.


    This section explains the step-by-step procedures for:

    Connection-level protection

    IP connection filtering

    Real-time block lists

    Protocol-level protection

    Recipient and sender blocking

    Sender ID

    Content-level protection

    Exchange Intelligent Message Filter

    Outlook 2003 and Outlook Web Access Junk E-Mail

    Connection-Level Protection

    Exchange Server 2003 supports connection filtering based on real-time block lists. This feature checks an incoming Internet Protocol (IP) address against a real-time block list (RBL) provider for categories you want to filter. If a match is found on the RBL provider list, SMTP issues a 550 5.x.x error in response to the RCPT TO command, and a customized error response is issued to the sender. You can use several connection filters, and prioritize the order in which each filter is applied.

    When you create a connection filter, you establish a rule that SMTP uses to perform a DNS lookup to a list provided by a third-party RBL service. The connection filter matches each incoming IP address against the block list provided by the third party. The RBL provider issues one of two responses:

    Host not found. This response indicates that the IP address is not present on its block list.

    127.0.0.x. This response is a response status code, which indicates that a match for the IP address was found in the list of offenders. The x varies depending on your provider.

    If the incoming IP address is found on the list, SMTP returns a 5.x.x error in response to the RCPT TO command (the SMTP command the connecting server issues to identify the intended message recipient).

    Providers of Real-Time Block Lists

    Because different providers of real-time block lists offer different types of lists and services, midsize businesses should carefully consider several providers before choosing one. Two known providers include Spamhaus at www.spamhaus.org and SpamCop at www.spamcop.net.

    Answers to the following questions might help in choosing an RBL provider:

    Quality of the list. Does anyone verify that a new IP address added to the list is actually a spammer? Can anyone add to the list?

    Security of the list. Does the list go through any security checks? Does anyone verify that no IP addresses were wrongly or maliciously added?

    Process for updating the list. What is the review process? If getting on the list is automated, getting off the list should also be automated after spamming stops. How quickly are lists updated?


    List transfer process. Does the provider allow complete or incremental Berkeley Internet Name Domain (BIND)-style transfers that are directly compatible with Windows DNS?

    Support from the block list provider. What level of support does the provider offer?

    IP Connection Filtering

    To configure IP connection filtering

    1. From within Exchange System Manager, expand the Global Settings container.

    2. Right-click Message Delivery and click Properties.

    3. Click the Connection Filtering tab.

    4. Decide whether to Accept, Deny, or make an Exception. Deny is selected in the following example.

    5. You can select either a Single IP Address or a Group of IP Addresses, as shown in the following screen shot.

    Real-Time Block Lists (RBL)

    To configure real-time block list functionality at the Global Settings level

    1. From within Exchange System Manager, expand the Global Settings container.

    2. Right-click the Message Delivery object, and then click Properties.


    3. Click the Connection Filtering tab.

    4. To create a connection filter rule, click Add (shown in the following screen shot).

    5. In the Display Name field, type a name for the connection filter.

    6. In DNS Suffix of Provider, enter the DNS suffix of the provider (for example, contoso.com).

    7. In Custom Error Message to Return you can type a custom error message to return to the sender if you wish. Leave this field blank to use the following default error message:

    has been blocked by

    A custom message can be generated using the following variables:

    %0. Connecting IP address

    %1. Rule name of the Connection Filter

    %2. The RBL provider

    For example, if you want your custom message to read:

    The IP address has been blocked by the following RBL provider.

    you would enter the following in Custom Error Message to Return:

    The IP address %0 was rejected by RBL provider %2.

    Note: Exchange will replace %0 with the connecting IP address and %2 with the RBL provider.


    8. To configure which return status codes received from the RBL provider you want to match in this connection filter, click Return Status Code. The following dialog box will display.

    9. Select one of the following options in the Return Status Code dialog box:

    Match Filter Rule to Any Return Code. This connection filter rule is matched to any return status code received from the provider service. This rule sets the default value that matches the connection filter to any return status.

    Examples:

    127.0.0.1. Blocklist

    127.0.0.2. Known Open Relay

    127.0.0.4. DialUp IP Address

    Match Connection Filter to the Following Mask. This connection filter rule is matched to return status codes received from the provider by using a mask to interpret them. Enter the mask you want to filter against according to the masks used by your providers.

    Examples:

    0000 | 0001. Blocklist

    0000 | 0010. Open Relay

    0000 | 0011. Open relay or Blocklist

    0000 | 0100. Dialup host

    0000 | 0101. Dialup or Blocklist


    0000 | 0110. Dialup or Open relay

    0000 | 0111. Dialup, Open relay, or Blocklist

    Match Filter Rule to Any of the Following Responses. This connection filter rule is matched to returned status codes received from the provider by using the specific values of the return status codes.

    10. Click OK.
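
    The lookup and return-code matching configured in the steps above can be modelled as follows; this is an added example, not code from the original document or from Exchange. Assumptions: the provider suffix rbl.example.test, the sample zone and the addresses are constructed; the query name uses the standard reversed-octet form of DNS block lists; %2 is filled with the DNS suffix; and the mask mode treats any masked bit set in the last octet as a match.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

Resolver = Callable[[str], Optional[str]]
STATUS_NET = ipaddress.IPv4Network("127.0.0.0/24")  # the 127.0.0.x answers


def rbl_query_name(ip: str, suffix: str) -> str:
    """Reversed IPv4 octets + provider suffix (standard DNS block list form)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix.strip(".")


def dns_resolver(name: str) -> Optional[str]:
    """Live lookup. None corresponds to the provider's 'Host not found'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


@dataclass(frozen=True)
class ConnectionFilterRule:
    display_name: str                 # %1 in the custom error message
    dns_suffix: str                   # %2 (assumption: suffix names the provider)
    error_template: str
    mode: str = "any"                 # "any", "mask" or "responses"
    mask: int = 0                     # bits of the last octet, for mode "mask"
    responses: Tuple[str, ...] = ()   # exact codes, for mode "responses"

    def matches(self, code: str) -> bool:
        addr = ipaddress.IPv4Address(code)
        if addr not in STATUS_NET:
            return False              # not a status code; do not block on it
        if self.mode == "any":
            return True
        if self.mode == "mask":
            # Assumption: any masked bit set in the last octet is a match.
            return (int(addr) & 0xFF & self.mask) != 0
        if self.mode == "responses":
            return str(addr) in self.responses
        raise ValueError(f"unknown match mode: {self.mode}")

    def format_error(self, ip: str) -> str:
        values = {"0": ip, "1": self.display_name, "2": self.dns_suffix}
        return re.sub(r"%([012])", lambda m: values[m.group(1)],
                      self.error_template)


def check_connection(ip: str, rules: Iterable[ConnectionFilterRule],
                     resolver: Resolver = dns_resolver) -> Optional[str]:
    """Return the rejection text of the first matching rule, else None.

    Rules are tried in the order given, mirroring filter priority.
    """
    for rule in rules:
        code = resolver(rbl_query_name(ip, rule.dns_suffix))
        if code is not None and rule.matches(code):
            return rule.format_error(ip)
    return None


# Constructed sample data: placeholder provider suffix, documentation-range
# addresses, and return codes taken from the examples in the procedure above.
SUFFIX = "rbl.example.test"
SAMPLE_ZONE = {
    "10.2.0.192." + SUFFIX: "127.0.0.2",    # 192.0.2.10   known open relay
    "7.100.51.198." + SUFFIX: "127.0.0.4",  # 198.51.100.7 dial-up address
}
TEMPLATE = "The IP address %0 was rejected by RBL provider %2."
ANY_RULE = ConnectionFilterRule("any-code", SUFFIX, TEMPLATE)
MASK_RULE = ConnectionFilterRule("relay-or-blocklist", SUFFIX, TEMPLATE,
                                 mode="mask", mask=0b0011)
DIALUP_RULE = ConnectionFilterRule("dialup-only", SUFFIX, TEMPLATE,
                                   mode="responses", responses=("127.0.0.4",))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.25"):
        for rule in (ANY_RULE, MASK_RULE, DIALUP_RULE):
            verdict = check_connection(ip, [rule], SAMPLE_ZONE.get)
            print(f"{ip:15} {rule.display_name:20} {verdict or 'accepted'}")
```

    Running the same addresses through all three rules shows why the match mode matters: the any-code rule rejects the dial-up address that the mask 0011 lets through, which is the false-positive trade-off to weigh when choosing a return status code option.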

    The Sender, Recipient, Intelligent Message Filtering, and Connection Filtering features must also be applied at the SMTP level for them to work properly. Complete the following steps to do so.

    To enable filtering features at the SMTP level

    1. Launch Exchange System Manager.

    2. Expand Servers.

    3. Expand the (of the e-mail server you wish to configure).

    4. Expand Protocols.

    5. Expand SMTP.

    6. Right-click Default SMTP Virtual Server and select Properties.

    7. In Default SMTP Virtual Server Properties, click Advanced.

    8. In Advanced, click Edit.

    9. In Identification, select the Apply Connection Filter check box to apply the filter that you previously set (shown in the following screen shot).


    Protocol-Level Protection

    After the SMTP message has advanced beyond the connection-level protection, the next layer of defense is at the SMTP protocol level. The SMTP dialog between the sending SMTP host and the receiving SMTP host is analyzed to verify that the sender and recipients are allowed, and to determine the sender's SMTP domain name.

    Recipient Filtering

    Use the Recipient Filtering feature to prevent the delivery of messages that are sent to particular recipient addresses.

    To configure Recipient Filtering

    1. Launch Exchange System Manager.

    2. Expand the Global Settings container.

    3. Right-click Message Delivery and select Properties.

    4. Click the Recipient Filtering tab.

    5. Select Filter recipients who are not in the Directory.

    6. Click Add, and then add the recipient address (shown in the following screen shot).

    Sender ID Filtering

    Use the Sender ID Filtering options to configure Sender ID actions. When you use these options, you can specify how the server should handle messages that failed Sender ID validation. The Sender ID feature is an industry standard that you can use to provide greater protection against unsolicited commercial e-mail (UCE) and phishing schemes.

    By default, Sender ID Filtering is set to Accept. However, you can enable the Sender ID filter behind the perimeter of your network. To do so, you specify the IP addresses of the servers in your internal network that you want excluded from Sender ID filtering.


    To configure Sender ID Filtering

    1. Launch Exchange System Manager.

    2. Expand the Global Settings container.

    3. Right-click Message Delivery and select Properties.

    4. Click the Sender ID Filtering tab.

    5. Select the desired Sender ID Filtering options (shown in the following screen shot).

    Content-Level Protection

    Content filtering in Exchange Server 2003 SP2 relies on Microsoft Research SmartScreen machine learning technology, which is incorporated into the Intelligent Message Filtering (IMF). Messages from the Internet arrive at the Exchange SMTP gateway and enter the Exchange Server Anti-Spam Framework. Previous layers of the Exchange anti-spam solution (connection, sender, and recipient filtering) block message submissions before actual message data is received. If a message successfully passes all of these previous filters, then the message body is received.

    IMF can make an accurate assessment of the probability that an incoming e-mail message is either a legitimate message or spam.


    Exchange Intelligent Message Filter

    Exchange Intelligent Message Filter is a very important component in combating spam. It is an SCL-compatible filter that provides advanced server-side message filtering designed specifically to combat the influx of spam. For specific information, see the Exchange Intelligent Message Filter Web site at http://go.microsoft.com/fwlink/?linkid=21607.

    To configure Exchange Intelligent Message Filter

    1. Launch Exchange System Manager.

    2. Expand the Global Settings container.

    3. Right-click Message Delivery, and then select Properties.

    4. Click the Intelligent Message Filtering tab.

    5. In Block message with an SCL rating greater than or equal to (shown in the following screen shot), select the rating level you desire.

    The SCL rating scale runs from 0 through 9. The higher the rating, the greater the likelihood that the message is spam.


    Outlook 2003 and Outlook Web Access Junk E-Mail

    Both Outlook 2003 and Outlook Web Access 2003 include features that can help protect users against spam. These features include the following:

    User-maintained block lists and safe lists. The block lists and safe lists used by both Outlook 2003 and Outlook Web Access are stored in the user's mailbox. Because both client programs use the same list, users do not need to maintain two versions.

    External content blocking. Outlook 2003 and Outlook Web Access 2003 make it more difficult for senders of junk e-mail messages to use beacons to retrieve e-mail addresses. Incoming messages that contain any content that could be used as a beacon trigger Outlook and Outlook Web Access to display a warning message, regardless of whether they actually contain a beacon. If users know a message is legitimate, they can click the warning message to download the content. If users are unsure about the message, they can delete it without triggering beacons that alert a sender of junk mail.

    Improved junk e-mail management. With Outlook 2003, users can create rules that search e-mail messages for specific phrases and automatically move messages containing these phrases from the Inbox to a specified folder (such as the Junk E-mail or Deleted Items folders). Users also have the option to permanently delete suspected junk e-mail instead of moving it to a specified folder.

    Junk e-mail filter. Outlook 2003 includes a junk e-mail filter that searches for common spam attributes. (These attributes are updated in conjunction with Office updates.) For each suspicious attribute, Outlook increments a counter. The greater the count for a given piece of mail, the more likely it is to be spam. Configure the level of junk e-mail protection you want in the Junk E-Mail Options dialog box.

    To configure the Outlook 2003 junk e-mail filter

    1. From within Outlook 2003, click Action in the menu bar.

    2. Select Junk e-mail and then Junk E-mail Options (shown in the following screen shot).


    3. The dialog box shown in the following screen shot will display, which allows users to choose the level of junk e-mail protection they want.


    To configure the junk e-mail filter in Outlook Web Access (OWA)

    1. Log in to your Outlook Web Access account.

    2. Click Options.

    3. Click Manage Junk E-Mail Lists.

    4. Select the appropriate feature from the View or Modify list (shown in the following screen shot).

    5. Add, Edit, or Remove sender e-mail addresses.

    Note: When users first begin using these junk e-mail features, or if they modify the options at any time, they should periodically check for messages that have been removed from the Inbox to ensure that valid messages have not been moved. Updates to the junk e-mail features in Outlook 2003 will be listed in the Office Update section of the Microsoft Office Online Web site at http://go.microsoft.com/fwlink/?LinkId=24393.

    Monitoring and Troubleshooting Intelligent Message Filter

    Monitoring and troubleshooting issues with the Microsoft Exchange Intelligent Message Filter can be done using Event Viewer and System Monitor. This section provides step-by-step information about how to monitor and troubleshoot.

    Using Event Viewer

    In Event Viewer, both the Application log and the System log contain errors, warnings, and informational events related to the operation of Exchange, the SMTP service, and other applications. To help identify the cause of Intelligent Message Filter problems, carefully review the data contained in the Application log and System log. Intelligent Message Filter writes events to Event Viewer using the source MSExchangeTransport and the category SMTP Protocol.

    To find Intelligent Message Filter events using Event Viewer

    1. Click Start, point to All Programs, point to Administrative Tools, and then click Event Viewer.

    2. In the console tree, click Application Log.

    3. To sort the log alphabetically and quickly locate an entry for an Exchange service, click Source in the details pane (shown in the following screen shot).

    4. To filter the log to list entries for events logged for Intelligent Message Filter, click Filter on the View menu.

    5. In Application Log Properties, use the Event source list to select MSExchangeTransport.

    6. In the Category list, select SMTP Protocol.

    Using System Monitor and Performance Logs and Alerts

    Intelligent Message Filter has several performance counters that can be used to monitor its performance and operation.

    To use System Monitor and Performance Logs and Alerts

    1. Click Start, point to All Programs, point to Administrative Tools, and then click Performance.

    2. Highlight System Monitor, and then click the + button to add counters.


    3. In the Add Counters dialog box, under Performance Object, select MSExchange Intelligent Message Filter (shown in the following screen shot).

    User Awareness

    As with any other topic, whether it's fighting viruses, protecting workstations from unauthorized users, or combating spam, technology alone should not be the sole defense against threats or attacks. When they are educated, users can play a very significant role in helping to manage spam. Users should be instructed about how to avoid or filter unwanted e-mails within their Outlook environment.

    Such instruction should include:

    Never reply to e-mail requests for financial or personal information.

    Never provide passwords.

    Do not open suspicious e-mail file attachments.

    Do not respond to any suspicious or unwanted e-mails.

    Configure junk e-mail options in Outlook 2003 as described in the Outlook 2003 and Outlook Web Access Junk E-Mail section earlier in this document.

    Summary

    Many midsize businesses build a number of their critical business processes around the functionality of Microsoft Exchange Server 2003. A considerable amount of their day-to-day activities are dependent on the services that Exchange Server provides.

    The increased flow of junk e-mail continues to challenge midsize businesses. Not only is it a nuisance, but spam can strain networks and waste time, money, and other resources for individuals and businesses around the world.

    This document has shown that there are ways to reduce spam within Exchange Server 2003 environments. The Exchange Server 2003 Anti-Spam Framework combines spam protection approaches that provide sufficient flexibility for administrators and end users to help them reduce unwanted e-mail and increase their productivity levels.


    References

    You can download the Microsoft Exchange Server 2003 Anti-Spam Framework Overview from the Microsoft Download Center at http://download.microsoft.com/download/0/E/6/0E6A7113-DDA4-4FD7-AABA-B9E264700225/Anti-Spam.doc.

    The Better Protection Against Spam topic in the Exchange Server 2003 SP2 Overview is available at www.microsoft.com/exchange/evaluation/sp2/overview.mspx#antispam.

    Information about the Exchange Intelligent Message Filter (IMF) and updates for IMF are available from Microsoft TechNet at www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/imf/default.mspx.

    The white paper "Messaging Hygiene at Microsoft: How Microsoft IT Defends Against Spam, Viruses, and E-Mail Attacks" is available from Microsoft TechNet at www.microsoft.com/technet/itsolutions/msit/security/messaginghygienewp.mspx.

    The article "Exchange Server 2003 Real-Time Block Lists" is available on Microsoft TechNet at www.microsoft.com/technet/prodtechnol/exchange/2003/insider/Block_Lists.mspx.

    The Microsoft Knowledge Base article "How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003" is available at http://support.microsoft.com/default.aspx?scid=823866.
