This article discusses antivirus and anti-spam countermeasures including the use of the SCL
setting and the use of edge transport rules to manage viruses. It considers
anti-spam stamps and the phishing confidence level
(PCL). It looks at Sender Identity (ID), block
lists, and allow lists. The lesson discusses
Sender Policy Framework (SPF) records, the sender reputation list
(SRL), and the configuration of anti-spam agents.
Quarantined messages are placed in the spam quarantine mailbox, and this lesson
looks at how you specify this mailbox. The lesson also considers how you manage
updates for content filters. If you choose to use file-level antivirus scanners, you
can avoid the problems associated with such software by configuring exclusions. The
lesson looks at directory, process, and file exclusions.
You can configure Exchange Server 2010 to deal with spam and viruses on both Edge
Transport and Hub Transport servers. In the production environment, you would
typically block spam and viruses (as much as possible) on a perimeter network. Your
Edge Transport servers are the first to receive external email, and it is on these
servers that you should discard communication that is harmful to your
organization’s health. Cleaning your email traffic flow before it reaches the
internal network is a superior strategy to relying on mail filters and antivirus
software installed on desktop computers.
Although you can configure a Hub Transport server to deal with spam and
viruses—and you may have to if you suspect that some of these are internally
generated—not all the available anti-spam and antivirus transport agents
function on a Hub Transport server. Installing one or more Edge Transport servers in
a production organization typically results in a significant reduction in virus and
spam messages delivered to user mailboxes.
1. Configuring Anti-Spam Features
In Exchange Server 2010, incoming messages pass through a series of transport
agents before they are forwarded to user mailboxes. Each of these transport
agents concentrates on a different aspect of the incoming message, such as the
Internet Protocol (IP) address of the SMTP server where the
message originates, the sender’s address, or the likelihood that the
message is actually spam. The following built-in transport agents are installed
by default on an Edge Transport server:
Connection Filtering agent
Address Rewriting Inbound agent
Edge Rule agent
Content Filter agent
Sender ID agent
Sender Filter agent
Recipient Filter agent
Protocol Analysis agent
Attachment Filtering agent
Address Rewriting Outbound agent
You can view the transport agents in the order in which they are applied by
entering the following EMS command:
Get-TransportAgent
If the Microsoft Exchange Transport service is running and at least one
message has been sent through the system, the following command shows all the
enabled transport agents—and the SMTP events on which they are
registered—that have encountered messages in the transport pipeline
between the time when the Microsoft Exchange Transport service was started and
the time when the command runs:
Get-TransportPipeline
Only the transport agents that encountered a message are displayed using this
command.
1.1. Connection Filtering
You can enable the Connection Filter anti-spam agent and its associated
connection filtering features on an Edge Transport server. The agent filters
all messages that come through all Receive connectors on that server. Only
messages that come from nonauthenticated external sources—that is,
anonymous Internet sources—are filtered.
The Connection Filter agent enables the following features:
IP block list
IP allow list
IP block list providers
IP allow list providers
Each of these features can be enabled or disabled separately. By default,
the Connection Filter agent is enabled on Edge Transport servers. To disable
connection filtering using the IP allow list, you enter the following EMS
command:
Set-IPAllowListConfig -Enabled $false
To enable connection filtering using the IP allow list (assuming it has
been previously disabled), you enter the following EMS command:
Set-IPAllowListConfig -Enabled $true
To remove an IP allow list provider (for example, treyresearch.com) from
connection filtering configuration, enter the following EMS command:
Remove-IPAllowListProvider -Identity treyresearch.com
To disable connection filtering using the IP block list, you enter the
following EMS command:
Set-IPBlockListConfig -Enabled $false
To configure the Connection Filter agent to block an IP address if any IP
address status codes are returned by the IP block list provider
fabrikam.com, you enter the following EMS command:
Set-IPBlockListProvider -Identity fabrikam.com -AnyMatch $true
You can also disable connection filtering entirely by disabling the
Connection Filtering agent using the following command (note that you need
to confirm this action unless you use the -Confirm:$false
switch):
Disable-TransportAgent -Identity "Connection Filtering agent"
1.2. Managing Allow Lists and Block Lists
When an incoming message arrives on an Edge Transport server and
connection filtering is enabled, the IP address of the SMTP server that sent
the message is compared against IP allow and block lists. Action is then
taken, as shown in Table 1.
Table 1. Allow and Block List actions
| List Condition | Action |
|---|---|
| The forwarding SMTP server's IP address is on the allow list. | The message is forwarded to the Exchange organization. |
| The SMTP server's IP address is on the block list. | The message is dropped. |
| The SMTP server's IP address is not on either list. | The message passes through other anti-spam agents on the configured server. |
IP block and allow lists are also known as blacklists and whitelists,
respectively. Block lists are also known as real-time block lists (RBLs)
because they are queried each time mail arrives from a new IP address. They
can be configured by adding entries as the need arises. You can also
subscribe to IP block and allow list providers. In particular, third-party
IP block list providers are typically used by Exchange Server 2010
organizations. This allows a third-party organization to keep your list of
the IP addresses of malware senders up to date. IP block list providers
generate their lists based on spam reports and the spam that they have
received from SMTP servers located on the Internet.
Messages received from SMTP servers on the block list will always be
discarded, even if they also appear on the allow list. The only way to
receive email from an SMTP server on a block list is to remove it from the
block list. If you added the IP address to the block list during
configuration, you can remove it. If, on the other hand, it is obtained from
a block list provider, you may need to intercede with the block list
provider.
You can add IP addresses, IP subnets, or IP address ranges to the IP allow
list. Email messages from these sources will not be blocked by connection
filtering. You can also specify a list of IP allow list providers. These
providers supply IP addresses for your IP allow list.
The following EMS command adds the IP address 10.20.0.123 to the IP allow
list:
Add-IPAllowListEntry -IPAddress 10.20.0.123
Note that the Microsoft Exchange Transport service must be running on the
local Edge Transport server. Also, this command requires confirmation unless
the -Confirm:$false switch is used. The following EMS command adds the IP
address 10.20.0.125 to the IP allow list and configures it to expire on
February 2, 2011, at 11:00 AM:
Add-IPAllowListEntry -IPAddress 10.20.0.125 -ExpirationTime "2/2/2011 11:00"
Note:
In Exchange Server 2010, you can configure expiry for both IP allow
and IP block lists. In Exchange Server 2007, you could configure this
only for IP block lists.
The following EMS command adds the IP subnet 10.30.1.1/25 to the IP allow
list:
Add-IPAllowListEntry -IPRange 10.30.1.1/25
The following EMS command adds the IP range 10.20.20.100 through 10.20.20.200 to
the IP allow list:
Add-IPAllowListEntry -IPRange 10.20.20.100-10.20.20.200
To remove an address from the IP allow list, you need to specify its ID.
The most straightforward way of accomplishing this is to pipe the output of
the Get-IPAllowListEntry EMS cmdlet to the
Remove-IPAllowListEntry EMS cmdlet. For example,
the following command removes the IP address 10.20.0.123 from the IP allow
list:
Get-IPAllowListEntry -IPAddress 10.20.0.123 | Remove-IPAllowListEntry
You can use the IP allow list providers feature to determine whether the
Messaging server that initiated a connection is a host that can be relied on
not to send spam. The Connection Filter agent queries the specified IP allow
list provider services to determine if the source IP address of the message
is on the IP allow list.
The following EMS command adds a new IP allow list provider called Trey
Research Provider:
Add-IPAllowListProvider -Name "Trey Research Provider" -LookupDomain "treyresearch.com" -AnyMatch $true
Figure 1 shows the output from this command.
You can specify an order of preference for allow list providers. The
following EMS command configures the same IP allow list provider to be the
top preferred provider:
Set-IPAllowListProvider "Trey Research Provider" -Priority 1
The following EMS command removes the IP allow list provider Trey Research
Provider (note that this command requires confirmation):
Remove-IPAllowListProvider -Identity "Trey Research Provider"
You can add IP addresses, ranges, and subnets to an IP block list in the same way as you
can to an allow list. However, you would typically use a commercial IP block
list provider to manage your block list. The list of malware sources is
lengthy and changes frequently. The following EMS command adds the IP
address 10.50.4.127 to a block list:
Add-IPBlockListEntry -IPAddress 10.50.4.127
The following EMS command adds the IP subnet 10.0.100.1/24 to the IP block
list:
Add-IPBlockListEntry -IPRange 10.0.100.1/24
The following EMS command adds the IP range 10.40.150.120 through
10.40.150.179 to the IP block list:
Add-IPBlockListEntry -IPRange 10.40.150.120-10.40.150.179
As with allow lists, the easiest way to remove an address from the IP
block list is to pipe the output of the
Get-IPBlockListEntry EMS cmdlet to the
Remove-IPBlockListEntry EMS cmdlet. For example,
the following EMS command removes the IP address 10.50.4.127 from the IP
block list:
Get-IPBlockListEntry -IPAddress 10.50.4.127 | Remove-IPBlockListEntry
If you want to remove a range, specify an IP address that is within that
range for the IPAddress parameter of the
Get-IPBlockListEntry cmdlet. The following EMS
command removes the subnet 10.0.100.1/24:
Get-IPBlockListEntry -IPAddress 10.0.100.1 | Remove-IPBlockListEntry
If the IP block list providers feature is enabled on a computer, the
Connection Filter agent queries the specified IP block list provider
services to determine if the Messaging server that initiated the connection
is a host that is known to send spam. By default, this anti-spam feature is
only available on Edge Transport servers. The following EMS command adds a
new IP block list provider called “Trey Block List Provider” and
configures it to use bitmask matching for 127.0.0.1 (block messages from IP
addresses that are on the block list):
Add-IPBlockListProvider -Name "Trey Block List Provider" -LookupDomain treyresearch.com -BitMaskMatch 127.0.0.1
Figure 2 shows the output from this command.
The following EMS command configures the Trey Block List Provider service to use
a custom rejection response:
Set-IPBlockListProvider "Trey Block List Provider" -RejectionResponse "Your message was rejected because the IP address of the server sending your message is in the block list of the Trey Block List Provider service."
1.3. Content Filtering
Content filtering uses algorithms to assess the contents of a message and
provide a rating that indicates how likely the message is to be spam. How
the message is then treated depends on the threshold values that you set.
You can configure Exchange to drop any message that has even a minimal
likelihood of being spam, you can configure Exchange to reject only those
messages that are very likely to be spam, or (typically) you can choose
settings that filter out most spam but avoid false positives—that is,
filtering out valid messages that are not spam.
The search algorithms look for patterns within messages rather than merely
looking for specific words. These algorithms are updated on a regular basis
because spammers are continually attempting to get around detection
software.
Content filtering is enabled by default on an Edge Transport server only
for inbound, unauthenticated messages from the Internet, which are then
handled as external messages. The following EMS command disables content
filtering:
Set-ContentFilterConfig -Enabled $false
The following EMS command enables content filtering if it has previously
been disabled:
Set-ContentFilterConfig -Enabled $true
You can enable or disable content filtering specifically for internal and
external messages. By default, content filtering is enabled for external
messages and disabled for internal messages.
The following EMS command disables content filtering for external
messages:
Set-ContentFilterConfig -ExternalMailEnabled $false
The following EMS command enables content filtering for internal
messages:
Set-ContentFilterConfig -InternalMailEnabled $true
However, you should not (as a best practice) filter messages from trusted partners or
from inside your organization. When you run anti-spam filters, there is
always a risk that the filters detect false positives. To reduce the risk of
mishandling legitimate email messages, you should enable anti-spam agents to
run only on messages from potentially untrusted and unknown sources.
You can use the Set-ContentFilterConfig,
Add-ContentFilterPhrase, and
Remove-ContentFilterPhrase EMS cmdlets to modify
your content filtering settings. For example, you might want to block all
email messages whose subject lines contain the words “lose
weight” or “earn extra cash.” On the other hand, if you
work for an organization that, for example, manufactures bicycles, you might
want to allow email messages whose subject lines contain words such as
“bicycle,” “chain,” “wheel,”
“handlebars,” and so on.
You can use the Add-ContentFilterPhrase cmdlet to add
both allowed and blocked words and phrases. The value of the Influence
parameter determines if the word or phrase is allowed or blocked. For
example, the following EMS commands allow all messages that contain the word
“bicycle” and block all messages that contain the phrase
“earn extra cash”:
Add-ContentFilterPhrase -Phrase "bicycle" -Influence GoodWord
Add-ContentFilterPhrase -Phrase "earn extra cash" -Influence BadWord
Figure 3 and Figure 4 show the output from these commands.
Sometimes you do not want to apply content filtering to email messages
sent to a specific recipient or received from a specific sender. You can use
the Set-ContentFilterConfig EMS cmdlet to configure
both recipient and sender exceptions. For example, the following EMS command
creates an exception for the recipient [email protected] so that messages
sent to this recipient are not checked by the content filter agent:
Set-ContentFilterConfig -BypassedRecipients [email protected]
The following EMS command creates an
exception for the senders [email protected] and
[email protected] so that messages received from these senders are
not checked by the content filter agent:
Set-ContentFilterConfig -BypassedSenders [email protected],[email protected]
You can also bypass content filtering for all messages received from
specific domains. The following EMS command creates an exception for the
domain contoso.com so that messages received from this domain are not
checked by the content filter agent:
Set-ContentFilterConfig -BypassedSenderDomains contoso.com
The following EMS command creates an exception for the domain fabrikam.com
and all its subdomains and for the domain treyresearch.com:
Set-ContentFilterConfig -BypassedSenderDomains *.fabrikam.com,treyresearch.com
After analyzing the content of a message, the content filter assigns an
SCL rating to the message. How those messages are treated depends on the
configuration. You can use the Set-ContentFilterConfig
EMS cmdlet to configure SCL thresholds and actions. The Delete action takes
precedence over the Reject action, and the Reject action takes precedence
over the Quarantine action. Therefore, the SCL threshold for the Delete
action must be greater than the SCL threshold for the Reject action, which
in turn should be greater than the SCL threshold for the Quarantine
action.
For example, you may want messages that have an SCL rating of 5 or 6 to be
forwarded to the quarantine mailbox, messages that have an SCL rating of 7
or 8 to be rejected, and messages with an SCL rating of 9 to be deleted. The
difference between rejection and deletion is that the sender is informed
when a message is rejected. In the case of deletion, the sender receives no
response.
The following EMS commands enable the Delete action and set the
corresponding SCL threshold to 9, enable the Reject action and set the
corresponding SCL threshold to 7, and enable the Quarantine action and set
the corresponding SCL threshold to 5:
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5
Note that the command to enable the Quarantine action works only if a
quarantine mailbox has been specified, as described in the next section of
this lesson. If you enable the Reject action, you can customize the response
sent to the message originator when a message is rejected. The following EMS
command configures the content filter agent to send the rejection response
“Your message has been rejected because it was judged to be
spam”:
Set-ContentFilterConfig -RejectionResponse "Your message has been rejected because it was judged to be spam."
Note: MAXIMUM LENGTH OF REJECTION RESPONSE
Your rejection response should not exceed 240 characters.
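The SCL policy described in this section, as an added example that is not from the training kit: Test-SclPolicy and Set-SclPolicy are names chosen here. The script checks the three constraints the text states (Delete > Reject > Quarantine, a quarantine mailbox before enabling Quarantine, a rejection response of at most 240 characters) before it calls the real Set-ContentFilterConfig cmdlet once with all settings; it assumes it is run in the Exchange Management Shell, and the mailbox address in the sample call is constructed.

```powershell
function Test-SclPolicy {
    # Returns the list of problems found; an empty list means the policy is safe to apply.
    param(
        [int]$QuarantineThreshold,
        [int]$RejectThreshold,
        [int]$DeleteThreshold,
        [string]$QuarantineMailbox,
        [string]$RejectionResponse
    )
    $problems = @()
    foreach ($t in @($QuarantineThreshold, $RejectThreshold, $DeleteThreshold)) {
        # SCL ratings run from 0 through 9.
        if ($t -lt 0 -or $t -gt 9) { $problems += "SCL thresholds run from 0 through 9; $t is out of range." }
    }
    # Delete takes precedence over Reject, and Reject over Quarantine, so the thresholds
    # must be strictly ordered or the lower-precedence action can never fire.
    if (-not ($DeleteThreshold -gt $RejectThreshold -and $RejectThreshold -gt $QuarantineThreshold)) {
        $problems += "Thresholds must satisfy Delete ($DeleteThreshold) > Reject ($RejectThreshold) > Quarantine ($QuarantineThreshold)."
    }
    if ([string]::IsNullOrWhiteSpace($QuarantineMailbox)) {
        $problems += "The Quarantine action cannot be enabled without a quarantine mailbox."
    }
    if ($RejectionResponse.Length -gt 240) {
        $problems += "The rejection response is $($RejectionResponse.Length) characters; the maximum is 240."
    }
    return ,$problems
}

function Set-SclPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$QuarantineThreshold = 5,
        [int]$RejectThreshold = 7,
        [int]$DeleteThreshold = 9,
        [Parameter(Mandatory = $true)][string]$QuarantineMailbox,
        [string]$RejectionResponse = "Your message has been rejected because it was judged to be spam."
    )
    $problems = Test-SclPolicy -QuarantineThreshold $QuarantineThreshold -RejectThreshold $RejectThreshold `
        -DeleteThreshold $DeleteThreshold -QuarantineMailbox $QuarantineMailbox -RejectionResponse $RejectionResponse
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Error $_ }
        return
    }
    if ($PSCmdlet.ShouldProcess("Content Filter agent", "apply SCL policy Q=$QuarantineThreshold R=$RejectThreshold D=$DeleteThreshold")) {
        # One call sets the mailbox and all three actions, so nothing is left half-applied.
        Set-ContentFilterConfig -QuarantineMailbox $QuarantineMailbox `
            -SCLQuarantineEnabled $true -SCLQuarantineThreshold $QuarantineThreshold `
            -SCLRejectEnabled $true -SCLRejectThreshold $RejectThreshold `
            -SCLDeleteEnabled $true -SCLDeleteThreshold $DeleteThreshold `
            -RejectionResponse $RejectionResponse
        # Show the thresholds as the server now holds them.
        Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox, RejectionResponse
    }
}

# Constructed mailbox address; -WhatIf reports what would change without touching the server.
Set-SclPolicy -QuarantineMailbox "spamquarantine@contoso.com" -WhatIf
```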
1.4. Specifying a Quarantine Mailbox
If you enable message quarantine, you need to specify a quarantine
mailbox. This is a specially created mailbox to which all messages that meet
the SCL quarantine levels are forwarded. You should place the quarantine
mailbox in a separate mailbox database. If you are going to use quarantine,
you need to ensure that someone checks the quarantine mailbox on a regular
basis to see how much legitimate email and how much spam it contains. By
assessing the contents of the quarantine mailbox, you can determine whether
your SCL levels are correctly configured. You can also, when appropriate,
release legitimate messages to their intended recipients by using the Send
Again feature in Microsoft Office Outlook.
You can use the EMS but not the EMC to specify a quarantine mailbox. The
following EMS command sends all messages that meet the spam quarantine SCL
level to [email protected]:
Set-ContentFilterConfig -QuarantineMailbox [email protected]
The following EMS command ensures that all incoming messages that have an
SCL rating of 5 or higher are forwarded to the mailbox
[email protected] (unless other settings result in messages with
higher SCLs being rejected or deleted):
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 -QuarantineMailbox [email protected]
1.5. Recipient Filtering
Recipient filtering allows you to block messages based on whom they are sent to. This
technology is most often used to block messages sent to recipients that are
not listed in the global address list (GAL). Some spammers send messages to
common names at a particular address, hoping to get a hit. If recipient
filtering is enabled, messages will be forwarded from an Edge Transport
server to an internal Hub Transport server only if the recipient is listed
in the GAL. GAL information is stored within the Active Directory
Application Mode directory service. If this setting is not enabled, the Hub
Transport server will reject the invalid address.
When recipient filtering is enabled on a server, it filters all messages
that come through all Receive connectors on that server. Recipient filtering
is enabled by default on an Edge Transport server for inbound messages that
come from the Internet but are not authenticated.
The following EMS command disables recipient filtering:
Set-RecipientFilterConfig -Enabled $false
You can use the Set-RecipientFilterConfig EMS cmdlet
to manage recipient filtering. For example, the following EMS command
configures the recipient filter agent to block recipients on the Recipients
block list:
Set-RecipientFilterConfig -BlockListEnabled $true
You can use the BlockedRecipients parameter of the
Set-RecipientFilterConfig EMS cmdlet to add SMTP
addresses to the Recipient block list. If you want to specify multiple SMTP
addresses, you can separate them with commas. The following EMS command adds
the email addresses [email protected] and [email protected] to the
Recipient block list:
Set-RecipientFilterConfig -BlockedRecipients [email protected],[email protected]
However, you need to be careful when using this type of command. The SMTP
addresses that you specify replace the existing list of SMTP addresses. To
preserve the existing list, you can use a temporary Shell variable to add an
address to the Recipient block list. The following set of EMS commands uses
the temporary variable $Listing to hold the current list of SMTP addresses.
You add the new address [email protected] to the variable so that the existing
addresses are retained and the new address is added when the variable is
applied to the Recipient block list:
$Listing = Get-RecipientFilterConfig
$Listing.BlockedRecipients += "[email protected]"
Set-RecipientFilterConfig -BlockedRecipients $Listing.BlockedRecipients
The following EMS command blocks messages to recipients that do not exist
in your organization:
Set-RecipientFilterConfig -RecipientValidationEnabled $true
1.6. Sender Filtering and Sender ID
The Sender Filter agent is an anti-spam filter that is enabled by default
on Edge Transport servers. The agent relies on the MAIL FROM: SMTP header to
determine what action, if any, to take on an inbound email message. When
sender filtering functionality is enabled on an Edge Transport server, it
filters all messages that come through all Receive connectors on that
computer. You use sender filtering to drop messages on the basis of the
sender’s email address.
Sender filtering can be configured for a specific sender address or the
sender’s domain. For example, you can filter the sender address
[email protected] or filter all email messages that come from the
@adatum.com domain. Sender filtering is often used to block incoming email
from email domains that provide free addresses. It is also possible to
configure the blocked senders list to automatically block messages that have
no sender information.
The following EMS command disables sender filtering:
Set-SenderFilterConfig -Enabled $false
The following EMS command enables sender filtering if it has previously
been disabled:
Set-SenderFilterConfig -Enabled $true
You use the Set-SenderFilterConfig cmdlet to manage
sender filtering. You can configure two actions for messages whose sender
appears on the blocked senders list. These actions are the following:
The following EMS command configures the Sender Filter agent to block
messages from the specific email addresses [email protected] and
[email protected]:
Set-SenderFilterConfig -BlockedSenders [email protected],[email protected]
The following EMS command configures the Sender Filter agent to block
messages from the specific domain treyresearch.com:
Set-SenderFilterConfig -BlockedDomains treyresearch.com
The following EMS command configures the Sender Filter agent to block messages from the
northwindtraders.com domain and all its subdomains:
Set-SenderFilterConfig -BlockedDomainsAndSubdomains *.northwindtraders.com
The values that you specify by using the parameters such as
BlockedSenders, BlockedDomains, and BlockedDomainsAndSubdomains replace the
existing list of blocked senders. To preserve the existing list, you can use
a temporary Shell variable to add an address or domain to the blocked
senders list. The following EMS commands use the temporary variable $Listing
to add the sender [email protected] and the domain tailspintoys.com to the
blocked senders list:
$Listing = Get-SenderFilterConfig
$Listing.BlockedSenders += "[email protected]"
$Listing.BlockedDomains += "tailspintoys.com"
Set-SenderFilterConfig -BlockedSenders $Listing.BlockedSenders -BlockedDomains $Listing.BlockedDomains
The following EMS command configures the Sender Filter agent to block
messages that do not specify a sender in the MAIL FROM: SMTP header:
Set-SenderFilterConfig -BlankSenderBlockingEnabled $true
The Sender ID agent is an anti-spam agent enabled on Edge Transport
servers. The agent relies on the RECEIVED SMTP header and queries the
sending system’s DNS service to determine what action, if any, to take
on an inbound message.
Sender ID is designed to combat spoofing, which is the impersonation of a
sender and a domain. A spoofed email is a message that has a modified
sending address and appears as if it originates from a sender other than
its actual sender. Spoofed mails typically contain a From address that
purports to be from a reputable organization.
When you enable Sender ID in Exchange Server 2010, each message contains a
Sender ID status in the metadata of the message. When an email message is
received, the Edge Transport server queries the sender’s DNS server to
verify that the IP address from which the message was received is authorized
to send messages for the domain that is specified in the message headers.
The IP address of the authorized sending server is referred to as the
Purported Responsible Address (PRA).
Domain administrators publish SPF records on their DNS servers. SPF
records identify authorized outbound email servers. If an SPF record is
configured on the sender’s DNS server, the Edge Transport server
parses the SPF record and determines whether the IP address from which
the message was received is authorized to send email on behalf of the
domain specified in the message.
A very large proportion of phishing (identity theft) scams come from
spoofed domains that have spoofed sender email addresses. The Sender ID
Federation is an industry initiative to counter spoofed domains by
publishing SPF records. This enables suspected phishing sites to be
identified through PCL ratings, which are used by, for example, the
phishing filter built into Microsoft Internet Explorer.
The Edge Transport server updates the message metadata with the Sender ID
status based on the SPF record. After the Edge Transport server updates the
message metadata, it delivers the message as normal.
The Sender ID evaluation process generates a Sender ID status for the
message, which is used to evaluate the SCL rating. This status can be set to
one of the following values:
Pass: Both the IP address and PRA passed the Sender ID verification check.
Neutral: The published Sender ID data is inconclusive.
Soft fail: The IP address for the PRA may not be permitted.
Fail: The IP address is not permitted, no PRA is found in the incoming mail, or the sending domain does not exist.
None: No published SPF data exists in the sender's DNS.
TempError: A temporary DNS failure occurred (for example, an unavailable DNS server).
PermError: The DNS record is invalid. For example, there is an error in the record format.
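The SPF evaluation described above, as an added example that is not code from the training kit or from Exchange: Get-SenderIdStatus and Test-Ip4InNetwork are names chosen here. The function parses a v=spf1 record, tests the connecting IPv4 address against it, and maps the outcome to the status names in the list above; it evaluates only the ip4 and all mechanisms offline and returns TempError for mechanisms that would need DNS resolution. The record and addresses at the end are constructed.

```powershell
function Test-Ip4InNetwork {
    # True when $Ip falls inside $Network, given as "a.b.c.d" or "a.b.c.d/prefix".
    param([string]$Ip, [string]$Network)
    $parts = $Network -split '/', 2
    $prefix = if ($parts.Count -eq 2) { [int]$parts[1] } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in $Network" }
    $toNumber = {
        param([string]$Address)
        $addr = [System.Net.IPAddress]::Parse($Address)
        if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            throw "Not an IPv4 address: $Address"
        }
        $n = [long]0
        foreach ($b in $addr.GetAddressBytes()) { $n = $n * 256 + $b }
        $n
    }
    # Two addresses share a /prefix network when they lie in the same block of 2^(32-prefix) addresses.
    $block  = [long][math]::Pow(2, 32 - $prefix)
    $ipNum  = & $toNumber $Ip
    $netNum = & $toNumber $parts[0]
    return (($ipNum - ($ipNum % $block)) -eq ($netNum - ($netNum % $block)))
}

function Get-SenderIdStatus {
    # Evaluates an SPF record for the connecting IP and returns the Sender ID status name.
    param([string]$SpfRecord, [string]$ClientIp)
    if ([string]::IsNullOrWhiteSpace($SpfRecord)) { return 'None' }    # no published SPF data
    $terms = $SpfRecord.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { return 'PermError' }                 # not a valid SPF record
    $statusFor = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }
    for ($i = 1; $i -lt $terms.Count; $i++) {
        $term = $terms[$i]
        $qualifier = '+'                                                 # a bare mechanism means Pass
        if ('+-~?'.Contains($term.Substring(0, 1))) {
            $qualifier = $term.Substring(0, 1)
            $term = $term.Substring(1)
        }
        $mechanism = $term.ToLowerInvariant()
        try {
            if ($mechanism -eq 'all') { return $statusFor[$qualifier] } # catch-all decides the result
            if ($mechanism.StartsWith('ip4:')) {
                if (Test-Ip4InNetwork -Ip $ClientIp -Network $mechanism.Substring(4)) {
                    return $statusFor[$qualifier]
                }
                continue
            }
            # a, mx, ptr, exists, include, redirect and ip6 need DNS (or IPv6) evaluation,
            # which this offline example does not perform.
            if ($mechanism -match '^(a|mx|ptr)(:|/|$)|^(exists|include|ip6):|^redirect=') { return 'TempError' }
            if ($mechanism -match '^exp=') { continue }                  # explanation text only
            return 'PermError'                                           # unknown mechanism
        } catch {
            return 'PermError'                                           # unparsable address or prefix
        }
    }
    return 'Neutral'   # record ends without a match and without an all mechanism
}

# Constructed record and addresses for demonstration; not real DNS data.
$record = 'v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ~all'
Get-SenderIdStatus -SpfRecord $record -ClientIp '192.0.2.200'    # inside the /24
Get-SenderIdStatus -SpfRecord $record -ClientIp '203.0.113.9'    # matches nothing; ~all decides
Get-SenderIdStatus -SpfRecord '' -ClientIp '203.0.113.9'         # domain publishes no SPF record
```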
The Sender ID status is added to the message
metadata and is later converted to a Messaging Application Program Interface
(MAPI) property. The junk email filter in Office Outlook uses the MAPI
property during the generation of the SCL value.
The Sender ID evaluation process may reveal instances where the From IP
address is missing. If the From IP address is missing, the Sender ID status
cannot be set. In this case, Exchange Server 2010 continues to process the
message without including a Sender ID status on the message. The message is
not discarded or rejected, but an application event is logged.
You can define how an Edge Transport server handles messages that are
identified as spoofed mail and how it handles messages when a DNS server
cannot be reached. The available options include the following:
Delete: This option deletes the message without informing the sending system of the deletion. Instead, the Edge Transport server sends a fake OK SMTP command to the sending server and then deletes the message. Because the sending server assumes the message was sent, it does not retry sending the message.
Reject: The message is rejected, and an SMTP error response is returned to the sending server. The error response is a 5xx-level protocol response with text that corresponds to the Sender ID status.
Stamp the status: All inbound messages to your organization have the Sender ID status included in the metadata of the message. This is the default action.
The effectiveness of Sender ID in combating spoofing depends on specific
DNS data. The more organizations that update their Internet-facing DNS
servers by using an SPF record, the more effectively Sender ID identifies
spoofed email messages. To support the Sender ID infrastructure, you need to
update your Internet-facing DNS data by creating an SPF record and hosting
the SPF record on your public DNS servers.
You use the Set-SenderIDConfig cmdlet to configure
Sender ID options and actions. You may, for example, want to exclude
specific recipients and sender domains from Sender ID filtering, configure
actions for messages that are spoofed, and configure actions for transient
failures.
For example, the following EMS command configures the Sender ID agent to
reject any messages that were spoofed—these are messages where the IP
address of the sending server is not listed as an authoritative SMTP sending
server in the DNS SPF record for the sending domain:
Set-SenderIDConfig -SpoofedDomainAction Reject
You can also configure Sender ID action for transient errors. For example, it is
considered a transient error if a DNS server is unavailable when Exchange
attempts to verify the Sender ID for a sending domain. The following EMS
command configures the Sender ID agent to stamp the messages for which the
Sender ID status cannot be determined because of a temporary error—the
message is processed by other anti-spam agents, and the Content Filter agent
uses the mark when determining the SCL value for the message:
Set-SenderIDConfig -TempErrorAction StampStatus
You can set exceptions so that messages sent to a specific recipient or
received from a specific sender domain bypass the Sender ID check. For
example, the following EMS command configures the Sender ID agent to bypass
the Sender ID check for the recipients [email protected] and
[email protected]:
Set-SenderIDConfig -BypassedRecipients [email protected],[email protected]
The following EMS command configures the Sender ID agent to bypass the
Sender ID check for messages that are received from the domain
northwindtraders.com:
Set-SenderIDConfig -BypassedSenderDomains northwindtraders.com
However, the values that you specify by using the BypassedRecipients and
BypassedSenderDomains parameters replace the existing exceptions. To
preserve the existing listing of recipients or sender domains, you can use a
temporary Shell variable to add a recipient or domain to the exceptions
list. The following EMS commands use the temporary variable $Listing to add
the domain treyresearch.com to the list of domains for which you want to
bypass Sender ID check:
$Listing = Get-SenderIDConfig
$Listing.BypassedSenderDomains += "treyresearch.com"
Set-SenderIDConfig -BypassedSenderDomains $Listing.BypassedSenderDomains
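The "temporary variable" pattern used for the Recipient block list, the blocked senders list and the Sender ID exceptions above, generalized into one helper as an added example (not code from the training kit): Merge-FilterList and Add-FilterListEntry are names chosen here. The helper reads the current list from the matching Get-*Config cmdlet, adds only values that are not already present (compared case-insensitively), and writes the merged list back with the matching Set-*Config cmdlet, so an existing list is never replaced by accident. It assumes the Exchange Management Shell; the domains in the sample calls are constructed.

```powershell
function Merge-FilterList {
    # Returns the union of the current list and the new values, without duplicates.
    param([string[]]$Current, [string[]]$New)
    $seen = @{}
    $merged = New-Object System.Collections.Generic.List[string]
    foreach ($entry in @($Current) + @($New)) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $key = $entry.Trim().ToLowerInvariant()   # SMTP addresses and domains compare case-insensitively
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $merged.Add($entry.Trim())
    }
    return ,$merged.ToArray()
}

function Add-FilterListEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SenderFilter', 'RecipientFilter', 'SenderID')]
        [string]$Agent,                     # selects Get-<Agent>Config / Set-<Agent>Config
        [Parameter(Mandatory = $true)]
        [string]$Property,                  # e.g. BlockedSenders, BlockedDomains, BlockedRecipients, BypassedSenderDomains
        [Parameter(Mandatory = $true)]
        [string[]]$Value
    )
    $config = & "Get-${Agent}Config"
    if (-not $config.PSObject.Properties[$Property]) {
        throw "Get-${Agent}Config has no property named $Property"
    }
    # The list entries are SmtpAddress/SmtpDomain objects; keep their string form for merging.
    $current = @($config.$Property | ForEach-Object { $_.ToString() })
    $merged = Merge-FilterList -Current $current -New $Value
    if ($merged.Count -eq $current.Count) {
        Write-Verbose "Every value is already present in $Property; nothing to change."
        return
    }
    $setArgs = @{ $Property = $merged }     # splat so the property name can be chosen at run time
    if ($PSCmdlet.ShouldProcess("$Agent configuration", "Set $Property to: $($merged -join ', ')")) {
        & "Set-${Agent}Config" @setArgs
        (& "Get-${Agent}Config").$Property  # show the list as the server now holds it
    }
}

# Sample calls (constructed domain in the first; -WhatIf previews the change without applying it).
Add-FilterListEntry -Agent SenderFilter -Property BlockedDomains -Value 'tailspintoys.example' -WhatIf
Add-FilterListEntry -Agent SenderID -Property BypassedSenderDomains -Value 'treyresearch.com'
```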
Note:
ANTI-SPAM STAMPS
Sender ID, SCL, and PCL are also types of anti-spam stamps. You can
use anti-spam stamps as diagnostic tools to determine what actions to
take on false positives and on suspected spam messages that individuals
receive in their mailboxes. You can view anti-spam stamps in Office
Outlook, and you can generate an anti-spam report.
1.7. Sender Reputation
Sender reputation is used on Edge Transport servers to block messages
according to various sender characteristics. It relies on these
characteristics to determine the action to take on an inbound message. By
default, sender reputation processing is enabled on an Edge Transport server
for inbound messages that come from the Internet and are not authenticated.
Such messages are handled as external messages. The following EMS command
disables sender reputation for all messages:
Set-SenderReputationConfig -Enabled $false
The following EMS command disables sender reputation specifically for
external messages:
Set-SenderReputationConfig -ExternalMailEnabled $false
By default, sender reputation is disabled for internal messages. The
following EMS command enables sender reputation for internal
messages:
Set-SenderReputationConfig -InternalMailEnabled $true
An SRL is calculated from the following statistics:
Analysis of SCL ratings on messages from a particular sender
When the Content Filter agent processes a message, it assigns an SCL rating
to the message. Sender reputation calculates statistics about a sender
according to the ratio between previous messages from that sender that had a
low SCL rating and previous messages from the same source that had a high
SCL rating. In addition, the number of messages with a high SCL rating sent
in the past day is applied to the overall SRL.
Reverse DNS lookup
Sender reputation verifies that the originating IP address from which the
sender transmitted the message matches the registered domain name that the
sender submits in the HELO or EHLO SMTP command. It does this by performing
a reverse DNS query, submitting the originating IP address to DNS. Sender
reputation then compares the domain name returned by DNS to the domain name
that the sender submitted in the HELO/EHLO SMTP command. If the domain names
do not match, the sender is likely to be a spammer, and the overall SRL
rating for the sender is adjusted upward.
HELO/EHLO analysis
The HELO and EHLO SMTP commands provide the domain name or IP address of
the sending SMTP server to the receiving SMTP server. Spammers may attempt
to forge the HELO/EHLO statement, and analysis of this statement on a
per-sender basis may indicate that the sender is likely to be a spammer. For
example, a sender that provides many different unique HELO/EHLO statements
in a specific time period is more likely to be a spammer, as is a sender who
consistently provides an IP address in the HELO statement that does not
match the originating IP address as determined by the Connection Filter
agent.
Sender open proxy test
An open proxy is a proxy server that accepts connection requests and
forwards the traffic as if it originated from the local host. Proxy servers
relay Transmission Control Protocol traffic through firewalls to provide
user applications transparent access across the firewall. Proxies can also
be used to permit multiple hosts to share a single Internet connection.
Proxies are usually set up so that only trusted hosts inside the firewall
can cross through them. However, open proxies can exist because of
misconfiguration or malicious Trojan horse programs, and they can provide a
method for malicious users to hide their true identities and launch
denial-of-service attacks or send spam. When sender reputation performs an
open proxy test, it generates an SMTP request in an attempt to connect back
to the Edge Transport server through the open proxy. If an SMTP request is
received from the proxy, sender reputation verifies that the proxy is an
open proxy and updates the open proxy test statistic for that sender.
Sender reputation weighs each of these statistics and calculates an SRL
for each sender. The SRL is a number from 0 through 9 that predicts the
probability that a specific sender is a spammer or other type of malicious
user. A value of 0 indicates that the sender is most unlikely to be a
spammer; a value of 9 indicates that the sender very likely is a
spammer.
The following EMS command configures sender reputation to perform an open
proxy test for determining sender confidence:
Set-SenderReputationConfig -OpenProxyDetectionEnabled $true
The following EMS command configures sender reputation to add the IP
addresses of hosts that fail the open proxy test to the IP block
list:
Set-SenderReputationConfig -SenderBlockingEnabled $true -OpenProxyDetectionEnabled $true
Sender reputation is used to add SMTP servers to the IP block list for a
limited duration based on the characteristics of the messages sent. You can
configure an SRL block threshold at which sender reputation issues a request
to the Sender Filter agent to block the sender from sending a message into
your organization. A blocked sender is added to the blocked senders list for
a configurable time period. The following EMS command sets the SRL block
threshold to 5 (it is 7 by default) and configures sender reputation to add
offending senders to the IP block list for 48 hours:
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 5 -SenderBlockingPeriod 48
The following options are available for blocked messages:
If a sender is included in the Microsoft block list or the Microsoft IP
Reputation Service, sender reputation issues an immediate request to the
Sender Filter agent to block the sender. To take advantage of this
functionality, you must enable the Microsoft Exchange Anti-Spam Update
Service. By default, an Edge Transport server sets an SRL of 0 for senders
that have not been analyzed. After a sender has sent 20 or more messages,
sender reputation calculates an SRL that is based on the statistics returned
by analyzing these messages.
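The blocking settings described above are worth applying and then checking as a unit, since sender reputation writes its blocks into the same IP block list that administrators maintain by hand. The following is an added example, not code from the book: one function applies the threshold and blocking period and reads the configuration back, and a second lists the temporary entries sender reputation has created. It assumes an Exchange Management Shell session on an Edge Transport server and assumes that the IsMachineGenerated property of an IP block list entry distinguishes entries added by sender reputation from those an administrator added.

```powershell
# Added example (not from the book): configure sender reputation blocking and
# audit the block list entries it generates. Assumes an Exchange Management
# Shell session on an Edge Transport server.
function Set-SenderReputationBlocking {
    param(
        # SRL (0-9) at which a sender is handed to the Sender Filter agent;
        # the product default is 7, the text's example lowers it to 5.
        [ValidateRange(0, 9)]  [int] $BlockThreshold = 5,
        # Hours an offending sender stays on the IP block list; the parameter
        # accepts 0 through 48 and defaults to 24.
        [ValidateRange(0, 48)] [int] $BlockingHours  = 48
    )

    Set-SenderReputationConfig -Enabled $true `
                               -OpenProxyDetectionEnabled $true `
                               -SenderBlockingEnabled $true `
                               -SrlBlockThreshold $BlockThreshold `
                               -SenderBlockingPeriod $BlockingHours

    # Read back the stored values so the change can be confirmed or logged
    # rather than assumed.
    Get-SenderReputationConfig |
        Select-Object Enabled, OpenProxyDetectionEnabled, SenderBlockingEnabled,
                      SrlBlockThreshold, SenderBlockingPeriod
}

function Get-SenderReputationBlocks {
    # Entries that sender reputation adds are machine-generated and expire
    # after the blocking period (assumed property: IsMachineGenerated).
    # Administrator-added entries are left out so the two are not confused
    # when reviewing false positives.
    Get-IPBlockListEntry |
        Where-Object { $_.IsMachineGenerated } |
        Sort-Object ExpirationTime |
        Select-Object IPRange, ExpirationTime, Comment
}

# Usage: apply the settings from the text, then review what was blocked.
Set-SenderReputationBlocking -BlockThreshold 5 -BlockingHours 48
Get-SenderReputationBlocks
```

A sender that reaches the threshold by legitimate but bulk traffic will appear in the second list with an expiry time; removing it early is a matter of Remove-IPBlockListEntry on that entry rather than loosening the threshold for everyone.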
Microsoft Update for Anti-Spam Services
Exchange 2010 offers additional services to help keep anti-spam
components up to date through the Microsoft Update infrastructure.
Microsoft Exchange 2010 Standard Anti-Spam Filter Updates offer
anti-spam updates every two weeks.
The Microsoft Forefront Protection 2010 for Exchange Server Anti-Spam
Update service is a premium service that updates the content filter
daily via Microsoft Update. In addition, this service includes available
spam signature and IP Reputation Service updates on an as-needed basis
up to several times a day. Spam signature updates identify the most
recent spam campaigns. IP Reputation Service updates provide sender
reputation information about IP addresses that are known to send
spam.
To ensure that Forefront Protection 2010 for Exchange Server stays up
to date, you run the Enable Anti-Spam Updates Wizard, as shown in Figure 5. To use
Microsoft Update to update the Forefront Protection 2010 for Exchange
Server anti-spam definitions automatically, you select the Use Microsoft
Update To Help Keep Your Exchange Server Up-To-Date With Anti-Spam
Definition Updates check box.
You can also ensure that spam signature updates are downloaded
automatically by selecting Automatic under Enable Anti-Spam Updates and
selecting the Spam Signature Updates check box. You can ensure that the
Edge Transport server is kept up to date with information about IP
addresses that are known to forward spam by selecting Automatic under
Enable Anti-Spam Updates and selecting IP Reputation Updates. Both of
these options exist independently of updating Forefront Protection 2010
for Exchange Server’s anti-spam definitions using Microsoft
Update.
The Manual — Updates For This Server Will Be Applied Manually option
allows you to manually apply updates. This option also exists
independently of updating Forefront Protection 2010 for Exchange
Server’s anti-spam definitions using Microsoft Update.