Sender Reputation, when combined
with the other antispam technologies in Edge Services, can help reduce
unwanted email very efficiently and effectively. Sender Reputation,
simply put, allows administrators to answer the question, “Can I trust
who sends us email, and if I can’t, why should I process it?” The Sender
Reputation Agent answers this question for you by learning from values
obtained in email messages to determine whether the source of the
messages is legitimate or if it is sending junk.
Configuring Sender/IP Reputation
Email that is
routed through Receive Connectors is processed by the Sender Reputation
Agent. These messages are received from the Internet and travel inbound
to the Edge Transport server for delivery to the recipient. The Sender
Reputation Agent is enabled by default and can be configured using the
Exchange Management Console or Exchange Management Shell.
Note
Changes described in
this section are applied only to the local system. This is important if
you have more than one Edge Transport server in your environment.
To disable the
Sender Reputation Agent using the Exchange Management Console,
right-click the agent icon in the action pane, and select Disable. To
disable the Sender Reputation Agent using the Exchange Management Shell,
run the Set-SenderReputationConfig command with the -Enabled
$false parameter:
Set-SenderReputationConfig -Enabled $false
The General tab of the
Agent Properties window displays a brief description of the agent and
its capabilities, its current status, and the last time the agent’s
settings were modified.
The Sender Reputation
Agent works by evaluating several items in email messages and then
assigning a score, known as the Sender Reputation Level (SRL). The SRL
works very similarly to the SCL assigned to messages themselves. The SRL
is assigned to the IP address from which the email messages
originate. The Sender Reputation Agent adds the IP address to the IP
Block List when the SRL corresponds with the tolerance threshold you
have set for this action. The SRL can be adjusted from 0 to 9. You can
also configure the amount of time (in hours, 0 to 48) the flagged IP
address should remain on your IP Block List.
The SRL for an IP
address is derived from the following four items: an open proxy test,
HELO/EHLO validation check, reverse DNS lookup, and SCL ratings derived
from messages received from the sending IP address. The Sender
Reputation Agent takes the cumulative results of these items into
account when composing the SRL.
An open proxy test
determines whether the receiving Edge Transport server can communicate
back to itself through the network on which the sending IP address
resides. Open proxies are easy to
establish and are commonly used by spammers to conceal the true identity
of the server sending email. When email messages are routed through an
open proxy, the information contained in the message changes to reflect
that of the local host—that is, the network on the “other side” of the
proxy server.
Note
Performing an open
proxy test is enabled by default. This setting can be changed on the
Sender Confidence tab of the Sender Reputation Properties window.
The HELO/EHLO SMTP
commands are another item often forged by spammers. Their purpose is to
provide the domain name or IP address from which the message originated.
Spoofing the From address, using the same domain in the To and From
fields, and forging the sending IP address are very common spam tricks.
A reverse DNS lookup is
performed to determine if the domain name registered with the sending IP
address is the same as that provided with the HELO/EHLO commands.
Note
Although there are a
couple of similarities, this is not the same as SenderID and the use of
SPF records.
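The comparison described above (HELO/EHLO name against the PTR name of the connecting IP) can be reproduced by hand when reviewing a suspicious sender. This is an added example, not code from the original text and not the agent's internal logic; the function name Test-HeloAgainstPtr, the PTR table and the sample sessions are constructed for illustration.

```powershell
# Added example: does the name given in HELO/EHLO match the PTR name of the connecting IP?
function Test-HeloAgainstPtr {
    param(
        [Parameter(Mandatory = $true)] [string] $RemoteIP,
        [Parameter(Mandatory = $true)] [string] $HeloName,
        # Injectable resolver so the check runs on constructed data; the default does a live PTR lookup.
        [scriptblock] $PtrResolver = { param($ip) [System.Net.Dns]::GetHostEntry($ip).HostName }
    )
    # Normalize: strip address-literal brackets, trailing dot, and case
    $claimed = ($HeloName.Trim() -replace '^\[|\]$', '').TrimEnd('.').ToLowerInvariant()
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($claimed, [ref] $parsed)) {
        # HELO carried an IP literal: the only meaningful comparison is with the connecting IP
        if ($parsed.Equals([System.Net.IPAddress]::Parse($RemoteIP))) { return 'LiteralMatchesIP' }
        return 'LiteralMismatch'
    }
    try { $ptr = & $PtrResolver $RemoteIP } catch { return 'NoPtrRecord' }
    if (-not $ptr) { return 'NoPtrRecord' }
    $ptr = "$ptr".TrimEnd('.').ToLowerInvariant()
    if ($ptr -eq $claimed) { return 'Match' }
    return 'Mismatch'
}

# Constructed PTR table and sessions (documentation address ranges), used instead of live DNS
$ptrTable = @{ '192.0.2.10' = 'mail.example.com'; '198.51.100.7' = 'host7.dynamic.example.net' }
$lookup = { param($ip) $ptrTable[$ip] }
$sessions = @(
    @{ IP = '192.0.2.10';   Helo = 'MAIL.example.com' },
    @{ IP = '198.51.100.7'; Helo = 'mail.example.com' },
    @{ IP = '203.0.113.5';  Helo = '[203.0.113.5]' },
    @{ IP = '203.0.113.9';  Helo = 'smtp.example.org' }
)
foreach ($s in $sessions) {
    $result = Test-HeloAgainstPtr -RemoteIP $s.IP -HeloName $s.Helo -PtrResolver $lookup
    '{0,-14} {1,-20} {2}' -f $s.IP, $s.Helo, $result
}
```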
The SCL of a message is
the last item taken into account by the Sender Reputation Agent when
calculating an SRL for a particular IP address. The Sender Reputation
Agent tabulates SCL scores obtained from messages previously received
from the same IP address.
Configuring the Sender Reputation Agent Using the Exchange Management Console
The Sender Reputation Agent
can be configured using the Exchange Management Console interface. To
configure the sender reputation from EMC, do the following:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. Double-click the Sender Reputation agent.
4. The General tab provides a quick overview of the Sender Reputation Agent, along with the last time the agent’s settings were modified.
5. The Sender Confidence tab allows you to enable (default) or disable the open proxy test. This typically remains enabled.
6. The Action tab allows you to set the block threshold for SRL on a scale of 0 to 9. (The default setting is 7, the maximum.)
7. The Action tab also allows you to configure how long (0 to 48 hours) the IP address should remain on the Edge Transport server’s IP Block List. (The default setting is 24 hours.)
8. Click Apply to save changes or click OK to save changes and close the window.
Configuring Sender Reputation Using the Exchange Management Shell
Sender
Reputation can also be configured through the Exchange Management Shell.
Each shell command has its own parameters you can set based on the
action(s) performed by the command. There are two commands: Get-
and Set-.
The Get-
command is used to retrieve the configuration of Sender Reputation. For
example, entering Get-SenderReputationConfig displays the Sender Reputation
configuration on the local system.
The Set-
command allows an administrator to enable or disable the agent and
modify the configuration of the agent. The following example enables
sender reputation on email received on external SMTP connections,
activates the open proxy detection test, and configures the blocking
options.
Set-SenderReputationConfig -Enabled $true -ExternalMailEnabled $true -OpenProxyDetectionEnabled $true -ProxyServerName proxy1.companyabc.com -ProxyServerPort 8080 -SenderBlockingEnabled $true -SenderBlockingPeriod 48 -SRLBlockThreshold 8
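Because these settings apply only to the local system, each Edge Transport server has to be checked separately for drift from the intended values. The following added example (not from the original text) compares a configuration object against a baseline built from the Set- command above. The function name Compare-SenderReputationBaseline and the server label are hypothetical, the sample object is constructed, and the property names are assumed to mirror the Set-SenderReputationConfig parameter names.

```powershell
# Added example: report settings that differ from a Sender Reputation baseline.
# Baseline values are the ones used in the Set-SenderReputationConfig example above.
$Baseline = @{
    Enabled                   = $true
    ExternalMailEnabled       = $true
    OpenProxyDetectionEnabled = $true
    SenderBlockingEnabled     = $true
    SenderBlockingPeriod      = 48
    SrlBlockThreshold         = 8
}

function Compare-SenderReputationBaseline {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Config,
        [Parameter(Mandatory = $true)] [System.Collections.IDictionary] $Expected,
        [string] $Server = $env:COMPUTERNAME
    )
    process {
        foreach ($name in $Expected.Keys) {
            $actual = $Config.$name
            # Compare as strings so $true/"True" and 48/"48" are treated alike
            if ("$actual" -ne "$($Expected[$name])") {
                New-Object PSObject -Property @{
                    Server = $Server; Setting = $name
                    Expected = $Expected[$name]; Actual = $actual
                } | Select-Object Server, Setting, Expected, Actual
            }
        }
    }
}

# Constructed sample standing in for Get-SenderReputationConfig output on one server
$sample = New-Object PSObject -Property @{
    Enabled = $true; ExternalMailEnabled = $true; OpenProxyDetectionEnabled = $false
    SenderBlockingEnabled = $true; SenderBlockingPeriod = 24; SrlBlockThreshold = 8
}
$sample | Compare-SenderReputationBaseline -Expected $Baseline -Server 'EDGE01 (constructed)'

# On an Edge Transport server, feed it the live configuration instead:
#   Get-SenderReputationConfig | Compare-SenderReputationBaseline -Expected $Baseline
```

Run it in the Exchange Management Shell on each Edge Transport server; an empty result means that server matches the baseline.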