Messaging Hygiene in SBS 2008
[Today's post comes to us courtesy of Shawn Sullivan]
In Exchange 2007, anti-spam processing is performed by a series of Transport Agents. All Exchange 2007 anti-spam Transport Agents, except for Attachment Filtering, are enabled during SBS Setup. Because Attachment Filtering is only available on the Edge Transport role, SBS 2008 gives you the option to install a 120-day trial version of Forefront Security for Exchange during setup, which provides this service as well as anti-virus processing. Out of the box, SBS 2008 offers strong protection against spam while minimizing false positives. However, it is open to customization as determined by the needs of your organization.
The following is an example of the Exchange PowerShell command Get-TransportAgent from a default installation of SBS 2008:
NOTE: The Transport Rule Agent, Journaling Agent, and the AD RMS Prelicensing Agent are configured by default but do not perform anti-spam processing.
SBS 2008 also configures Exchange to automatically update the anti-spam Transport Agents from Microsoft Update. New versions are published every two weeks. This process occurs independently of WSUS.
IMPORTANT: In order to download update definitions for anti-spam, you are required to have either an Exchange 2007 Enterprise CAL for each user mailbox or a Forefront Security for Exchange license. If you have not purchased a Forefront Security for Exchange license before the 120-day trial period expires, your anti-spam agents will no longer be updated. You will be notified in both the Windows SBS console and the Forefront Security console when the trial has expired.
Anti-Spam Agents by Priority (First to Last)
Connection Filtering consists of the IP Allow List, Block List, and the online service provider for both. It is enabled by default, but the lists are blank. This is open for your customization. IP addresses that are explicitly allowed through this filter will bypass all subsequent anti-spam processing. Those that are blocked will be unable to submit email to the server.
To add entries to the IP Allow and IP Block List, expand Server Configuration > Hub Transport > Anti-Spam:
To add entries to the IP Allow and IP Block List Providers, expand Organization Configuration > Hub Transport > Anti-Spam:
For more information on adding providers, see http://technet.microsoft.com/en-us/library/bb124369.aspx
Content Filtering is responsible for stamping each email message that traverses the transport pipeline with a Spam Confidence Level (SCL) value, which ranges from -1 (trusted internal servers) to 9 (highest probability of spam). By default, messages that have an SCL of 7 or greater are rejected, which will inform the sender of the failure through a 550 5.7.1 error upon submission. No custom words or exceptions are configured by default; however, you may add these as needed. You may also change the SCL threshold and the action taken when it is met or exceeded:
Sender ID Filtering will query public DNS against every connecting SMTP server and check for the existence of a Sender Policy Framework (SPF) record. Essentially, SBS will use this record to compare the SMTP domain sent during MAIL FROM and the IP Address that the connecting SMTP server is using. If the IP address is not on the list of acceptable sending servers for the SMTP domain, the Sender ID Filter will stamp this failure on the message, which is then taken into consideration by the Sender Reputation Filter (see below):
For more information on the Sender Policy Framework, see http://www.microsoft.com/downloads/details.aspx?familyid=D8A174B1-697C-4AEA-9C92-2E70A013C30B&displaylang=en
To verify or create an SPF record for your domain, use the following wizard: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
Sender Filtering is set to block messages from blank senders by default. You may add individual senders or entire domains to this list as needed:
Recipient Filtering is set to block messages sent to recipients who are not in the Global Address List. Exchange will inform the sending SMTP server, upon the RCPT TO command, that the recipient is invalid. You may choose to add further recipients who are in the GAL to this list:
Sender Reputation Filtering (Protocol Analysis Agent) builds a confidence profile of each sending server based on the following tests:
- Passing or failing the Sender ID check
- Analysis of the EHLO/HELO statement for signs of forgery. This includes frequently changing domain names from the same IP, passing an IP address in the statement that does not match the connecting IP, or passing a domain name that appears to be in the same internal Exchange organization but is coming from a remote server.
- An SCL history of messages sent from a particular IP Address.
- A reverse DNS lookup is performed to determine if the PTR record for the connecting IP Address matches the domain name submitted during EHLO/HELO.
- An open relay test is performed by Exchange through the connecting SMTP server
All of this information is combined to form a Sender Reputation assignment level from 0 (minimum) to 9 (maximum). By default, sending IP addresses that meet or exceed 7 will be added to the IP Block List for 24 hours. If after 24 hours the sender is still flagged at 7 or higher, it will be added for another 24 hours.
Special consideration must be taken when your email is hosted at another location or processed by an SMTP gateway. The following post will explain the action you must take to prevent Sender ID/Sender Reputation from blocking the hosting IP addresses as they submit mail to your server: http://blogs.technet.com/sbs/archive/2008/11/24/how-to-setup-Anti-Spam-in-exchange-2007-when-using-a-mail-hosting-company.aspx
Forefront Security for Exchange Routing Agent details will be included in an upcoming blogpost.
How to Monitor Agent Activity
Dedicated logging for Transport Agent activity is kept in “%ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog”. There is no GUI reporting provided by Exchange for the data contained in these logs. However, you can view them in Notepad, Excel, or if you are feeling adventurous you can try Log Parser:
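One way to get a quick per-agent summary out of these logs without a GUI, shown here as an added example that is not part of the original post. It assumes PowerShell 2.0 or later and IPv4 endpoints; the function name `Get-AgentLogSummary` is hypothetical, and the sample lines (including the column names in the `#Fields:` header) are constructed for illustration. The parser reads the column names from whatever `#Fields:` header the real file carries.

```powershell
# Added example: summarise anti-spam agent activity from AgentLog text.
# Needs PowerShell 2.0+ (ConvertFrom-Csv). Get-AgentLogSummary is a made-up name.
function Get-AgentLogSummary {
    param([string[]]$Lines)

    # Take the column names from the log's own "#Fields:" header line.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw 'No #Fields: header found.' }
    $fields = $header.Substring('#Fields:'.Length).Trim().Split(',')

    # Skip blank and "#" comment lines, then parse the rest as CSV.
    $rows = $Lines | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $fields

    # Count events per (agent, action, remote IP), busiest first.
    $rows | ForEach-Object {
            $ip = ($_.RemoteEndpoint -split ':')[0]   # drop the source port (IPv4 assumed)
            New-Object PSObject -Property @{ Agent = $_.Agent; Action = $_.Action; RemoteIP = $ip }
        } |
        Group-Object Agent, Action, RemoteIP |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample lines. On the server, feed the real files instead:
#   Get-Content "$env:ProgramFiles\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog\*.log"
$sample = @(
    '#Software: Microsoft Exchange Server'
    '#Log-type: Agent Log'
    '#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData'
    '2009-01-12T14:02:11.000Z,08CB0000000000A1,192.168.16.2:25,203.0.113.7:4312,203.0.113.7,<m1@bulk.example>,offers@bulk.example,offers@bulk.example,user@contoso.example,1,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected,SclAtOrAboveRejectThreshold,8'
    '2009-01-12T14:03:40.000Z,08CB0000000000A2,192.168.16.2:25,203.0.113.7:4377,203.0.113.7,<m2@bulk.example>,offers@bulk.example,offers@bulk.example,user@contoso.example,1,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected,SclAtOrAboveRejectThreshold,9'
    '2009-01-12T14:05:02.000Z,08CB0000000000A3,192.168.16.2:25,198.51.100.20:2201,198.51.100.20,,a@sender.example,,nobody@contoso.example,1,Recipient Filter Agent,OnRcptCommand,RejectCommand,550 5.1.1 User unknown,RecipientDoesNotExist,'
)
Get-AgentLogSummary -Lines $sample | Format-Table -AutoSize
```

A remote IP that dominates the rejected rows is a candidate for the IP Block List; a legitimate partner that shows up there is a candidate for one of the bypass lists described later in this post.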
Junk Email and SCL Thresholds for Outlook
By default, the global SCL threshold for junk email for all Outlook users is 8 (NOTE: On SBS 2008, only Outlook 2000 SP3 and higher clients are allowed to connect to Exchange). However, any messages that receive a 7 or higher will be rejected by the Content Filter before they reach the mailbox. To display the current setting, use the Get-OrganizationConfig | fl SCLJunkThreshold command. To adjust this value between 0-9, use the Set-OrganizationConfig -SCLJunkThreshold <integer> command.
Individual SCL thresholds and actions can be configured at the per-mailbox level. Email that is not rejected, deleted, or quarantined by the Exchange Anti-Spam Agents can be further filtered by these settings. Options here are delete, reject, junk, or have the email quarantined. By default, this is not configured in SBS 2008 for any mailbox but is open for customization. Further information on adjusting these settings can be found here:
NOTE: To enable Outlook to quarantine messages, you must specify a quarantine mailbox for the organization. Run the Set-ContentFilterConfig -QuarantineMailbox <MailboxEmailAddress> command from the Exchange PowerShell. It is advisable to create a dedicated mailbox for this function so you can impose a retention policy on it.
To display the current settings for all mailboxes, use Get-Mailbox | ft Name, *SCL*
Whitelists and Safelists for Senders and Domains
Whitelisting can be configured at various points throughout Exchange. If the sending SMTP server’s IP address is not in the IP Allow List or listed as an internal SMTP server, it will be subject to Content Filtering, Sender ID, and Sender Reputation.
You can set individual whitelists on the Content and Sender ID filters. For Content Filtering, you can exclude individual senders (BypassedSenders) or entire domains (BypassedSenderDomains):
For Sender ID, you can exclude entire domains (BypassedSenderDomains) and recipients (BypassedRecipients).
NOTE: You cannot simply append entries to the whitelist in PowerShell. You must specify the entire list, separated by commas, in addition to the new entries.
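One way to add entries without losing the existing ones is to read the current list, merge, and write the complete list back. This is an added example, not part of the original post; the helper name `Merge-BypassList` and the two domains are hypothetical, and it must be run from the Exchange Management Shell.

```powershell
# Added example: extend the Content Filter domain whitelist without
# overwriting what is already there. Run in the Exchange Management Shell.
function Merge-BypassList {
    param([string[]]$Existing, [string[]]$ToAdd)

    # Keep existing entries first, normalise case, drop blanks and duplicates.
    $seen   = @{}
    $merged = @()
    foreach ($entry in @($Existing) + @($ToAdd)) {
        if ($entry -eq $null) { continue }
        $key = $entry.Trim().ToLower()
        if ($key -and -not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $merged += $key
        }
    }
    return $merged
}

# Hypothetical domains to whitelist.
$new = 'partner.example', 'supplier.example'

# Read the list as it stands today and flatten it to plain strings.
$current = @((Get-ContentFilterConfig).BypassedSenderDomains |
    ForEach-Object { $_.ToString() })

$full = Merge-BypassList -Existing $current -ToAdd $new

# Keep a copy of the old list so the change can be reverted.
"Before: $($current -join ', ')"
"After : $($full -join ', ')"

# Preview the change; remove -WhatIf to apply the complete list.
Set-ContentFilterConfig -BypassedSenderDomains $full -WhatIf
```

The same read, merge and write-back pattern applies to the other bypass lists named above. Every entry exempts mail from that filter, so review the "After" line before removing `-WhatIf`.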
You can also employ Safelist Aggregation to collectively pull individual Outlook safelist configuration from your users’ mailboxes for global use. This is an effective way to quickly obtain a detailed grassroots list of safe senders and reduce false positives. More information is here: