Fighting Spam in an Exchange Environment

Tzahi Kolber, IT Supervisor - Polycom Israel

What will we cover:
  • Problems and Concerns
  • How to Fight Spam
  • Exchange Server 2003 Anti-Spam Features
  • Exchange Server 2007 Anti-spam Features
  • How not to be blocked as spammers.

Problems and Concerns

  • Unwanted messages are the #1 concern
    • Risk to security and privacy and availability
    • Phisher scams, ID and information theft
      • Spoofing detected in 95% of phishing attacks
    • Unauthorized relay
    • Spam represents more than 60% of e-mail traffic
      • Hotmail blocks more than 1 billion messages every day
    • Viruses, Spyware, and Trojans (which can affect mobile devices too).

  • Low cost of entry, high profit, and anonymity
    • All the economics favor the spammer and phisher

Enterprise Requirements for Anti-Spam

  • False positives are primary concern
  • Block at the gateway whenever possible
    • User never sees it
    • Reduces impact on bandwidth.
    • Reduces the load on Exchange server resources (CPU, I/O, DB size…)
  • Administration
    • End-to-end solutions (including mobiles).
    • Easy to manage
    • Balance corporate and end-user control
Exchange Server 2003: Anti-Spam Features
  • Connection filtering: where it came from
  • Sender filtering: who sent it
  • Recipient filtering: who it is for
  • Microsoft Exchange Intelligent Message Filter: what it is about
  • Sender ID: Is the sender really the sender?
  • * Restricted Distribution Lists
Message Filtering in Exchange

[Diagram: the filtering components and where they sit. Labels: Deny Lists, Block Lists, Recipient Filter, Sender Filtering, Sender ID, Intelligent Message Filter, Information Store]

Message Filtering in Exchange

[Diagram: layered filtering funnel; the share blocked at each stage is not recoverable from the transcript]
  • Connection filtering: blocks a portion of all incoming SMTP connections
  • Sender and recipient filtering: blocks a portion of the remaining messages
  • Intelligent Message Filter: blocks a portion of the remaining messages
  • AV scanning
  • Outlook 2003 and Outlook Web Access junk e-mail: blocks a portion of the remaining messages

Message Mail Flow

[Diagram: mail flow from the gateway servers (Connection Filtering, Exchange IMF, Filter Action, Virus Scanning, Attachment Stripping / Attachment Blocking) through the mailbox servers (SCL Store, User Safe/Blocked lists, Antivirus and Attachments) to Outlook 2003 & Outlook Web Access with Desktop Anti-Virus]

Layer 1 - Connection Filtering
  • Check where the mail is coming from
    • Support for multiple Real Time Block List (also known as DNS Block List) providers
    • Global Accept and Deny Lists
    • Configurable exception list that overrides the RBL
    • Blocking by IP/subnet
Connection Filtering and SP2
  • Connection Filtering relies on getting the original sender's IP to run the DNS query on
  • SP2 introduces a new header-parsing algorithm (P2 header)
  • It looks for the first untrusted IP address among the sending SMTP servers
  • Admins need to configure the trusted internal IP gateway(s)
  • As a result, connection filtering can now perform filtering inside the perimeter.
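The two slides above describe the order of decisions in Layer 1: find the connecting IP (skipping the trusted internal gateway, as SP2 does), then apply the global accept list, the global deny list, and finally the block-list DNS query with its exception list. The following is an added example written for this page, not code from the presentation or from Exchange; the gateway address, the IP lists, the `dnsbl.example.net` zone and the `FAKE_DNS` answers are all constructed placeholders, and the exception list is modelled as recipient addresses that are exempt from block-list rejection.

```python
import ipaddress
import re

# Constructed configuration; addresses, zone and gateway are placeholders, not real hosts.
TRUSTED_GATEWAYS = ["10.0.0.5"]              # internal SMTP gateway the admin declares trusted (SP2)
GLOBAL_ACCEPT = ["203.0.113.9"]              # always accept, checked before everything else
GLOBAL_DENY = ["198.51.100.0/24"]            # always reject, checked before the RBL
RBL_EXCEPTIONS = {"postmaster@example.com"}  # recipients exempt from block-list rejection
RBL_ZONE = "dnsbl.example.net"               # placeholder block-list zone

# Constructed stand-in for DNS: a listed IP answers with a 127.0.0.x result code.
FAKE_DNS = {"66.2.0.192.dnsbl.example.net": "127.0.0.2"}

# Constructed Received: chain, newest hop first, as seen on a mailbox server
# after the message has crossed the trusted internal gateway.
SAMPLE_HEADERS = [
    ("Received", "from gw.example.internal [10.0.0.5] by mbx.example.internal; ..."),
    ("Received", "from mail.sender.example [192.0.2.66] by gw.example.internal; ..."),
    ("Received", "from client.sender.example [198.51.100.7] by mail.sender.example; ..."),
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """IPs from Received: headers in order, newest hop first."""
    ips = []
    for name, value in headers:
        if name.lower() == "received":
            m = RECEIVED_IP.search(value)
            if m:
                ips.append(m.group(1))
    return ips


def first_untrusted_ip(headers, trusted=TRUSTED_GATEWAYS):
    """Skip the configured internal gateways and return the first external hop."""
    for ip in received_ips(headers):
        if ip not in trusted:
            return ip
    return None


def rbl_query_name(ip, zone=RBL_ZONE):
    """Reverse the octets and append the zone: 192.0.2.66 -> 66.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def in_list(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def connection_filter(headers, recipient, resolve=FAKE_DNS.get):
    """Decision for one connection: accept list, deny list, then RBL with exceptions."""
    ip = first_untrusted_ip(headers)
    if ip is None:
        return ("accept", None)
    if in_list(ip, GLOBAL_ACCEPT):
        return ("accept", ip)
    if in_list(ip, GLOBAL_DENY):
        return ("reject-deny-list", ip)
    listed = resolve(rbl_query_name(ip)) is not None
    if listed and recipient.lower() not in RBL_EXCEPTIONS:
        return ("reject-rbl", ip)
    return ("accept", ip)


if __name__ == "__main__":
    print(first_untrusted_ip(SAMPLE_HEADERS))
    print(connection_filter(SAMPLE_HEADERS, "alice@example.com"))
    print(connection_filter(SAMPLE_HEADERS, "postmaster@example.com"))
```

Calling `first_untrusted_ip(SAMPLE_HEADERS, trusted=[])` shows the pre-SP2 problem: with no trusted gateway configured the first hop is the internal gateway itself, so the block-list query would be run on an internal address and never hit.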
Sender Filtering
  • Filters messages sent from particular e-mail addresses or domains
  • Message submission method is persisted
  • Optionally filter messages with blank senders
  • Optionally drop connection
  • Note: adding own domain to Sender Filter list may break list services
Recipient Filtering (Who It Is For)
  • Filter messages sent to particular e-mail recipients (valid or invalid)
  • No NDR because message is rejected at protocol level
  • Designed to combat directory harvesting attacks (tarpitting combats those too).
  • Related feature - Restricted distribution lists
    • Allow only authenticated users to send to a distribution list
    • Reduces impact of unsolicited e-mail sent to internal-only distribution lists
Layer 2 – SMTP Filtering
  • If the incoming connection passed through the Connection Filtering layer, the next in line is SMTP Filtering
  • Sender and Recipient Filtering
    • Sender: list of prohibited sender e-mail addresses, domains, and blank senders
    • Recipient: directory lookup and tarpitting
  • Sender ID Filtering
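The Sender Filtering, Recipient Filtering and Layer 2 slides above describe what happens at `MAIL FROM` and `RCPT TO`: blocked senders and blank senders are refused, unknown recipients are refused at the protocol level (so no NDR is generated), and each refusal is delayed by the tarpit interval. This added example replays an SMTP envelope through those checks; it is not code from the presentation or from Exchange. The blocked-sender lists, the directory of valid mailboxes, the reply texts and the 5-second tarpit are constructed, and the delay is returned as a number rather than slept so the example runs instantly.

```python
# Constructed configuration and directory; nothing here comes from a real deployment.
BLOCKED_SENDERS = {"spammer@example.org"}
BLOCKED_SENDER_DOMAINS = {"junk.example"}
REJECT_BLANK_SENDER = True
DIRECTORY = {"alice@example.com", "bob@example.com", "postmaster@example.com"}
TARPIT_SECONDS = 5  # returned instead of slept so the example runs instantly


def check_mail_from(envelope_from):
    """Sender Filtering at MAIL FROM. Returns (reply code, reply text, tarpit seconds)."""
    addr = envelope_from.strip("<>").lower()
    if addr == "":
        # blank (bounce) sender: optionally refused, as on the Sender Filtering slide
        if REJECT_BLANK_SENDER:
            return (554, "5.1.8 Blank sender not accepted", 0)
        return (250, "2.1.0 Sender OK", 0)
    domain = addr.rsplit("@", 1)[-1]
    if addr in BLOCKED_SENDERS or domain in BLOCKED_SENDER_DOMAINS:
        return (554, "5.1.0 Sender denied", 0)
    return (250, "2.1.0 Sender OK", 0)


def check_rcpt_to(recipient, directory=DIRECTORY, tarpit=TARPIT_SECONDS):
    """Recipient Filtering at RCPT TO: unknown recipients are refused in-protocol,
    so the sending server never receives a message to NDR, and the 550 is delayed
    by the tarpit interval so that guessing addresses becomes slow."""
    addr = recipient.strip("<>").lower()
    if addr in directory:
        return (250, "2.1.5 Recipient OK", 0)
    return (550, "5.1.1 User unknown", tarpit)


def smtp_session(envelope_from, recipients):
    """Replay one envelope through both checks; returns the reply transcript and
    the total tarpit delay the sending server would have waited."""
    transcript = []
    code, text, delay = check_mail_from(envelope_from)
    transcript.append((f"MAIL FROM:<{envelope_from}>", code, text))
    total_delay = delay
    if code != 250:
        return transcript, total_delay  # sender refused, no RCPT TO is evaluated
    for rcpt in recipients:
        code, text, delay = check_rcpt_to(rcpt)
        transcript.append((f"RCPT TO:<{rcpt}>", code, text))
        total_delay += delay
    return transcript, total_delay


if __name__ == "__main__":
    # a harvesting attempt: one real mailbox and several guesses
    guesses = ["alice@example.com", "aaron@example.com", "abby@example.com"]
    for line in smtp_session("attacker@example.net", guesses)[0]:
        print(line)
```

The total delay returned for the harvesting session is what makes the slide's point: every wrong guess costs the sender the full tarpit interval, while a legitimate sender addressing valid mailboxes is never delayed.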
Sender ID
  • Comes with SP2
  • Industry-standard framework
  • Fights e-mail domain spoofing.
  • Verify that each e-mail message originates from the Internet domain from which it claims to come based on the sending server's IP address.
  • See
Benefits of Sender ID
  • Protect sender’s brand and domain names from spoofing and phishing
    • Receivers validate the origin of mail
      • More input into spam filtering decision
    • By itself does NOT stop spam
How Does Sender ID Work?
  • Senders publish IP addresses of outbound email servers in DNS via SPF record
  • Receivers determine which domain(s) to check
    • “Purported responsible domain” derived from message body (RFC 2822 headers)
    • “Envelope From” domain (RFC 2821 Mail From)
  • Receivers query DNS for the outbound email servers of the chosen domain and perform domain spoofing test

Sender ID Framework

  • Message transits one to many email servers en route to receiver
  • Look up Sender’s SPF record in DNS
  • Determine PRA or Mail From check
  • Compare PRA to legitimate IPs in SPF record or Mail From check
  • Match → positive filter input
  • No match → negative filter input
  • One time: publish SPF record in DNS
  • No other changes required
  • E-mail sent as normal
  • Authenticates domains, not users
  • Validates the “last hop”, not end-to-end (cannot block e-mail arriving via a relay).
  • Spammers can register their own domains…
    • But this aids investigative efforts
    • Allows domain reputation to build; sooner or later the spammer is going to be caught.
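The "How Does Sender ID Work?" and "Sender ID Framework" slides describe the receiver's side: pick the domain to check (the Purported Responsible Address from the RFC 2822 headers, or the RFC 2821 MAIL FROM), fetch that domain's SPF record, and compare the connecting server's IP against it. This added example implements that check; it is not code from the presentation or from Exchange. The `FAKE_TXT` records, the sample headers and the IPs are constructed, the PRA is chosen by the Resent-Sender, Resent-From, Sender, From header order, and the evaluator only understands `ip4:` mechanisms and the `all` terminator (no `a`, `mx` or `include`), which is enough to show Pass, Fail, SoftFail, Neutral and None results.

```python
import ipaddress

# Constructed DNS TXT records for two placeholder domains; not real records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.10 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.5 ~all",
}

# Constructed message headers for a legitimate message from example.com.
SAMPLE_HEADERS = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net")]

# Header preference order used to derive the Purported Responsible Address (PRA).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")
RESULT_FOR_QUALIFIER = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def address_domain(value):
    """Domain part of 'Name <user@domain>' or 'user@domain'; None if no address."""
    addr = value[value.rfind("<") + 1:].rstrip(">").strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def purported_responsible_domain(headers):
    """PRA check: the first header present in PRA_ORDER names the responsible domain."""
    present = {name.lower(): value for name, value in headers}
    for name in PRA_ORDER:
        if name.lower() in present:
            return address_domain(present[name.lower()])
    return None


def mail_from_domain(envelope_from):
    """MAIL FROM check: domain of the RFC 2821 envelope sender; '<>' has none."""
    return address_domain(envelope_from)


def evaluate_spf(domain, client_ip, txt=FAKE_TXT.get):
    """Minimal SPF evaluation of ip4 mechanisms and the all terminator."""
    record = txt(domain) if domain else None
    if not record or not record.startswith("v=spf1"):
        return "None"  # no record published: nothing to compare against
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, include, exists, ... are not modelled in this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "Neutral"


def sender_id_check(headers, envelope_from, client_ip, scope="pra"):
    """Return (domain checked, result) for the PRA or MAIL FROM scope.
    client_ip is the address of the server that connected to us (the last hop)."""
    if scope == "pra":
        domain = purported_responsible_domain(headers)
    else:
        domain = mail_from_domain(envelope_from)
    return domain, evaluate_spf(domain, client_ip)


if __name__ == "__main__":
    print(sender_id_check(SAMPLE_HEADERS, "alice@example.com", "192.0.2.50"))
    print(sender_id_check(SAMPLE_HEADERS, "alice@example.com", "198.51.100.99"))
```

Because `client_ip` is always the last hop, a legitimate message forwarded through a third-party relay evaluates against the relay's address and fails, which is the limitation the slide notes; that is also why the result is filter input rather than a verdict on its own.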
Exchange Configuration
  • Set perimeter IP list

Define action

Set it on the SMTP virtual server

Layer 3 - Content Filtering
  • If a mail item gets through Recipient Filtering, it faces Content Filtering. Content Filtering in Exchange relies on Microsoft Research SmartScreen machine-learning technology incorporated into the Intelligent Message Filter (IMF).
  • IMF is now integrated into SP2 (the pre-SP2 version should be uninstalled before the SP2 upgrade).
  • Should be updated from Microsoft Update (not Windows Update!!!).

How it works
  • Examines messages and gives each an SCL value [0-9]
  • Two thresholds: Gateway and Store
  • Messages with a high SCL value are filtered at the gateway
    • MS IT: more than 30% filtered
    • Reduces impact on users and the rest of the infrastructure
  • Store-level spam filtering on the SCL is also possible
    • SCL is transferred as part of the EXCH50 blob
    • Exposing the SCL in Outlook
Messaging Hygiene Architectural Principles
  • Anti-spam MUST be done before anti-virus
  • Anti-spam SHOULD be done for inbound mail only
  • Anti-spam filtering SHOULD remove rather than quarantine
  • Anti-virus MUST be mail-direction aware
  • Anti-virus SHOULD remove rather than quarantine
  • Generate security notifications for infected inbound e-mail
  • Anti-virus and anti-spam systems MUST integrate with Exchange
Restricted Distribution Lists
  • Can accept e-mails only from authenticated users.
  • Benefit: cannot be used from outside to reach a large number of recipients.
  • Will not be accessible from Linux or other SMTP applications (non-authenticated users)
Exchange 2007 Anti-Spam Systems
  • Dedicated role / server – Edge server role.
  • * Attachment Filtering
  • * Edge Protocol Rules - filter known text patterns in malware carriers and drop the connection (Porn, Love, Linux….).
  • * Connection Filtering (a White List was added).
  • Sender and Recipient Filtering (including Tar Pitting)
  • Safe Sender List – as configured in Outlook 2003 / 2007.
  • Sender ID
  • IMF

* Items marked with an asterisk are additions relative to the anti-spam system in Exchange 2003

How NOT to be blocked as spammers.
  • Block SMTP (TCP/25) to the outside with the firewall.
  • Verify that you have a PTR record in DNS for the same address as the MX record (this avoids NDR errors such as 5.7.1 Access Denied too)
  • Don’t send e-mails with a blank subject or sender.
  • Avoid sending e-mails to more than 200 recipients in one e-mail.
  • Close your SMTP server to relaying.
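The PTR advice above is something an administrator can verify before the outside world does it for them. This added example checks, for an outbound IP, that a PTR record exists, that the PTR name resolves back to the same IP (forward-confirmed reverse DNS, an extra check beyond the slide's wording), and that the name and address agree with the domain's MX record as the slide recommends. It is not code from the presentation; `FAKE_DNS` is a constructed stand-in for real lookups, with `example.com` as a placeholder domain and documentation-range addresses.

```python
# Constructed DNS data for a placeholder domain; a real check would query DNS instead.
FAKE_DNS = {
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["203.0.113.25"],
    ("PTR", "25.113.0.203.in-addr.arpa"): ["mail.example.com"],
    # a second outbound host whose PTR points at a generic ISP name, not the MX host
    ("A", "badmail.example.com"): ["203.0.113.26"],
    ("PTR", "26.113.0.203.in-addr.arpa"): ["dyn-26.isp.example"],
    ("A", "dyn-26.isp.example"): ["203.0.113.26"],
}


def reverse_name(ip):
    """Reverse-lookup name for an IPv4 address: 203.0.113.25 -> 25.113.0.203.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def lookup(rtype, name, dns=FAKE_DNS):
    """Answer list for (record type, name); empty when nothing is published."""
    return dns.get((rtype, name), [])


def check_outbound_identity(domain, outbound_ip, dns=FAKE_DNS):
    """Return a list of findings; an empty list means PTR, forward A and MX all agree."""
    findings = []
    ptr_names = lookup("PTR", reverse_name(outbound_ip), dns)
    if not ptr_names:
        findings.append("no PTR record for outbound IP")
        return findings  # nothing further can be compared
    ptr = ptr_names[0]
    # forward-confirmed reverse DNS: the PTR name must resolve back to the same IP
    if outbound_ip not in lookup("A", ptr, dns):
        findings.append(f"PTR {ptr} does not resolve back to {outbound_ip}")
    # the slide's recommendation: the PTR should name the MX host of the sending domain
    mx_hosts = lookup("MX", domain, dns)
    mx_ips = {ip for host in mx_hosts for ip in lookup("A", host, dns)}
    if ptr not in mx_hosts:
        findings.append(f"PTR {ptr} is not one of the MX hosts {mx_hosts}")
    if outbound_ip not in mx_ips:
        findings.append(f"outbound IP {outbound_ip} is not an MX address of {domain}")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.26", "203.0.113.99"):
        print(ip, check_outbound_identity("example.com", ip) or "OK")
```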

Some Useful Links

Thank you!