Exchange Server 2007: Anti-Spam and Anti-Virus Safeguard


Microsoft has made major edge security updates to its current leading messaging server: the Exchange Server 2007.

Its predecessor, Exchange Server 2003, had limited protection against spam and viruses, which is a major issue for small to medium-sized businesses that host their own messaging servers. Exchange Server 2007 has made some key improvements in this area, and just in time.

Anti-Spam and Anti-Virus protection is carried out by the Edge Transport Server, formerly called the Gateway Server.

The Edge Transport Server is deployed as a stand-alone server providing a single point of contact to the outside (i.e. the Internet), which substantially decreases possible security holes affecting the inside network.

Multiple Edge Transport Servers can be deployed to provide fail-over redundancy and SMTP traffic load balancing for high-traffic messaging environments.

Protecting messaging services from spam, viruses and malware requires a multi-layered, multi-pronged and multi-faceted approach. Understanding the process that is applied to incoming and outgoing messaging data will help those of you who are technicians and administrators to deploy, maintain, and upgrade the components required to protect users and networks from these threats.

Anti-Spam and Anti-Virus is provided by several agents on the Edge Transport Server. These modules act on or filter messages as they are processed by the message transport components.



Inbound SMTP Sessions



Connection Filtering




Once the edge server is contacted by an outside server to initiate an SMTP session, connection filtering is applied to decide if the sending agent's IP address is hostile (blocked) or friendly (allowed). The IP address of the sending server is always available, as it is a basic component of the session connection. The IP address is filtered through the IP block/allow lists and via providers' block/allow lists. The result will either terminate the session or allow the message to continue to the next filtering stage.


Sender Filtering




Next, the "MAIL FROM:" is compared to a list of blocked senders or sender domains. This list is built up by the administrator of the network and contains senders which have been banned from sending email to the organization. The process described above repeats: if matched, the session is terminated; if not, the message continues on to the next filter.

Recipient Filtering




The "RCPT TO:" is compared to both an admin-defined blocked recipient list and the local accounts list. If the block list is matched, the session is terminated; if the message is not blocked and there is no local mailbox, the message can either be rejected or continue on to a general (catch-all) mailbox such as admin@domain or info@domain.

Sender ID




This filter is used to combat spoofed messages which would allow a hostile message to traverse the connection and sender filters. DNS servers are programmed with Sender Policy Framework (SPF) records which identify the outgoing mail servers for a specific domain. The Sender ID filter compares the message header with the SPF record and rates the message accordingly. Because this filter cannot explicitly determine whether a message is friendly or hostile, it is programmable to either allow or deny messages which have resulted in undetermined or failed Sender ID validation.

Content Filtering




This is where things get a little complicated. Content filtering is performed by proprietary technology programs which attempt to differentiate valid content from spam. You can equate content filtering of email to the process of speech recognition, or speech-to-text engines. Most content is correctly identified; however, there is always a margin of error and also a learning curve. Content filters need to constantly adapt to external changes and may work very well one week and not so well the next.

First the message is compared to five conditions: IP allow list, recipients not filtered, anti-spam bypass enabled, sender on safe senders list, and sender is on not filtered list. If any of these conditions is true, the message will bypass the content filter and the attachment filter and will be scanned for viruses. If the message does not match any of the five conditions, it is scanned by the content filter.

Content filtering on Exchange servers currently uses Microsoft's SmartScreen technology, which employs the Intelligent Message Filter. There are a few things about this technology that admins should be aware of. First, the filter requires constant updates, as advanced spamming techniques are introduced constantly. Second, although Microsoft claims that this technology is very accurate, it also has a built-in spam quarantine feature to temporarily hold messages identified as spam, just in case the filter has mistaken a valid email for spam.

The content filter also uses a safelist aggregation feature, which uses data from end users' anti-spam safe lists to determine if a message requires further scanning or is exempt from the content filter. The content filter applies a Spam Confidence Level (SCL) rating to the message. Depending on the SCL threshold levels, the filter will either silently delete the message, reject the message at the SMTP level, send the message to the spam quarantine mailbox, or pass the message to the next filter.
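The decision logic of the content-filter stage can be modelled as follows. This is an added sketch, not Exchange code or code from the original article: the function names, the threshold values, and the rule that actions are checked from most to least severe with "at or above threshold" triggering are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SclThresholds:
    # Hypothetical values for illustration; an admin sets these per organization.
    delete: int = 9
    reject: int = 7
    quarantine: int = 5

# The five bypass conditions listed in the article (key names are hypothetical).
BYPASS_CONDITIONS = (
    "ip_on_allow_list",
    "recipient_not_filtered",
    "antispam_bypass_enabled",
    "sender_on_safe_senders_list",
    "sender_not_filtered",
)

def bypass_reason(msg):
    """Return the first bypass condition that is true for msg, else None."""
    for cond in BYPASS_CONDITIONS:
        if msg.get(cond, False):
            return cond
    return None

def content_filter_action(msg, t=SclThresholds()):
    """Decide what the content-filter stage does with one message."""
    if bypass_reason(msg) is not None:
        # Skips content and attachment filtering but is still virus scanned.
        return "bypass_to_antivirus"
    scl = msg["scl"]
    # Assumption: most severe action first, so a high SCL is never
    # merely quarantined when it also meets the delete threshold.
    if scl >= t.delete:
        return "delete_silently"
    if scl >= t.reject:
        return "reject_at_smtp"
    if scl >= t.quarantine:
        return "quarantine"
    return "pass_to_next_filter"

# Constructed sample messages (not real traffic).
SAMPLES = [
    {"id": "newsletter", "scl": 2},
    {"id": "borderline", "scl": 5},
    {"id": "likely-spam", "scl": 8},
    {"id": "obvious-spam", "scl": 9},
    {"id": "partner-mail", "scl": 9, "sender_on_safe_senders_list": True},
]

def run_samples():
    return {m["id"]: content_filter_action(m) for m in SAMPLES}
```

Note the last sample: a safe-listed sender skips the SCL decision entirely even with a high score, which is why the article's later anti-virus stage still scans mail from allowed senders.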

Sender Reputation




Sender Reputation assigns a Sender Reputation Level (SRL) to a message, which is then compared to threshold levels set by the admin to determine how the message should be treated. Sender Reputation holds persistent data about individual senders, including HELO/EHLO analysis, reverse DNS lookup, SCL ratings and open proxy test. SR processes the messages at the "MAIL FROM" command only if the message has been acted upon by the Connection, Sender, Recipient, or Sender ID filters. The SRL will also be recalculated for a sender after the EOD command, as other anti-spam agents will have updated the persistent data.

Attachment Filtering




If there are any attachments associated with the message, the attachment filter compares the attachment file name, extension or MIME content type and can be programmed to either delete the message, strip off the attachment or pass the message.

Anti-Virus Scanning




Of course, all messages must be scanned for viruses, even if the message is from allowed senders. Exchange Server 2007 uses Microsoft's Forefront Security anti-virus package. Messages are scanned, and if a virus is detected the message is deleted and notification is sent to the recipient.

Finally, the message is sent to the recipient's mailbox, where Outlook's Junk Email Filter compares its assigned SCL to threshold levels and either sends it to the recipient's inbox or the junk mail box.

The complete article is available at Train Signal Training.