Exchange Server 2007: Anti-Spam and Anti-Virus Protection
Microsoft has made major edge security improvements in its new messaging server, Exchange Server 2007.
Its predecessor, Exchange Server 2003, had limited protection against spam and viruses, which is a major issue for small and medium-sized businesses that host their own messaging servers. Exchange Server 2007 has made some key improvements in this area, and just in time.
Anti-spam and anti-virus protection is carried out by the Edge Transport Server, formerly called the Gateway Server.
The Edge Transport Server is deployed as a stand-alone server providing a single point of contact to the outside (i.e. the Internet), which substantially reduces the number of possible security holes affecting the inside network.
The Edge Transport Architecture
Image courtesy of Microsoft.com
The diagram above illustrates how transport agents get incorporated into the Edge Transport architecture. At various stages of message processing, transport events take place to perform spam filtering, virus scanning, and other security tasks.
Multiple Edge Transport Servers can be deployed to provide fail-over redundancy and SMTP traffic load balancing for high traffic messaging environments.
Protecting messaging services from spam, viruses and malware requires a multi-layered, multi-pronged and multi-faceted approach. Understanding the process that is applied to incoming and outgoing messaging data will help those of you who are technicians and administrators to deploy, maintain, and upgrade the components required to protect users and networks from these threats.
Anti-spam and anti-virus protection is provided by several agents on the Edge Transport Server. These modules act on or filter messages as they are processed by the message transport components.
Inbound SMTP Sessions
Once the edge server is contacted by an outside server to initiate an SMTP session, connection filtering is applied to determine whether the sending agent's IP address is hostile (blocked) or friendly (allowed). The IP address of the sending server is always available, as it is a basic component of the session connection. The IP address is checked against the local IP Block and Allow lists and against the lists of any configured IP Block List and Allow List providers. The result will either end the session or allow the message to continue to the next filtering stage.
Next, the “MAIL FROM:” address is compared against the blocked senders and sender domains list. This list is built up by the administrator of the network and contains senders that have been banned from sending email to the organization. As before, if there is a match the session is terminated; if not, the message continues to the next filter.
The “RCPT TO:” address is compared against both an administrator-defined blocked recipients list and the list of local mail accounts. If the block list is matched, the session is terminated; if the recipient is not blocked but there is no matching local mail address, the message can be either rejected or delivered to a general (catch-all) mailbox such as [email protected] or [email protected]
The Sender ID filter is used to combat spoofed messages, which would otherwise allow a hostile message to traverse the connection and sender filters. DNS servers are configured with Sender Policy Framework (SPF) records which identify the outgoing mail servers for a particular domain. The Sender ID filter compares the message header with the SPF record and rates the message accordingly. Because this filter cannot explicitly determine whether a message is friendly or hostile, it can be configured to either allow or deny messages whose Sender ID validation is undetermined or has failed.
This is where things get a little complicated. Content filtering is performed by proprietary technology that attempts to identify or differentiate valid content from spam. You can equate content filtering of email to speech recognition in speech-to-text engines: most content is correctly identified, but there is always a margin of error and also a learning curve. Content filters need to constantly adapt to external changes and may work very well one week and not so well the next.
First the message is checked against five conditions: the sender is on the IP Allow list, the recipient is on the not-filtered recipients list, anti-spam bypass is enabled, the sender is on a safe senders list, or the sender is on the not-filtered senders list. If any of these conditions is true, the message bypasses the content filter and the attachment filter and goes straight to virus scanning. If the message meets none of the five conditions, it is scanned by the content filter.
Content filtering on Exchange servers currently uses Microsoft’s SmartScreen technology, which employs the Intelligent Message Filter. There are a few things about this technology that admins should be aware of. First, the filter requires constant updates, as new spamming techniques are introduced constantly. Second, although Microsoft claims that this technology is very accurate, it also has a built-in spam quarantine function to temporarily hold messages identified as spam, just in case the filter has mistaken a valid email for spam.
The content filter also uses a safelist aggregation feature, which uses data from end users’ anti-spam safe senders lists to determine whether a message requires further scanning or is exempt from the content filter. The content filter applies a Spam Confidence Level (SCL) rating to the message. Depending on the SCL threshold levels, the filter will either silently delete the message, reject the message at the SMTP level, send the message to the spam quarantine mailbox, or pass the message to the next filter.
Sender Reputation assigns a Sender Reputation Level (SRL) to a message, which is then compared to threshold levels set by the admin to determine how the message should be treated. Sender Reputation holds persistent data about individual senders, including HELO/EHLO analysis, reverse DNS lookup, SCL ratings and an open proxy test. Sender Reputation processes the message at the “MAIL FROM” command only after the message has been processed by the Connection, Sender, Recipient, and Sender ID filters. The SRL is also recalculated for a sender after the end-of-data (EOD) command, as the other anti-spam agents will have updated the persistent data by then.
If there are any attachments associated with the message, the attachment filter compares the attachment file name, extension or MIME content type against its list and can be configured to either delete the message, strip the attachment, or pass the message.
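The following Exchange Management Shell commands are an added example, not part of the original article, showing how an administrator would configure the Edge Transport agents in the order the article describes, from connection filtering through the SCL thresholds to the attachment filter. All IP addresses, domains, mailbox names and the DNS block-list provider are constructed placeholders.

```powershell
# Added example (not from the original article): configure the Edge Transport
# anti-spam agents in processing order. Addresses, domains, mailboxes and the
# provider name below are placeholders, not real values.

# 1. Connection filtering: static IP Allow/Block lists plus a DNS-based block-list provider.
Add-IPAllowListEntry -IPAddress 203.0.113.10                                    # trusted partner relay (placeholder)
Add-IPBlockListEntry -IPRange 198.51.100.0/24                                   # known-bad range (placeholder)
Add-IPBlockListProvider -Name "ExampleDNSBL" -LookupDomain "dnsbl.example.net"  # placeholder provider

# 2. Sender filtering on MAIL FROM: reject at the SMTP level rather than only stamping the message.
Set-SenderFilterConfig -BlockedDomainsAndSubdomains "spam.example" `
    -BlankSenderBlockingEnabled $true -Action Reject

# 3. Recipient filtering on RCPT TO: reject mail to non-existent mailboxes at the edge.
#    Recipient validation needs the recipient list replicated to the Edge server (EdgeSync).
Set-RecipientFilterConfig -BlockListEnabled $true -RecipientValidationEnabled $true `
    -BlockedRecipients "oldalias@example.com"

# 4. Sender ID: an SPF hard fail is treated as spoofing and rejected; a transient DNS
#    error only stamps the result so legitimate mail is not lost to a DNS hiccup.
Set-SenderIdConfig -SpoofedDomainAction Reject -TempErrorAction StampStatus

# 5. Content filter: the three SCL actions the article lists. Keep the thresholds in
#    descending order (delete > reject > quarantine); messages below the quarantine
#    threshold pass through to the next agent with their SCL stamped.
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -QuarantineMailbox "spamquarantine@example.com"

# 6. Sender reputation: block a sender for 24 hours once its SRL reaches the threshold,
#    and include the open-proxy test in the SRL calculation.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 `
    -SenderBlockingPeriod 24 -OpenProxyDetectionEnabled $true

# 7. Attachment filter: match by file name and by declared MIME type, strip rather than drop
#    the whole message so the recipient still sees the (now attachment-free) mail.
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType
Set-AttachmentFilterListConfig -Action Strip

# Verify the agents are enabled, their processing order, and the SCL settings that resulted.
Get-TransportAgent | Format-Table Identity, Enabled, Priority
Get-ContentFilterConfig | Format-List SCL*
```

Run these on the Edge Transport Server itself; the content-filter and Sender ID actions are the settings most worth reviewing after each SmartScreen update, since the thresholds decide which borderline mail is deleted outright versus held in quarantine.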
Of course, all messages must be scanned for viruses, even if the message is from an allowed sender. Exchange Server 2007 uses Microsoft’s Forefront Security anti-virus package. Messages are scanned, and if a virus is detected the message is deleted and a notification is sent to the recipient.
Finally, the message is delivered to the recipient’s mailbox, where Outlook’s Junk E-mail Filter compares the message’s assigned SCL to its own threshold levels and places it either in the recipient’s inbox or in the junk mail folder.