Microsoft Small Business Server 2003 Spam Filtering
Unsolicited commercial email (UCE), generally known as spam, is a growing problem for companies and home users alike. A lot of time is spent sorting spam from legitimate mail, so an important task for any administrator responsible for the messaging and collaboration server is to implement an effective spam filtering system.
Exchange Server 2003 Service Pack 2 includes a number of features for filtering spam, which together reduce the time that has to be spent on it.
Because these features are part of Exchange Server 2003, they are available in every Small Business Server 2003 implementation as well.
In this article we take an in-depth look at these features and how to implement them.
Connection Level Protection
Protecting against spam at the connection level has been the best defense for years, because a connection that is rejected means the spam never enters the company’s network. This feature does nothing more than evaluate incoming SMTP connections for potential spam: if the connecting SMTP host is a well-known spammer, the connection can be dropped.
Exchange itself provides two ways of protecting at the connection level.
IP Connection Filtering
IP Connection Filtering is a configurable setting within Exchange Server 2003 that blocks SMTP connections outright based on IP addresses. It is a rudimentary method of protection because the connection filtering lists have to be maintained manually. In addition, you can explicitly allow specific SMTP connections as exceptions.
Figure 1: IP-Address Filtering
Real-Time Block Lists
Exchange Server 2003 adds a new and more dynamic way of providing connection level protection, called Real-Time Block Lists. These lists contain IP addresses that are known spam sources, open relays, or entire IP ranges of such hosts. They should not, however, include SMTP hosts on a provider’s dial-up ranges, because that would lead to thousands of emails sent by dial-up users being rejected.
Block list providers are third-party organizations that collect IP addresses of Internet SMTP hosts. When a host initiates an SMTP session with a subscriber of a block list service, the subscriber issues a DNS query to the block list provider’s DNS server containing the sending host’s IP address. The block list server’s answer tells the subscriber whether the connecting host is on the block list or not.
To enable this feature you have to install Exchange Server 2003 Service Pack 2. In earlier versions of Exchange Server 2003 only the directly connecting host was evaluated, not the original sending host, so a firewall or SMTP relay in between was the host that got checked and a spammer behind it went unnoticed. Service Pack 2 addresses this with perimeter IP lists and an internal IP range configuration in Exchange System Manager.
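The lookup described above, as an added illustration rather than code from the article or from Exchange: the sending host’s IP address has its octets reversed and is queried as a name under the provider’s DNS zone, and an answer inside 127.0.0.0/8 means the host is listed. The zone name, the DNS data and the hop chain are constructed placeholders, and the perimeter/internal-range handling is a simplified model of the SP2 behaviour, not Exchange’s actual implementation.

```python
import ipaddress
from typing import Callable, Optional, Sequence

# Constructed zone data standing in for a block list provider's DNS server.
# The zone name is a placeholder; a listed address resolves to 127.0.0.2,
# an unlisted address has no record at all.
CONSTRUCTED_ZONE = {"4.100.51.198.bl.example.invalid": "127.0.0.2"}

def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the octets of the sending host's IP and append the provider's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(client_ip: str, zone: str,
              resolve: Callable[[str], Optional[str]]) -> bool:
    """A host is listed when the query returns an address inside 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    return (answer is not None and
            ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"))

def sending_host(hops: Sequence[str], perimeter: Sequence[str],
                 internal: Sequence[str]) -> Optional[str]:
    """Choose which address to look up. hops[0] is the host that connected to
    Exchange, hops[1] the host before it, and so on. Addresses on our own
    perimeter list or inside our internal ranges are skipped, so a firewall or
    relay in front of Exchange is not the host that gets checked."""
    skip_hosts = {ipaddress.IPv4Address(h) for h in perimeter}
    skip_nets = [ipaddress.IPv4Network(n) for n in internal]
    for hop in hops:
        addr = ipaddress.IPv4Address(hop)
        if addr in skip_hosts or any(addr in net for net in skip_nets):
            continue
        return str(addr)
    return None  # every hop was ours: nothing external to check

def offline_resolve(name: str) -> Optional[str]:
    """Stand-in for a real DNS lookup against the provider's zone."""
    return CONSTRUCTED_ZONE.get(name)

def should_drop(hops: Sequence[str], perimeter: Sequence[str],
                internal: Sequence[str], zone: str = "bl.example.invalid") -> bool:
    """Connection-level decision: drop when the real sending host is listed."""
    ip = sending_host(hops, perimeter, internal)
    return ip is not None and is_listed(ip, zone, offline_resolve)

if __name__ == "__main__":
    # Constructed chain: our firewall 203.0.113.7 connected to Exchange on
    # behalf of 198.51.100.4, which the block list provider has listed.
    print(should_drop(["203.0.113.7", "198.51.100.4"],
                      perimeter=["203.0.113.7"], internal=["10.0.0.0/8"]))
```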
Figure 2: Block List Filtering (1)
Figure 3: Block List Filtering (2)
Figure 4: Block List Filtering (3)
Figure 5: Block List Filtering (4)
Protocol Level Protection
Protocol level protection is the next layer of defense against spam, working at the SMTP protocol level. The SMTP conversation between sending and receiving hosts is analyzed to verify that the sender and the recipient are allowed.
Recipient and Sender Blocking
The first way of providing protocol level protection is to define individual senders or domains from whom you do not want to accept messages (also known as white and black lists). Exchange Server 2003 can also be configured to block blank sender addresses and to filter out recipients that do not exist in Active Directory.
This blocking method prevents the directory harvesting attack (DHA). In this attack, a large number of RFC 2821 RCPT TO: commands are sent to the Exchange Server in search of valid email addresses. When Exchange detects an email sent to a non-existent recipient, it returns an “Unknown user” response, which tells the sender which addresses are valid. Spammers can then sell the valid email addresses or use them as recipients for unsolicited mail. This threat can be mitigated with the tarpitting method provided by Windows Server 2003 Service Pack 1, which allows the administrator to insert a configurable delay before an SMTP protocol response is returned.
Figure 6: Sender Filtering
Figure 7: Recipient Filtering
One of the newest additions to the Exchange Server 2003 anti-spam features is Sender ID filtering, which comes with Exchange Server 2003 Service Pack 2. Sender ID attempts to verify that the sending host is approved to send messages for the SMTP domain.
Two parts need to be in place for Sender ID to work. The first is a well-known DNS record, the Sender Policy Framework (SPF) record, which defines which servers are allowed to send SMTP mail for the domain. The other is an SMTP host that supports Sender ID.
Sender ID filtering can greatly reduce UCE if the sending domains have SPF records registered in DNS, but domains that do not have SPF records may encounter problems.
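A simplified SPF evaluation, added here as an illustration of what the DNS record above expresses; it is not the article’s code and not Exchange’s Sender ID implementation (which also applies the purported responsible address logic). The domains and DNS records are constructed placeholders, and only the ip4, a, include and all mechanisms are handled.

```python
import ipaddress
from typing import Dict, List

# Constructed DNS data (placeholder domains) standing in for real TXT and A
# lookups; in production the records come from the sending domain's DNS.
CONSTRUCTED_TXT: Dict[str, str] = {
    "example.invalid": "v=spf1 ip4:203.0.113.0/24 a:mail.example.invalid "
                       "include:relay.example.invalid -all",
    "relay.example.invalid": "v=spf1 ip4:198.51.100.25 ~all",
}
CONSTRUCTED_A: Dict[str, List[str]] = {"mail.example.invalid": ["192.0.2.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the sending host's IP.
    Returns pass, fail, softfail, neutral, permerror, or none (no record).
    Only the ip4, a, include and all mechanisms are implemented here."""
    record = CONSTRUCTED_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # the case the article warns about
    if depth > 10:
        return "permerror"     # runaway include: chain
    ip = ipaddress.IPv4Address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"        # mechanisms without a prefix mean "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.IPv4Network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in CONSTRUCTED_A.get(arg or domain, [])
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue           # mx, ptr, exists: not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # no mechanism matched and no "all" term

if __name__ == "__main__":
    for ip in ("203.0.113.55", "192.0.2.10", "198.51.100.25", "198.51.100.99"):
        print(ip, check_spf("example.invalid", ip))
    print("nospf.invalid", check_spf("nospf.invalid", "203.0.113.55"))
```

A result of "none" is what a domain without an SPF record produces; the administrator decides how Exchange treats that case, whereas "fail" identifies a host the domain owner has explicitly not authorized.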
Figure 8: Sender-ID Filtering
Content Level Protection
The next option for filtering spam is content level protection, which means analyzing the message content itself for common clues that indicate unsolicited email.
Exchange Intelligent Message Filter
With Exchange Server 2003 Service Pack 2, Microsoft provides a content filter called Exchange Intelligent Message Filter (IMF). It is based on patented machine-learning technology from Microsoft Research. This SmartScreen technology is already used by MSN, Microsoft Hotmail and Microsoft Office Outlook 2003, where it is called Junk E-mail Filtering.
Intelligent Message Filter was designed to classify messages as spam or non-spam based on the characteristics of each email message.
IMF assigns a Spam Confidence Level (SCL) to each message and then evaluates it against two configured thresholds:
Gateway blocking threshold: messages at or above it can be archived, deleted, rejected, or left untouched (no action).
Store junk email threshold: messages at or above it are moved to the user’s Junk E-mail folder.
IMF can provide anti-phishing filtering, too. It can be tuned in detail using the “Custom Weighting” feature, which is implemented through an XML file named MSExchange.UceContentFilter.xml that has to be saved in the same directory as the IMF .dll and .dat files on your Exchange Server. IMF updates can be deployed using Windows Server Update Services (WSUS).
Figure 9: Intelligent Message Filtering
Outlook 2003 and Outlook Web Access Junk E-Mail
The last step in filtering spam takes place on the Outlook client itself, using the anti-spam feature called Junk E-mail Filtering. It first uses the SCL information assigned by IMF; in addition it has its own filtering, where each user can maintain personal white and black lists.
If you implement all of these UCE filtering features, you have a good chance of reducing spam to a bare minimum, and you will be able to spend your time on more important work rather than dealing with spam emails. And the great thing is that all of these features are available with Small Business Server 2003, too.
If you still have any questions on implementing and configuring, please do not hesitate to contact me.