Exchange 2007 Anti Spam Migration Tool


Introduction


Exchange Server 2003 introduced some native anti-spam capabilities that helped Systems Administrators to reduce unwanted commercial email (UCE), viruses and malware in general. These features included:



  • Real-Time Block List Service Provider Support
  • Global Deny and Accept Lists
  • Sender Filtering
  • Inbound Recipient Filtering
  • Improved Ability to Restrict Submissions to and Relaying on an SMTP Virtual Server
  • Integration with Outlook 2003 and Outlook Web Access Block and Safe Lists
  • Exchange Intelligent Message Filter (SP2)

Although these configuration settings are stored in Active Directory, they aren’t directly migrated to Exchange Server 2007 if you decide to implement this new version. But worry not, the Anti Spam Migration Tool can deal with this fairly huge amount of information. It reads these settings from Active Directory and converts them to the equivalent Windows PowerShell script, consisting of Exchange 2007 tasks, which can then be run on the Edge Transport or Hub Transport roles of Exchange Server 2007.


Read the following table for a list of the migration settings the tool supports.























Connection Filtering



  • Global Accept and Deny List Configuration – The tool converts accept and deny list entries to corresponding Exchange 2007 IPAllowListEntry and IPBlockListEntry tasks respectively. For each accept or deny list entry, there is an Add-IPAllowListEntry or Add-IPBlockListEntry task written to the output script.
  • Block List Service Configuration – The tool converts each block list service to corresponding Exchange 2007 Add-IPBlockListProvider task
  • Exception list to block list service rules – This is converted to BypassedRecipients parameter on the IPBlockListProvidersConfig object using Set-IPBlockListProvidersConfig task

Recipient Filtering



  • Filter recipients who are not in the directory – This is converted to RecipientValidationEnabled parameter on RecipientFilterConfig object using Set-RecipientFilterConfig task
  • Block messages that are sent to recipients – This is converted to BlockListEnabled and BlockedRecipients parameter on RecipientFilterConfig object using Set-RecipientFilterConfig task

Sender Filtering



  • Filter messages with blank sender – This is converted to BlankSenderBlockingEnabled parameter on SenderFilterConfig object
  • Drop connection if address matches filter – This is not converted as it is not supported in Exchange Server 2007
  • Archive filtered messages – This is not converted as it is not supported in Exchange Server 2007
  • Accept messages without notifying sender of filtering – This is not converted as it is not supported in Exchange Server 2007
  • Block messages from senders – This is converted to BlockedSenders, BlockedDomains, BlockedDomainsAndSubdomains and Action parameters on SenderFilterConfig object using Set-SenderFitlerConfig task.

Sender ID Filtering



  • Sender ID validation failure action – This is converted to SpoofedDomainAction parameter on SenderIdConfig object using Set-SenderIDConfig task

Intelligent Message Filtering



  • Gateway Blocking Configuration – This is converted to one of the three SCL thresholds and one of the three SCL enabled parameters on ContentFilterConfig object using Set-ContentFilterConfig task. For example, if the SCL threshold is set to 6 and the action is set to Delete, then the corresponding task is
    Set-ContentFilterConfig -SCLDeleteThreshold:6 -SCLDeleteEnabled:$true -SCLQuarantineEnabled:$false -SCLRejectEnabled:$false
  • Custom Weight Entries – In Exchange Server 2003, these entries are specified in an XML file MSExchange.UceContentFilter.xml which resides where the Intelligent Message Filter DAT file resides. In order to migrate these entries, the tool can be invoked with a switch that allows you to specify the location of this file. It then reads these entries and converts each of them to Add-ContentFilterPhrase task. 

General settings



  • Perimeter IP List and Internal IP Range Configuration – This is converted to InternalSMTPServers parameter on the TransportConfig object using Set-TransportConfig task
Table 1


Installation


Before installing the tool, ensure that you meet all the requirements:



  • Supported Operating Systems: Windows Server 2000, Windows Server 2003;
  • Microsoft .NET Framework 1.1 or higher;
  • The account under which this tool is run needs to have read rights to AD configuration container and read access to MSExchange.UCEContentFilter.xml.

Installing the tool is as easy as:



  1. Download Exchange 2007 Anti Spam Migration Tool
  2. Run Exchange2007AntiSpamMigration.msi, it will extract the tool and documentation to the target folder (by default C:\Program Files\Exchange2007AntiSpamMigration\)

The tool doesn’t add any icons to your start menu, so you’ll have to run it from the command line. The usage is as follows:


Exchange2007AntiSpamMigration [/f:<full path to custom words file>] [/o:<outputfile name>] [/?]


 /f:      Optional full path to MSExchange.UCEContentFilter.xml file. If not specified, custom words or phrases are not migrated.


 /o:      Optional output file name. If not specified, output is written to MigratedSettings.ps1 in current directory.


 /?       Displays usage.


Exporting Anti-Spam Settings


In order to test and run the tool, I had to populate the anti-spam settings of my Exchange 2003 environment, so I just added some values that could be migrated later. The next pictures illustrate the settings of the Exchange 2003 environment.



Figure 1: Perimeter IP List



Figure 2: Sender Filtering



Figure 3: Connection Filtering



Figure 4: Recipient Filtering



Figure 5: Intelligent Message Filtering



Figure 6: Sender ID Filtering


After filling the Exchange 2003 anti-spam settings with some random values, I just run the tool. The result is a PowerShell script as you can see in Figure 8.



Figure 7: Running the tool



Figure 8: Output file


In my test environment I only had one single Exchange Server 2007, with 3 roles: Client Access, Mailbox and Hub Transport.


Because Hub Transport servers only need to perform anti-spam functions when there is no Edge Transport server to perform this function, this is a feature that is not enabled by default (Figure 9). Adding this functionality to your Hub Transport servers is a pretty simple process. Just launch the Exchange Management Shell and in the Scripts folder that was created (C:\Program Files\Microsoft\Exchange Server\Scripts\install-AntispamAgents.ps1)), you will find a PowerShell script to install the Anti-spam agents.


Once you complete these steps, you will see the Anti-spam tab enabled in the Exchange Management Console (Figure 11).



Figure 9: Hub Transport without Anti-spam tab



Figure 10: Install Anti-spam Agents



Figure 11: Hub transport with Anti-spam tab


So, now that we have a Hub Transport server with anti spam agents enabled, we just have to run the output script from the Anti Spam Migration Tool (Figure 12). As you can see in the following figures, all the settings have been successfully imported.



Figure 12: Running the tool to import settings



Figure 13: Recipient Filtering



Figure 14: IP Block List Providers



Figure 15: Sender Filtering



Figure 16: Recipient Filtering


Conclusion


Exchange Server 2007 offers some advanced anti-spam features. If you’re transitioning from Exchange 2003 to the current version, you’ll find this tool of extreme value.


The output script in PowerShell will take into account most of the previous settings and it makes the migration a pretty straightforward process. As a curiosity, I can tell you that the Exchange organizations in the example I gave you weren’t even in the same forest, so one can assume that the tool will work for the most complex scenarios.


Related Links


A tool to migrate anti-spam settings from Exchange 2003 to Exchange 2007


Exchange 2007 Anti Spam Migration Tool


Approaches to Fighting Spam in an Exchange Server Environment

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top