Wednesday, March 25, 2009

The six-layered secret of effective Exchange Server email filtering

Blocking spam and protecting your email system from viruses, while continuing to deliver legitimate messages, is an ongoing challenge for most organizations. Antispam and antivirus software are obvious points of protection, but there are many other email filtering mechanisms you can use to enhance the effectiveness of your spam and virus fighting efforts.
Microsoft recommends a six-layered approach to message hygiene. Each layer filters unwanted messages differently and at a unique access point on the system. This tutorial explains how to implement these six layers of spam and virus protection on Exchange 2003 or Exchange 2007.

SIX LAYERS OF EFFECTIVE EMAIL FILTERING

Layer 1: External filtering

External filtering typically refers to hosted filtering, which involves allowing a third party to eliminate most obvious spam before it's delivered to your organization. For example, your organization may receive two million spam messages a day, which can consume a great deal of Internet bandwidth and server processing power. Instead of using resources trying to eliminate unwanted messages, you can use a hosted filtering service.

By doing so, you point an MX record for your domain to a filtering company's server, rather than to your own mail server. The filtering company removes the most obvious spam without acknowledging that messages have been removed, and forwards the remaining messages to your organization.

Layer 2: Connection filtering

Connection filtering checks the IP address of the server that sent the message. It then compares that address with a real-time blacklist.

This approach isn't perfect -- IP addresses can be spoofed, and legitimate senders sometimes send messages from blocked IP addresses. However, connection filtering does help to some degree.

In Exchange Server 2007, connection filtering usually takes place at the Edge Transport server. An Edge Transport server performs various message-hygiene tasks before messages are delivered to the Hub Transport server.


Layer 3: SMTP filtering

SMTP filtering works on a number of levels. First, the SMTP filter typically checks the structure of an inbound message. If the SMTP packet is malformed, or if the sender is blank, it assumes that the message is unwanted and should be filtered out.

SMTP filtering can also be used to view a message's sender. The sender can be cross-referenced against a blacklist, which may contain email addresses of known spammers. The blacklist also can contain entire domains from which email should be rejected.

Both Exchange 2003 and Exchange 2007 support the use of a Safe Senders List, which can acknowledge that messages from specific senders or domains are safe, even if those senders or domains are blacklisted.

Layer 4: Antispam filtering

Previous message hygiene levels were geared toward eliminating spam, so the antispam filtering level might seem redundant. However, in this level, the contents of a message are examined to determine if it's spam.

Exchange 2003 and Exchange 2007 perform antispam filtering in different ways. Exchange Server 2003 uses Intelligent Message Filtering (IMF). This means that Exchange examines different criteria for each message, and uses those criteria to calculate a Spam Confidence Level (SCL) value. An SCL is a percentage assigned to an incoming message based on the likelihood that it is spam.

An Exchange server can be fine-tuned to take various actions based on the SCL. For example, if a message has an SCL of 9, which indicates that the message is 90% likely to be spam, your Exchange server could be set to delete the message automatically.

Exchange Server 2007 uses the Content Filter Agent as an alternative to IMF. The Content Filter Agent performs the same function as the Intelligent Message Filter, but is more advanced. The Content Filter Agent also considers whether Microsoft Outlook sent the message, and whether or not anyone in the organization has the sender on his/her Safe Senders List. Unlike IMF, the Content Filter Agent updates automatically.

Spammers generally use bots to send spam. But because Microsoft Outlook isn't efficient enough to blast large volumes of email messages, it's less desirable to spammers than other email delivery systems. Therefore, a message created in Outlook isn't likely to be spam. Outlook 2007 is designed to digitally sign messages to prove that they were sent from Outlook.

Layer 5: Antivirus filtering

The fifth level of message hygiene processing is antivirus filtering, which sorts out messages containing malicious attachments. Antivirus filtering is often performed at the external filtering level. For example, the ISP that hosts my domain scans inbound email for viruses as a part of the hosted filtering service.

Microsoft lists antivirus filtering as the fifth level of message hygiene processing, but it's good practice to scan for viruses earlier in the filtering process. Compared to the volume of spam that comes into the organization, few messages contain attachments. If you scan for viruses first, then you don't have to worry about processing any of the email that contains viruses, because it would have already been deleted.

Layer 6: Client-level filtering

Client-level filtering refers to any spam or antivirus filters that run at the workstation level. Microsoft Outlook 2003 and Outlook 2007 both use SmartScreen-based spam filtering -- the same filtering technology that IMF uses. The server level removes the most obvious spam; users can then adjust their own spam filters to control how aggressively the remaining messages are filtered, and what happens to suspected spam.
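As an added example (not code from the original article), the Exchange 2007 Management Shell commands below put layers 2 to 4 into effect on an Edge Transport server. The blocklist lookup zone, quarantine mailbox and domain names are placeholders; the SCL thresholds follow the article's "SCL of 9 deletes" example.

```powershell
# Added example, not from the original article. Exchange 2007 Management Shell, run on an
# Edge Transport server. Zone, mailbox and domain names below are placeholders.

# Layer 2: connection filtering against a real-time blocklist provider.
# "rbl.example.net" is a placeholder; use the lookup zone your provider documents.
Add-IPBlockListProvider -Name "RBL-Provider" -LookupDomain "rbl.example.net" -AnyMatch $true
Set-IPBlockListProvidersConfig -Enabled $true -ExternalMailEnabled $true

# Layer 3: SMTP sender filtering - reject blank senders and listed addresses or domains.
Set-SenderFilterConfig -Enabled $true -ExternalMailEnabled $true `
    -BlankSenderBlockingEnabled $true -Action Reject `
    -BlockedSenders "spammer@bad.example" `
    -BlockedDomainsAndSubdomains "bad.example"

# Layer 4: the Content Filter Agent's SCL actions. Delete at SCL 9, reject at 7,
# quarantine at 5; lower scores reach the mailbox, where Outlook's own junk filter
# (layer 6) takes over. Outlook postmark validation honours the Outlook 2007 signature
# described in the article, and the bypassed domain is the safe-sender exemption from layer 3.
Set-ContentFilterConfig -Enabled $true -ExternalMailEnabled $true `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -QuarantineMailbox "spamquarantine@contoso.example" `
    -OutlookEmailPostmarkValidationEnabled $true `
    -BypassedSenderDomains "partner.example"

# Verify what each agent ended up with before relying on it.
Get-IPBlockListProvider   | Format-Table Name, LookupDomain, Enabled -AutoSize
Get-SenderFilterConfig    | Format-List Enabled, BlankSenderBlockingEnabled, Action, BlockedDomainsAndSubdomains
Get-ContentFilterConfig   | Format-List Enabled, SCL*Enabled, SCL*Threshold, QuarantineMailbox, BypassedSenderDomains
```

Send a test message with the SCL stamped in its headers (X-MS-Exchange-Organization-SCL) to confirm which threshold each test case hits before enabling the delete action in production.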


Saturday, March 21, 2009

Wednesday, March 4, 2009

Restoring Exchange Server 2003 Clusters

The common restore processes that you would need to perform when restoring Exchange Server 2003 clusters are listed here.

Recover a server node in the cluster:

The Exchange resources of a failed cluster node are moved to another online node in the cluster. This means that the Exchange databases can continue to be accessed by the Exchange virtual server from the other node. If you need to remove the failed cluster node from the cluster and replace it with another node, you can use the process below as a guideline:
  • Using Cluster Administrator, evict the server node from the cluster.
  • Create and install the new server node.
  • Rejoin the node to the cluster.
  • Install Exchange on the node.
  • Move the Exchange resources to this node.

Recover a cluster quorum disk resource:

You can use the process below as a guideline for recovering from a cluster quorum failure:
  • On each server node in the cluster, stop the Cluster Service.
  • Restore the system state data that holds the cluster quorum disk, using the Windows Backup utility.
  • Run the Clusrest.exe Resource Kit tool to restore the backup to the cluster quorum disk.

Recover the shared disk resource that contains the Exchange databases:
  • Ensure that the Do Not Mount At Startup check box is selected for each database residing in the cluster that you want to restore.
  • Restore the Mailbox store from the backup.
  • Check that the databases have been mounted.
  • Check the content of the Event log.
  • Deselect the Do Not Mount At Startup check box for each database that is restored.

Gateway Security Software

MailMarshal SMTP is a total email content security solution for organizations of all sizes. It unifies anti-spam, email threat protection, content security, policy enforcement and data leakage prevention into a highly scalable, flexible and easy-to-manage solution.
MailMarshal acts as an email gateway to your organization by filtering all incoming and outgoing email at your network/Internet perimeter. MailMarshal blocks incoming email threats such as spam, phishing, viruses, malware and Denial of Service attacks. MailMarshal also enforces acceptable use policies and ensures compliance with data leakage prevention policies.
MailMarshal can be deployed as a single standalone solution, or multiple, geographically distributed MailMarshal servers can be configured in an array to support the largest enterprise environments with minimal administration.


Monday, March 2, 2009

Active Directory Tools

  • NETDIAG.EXE*
    • diagnostic tool helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client
  • DIRUSE.EXE
    • displays directory size information, including compression information for NTFS volumes
    • You can use Diruse to determine the actual usage of space for compressed files and directories
    • You can also specify a maximum folder size, then diruse marks any folders that exceed the specified limit and, if you choose, alerts you to the problem
  • REPADMIN.EXE: Replication Diagnostics Tool*
    • Diagnose replication problems
  • SDCHECK.EXE: Security Descriptor Check Utility*
    • Display effective access controls on an object
  • NLTEST.EXE*
    • Use to check the status of trusts, list PDCs, and force a user database into sync in an NT4 domain
  • ACLDIAG.EXE: ACL Diagnostics*
    • determine whether a user has been granted or denied access to a directory object. It can also be used to reset access control lists to their default state
  • DSACLS.EXE*
    • View or modify the access control lists of directory objects
  • LDP.EXE: Active Directory Administration Tool
    • Allows LDAP operations to be performed against Active Directory
  • DSASTAT.EXE: Active Directory Diagnostic Tool*
    • Compare directory information on domain controllers and detect differences
    • Compares directory trees within or across different domains
  • DCDIAG.EXE*
    • Analyzes the state of domain controllers in a forest or enterprise to assist in troubleshooting
  • ADSIZER.EXE
    • The Active Directory Sizer tool allows you to estimate the hardware required for deploying Active Directory in your organization
    • The estimate provided is based on your organization's usage profile, domain and site topology
  • GPUPDATE.EXE*
    • Updates the group policy changes made to the entire domain
  • GPMONITOR.EXE
    • Creates reports when policy settings are refreshed and displays the reports so an administrator can view them
    • Helps check Group Policy object (GPO) stability and monitor policy replication
  • NTRIGHTS.EXE*
    • NTRights is a command-line tool that allows you to grant or revoke a right for a user or group of users on a local or remote computer
    • You can also place an entry in the event log of the computer, noting the change
    • Useful in unattended or automated installations during which you may want to change the default rights
    • You can also use it in situations where you need to change a right in an existing installation, but you cannot access and log on to all computers
  • OH.EXE*
    • Open Handles (OH) is a command-line tool that shows the handles of all open windows
    • Can be used to show only information about a specific process
    • Useful for finding the process that has a file open when a sharing violation occurs
  • PERMCOPY.EXE*
    • Share Permissions Copy
  • PERMS.EXE*
    • User File Permissions Tool
  • TCMON.EXE
    • Traffic Control Monitor

Sunday, March 1, 2009

Top 10 Database Mounting Issues and Their Solutions

Got a problem getting your databases in Exchange 2000 Server and later to mount? There are several conditions that can:

• Cause your Exchange databases to not mount, even though the Exchange Information Store service still starts

• Prevent the Information Store service itself from starting, which would leave databases unmounted

In most cases, the application log of the server running Exchange provides enough information to continue troubleshooting the problem and find the root cause. Those events are typically logged with a source of either MSExchangeIS (Microsoft Exchange Information Store) or ESE (Extensible Storage Engine).

Find out how to address these issues, numbered in order of greatest impact, by reading the Microsoft Knowledge Base articles listed on this page.

1. Exchange reaches the 16-gigabyte (GB) limitation.

See Article 828070: Exchange Mailbox Store Does Not Mount When the Mailbox Store Reaches the 16-GB Limit.

2. File-level antivirus software deletes or modifies the transaction log files.

See Article 819553: "An Internal Processing Error Has Occurred" Error Message When You Try to Mount a Database.

3. Permissions in Active Directory directory service are modified.

See the following articles in the Knowledge Base:

• Article 283179: Information Store Does Not Start with Service-Specific Error 0 (Zero)

• Article 318098: Exchange Information Store Does Not Start on a Member Server

4. Hardware issues are preventing your databases from mounting.

See the following articles in the Knowledge Base:

• Article 327334: Event ID 474 Error Indicates a Hardware Failure

• Article 314917: Understanding and Analyzing -1018, -1019, and -1022 Exchange Database Errors

5. Exchange needs rights that Group Policy does not have.

See Article 314294: Exchange 2000 Error Messages Are Generated Because of SeSecurityPrivilege Right and Policytest Issues.

6. The wrong organization or administrative group names are displayed after disaster recovery.

See the following articles in the Knowledge Base:

• Article 280652: "Event ID 1088" Is Logged and Store Fails to Mount

• Article 324606: How to Use Legacydn.exe to Correct Exchange Organization or Administrative Group Names

7. After Exchange disaster recovery, Exchange databases do not mount if the Information Store service is not updated to the service pack level of the restored databases.

See Article 326017: Information Store Service Does Not Start After You Install Service Pack 1 on a Clustered Server.

8. Exchange has run out of hard drive space.

See Article 294318: Error Occurs When You Try to Mount a Database.

9. Databases do not mount after /disasterrecovery setup.

See Article 285169: Information Stores Do Not Mount After You Use the /disasterrecovery Switch.

10. Hard disk NTFS file system permissions have been modified.

See Article 307242: Information Store Does Not Mount with 0xfffff745 and -2235 Errors.

How To View and Kill Processes On Remote Windows Computers

To view processes on a remote computer, you need to know a username and password for the computer whose processes you want to view. Once you have the user account information, the syntax for using tasklist is:
tasklist.exe /S SYSTEM /U USERNAME /P PASSWORD
If there is a process that needs to be killed, you can use the taskkill command. As with tasklist, you need the username and password for the remote computer. The syntax for using taskkill is:
taskkill.exe /S SYSTEM /U USERNAME /P PASSWORD /IM PROCESS
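As an added example (not code from the original post), the PowerShell script below wraps the two commands above so that taskkill only runs for instances tasklist actually found, and handles the case where nothing matches. The computer name, account and image name are placeholders.

```powershell
# Added example, not from the original post. Lists one image name on a remote computer with
# tasklist, then passes only the PIDs actually found to taskkill. Leaving out /P makes both
# tools prompt for the password instead of placing it on the command line, where it would be
# visible in process listings and shell history.
$Computer = 'REMOTE-PC'       # placeholder remote computer name
$User     = 'DOMAIN\admin'    # placeholder account with rights on the remote computer
$Image    = 'notepad.exe'     # placeholder image name to look for

# /FI filters by image name on the remote side; /FO CSV and /NH give header-free output we can parse.
$raw = tasklist.exe /S $Computer /U $User /FI "IMAGENAME eq $Image" /FO CSV /NH

# When nothing matches, tasklist prints an "INFO: No tasks are running..." line instead of CSV,
# so keep only the quoted CSV rows before converting them.
$procs = @($raw | Where-Object { $_ -match '^"' } |
    ConvertFrom-Csv -Header 'ImageName', 'PID', 'SessionName', 'SessionNum', 'MemUsage')

if ($procs.Count -eq 0) {
    Write-Host "No instance of $Image is running on $Computer."
    return
}

$procs | Format-Table ImageName, PID, SessionName, MemUsage -AutoSize

# Terminate by PID rather than /IM so only the instances listed above are affected.
foreach ($p in $procs) {
    taskkill.exe /S $Computer /U $User /PID $p.PID
}
```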

Active Directory Replication Monitor

REPLMON.EXE: Active Directory Replication Monitor
  • Display status of domain controllers.
  • The Active Directory Replication Monitor tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface. The Active Directory Replication Monitor is a graphical tool located on the Tools menu within Windows 2000 Support Tools.
  • Active Directory Replication Monitor Features
    Some of the key features of the Active Directory Replication Monitor are
    • Graphic displays - Replication Monitor displays whether or not the monitored server is a global catalog server, automatically discovers the directory partitions that the monitored server hosts, graphically displays this breakdown, and shows the replication partners that are used for inbound replication for each directory partition. Replication Monitor distinguishes between direct replication partners, transitive replication partners, bridgehead servers, and servers removed from the network in the user interface. Failures from a specific replication partner are indicated by a change in the icon used for the partner.
    • Replication status history - The history of replication status per directory partition, per replication partner is recorded, generating a granular history of what occurred between two domain controllers. This history can be viewed through Replication Monitor's user interface or can be viewed offline or remotely through a text editor.
    • Property pages - For direct replication partners, a series of property pages displays the following for each partner: the name of the domain controller, its globally unique identifier (GUID), the directory partition that it replicates to the monitored server, the transport used (remote procedure call [RPC] or Simple Mail Transfer Protocol [SMTP] and distinguishes between intra- and inter-site when RPC is used), the time of the last successful and attempted replication events, update sequence number (USN) values, and any special properties of the connection between the two servers.
    • Status report generation - Administrators can generate a status report for the monitored server that includes a listing of the directory partitions for the server, the status of each replication partner (direct and transitive) for each directory partition, detail on which domain controllers the monitored server notifies when changes have been recorded, the status of any group policy objects (GPOs), the domain controllers that hold the Flexible Single Master Operations (FSMO) roles, a snapshot of the performance counters on the computer, and the registry configuration of the server (including parameters for the Knowledge Consistency Checker [KCC], Active Directory, Jet database, and LDAP). Additionally, the administrator can also choose to record (in the same report) the enterprise configuration, which includes each site, site link, site link bridge, subnet, and domain controller (regardless of domain) and the properties of each type of object just mentioned. For example, for the domain controller properties, this records the GUID that makes up the Domain Name System (DNS) record that is used in replication, the location of the computer account in Active Directory, the inter-site mail address (if it exists), the host name of the computer, and any special flags for the server (whether or not it is a global catalog server). This can be extremely helpful when troubleshooting an Active Directory replication problem.
    • Server Wizard - With Server Wizard, administrators can either browse for the server to monitor or explicitly enter it. The administrator can also create an .ini file, which predefines the names of the servers to monitor, which is then loaded by Replication Monitor to populate the user interface.
    • Graphical site topology - Replication Monitor displays a graphical view of the intra-site topology and, by using the context menu for a given domain controller in the view, allows the administrator to quickly display the properties of the server and any intra- and inter-site connections that exist for that server.
    • Properties display - Administrators can display the properties for the monitored server including the server name, the DNS host name of the computer, the location of the computer account in Active Directory, preferred bridgehead status, any special flags for the server (for example, if it is the Primary Domain Controller [PDC] Emulator for its domain or not), which computers it believes to hold the FSMO roles, the replication connections (Replication Monitor differentiates between administrator and automatically generated connection objects) and the reasons they were created, and the Internet Protocol (IP) configuration of the monitored server.
    • Statistics and replication state polling - In Automatic Update mode, Replication Monitor polls the server at an administrator-defined interval to get the current statistics and replication state. This feature generates a history of changes for each monitored server and its replication partners and allows the administrator to see topology changes as they occur for each monitored server. In this mode, Replication Monitor also monitors the count of failed replication attempts for each replication partner. If the failure count meets or exceeds an administrator-defined value, it can write to the event log and send an e-mail notification to the administrator.
    • Replication triggering - Administrators can trigger replication on a server with a specific replication partner, with all other domain controllers in the site, or all other domain controllers intra- and inter-site.
    • KCC triggering - Administrators can trigger the KCC on the monitored server to recalculate the replication topology.
    • Display nonreplicated changes - Administrators can display, on demand, Active Directory changes that have not yet replicated from a given replication partner.