The six-layered secret of effective Exchange Server email filtering

Blocking spam and protecting your email system from viruses, while continuing to deliver legitimate messages, is an ongoing challenge for most organizations. Antispam and antivirus software are obvious points of protection, but there are many other email filtering mechanisms you can use to enhance the effectiveness of your spam and virus fighting efforts.

Microsoft recommends a six-layered approach to message hygiene. Each layer filters unwanted messages differently and at a unique access point on the system. This tutorial explains how to implement these six layers of spam and virus protection on Exchange 2003 or Exchange 2007.

SIX LAYERS OF EFFECTIVE EMAIL FILTERING

Layer 1: External filtering

External filtering typically refers to hosted filtering, which involves allowing a third party to eliminate most obvious spam before it's delivered to your organization. For example, your organization may receive two million spam messages a day, which can consume a great deal of Internet bandwidth and server processing power. Instead of using resources trying to eliminate unwanted messages, you can use a hosted filtering service.

By doing so, you point an MX record for your domain to a filtering company's server, rather than to your own mail server. The filtering company removes the most obvious spam without acknowledging that messages have been removed, and forwards the remaining messages to your organization.

Layer 2: Connection filtering

Connection filtering checks the IP address of the server that sent the message. It then compares that address with a real-time blacklist.

This approach isn't perfect -- IP addresses can be spoofed, and legitimate senders sometimes send messages from blocked IP addresses. However, connection filtering does help to some degree.

In Exchange Server 2007, connection filtering usually takes place at the Edge Transport server. An Edge Transport server performs various message-hygiene tasks before messages are delivered to the Hub Transport server.

Layer 3: SMTP filtering

SMTP filtering works on a number of levels. First, the SMTP filter typically checks the structure of an inbound message. If the SMTP packet is malformed, or if the sender is blank, it assumes that the message is unwanted and should be filtered out.

SMTP filtering can also be used to view a message's sender. The sender can be cross-referenced against a blacklist, which may contain email addresses of known spammers. The blacklist also can contain entire domains from which email should be rejected.

Both Exchange 2003 and Exchange 2007 support the use of a Safe Senders List, which can acknowledge that messages from specific senders or domains are safe, even if those senders or domains are blacklisted.

Layer 4: Antispam filtering

Previous message hygiene levels were geared toward eliminating spam, so the antispam filtering level might seem redundant. However, in this level, the contents of a message are examined to determine if it's spam.

Exchange 2003 and Exchange 2007 perform antispam filtering in different ways. Exchange Server 2003 uses Intelligent Message Filtering (IMF). This means that Exchange examines different criteria for each message, and uses that criteria to calculate a Spam Confidence Level (SCL) value. An SCL is a percentage assigned to an incoming message based on the likelihood that it is spam.

An Exchange server can be fine-tuned to take various actions based on the SCL. For example, if a message has an SCL of 9, which indicates that the message is 90% likely to be spam, your Exchange server could be set to delete the message automatically.

Exchange Server 2007 uses the Content Filter Agent as an alternative to IMF. The Content Filter Agent performs the same function as the Intelligent Message Filter, but is more advanced. The Content Filter Agent also considers whether Microsoft Outlook sent the message, and whether or not anyone in the organization has the sender on his/her Safe Senders List. Unlike IMF, the Content Filter Agent updates automatically.

Spammers generally use bots to send spam. But because Microsoft Outlook isn't efficient enough to blast large volumes of email messages, it's less desirable to spammers than other email delivery systems. Therefore, a message created in Outlook isn't likely to be spam. Outlook 2007 is designed to digitally sign messages to prove that they were sent from Outlook.

Layer 5: Antivirus filtering

The fifth level of message hygiene processing is antivirus filtering, which sorts out messages containing malicious attachments. Antivirus filtering is often performed at the external filtering level. For example, the ISP that hosts my domain scans inbound email for viruses as a part of the hosted filtering service.

Microsoft lists antivirus filtering as the fifth level of message hygiene processing, but it's good practice to scan for viruses earlier in the filtering process. Compared to the volume of spam that comes into the organization, few messages contain attachments. If you scan for viruses first, then you don't have to worry about processing any of the email that contains viruses, because it would have already been deleted.

Layer 6: Client-level filtering

Client-level filtering refers to any spam or antivirus filters that run at the workstation level. Microsoft Outlook 2003 and Outlook 2007 both use Smart Screen-based spam filtering -- the same filtering technology that IMF uses. This removes the most obvious spam at the server level; users can adjust their own spam filters to control how aggressively remaining messages are filtered, and what happens to suspected spam.