Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2010-01-18
Spammers, or malicious senders, use a variety of techniques to send spam into your organization. No single tool or process can eliminate all spam. Microsoft Exchange Server 2010 builds on the foundation of Exchange Server 2007 to provide a layered, multipronged, and multifaceted approach to reducing spam and viruses. Exchange 2010 includes a variety of anti-spam and antivirus features that are designed to work cumulatively to reduce the spam that enters your organization.
You can reduce the incidences of virus outbreaks and attacks by malicious software, which is also referred to as malware, in your organization if you reduce the overall volume of spam that enters your organization. When you eliminate the bulk of the spam at the computer that has the Edge Transport server role installed, you save processing resources, bandwidth, and storage when the messages are scanned for viruses and other malware further along the mail flow path.
The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
The following sections provide brief descriptions of each default anti-spam and antivirus feature.
Looking for management tasks related to managing transport servers? See Managing Transport Servers.
Anti-Spam and Antivirus Filters
The anti-spam and antivirus filters are applied in a specific order. For more information, see Understanding Anti-Spam and Antivirus Mail Flow. The following order applies:
- Connection filtering: Connection filtering inspects the IP address of the remote server that's trying to send messages to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a byproduct of the underlying TCP/IP connection that's required for the SMTP session. Connection filtering uses a variety of IP Block lists and IP Allow lists, as well as IP Block List provider services or IP Allow List provider services, to determine whether the connection from the specific IP should be blocked or allowed in the organization.
- Sender filtering: Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains who are prohibited from sending messages to the organization, to determine what action, if any, to take on an inbound message.
- Recipient filtering: Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message isn't permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message isn't addressed to valid recipients, the message can be rejected at the organization's
- Sender ID: Sender ID relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to determine whether the sender is spoofed or not. PRA is calculated based on the following message headers:
- Content filtering: Content filtering uses Microsoft SmartScreen technology to assess the contents of a message. Intelligent Message Filter is the underlying technology of Exchange content filtering. Intelligent Message Filter is based on patented machine-learning technology from Microsoft Research. During its development, Intelligent Message Filter learned distinguishing characteristics of legitimate e-mail messages and spam. Regular updates from the Microsoft Exchange Anti-spam Update service ensure that the most up-to-date information is always included when the Intelligent Message Filter runs. Based on the characteristics of millions of messages, Intelligent Message Filter recognizes indicators of both legitimate messages and spam messages. Intelligent Message Filter can accurately assess the probability that an inbound e-mail message is either a legitimate message or spam.
Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for messages that are identified as spam and that shouldn't be delivered to a user mailbox inside the organization.
Content filtering also acts on the safelist aggregation feature. Safelist aggregation collects data from the anti-spam safe lists that Microsoft Outlook and Outlook Web App users configure and makes this data available to the Content Filter agent on the computer that has the Edge Transport server role installed in Exchange 2010.
When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail messages that Outlook users receive from contacts that those users have added to their Outlook Safe Senders List or have trusted are identified by the Content Filter agent as safe. The result is that messages that are identified as safe aren't classified as spam and unintentionally filtered out of the messaging system.
- Sender reputation: Sender reputation relies on persisted data about the IP address of the sending server to determine what action, if any, to take on an inbound message. The Protocol Analysis agent is the underlying agent that implements the sender reputation functionality. A sender reputation level (SRL) is calculated from several sender characteristics that are derived from message analysis and external tests.
Senders whose SRL exceeds a configurable threshold will be temporarily blocked. All their future connections are rejected for up to 48 hours.
In addition to the locally calculated IP reputation, Exchange 2010 also takes advantage of IP reputation anti-spam updates, available via Microsoft Update, which provide sender reputation information about IP addresses that are known to send spam.
- Attachment filtering: Attachment filtering filters messages based on attachment file name, file name extension, or file MIME content type. You can configure attachment filtering to block a message and its attachment, to strip the attachment and allow the message to pass through, or to silently delete the message and its attachment.
- Microsoft Forefront Protection 2010 for Exchange Server: Forefront Protection 2010 for Exchange Server (FPE) is an antivirus software package that's tightly integrated with Exchange 2010 and offers antivirus protection for the Exchange environment. The antivirus protection that's provided by FPE is language independent. However, the setup, administration of the product, and end-user notifications are available in 11 server languages. For more information, see Microsoft Forefront Protection 2010 for Exchange Server.
- Outlook junk e-mail filtering: The Outlook junk e-mail filter uses state-of-the-art technology to evaluate whether a message should be treated as a junk e-mail message based on several factors, such as the time that the message was sent, the content and structure of the message, and the metadata collected by the Exchange Server anti-spam filters. Messages caught by the filter are moved to a special Junk E-mail folder, where the recipient can access them later.
Anti-spam stamps help you diagnose spam-related problems by applying diagnostic metadata, or stamps, such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the anti-spam features that filter inbound messages from the Internet. These stamps are visible to the end-user mail client and encode sender-specific information, the version of the spam filter definition file, Outlook puzzle validation results, and content filtering results.
Microsoft Update for Anti-Spam Services
Exchange 2010 offers additional services to help keep anti-spam components up to date, taking advantage of the proven Microsoft Update infrastructure.
Microsoft Exchange 2010 Standard Anti-spam Filter Updates offer anti-spam updates every two weeks via Microsoft Update.
The Forefront Security for Exchange Server Anti-spam Update service is a premium service that updates the content filter daily via Microsoft Update. In addition, the premium service includes the spam signature and IP Reputation Service updates that are available on an as-needed basis, up to several times a day. Spam signature updates identify the most recent spam campaigns. IP Reputation Service updates provide sender reputation information about IP addresses that are known to send spam.
Note: To use the premium service, you must have the Exchange Enterprise client access license (CAL).
Using Exchange Hosted Services
Spam filtering is enhanced by or is also available as a service from Microsoft Exchange Hosted Services.
Exchange Hosted Services is a set of four distinct hosted services:
- Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
- Hosted Archive, which helps them satisfy retention requirements
- Hosted Encryption, which helps them encrypt data to preserve
- Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations
These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
Strategy for Anti-Spam Approach
Your strategy for how to configure the anti-spam features and establish the aggressiveness of your anti-spam agent settings requires that you plan and calculate carefully. If you set all anti-spam filters to their most aggressive levels and configure all anti-spam features to reject all suspicious messages, you're more likely to reject messages that aren't spam. On the other hand, if you don't set the anti-spam filters at a sufficiently aggressive level and don't set the spam confidence level (SCL) threshold low enough, you probably won't see a reduction in the spam that enters your organization.
It's a best practice to reject a message when Exchange detects a bad message through the Connection Filter agent, Recipient Filter agent, or Sender Filter agent. This approach is better than quarantining such messages or assigning metadata, such as anti-spam stamps, to such messages. The Connection Filter agent and Recipient Filter agent automatically block messages that are identified by the respective filters. The Sender Filter agent is configurable.
This best practice is recommended because the SCL that underlies connection filtering, recipient filtering, or sender filtering is relatively high. For example, with sender filtering, where the administrator has configured specific senders to block, there's no reason to assign the sender filtering data to such messages and to continue to process them. In most organizations, blocked messages should be rejected. (If you didn't want the messages rejected, you wouldn't have put them on the Blocked Senders List.)
The same logic applies to real-time block list services and recipient filtering, although the underlying confidence isn't as high as the IP Block list. You should be aware that the further along the mail flow path a message travels, the greater the probability of false positives, because the anti-spam features are evaluating more variables. Therefore, you may find that if you configure the first several anti-spam features in the anti-spam chain more aggressively, you can reduce the bulk of your spam. As a result, you'll save processing, bandwidth, and disk resources so that you can process more ambiguous messages.
Ultimately, you must plan to monitor the overall effectiveness of the anti-spam features. If you monitor carefully, you can continue to adjust the anti-spam features to work well together for your environment. With this approach, you should plan on a fairly non-aggressive configuration of the anti-spam features when you start. This approach lets you minimize the number of false positives. As you monitor and adjust the anti-spam features, you can become more aggressive about the type of spam and spam attacks that your organization experiences.
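As an added example (not part of the original article), the following Exchange Management Shell script applies the starting posture this section describes on an Edge Transport server: reject at the connection, sender and recipient filters, quarantine rather than reject at the content filter, and review the agent log before tightening. The block list provider name and lookup domain, the blocked domain, the SRL and SCL thresholds, and the quarantine mailbox address are assumed values, not settings from the article.

```powershell
# Added example, not part of the original article. Run in the Exchange
# Management Shell on an Edge Transport server. The DNSBL provider name and
# lookup domain, the blocked domain, the SCL/SRL thresholds and the
# quarantine mailbox address are assumed values for illustration.

# --- Early-stage agents: reject outright, as the article recommends ---

# Connection filtering: query an IP Block List provider (assumed provider).
Add-IPBlockListProvider -Name "ExampleDNSBL" -LookupDomain "dnsbl.example.net" `
    -AnyMatch $true -Enabled $true `
    -RejectionResponse "Connection refused: source IP is on a block list"

# Sender filtering: reject mail from administrator-listed senders and from
# blank MAIL FROM: addresses instead of stamping it and passing it on.
Set-SenderFilterConfig -Enabled $true -Action Reject -BlankSenderBlockingEnabled $true
Set-SenderFilterConfig -BlockedDomains @{Add="spam-sender.example"}   # assumed domain

# Recipient filtering: validate recipients against the local directory so
# that messages to nonexistent users are rejected at the perimeter.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# Sender reputation: block an IP whose SRL exceeds the threshold for 24 of
# the maximum 48 hours (both values are assumed settings).
Set-SenderReputationConfig -Enabled $true -SenderBlockingEnabled $true `
    -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# --- Later-stage agent: start non-aggressive, quarantine instead of reject ---

# Thresholds are kept ordered quarantine < reject < delete. Only the
# quarantine action is enabled at first, so false positives are recoverable.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled $false     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $false     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true  -SCLQuarantineThreshold 7 `
    -QuarantineMailbox "spamquarantine@contoso.example"

# --- Monitor before tightening ---

# Summarise which agents acted, and how, over the last 24 hours.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Group-Object -Property Agent, Action |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Name, Count -AutoSize

# Distribution of SCL values assigned by the Content Filter agent, using the
# reporting script that ships in the Exchange Scripts folder ($exscripts).
& "$exscripts\Get-AntispamSCLHistogram.ps1"
```

Once the agent log and SCL histogram show few legitimate messages being caught, the SCL thresholds can be lowered and the reject action enabled in small steps, re-checking the log after each change.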