Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2006-10-11
Microsoft Exchange Server 2007 includes several improvements to the suite of anti-spam and antivirus features that was introduced in Exchange Server 2003.
Management of these features has improved in Exchange 2007. For example, you implement all anti-spam and antivirus features as transport-level agents, and you can manage and script the anti-spam and antivirus features by using the Exchange Management Shell.
Also, you can use a synchronization service named the Microsoft Exchange EdgeSync service to update configuration information and user data on computers that have the Edge Transport server role installed. The Microsoft Exchange EdgeSync service is a collection of processes that are run on the computer that has the Exchange 2007 Hub Transport server role installed to establish one-way replication of recipient and configuration information from the Active Directory directory service to the Active Directory Application Mode (ADAM) instance on the Edge Transport server. The Microsoft Exchange EdgeSync service copies only the information that is required for the Edge Transport server to perform anti-spam and message security configuration tasks and the information about the Send connector configuration that is required to enable mail flow from the Hub Transport servers in the Exchange 2007 organization to the Internet through one or more Edge Transport servers. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.
The following anti-spam and antivirus features are new or improved in Exchange 2007:
- Connection filtering The configuration
and management of IP Block lists, IP Allow lists, IP Block List
providers, and IP Allow List providers have been improved by
displaying each of these elements in the Exchange Management
Console. For more information, see Connection
- Content filtering Exchange Intelligent
Message Filter, which uses Microsoft SmartScreen patented
machine-learning technology, is the underlying technology of the
content filter that evaluates inbound messages and determines the
probability of whether the messages are legitimate, fraudulent, or
In addition to scanning message content, Intelligent Message Filter consolidates data that is collected from connection filtering, sender filtering, recipient filtering, sender reputation, Sender ID verification, and Microsoft Office Outlook 2007 E-mail Postmark validation to apply a spam confidence level (SCL) rating to a given message. You can configure actions on the message based on this SCL rating. These actions may include the following:
- Delivery to an Outlook user Inbox or Junk E-mail folder
- Delivery to the spam quarantine mailbox
- Rejection of the message and no delivery
- Acceptance and deletion of the message. The server accepts the
message and deletes it instead of forwarding it to the recipient
Finally, Exchange 2007 now offers additional services to help keep anti-spam components up to date. The following update services are available:
- Microsoft Exchange 2007 Standard Anti-spam Filter Updates:
Filter updates every two weeks
- Microsoft Forefront Security for Exchange Server: Filter
updates every 24 hours
- Microsoft Update
- Delivery to an Outlook user Inbox or Junk E-mail folder
- Spam quarantine Spam quarantine
provides a temporary storage location for messages that are
identified as spam and that should not be delivered to a user
mailbox inside the organization. Spam quarantine functionality is
available during the content filtering process. Messages that are
identified as spam are wrapped in a non-delivery report (NDR) and
are delivered to a spam quarantine mailbox inside the organization.
Exchange administrators can manage messages that are delivered to
the spam quarantine mailbox and can take appropriate actions, such
as deleting messages or letting messages that are flagged as false
positives in anti-spam filtering be routed to their intended
The Exchange 2007 environment enables two-tiered spam quarantine functionality. First, administrators can access the spam quarantine mailbox. By using Outlook, administrators can access the spam quarantine mailbox to search for messages, release messages to the intended recipients, or reject and delete messages. Messages that have an SCL rating that the administrator has defined as borderline can be released to the user's Junk E-mail folder in Outlook. The borderline messages are converted to plain text for additional protection before they are sent to the user's Junk E-mail folder. For more information, see Spam Quarantine.
- Recipient filtering By using the
Microsoft Exchange EdgeSync service, you can now replicate
recipient data from the enterprise Active Directory into the
Exchange Active Directory Application Mode (ADAM)
instance on the Edge Transport server role. This enables the
Recipient Filter agent to perform recipient lookups for inbound
messages so that you can block messages that are sent to
nonexistent users or internal-only distribution lists. Also, in
Exchange 2007, you can configure the tarpitting interval on
each inbound Receive connector. For more information, see Recipient
- Sender ID Sender ID verifies that each
e-mail message originates from the Internet domain from which the
message claims to come by examining the sender's IP address and
comparing the IP address to the Sender ID record in the sender's
public Domain Name System (DNS) server. The Sender ID record in the
sender's public DNS server is the sender policy framework (SPF)
record. The SPF defines the IP addresses that are authorized to
send messages for the domain in which the SPF record resides. When
the receiving system queries the SPF record, and a "Pass" status is
returned, the receiving system has a higher assurance that the
message is not being spoofed by an illegitimate sender.
You can specify how the Sender ID agent handles temporary errors, such as DNS failures, when it performs an SPF query. For more information, see Sender ID.
- Sender reputation Sender reputation
uses patented Microsoft technology to calculate the trustworthiness
of unknown senders. Sender reputation gathers analytical data
from Simple Mail Transfer Protocol (SMTP) sessions, message
content, Sender ID verification, and general sender behavior and
creates a history of sender characteristics. Sender reputation
uses this knowledge to determine whether a sender should be
temporarily added to the Blocked Senders list. For more
information, see Sender
- IP Reputation Service This service,
which is provided by Microsoft, is an IP Block list that is offered
exclusively to Exchange 2007 customers. Administrators can
choose to implement and use IP Reputation Service in addition to
other real-time block list services.
- Aggregation of Outlook Junk E-mail Filter
Lists This feature helps reduce false
positives in anti-spam filtering by propagating Outlook 2003
and Outlook 2007 Junk E-mail Filter Lists to Mailbox
servers and to Edge Transport servers. For more information, see
Improvements in Antivirus Protection
Exchange 2007 includes many improvements to antivirus protection. In addition to continued support of the Virus Scanning API (VSAPI), Microsoft has made a significant investment in more effective, efficient, and programmable virus scanning at the transport level.
Exchange 2007 introduces the concept of transport agents. Agents are managed software components that perform a task in response to an application event.
Exchange 2007 also provides antivirus stamping, which helps reduce the volume of antivirus scanning across an organization by stamping messages that were scanned for viruses with the version of the antivirus software that performed the scan and the result of the scan. This antivirus stamp travels with the message as the message is routed through the organization. The stamp is used to determine whether additional antivirus scanning must be performed on the message.
In Exchange 2007, agents act on transport events, much like event sinks in earlier versions of Exchange. Third-party developers can write customized agents to take advantage of the underlying Exchange MIME parsing engine for robust transport-level antivirus scanning. The Exchange 2007 MIME parsing engine, developed and evolved through many years of MIME-handling exposure, is likely the most trusted and robust MIME engine in the industry.
Another Exchange 2007 antivirus improvement is the implementation of attachment filtering by a transport agent. By running attachment filtering on the Edge Transport server role in your organization, you can reduce the spread of malware attachments before they enter your organization. For more information about attachment filtering, see Attachment Filtering.
Using Exchange Hosted Services
Spam and virus filtering is enhanced by or is also available as a service from Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:
- Hosted Filtering, which helps organizations protect themselves
from e-mail-borne malware
- Hosted Archive, which helps them satisfy retention requirements
- Hosted Encryption, which helps them encrypt data to preserve
- Hosted Continuity, which helps them preserve access to e-mail
during and after emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.