Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-07
Spammers, or malicious senders, use a variety of techniques to send spam into your organization. No single tool or process can eliminate all spam. Microsoft Exchange Server 2007 builds on the foundation of Exchange Server 2003 to provide a layered, multipronged, and multifaceted approach to reducing spam and viruses. Exchange 2007 includes a variety of anti-spam and antivirus features that are designed to work cumulatively to reduce the spam that enters your organization. Exchange 2007 also includes improved infrastructure for antivirus applications.
You can reduce the incidences of virus outbreaks and attacks by malicious software, which is also referred to as malware, in your organization if you reduce the overall volume of spam that enters your organization. When you eliminate the bulk of the spam at the computer that has the Edge Transport server role installed, you save lots of processing resources, bandwidth, and storage when the messages are scanned for viruses and other malware further along the mail flow path.
The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
The following sections provide brief descriptions of each default anti-spam and antivirus feature.
Anti-Spam and Antivirus Filters
The anti-spam and antivirus filters are applied in the following order. For more information, see Understanding Anti-Spam and Antivirus Mail Flow.
- Connection filtering Connection
filtering inspects the IP address of the remote server that is
trying to send messages to determine what action, if any, to take
on an inbound message. The remote IP address is available to the
Connection Filter agent as a byproduct of the underlying TCP/IP
connection that is required for the Simple Mail Transfer Protocol
(SMTP) session. Connection filtering uses a variety of IP Block
lists, IP Allow lists, as well as IP Block Providers services or IP
Allow Provider services to determine whether the connection from
the specific IP should be blocked or should be allowed in the
- Sender filtering Sender filtering
compares the sender on the MAIL FROM: SMTP command to an
administrator-defined list of senders or sender domains who are
prohibited from sending messages to the organization to determine
what action, if any, to take on an inbound message.
- Recipient filtering Recipient filtering
compares the message recipients on the RCPT TO: SMTP command to an
administrator-defined Recipient Block list. If a match is found,
the message is not permitted to enter the organization. The
recipient filter also compares recipients on inbound messages to
the local recipient directory to determine whether the message is
addressed to valid recipients. When a message is not addressed to
valid recipients, the message can be rejected at the organization's
- Sender ID Sender ID relies on the IP
address of the sending server and the Purported Responsible Address
(PRA) of the sender to determine whether the sender is spoofed or
not. PRA is calculated based on the following message headers:
- Content filtering Content filtering
uses Microsoft SmartScreen technology to assess the contents of a
message. Intelligent Message Filter is the underlying technology of
Exchange content filtering. Intelligent Message Filter is based on
patented machine-learning technology from Microsoft Research.
During its development, Intelligent Message Filter learned
distinguishing characteristics of legitimate e-mail messages and
spam. Regular updates with Microsoft Anti-spam Update Service
ensure that the most up-to-date information is always included when
the Intelligent Message Filter runs. Based on the characteristics
of millions of messages, Intelligent Message Filter recognizes
indicators of both legitimate messages and spam messages.
Intelligent Message Filter can accurately assess the probability
that an inbound e-mail message is either a legitimate message or
Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for messages that are identified as spam and that should not be delivered to a user mailbox inside the organization.
Content filtering also acts on the safelist aggregation feature. Safelist aggregation collects data from the anti-spam safe lists that Microsoft Outlook and Office Outlook Web Access users configure and makes this data available to the Content Filter agent on the computer that has the Edge Transport server role installed in Exchange 2007.
When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail messages that Outlook users receive from contacts or that those users have added to their Outlook Safe Senders List or have trusted are identified by the Content Filter agent as safe. The result is that messages that are identified as safe are not classified as spam and unintentionally filtered out of the messaging system.
- Sender reputation Sender reputation
relies on persisted data about the IP address of the sending server
to determine what action, if any, to take on an inbound message.
The Protocol Analysis agent is the underlying agent that implements
the sender reputation functionality. A sender reputation level
(SRL) is calculated from several sender characteristics that are
derived from message analysis and external tests.
Senders whose SRL exceeds a configurable threshold will be temporarily blocked. All their future connections are rejected for up to 48 hours.
In addition to the locally calculated IP reputation, Exchange 2007 also takes advantage of IP Reputation anti-spam updates, available via Microsoft Update, which provide sender reputation information about IP addresses that are known to send spam.
- Attachment filtering Attachment
filtering filters messages based on attachment file name, file name
extension, or file MIME content type. You can configure attachment
filtering to block a message and its attachment, to strip the
attachment and allow the message to pass through, or to silently
delete the message and its attachment.
- Microsoft Forefront Security for Exchange
Server Forefront Security for Exchange Server
is an antivirus software package that is tightly integrated with
Exchange 2007 and offers antivirus protection for the Exchange
environment. The antivirus protection that is provided by
Forefront Security for Exchange Server is language independent.
However, the setup, administration of the product, and end-user
notifications are available in 11 server languages. For more
information, see Protecting Your Microsoft Exchange Organization with
Microsoft Forefront Security for Exchange Server.
- Outlook Junk E-mail filtering The
Outlook Junk E-Mail Filter uses state-of-the-art technology to
evaluate whether a message should be treated as a junk e-mail
message based on several factors, such as the time that the message
was sent and the content and structure of the message, and the
metadata collected by the Exchange Server anti-spam filters.
Messages caught by the filter are moved to a special Junk E-mail
folder, where the recipient can access them later.
Anti-spam stamps help you diagnose spam-related problems by applying diagnostic metadata, or "stamps," such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the anti-spam features that filter inbound messages from the Internet. These stamps are visible to the end-user mail client and encode sender-specific information, the version of the spam filter definition file, Outlook puzzle validation results, and content filtering results.
Microsoft Update for Anti-Spam Services
Exchange 2007 now offers additional services to help keep anti-spam components up to date, taking advantage of the proven Microsoft Update infrastructure.
Microsoft Exchange 2007 Standard Anti-spam Filter Updates offer anti-spam updates every two weeks via Microsoft Update.
The Forefront Security for Exchange Server anti-spam update service is a premium service that updates the content filter daily via Microsoft Update. In addition, the premium service includes the Spam Signature and IP Reputation Service updates that are available on an as-needed basis, up to several times a day. Spam Signature updates identify the most recent spam campaigns. IP Reputation Service updates provide sender reputation information about IP addresses that are known to send spam.
|To use the premium service, you must have the Exchange Enterprise Client Access License (CAL).|
Using IPv6 Receive Connectors
If Exchange Server 2007 Service Pack 1 (SP1) is deployed on a computer that is running Windows Server 2008, you can enter IP addresses and IP address ranges in the Internet Protocol Version 4 (IPv4) format, Internet Protocol Version 6 (IPv6) format, or both formats. A default installation of Windows Server 2008 enables support for IPv4 and IPv6.
We strongly recommend against configuring Receive connectors to accept anonymous connections from unknown IPv6 addresses. If your organization must receive mail from senders who use IPv6 addresses, create a dedicated Receive connector that restricts the remote IP addresses to the specific IPv6 addresses that those senders use.
If you configure a Receive connector to accept anonymous connections from unknown IPv6 addresses, the amount of spam that enters your organization is likely to increase. Currently, there is no broadly accepted industry standard protocol for looking up IPv6 addresses. Most IP Block List providers do not support IPv6 addresses. Therefore, if you allow anonymous connections from unknown IPv6 addresses on a Receive connector, you increase the chance that spammers will bypass IP Block List providers and successfully deliver spam into your organization.
Using Exchange Hosted Services
Spam filtering is enhanced by or is also available as a service from Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:
- Hosted Filtering, which helps organizations protect themselves
from e-mail-borne malware, including viruses and spam
- Hosted Archive, which helps them satisfy retention requirements
- Hosted Encryption, which helps them encrypt data to preserve
- Hosted Continuity, which helps them preserve access to e-mail
during and after emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
For More Information
For more information about anti-spam and antivirus features, see the following topics:
- Microsoft Forefront Security for Exchange Server
- Protecting Your Microsoft Exchange Organization
with Microsoft Forefront Security for Exchange Server
the Spam Confidence Level Threshold
Anti-Spam Features to Reduce the Volume of Spam
- Understanding Anti-Spam
and Antivirus Mail Flow