TechEd 2007: Notes from the BOF Session on Fighting Spam With Exchange Server 2007

by Bharat Suneja

Tuesday night was a Birds of a Feather (BOF) night, with plenty of BOF sessions and chalk talks scheduled. My session on Fighting Spam With Exchange Server 2007 (not a very creative title, I know… but it got the message across :) was scheduled for 7:45 PM. I was positive I’ll probably be the only person in the room – 7:45 PM isn’t exactly the time I’d want to attend a TechEd session on anything, with the exception of a few good speakers.

On a side note, keeping my expectations low also meant I could claim the attendance was more than I expected even if only one person showed up. Nevertheless, the room filled up as we got closer to the start time.

It was an interesting discussion on anti-spam in Exchange Server 2007, as well as Exchange 2003.

Some takeaways:

  • Exchange’s anti-spam features consist of more than just Intelligent Message Filter (IMF) – there’s 1) Connection Filter: allows using IP Allow Lists, IP Block Lists, IP Block List Providers (RBLs) and IP Allow List Providers 2) Sender Filter: block sending domain or SMTP address 3) Recipient Filter: block internet messages to list of valid recipients, perform Recipient Validation to block messages for non-existent recipients 4) Sender ID Filter: looks up SPF records in purported sending domain’s DNS zone, protects from address spoofing and phishing 5) Content Filter (aka “IMF”): Blocks messages based on content
  • 3 Gateway Thresholds and Actions: Exchange Server 2007’s Content Filter Agent supports 3 gateway thresholds and actions – 1) Delete 2) Reject and 3) Quarantine
  • Quarantine functionality: Though the quarantine functionality in Exchange Server 2007 is a step forward compared to Exchange Server 2003’s archiving feature, it’s not as full-featured as that offered by many third-party products. End-users have no control over the quarantine – an administrator has to inspect quarantined messages and make the decision to deliver or delete. However, it’s important to understand that a) it’s not compulsory to use the quarantine and b) The end-user mechanism for accessing suspicious messages is the Junk Mail folder c) Quarantining is one more layer available to admins – between the gateway actions of Rejecting or Deleting mail and the Store action of delivering to Junk Mail
  • Exchange Server 2007’s Connection Filter agent does not immediately drop connections from IP addresses explicitly listed on the IP Block List. Exchange Server 2003 does this for IPs listed in its Global Deny List. This change in behaviour allows such “filtered” connections to be logged in the agent log. Some customers like to see these logged, whereas many want connections to be dropped immediately.
  • Many customers prefer anti-spam appliances like Barracuda and IronPort in the perimeter, and consider these very effective, and generally lower cost compared to an Exchange 2007 Edge Transport server.
  • No studies or test results are available yet to demonstrate how the Edge Transport server performs compared to such appliances. It would be great to have a feature and performance comparison of these.
  • Many customers are interested in Greylisting – a technique that registers each connection’s “triplet” of a) Sending host’s IP address b) Sender’s address c) Recipient’s address and looks up a database. If not found, the connection is immediately dropped and the triplet added to the database. The technique is based on the idea that valid RFC-compliant SMTP hosts will attempt to resend the message after a set interval. The (receiving) SMTP server will find the triplet in the database upon the second attempt, and consequently accept the connection.
  • Interested in learning more about Greylisting? Evan Harris has a whitepaper titled “The Next Step in Spam Control: Greylisting
  • Exchange Server 2007 SDK has the code for a Greylisting agent. This needs to be compiled into a DLL using Visual Studio 2005, and installed using the accompanying installation script. Since this is just a programming sample provided in the SDK, it makes sense to test this adequately in a test environment and not expect any production support
  • Freeware Greylisting transport sinks/add-ins for Exchange Server 2003 are available on the web, like this one from Chris on
  • Over a period of time, the effectiveness of techniques like Greylisting may decrease, but as of now it still eliminates 80-90% of spam.
  • SMTP Tarpitting is a technique that inserts a delay in SMTP responses to SMTP clients that display suspicious protocol behavior. More details about tarpitting in a previous post titled “Enabled by default: SMTP Tarpit in Exchange Server 2007
  • Safelist Aggregation: This allows Exchange to aggregate senders marked as safe by (Outlook/OWA) users. If an EdgeSync subscription exists (in topologies with an Edge server), the safe list is replicated to the Edge as part of EdgeSync. Exchange’s use of safe lists can reduce false positives significantly. It’s not required to have an Edge server – Hub Transport servers with anti-spam agents installed can also use this feature.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: