Anti-spam

Connection Filtering and RBLs in Exchange 2013

Exchange 2003 and later have included Connection Filtering in their repertoire of built-in antispam tools. In Exchange 2007 and Exchange 2010, this is implemented using the Connection Filtering agent, a transport agent. The Connection Filtering agent offers the following functionality: IP Allow List and IP Block List: Static lists of IP addresses you can populate to […]


Happy New Year, You Just Won a Gazillion Dollars!

With the end of holidays comes the beginning of a new year, and this year a new decade. I’ve had a longer semi-vacation in December, and I’m looking forward to the promise of an exciting 2011. The part that I least look forward to is all the Christmas/New Year spam, some of which inevitably makes […]


Using Transport Rules to protect your organization from the ‘Here You Have’ Worm

The Here You Have worm, also known as Visal.B, has been spreading through network shares and email (more details on Microsoft’s Malware Protection Center web site). When spreading through email, the worm sends itself to your contacts with the following strings in the Subject field and message body: Subject: Here you have Body: Hello: This […]


Social Engineering Attack Disguised As Mailbox Quota Message

Social engineering is all about psychological attacks: convincing a user to willingly divulge information is much more convenient, in most cases, than actually brute-forcing your way in. Attackers with very little technical sophistication (and perhaps some great social skills) can easily prey upon even the more vigilant users. I would’ve held on to my belief […]


Export and Import Content Filter Words or Phrases

In Exchange 2010 and Exchange 2007, you can add custom words or phrases as good or bad words to modify the Spam Confidence Level (SCL) assigned to messages. Messages with a good word or phrase are assigned an SCL of 0 and bypass other antispam agents that fire after the Content Filtering agent. Messages with […]


Connection Filtering, RBLs and SMTP logs in Exchange 2007/2010

Exchange Server 2003’s Connection Filtering feature allows you to block connections from IP addresses explicitly added to the Global Deny List, or drop messages from IP addresses listed on an RBL (Real-Time Blackhole List / Real-Time Block List). Note: The term “RBL” is commonly used to describe DNS Black Lists (DNSBLs), but it’s a trademark […]


Why Get-TransportAgent doesn’t agree with the Exchange console

You disable a particular anti-spam agent — let’s say the Content Filtering Agent, using the Exchange Management Console (EMC). Figure 1: Disabling a transport “agent” in the Exchange Management Console Next, you use the Get-TransportAgent command to get the status of transport agents — and surprisingly the Content Filter Agent shows up as Enabled! Figure […]


Protect users from spam from your own domain in Exchange 2010 and Exchange 2007

One of the common complaints from users and many messaging folks is spam received from senders that appear to be from your own domain. SMTP mail is exchanged with anonymous Internet hosts without any authentication. Headers can be and are effortlessly spoofed. Rather than using an unregistered or invalid domain in the From: header, many […]


RFC 2821, HELO again: Validating the HELO/EHLO domain

RFCs 2821 and 1869 specify the format of HELO/EHLO commands issued by an SMTP client to initiate an SMTP session. RFC 2821 on HELO/EHLO command: 4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO) These commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the […]


Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs

Exchange 2007 includes a number of anti-spam agents to filter spam. The anti-spam agents log their actions in (anti-spam) agent logs. The default agent log locations: Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\AgentLog Exchange 2007: \Exchange Server\TransportRoles\Logs\AgentLog Agent Log Configuration You can’t change the agent log location. Here are the available config options: Enable/Disable agent log: On transport […]
