CONTROLLING INBOUND SMTP MAIL 669

Figure 16.15 Monitoring the IMF's counters in the Performance console

You can also see the IMF value that is assigned to a message that makes its way into your Junk E-mail folder. By default, the SCL value is not exposed to the user interface, but thanks to a clever Microsoft engineer (the same clever dude who wrote the IMF Archive Viewer) and Exchange guru Paul Bowden, you can add the SCL to the Outlook view using either Outlook 2003 or Outlook Web Access 2003. For information about doing this using Outlook 2003, see the Exchange team blog at http://tinyurl.com/b2p5n. For information about how to expose the SCL value in Outlook Web Access, see http://tinyurl.com/7vemy. Figure 16.16 shows the exposed SCL column in Outlook 2003.

Figure 16.16 Exposing the SCL value in Outlook 2003

If you see an SCL value of 0, this means the message's SCL was less than the value required to put the message in the Junk E-mail folder. I see this frequently when I move a message manually to the Junk E-mail folder. If you see an SCL value of -1, it means the message came through an authenticated connection.


Figure 16.14 Easily manage IMF archived files using the IMF Archive Manager

If your Exchange software is in another location, make sure you specify the correct path to the msexchange.ucecontentfilter.dll file. Now you can create a file called msexchange.ucecontentfilter.dll in the C:\Program Files\Exchsrvr\bin\MSCFV2 folder. This file must be an XML file, and it must be saved in Unicode format. In this example, I want to make sure any message that contains the word surfboard in either the subject or the body of the message is given an SCL of 0. I also want to make sure any message that contains the phrase free Viagra has its SCL increased by 5, and that any time the subject contains the phrase Joke of the day, the SCL is 9. For more information about creating and customizing a custom weighting list, see the Exchange 2003 SP2 release notes. You can find a link to these in Microsoft Knowledge Base article 906671, Microsoft Exchange Server 2003 Service Pack 2 release notes.

If you are curious about how well your IMF is doing at detecting spam, you are in for a slight disappointment. No logging or reporting features are included with the IMF (but, hey, it was free). Digital Labs has a utility called IMF Stats (www.digitallabs.net/imfs/) that can improve on the information you can discern from the IMF. A quick and dirty way to get some basic statistics from the IMF is through the Performance console. You will find some new performance-monitoring counters under the MSExchange Intelligent Message Filter object, including the percentage of messages that are considered spam (the gateway threshold) and the number of messages at each SCL rating. Figure 16.15 shows the Performance console with all of the available counters for the IMF loaded in report form.
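Returning to the custom weighting file described above: the following script is an added example (not code from the book, Microsoft, or the Exchange team) that builds the three rules from the text and saves the file the way the chapter requires, as XML in Unicode format, which on Windows means UTF-16 LE with a byte-order mark. The file name, the MSCFV2 folder and the three rules come from the chapter. The element and attribute names (CustomWeightEntries, CustomWeightEntry with Type, Change and Text, where Change is MIN, MAX or a signed adjustment) and the namespace URI are my recollection of the SP2 release notes and are an assumption; verify them against KB 906671 before deploying. The read-back check at the end is there because a file saved as ANSI or UTF-8 by mistake is the most common reason a custom weighting list has no effect.

```python
"""Generate the IMF custom weighting file described in the chapter.

Added example, not code from the book or from Microsoft. The schema
(element/attribute names and namespace) is assumed; see the lead-in.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NAMESPACE = "http://schemas.microsoft.com/exchange/2005/CustomWeightEntries"  # assumed
VALID_TYPES = {"SUBJECT", "BODY", "BOTH"}  # assumed attribute values

# The three rules from the chapter: "surfboard" anywhere forces SCL 0,
# "free Viagra" anywhere adds 5 to the SCL, "Joke of the day" in the
# subject forces SCL 9.
CHAPTER_ENTRIES = [
    ("BOTH", "MIN", "surfboard"),
    ("BOTH", 5, "free Viagra"),
    ("SUBJECT", "MAX", "Joke of the day"),
]


def build_custom_weighting_xml(entries):
    """entries: iterable of (type, change, text); change is "MIN" (SCL 0),
    "MAX" (SCL 9) or an integer added to the SCL (assumed semantics)."""
    lines = ['<?xml version="1.0" encoding="utf-16"?>',
             f'<CustomWeightEntries xmlns="{NAMESPACE}">']
    for entry_type, change, text in entries:
        if entry_type not in VALID_TYPES:
            raise ValueError(f"unknown Type {entry_type!r}")
        if change not in ("MIN", "MAX") and not isinstance(change, int):
            raise ValueError(f"Change must be MIN, MAX or an integer, got {change!r}")
        lines.append(f'  <CustomWeightEntry Type="{entry_type}" '
                     f'Change="{change}" Text={quoteattr(text)} />')
    lines.append("</CustomWeightEntries>")
    return "\n".join(lines) + "\n"


def write_unicode_xml(path, xml_text):
    """Save as Windows 'Unicode': UTF-16 little-endian with a BOM.
    Returns the number of bytes written."""
    data = b"\xff\xfe" + xml_text.encode("utf-16-le")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def load_entries(path):
    """Read the file back as a consumer would and return (Type, Change, Text)
    tuples, refusing anything that is not UTF-16 LE with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(b"\xff\xfe"):
        raise ValueError("not UTF-16 LE with BOM: re-save the file as Unicode")
    root = ET.fromstring(data)  # expat detects UTF-16 from the BOM
    tag = f"{{{NAMESPACE}}}CustomWeightEntry"
    return [(e.get("Type"), e.get("Change"), e.get("Text")) for e in root.iter(tag)]


def demo(directory=None):
    """Write the file into a scratch directory (the real location is
    C:\\Program Files\\Exchsrvr\\bin\\MSCFV2) and read it back."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "msexchange.ucecontentfilter.dll")
    write_unicode_xml(path, build_custom_weighting_xml(CHAPTER_ENTRIES))
    return load_entries(path)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Note that the Change value comes back as the string "5": the file stores attributes as text, so any tooling that compares or merges weighting lists should normalize the numeric adjustments before doing arithmetic on them.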


TIP The IMF needs to be enabled only on the Exchange servers that accept inbound messages from the Internet, not on mailbox servers. The IMF will not scan or filter messages that arrive from an authenticated source, such as other Exchange servers within your organization or SMTP Connectors you have configured for authentication from trusted business partners.

Tuning the Intelligent Message Filter

Over the past two years, I have toyed with differing values for gateway blocking and store configuration but have arrived at no definitive configuration values that will fit every organization. In the organization in which I receive most of my e-mail, a gateway blocking SCL of 6 and a store Junk E-mail SCL value of 5 works well with few false positives. I recommend starting with a gateway blocking value of 8, setting the action to Archive, setting the store Junk E-mail configuration to a value of 6, and then monitoring the situation for excessive false positives. Diane Poremsky, owner of www.slipstick.com, noted that with an SCL of 6, she saw a false positive rate of less than 1 in 800 messages. Dropping that value to an SCL of 5 increased the false positive rate to 6 in 300.

When I first start tuning the IMF, I direct everything to an archive folder; by default you can find this in the SMTP virtual server's directory. You can change the location of this folder by creating a REG_SZ value called ArchiveDir in this Registry key:

HKLM\Software\Microsoft\Exchange\ContentFilter

Set this value to the directory in which you want to store archived messages. Another useful value that should be created in this Registry key is one that tells the IMF to include the SCL value and probability in the message headers. Create a REG_DWORD value called ArchiveSCL in the same Registry key, and set it to 1. Once this is done, the IMF will add to the SMTP header a value called X-SCL that includes the SCL value and the probability rating of the message. Changing these Registry values requires you to restart the SMTP service.

Now you will find the archived messages that meet or exceed the gateway blocking SCL in the directory you specified. You can review these files and determine whether the message is really spam. If it is not spam, you can simply put it in the SMTP virtual server's Pickup folder, and the message will be delivered. Reading these messages can be a little difficult, though, especially if you are opening each one in Notepad! One of the clever developers on the Exchange team realized this and wrote a spiffy, free (and unsupported) utility called the IMF Archive Manager. Figure 16.14 shows the IMF Archive Manager. You can download the latest version from http://tinyurl.com/5w5pr. From the IMF Archive Manager, you can scroll through the messages, delete messages, copy the message content to the Clipboard, resubmit the message for delivery (in case of a false positive), or report the message. The report feature is nice if you have someone to whom you can send the spam. I specify the spam@uce.gov address that the U.S. Federal Trade Commission maintains for reporting spam.

You can further customize the IMF v2 that ships with Exchange 2003 SP2 using custom weighting. This allows you to specify additional words or phrases that may increase or decrease the likelihood that a message is spam. To create a custom weighting file, you first need to register the DLL that will be used to read and process the weighting file. At the command prompt, type the following:

REGSVR32 "C:\Program Files\Exchsrvr\bin\MSCFV2\msexchange.ucecontentfilter.dll"


specifically placed a sender or sender's domain in their Safe Senders list, the message will not be moved to the Junk E-mail folder. The user's Safe Senders list is currently ignored when messages are being processed at the gateway. In a future version of Exchange, the gateway will be able to consider a user's Safe Senders list, but this currently would place far too much CPU and memory load on the gateway server.

Once the IMF options in the Message Delivery Properties dialog box are set, you need to enable IMF scanning on the SMTP virtual servers that will accept inbound mail from the Internet. If you use front-end or bridgehead servers, then you need only enable the IMF on the SMTP virtual servers located on those servers. The IMF filter is enabled in the same dialog box as the Sender, Recipient, Connection, and Sender ID filters shown earlier in the chapter.

Probabilities of Spam

One Saturday night when I was a little bored, I analyzed the SCL rating against the probability rating found in the X-SCL header in order to get a better idea of what the SCL actually means. I took approximately 300 messages in the IMF archive and found the percentage boundaries for each SCL. Since the IMF archive had only messages with an SCL of 5 or greater, I have values only for SCL ratings of 5 and higher.

SCL 9 means 98.75 to 100 percent probability of being spam.
SCL 8 means 96.91 to 98.74 percent probability of being spam.
SCL 7 means 94.27 to 96.87 percent probability of being spam.
SCL 6 means 90.41 to 94.25 percent probability of being spam.
SCL 5 means 74.98 to 90.33 percent probability of being spam.

Although this may not mean much to most people, what it told me is that setting the SCL value to archive or reject messages with an SCL of 7 or greater means I'm rejecting messages that have a 94.27 percent or greater probability of being spam.


Configuring the Intelligent Message Filter

Configuring the IMF is deceptively simple because the Intelligent Message Filtering property page (shown in Figure 16.13) of the Message Delivery Properties dialog box has only three configuration options.

Figure 16.13 Configuring the Intelligent Message Filter

I said configuration is deceptively simple. It is deceptive because you have to choose the right levels for your organization. The Gateway Blocking Configuration settings allow you to set a level from 1 to 9, where that number is the SCL of the message being examined. If a message's SCL is equal to or greater than the number specified in the Block Messages with an SCL Rating Greater Than or Equal To drop-down list, then the action specified in the When Blocking Messages drop-down list is taken. You can specify the following actions:

Archive specifies that the message will be placed in the IMF's archive folder, where it can be reviewed by an administrator. By default, this is the SMTP virtual server's UCEArchive folder, but you can change this via the Registry.

Delete specifies that the message should be deleted. No one is notified that the message is deleted.

No Action specifies that the gateway (the machine on which the IMF is processing the messages, usually a bridgehead or the front-end server) assigns the SCL but passes the message to the mailbox server or Information Store.

Reject specifies that the message be refused and that an NDR message be sent to the sender. This is nice if the message ends up being a false positive, because then at least the sender is notified.

The Store Junk E-mail Configuration portion of the IMF's configuration allows you to specify your tolerance for messages that are sent to the Information Store. This value will be less than the value that you process at the gateway. Messages that are passed to the store are placed in the user's Junk E-mail folder if they are using Outlook 2003 or Outlook Web Access 2003. If a user has
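The two thresholds and four actions above, together with the SCL-to-probability bands the author measured in the Probabilities of Spam section and the -1 rule for authenticated connections, describe a small decision path; the following script walks a message through it. This is an added example, not code from the book or from Exchange: ImfPolicy, disposition and measure_bands are names I chose, the validation rule that the store threshold must not exceed the gateway threshold is taken from the sentence "This value will be less than the value that you process at the gateway", and the sample (SCL, probability) records fed to measure_bands are constructed, not the author's data.

```python
"""Model of the IMF decision path described in this section.

Added example, not code from the book or from Exchange. Thresholds follow
the chapter's recommended starting point; the probability bands are the
author's own measurement from roughly 300 archived messages.
"""
from dataclasses import dataclass

GATEWAY_ACTIONS = ("Archive", "Delete", "No Action", "Reject")

# SCL -> (low %, high %) as measured by the author; SCL 0-4 were absent
# from the archive, so no band is given for them, exactly as in the chapter.
SCL_PROBABILITY = {9: (98.75, 100.0), 8: (96.91, 98.74), 7: (94.27, 96.87),
                   6: (90.41, 94.25), 5: (74.98, 90.33)}


@dataclass(frozen=True)
class ImfPolicy:
    gateway_scl: int     # "Block Messages with an SCL Rating Greater Than or Equal To"
    gateway_action: str  # "When Blocking Messages"
    store_scl: int       # Store Junk E-mail Configuration threshold

    def __post_init__(self):
        for name, value in (("gateway_scl", self.gateway_scl), ("store_scl", self.store_scl)):
            if not 1 <= value <= 9:
                raise ValueError(f"{name} must be 1-9, got {value}")
        if self.gateway_action not in GATEWAY_ACTIONS:
            raise ValueError(f"unknown gateway action {self.gateway_action!r}")
        if self.store_scl > self.gateway_scl:
            raise ValueError("store threshold must not exceed the gateway threshold")


def policy_is_valid(gateway_scl, gateway_action, store_scl):
    """True if the combination passes the checks in ImfPolicy."""
    try:
        ImfPolicy(gateway_scl, gateway_action, store_scl)
        return True
    except ValueError:
        return False


def disposition(policy, scl, authenticated=False):
    """Where a message with this SCL ends up under the policy."""
    if authenticated:
        # Authenticated sources are not scanned; Outlook shows SCL -1.
        return "inbox (SCL -1: authenticated connection, not scanned)"
    if not 0 <= scl <= 9:
        raise ValueError("SCL must be 0-9")
    if scl >= policy.gateway_scl and policy.gateway_action != "No Action":
        return {"Archive": "archived in the UCEArchive folder for review",
                "Delete": "deleted at the gateway, nobody notified",
                "Reject": "rejected at the gateway, NDR sent to sender"}[policy.gateway_action]
    if scl >= policy.store_scl:
        return "Junk E-mail folder"
    return "inbox"


def spam_probability_band(scl):
    """(low %, high %) the author observed for this SCL, or None if unmeasured."""
    return SCL_PROBABILITY.get(scl)


def measure_bands(records):
    """Reproduce the author's analysis: given (SCL, probability %) pairs taken
    from X-SCL headers, return the observed low/high probability per SCL."""
    bands = {}
    for scl, prob in records:
        low, high = bands.get(scl, (prob, prob))
        bands[scl] = (min(low, prob), max(high, prob))
    return dict(sorted(bands.items(), reverse=True))


# The chapter's recommended starting point: gateway 8 / Archive, store 6.
RECOMMENDED_START = ImfPolicy(gateway_scl=8, gateway_action="Archive", store_scl=6)

if __name__ == "__main__":
    for scl in range(10):
        band = spam_probability_band(scl)
        print(f"SCL {scl}: {disposition(RECOMMENDED_START, scl):45} band={band}")
    # Constructed records, not the author's data.
    print(measure_bands([(7, 94.5), (7, 96.1), (6, 91.0), (9, 99.2)]))
```

Running the table for SCL 0 through 9 is a quick way to sanity-check a proposed pair of thresholds before changing them on the gateway: every SCL should map to exactly one of archive/delete/reject, Junk E-mail folder, or inbox, and lowering the store threshold moves rows from inbox to Junk E-mail without touching the gateway rows.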


Figure 16.12 Configuring connection filtering

Also found on the Connection Filtering property page are the Global Accept and Deny List Configuration options. From these lists you can specify IP addresses or IP subnets from which you will either always accept or always reject inbound SMTP mail. The only logging that is generated is the information found in the SMTP protocol logs; separate logs of rejected connections or e-mail addresses are not kept. For information about how to perform logging, along with a SQL stored procedure for generating a report, visit http://martijnjongen.com for the instructions and the necessary SQL scripts. My biggest beef with Microsoft's implementation of RBL features is that there is no option for either tagging the message's subject line or marking the message as potential spam and passing it to another scanning system. Either the message is rejected or it is not.

Intelligent Message Filter

The Intelligent Message Filter (IMF) is Microsoft's first real attempt at providing antispam protection for Exchange. As I mentioned earlier, sender filtering and recipient filtering are minimally effective, and there is a lot of controversy surrounding the use of connection filtering. Microsoft first announced the IMF in November of 2003. For a while, the rumor was that either you would have to pay for it or it would be available only to customers who subscribed to Software Assurance. When it was finally released shortly after Exchange 2003 SP1, it was a free add-on. For nearly a year, Microsoft did not update the filter. With the release of Exchange 2003 SP2, the IMF is completely integrated with Exchange 2003. If you are still running Exchange 2003 SP1 and the IMF v1, you should log on as the person who installed the IMF and remove the IMF from Add/Remove Programs before you install SP2.

The IMF is probably not the best antispam-filtering system available on the market. However, it is quite good. It is free, so that elevates it a few additional points, in my humble opinion. This makes up for the fact that it is not as configurable and does not have as many reporting features as other products on the market. The IMF is a fairly simple technology for Exchange. When a message arrives from the Internet, the IMF scans the message using Microsoft's SmartScreen scanning technology and determines the spamminess of the message. Based on technology in the filter, the message is assigned a Spam Confidence Level (SCL) rating.


Configuring a Connection Filter to Use a Block List

Configuring Exchange 2003 to use a block list is pretty simple. Display the Connection Filtering property page of the Message Delivery object, and then click the Add button. You will see a dialog box that allows you to specify a connection filtering rule. In the Connection Filtering Rule dialog box, you must enter a name for the rule and the DNS suffix of the RBL provider. In this case, I'm using bl.spamcop.net. Optionally, you can also configure a custom error message that is included in the frame that rejects the message. I like to do this in case the sender is a valid user; I include the web address for the provider so the administrator can find out how to get their IP address removed.

Clicking the Return Status Code button allows you to specify which types of servers you will reject. If the RBL provider you are using supports all of the return status codes in Table 16.2, you can specify which types of blocked hosts you want to block. The default is that any returned address is blocked. For example, if I wanted to block only known open relays, I would enter 127.0.0.4.

Inevitably, some IP addresses wind up on RBLs and don't really belong there. This was common with Exchange 5.5 because the Internet Mail Service was open for relay by default. Some RBLs are notoriously difficult to get off of once your IP address is on them. For this reason, the Connection Filtering property page (shown in Figure 16.12) allows you to specify a list of SMTP addresses from which you will always accept mail, even if they are found to be coming from an open relay. You can find these addresses in the Exception list.


I can also test to see whether an IP address is on a specific RBL using the NSLOOKUP command. For the 64.119.217.53 IP address, the result would look like this:

C:\>nslookup -q=a 53.217.119.64.bl.spamcop.net
Server:  kalapana.volcanosurf.com
Address:  192.168.254.10

Name:    53.217.119.64.bl.spamcop.net
Address:  127.0.0.2

Table 16.2: RBL Provider Status Code Examples

Status Code                                     Explanation
No response / Not found / Name does not exist   Host is not on this RBL
127.0.0.2                                       Known source of spam or known open relay
127.0.0.3                                       Known dial-up IP address or DHCP range
127.0.0.4                                       Known source of spam
127.0.0.5                                       Known smart host or multistage open relay
127.0.0.6                                       Spam software developer or site that advertises using spam (see spamsites.org)
127.0.0.7                                       List server that automatically opts in e-mail addresses without confirmation
127.0.0.8                                       Systems with insecure CGI scripts or scripts that turn them into an open relay
127.0.0.9                                       Open proxy servers

Learning More about Block Lists

Block lists have been around almost as long as spam. They have been met by e-mail administrators with a mixed range of emotions. Some administrators think block lists are gifts from the heavens; others think they are a form of terrorism. Most block list providers have been threatened with lawsuits numerous times. A lot of RBL providers are on the Internet; most of them are free. They do accept donations, however. If you use their services, consider sending them some money so they can keep operating. The following is a list of some of the more popular RBLs:

www.ordb.net
www.spamcop.net
cbl.abuseat.org
www.mail-abuse.org
www.spamhaus.org

You can find a list of some of the most common RBL providers and the features they support at www.email-policy.com/Spam-black-lists.htm.


If the host had been on the RBL, the response would look similar to this in the Answer section of the DNS response:

DNS: Answer section: 53.217.119.64.bl.spamcop.net. of type Host Addr on class INET addr.
DNS: Resource Name: 53.217.119.64.bl.spamcop.net.
DNS: Resource Type = Host Address
DNS: Resource Class = Internet address class
DNS: Time To Live = 2048 (0x800)
DNS: Resource Data Length = 4 (0x4)
DNS: IP address = 127.0.0.2

WARNING In Microsoft's implementation of block list lookups, if a sender's IP address is on the block list, the connection is rejected. Other implementations (such as some antispam systems) use the RBL lookup as one more factor that can increase the likelihood that a message is spam. Other implementations will tag the subject line or quarantine messages that are received from hosts on a block list.

This response is from SpamCop's RBL service (www.spamcop.net). Notice that the IP address reported for the host 53.217.119.64.bl.spamcop.net was 127.0.0.2. Figure 16.11 shows the relevant frames captured in Microsoft Network Monitor.

Figure 16.11 Capturing an SMTP session with an RBL lookup

Once the Exchange server realized that the inbound IP address was on an RBL, it rejected the inbound message and disconnected the session. The SMTP response looked like this:

SMTP: Response = 550 5.7.1 64.119.217.53 has been blocked by Spamcop RBL list

If you are curious about what this looked like in the SMTP protocol logs, my Exchange 2003 server issued a 550 response. Here is the conversation from the perspective of the SMTP protocol logs:

15:29:32 64.119.217.53 bestdealsguy.com HELO – +bestdealsguy.com 250
15:29:32 64.119.217.53 bestdealsguy.com MAIL – +FROM:+ 250
15:29:32 64.119.217.53 bestdealsguy.com RCPT – +TO:+ 550
15:29:32 64.119.217.53 bestdealsguy.com QUIT – bestdealsguy.com 240

The most common response is probably either name does not exist or 127.0.0.2, which means the requested host is on the RBL. Table 16.2 lists the possible status codes that the RBL server may return. Not all RBLs support anything other than 127.0.0.2; see www.email-policy.com/Spam-black-lists.htm for a list of some of the RBLs and the status returns they support. There is no Internet standard for return codes, and not all RBL providers use the exact list shown in Table 16.2. Check with the provider you plan to use to see which return codes they use.
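The lookup and the decision the chapter walks through here (reverse the octets of the connecting IP, append the list's zone, read the 127.0.0.x answer against Table 16.2, honour the Return Status Code selection and the Exception list, then issue the 550) fit in a few functions. The following is an added example, not code from the book or from Exchange. It runs offline: fake_resolve is a constructed stand-in for DNS that only knows the SpamCop answer shown above for 64.119.217.53 and returns "name does not exist" for everything else; check_connection, accept_list and block_codes are names I chose. One check the page's warning about broken lists argues for is included: an answer outside 127.0.0.0/8 is not a valid list code and is ignored rather than treated as a listing.

```python
"""RBL lookup logic as described in this section. Added example, not code
from the book or from Exchange; DNS is replaced by a constructed table so
the script runs offline."""
import ipaddress

# Table 16.2 from the chapter: meaning of the 127.0.0.x answers.
RBL_STATUS = {
    "127.0.0.2": "Known source of spam or known open relay",
    "127.0.0.3": "Known dial-up IP address or DHCP range",
    "127.0.0.4": "Known source of spam",
    "127.0.0.5": "Known smart host or multistage open relay",
    "127.0.0.6": "Spam software developer or site that advertises using spam",
    "127.0.0.7": "List server that automatically opts in e-mail addresses without confirmation",
    "127.0.0.8": "Systems with insecure CGI scripts or scripts that turn them into an open relay",
    "127.0.0.9": "Open proxy servers",
}
LIST_CODE_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed stand-in for DNS: the one answer the chapter captured.
FAKE_DNS = {"53.217.119.64.bl.spamcop.net": ["127.0.0.2"]}


def fake_resolve(name):
    """Return the A records for name, or None for 'name does not exist'."""
    return FAKE_DNS.get(name)


def rbl_query_name(ip, zone):
    """85.201.95.216 + bl.spamcop.net -> 85.201.95.216.bl.spamcop.net style name:
    the same shape as a reverse lookup, with the list zone in place of in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_connection(ip, zone, resolve=fake_resolve, accept_list=(), block_codes=None):
    """Decide accept/reject for a connecting IP. accept_list holds IPs or
    subnets that are always accepted (the Exception / Global Accept list);
    block_codes, when given, mirrors the Return Status Code button and limits
    the rejection to those answers. Returns (verdict, reason)."""
    addr = ipaddress.IPv4Address(ip)
    for net in accept_list:
        if addr in ipaddress.IPv4Network(net):
            return "accept", f"{ip} is on the accept / exception list"
    answers = resolve(rbl_query_name(ip, zone)) or []
    if not answers:
        return "accept", "name does not exist: host is not on this RBL"
    codes = []
    for answer in answers:
        try:
            if ipaddress.IPv4Address(answer) in LIST_CODE_RANGE:
                codes.append(answer)
        except ValueError:
            pass
    if not codes:
        # A list that answers with a routable address is broken or expired;
        # treating that as a listing would reject every sender.
        return "accept", f"unexpected answer {answers}: not a list code, check the RBL"
    if block_codes is not None:
        codes = [c for c in codes if c in block_codes]
        if not codes:
            return "accept", "listed, but not with a status code this rule blocks"
    reasons = "; ".join(RBL_STATUS.get(c, f"undocumented code {c}") for c in codes)
    return "reject", reasons


def smtp_reject_response(ip, rule_name):
    """The 550 the chapter shows Exchange returning at RCPT TO."""
    return f"550 5.7.1 {ip} has been blocked by {rule_name}"


if __name__ == "__main__":
    for ip in ("64.119.217.53", "216.95.201.85"):
        verdict, reason = check_connection(ip, "bl.spamcop.net")
        print(ip, verdict, reason)
        if verdict == "reject":
            print("  ", smtp_reject_response(ip, "Spamcop RBL list"))
```

To use it against a live list, replace fake_resolve with a function that does an A query for the name and returns None on NXDOMAIN; the rest of the logic, including the 127.0.0.0/8 sanity check, stays the same.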


This server had the Filter Recipients Who Are Not in the Directory check box enabled, and thus for each of these recipients the error code 550 was returned. You may notice that each of these attempts was 15 seconds apart. This is because the SMTP server has an SMTP tar pit of 15 seconds defined, which slows the return of error codes. None of the recipients you see in this small listing (I took a very small part of the log) is or ever was a valid recipient in this company's mail system. All in all, over a four-hour period, this IP address attempted nearly 1,000 invalid messages. Fortunately, the tar pit slows down the attempted delivery of these messages, and since recipient filtering is enabled, the messages never actually enter the mail server.

Connection Filtering

Connection filtering allows you to reject inbound IP addresses if the IP address is found on a block list. Block lists are also known as real-time block lists (RBL), real-time black hole lists, or just black hole lists; Microsoft refers to these as real-time block lists. As far as a true, built-in antispam feature for Exchange 2003 goes, this is about as close as it gets. My favorite RBL at the moment is the Spamhaus XBL and SBL combination (www.spamhaus.org), though I am always testing the performance of these block lists. I find that using the Spamhaus list with the Open Relay Database (www.ordb.net) and SpamCop (www.spamcop.net) helps the RBL feature block about 50 to 70 percent of the spam I receive.

Not everyone has such a charitable attitude toward block lists. More than once I have seen discussions in newsgroups by frustrated administrators whose servers or entire IP subnets have been placed on an RBL through no fault of their own. In one case in particular, an entire subnet was placed on an RBL because the previous occupier of those IPs had open SMTP relays. And I have tested RBLs that ended up being too aggressive in how they add hosts to their lists. The SORBS list, for example, includes many dial-up and DHCP addresses. Although these types of addresses are often the source of spam, many small businesses now use DHCP addresses for their mail servers (including my own home/test network). In my case, I have to relay all of my outbound mail through my cable modem provider in order for some large ISPs to accept the mail that I send.

WARNING Yes, RBLs help me block more than 50 percent of the spam I receive. However, before you get up and start dancing on the tables, read the section later in this chapter called Detection and False Positives.

Microsoft's implementation of RBL features is not the most robust in the world, so the error logging and filtered message forwarding features are nonexistent. Connection filtering checks one or more lists of open relays, dial-up addresses, and known spammers. These lists are usually implemented via DNS, and therefore they are easily queried by almost any type of SMTP host. When an inbound connection is established to an SMTP virtual server with a connection filter enabled, the virtual server does a DNS query for a hostname, but the query looks like a reverse lookup. The RBL lookup is almost the same as a regular reverse lookup, except that the root domain is the name of your RBL provider rather than in-addr.arpa. For example, if the inbound IP address is 216.95.201.85, the query will be 85.201.95.216.bl.spamcop.net because I'm using the SpamCop RBL. The following is the captured query from Microsoft Network Monitor:

DNS: 0x6C:Std Qry for 85.201.95.216.bl.spamcop.net. of type Host Addr on class INET addr.

If the IP address is OK, the response from the DNS looks like this:

DNS: 0x6C:Std Qry Resp. Auth. NS is spamcop.net. of type SOA on class INET addr. : Name does not exist
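Since the SMTP protocol log is the only record Exchange 2003 keeps of what recipient filtering and the tar pit did, it is worth being able to pull the pattern the author describes (one client IP collecting a run of 550s at RCPT TO, each answer delayed by the tar pit) out of that log automatically. The following is an added example, not code from the book or from Exchange. The sample log is constructed in the trimmed shape the chapter prints (time, client IP, client host, command, a dash, parameters, status); a real W3C-format protocol log has more columns, so parse_line reads only the first four fields and the last one. The recipient addresses and the second, legitimate sender are made up; summarize, harvest_suspects and the tarpitted flag are names I chose.

```python
"""Find tar-pitted recipient-filter rejections in Exchange 2003 SMTP
protocol log lines. Added example, not code from the book or from Exchange;
the sample log below is constructed."""
from collections import defaultdict

# Constructed sample modelled on the chapter's excerpt: one source probing
# three recipients that do not exist, 15 seconds apart, then one normal
# delivery from another host.
SAMPLE_LOG = """\
15:29:32 64.119.217.53 bestdealsguy.com HELO - +bestdealsguy.com 250
15:29:32 64.119.217.53 bestdealsguy.com MAIL - +FROM:+<promo@bestdealsguy.com> 250
15:29:32 64.119.217.53 bestdealsguy.com RCPT - +TO:+<aaron@example.com> 550
15:29:47 64.119.217.53 bestdealsguy.com RCPT - +TO:+<abbey@example.com> 550
15:30:02 64.119.217.53 bestdealsguy.com RCPT - +TO:+<abbott@example.com> 550
15:30:17 64.119.217.53 bestdealsguy.com QUIT - bestdealsguy.com 240
15:31:05 198.51.100.9 mx.partner.example MAIL - +FROM:+<alice@partner.example> 250
15:31:05 198.51.100.9 mx.partner.example RCPT - +TO:+<bob@example.com> 250
"""


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Return (time_in_seconds, client_ip, command, status) or None for a
    line that is not a log record (blank lines, W3C '#Fields:' comments)."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 5:
        return None
    try:
        return _seconds(parts[0]), parts[1], parts[3].upper(), int(parts[-1])
    except ValueError:
        return None


def summarize(log_text, tarpit_seconds=15):
    """Per client IP: how many RCPT TO commands drew a 550, the gaps in
    seconds between consecutive rejections, and whether every gap is at
    least the tar pit delay (the spacing the chapter's administrator saw)."""
    rejected_at = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "RCPT" and rec[3] == 550:
            rejected_at[rec[1]].append(rec[0])
    summary = {}
    for ip, times in rejected_at.items():
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        summary[ip] = {
            "rcpt_550": len(times),
            "gaps": gaps,
            "tarpitted": bool(gaps) and all(g >= tarpit_seconds for g in gaps),
        }
    return summary


def harvest_suspects(log_text, min_rejections=3):
    """Client IPs with enough rejected recipients to look like they are
    guessing addresses rather than mistyping one."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["rcpt_550"] >= min_rejections)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
    print("suspects:", harvest_suspects(SAMPLE_LOG))
```

On a full day's log the rcpt_550 count per IP is the number to watch: the chapter's source reached nearly 1,000 over four hours, and a gap list that is uniformly the tar pit interval confirms the tar pit was actually applied to that session rather than the sender simply pausing.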
