
SPAM! SPAM! SPAM! 673

• Select Delete, and the message is simply deleted; neither the sender nor the recipient is ever notified.
• Select Reject, and the message is not accepted, but the sender receives an NDR.

WARNING I strongly recommend that if you use Sender ID filtering, you configure it only with the Accept option. Many, many domains on the Internet (valid senders) do not have DNS SPF records.

Exchange hides the results of the Sender ID lookup, but it is possible to expose this information in Outlook. The Exchange team has a good blog entry on the result codes that Sender ID generates and how to expose them in Outlook. See the blog entry at http://tinyurl.com/azyc2.

Spam! Spam! Spam!

It typically takes from 1,000 to 10,000 spams to make one sale. If you buy from a spammer, you are personally responsible for the next 1,000 to 10,000 spams sent…including the porn spam sent to your kids.
Paul Myers, TalkBiz News

Unsolicited Commercial E-mail (UCE) is the official name for the scourge that now darkens our inboxes every morning. For purposes of this chapter, though, I'll just refer to it as spam. Spam has become a significant problem for most corporate, government, and individual e-mail users; it consumes disk space, uses bandwidth, and, most of all, consumes a lot of our time.

In 2003, the Radicati Group (www.radicati.com) estimated that spam accounted for nearly 45 percent of all Internet SMTP traffic and that this figure would grow to more than 70 percent by 2007. In some respects I think the Radicati Group was being conservative in its estimates. Some administrators are already reporting that more than 80 percent of the daily mail they receive is spam, and I have personally seen one organization that was at the 90 percent threshold (without any filtering).
They further estimate that 30 percent of the average company's mail server resources are used by junk mail, for an estimated cost of approximately $49 per user, and this is expected to exceed $250 by 2007. One study (www.evsmail.com/roi.html) shows that the average North American worker who has e-mail spends about 30 minutes per day dealing with spam. If that worker earns $20 per hour, dealing with spam will cost his company $2500 over the course of a year. The Gartner Group (www.gartner.com) estimates that workers spend nearly 50 minutes per day dealing with unwanted junk mail.

One large organization reported that the amount of spam it received increased from 100,000 messages per month in February 2002 to more than 400,000 by July of 2003; that is more than 50 percent of the total mail it receives monthly. A 75-mailbox organization I know has implemented a real-time blocking solution that quarantines messages from known open relays and performs some basic Bayesian logic on the messages. Their quarantine public folder contains three days' worth of isolated messages, or about 7,000 items! If each of these messages averages 5KB in size, that is about 35MB of storage for three days' worth of spam. Not to mention that it takes an estimated 85MB of network bandwidth to receive those messages from the Internet! Clearly, something has to give.

NOTE Exchange guru Jason Zann has produced an excellent e-book titled Content Security in the Enterprise: Spam and Beyond. You can view this e-book for free at http://tinyurl.com/lnac6.


672 CHAPTER 16 INTERNET CONNECTIVITY

mail for your domain. In most cases, all you need to be concerned about is specifying the IP addresses of the mail servers that will send mail on your domain's behalf. You can find this wizard at www.anti-spamtools.org.

Configuring Sender ID

If you plan to use Sender ID as part of your antispam strategy, the first step you need to take is to define the IP addresses of any server in your organization (including SMTP relays in your DMZ, if applicable) and any server that accepts mail on your behalf (such as an ISP or a managed provider). You must add this information to the Perimeter IP List and Internal IP Range Configuration settings on the General property page in the Message Delivery Properties dialog box. Simply click the Add button. In the following configuration settings, I have entered the IP addresses of my SMTP relay hosts, managed provider IP addresses, and the internal subnets for my entire organization:

Any message examined by the Exchange 2003 Sender ID component will eliminate the internal addresses as a possible originating host for the message. Next I need to configure the Sender ID Filtering property page in the Message Delivery Properties dialog box:

The Sender ID filtering properties define how the messages are treated if they fail the Sender ID test. There are three possible options:

• Select Accept, and the message has the Sender ID code included in the message header. If the Sender ID test failed, this will be used by the Intelligent Message Filter as a factor when considering the possibility of the message being spam.


CONTROLLING INBOUND SMTP MAIL 671

to agree on too much. A number of vendors, technologies, and IETF working groups have reviewed methods to help reduce spam and ensure that a message is coming from a known source. One of the problems is that SMTP is designed as an open system and has almost nothing in the way of security built into it. The other problem is that it seems the major mail vendors and ISPs take exception to anything that the others propose. Sender ID came from the MARID IETF working group and combines parts of the Sender Policy Framework and Caller ID. A number of major ISPs (Yahoo! and AOL) and open-source proponents have objected to parts of the Sender ID being patented.

You might receive a message from someone@microsoft.com, but how could you verify that the message came from one of the mail servers that is allowed to send mail for microsoft.com? Sender ID was developed to help verify that inbound messages are indeed originating on servers that should be sending messages for a particular domain. A mail server that can examine a message's headers and verify that the message is indeed coming from a valid server for the sender's domain can help reduce the number of spoofing or phishing attacks, as well as help determine whether a message is valid.

To determine the validity of a sender's server, an algorithm called the Purported Responsible Address (PRA) is used. The PRA algorithm has to examine the entire message and the message headers (including the MAIL FROM, Resent-Sender, Resent-From, Return-Path, Received, or other message headers that may indicate the sender's SMTP address). The PRA algorithm determines the purported responsible address for the message. Once the PRA is determined, the SMTP headers must be examined to determine the server that was responsible for sending the message to your organization. To do that, Exchange must know all of the SMTP servers (Exchange and otherwise) within your organization or at a managed provider, if you are using one.
Once the server that is responsible for delivering a message to your SMTP servers is determined, DNS is queried to locate the SPF records for the sending organization's SMTP servers. The SPF record must include any relays or smart hosts that the sender might use.

NOTE Microsoft has a place on its website dedicated to getting more information about Sender ID; visit www.microsoft.com/senderid for more information.

Setting Up DNS SPF Records

Even if you don't plan on using Sender ID as part of your antispam or sender verification strategy, you still need to set up the DNS SPF records. The DNS SPF records are used by hosts to which your servers send messages. So if someone you are sending to starts using Sender ID as one of the criteria for evaluating spam (or, heaven forbid, they reject the message entirely if it does not have a Sender ID record), then this can cause problems for the delivery of your organization's mail. The DNS SPF record indicates a list of servers that are authorized to send outbound SMTP mail for your organization.

You can easily check to see whether your organization or any other has SPF records created using NSLOOKUP. The following is a simple example of an SPF record for somorita.com:

C:\>nslookup -q=TXT somorita.com
Server:  kilauea1.volcanosurfboards.com
Address:  192.168.254.15

somorita.com    text = "v=spf1 mx ip4:131.107.2.200 ip4:131.107.2.201 -all"

This SPF record indicates that the servers with MX records for somorita.com can send mail for somorita.com, as can the IP addresses 131.107.2.200 and 131.107.2.201. This is a fairly simple record but would be sufficient for a small organization. The nice part is that no one expects you to remember the syntax of the SPF records. Microsoft has a web-based wizard that will take you through the process of asking which servers are able to send
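The PRA selection, the search for the delivering server, and the SPF evaluation described above, as an added example that is not from the book or from Exchange: a Python model of the Sender ID check that goes slightly beyond the text by handling the +, -, ~ and ? qualifiers. DNS is replaced by an in-memory table (the somorita.com record above plus a constructed MX host), the Perimeter/Internal IP ranges and the sample message are constructed, and example.test is a placeholder receiving domain.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS so this runs offline: the somorita.com record
# from the nslookup output above, plus one MX host for the "mx" mechanism.
TXT = {"somorita.com": "v=spf1 mx ip4:131.107.2.200 ip4:131.107.2.201 -all"}
MX = {"somorita.com": {"mail1.somorita.com": "131.107.2.210"}}
# Constructed equivalent of the Perimeter IP List / Internal IP Range settings.
INTERNAL = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def purported_responsible_address(raw_message):
    """PRA selection in RFC 4407 header order (simplified: first present header wins)."""
    msg = message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(header):
            return parseaddr(msg[header])[1]
    return None

def responsible_server(raw_message):
    """Walk Received headers newest-first, skipping hops inside our own ranges;
    the first hop outside them is the server whose address Sender ID tests."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", received)
        if m and not any(ipaddress.ip_address(m.group(1)) in net for net in INTERNAL):
            return m.group(1)
    return None

def evaluate_spf(domain, client_ip):
    """Evaluate the domain's SPF record for client_ip. Supports the mechanisms in
    the record above (ip4, mx, all) with the +, -, ~ and ? qualifiers and returns
    pass, fail, softfail or neutral; "none" means the domain publishes no record."""
    record = TXT.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = str(ip) in MX.get(arg or domain.lower(), {}).values()
        elif name == "all":
            matched = True
        else:
            continue  # a, include, exists and redirect are not modelled here
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched

def sender_id_check(raw_message, client_ip=None):
    """PRA -> its domain -> SPF record evaluated against the delivering server."""
    pra = purported_responsible_address(raw_message)
    client_ip = client_ip or responsible_server(raw_message)
    if not pra or "@" not in pra or client_ip is None:
        return "none"
    return evaluate_spf(pra.rsplit("@", 1)[1], client_ip)

# Constructed message: a somorita.com server listed in the record handed it to
# our gateway (192.168.254.15), which passed it on to the mailbox server.
SAMPLE = """Received: from gw.example.test (192.168.254.15) by mbx.example.test
Received: from mail1.somorita.com (131.107.2.200) by gw.example.test
From: Somorita Sales <sales@somorita.com>
To: user@example.test
Subject: Surfboard order

Aloha!
"""

if __name__ == "__main__":
    print(sender_id_check(SAMPLE))  # pass
```

A "fail" here is what the Accept option records in the header for the IMF to weigh; the Delete and Reject options act on it directly, which is why domains without any record ("none") matter so much.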


670 CHAPTER 16 INTERNET CONNECTIVITY

Automatic Updates to the IMF

One of the nicest features about IMF v2 is that you can configure it to automatically update the signatures. Actually, it is nice that it is being updated at all, considering the IMF v1 was updated only once! Microsoft is promising these updates will be available on the first and third Wednesday of each month through Microsoft Update, WSUS, and other Microsoft technologies that can apply updates. To enable updates for the filter, create a Registry value of type REG_DWORD called ContentFilterState in the following Registry key:

HKLM\SOFTWARE\Microsoft\Exchange

Set this value to 1 to enable updates or 0 to disable them, and then restart the SMTP Service. The next time you run Microsoft Update or updates are downloaded to the server from WSUS, the next available update will be downloaded (and optionally applied automatically if that is how you have the server configured). Figure 16.17 shows Microsoft Update.

Figure 16.17 Microsoft Update providing an update to the IMF

Sender ID Filtering

I debated simply ignoring the whole concept of Sender ID for this edition of the book since it is not in wide use and it can cause you more problems than it can solve. However, administrators are often intrigued by new features and are anxious to enable them to see how they will function. But I would be remiss in my responsibilities to you if I did not explain the function of Sender ID and why it can be harmful to your message system's health.

WARNING For starters, though, I will warn that if you enable Sender ID on your gateway servers and set it to either delete or reject messages whose Sender ID verification fails, then you will be missing out on more than half of the mail you should be receiving!

What Is Sender ID?
Our industry has been scrambling to find ways to reduce the amount of spam that we receive and help to keep user confidence in their mail systems so they know that when a message is received from someone, that person really sent it. Unfortunately, time and time again, industry leaders cannot seem


CONTROLLING INBOUND SMTP MAIL 669

Figure 16.15 Monitoring the IMF's counters in the Performance console

You can also see the IMF value that is assigned to a message that makes its way into your Junk E-mail folder. By default, the SCL value is not exposed in the user interface, but thanks to a clever Microsoft engineer (the same clever dude who wrote the IMF Archive Viewer) and Exchange guru Paul Bowden, you can add the SCL to the Outlook view using either Outlook 2003 or Outlook Web Access 2003. For information about doing this using Outlook 2003, see the Exchange team blog at http://tinyurl.com/b2p5n. For information about how to expose the SCL value in Outlook Web Access, see http://tinyurl.com/7vemy. Figure 16.16 shows the exposed SCL column in Outlook 2003.

Figure 16.16 Exposing the SCL value in Outlook 2003

If you see an SCL value of 0, this means the message was below the SCL value required to put the message in the Junk E-mail folder. I see this frequently when I move a message manually to the Junk E-mail folder. If you see an SCL value of -1, it means the message came through an authenticated connection.


668 CHAPTER 16 INTERNET CONNECTIVITY

Figure 16.14 Easily manage IMF archived files using the IMF Archive Manager

If your Exchange software is in another location, make sure you specify the correct path to the msexchange.ucecontentfilter.dll file. Now you can create a file called msexchange.ucecontentfilter.xml in the c:\program files\exchsrvr\bin\mscfv2 folder. This file must be an XML file, and it must be saved in Unicode format. In this example, I want to make sure any message that contains the word surfboard in either the subject or the body of the message is given an SCL of 0. I also want to make sure any message that contains the phrase free Viagra has its SCL increased by 5, and that anytime the subject contains the phrase Joke of the day, the SCL is 9. For more information about creating and customizing a custom weighting list, see the Exchange 2003 SP2 release notes. You can find a link to these in Microsoft Knowledge Base article 906671, Microsoft Exchange Server 2003 Service Pack 2 release notes.

If you are curious about how well your IMF is doing at detecting spam, you are in for a slight disappointment. No logging or reporting features are included with the IMF (but, hey, it was free). Digital Labs has a utility called IMF Stats (www.digitallabs.net/imfs/) that can improve on the information you can discern from the IMF. A quick and dirty way to get some basic statistics from the IMF is through the Performance console. You will find some new performance-monitoring counters under the MSExchange Intelligent Message Filter object, including the percentage of messages that are considered spam (the gateway threshold) and the number of messages at each SCL rating. Figure 16.15 shows the Performance console with all of the available counters for the IMF loaded in report form.


666 CHAPTER 16 INTERNET CONNECTIVITY

specifically placed a sender or sender's domain in their Safe Senders list, the message will not be moved to the Junk E-mail folder. The user's Safe Senders list is currently ignored when messages are being processed at the gateway. In a future version of Exchange, the gateway will be able to consider a user's Safe Senders list, but this currently would place way too much CPU and memory load on the gateway server.

Once the IMF options in the Message Delivery Properties dialog box are set, you need to enable IMF scanning on the SMTP virtual servers that will accept inbound mail from the Internet. If you use front-end or bridgehead servers, then you need only to enable the IMF on the SMTP virtual servers located on those servers. The IMF filter is enabled in the same dialog box as the Sender, Recipient, Connection, and Sender ID filters shown earlier in the chapter.

Probabilities of Spam

One Saturday night when I was a little bored, I analyzed the SCL rating against the probability rating found in the X-SCL header in order to get a better idea of what the SCL actually means. I took approximately 300 messages in the IMF archive and found the percentage boundaries for the SCL. Since the IMF archive had only messages with an SCL of 5 or greater, I have values only for SCL ratings of 5 and higher.

• SCL 9 means 98.75 to 100 percent probability of being spam.
• SCL 8 means 96.91 to 98.74 percent probability of being spam.
• SCL 7 means 94.27 to 96.87 percent probability of being spam.
• SCL 6 means 90.41 to 94.25 percent probability of being spam.
• SCL 5 means 74.98 to 90.33 percent probability of being spam.

Although this may not mean much to most people, what it told me is that setting the SCL value to archive or reject messages with an SCL of 7 or greater means I'm rejecting messages that have a 94.27 percent or greater probability of being spam.


CONTROLLING INBOUND SMTP MAIL 667

TIP The IMF needs to be enabled only on the Exchange servers that accept inbound messages from the Internet, not on mailbox servers. The IMF will not scan or filter messages that arrive from an authenticated source, such as other Exchange servers within your organization or SMTP Connectors you have configured for authentication from trusted business partners.

Tuning the Intelligent Message Filter

Over the past two years, I have toyed with differing values for gateway blocking and store configuration but have arrived at no definitive configuration values that will fit every organization. In the organization in which I receive most of my e-mail, a gateway blocking SCL of 6 and a store Junk E-mail SCL value of 5 work well with few false positives. I recommend starting with a gateway blocking value of 8, setting the action to Archive, setting the store Junk E-mail configuration to a value of 6, and then starting to monitor the situation for excessive false positives. Diane Poremsky, owner of www.slipstick.com, noted that with an SCL of 6, she noticed a false positive rate of less than 1 in 800 messages. Dropping that value to an SCL value of 5 increased the false positive rate to 6 in 300.

When I first start tuning the IMF, I direct everything to an archive folder; you can find this in the SMTP virtual server's directory by default. You can change the location of this folder by creating a REG_SZ value called ArchiveDir in this Registry key:

HKLM\Software\Microsoft\Exchange\ContentFilter

Set this value to the directory in which you want to store archived messages. Another useful value that should be created in this Registry key is a value that tells the IMF to include the SCL value and probability in the message headers. Create a REG_DWORD value called ArchiveSCL in the same Registry key, and set it to 1.
Once this is done, the IMF will add to the SMTP header a value called X-SCL that includes the SCL value and the probability rating of the message. Changing these Registry values requires you to restart the SMTP Service. Now you will find the archived messages that meet or exceed the gateway blocking SCL in the directory you specified. You can review these files and determine whether the message is really spam. If it is not spam, you can simply put it in the SMTP virtual server's Pickup folder, and the message will be delivered.

Reading these messages can be a little difficult, though, especially if you are opening each one in Notepad! One of the clever developers on the Exchange team realized this and wrote a spiffy, free (and unsupported) utility called the IMF Archive Manager. Figure 16.14 shows the IMF Archive Manager. You can download the latest version from http://tinyurl.com/5w5pr. From the IMF Archive Manager, you can scroll through the messages, delete messages, copy the message content to the Clipboard, resubmit the message for delivery (in case of a false positive), or report the message. The report feature is nice if you have someone to whom you can send the spam. I specify the spam@uce.gov address that the U.S. Federal Trade Commission maintains for reporting spam.

You can further customize the IMF v2 that ships with Exchange 2003 SP2 using custom weighting. This allows you to specify additional words or phrases that may increase or decrease the likelihood that a message is spam. To create a custom weighting file, you need to first register the DLL that will be used to read and process the weighting file. At the command prompt, type the following:

REGSVR32 "c:\program files\exchsrvr\bin\mscfv2\msexchange.ucecontentfilter.dll"
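An added example (not from the book) that automates the per-SCL probability analysis from the Probabilities of Spam section over an IMF archive folder once ArchiveSCL is set, and reports what share of the archive a given gateway blocking SCL would catch. The X-SCL header format "<scl> <probability>%" is assumed, and the archive files are constructed in a temporary folder so the code runs offline.

```python
import os
import re
import tempfile
from email import message_from_binary_file

# Assumed header format once ArchiveSCL=1 is set: "X-SCL: <scl> <probability>%".
XSCL_RE = re.compile(r"^\s*(\d)\s+(\d+(?:\.\d+)?)\s*%?\s*$")

def parse_xscl(value):
    """Return (scl, probability) from an X-SCL header value, or None if malformed."""
    m = XSCL_RE.match(value or "")
    return (int(m.group(1)), float(m.group(2))) if m else None

def scl_bands(header_values):
    """Per SCL: (lowest probability seen, highest seen, message count); this is
    the boundary analysis from the Probabilities of Spam section."""
    bands = {}
    for value in header_values:
        parsed = parse_xscl(value)
        if parsed is None:
            continue  # skip archived items without a usable X-SCL header
        scl, p = parsed
        lo, hi, n = bands.get(scl, (p, p, 0))
        bands[scl] = (min(lo, p), max(hi, p), n + 1)
    return bands

def archive_xscl_values(archive_dir):
    """Read the X-SCL header from every file in the IMF archive folder
    (UCEArchive by default, or the ArchiveDir Registry value)."""
    values = []
    for name in sorted(os.listdir(archive_dir)):
        path = os.path.join(archive_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                values.append(message_from_binary_file(f).get("X-SCL"))
    return values

def share_at_or_above(bands, threshold):
    """Fraction of archived messages a gateway blocking SCL of `threshold` would catch."""
    total = sum(n for _, _, n in bands.values())
    hit = sum(n for scl, (_, _, n) in bands.items() if scl >= threshold)
    return hit / total if total else 0.0

# Constructed archive contents: minimal .eml files carrying the assumed header.
SAMPLE_MESSAGES = [
    ("X-SCL: 9 99.12%", "Make money fast"),
    ("X-SCL: 9 98.80%", "Cheap pills"),
    ("X-SCL: 8 97.30%", "You have won"),
    ("X-SCL: 7 94.40%", "Re: meeting notes"),
    ("X-SCL: 5 80.02%", "Newsletter"),
]

def demo():
    """Write the constructed archive to a temp folder, scan it, return the bands."""
    with tempfile.TemporaryDirectory() as archive:
        for i, (xscl, subject) in enumerate(SAMPLE_MESSAGES):
            with open(os.path.join(archive, "%d.eml" % i), "wb") as f:
                f.write(("%s\nSubject: %s\n\nbody\n" % (xscl, subject)).encode())
        return scl_bands(archive_xscl_values(archive))
```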


CONTROLLING INBOUND SMTP MAIL 663 Configuring a Connection

664 CHAPTER 16 INTERNET CONNECTIVITY

Figure 16.12 Configuring connection filtering

Also found on the Connection Filtering property page are the Global Accept and Deny List Configuration options. From these lists you can specify IP addresses or IP subnets from which you will either always accept or always reject inbound SMTP mail. The actual logging that is generated is the information found in the SMTP protocol logs. Separate logs of rejected connections or e-mail addresses are not kept. For information about how to perform logging, along with a SQL stored procedure for generating a report, visit http://martijnjongen.com for the instructions and the necessary SQL scripts. My biggest beef with Microsoft's implementation of RBL features is that there is no option for either tagging the message's subject line or marking the message as potential spam and passing it to another scanning system. Either the message is rejected or it is not.

Intelligent Message Filter

The Intelligent Message Filter (IMF) is Microsoft's first real attempt at providing antispam protection for Exchange. As I mentioned earlier, sender filtering and recipient filtering are minimally effective, and there is a lot of controversy surrounding the use of connection filtering. Microsoft first announced the IMF in November of 2003. For a while, the rumor was that either you would have to pay for it or it would be available only to customers who subscribed to Software Assurance. When it was finally released shortly after Exchange 2003 SP1, it was a free add-on. For nearly a year, Microsoft did not update the filter. With the release of Exchange 2003 SP2, the IMF is completely integrated with Exchange 2003. If you are still running Exchange 2003 SP1 and the IMF v1, you should log on as the person who installed the IMF and remove the IMF from Add/Remove Programs before you install SP2. The IMF is probably not the best antispam-filtering system available on the market. However, it is quite good.
It is free, so that elevates it a few additional points, in my humble opinion. Being free, for example, makes up for its not being as configurable or not having as many reporting features as other products on the market. The IMF is a fairly simple technology for Exchange. When a message arrives from the Internet, the IMF scans the message using Microsoft's SmartScreen scanning technology and determines the spamminess of the message. Based on the technology in the filter, the message is assigned a Spam Confidence Level (SCL) rating.


CONTROLLING INBOUND SMTP MAIL 665

Configuring the Intelligent Message Filter

Configuring the IMF is deceptively simple because the Intelligent Message Filtering property page (shown in Figure 16.13) of the Message Delivery Properties dialog box has only three configuration options.

Figure 16.13 Configuring the Intelligent Message Filter

I said configuration is deceptively simple. It is deceptive because you have to choose the right levels for your organization. The Gateway Blocking Configuration settings allow you to set a level from 1 to 9, where that number is the SCL of the message being examined. If a message's SCL is equal to or greater than the number specified in the Block Messages with an SCL Rating Greater Than or Equal To drop-down list, then the action specified in the When Blocking Messages drop-down list is taken. You can specify the following actions:

• Archive specifies that the message will be placed in the IMF's archive folder, where it can be reviewed by an administrator. By default, this is in the SMTP virtual server's UCEArchive folder, but you can change this via the Registry.
• Delete specifies that the message should be deleted. No one is notified that the message is deleted.
• No Action specifies that the gateway (the machine on which the IMF is processing the messages, usually a bridgehead or the front-end server) assigns the SCL but passes the message to the mailbox server or Information Store.
• Reject specifies that the message be refused and that an NDR message be sent to the sender. This is nice if the message ends up being a false positive, because then at least the sender is notified.

The Store Junk E-mail Configuration portion of the IMF's configuration allows you to specify your tolerance for messages that are sent to the Information Store. This value will be less than the value that you process at the gateway.
Messages that are passed to the store are placed in the user's Junk E-mail folder if they are using Outlook 2003 or Outlook Web Access 2003. If a user has
