Want to start a conversation with a stranger? Ask about the most outrageous spam message he or she has ever received. Because everyone who has an email account gets spam, this icebreaker is almost guaranteed to work—although the answer you get might embarrass one or both of you!
Many Exchange administrators use third-party mail filters, but Exchange Server
2003 has a surprisingly good set of built-in spam-reduction tools. In fact,
Microsoft uses these tools as a first line of defense for its own systems, and
Microsoft employees will generally tell you that they don't get much spam. Is
your organization getting the most out of Exchange 2003's built-in tools? To
answer that question, you need a thorough understanding of the tools, how they're
applied, and your configuration options.
The Exchange Antispam Process
Exchange 2003 incorporates several types of antispam protection, including blocking
mail from specific IP addresses or senders and filtering with the Microsoft
Exchange Intelligent Message Filter (IMF). Exchange applies filtering techniques
in a predictable sequence. The process starts when a remote system opens an
SMTP connection to the Exchange server. If the server is accepting connections,
the following types of filtering take place:
- Connection filtering—Exchange applies checks based on the sender's
IP address and other data, such as whether the SMTP conversation has the correct
syntax.
- Sender and recipient filtering—Exchange checks for the sender's IP
address on any blacklists and checks the sender and recipient addresses against
its lists of permitted users and blocked users.
- Content filtering—Exchange passes the message through the IMF (if
it's enabled).
Exchange then submits the message to the mailbox store, where it may be acted upon by the store (according to options set in the IMF) or by the client-side Outlook junk mail filter.
Setting Up Filtering
You control which types of filtering are applied to your Exchange servers in
two ways. First, you can use the Message Delivery node in Exchange System Manager
(ESM) to specify filtering settings for the IMF, sender and recipient filtering,
connection filtering, and Sender ID filtering. Each filtering type has its own
tab in the Message Delivery Properties dialog box, as you can see in Figure
1.
Second, you can control which filtering mechanisms are applied to each SMTP
virtual server in your organization. Open the SMTP virtual server properties
and click the Advanced button on the General tab, then click Edit to display
the Identification dialog box that Figure 2
shows. After you select the filtering types you want to apply, you must restart
the SMTP virtual server for the options to take effect. The settings applied
for each selected filter are drawn from the configuration data for each virtual
server. Having independent filtering options for each virtual server gives you
flexibility in how you filter inbound messages.
It's important to understand that although connection, sender, and recipient filtering happen at different times, they're all part of the SMTP conversation, so they're not really discrete operations.
Connection Filtering
Connection filtering is a catch-all term that includes several steps Exchange
takes when accepting an SMTP connection. The connection begins when a remote
server connects to the Exchange SMTP service. Exchange receives the sender's
IP address and performs several checks.
- Exchange checks the sender's IP address against the lists of allowed and
blocked IP addresses, which are stored in Active Directory (AD). The SMTP
virtual server is smart enough to notice updates to the address lists without
a service restart. If the IP address appears on the global accept list, the
message is exempted from further checks. If the address is on the global deny
list, the connection is immediately dropped. No nondelivery report (NDR) is
generated, but the sending server receives a 5.7.0 Access Denied error
message. Two sets of IP address lists are used for this step: The first set
is the global accept and deny lists, defined on the Connection Filtering tab
of the Message Delivery Properties dialog box, and the second set is the pair
of accept and deny lists that are specific to the individual virtual server.
- If you've enabled reverse DNS lookups, Exchange uses the IP address to perform
a reverse DNS check to verify that a DNS name is associated with the IP address.
If no result is found, Exchange drops the connection.
- The Exchange server accepts the sender's HELO/EHLO message. If it's incorrectly
formed, Exchange drops the connection.
- Exchange accepts the sender's MAIL FROM verb, which provides what's known
as the envelope FROM (or P1) address. This address is who the sender
claims to be, but Exchange makes no effort to verify it. However, Exchange
does check the P1 address against the list of blocked senders. If the address
is on the list, Exchange drops the connection with a 5.1.0 Sender Denied
error message; otherwise, the Exchange server sends a 250 OK status
message and the SMTP conversation continues.
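To make the evaluation order concrete, here is a small Python model of the connection-filtering sequence just described (an added illustration, not Exchange code; the IP lists, blocked-sender entries and reverse-DNS data are constructed samples). It shows that an address on the global accept list bypasses every later check, including the blocked-sender check, which is why accept-list entries deserve careful review.

```python
import ipaddress
import re

# Constructed sample lists modelling the Exchange 2003 settings named above.
GLOBAL_ACCEPT = {"203.0.113.10"}            # Connection Filtering tab: global accept list
GLOBAL_DENY = {"198.51.100.0/24"}           # global deny list (this model also accepts a mask)
VSERVER_DENY = {"192.0.2.5"}                # deny list of one SMTP virtual server
BLOCKED_SENDERS = {"*@spam.example", "bad@example.net"}   # Sender Filtering tab
# Constructed reverse-DNS (PTR) results standing in for a real lookup.
REVERSE_DNS = {"203.0.113.10": "mx.partner.example", "192.0.2.7": "host.isp.example"}

HELO_RE = re.compile(r"^(HELO|EHLO) [A-Za-z0-9.\-\[\]]+$")


def _ip_in(ip: str, entries: set) -> bool:
    """True if ip is one of the listed addresses or falls inside a listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def _sender_blocked(p1: str) -> bool:
    """Match the envelope (P1) address against exact and whole-domain block entries."""
    p1 = p1.lower()
    _, _, domain = p1.rpartition("@")
    return p1 in BLOCKED_SENDERS or f"*@{domain}" in BLOCKED_SENDERS


def filter_connection(ip: str, helo: str, mail_from: str, reverse_dns: bool = True) -> str:
    """Return the verdict for one inbound SMTP connection, in the order the article lists."""
    # Step 1: the global accept list exempts the connection from all further checks.
    if _ip_in(ip, GLOBAL_ACCEPT):
        return "250 OK (accept-listed, later checks skipped)"
    # Still step 1: global and per-virtual-server deny lists drop the connection, no NDR.
    if _ip_in(ip, GLOBAL_DENY | VSERVER_DENY):
        return "5.7.0 Access Denied"
    # Step 2: optional reverse DNS; no name for the address means the connection is dropped.
    if reverse_dns and ip not in REVERSE_DNS:
        return "dropped: no reverse DNS"
    # Step 3: a malformed HELO/EHLO drops the connection.
    if not HELO_RE.match(helo):
        return "dropped: malformed HELO/EHLO"
    # Step 4: MAIL FROM is checked against blocked senders but never verified.
    if _sender_blocked(mail_from):
        return "5.1.0 Sender Denied"
    return "250 OK"
```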