Exchange 2007 Spam Filter Overview
Written by Paul Cunningham on April 29, 2010
The Exchange 2007 spam filter is a built-in feature of the Edge Transport server role, as well as an optional feature of the Hub Transport server role. The spam filter is made up of several individual components, each of which performs a specific role in detecting spam and preventing it from reaching mailboxes. These are the Exchange 2007 spam filter agents, listed in the default order of priority on a Hub Transport server:

- Connection Filter Agent
- Content Filter Agent
- Sender Id Agent
- Sender Filter Agent
- Recipient Filter Agent
- Protocol Analysis Agent

Although the priority can be modified, it is generally best to leave it in the default order.
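The following script is an added example and not part of the original post: run in the Exchange Management Shell on a Hub Transport server, it lists the installed anti-spam agents and checks that their relative priority still matches the default order described above, warning about any agent that is missing or disabled. The agent names are the display names that Get-TransportAgent reports.

```powershell
# Added example, not part of the original post: check the anti-spam agents'
# relative priority against the default order. Run in the Exchange
# Management Shell.

# Default relative order of the six anti-spam agents (first runs first).
$expectedOrder = @(
    'Connection Filtering Agent',
    'Content Filter Agent',
    'Sender Id Agent',
    'Sender Filter Agent',
    'Recipient Filter Agent',
    'Protocol Analysis Agent'
)

# All transport agents, lowest Priority number first (priority 1 runs first).
$agents = Get-TransportAgent | Sort-Object Priority

# Anti-spam agents that are actually installed, in their current running order.
$antispam    = $agents | Where-Object { $expectedOrder -contains [string]$_.Identity }
$actualOrder = $antispam | ForEach-Object { [string]$_.Identity }

# On a Hub Transport server these agents exist only after
# Install-AntispamAgents.ps1 (in the Exchange Scripts folder) has been run.
$missing = $expectedOrder | Where-Object { -not ($actualOrder -contains $_) }
if ($missing) { Write-Warning ('Not installed: ' + ($missing -join ', ')) }

# A disabled agent is skipped no matter where it sits in the order.
$antispam | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning ('Disabled: ' + [string]$_.Identity) }

# Other agents (transport rules, journaling) may sit in between, so only the
# order of the anti-spam agents relative to each other is compared.
if (($actualOrder -join ',') -eq ($expectedOrder -join ',')) {
    'Anti-spam agents are in the default priority order.'
} else {
    Write-Warning 'Anti-spam agent order differs from the default:'
    $antispam | Format-Table Identity, Enabled, Priority -AutoSize
}
```

Only the order of the anti-spam agents relative to one another is compared, because the absolute priority numbers shift as other transport agents are installed or removed.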
The Connection Filter Agent is responsible for assessing incoming email based on its connection characteristics, such as the sender's IP address. The Connection Filter is configured with IP block lists and IP allow lists, either manually or by configuring a block list provider. Connection filtering is the least computationally expensive way of stopping spam from botnets and insecure email servers, which is why it is the first priority for the Exchange 2007 spam filter by default. The Connection Filter Agent has two actions it can take on incoming email: reject or accept.
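As an added example (not code from the original post), the following Exchange Management Shell commands configure the Connection Filter Agent with manual block and allow list entries and a DNS-based block list provider, then verify the provider before relying on it. The IP addresses, provider name and lookup domain are constructed placeholders from documentation ranges, not real servers or lists.

```powershell
# Added example, not part of the original post. All addresses and the
# provider below are constructed placeholders.

# 1. Enable the agent for mail arriving from outside the organization.
Set-IPBlockListConfig -Enabled $true -ExternalMailEnabled $true

# 2. Manual block list: a single host, and a range with an expiry so that a
#    temporary block does not live forever.
Add-IPBlockListEntry -IPAddress 192.0.2.10 -Comment 'placeholder: bot traffic'
Add-IPBlockListEntry -IPRange 192.0.2.64/26 -ExpirationTime (Get-Date).AddDays(7)

# 3. Allow list: partner servers whose mail must never be rejected by
#    connection filtering. Allow list entries take precedence over block
#    list entries and provider lookups, so keep this list short.
Add-IPAllowListEntry -IPAddress 198.51.100.25 -Comment 'placeholder: partner MTA'

# 4. Block list provider. AnyMatch blocks on any address the list returns;
#    the rejection response is the text the sending server receives.
Add-IPBlockListProvider -Name 'Example DNSBL' -LookupDomain 'bl.example.net' `
    -AnyMatch $true `
    -RejectionResponse 'Connection rejected: source listed at bl.example.net'

# 5. Query the provider for the conventional DNSBL test address (127.0.0.2),
#    which a working list always reports as listed.
Test-IPBlockListProvider -Identity 'Example DNSBL' -IPAddress 127.0.0.2

# 6. Review the resulting configuration.
Get-IPBlockListEntry    | Format-Table IPRange, ExpirationTime, Comment -AutoSize
Get-IPAllowListEntry    | Format-Table IPRange, Comment -AutoSize
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled, AnyMatch -AutoSize
```

One caveat when this runs on a Hub Transport server: the agent evaluates the IP address of the server that connects to it. If mail arrives through an upstream relay or gateway, every connection appears to come from that relay and connection filtering sees no useful source address.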
The Content Filter Agent in Exchange Server 2007 is based on the Intelligent Message Filter technology first seen in Exchange 2003. When an email message has passed the Connection Filter Agent it is checked by the Content Filter Agent for known spam content, using heuristic scanning and a database of known spam patterns based on spam submissions from Microsoft partners and customers. The Content Filter Agent can also be manually configured to block certain words or phrases, or to exempt certain email addresses from content filtering. The Content Filter Agent has three actions it can take on incoming email that has been detected as spam: delete (silently drop), reject (notify sender), or quarantine.
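The following is an added example rather than code from the original post. It configures the three Content Filter Agent actions by Spam Confidence Level (SCL) threshold, adds custom phrases and a bypass list, and then prints which action applies at each SCL value so the thresholds can be sanity-checked. The quarantine mailbox, phrases and bypass addresses are constructed placeholders.

```powershell
# Added example, not part of the original post. Mailbox addresses and phrases
# are constructed placeholders.

# The three actions are driven by the SCL (0-9) the agent assigns. Exchange
# requires the thresholds to descend, delete > reject > quarantine: the most
# confident spam is dropped silently, less confident spam is rejected with a
# notification to the sender, and borderline mail is held for review.
Set-ContentFilterConfig -Enabled $true -ExternalMailEnabled $true `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -QuarantineMailbox 'spam-quarantine@example.com' `
    -RejectionResponse 'Message rejected as spam by the content filter.'

# Custom phrases: BadWord raises the SCL, GoodWord lowers it. Every phrase is
# matched against every message, so keep the list short.
Add-ContentFilterPhrase -Phrase 'placeholder bad phrase' -Influence BadWord
Add-ContentFilterPhrase -Phrase 'placeholder good phrase' -Influence GoodWord

# Exempt specific senders or recipients from content filtering. Note that
# these parameters replace the existing lists rather than append to them, and
# that a bypassed sender is trusted on the address alone, which can be spoofed.
Set-ContentFilterConfig -BypassedSenders 'alerts@example.net' `
    -BypassedRecipients 'postmaster@example.com'

# Show which action applies at each SCL value under the current configuration.
# Checks run from least to most severe so the most severe enabled action wins.
$cfg = Get-ContentFilterConfig
foreach ($scl in 0..9) {
    $action = 'Deliver'   # the mailbox-side junk threshold then decides Inbox vs Junk E-mail
    if ($cfg.SCLQuarantineEnabled -and $scl -ge $cfg.SCLQuarantineThreshold) { $action = 'Quarantine' }
    if ($cfg.SCLRejectEnabled     -and $scl -ge $cfg.SCLRejectThreshold)     { $action = 'Reject' }
    if ($cfg.SCLDeleteEnabled     -and $scl -ge $cfg.SCLDeleteThreshold)     { $action = 'Delete' }
    '{0} -> {1}' -f $scl, $action
}
```

With the thresholds above the table prints Deliver for SCL 0 to 5, Quarantine for 6 and 7, Reject for 8 and Delete for 9; lowering the quarantine threshold widens the band of mail that lands in the single quarantine mailbox, which is the band an administrator then has to review by hand.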
Sender Id is an email authentication protocol that aims to prevent spoofing and phishing by verifying that a sender is authorized to send for that domain name. Though it is widely adopted it is not a standard, and so can't always be relied upon for spam prevention. The Sender Id Agent has three actions it can take on incoming email that fails validation: delete, reject, or stamp and continue.
The Sender Filter Agent simply allows the administrator to specify a list of sender email addresses to block. There are two actions it can take on incoming emails sent by someone on the list: reject, or stamp and continue. Because of the wide use of address spoofing in spam, this feature is more useful for stopping deliberate harassment or abusive emails from a specific individual.
The Recipient Filter Agent can be used to block incoming emails sent to certain recipients; however, a more useful feature is the ability to block emails sent to recipients that don't exist. This works hand in hand with an Exchange 2007 spam filter feature known as "tar pitting" to stop directory harvest attacks.
The Protocol Analysis Agent underpins the Sender Reputation feature of the Exchange 2007 spam filter. This feature combines its own assessment and testing of a sender along with IP reputation information from Microsoft to determine whether a particular sender should be blocked or treated with suspicion.
Sender Reputation can be configured with a threshold at which a sender is considered suspicious and is blocked. The duration of the block is also configurable, and is set to 24 hours by default.
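The following block is an added example, not code from the original post, covering the four agents described in the preceding paragraphs: Sender Id, Sender Filter, Recipient Filter (with the tar pitting it relies on) and Sender Reputation. The addresses, domains and the receive connector identity are constructed placeholders; the receive connector name in particular must be replaced with the real one from Get-ReceiveConnector.

```powershell
# Added example, not part of the original post. Addresses, domains and the
# connector identity are constructed placeholders.

# --- Sender Id -------------------------------------------------------------
# A message whose sending IP is not authorised by the purported sender
# domain's SPF record fails validation. StampStatus records the result in the
# message so the Content Filter Agent can weigh it, instead of rejecting
# outright; Delete and Reject are the other two actions. StampStatus is the
# cautious choice while many legitimate domains publish no or wrong records.
Set-SenderIdConfig -Enabled $true -ExternalMailEnabled $true `
    -SpoofedDomainAction StampStatus -TempErrorAction StampStatus

# See how a given sending IP / domain pair would be evaluated.
Test-SenderId -IPAddress 192.0.2.10 -PurportedResponsibleDomain example.net

# --- Sender Filter ---------------------------------------------------------
# Block specific addresses or whole domains. Reject refuses the message during
# the SMTP session; StampStatus lets it through with a mark for later scoring.
Set-SenderFilterConfig -Enabled $true -ExternalMailEnabled $true `
    -BlockedSenders 'abuser@example.net' `
    -BlockedDomainsAndSubdomains 'spam.example.org' `
    -BlankSenderBlockingEnabled $true `
    -Action Reject

# --- Recipient Filter ------------------------------------------------------
# Reject mail to recipients that do not exist in the directory, plus an
# explicit block list. Recipient validation is the part that, together with
# tar pitting, makes directory harvesting impractical.
Set-RecipientFilterConfig -Enabled $true -ExternalMailEnabled $true `
    -RecipientValidationEnabled $true `
    -BlockListEnabled $true `
    -BlockedRecipients 'donotuse@example.com'

# Tar pitting is a property of the receive connector, not of the agent: the
# server delays its "recipient unknown" response by this interval, so a
# harvester probing thousands of addresses is slowed dramatically while a
# normal sender barely notices. 5 seconds is the default.
Set-ReceiveConnector -Identity 'EDGE01\Default internal receive connector EDGE01' `
    -TarpitInterval 00:00:05

# --- Sender Reputation (Protocol Analysis Agent) ---------------------------
# The Sender Reputation Level runs 0-9. Senders at or above the threshold are
# added to the IP block list for SenderBlockingPeriod hours (24 by default).
Set-SenderReputationConfig -Enabled $true -ExternalMailEnabled $true `
    -SrlBlockThreshold 7 `
    -SenderBlockingEnabled $true -SenderBlockingPeriod 24 `
    -OpenProxyDetectionEnabled $true

# Review the resulting settings in one place.
Get-SenderIdConfig         | Format-List Enabled, SpoofedDomainAction, TempErrorAction
Get-SenderFilterConfig     | Format-List Enabled, Action, BlockedSenders, BlockedDomainsAndSubdomains
Get-RecipientFilterConfig  | Format-List Enabled, RecipientValidationEnabled, BlockedRecipients
Get-SenderReputationConfig | Format-List Enabled, SrlBlockThreshold, SenderBlockingPeriod
```

A lower SrlBlockThreshold blocks more senders on thinner evidence, and because a block is enforced through the IP block list the resulting entries can be reviewed with Get-IPBlockListEntry, where machine-generated entries are distinguishable from the ones an administrator added by hand.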
Other Exchange 2007 Spam Filter Features
The Content Filter Agent offers the option to quarantine suspected spam to a mailbox. Only one quarantine mailbox can be configured for this, and there is no self-service option for end users to manage their own personal quarantine items. Exchange 2007 also ships with a series of scripts that can be used for basic reporting of the spam filter's performance. This reporting is all done via shell commands, and there are no graphical reports generated. There is also no report access for non-administrators, making it impossible for managers and other staff to access reports on their own. Overall, the Exchange 2007 spam filter offers the basic features required to protect an email server from spam. However, the configuration of some items is limited, it has none of the end-user self-service options that keep administrative overheads down, and it lacks important features such as Bayesian filtering, which can make more intelligent decisions about an organization's email usage to increase the accuracy of its spam detection.
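As an added example (not one of the scripts that ship with Exchange, and not code from the original post), the following builds a basic spam filter activity report straight from the agent log with Get-AgentLog and exports it to a CSV file, which is one way to get figures into the hands of staff who have no shell access. It assumes agent logging is enabled on the server; the output path is a placeholder.

```powershell
# Added example, not part of the original post. Assumes agent logging is
# enabled; the output path is a placeholder.

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$out   = 'C:\Reports\antispam-last7days.csv'   # placeholder path

# Each agent log entry is one decision: which agent acted, what it did
# (Action), why (Reason / ReasonData), and the sending IP and envelope sender.
$entries = Get-AgentLog -StartDate $start -EndDate $end

# Summary 1: decisions per agent and action.
$byAgent = $entries |
    Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# Summary 2: the ten sending IPs that drew the most blocking decisions. These
# are the candidates to check against the block list provider or to add to
# the manual IP block list.
$topIPs = $entries |
    Where-Object { $_.Action -match '^(Reject|Delete|Quarantine)' } |
    Group-Object IPAddress |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

# Summary 3: why the Connection Filtering Agent rejected connections. Reason
# and ReasonData identify the trigger, such as the block list provider that
# listed the address, so this shows which providers are earning their keep.
$byReason = $entries |
    Where-Object { $_.Agent -eq 'Connection Filtering Agent' -and $_.Action -match '^Reject' } |
    Group-Object Reason, ReasonData |
    Sort-Object Count -Descending |
    Select-Object Name, Count

$byAgent  | Format-Table -AutoSize
$topIPs   | Format-Table -AutoSize
$byReason | Format-Table -AutoSize

# One flat table with a Section column, suitable for opening in a spreadsheet.
$rows  = @()
$rows += $byAgent  | Select-Object @{n='Section';e={'ByAgent'}},  Name, Count
$rows += $topIPs   | Select-Object @{n='Section';e={'TopIPs'}},   Name, Count
$rows += $byReason | Select-Object @{n='Section';e={'ByReason'}}, Name, Count
$rows | Export-Csv -Path $out -NoTypeInformation
```

The agent log records only the decisions agents made, not every message that passed through, so the counts describe filtering activity rather than total mail volume; run it on a schedule and keep the CSVs if a trend over time is wanted.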