Exchange 2010: Anti-spam strengths and limitations

By J. Peter Bruzzese

Built-in Exchange features are typically either very solid or obviously weak. In other words, you typically know whether the built-in feature is all you need or whether you should be searching for a third-party assist to firm up that area of your messaging needs. One interesting enigma in this regard is the anti-spam features that have been built into Exchange. On their own merit they're quite good. However, it's worth pondering whether the built-in feature set is all you need, or want, in a modern-day protective solution.

Where are the anti-spam features located in Exchange?

The anti-spam settings are located on your transport servers (Edge or Hub Transport). They appear by default on your Edge Transport servers, but on a Hub Transport server they have to be enabled by running a script from within the Exchange Management Shell. Microsoft recommends you use an Edge Transport solution or a hosted solution to protect your organization. However, smaller environments may run a single Exchange server with a Typical installation of Exchange (Mailbox, CAS and HT) and still want the anti-spam features.

To enable the anti-spam settings on a Hub Transport server, perform the following:

  1. On your Hub Transport server, open the Exchange Management Shell (EMS).
  2. Navigate to the Scripts folder on the system drive (usually c:): c:\Program Files\Microsoft\Exchange Server\V14\Scripts
  3. Type: .\install-AntiSpamAgents.ps1
  4. Then type: Restart-Service MSExchangeTransport
  5. Then type: Set-TransportConfig -InternalSMTPServers <use IP address of HT server>
  6. Open the Exchange Management Console. Note: If it is already open you will need to close and re-open it.
  7. Expand Organization Configuration node and then select the Hub Transport option.
  8. Note that the Anti-Spam tab is now available.
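Steps 2 to 5 above as a single Exchange Management Shell script, with a verification step at the end. This is an added example, not part of the original post: the IP address is a placeholder, and the `@{Add=...}` form is used instead of a plain assignment so that existing InternalSMTPServers entries are kept.

```powershell
# Run in the Exchange Management Shell (EMS) on the Hub Transport server.
$ScriptsDir     = 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts'
$HubTransportIP = '192.0.2.10'   # placeholder: replace with the HT server's IP address

$installer = Join-Path $ScriptsDir 'install-AntiSpamAgents.ps1'
if (-not (Test-Path $installer)) {
    throw "install-AntiSpamAgents.ps1 not found in $ScriptsDir (is Exchange on another drive?)"
}

# Record the agents present before the change so the new ones can be listed afterwards.
$before = @(Get-TransportAgent | ForEach-Object { $_.Identity.ToString() })

# Steps 2-3: run the installer from the Scripts folder.
Push-Location $ScriptsDir
try     { .\install-AntiSpamAgents.ps1 }
finally { Pop-Location }

# Step 4: the new agents only load after the transport service restarts.
Restart-Service MSExchangeTransport

# Step 5: register the HT server as an internal SMTP server.
# Add to the list rather than overwrite it, and skip the call if it is already there.
$current = @((Get-TransportConfig).InternalSMTPServers |
             Where-Object { $_ } | ForEach-Object { $_.ToString() })
if ($current -notcontains $HubTransportIP) {
    Set-TransportConfig -InternalSMTPServers @{Add = $HubTransportIP}
}

# Verify: service is running, new agents are registered, the address is listed.
if ((Get-Service MSExchangeTransport).Status -ne 'Running') {
    Write-Warning 'MSExchangeTransport is not running after the restart.'
}
$added = @(Get-TransportAgent | Where-Object { $before -notcontains $_.Identity.ToString() })
if ($added.Count -eq 0) {
    Write-Warning 'No new transport agents were registered.'
}
$added | Format-Table Identity, Enabled, Priority -AutoSize
(Get-TransportConfig).InternalSMTPServers
```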

Exchange 2010 offers nine different anti-spam features

The following is a list of nine anti-spam features that can be utilized within your transport environment:

  • Content Filtering: Uses an algorithm to identify spam, although you have the ability to add specific words to a Custom Words list. The best aspect of the Content Filtering feature is your ability to determine what should happen to email that exceeds certain spam confidence level (SCL) ratings that you specify. As email comes into your Exchange environment, based on clear criteria, an SCL rating can be attached. If that email exceeds the levels you stipulate you might have the email deleted, rejected or quarantined.
  • IP Allow List: This allows you to specify IP addresses that you have no concerns about and so should be allowed to deliver mail without further filtering. You might include other servers you use that send mail (like SharePoint perhaps) or key partners or customer systems.
  • IP Allow List Providers: Allows you to provide a list of safe servers that are known not to send spam. The list comes from a third-party source.
  • IP Block List: Allows you to specify IP addresses that you do have concerns about possibly based on negative experiences with those systems sending spam. You can manually maintain this list on your own.
  • IP Block List Provider: There are published lists of IP addresses of known spammers (these change daily) and you can utilize a third-party service to provide these lists to help protect your environment.
  • Recipient Filtering: This feature allows you to block messages that are sent to non-existent recipients, or messages sent to specific recipients that you choose. For example, you might have mailboxes that you do not want mail sent to, or mailboxes of former employees for which you wish to block incoming email.
  • Sender Filtering: You can block email from specific senders either by email address or their entire domain. And if an email doesn’t have sender information you can also block that email from coming in.
  • Sender ID: Considers the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to see if the sender is spoofed.
  • Sender Reputation: This one is interesting because it checks an email by performing a reverse DNS proxy and then, if it doesn’t like the “reputation” of the message, perhaps due to an indication that it was sent through an open proxy, it can temporarily place that sender on hold for a period of time (24 hours is the default, up to 48 hours). The sender reputation level (SRL) is calculated by looking at several characteristics of the sender and can be calculated locally on the Exchange side. Exchange 2010 also utilizes Windows Updates, which provide anti-spam updates that include IP addresses with bad sender reputations.
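To see how these nine features are actually set on a transport server, the following read-only audit queries each feature's configuration cmdlet and flags two content-filter settings worth checking. It is an added example, not part of the original post, and assumes it runs in the Exchange Management Shell on a server where the anti-spam agents are installed.

```powershell
# Map each feature from the list above to its Exchange 2010 configuration cmdlet.
$features = @(
    @{ Name = 'Content Filtering';       Cmd = 'Get-ContentFilterConfig' },
    @{ Name = 'IP Allow List';           Cmd = 'Get-IPAllowListConfig' },
    @{ Name = 'IP Allow List Providers'; Cmd = 'Get-IPAllowListProvidersConfig' },
    @{ Name = 'IP Block List';           Cmd = 'Get-IPBlockListConfig' },
    @{ Name = 'IP Block List Provider';  Cmd = 'Get-IPBlockListProvidersConfig' },
    @{ Name = 'Recipient Filtering';     Cmd = 'Get-RecipientFilterConfig' },
    @{ Name = 'Sender Filtering';        Cmd = 'Get-SenderFilterConfig' },
    @{ Name = 'Sender ID';               Cmd = 'Get-SenderIdConfig' },
    @{ Name = 'Sender Reputation';       Cmd = 'Get-SenderReputationConfig' }
)

# One row per feature: is it on, and does it apply to external and internal mail?
$report = foreach ($f in $features) {
    $cfg = & $f.Cmd
    New-Object PSObject -Property @{
        Feature      = $f.Name
        Enabled      = $cfg.Enabled
        ExternalMail = $cfg.ExternalMailEnabled
        InternalMail = $cfg.InternalMailEnabled
    }
}
$report | Select-Object Feature, Enabled, ExternalMail, InternalMail | Format-Table -AutoSize

# Content Filtering: the SCL thresholds that decide delete / reject / quarantine.
$cf = Get-ContentFilterConfig
$cf | Format-List SCLDeleteEnabled, SCLDeleteThreshold, SCLRejectEnabled,
                  SCLRejectThreshold, SCLQuarantineEnabled, SCLQuarantineThreshold,
                  QuarantineMailbox

# Quarantine needs a mailbox to deliver to.
if ($cf.SCLQuarantineEnabled -and -not $cf.QuarantineMailbox) {
    Write-Warning 'Quarantine is enabled but no QuarantineMailbox is set.'
}
# The harsher action should need the higher SCL: delete >= reject >= quarantine.
if ($cf.SCLDeleteThreshold -lt $cf.SCLRejectThreshold -or
    $cf.SCLRejectThreshold -lt $cf.SCLQuarantineThreshold) {
    Write-Warning 'SCL thresholds are out of order (expected delete >= reject >= quarantine).'
}

# Sender Reputation: blocking period and the SRL at which a sender is blocked.
Get-SenderReputationConfig |
    Format-List SenderBlockingEnabled, SenderBlockingPeriod, SrlBlockThreshold,
                OpenProxyDetectionEnabled
```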

What’s missing in Exchange 2010 anti-spam?

Well, on the surface you’re looking at some great anti-spam protection right out-of-the-box with Exchange 2010. There is no denying the strength of the nine features just outlined. However, most folks will tell you that you can never have too many anti-spam features working for you. Where the built-in features stop short is that most administrators are looking to do more than just prevent spam from coming in. Malware in the form of viruses, rootkits and other junk that comes into your organization requires a bit more than what we have with built-in anti-spam features, even if you add in transport rules and other protective elements. This added level of danger means you need to consider another solution for protection. Whether that solution is a hosted one through a third party, or an on-premise one through a third party, will depend entirely on you.

On the positive side, third-party solutions typically go beyond the nine features of Exchange 2010 anti-spam and offer additional spam protection while also offering a full arsenal of malware protection (which often includes multiple antivirus solutions all working at the same time to ensure nothing evil gets through your protective barrier).

In conclusion

Whether you have a small or large organization, you can take advantage of the built-in Exchange anti-spam features. However, you will still need to add further protection to your environment to ensure all forms of malware are kept outside of your organization.

This guest post was written by J. Peter Bruzzese on behalf of GFI Software Ltd. You can follow him on Twitter @JPBruzzese