The SCL Hook
Microsoft introduced VSAPI in Exchange 2000 as the platform for antivirus tools to gain access to Exchange components such as the Store. Microsoft has updated VSAPI in Exchange 2003, but the most important upgrade that ISVs can exploit to protect servers against email threats is a new "hook" that antispam products can leverage.
The Spam Confidence Level (SCL) is a new Store property that antispam products can update, using whatever techniques or algorithms they want to engineer into their transport sink. And the Store SCL Processor is a new Store component that looks for SCL values, then takes action based on the value, as well as on certain client settings if the client supports features such as Outlook 2003's Junk E-Mail Filter. The higher a given message's SCL value, the higher the probability that the message is spam. To determine the SCL value, antispam utilities use different algorithms to analyze data in message headers and contents.
The threshold values that Exchange 2003 uses for SCL processing reside in three attributes that Exchange 2003 adds to AD when you run the Setup program's ForestPrep component. These attributes are
- Enabled Flag (ms-Exch-Uce-Enabled)
- Block Threshold (ms-Exch-Uce-Block-Threshold)
- Store Action Threshold (ms-Exch-Uce-Store-Action-Threshold)
To establish whether Exchange performs SCL processing within an organization, the Enabled Flag is set to 0 or 1. The Block Threshold determines the value at which antispam products take action to block a message, either by dropping it completely or moving it to a quarantine area. The Store Action Threshold tells Exchange how to deal with messages that pass through for delivery. If the message has an SCL value higher than the threshold, Exchange puts the message into the Junk E-Mail folder; otherwise, it goes into the Inbox as usual. Vendors are still working out the exact details about how their antispam products will manipulate and interact with these settings, but I like to see that Microsoft has put the fundamentals in place.
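The decision flow that the three attributes describe (and the client-side "delete suspected spam" option mentioned further on) is easy to lose among the attribute names, so here is a small Python model of it. This is an added example, not code from the article or from Microsoft; it models the semantics the text describes rather than the Store's actual implementation. The policy values, the `scl` property name on the message dictionaries and the `client_deletes_junk` flag are constructed for illustration, and the comparison operators follow the article's wording ("at which" for the Block Threshold, "higher than" for the Store Action Threshold).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class Action(Enum):
    """Outcomes the article describes for a message passing through the Store."""
    INBOX = "deliver to Inbox"
    JUNK = "file in Junk E-Mail folder"
    DELETE = "delete (client has chosen to delete suspected spam)"
    BLOCK = "block before delivery (drop or quarantine)"


@dataclass(frozen=True)
class SclPolicy:
    """Model of the three AD attributes that ForestPrep adds (values are constructed examples)."""
    enabled: bool                 # ms-Exch-Uce-Enabled (0 or 1)
    block_threshold: int          # ms-Exch-Uce-Block-Threshold
    store_action_threshold: int   # ms-Exch-Uce-Store-Action-Threshold

    def __post_init__(self) -> None:
        # Assumption (not stated in the article): a block threshold below the
        # store-action threshold would make the Junk folder unreachable, so reject it.
        if self.block_threshold < self.store_action_threshold:
            raise ValueError("block threshold must not be below store-action threshold")


def decide(scl: Optional[int], policy: SclPolicy, client_deletes_junk: bool = False) -> Action:
    """Return the action for one message given its SCL property and the org policy.

    scl is None when no antispam product stamped the message; the Store then has
    nothing to act on and the message is delivered as usual.
    """
    if not policy.enabled or scl is None:
        return Action.INBOX
    if scl >= policy.block_threshold:
        # Block Threshold: the antispam product drops or quarantines the message.
        return Action.BLOCK
    if scl > policy.store_action_threshold:
        # Store Action Threshold: refile before the client ever downloads it,
        # honouring the Outlook 2003 "delete suspected spam" choice if set.
        return Action.DELETE if client_deletes_junk else Action.JUNK
    return Action.INBOX


def route_messages(messages: Iterable[Dict[str, object]], policy: SclPolicy) -> Dict[str, int]:
    """Tally actions over a batch of messages (dicts with an optional 'scl' key)."""
    counts: Dict[str, int] = {a.name: 0 for a in Action}
    for msg in messages:
        scl = msg.get("scl")
        action = decide(scl if isinstance(scl, int) else None, policy,
                        bool(msg.get("client_deletes_junk", False)))
        counts[action.name] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: thresholds and messages are illustrative, not product defaults.
    policy = SclPolicy(enabled=True, block_threshold=8, store_action_threshold=4)
    sample = [
        {"subject": "quarterly figures", "scl": 1},
        {"subject": "re: lunch"},                       # never scanned, no SCL property
        {"subject": "cheap meds", "scl": 6},
        {"subject": "cheap meds", "scl": 6, "client_deletes_junk": True},
        {"subject": "YOU HAVE WON", "scl": 9},
    ]
    for name, n in route_messages(sample, policy).items():
        print(f"{name:7} {n}")
```

Running the block prints one line per action with the count of sample messages that reached it; with the Enabled Flag modelled as `enabled=False`, every message lands in `INBOX` regardless of its score, which is the behaviour the flag exists to provide.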
If you desire, you can deploy multiple antispam utilities or perhaps an antispam product that uses several scanning techniques (similar to the way that some antivirus products use multiple virus-detection engines to ensure that they catch a higher percentage of suspect messages). In any case, the desired outcome is to either discard spam or permit messages to pass through for further processing, with an SCL score in their Properties that will help client-side utilities process the messages.
For example, Outlook 2003's Junk E-Mail Filter feature lets you choose to delete suspected spam messages. (The default setting is to place these messages into a Junk E-Mail folder.) Typically, Outlook's junk-email processing algorithm determines whether to file these messages in the Junk E-Mail folder after they arrive in the user's mailbox. However, on an Exchange 2003 server equipped with suitable antispam software that sets the SCL, the Store can make the decision and refile messages that an antispam utility has determined have a high SCL value, before they go anywhere near the client. This scenario is preferable because the client doesn't need to download messages, so you save bandwidth and processing.
If you decide to deploy antispam products with Exchange 2003, I recommend selecting products that support SCL processing. At the time of this writing, such products are still in beta, but you should be able to get SCL-compliant antispam products soon after Microsoft ships Exchange 2003. You'll find detailed information about the SCL in the Exchange 2003 software development kit's (SDK's) Solutions section in the Microsoft Developer Network (MSDN).
Commercial Protection
Not everyone is ready to deploy Exchange 2003. Thankfully, a healthy commercial market exists for add-on antispam products that protect Exchange 2003 servers. Sunbelt Software’s iHateSpam Server Edition is a good example of a standalone antispam tool that supports Exchange 2003 and Exchange 2000. (A gateway version is available for Exchange 5.5.) Sunbelt Software also offers a client edition of iHateSpam that protects Outlook 2002 and Outlook 2000 clients.
The server edition monitors incoming SMTP traffic and checks it against the blackhole lists and whitelists that you configure, as well as any additional policies that you want to use. (For example, you might treat any message that mentions "viagra" as highly probable spam.) Installing and configuring iHateSpam is easy and doesn't affect users, nor does the tool require any updates to the AD schema. The product boasts impressive reporting capabilities that let you see information such as spam volume and the user who receives the most spam, but you need to channel data to a Microsoft SQL Server 2000 database before you can report on it. The software also inserts a "spam rating" into the message header to give users a quick spam evaluation. (To see SMTP message headers in Outlook, open a message and click View, Options. Outlook displays the message-header information in the Internet Headers field.) Sunbelt is reportedly planning a new version of the product that will let you use the Microsoft Data Engine (MSDE) instead of SQL Server. This modification will reduce complexity and let small sites avoid the cost of SQL Server licenses.
Other server-based antispam products include CS MAILsweeper for Exchange, Brightmail Anti-Spam Enterprise Edition, GFI MailEssentials for Exchange/SMTP, and McAfee Security's McAfee Spamkiller. (You can find more antispam products at Slipstick Systems' Content Control Tools page at http://www.slipstick.com/addins/content_control.htm.) Expect current interest in spam protection to drive the development of other products in this space. All the aforementioned products support Exchange 2003, although some of them require software updates to support Exchange 2003's antispam SCL hook. As with most software products, I recommend downloading evaluation copies from vendors' Web sites and running the software on test servers to see which product best suits your environment. The cost of deploying these products varies from country to country and depends on the level of support that you require. You also need to factor in the cost of a subscription to an RBL provider, should you decide to use these services as a definitive source of information about known spammers.