Stage 2: Header Filtering
The second layer of defense—header filtering—looks at message properties.
Because of the way SMTP works, the sender has already transmitted the message
and consumed bandwidth before header filters can examine it. You want to use
filters that operate before Exchange signals final acceptance of the message;
if the message is bogus, you don't want to accept it only to have it waste your
queue space with an NDR (or worse, generate an NDR to an innocent person whose
email address was forged). You can filter by sender or by recipient. As with
connection filters, you must enable the processing of sender and recipient filters
on each virtual server.
Depending on your configuration, you might be able to reduce spam by placing your local domain addresses in a sender filter, which you define globally within the organization. To define a sender filter:
- In Exchange System Manager, expand Global Settings and open the Message
Delivery item's Properties.
- On the Sender Filtering tab (or the Filtering tab, in Exchange 2000), click
Add and enter the address you want to filter. This address can be specific
(e.g., deving@3sharp.com); a display name, in quotation marks (e.g., "Devin
L. Ganger"); or a group of addresses, designated with the asterisk wildcard
(e.g., *@3sharp.com, *@.3sharp.com).
- To reject messages that list no sender, select the Filter messages with
blank sender check box. This option looks at the message header, not the
SMTP envelope.
- You can tell Exchange to drop connections from a sender address that you've
put on the sender list. This action won't generate an NDR. (If you don't specify
this option, Exchange will accept the message but will generate an NDR instead
of delivering the message.) Be careful with this option, which can cause a
temporary mail blockage on remote mail systems. SMTP systems are designed
to attempt delivery until a message is accepted, rejected, or reaches the
configured timeout period.
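To make the matching rules in the steps above concrete, here is an added Python model (not Exchange's own code) of how a sender filter list is evaluated against a message's From header and which of the two blocking actions results. The filter entries, the interpretation of *@.3sharp.com as "any subdomain of 3sharp.com", and the action names 'accept', 'ndr' and 'drop' are assumptions made for this example.

```python
import email.utils

# Constructed sender filter list covering the entry kinds the article lists:
# a specific address, a quoted display name, a domain, and its subdomains.
SENDER_FILTER = [
    'deving@3sharp.com',
    '"Devin L. Ganger"',
    '*@3sharp.com',
    '*@.3sharp.com',
]


def _entry_matches(entry, display_name, address):
    """Compare one filter entry with the parsed display name / address."""
    if entry.startswith('"') and entry.endswith('"'):
        # Quoted entry: matched against the display name, not the address.
        return display_name.lower() == entry[1:-1].lower()
    entry, address = entry.lower(), address.lower()
    if entry.startswith('*@.'):
        # Assumption: *@.3sharp.com covers mail.3sharp.com etc., not 3sharp.com itself.
        return address.endswith(entry[2:])
    if entry.startswith('*@'):
        # *@3sharp.com covers every local part at exactly that domain.
        return address.endswith('@' + entry[2:])
    return address == entry


def evaluate_sender(from_header, drop_connection=False, filter_blank=True):
    """Return the action taken for a header From value.

    'accept' - not on the list
    'ndr'    - message accepted, then an NDR is generated (default behaviour)
    'drop'   - connection dropped, no NDR (the "drop connection" option)
    """
    display_name, address = email.utils.parseaddr(from_header)
    if not address:
        # Blank-sender check looks at the message header, not the SMTP envelope.
        blocked = filter_blank
    else:
        blocked = any(_entry_matches(e, display_name, address) for e in SENDER_FILTER)
    if not blocked:
        return 'accept'
    return 'drop' if drop_connection else 'ndr'
```

Note that a blocked sender still costs you the bandwidth of the full message in the 'ndr' case, which is why the article prefers rejecting before final acceptance.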
Exchange 2003 adds the ability to configure recipient filters, which are much
like sender filters but are configured on the Message Delivery object's Recipient
Filtering tab. You can also use the settings on this tab to configure Exchange
to refuse messages for invalid recipients. Whether doing so is a good idea is
hotly debated: Some people think it leads to directory-harvesting attacks. However,
I advise using the feature because it decreases the load on your systems and
on the systems of forgery victims. A sufficiently motivated spammer can (and
will) harvest addresses simply by using a valid return address and NDRs.
By default, neither Exchange 2003 nor Exchange 2000 permits open relay for anonymous clients. However, if you authenticate to the SMTP server, you can submit messages for any recipient and Exchange will relay those messages. Combine this fact with the lack of out-of-the-box auditing of SMTP authentication attempts and you get an attack that looks for accounts that have weak passwords. Attackers can use such accounts to turn a victimized Exchange server into an open relay. Unless you need SMTP authentication for external users, you should disable authenticated relay:
- In Exchange System Manager, open the SMTP virtual server's Properties.
- Click Relay on the Access tab. Clear the Allow all computers which successfully
authenticate to relay, regardless of the list above check box.
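Because the article notes that SMTP authentication attempts are not audited out of the box, here is an added Python check (not part of the article or of Exchange) that summarizes AUTH activity per client IP from protocol log lines, so that a burst of failures followed by a success on the same connection source stands out. The six-field line layout and the log lines themselves are constructed for this example; a real SMTP virtual server W3C log has more fields and should be mapped by its header row first.

```python
from collections import defaultdict

# Constructed sample log. Assumed layout: date time c-ip cs-username cs-method sc-status.
# 535 = authentication failed, 235 = authentication succeeded (SMTP AUTH reply codes).
SAMPLE_LOG = """\
2006-03-30 01:00:01 203.0.113.5 - AUTH 535
2006-03-30 01:00:02 203.0.113.5 - AUTH 535
2006-03-30 01:00:03 203.0.113.5 - AUTH 535
2006-03-30 01:00:04 203.0.113.5 - AUTH 535
2006-03-30 01:00:05 203.0.113.5 - AUTH 535
2006-03-30 01:00:06 203.0.113.5 jsmith AUTH 235
2006-03-30 01:00:07 203.0.113.5 jsmith MAIL 250
2006-03-30 01:05:00 198.51.100.7 bjones AUTH 235
2006-03-30 01:06:00 198.51.100.9 - AUTH 535
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    _date, _time, c_ip, user, method, status = line.split()
    return {'ip': c_ip, 'user': user, 'method': method, 'status': status}


def audit_smtp_auth(log_text, threshold=5):
    """Return {ip: {'failures': n, 'successes': [users]}} for every client IP
    whose failed AUTH count reaches `threshold`. A success listed for such an
    IP is an account whose password was likely guessed and should be reset."""
    stats = defaultdict(lambda: {'failures': 0, 'successes': []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec['method'] != 'AUTH':
            continue
        if rec['status'] == '535':
            stats[rec['ip']]['failures'] += 1
        elif rec['status'] == '235':
            stats[rec['ip']]['successes'].append(rec['user'])
    return {ip: s for ip, s in stats.items() if s['failures'] >= threshold}


if __name__ == '__main__':
    for ip, s in audit_smtp_auth(SAMPLE_LOG).items():
        print(ip, s['failures'], 'failures; succeeded as:', s['successes'])
```

Pair this with disabling authenticated relay as described above; the audit tells you which accounts to reset, while the relay setting removes the payoff for guessing them.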
Stage 3: Body Filtering
The final stage of defense looks at the entire message, using a combination
of properties to determine whether the message is spam. To get this functionality
for free, install the Microsoft Exchange Intelligent Message Filter (IMF) for
Exchange 2003. IMF version 2 is included in Exchange 2003 Service Pack 2 (SP2).
If you're using Exchange 2003 SP1 or release to manufacturing (RTM), you can
download IMF version 1 at http://tinyurl.com/aetsm. This free server-side filter
integrates with the existing Spam Confidence Level (SCL) framework within Exchange
2003 and Outlook 2003. If you're upgrading to Exchange 2003 SP2 and already
have IMF version 1 installed, you need to uninstall IMF first. After you install
SP2 on the server, you'll need to manually enable IMF version 2 by following
the same steps you used to enable connection filtering.
The IMF looks at each message and uses multiple indicators and factors to determine
the percentage of certainty that the message is spam. This percentage is in
turn translated into an SCL, which is a number from 1 to 9 that represents the
probability that the message is spam. The IMF stores the SCL in the message's
MAPI properties. You can configure the Exchange Information Store to block messages
that have a specified SCL or higher, and clients that are aware of the property
(as of this writing, Outlook 2003 and any clients that use OWA 2003) can take
further action, such as moving the message to the Junk E-mail Folder. The IMF
filters only messages that come in through SMTP, which is Exchange's default
transport. IMF version 2 also gives you the ability to integrate Sender ID checks,
as well as a modifiable, weighted word list so you can customize IMF screening
(something you can't do with IMF version 1).
Freedom Fighters
I've given you a whirlwind tour of some of the built-in or free Exchange server-side
options that you can use to fight spam. (I've also given you some good reasons
to begin deploying Exchange 2003, if you haven't already done so.) Many live
Exchange deployments are using these techniques right now to successfully manage
spam. You can, too.
Solution Snapshot
PROBLEM: Spam threatens your Exchange organization.
SOLUTION: Reduce spam by using built-in and free tools.
WHAT YOU NEED: Exchange 2003 or 2000 (some tools require Exchange 2003); a basic
understanding of how SMTP works
DIFFICULTY: 2 out of 5
SOLUTION STEPS:
- Configure and enable connection filters.
- Configure and enable header filters.
- Configure and enable the IMF (for body filtering).
March 30, 2006