Use ISA Server and Exchange 2000 to control email

Content management is a broader concept than antivirus scanning. The term includes managing the flow of email content between and within organizations. For example, content-management software lets you screen email messages for sexist, racist, or obscene language that violates your company policy. Such software also can alert you when messages or attachments contain proprietary information that you don't want to leave your company. In addition, content-management methods can protect your organization from spam.

In "Managing Your Email Content, Part 1," June 2001, I discuss content management in Exchange Server 5.5, vendors' add-in applications, and a content-management scenario. In this article, I look at

  • Exchange 2000 Server's native content-management functionality
  • updates to the Virus Scanning API (VS API) in Exchange 2000 Service Pack 1 (SP1)
  • using the Microsoft Internet Security and Acceleration (ISA) Server to control email

Exchange 2000 Methods
Exchange 2000 provides some built-in methods for controlling unwanted email—from filtering messages based on content to using reverse DNS lookups to verify senders. You can use built-in filtering to prevent specific senders from sending email messages to your servers. Note that the ability to use filtering on SMTP senders doesn't exist in the Windows 2000 SMTP service, only in the Exchange 2000 SMTP service. (For information about SMTP security in Exchange Server 5.5, see Joseph Neubauer, "Is Your Exchange Server Relay-Secure?" January 2000.)

First, before you can create any SMTP filter restrictions, you must select the Apply Filter option for each virtual server that can accept SMTP email. You define filtering globally, but each SMTP virtual server has filtering options for each IP address. Therefore, one server can act as multiple virtual servers with unique settings. To select the Apply Filter option, open Exchange System Manager (ESM) by clicking Start, Programs, Microsoft Exchange, System Manager. If the Administrative Groups container appears in the left pane, expand it by double-clicking the container or clicking the plus sign (+) to the left of the container. If the Administrative Groups container doesn't exist or you have just expanded it, expand the Servers container in the left pane and expand the container for your server.

Next, expand the Protocols container, expand the SMTP container, then select the SMTP Virtual Server—most likely the Default SMTP Virtual Server. Right-click, and select Properties to open the dialog box. Click Advanced, and edit any existing IP addresses or add a new address (if the SMTP virtual server listens on additional IP addresses). Then, select the Apply Filter check box, as Figure 1, page 8, shows. The Filter Enabled column will change to Yes when you close the dialog boxes. Now, you need to configure the filters.

At the top of ESM, just below the Organization name, expand the Global Settings container to find the Message Delivery container. Right-click Message Delivery, and choose Properties. On the Filtering tab, which Figure 2, page 8, shows, you can enter the names of senders you want to filter out and choose how you want Exchange to handle the message and notifications. By default, Exchange sends a nondelivery report (NDR) and moves the message to the \exchsrvr\mailroot\vsi #\drop folder (where vsi # is the name of your virtual server—the default SMTP virtual server is vsi 1). You can also tell Exchange to send copies of the NDR to a location of your choice, which you can specify on the Messages tab in the Properties of the SMTP Virtual Server.

If the NDR can't be delivered to the sender, a copy of the message is put in the Badmail directory (\exchsrvr\mailroot\vsi #\badmail). You can change the location of this directory by right-clicking the SMTP Virtual Server, selecting Properties, and selecting the Messages tab, which displays the current Badmail location.

However, perhaps you don't want senders to know that you've dropped their messages. Selecting the Accept messages without notifying sender of filtering check box configures the system to not generate an NDR. You can use wildcards (e.g., *@nothing-good-to-say.com) or enter the sender's display name in quotation marks (""). The Filter messages with blank sender check box is useful because messages with a blank sender are suspect.

In rare cases, you might mistakenly filter messages that should be delivered (e.g., in some cases in which you filter on domains). You can archive these messages until you're sure that you aren't filtering out content that you or your users want. If you archive these messages, be sure to monitor the disk partition that holds the archive in case it fills rapidly, because you must manually remove the old messages.
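The following added example (not code from the article or from Exchange) models how the Filtering-tab entries described above behave: a wildcard address, an exact address, a display name in quotation marks, and the blank-sender check, together with the default NDR-plus-Drop-folder handling and the "accept without notifying sender" option. The filter entries and addresses are constructed for illustration.

```python
import fnmatch
from typing import NamedTuple

# Constructed filter list in the forms the Filtering tab accepts (assumption:
# the matching below is a model of the article's description, not Exchange's code).
FILTER_LIST = [
    "*@nothing-good-to-say.com",  # wildcard over the whole sender address
    "bulk@example.net",           # exact envelope sender
    '"Free Prizes"',              # sender display name in quotation marks
]

class Verdict(NamedTuple):
    accepted: bool   # delivered normally
    ndr: bool        # nondelivery report sent back to the sender
    folder: str      # where a filtered message is kept, "" if delivered

def sender_matches(envelope_from, display_name, filters=FILTER_LIST, filter_blank=True):
    """True when the sender hits any filter entry (or is blank, if that box is checked)."""
    if not envelope_from:
        return filter_blank
    for entry in filters:
        if entry.startswith('"') and entry.endswith('"'):
            # Quoted entry: compare against the display name, not the address
            if display_name.casefold() == entry[1:-1].casefold():
                return True
        elif fnmatch.fnmatchcase(envelope_from.casefold(), entry.casefold()):
            return True
    return False

def apply_filter(envelope_from, display_name, notify_sender=True,
                 drop_folder=r"\exchsrvr\mailroot\vsi 1\drop", **kw):
    """Default handling: send an NDR and keep the message in the Drop folder.
    With 'Accept messages without notifying sender of filtering' set,
    no NDR is generated."""
    if not sender_matches(envelope_from, display_name, **kw):
        return Verdict(True, False, "")
    return Verdict(False, notify_sender, drop_folder)
```

Because the wildcard must match the whole address, `*@nothing-good-to-say.com` does not catch `user@nothing-good-to-say.com.example`, which is worth checking before you rely on a domain entry.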

Reverse DNS lookup. An Exchange 2000 SMTP virtual server can also perform reverse DNS lookup on incoming messages. The Exchange Server verifies that the IP address of the connected SMTP host matches the host or domain submitted in the EHLO/HELO SMTP command. (HELO starts an SMTP session, and EHLO starts an Enhanced SMTP—ESMTP—session.) If the reverse DNS lookup is successful, the Received header of the email message remains unchanged. However, if the verification is unsuccessful, unverified appears after the IP address in the Received header of the message.

Because reverse DNS lookup adds overhead to the SMTP session, Exchange doesn't enable it by default, and administrators use it sparingly. Whether you use reverse DNS lookup depends on how much you need it and how likely it is to cause a queue of mail on your SMTP gateways. If your gateways are already working too hard, don't chance it. However, if the server has fast drives and plenty of processing power, you can test how useful reverse DNS lookup is for you.

To enable reverse DNS lookup, go to the Delivery tab in the Default SMTP Virtual Server Properties dialog box. Click Advanced, and in the Advanced Delivery dialog box, select the Perform reverse DNS lookup on incoming messages check box. Figure 3 shows these steps.
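As an added example (not the article's or Exchange's code), this models the check just described: the connecting IP address is resolved back to a host name and compared with the HELO/EHLO name, and the Received header is tagged with "unverified" only when that fails. The PTR table and host names are constructed; the exact header layout is an assumption.

```python
# Constructed PTR table standing in for the resolver (assumption: all hosts and
# addresses here are made up; a real check queries DNS for the PTR record).
PTR_RECORDS = {
    "192.0.2.25": "mail.example.net",
    "198.51.100.7": "relay.example.org",
}

def verified(ip, helo_name, ptr=PTR_RECORDS):
    """Model of the article's rule: the connecting IP must resolve back to the
    host, or to a host within the domain, given in HELO/EHLO."""
    name = ptr.get(ip)
    if name is None:
        return False                      # no PTR record at all
    name, helo = name.casefold().rstrip("."), helo_name.casefold().rstrip(".")
    return name == helo or name.endswith("." + helo)

def received_header(ip, helo_name, by="exchange.example.com", ptr=PTR_RECORDS):
    """Build the Received line. The layout is a constructed approximation; as in
    the article, 'unverified' is added after the IP only when the lookup fails."""
    addr = f"[{ip}]" if verified(ip, helo_name, ptr) else f"[{ip}] unverified"
    return f"Received: from {helo_name} ({addr}) by {by} with ESMTP"
```

Note that the lookup only annotates the header; nothing is rejected, so the tag is useful as input to a later filtering rule or when you review suspect messages.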

Another way to use the SMTP server for content management is through transport event sinks. The sidebar "SMTP Server Transport Events" explains this process.

Exchange 2000 VS API
Exchange Server 5.5 SP3 introduced a VS API (formerly called the antivirus API—AV API) to let developers write improved antivirus products. Microsoft designed the VS API to ensure that all attachments in the Exchange Server Information Store (IS) are scanned before a client has access to the message. The VS API in Exchange 2000 SP1 adds provisions for content management. The new version passes the entire message body to the antivirus scanner, allowing for scanning of such exploits as HTML scripts, which I discuss in "Managing Your Email Content, Part 1." The initial VS API for Exchange 2000 was unable to scan incoming messages from Internet protocol clients (e.g., POP3, IMAP, SMTP); therefore, Microsoft recommended using only Messaging API (MAPI)-based clients to send and receive messages until Exchange 2000 SP1 became available. The VS API in SP1 removes the need for this restriction (as long as you use VS API-based antivirus scanning) and adds content-management functionality when you tie it to a third-party VS API-based message scanner.

ISA Server
ISA Server, the successor to Microsoft Proxy Server 2.0, provides more than a software-based packet-filter firewall and Web-content cache. (For an overview of ISA Server's features, see Sean Daily's Windows 2000 Magazine article "Microsoft's Stellar ISA Server," October 2000.) One new feature in ISA Server is smart application filters, such as the Message Screener, which let you create filters to intercept, block, analyze, modify, or redirect traffic in any protocol, including SMTP email. Although you might have been considering ISA for use as a software firewall, you might be pleasantly surprised to know that you can also use a smart application filter for basic content management.

The filter looks for a particular keyword string in incoming or outgoing SMTP messages. If the filter finds the string, the filter signals an ISA Server event and drops the message or adds a text string to the beginning of the message's subject line and passes the message along either to the intended recipient or to the administrator.

For ISA Server to perform content filtering on incoming mail, you must configure the server specially because the Message Screener isn't enabled by default. To install the Message Screener component during the initial ISA Server installation, select the Custom Install, then select Add-In Services to see the options that Figure 4 shows. After you install Message Screener (and restart your computer, if this is the initial installation of ISA Server), you can launch the ISA Management console from the Start menu.

If you've already installed ISA Server, you can add the Message Screener add-in services from Control Panel, Add/Remove Programs, ISA Server. In Microsoft Internet Security and Acceleration Server Setup, click Add/Remove, then select Message Screener from Add-in services.

To screen for certain keywords, you add the words to the SMTP application filter. Launch the ISA Management console by clicking Start, Programs, Microsoft ISA Server, then clicking ISA Management. When the console is running, the top node of the tree is Internet Security and Acceleration Server. Expand the Servers and Arrays node directly below the top node to find the server you want to configure (the display name is SERVER Array). Expand this node, and click the Publishing node. In the Taskpad view in the right pane, click the Secure Mail Server icon to launch the Mail Server Security Wizard. This wizard lets you publish Secure Sockets Layer (SSL) or default (i.e., nonsecure) mail for the following services: incoming or outgoing SMTP, incoming POP3, IMAP4, Network News Transfer Protocol (NNTP), and Exchange. You can use this option when you run the ISA Server directly on your Exchange server. If the ISA Server is your only SMTP server, you can't run the Message Screener; you must forward the mail to another SMTP server.

The next step is to configure the SMTP application filter. Click the Extensions node, then double-click the Application filters folder in the right pane. Now, double-click or right-click the SMTP Filter and select Properties. In this configuration area, you can enable filtering on attachments by filename, extension, or size. To add filtering keywords, select the Keywords tab, then click Add and type in a word you want to filter on. You can filter on words in the Message header, Message body, or Message header and body. Notice that you must enter the words or phrases one at a time. Unlike products from other vendors, the SMTP Filter doesn't have an import function to bring in an established list of offensive phrases from a file or vendor Web site. Therefore, you must be creative and aware of every possible offensive or naughty phrase! (In "Managing Your Email Content, Part 1," I discuss content-management software that provides an established list of offensive phrases.) Finally, from the drop-down list, select the action (Delete, Hold, or Forward) you want the filter to perform on the messages. You must manually enter the email address to which you want the messages forwarded; the filter doesn't resolve names from the Global Address List (GAL). Also notice that you can use an arrow to move the keywords up or down. Keyword order is crucial because the first match triggers the defined action. If you delete a message because it contains a certain word, the fact that a later keyword match would have forwarded the message to you is irrelevant. You won't receive the message.

I offer two words of caution. First, you can't verify the address to which the filter will forward the message; therefore, be sure that you enter a valid address. Second, any message that matches a keyword will trigger the action, so be sure that you really want to filter on the keyword you specify. Any content-management application can accidentally catch innocent messages (i.e., a false positive). To avoid losing valuable information, you can hold rather than delete blocked email messages. Unfortunately, holding messages imposes more work on the messaging system administrator, who must periodically check and purge the quarantined messages. The hold location for these messages is in the mailroot\badmail directory, which by default is in the Inetpub folder.
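The added example below (not code from the article or from ISA Server) models the SMTP Filter keyword rules described above: each keyword has a scope (header, body, or both) and an action (Delete, Hold, or Forward), the first matching keyword wins, Forward requires a manually typed address, and held messages land in the badmail directory. The rules, addresses, and messages are constructed for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    keyword: str
    scope: str            # "header", "body", or "both", as on the Keywords tab
    action: str           # "Delete", "Hold", or "Forward"
    forward_to: str = ""  # typed by hand; the filter does not resolve GAL names

# Constructed rule list; order matters because the first match triggers the action.
RULES = [
    Rule("confidential", "both", "Forward", "mailadmin@example.com"),
    Rule("free prizes", "header", "Delete"),
    Rule("confidential", "body", "Delete"),   # never reached: rule 0 already matched
]

def first_match(header, body, rules=RULES):
    """Return the first rule whose keyword appears in the selected scope."""
    h, b = header.casefold(), body.casefold()
    for rule in rules:
        kw = rule.keyword.casefold()
        if rule.scope == "header":
            hit = kw in h
        elif rule.scope == "body":
            hit = kw in b
        else:
            hit = kw in h or kw in b
        if hit:
            return rule
    return None

def screen(header, body, rules=RULES, badmail=r"\Inetpub\mailroot\badmail"):
    """Return (action, destination). Forward goes to the typed address, Hold to the
    badmail directory (constructed default path), Delete discards the message."""
    rule = first_match(header, body, rules)
    if rule is None:
        return ("Deliver", "recipient")
    if rule.action == "Forward":
        if not rule.forward_to:
            # The filter cannot verify the address, so at least refuse an empty one
            raise ValueError(f"rule {rule.keyword!r}: Forward needs an address")
        return ("Forward", rule.forward_to)
    if rule.action == "Hold":
        return ("Hold", badmail)
    return ("Delete", "")
```

Reordering RULES so that the body Delete rule precedes the Forward rule makes a "confidential" message disappear instead of reaching the administrator, which is the ordering trap the text warns about.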

After you configure application filtering, you need to configure your SMTP server to deny relaying for all servers except this server. This procedure varies with the SMTP service the server is running. To configure the Win2K SMTP service, launch Internet Services Manager (ISM) by clicking Start, Programs, Administrative Tools, Internet Services Manager. Double-click the server container, then right-click the Default SMTP Virtual Server and select Properties. On the Access tab, click Relay, then select All except the list below. Click Add to enter the computer, group of computers, or even the domain that is allowed to relay SMTP mail to this server. Close the Relay Restrictions dialog box by clicking OK. On the Delivery tab, click Advanced, and in the Smart host field, type the name of the mail server computer for all outbound messages if you use a single route.

In the beta version of ISA Server, when I installed the Message Screener component on a computer that wasn't the primary ISA Server, I had to run a script to configure the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IsaSmtpFltr\ServerName registry subkey. Although ISA Server Help says that you should run the setregs.vbs tool on the SMTP Server, Microsoft has replaced setregs.vbs with the smtpcred.exe tool in the isa\i386 folder on the ISA Server CD-ROM.

Third-Party SMTP Filters
To create a custom SMTP filter, you can refer to the ISA software development kit (SDK) documentation (http://www.microsoft.com/isaserver/features/sdk.htm), which contains an example with complete source code in C/C++. However, I found the example to be a great motivation to start looking at third-party plug-in applications. Companies such as Aladdin Systems, Baltimore Technologies, GFI, and Trend Micro are developing add-ins to allow SMTP filtering at the ISA Server. These companies all have a background in content filtering at SMTP servers. The Web-exclusive sidebar "Custom Solutions vs. Third-Party Solutions," InstantDoc ID 21174 on the Exchange Administrator Web site (http://www.exchangeadmin.com), gives you guidelines for deciding whether to build or buy applications such as SMTP filter software.

Like other SMTP filters, ISA also lets you configure a list of rejected users or DNS domains for controlling spam. ISA also helps against attacks (e.g., buffer overrun attacks)—a feature that you might not get in other content-management solutions. Microsoft is positioning ISA Server to be your main defense against all types of entry into your network.

Many Choices
These choices (i.e., Exchange 2000, SMTP servers, ISA Server, third-party applications, and the options I listed for Exchange Server 5.5 in "Managing Your Email Content, Part 1") give you a solid foundation for choosing an email content-management solution and its placement. Your current applications might already let you perform content management, or you might need to evaluate and purchase an add-in application. You need to base your decision on the level of control over the flow of email that you want to develop, whether it's simple blocking of junk email or more advanced filtering and routing functionality.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com.

SEAN DAILY
"Microsoft's Stellar ISA Server," October 2000, InstantDoc ID 15477
TONY REDMOND
"The Great Antivirus Crusade," April 2001, InstantDoc ID 20076