Step-by-Step Guide

Step 6: Configure Edge Transport server email filtering agents

The Edge Transport server that we've configured so far serves no real purpose other than to isolate your back-end Exchange servers from the Internet. You can make your Edge Transport server much more useful by configuring it to filter out spam, viruses and malware prior to it arriving at your Hub Transport server.

First, you need to understand though that all filters on an Edge Transport server are enabled automatically by default. What this means is that if you create a filter, it immediately goes into effect.

Over time, you can gradually filter messages more aggressively as you are able to confirm that legitimate email messages are not being filtered out. Of course, you have the option to disable filters, but doing so allows messages that would normally be filtered to pass into your Exchange 2007 organization.

Edge Transport servers filter spam and malware by making use of connection filters. Any messages flowing into the Edge Transport server's receive connector is processed by the Connection Filtering Agent. It's the Connection Filtering Agent's job to filter out spam and malware prior to messages being delivered to the recipient.

When you open the Exchange Management Console on an Edge Transport server, you will notice that there are only two available containers: Edge Transport and Toolbox. When you select the Edge Transport container, the details pane will display the various options for creating a filter, as shown in Figure D.

    Requires Free Membership to View

Figure D: You can create several different types of filters.

Notice that the bottom portion of the details pane contains a series of tabs. The Antispam tab is selected by default; it allows you to create several different types of spam filters.

Content filtering

One of the most useful spam filters is the Content filter. Its job is to use a mathematical algorithm to determine the probability of an email message being spam, and then filter it accordingly. The content filter uses the same Spam Confidence Level (SCL) ratings as Microsoft Outlook.

You can access the content filter by right clicking on Content Filtering and selecting Properties. The properties sheet contains three tabs that are worth paying attention to: Custom Words, Exceptions, and Action.

  • The Custom Words tab allows you to enter words or phrases that can be used to flag an email message as spam. For example, you might enter phrases such as "online casino," "herbal Viagra," or "Bank of Nigeria." Keep in mind though that using the custom word filter has limited effectiveness because most spam messages are designed to avoid using trigger phrases.

  • The Exceptions tab allows you to enter email addresses that the content filter should ignore. For example, if you have a sales email address and you want to make sure that no legitimate messages are ever accidentally filtered as spam, you could enter that mailbox's email address on the Exceptions tab.

    Exceptions are applied on a filter by filter basis. So entering an email address into the Exceptions tab will keep the content filter from blocking email messages sent to that mailbox -- but it will not prevent other filters from blocking email messages.

  • By far the most important tab on the Content Filtering properties sheet is the Action tab, shown in Figure E. The Action tab allows you to set thresholds at which a message should be considered as spam. This tab allows you to delete, reject, or quarantine messages based on their SCL rating. A message's SCL rating is based on the percentage chance that the email message is spam. For example, a message with an SCL rating of 9 is 90% likely to be spam, while a message with an SCL rating of 3 has only a 30% chance of being spam.

Figure E: You can set the threshold at which a message should be filtered.

It is usually best to initially configure an Edge Transport server to provide minimal filtering and then gradually increase the aggressiveness of the filtering over time as you begin to understand the impact of the various filters.

Initially, I recommend only filtering messages with an SCL rating of 8 or higher. I tend to be a little bit conservative though. The default settings have a more aggressive SCL rating of 7 or higher.

IP filtering

Edge Transport server also filter spam by looking at the sender's IP address. There are four different filters that are designed to filter messages based on IP address: IP Allow List, IP Allow List Providers, IP Block List, and IP Block List Providers

  • The IP Allow List allows you to enter the IP addresses of senders whose messages should never be treated as spam. For example, if you are worried about losing important email messages from customers, you might enter the IP address of your customer's mail server.

  • The IP Allow List Providers section lets you specify any IP allows list providers that you want to use. IP allow list providers maintain lists of domains that are virtually guaranteed to never send spam. Exchange Server is able to cross-reference these lists in an effort to determine whether or not spam is known to come from the sender's domain.

  • The IP Block List is designed to allow you to enter the IP addresses of mail servers from which messages should always be treated as spam. You can enter individual IP addresses or entire ranges of addresses.

  • The IP block List Providers section works similarly to the IP Allow List Providers section -- except that it allows you to enter the name of any block list providers that you want to use. An example of such a provider is Spamhaus, which maintains a list of domains from which spam is known to originate.

    Like the content filter, the IP Block List Providers filter also allows you to create an exceptions list in case you don't want the filter to apply to certain mailboxes. The IP Block List filter does not offer the ability to use exceptions.

Recipient filtering

Recipient filtering blocks email messages sent to specific recipients. This is useful if you have Exchange Server mailboxes that should never receive email from the outside world. You can use recipient filtering to prevent email messages from being sent to individual mailboxes or to entire domains.

As you can see in Figure F, the Recipient Filtering properties sheet also allows you to block any email message sent to a recipient who is not listed in the Exchange Global Address List.

Figure F: You can block messages sent to specific mailboxes or domains.

Sender filtering

Sender filtering works by allowing you to filter email messages from specific senders. This filter is very flexible in that it allows you to enter individual email addresses, entire domains, or even whole domain ranges. This means that you could block a specific domain, such as Contoso.com, or you could block all domains within a specific domain hierarchy, such as .com or .net.

The Sender Filtering properties sheet contains an Action tab that lets you control what happens when a blocked sender sends an email message to your Exchange Server organization. By default, the message is rejected, but you have the option of stamping the message with a Blocked Sender stamp and processing the message any way.

Sender ID filtering

Sender ID filtering is designed to prevent domain spoofing techniques that are commonly used by spammers and in phishing scams. Sender ID works by comparing the IP address from which a message has originated against a list of the IP addresses of mail servers that the domain's owner has authorized to send email on behalf of the domain.

By default, the Edge Transport server is configured to stamp messages with the Sender ID result and then continue processing the email. The reason for this is that, although Sender ID screening is an effective antispam technique, Sender ID technology has yet to be widely adopted. Many senders have not yet registered their mail server addresses.

Sender Reputation filtering

The Sender Reputation filter is one of the more interesting filters. It can collect information about recent email messages received from individual senders and domains. If the sender or the domain has been a source for spam, then the sender's reputation is decreased.

In addition to message history, a sender's reputation is also based on whether or not the sender's mail server is configured as an open proxy. When a message is received from a sender, Exchange Server uses the sender's SMTP address to perform a test against the sender's mail server to determine whether or not it is configured as an open proxy, as shown in Figure G. If the server is an open proxy, the sender's reputation is decreased.

Figure G: You can see if a sender's mail server is configured as an open proxy.

The Sender Reputation filter allows you to set a sender reputation threshold value. When this threshold value is exceeded, the sender is temporarily added to the IP Block List. As you can see in Figure H, Exchange Server allows you to control the duration of the block.

Figure H: You can block senders with bad reputations for any length of time.


HOW TO INSTALL AND CONFIGURE AN EDGE TRANSPORT SERVER

 Home: Introduction
 Step 1: How an Edge Transport server works
 Step 2: Install the Edge Transport server
 Step 3: Create an Edge Subscription
 Step 4: Replicate Active Directory data to the Edge Transport server
 Step 5: Verify communication with the Hub Transport server
 Step 6: Configure Edge Transport server email filtering agents
 Step 7: Set up Edge Transport server advanced content-filtering features

ABOUT THE AUTHOR:   
Brien M. Posey, MCSE
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

This was first published in June 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: