- Nolisting (non-Exchange spam fighting method)
- Exchange IMF
- Exchange Sender/Recipient Filtering
- Exchange Connection Filtering
- Barracuda Networks DNSBL goes public
- Tip on closing Exchange vulnerability
- Vamsoft ORF (Open Relay Filter)
I will start off with something non-Exchange related - Nolisting!!! This looks like a wonderful spam prevention technique that only requires that you have your own domain and control over the MX records.
Nolisting involves creating 2 fake MX records that point at nowhere. Spammers will usually attempt to send to only one server and abandon the attempt if it fails. Normally they send to the highest-priority server (the one with the lowest preference number), but some spammers seem to be taking a new approach of pinpointing the lowest-priority server, on the assumption that only the primary server will have a spam filtering system. My method will nix both of those attackers.
For my domain I have created the following MX mail records:
- Priority 1 dummyserver.smpltechno.com
- Priority 20 mail.smpltechno.com
- Priority 30 backupmail.smpltechno.com
- Priority 40 dummyserver2.smpltechno.com
My true mail server is the 2nd one; the dummy servers are simply that, records that point to a non-existent server name. Read more on Nolisting here.
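The effect of this MX layout on different senders can be modelled offline. The following is an added example, not code from the original post: the three sender strategies are simplified assumptions, and `accepts_smtp` is a hypothetical stand-in for a real connection attempt to port 25.

```python
from typing import Callable, List, Optional, Tuple

MX = List[Tuple[int, str]]  # (preference, hostname); lower preference is tried first

# MX records as listed in the post.
MX_RECORDS: MX = [
    (1, "dummyserver.smpltechno.com"),
    (20, "mail.smpltechno.com"),
    (30, "backupmail.smpltechno.com"),
    (40, "dummyserver2.smpltechno.com"),
]

# Constructed reachability: only the two real servers answer on port 25.
LIVE_HOSTS = {"mail.smpltechno.com", "backupmail.smpltechno.com"}


def accepts_smtp(host: str) -> bool:
    """Stand-in for a TCP connect to port 25 (no network access needed)."""
    return host in LIVE_HOSTS


def deliver(mx: MX, strategy: str,
            connect: Callable[[str], bool] = accepts_smtp) -> Optional[str]:
    """Return the host that took the message, or None if the sender gave up."""
    ordered = sorted(mx)  # ascending preference number = descending priority
    if strategy == "primary_only":      # one attempt at the top-priority MX
        candidates = ordered[:1]
    elif strategy == "last_mx_only":    # one attempt at the lowest-priority MX
        candidates = ordered[-1:]
    elif strategy == "rfc_compliant":   # walk the list until a host answers
        candidates = ordered
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    for _, host in candidates:
        if connect(host):
            return host
    return None


def audit(mx: MX, connect: Callable[[str], bool] = accepts_smtp) -> dict:
    """Map each sender strategy to the host it delivers to (None = no delivery)."""
    strategies = ("primary_only", "last_mx_only", "rfc_compliant")
    return {s: deliver(mx, s, connect) for s in strategies}


if __name__ == "__main__":
    print(audit(MX_RECORDS))
```

Running `audit` on only the two real records shows the contrast: both single-attempt strategies then reach a live server.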
On to Exchange Spam fighting with native tools:
Exchange 2003 SP2 comes with some new filtering tools to help you significantly fight spam. To configure these filters go to the Exchange System Manager and open the Message Delivery Properties under Global Settings.
First off I will start with the most basic spam prevention filter, Recipient Filtering. This will not do any real active spam blocking, but by checking the box that says "Filter recipients that are not in Active Directory", you can aid in preventing directory harvests, which spammers use to list out all the addresses in use. You can also use it to prevent certain users from receiving outside email.
Next in line is the Sender Filter tab. You will want to check the box that says "Filter messages with blank sender." If you don't know them, block 'em. You can also use this tab to block individual spammers, but this would be a very tedious method of blocking spam.
On to the hardcore spam killers: Intelligent Message Filtering (IMF) uses heuristics to analyze each message and assigns it a score, the Spam Confidence Level (SCL). Filtering is then performed on 2 thresholds: if the score is equal to or higher than the first setting, the message is filtered at the gateway; the second threshold sends the message to the Junk Mail folder in Outlook. Lowering these 2 thresholds fights more spam but raises the chance of false positives. I have set mine to very minimum scores: 9 or higher will reject messages at the gateway, and 8 will send them to the Junk Mail folder in Outlook. It is recommended that you read the manual on IMF and filtering here. I should also mention this gets updated bi-monthly through Microsoft Update; an alternative update script can be found here.
Finally, probably the most useful filter is the Connection Filter, which uses Realtime Block Lists (RBL), aka DNS Blacklists, to look up a sending server's address to see if it is a known spammer.
There are several organizations that publish these DNS blacklists, but today we will be using the new Barracuda RBL, which they have just recently opened for public use. Barracuda Networks manufactures industrial spam filtering gateways that sit in front of your mail server; if you don't have Exchange and can't use ORF, it's a good alternative. To use this list you must register on their site and list the IP of any server that will be using the list. Go to the Connection Filter tab and click Add to configure your blacklist provider like the image shown. This is most likely the most efficient method of preventing spam, as users will never have to review messages blocked by the Connection Filter, and many spammers are on these lists.
Now that all your filters are configured, you need to enable them. In the Exchange System Manager, expand Servers > Your Server > Protocols > SMTP and open the Properties for the SMTP Virtual Server. On the General tab, click the Advanced button, click the Edit button, and check off the filters you wish to use.
While in the SMTP Virtual Server properties, it is well advised that you disable external relaying. Click the Access tab and click the Relay button. In here, unless you know what you're doing, only your subnet should be allowed to relay, and you should uncheck the box that says "Allow any authenticated user to relay". Left checked, this could allow a weak account to be hijacked by external spammers, allowing them to use your server as a spam sending monster.
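What a connection filter does for each inbound connection can be shown in a few lines. This is an added example, not part of the original post or of Exchange: the zone `dnsbl.example.org` is a placeholder for the name your blacklist provider gives you, and the sample answers are constructed so the check runs without live DNS.

```python
import ipaddress
import socket
from typing import Callable, Optional

DNSBL_ZONE = "dnsbl.example.org"  # placeholder zone, not a real provider

# Constructed answers standing in for live DNS (documentation addresses).
SAMPLE_ZONE_DATA = {
    "10.2.0.192.dnsbl.example.org": "127.0.0.2",     # listed sender
    "7.113.0.203.dnsbl.example.org": "198.51.100.1",  # bogus, non-loopback answer
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNS name that is looked up for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))        # 192.0.2.10 -> 10.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: reversed hex nibbles
    return ".".join(labels) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the OS resolver; None means no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN, but also lookup failures: this path fails open


def check_sender(ip: str, zone: str = DNSBL_ZONE,
                 resolve: Callable[[str], Optional[str]] = system_resolver) -> str:
    """Return 'reject', 'accept' or 'error' for a connecting IP."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "accept"   # no record: the sender is not on the list
    if answer.startswith("127."):
        return "reject"   # DNSBLs signal a listing with a 127.0.0.0/8 address
    return "error"        # any other answer means the zone or resolver is lying


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.5", "203.0.113.7"):
        print(sender, check_sender(sender, resolve=SAMPLE_ZONE_DATA.get))
```

The `error` branch matters in practice: a resolver that rewrites NXDOMAIN into a search-page address would otherwise make every sender look listed.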
Once finished you must stop/restart the SMTP Virtual Server for the settings to take effect. Here is a block diagram that shows how messages flow through the different filtering points:
The above settings should aid in dramatically reducing spam, but if you find your users are still receiving significant amounts of unwanted email, you may need to move on to some 3rd party filtering. I have tried many different platforms for spam filtering, and there is ONLY ONE....
Vamsoft Open Relay Filter for Exchange
I have tried programs from GFI, Symantec, Trend Micro, Sonicwall, and many others, but only ORF provides all the features at a light price, in a lightweight package that will nearly eliminate even the largest bulks of bulk mail with a very low false positive rate. A new release has just come out with some great new features.
- DNS Blacklists
- Automatic whitelists - if you send to them, they must be on the list
- Sender/recipient/IP blacklists/whitelists
- SPF lookups
- Keyword filtering with regular expressions
- Attachment filtering with regular expressions
- URL blocklists - HTML emails are scanned for known URLs of spammers
- Tarpit delays
- Greylisting
- New! Honeypot test - if a spammer sends to a dummy address you set they are banned
- Integration with external apps like antivirus scanners
- Quick import/export of settings to transfer golden settings to other servers
- SQL integration for reports and list management if needed
- Excellent reporting tools
Some of the other great features of ORF that I have yet to find in other programs:
- One low price from SBS to Exchange Enterprise
- Low footprint: 15-30 MB RAM and low CPU usage
- No annual fee, one-time license
Finally here is a great article from Vamsoft (if you are using ORF) on preventing spam that shows your address for both the sender and recipient. You might look at some of the other spam related articles here if you are interested in other ways to prevent spam.