Approaches to Fighting Spam in an Exchange Environment Greg Taylor
Approaches to Fighting Spam in an Exchange Environment Greg Taylor Senior Consultant - MCS
What We Will Cover:
– Anti-Spam Tools in Exchange 2003
– Smart Screen Technology
– Controlling UCE with Intelligent Message Filter
– Administration and Monitoring IMF
– Some Recommended Best Practices (and tips!)
Prerequisite Knowledge (Level 200):
– Experience supporting Microsoft Networks
– Experience administering Exchange Server 2003
– Experience using and supporting Outlook
Agenda:
– Preparing for and Installing IMF
– Enabling and Configuring IMF
– Administering IMF
– Monitoring and Troubleshooting IMF
– Some Recommended Best Practices
What is Spam?
– Unsolicited Commercial E-mail (UCE)
– More than 70% of email traffic
– Costly use of resources: IT and personnel
– Potentially offensive
The Problem: spam volume and variety are growing.
– 2 billion spam messages per day worldwide (Radicati).
– 36% of all Internet e-mail vs. 8% last year (Brightmail).
– Spammers constantly change their attacks.
– ISPs have been hit hard: up to 90% of MSN/Hotmail messages are spam; AOL estimates over 30% spam.
– Affects mobile devices and desktop computers.
– Threat: spam overruns users' mailboxes and devices, destroying e-mail's value as a communication medium.
The Problem Source: http://www.brightmail.com/spamstats.html
The Problem Source: http://www.messagelabs.com/emailthreats/
The Problem at Microsoft:
– Internally we send 3 million messages a day to each other.
– 10 million messages are delivered to Microsoft from the Internet each day, with only 1 million of those being delivered after message hygiene.
– Bill Gates has his own server that only a couple of administrators have access to, directly at the server; it is permanently under lock and key and has a security camera facing it.
– Bill Gates is the world's most spammed man: he receives four million e-mails daily, most of them spam, and is probably the most 'spammed' person in the world.
Microsoft's Anti-UCE Strategy:
– Innovative Technologies
– Industry Self-Regulation and Cooperation
– Working with Governments
Exchange 2003 Anti-Spam Tools:
– Accept and Deny lists (and Tarpitting)
– Block Lists
– Recipient Filtering
– Sender Filtering
– Intelligent Message Filtering
Exchange 2003 Anti-Spam Tools (diagram): inbound mail passes the Accept/Deny Lists, Block Lists, Recipient Filter, Sender Filtering and the Intelligent Message Filter before reaching the Information Store.
Exchange 2003 Anti-Spam Tools: filter points
Feature                     | Filter Point
Accept/Deny Lists           | SMTP Session
Block Lists                 | SMTP Session
Exchange Sender Filter      | SMTP Gateway
Recipient Filtering         | SMTP Gateway
Intelligent Message Filter  | Gateway/User Mailbox
The slide also plots Resource Cost against these filter points.
Intelligent Message Filtering
– Utilizes Smart Screen machine learning
– Applied at the gateway: marks each message with a Spam Confidence Level (SCL) rating
– The rating is utilized throughout the mail stream
– Scans headers, message body and other attributes
Smart Screen In Use
– Hotmail and MSN: 82% of incoming mail filtered
– Outlook 2003: Junk E-mail folder
– Third-party products can utilize it
– Exchange Server 2003: Intelligent Message Filter
Smart Screen and Third Party Tools
– Spam Confidence Level: read the level and act upon it; write to and normalize the SCL
– Some partners: Symantec (Brightmail), Mail-filters.com, Policy Patrol by Red Earth Software
SCL Ratings
Uses technology from Microsoft Research to provide each received message with a Spam Confidence Level (SCL) indicating the likelihood that the message is UCE. The SCL is the normalized value assigned to a message that indicates, based on the characteristics of the message (such as the content, message header, and so forth), the likelihood that the message is spam. There are eleven values available to categorize spam, as outlined in the following table.
SCL Value | Spam Categorization
-1        | Reserved by Microsoft Exchange Server 2003 for messages submitted internally. A value of -1 should not be overwritten, because this value is used to eliminate false positives for internally submitted e-mail.
0         | Assigned to messages that are not spam.
1         | Extremely low likelihood that the message is spam.
...       | (ranging up to)
9         | Extremely high likelihood that the message is spam.
Smart Screen and IMF in Action (diagram): Gateway Server (Smart Screen algorithm stamps SCL 8 and SCL 5), 3rd Party Tools, Mailbox Store Server (SCL 5), Client.
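The flow the diagram shows, gateway rating, gateway action, then the store's Junk E-mail decision, written out as an added worked example. This is illustrative code for the talk, not part of the presentation or of Exchange: the threshold values (gateway 7, store 4), the "filter score" standing in for the Smart Screen output, and the four messages are all constructed. The threshold comparisons follow the IMF gateway and store settings ("at or above"), and the reserved -1 is never overwritten, as the SCL table states.

```python
"""Added example (not from the presentation or from Exchange): how an SCL
stamped at the gateway drives the gateway action and the mailbox store's
Junk E-mail decision, and why the reserved -1 is never overwritten.
Thresholds, actions and messages below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_SCL = -1           # reserved for internally submitted mail
GATEWAY_ACTIONS = ("no action", "archive", "reject", "delete")


@dataclass
class Message:
    sender: str
    subject: str
    internal: bool = False  # submitted by an authenticated internal user
    scl: Optional[int] = None


def stamp_scl(msg: Message, filter_score: int) -> Message:
    """Gateway step: record the filter's rating, clamped to 0..9. Internally
    submitted mail keeps -1 so it can never be treated as spam downstream."""
    msg.scl = INTERNAL_SCL if msg.internal else max(0, min(9, filter_score))
    return msg


def gateway_action(msg: Message, threshold: int, action: str) -> str:
    """Gateway threshold: ratings at or above `threshold` receive `action`;
    everything else (and all -1 mail) is delivered on to the store."""
    if action not in GATEWAY_ACTIONS:
        raise ValueError(f"unknown gateway action {action!r}")
    if msg.scl is None:
        raise ValueError("message has not been rated yet")
    if msg.scl == INTERNAL_SCL or msg.scl < threshold or action == "no action":
        return "deliver"
    return action


def store_disposition(msg: Message, junk_threshold: int) -> str:
    """Mailbox store step: ratings at or above the store threshold go to the
    user's Junk E-mail folder; lower ratings and -1 go to the Inbox."""
    if msg.scl is None or msg.scl == INTERNAL_SCL or msg.scl < junk_threshold:
        return "Inbox"
    return "Junk E-mail"


def process(rated: List[Tuple[Message, int]], gateway_threshold: int,
            action: str, store_threshold: int) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run each (message, filter score) pair through both stages.
    Returns {subject: (gateway outcome, folder or None if stopped at gateway)}."""
    if store_threshold > gateway_threshold:
        # a gateway threshold below the store threshold would make the store
        # setting unreachable: everything it would junk is already blocked
        raise ValueError("store threshold must not exceed the gateway threshold")
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for msg, score in rated:
        stamp_scl(msg, score)
        outcome = gateway_action(msg, gateway_threshold, action)
        folder = store_disposition(msg, store_threshold) if outcome == "deliver" else None
        results[msg.subject] = (outcome, folder)
    return results


# Constructed sample: the filter score stands in for the Smart Screen output.
SAMPLE: List[Tuple[Message, int]] = [
    (Message("promo@example.test", "Cheap offer"), 8),
    (Message("news@example.test", "Newsletter"), 5),
    (Message("alice@corp.example", "Project update", internal=True), 9),
    (Message("bob@partner.example", "Invoice"), 2),
]


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    # Gateway rejects at SCL >= 7, store junks at SCL >= 4 (constructed values).
    return process(SAMPLE, gateway_threshold=7, action="reject", store_threshold=4)


if __name__ == "__main__":
    for subject, (outcome, folder) in demo().items():
        print(f"{subject:15} gateway={outcome:8} folder={folder}")
```

With these constructed thresholds the SCL 8 message is rejected at the gateway, the SCL 5 message passes the gateway and lands in Junk E-mail, and the internally submitted message reaches the Inbox even though the filter would have rated it 9, which is exactly the false-positive protection the -1 value exists for.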
IMF in a Pure Microsoft Environment (diagram): Exchange intranet servers behind Exchange gateway servers.
IMF Availability and Installation
– Free download for Exchange users: www.microsoft.com/exchange/imf
– IMF installation on gateway Exchange servers
– Management tools on the administration machine
System Requirements
– Hardware: minimum 256 MB RAM, 1 GB RAM recommended; 500 MB on the Exchange volume; 200 MB on the system drive
– Security: Disable Authentication
– Outlook 2003 (recommended)
– .NET
– Administrator account
Cross Forest Authentication I (diagram): SCL passed between Forest 1 and Forest 2.
Cross Forest Authentication II (diagram): SCL passed between Forest 1 and Forest 2.
Demonstration: Installing Intelligent Message Filter
– Exchange 2003 UCE Control Features
– Preparing for IMF
– Installing IMF
– Cross Forest Authentication
Agenda:
– Preparing for and Installing IMF
– Enabling and Configuring IMF
– Administering IMF
– Monitoring and Troubleshooting IMF
– Some Recommended Best Practices
Configure IMF
Intelligent Message Filter in Action (diagram): Internet, Gateway (message rejected at the gateway), Mailbox Store Server (Junk E-mail Folder or Inbox).
Pre-July 2004 Messaging Hygiene Infrastructure (diagram)
1. Sender and recipient filtering
2. Intelligent Message Filter
3. Third-party antispam
4. Virus scanning with attachment filtering
Legend: Internet e-mail SMTP traffic; Exchange Server 2003 gateway server with antispam; dedicated antivirus server; Exchange Server 2003 SMTP routing server; Exchange Server 2003 mailbox server; Outlook 2003 client.
Current Messaging Hygiene Infrastructure (diagram)
1. Third-party block list
2. Sender and recipient filtering
3. Intelligent Message Filter
4. Virus scanning with attachment filtering
Legend: Internet e-mail SMTP traffic; Exchange Server 2003 gateway server with antispam; Exchange Server 2003 SMTP routing server with antivirus; Exchange Server 2003 mailbox server; Outlook 2003 client.
Demonstration: Enabling and Configuring IMF
– Setting up the gateway
– Enabling IMF on virtual servers
– Configure Outlook 2003
– Configure Outlook Web Access 2003
http://www.microsoft.com/uk/technet 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Agenda:
– Preparing for and Installing IMF
– Enabling and Configuring IMF
– Administering IMF
– Monitoring and Troubleshooting IMF
– Some Recommended Best Practices
Modifying Registry Settings
– Archive location
– Marking SCL on archived messages
– Authenticated connections
– Number of blocked senders
Archiving Filtered E-mail
– Volume of UCE
– Default location: <root>\Program Files\Exchsrvr\Mailroot\vsi n\UCEArchive
– To resubmit archived messages, move the files to the \Mailroot\vsi 1\Pickup directory.
– Registry setting: HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\ArchiveDir
Marking SCL on Archived Messages
– Not affixed by default
– Use it to test and tune IMF
– Registry setting: HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\ArchiveSCL
IMF on Authenticated Connections
– Normally a trusted source
– Situation: a trusted forest has an open relay, allowing it to be utilized by spammers.
– Registry setting: HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\CheckAuthSessions
Number of Blocked and Safe Senders
– Metadata stored on the Exchange server
– Default is 510 KB, around 2,000 entries
– Registry setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\Max Extended Rule Size
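The four registry settings from these slides, rendered as one .reg file that can be reviewed and imported on the gateway, as an added example. This is not code from the presentation or from Microsoft: the registry paths are the ones on the slides, but the value types (REG_DWORD for the two flags and the rule size, REG_SZ for the archive path) and the sample values (D:\UCEArchive, 1 MB) are assumptions made here for the illustration. The parser reads the file back so the settings can be diffed against what is actually deployed.

```python
"""Added example (not from the presentation or from Exchange): render the
IMF registry settings named on the slides as a .reg file that can be imported
with reg.exe, and parse such a file back for review.  Registry paths come
from the slides; the value types (REG_DWORD for flags and sizes, REG_SZ for
the archive path) and the sample values are assumptions made here."""
import re
from typing import Dict, Union

RegValue = Union[str, int]   # str -> REG_SZ, int -> REG_DWORD

# Constructed settings; the numbers are examples, not recommendations.
IMF_SETTINGS: Dict[str, Dict[str, RegValue]] = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter": {
        "ArchiveDir": r"D:\UCEArchive",   # archive off the system drive
        "ArchiveSCL": 1,                  # stamp the SCL on archived messages
        "CheckAuthSessions": 1,           # also filter authenticated sessions
    },
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem": {
        "Max Extended Rule Size": 1048576,  # bytes; slide: default 510 KB, ~2,000 entries
    },
}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def _render_value(value: RegValue) -> str:
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError(f"unsupported registry value {value!r}")
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("REG_DWORD must fit in 32 bits")
        return f"dword:{value:08x}"
    # .reg string syntax escapes backslashes and double quotes
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _parse_value(text: str) -> RegValue:
    if text.startswith("dword:"):
        return int(text[len("dword:"):], 16)
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", text[1:-1])
    raise ValueError(f"unsupported value syntax: {text}")


def render_reg(settings: Dict[str, Dict[str, RegValue]]) -> str:
    """Produce the text of a .reg file (CRLF line endings, as regedit writes)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in settings.items():
        lines.append(f"[{key}]")
        for name, value in values.items():
            lines.append(f'"{name}"={_render_value(value)}')
        lines.append("")
    return "\r\n".join(lines)


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Read a .reg file back into the same structure render_reg consumes."""
    settings: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            settings[current] = {}
            continue
        match = _VALUE_LINE.match(line)
        if current is None or not match:
            raise ValueError(f"unexpected line: {raw}")
        settings[current][match.group(1)] = _parse_value(match.group(2))
    return settings


if __name__ == "__main__":
    print(render_reg(IMF_SETTINGS))
```

Keeping the settings in one reviewed file rather than editing them by hand on each gateway makes it easy to spot an archive directory left on the system drive or a CheckAuthSessions flag that was never set on the server facing the open relay.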
Demonstration: Administering IMF
– Changing the archive location
– Storing the SCL rating of archived messages
– Filtering messages through authenticated connections
– Setting the size of rules
Agenda:
– Preparing for and Installing IMF
– Enabling and Configuring IMF
– Administering IMF
– Monitoring and Troubleshooting IMF
– Some Recommended Best Practices
Set Logging Level
Event Viewer
– Event ID 7512 (Informational): a message was filtered at the gateway.
– Event ID 7513 (Informational): Intelligent Message Filter was installed or updated. The event message includes the update version number.
– Event ID 7514 (Error): an error occurred while installing or updating Intelligent Message Filter.
– Event ID 7515 (Error): Intelligent Message Filter was unable to filter a message. Possible causes are corrupted or malformed messages.
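The four event IDs above are what an operator would watch for; as an added example (not part of the presentation, and not a real Exchange log export), here is a small summarizer over a constructed text export. The line layout (date, time, level, event ID, message) and the version string in the 7513 line are constructed for the illustration; the event IDs and their meanings are the ones on the slide.

```python
"""Added example (not from the presentation): summarize IMF events exported
from the Event Viewer.  The log lines below are constructed in a simple
'date time level id message' layout, not a real Exchange export; the event
IDs and their meanings are the ones listed on the slide."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Meanings from the slide
IMF_EVENTS = {
    7512: ("Informational", "message filtered at the gateway"),
    7513: ("Informational", "filter installed or updated"),
    7514: ("Error", "error installing or updating the filter"),
    7515: ("Error", "unable to filter a message (corrupt or malformed?)"),
}

# Constructed sample export
SAMPLE_LOG = """\
2005-03-01 08:00:01 Information 7512 A message was filtered at the gateway.
2005-03-01 08:00:09 Information 7512 A message was filtered at the gateway.
2005-03-01 08:01:30 Information 7513 Intelligent Message Filter was installed or updated. Version: 9.9.9-example
2005-03-01 08:02:00 Error 7515 Intelligent Message Filter was unable to filter a message.
2005-03-01 08:02:04 Error 7515 Intelligent Message Filter was unable to filter a message.
2005-03-01 09:00:00 Information 7512 A message was filtered at the gateway.
2005-03-01 09:10:00 Information 4000 Unrelated event from another component.
"""

_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2}) (\w+) (\d+) (.*)$")


@dataclass
class Event:
    hour: str       # 'YYYY-MM-DD HH', the bucket used for rates
    level: str
    event_id: int
    message: str


def parse_log(text: str) -> List[Event]:
    events = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue   # skip headers and blank lines
        date, hh, _mm, _ss, level, eid, msg = m.groups()
        events.append(Event(f"{date} {hh}", level, int(eid), msg))
    return events


def summarize(events: List[Event]) -> Dict[str, object]:
    imf = [e for e in events if e.event_id in IMF_EVENTS]
    by_id = Counter(e.event_id for e in imf)
    versions = [m.group(1) for e in imf if e.event_id == 7513
                for m in [re.search(r"Version:\s*(\S+)", e.message)] if m]
    filtered_per_hour = Counter(e.hour for e in imf if e.event_id == 7512)
    return {
        "filtered": by_id[7512],
        "updates": versions,
        "install_errors": by_id[7514],
        "filter_failures": by_id[7515],
        "filtered_per_hour": dict(filtered_per_hour),
    }


def alerts(events: List[Event], max_failures_per_hour: int = 1) -> List[str]:
    """Flag every install/update error and any hour in which the filter
    failed on more than `max_failures_per_hour` messages (constructed limit)."""
    out = [f"{e.hour}: event 7514, {IMF_EVENTS[7514][1]}"
           for e in events if e.event_id == 7514]
    failures = Counter(e.hour for e in events if e.event_id == 7515)
    for hour, n in sorted(failures.items()):
        if n > max_failures_per_hour:
            out.append(f"{hour}: {n} messages could not be filtered (event 7515)")
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    print(alerts(parsed))
```

A burst of 7515 events is worth a look even though each one is logged as an error on a single message: unfiltered mail passes straight to the store, so the failure rate per hour, not the individual event, is the number to alert on.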
Performance Counters
– Record the amount of spam filtered: Total Messages Scanned for UCE; Total Messages Acted Upon
– Discover the range of SCL scores: Total Messages Assigned an SCL Rating of [0-9]
– Determine IMF performance: Total Messages Scanned/sec
Tuning Thresholds
– Set the gateway threshold to "No Action"
– Use Performance Monitor to judge mail flow: % UCE out of Total Messages Scanned; Total Messages Assigned an SCL Rating of [0-9]
– With the performance data, set the thresholds to catch the bulk of UCE.
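The tuning procedure above, carried through on numbers, as an added example: run with "No Action", read the ten "Total Messages Assigned an SCL Rating of [0-9]" counters, then pick thresholds from the resulting histogram. Neither the code nor the heuristic is from the presentation or from Microsoft: the counter snapshot is constructed, and the rule used here (store threshold at the emptiest bucket between the legitimate and spam modes, gateway threshold at the highest rating that still covers 90% of everything rated at or above the store threshold) is one reasonable reading of "catch the bulk of UCE", not a documented recommendation.

```python
"""Added example (not from the presentation): turn the 'Total Messages
Assigned an SCL Rating of [0-9]' counters, collected while the gateway
threshold is set to 'No Action', into a store and a gateway threshold.
The valley heuristic and the sample counter values are constructed here,
not Microsoft's recommendation."""
import re
from typing import Dict, List, Tuple

_COUNTER = re.compile(r"Total Messages Assigned an SCL Rating of (\d)$")

# Constructed snapshot of the performance counters (message counts per SCL).
SAMPLE_COUNTERS: Dict[str, int] = {
    f"Total Messages Assigned an SCL Rating of {i}": n
    for i, n in enumerate([4200, 1800, 600, 250, 90, 60, 140, 900, 2300, 3100])
}


def histogram_from_counters(counters: Dict[str, int]) -> List[int]:
    """Return counts indexed by SCL 0..9, ignoring unrelated counters."""
    hist = [0] * 10
    for name, value in counters.items():
        m = _COUNTER.search(name)
        if m:
            hist[int(m.group(1))] = int(value)
    return hist


def share_at_or_above(hist: List[int], threshold: int) -> float:
    """'% UCE out of Total Messages Scanned' if `threshold` were the cut-off."""
    total = sum(hist)
    return sum(hist[threshold:]) / total if total else 0.0


def suggest_thresholds(hist: List[int], bulk: float = 0.9) -> Tuple[int, int]:
    """Heuristic: spam and legitimate mail form two modes in the histogram.
    Store (Junk E-mail) threshold = the emptiest bucket between the modes.
    Gateway threshold = the highest rating whose bucket and those above it
    still hold `bulk` of everything rated at or above the store threshold,
    so the gateway catches the bulk of UCE and borderline mail goes to Junk."""
    if len(hist) != 10 or any(n < 0 for n in hist):
        raise ValueError("expected ten non-negative counts for SCL 0..9")
    low_peak = max(range(0, 5), key=lambda i: hist[i])
    high_peak = max(range(5, 10), key=lambda i: hist[i])
    between = range(low_peak + 1, high_peak)
    if not between:
        raise ValueError("no valley between the modes; collect more data")
    store = min(between, key=lambda i: hist[i])
    uce_total = sum(hist[store:])
    gateway = store
    for t in range(9, store - 1, -1):           # walk down from 9
        if sum(hist[t:]) >= bulk * uce_total:   # first t that covers the bulk
            gateway = t
            break
    return store, gateway


def report(counters: Dict[str, int]) -> Dict[str, object]:
    hist = histogram_from_counters(counters)
    store, gateway = suggest_thresholds(hist)
    return {
        "histogram": hist,
        "store_threshold": store,
        "gateway_threshold": gateway,
        "uce_share_at_gateway": share_at_or_above(hist, gateway),
    }


if __name__ == "__main__":
    print(report(SAMPLE_COUNTERS))
```

On the constructed snapshot the valley sits at SCL 5 and the gateway threshold comes out at 7: SCL 7 to 9 hold over 90% of the mail rated 5 or higher, so the gateway removes the bulk of UCE while the SCL 5 and 6 messages, the ones a human should still be able to rescue, go to the Junk E-mail folder instead of being rejected.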
IMF Microsoft Operations Manager Management Pack
– Download at www.microsoft.com/downloads
– Centralized data collection
– Improved reporting
– Integrates with other management tools
Demonstration: Monitoring and Troubleshooting IMF
– Troubleshooting IMF problems with the Event Viewer
– Managing the archive
– Monitoring and measuring IMF
Agenda:
– Preparing for and Installing IMF
– Enabling and Configuring IMF
– Administering IMF
– Monitoring and Troubleshooting IMF
– Some Recommended Best Practices (and tips!)
Messaging Hygiene Architectural Principles
– Anti-spam MUST be done before anti-virus
– Anti-spam SHOULD be done for inbound mail only
– Anti-spam filtering SHOULD remove rather than quarantine
– Anti-virus MUST scan both inbound and outbound mail
– Anti-virus MUST be mail-direction aware
– Anti-virus MUST follow the "block on fail" rule
– Anti-virus and anti-spam systems MUST integrate with Exchange
Tarpitting
Recipient filtering can help a malicious sender enumerate the e-mail addresses that do exist, by using a directory harvest attack. A software update (KB 842851, also included in Windows Server 2003 Service Pack 1) adds a feature that delays the SMTP address verification response for each invalid address that is submitted. By default, this feature is disabled.
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters\TarpitTime
– Note: only anonymous connections are affected by the TarpitTime registry entry. Therefore, we recommend that you only enable this registry entry on the Internet-facing mail gateway servers.
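To see what the TarpitTime delay buys, here is an added model of the cost of a harvest session against recipient filtering with and without the delay, run on a simulated clock. It is not code from the presentation and it opens no connections: the two-mailbox directory, the 50 ms per-command cost and the reply strings are constructed for the illustration. The model follows the slide's note that authenticated sessions are not delayed.

```python
"""Added example (not from the presentation): estimate how much the TarpitTime
delay slows a directory harvest against recipient filtering.  This is a
simulation with a fake clock (no network, no sleeping); the recipient list,
per-command cost and the 550/250 reply texts are constructed.  As the slide
notes, authenticated sessions are not delayed."""
from typing import Iterable, List, Tuple

VALID_RECIPIENTS = {"alice@corp.example", "bob@corp.example"}   # constructed directory
PER_COMMAND_MS = 50        # constructed network/processing cost per RCPT TO


def rcpt_response(address: str, authenticated: bool, tarpit_seconds: int) -> Tuple[str, int]:
    """Model the SMTP reply to one RCPT TO and the delay (ms) before it is sent.
    Recipient filtering rejects unknown addresses; with TarpitTime set, that
    rejection is held back for anonymous sessions only."""
    if address.lower() in VALID_RECIPIENTS:
        return "250 2.1.5 Recipient OK", 0
    delay_ms = 0 if authenticated else tarpit_seconds * 1000
    return "550 5.1.1 User unknown", delay_ms


def session_cost(addresses: Iterable[str], authenticated: bool,
                 tarpit_seconds: int) -> Tuple[int, int]:
    """Simulated wall-clock ms for one session that probes `addresses`, and
    the number of valid recipients the replies reveal."""
    total_ms, learned = 0, 0
    for address in addresses:
        reply, delay_ms = rcpt_response(address, authenticated, tarpit_seconds)
        total_ms += PER_COMMAND_MS + delay_ms
        if reply.startswith("250"):
            learned += 1
    return total_ms, learned


def probe_list(size: int) -> List[str]:
    """Constructed probe set: `size - 2` guesses that do not exist plus the
    two real mailboxes, so every run reveals the same two addresses."""
    return [f"user{i}@corp.example" for i in range(size - 2)] + sorted(VALID_RECIPIENTS)


def slowdown_factor(size: int = 100, tarpit_seconds: int = 5) -> float:
    """How many times longer the same anonymous probe takes with tarpitting on."""
    without, _ = session_cost(probe_list(size), authenticated=False, tarpit_seconds=0)
    with_tarpit, _ = session_cost(probe_list(size), authenticated=False,
                                  tarpit_seconds=tarpit_seconds)
    return with_tarpit / without


if __name__ == "__main__":
    for tarpit in (0, 5):
        ms, found = session_cost(probe_list(100), False, tarpit)
        print(f"TarpitTime={tarpit}s: {ms / 1000:.1f}s for 100 probes, {found} valid addresses revealed")
```

The point the numbers make is that tarpitting does not change what recipient filtering reveals (the same two valid addresses come back either way), it changes how long each invalid guess costs: with a 5-second TarpitTime the 100-address probe takes 99 times longer, while an authenticated session from a trusted server sees no delay at all, which is why the slide confines the setting to Internet-facing gateways.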
Tarpitting (diagram)
Best Practices (1)
– Use a multilayered defense for effective results
– Scan for spam at the messaging gateway
– Scan messages for spam before scanning for viruses
– Delete rather than clean infected messages
Best Practices (2)
– Strip attachments of certain file types
– Disable security notifications to Internet senders
– Scan both incoming and outgoing e-mail for viruses
– Generate security notifications for infected outgoing Internet e-mail
– Use restricted distribution groups
For More Information
– Microsoft Knowledge Base article 867633: www.microsoft.com/exchange/imf
– Anti-Spam Capabilities in Exchange 2003: www.microsoft.com/exchange/techinfo/security/antispam.asp
– Microsoft Anti-Spam Technology: www.microsoft.com/mscorp/twc/privacy/spam.mspx
– Visit TechNet at www.microsoft.com/technet
– For additional information on books, courses and other community resources that support this session, visit www.microsoft.com/technet/tnt1-132
MS Press: inside information for IT Professionals. To find the latest IT Professional titles, visit www.microsoft.com/learning/books/
3rd Party Publications: supplementary publications for IT Pros. These books can be found and purchased at all good book stores and online retailers.