Filtering

In addition to an updated anti-virus interface, Exchange Server 2003 also improves content filtering and blocking, with a number of different types of filters available to block unsolicited or unwanted email.

STOPPING SPAM

Outlook 2003 and Exchange Server 2003 offer some great new spam filtering options, but spam still gets through. If you really want to battle spam, plan to invest in a third-party spam filter that adds into Exchange, or an external solution such as SpamArrest (http://www.spamarrest.com).


The basic concept behind the new filtering tools is pretty simple, based on Grant and Deny lists that you can configure for originating IP addresses, recipients, and senders. Besides allowing you to manually create your own lists, Exchange Server 2003 can now leverage blacklists of known spammers or bulk e-mailers and block senders who appear on the list from sending email through your Exchange implementation. In the following sections, you are going to walk through each of the different types of filters and how they are configured.

Inbound/Recipient Filtering

As in previous versions of Exchange, when an email is received for an email address that is not valid, a nondelivery report is returned to the sender. In the case of unsolicited email or spam, where the return email address is fake, Exchange continues to send the nondelivery report, wasting resources.

One way to alleviate this problem is to configure inbound filtering. Inbound or recipient filtering filters out email messages sent from external sources and can be used to filter messages based on two different sets of criteria. The first filtering method is through the use of a recipient filter list. If an email message is sent to an email address that is on the list, the message is blocked.

The second filtering method blocks email messages sent to invalid email addresses (that is, the email address does not exist) and works through a lookup to the Active Directory to determine whether the recipient does exist and what permissions the sender has.

SMTP ERROR CODES

With either of these methods, the SMTP server returns an SMTP error message to indicate that the email message was not accepted, which could allow bulk e-mailers to confirm valid addresses. For example, if the recipient does not exist, the SMTP error 550 (Action not taken. Mailbox unavailable. Not found, not accessible) might be returned, indicating that the recipient does exist. SMTP error 553 (Mailbox name not allowed. Mailbox syntax may be incorrect) might clue a bulk mailer in that the recipient doesn't exist.
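One way to watch for the address-confirmation risk described above is to count, per connecting client, how many distinct recipients were rejected within a short window. This is an added example, not from the book or from Exchange; the log line format, the five-minute window, and the threshold of four are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (simplified) log format: "<ISO time> <client IP> RCPT TO:<addr> <reply code>"
LINE = re.compile(r"^(\S+) (\S+) RCPT TO:<([^>]+)> (\d{3})$")

def harvest_suspects(lines, window=timedelta(minutes=5), threshold=4):
    """Map client IP -> most distinct rejected recipients seen inside one window."""
    rejected = defaultdict(list)              # ip -> [(time, recipient)]
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip, rcpt, code = m.groups()
        if code in ("550", "553"):            # the rejections discussed in the text
            rejected[ip].append((datetime.fromisoformat(ts), rcpt.lower()))
    suspects = {}
    for ip, events in rejected.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):        # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= threshold:
            suspects[ip] = best
    return suspects

# Constructed sample log (documentation IP ranges, made-up mailboxes).
SAMPLE_LOG = """\
2003-11-04T09:15:01 198.51.100.23 RCPT TO:<aaron@example.com> 550
2003-11-04T09:15:02 198.51.100.23 RCPT TO:<abby@example.com> 550
2003-11-04T09:15:03 198.51.100.23 RCPT TO:<adam@example.com> 250
2003-11-04T09:15:04 198.51.100.23 RCPT TO:<adrian@example.com> 550
2003-11-04T09:15:06 198.51.100.23 RCPT TO:<alan@example.com> 550
2003-11-04T09:20:10 203.0.113.8 RCPT TO:<jsmith@example.com> 250
2003-11-04T09:21:44 203.0.113.8 RCPT TO:<jsmiht@example.com> 550
2003-11-04T09:00:00 192.0.2.50 RCPT TO:<a@example.com> 550
2003-11-04T09:20:00 192.0.2.50 RCPT TO:<b@example.com> 550
2003-11-04T09:40:00 192.0.2.50 RCPT TO:<c@example.com> 550
2003-11-04T10:00:00 192.0.2.50 RCPT TO:<d@example.com> 550
""".splitlines()
```

Run against the sample, only the client that probed many mailboxes in a few seconds is flagged; the single mistyped address and the slow trickle of rejections stay below the threshold.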


To set up inbound filtering, follow these steps:

  1. Open the Exchange System Manager and navigate to the Message Delivery settings under Global Settings.

  2. Right-click on the Message Delivery node and select Properties.

  3. Click on the tab for Recipient Filtering to open the property page, shown in Figure 4.4.

    Figure 4.4. You can enter individual email addresses or use wildcards to filter entire domains.


  4. To filter e-mails sent to individual addresses, click the Add button and enter the email address of the recipient you want to block. To add an entire domain, use the asterisk wildcard before the @ symbol (that is, *@samspublishing.com).

  5. To filter e-mails sent to recipients who are not listed in the Active Directory, click the check box for Filter Recipients Who Are Not in the Directory.

  6. Click Apply to apply your changes and OK to exit the Message Delivery Properties.

  7. Locate the SMTP virtual server you want to apply this filter to in the Exchange Manager under Servers, Server Name, Protocols, SMTP.

  8. Right-click on the SMTP protocol and select Properties.

  9. From the General property page, click on Advanced to open the dialog box shown in Figure 4.5.

    Figure 4.5. To enable recipient filtering, turn on the option on each of your SMTP virtual servers.


  10. Highlight the IP address you want to modify and click Edit to open the dialog box shown in Figure 4.6.

    Figure 4.6. Identification dialog box.


  11. Click the option to Apply Recipient Filter.

  12. Click OK to return to the Advanced property page and click OK again to return to the property pages for the virtual server you have been editing.

Outbound/Sender Filtering

Another filtering option available in Exchange Server 2003 is outbound or sender filtering. Outbound filtering works in two ways: You can either specify a list of senders to block outgoing mail from, or you can block messages sent with no sender.

To set up a list of senders to filter, follow these steps:

  1. Open the Exchange System Manager and navigate to the Message Delivery settings under Global Settings.

  2. Right-click on the Message Delivery node and select Properties.

  3. Click on the tab for Sender Filtering to open the property page shown in Figure 4.7.

    Figure 4.7. You can create a sender filter on individual email addresses or domains.


  4. To filter e-mails sent from individual addresses, click the Add button and enter the email address of the recipient you want to block. To add an entire domain, use the asterisk wildcard before the @ symbol (that is, *@samspublishing.com).

  5. To filter e-mails with a blank sender, click the check box for Filter Messages with Blank Sender.

  6. Click Apply to apply your changes and click OK to exit the Message Delivery Properties.

  7. By default, Exchange drops the connection if a message is sent from a sender on the list. You can change that behavior using the check box provided. Then you have the option of archiving filtered messages, and you can control whether the sender is notified.

  8. To apply your filters, locate the SMTP virtual server for you to use in the Exchange Manager under Servers, Server Name, Protocols, SMTP.

  9. Right-click on the SMTP protocol and select Properties.

  10. From the General property page, click on Advanced.

  11. Highlight the IP address you want to modify and click Edit to open the dialog box shown in Figure 4.8.

    Figure 4.8. This option enables sender filtering for this server.


  12. Click the option to Apply Sender Filter.

  13. Click OK to return to the Advanced property page and click OK again to return to the property pages for the virtual server you have been editing.

Connection Filtering

Connection filtering (also called real-time blacklist [RBL] filtering) moves beyond simple inbound/outbound filtering. Instead of maintaining lists of blocked users or domains, connection filtering can be configured to check a blacklist maintained by a third-party provider. If a sender or domain is on the list, an SMTP error is generated and a response is issued to the sender.

SEEMS LIKE FILTERING, WITHOUT FILTERING

Exchange offers a couple of options that seem, at first glance, to offer content filtering, but they don't. The most common mix-up is with Exchange's option to perform a reverse lookup on incoming SMTP connections. The trick is that Exchange won't reject SMTP connections even if the reverse lookup fails, so you're not really stopping anything. If you really want to block email coming from known spammers, RBL is definitely the way to go.


BEFORE YOU GET STARTED

To configure connection filtering, you need to have the details of the RBL provider you want to use. A number of free providers exist, such as SpamHaus (http://www.spamhaus.org/sbl/index.lasso) or SpamCop (http://www.spamcop.net), or you can pay for a subscription RBL service from companies such as Mail Abuse (http://www.mail-abuse.org/) or Mail Deflector (http://www.maildeflector.net/). A fairly comprehensive list of RBL providers is available at Declude (http://www.declude.com/junkmail/support/ip4r.htm).


To create a connection filtering rule, follow these steps:

  1. Open the Exchange System Manager and navigate to the Message Delivery settings under Global Settings.

  2. Right-click on the Message Delivery node and select Properties.

  3. Click on the tab for Connection Filter to open the property page shown in Figure 4.9.

    Figure 4.9. You can control the order in which Connection Filter rules are applied using the Move Up and Move Down buttons.


  4. Click the New button to create a new Connection Filter Rule.

  5. Enter the name and DNS Suffix of your RBL provider.

    CUSTOM ERROR MESSAGES

    You can also enter a custom error message that will appear when a message is blocked using the text field provided. If you leave this field blank, the default message of "<IP Address> has been blocked by <Connection Filter Rule Name>" will be used. The syntax for custom messages is as follows:

    • %0: The connecting IP address

    • %1: The display name of the rule

    • %2: The RBL provider

    You can combine these variables with text to create a custom error message (that is, Your message was blocked by an RBL list maintained by %2).

  6. By default, the rule you have created fires on any code that is returned from your RBL provider. You can use the Return Status Code button to enter a custom status code that you are expecting from your RBL provider.

  7. Click OK to create your rule.

You can create multiple connection filtering rules using this method. Their priority is controlled by their position in the list of rules. You can change the order in which they are evaluated using the Move Up and Move Down buttons.

ENABLING CONNECTION FILTERING RULES

By default, when you create a rule, it is enabled. You can temporarily disable a rule by editing the rule and selecting the check box on the first property page to Disable This Rule.


If you need to configure exceptions to your connection filtering rule, you can enter criteria based on the following:

  • A single IP address

  • A range of IP addresses

  • A single SMTP address

This allows you to create an exception for an IP address that appears on an RBL list. For example, if someone incorrectly reports an IP address of one of your customers as a bulk mailer, you could create an exception that would still allow mail from that IP address to come through.
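The lookup behind a connection filter rule follows the usual DNS blacklist convention: the connecting IPv4 address is reversed octet by octet, the provider's DNS suffix is appended, and an answer (typically a 127.0.0.x status code) means the address is listed. The sketch below is an added example, not code from the book or from Exchange. It models rule order, the optional return status code, the %0/%1/%2 message variables, and IP exceptions; the rule dictionary layout, the suffix rbl.example.net, the rendering of %2 as the DNS suffix, and the stub resolver are assumptions, and the sample data is constructed so it runs offline.

```python
import ipaddress

def dnsbl_query_name(ip, dns_suffix):
    """Reverse the IPv4 octets and append the provider's DNS suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + dns_suffix

def check_connection(ip, rules, exceptions, resolve):
    """Return None to accept, or the error text of the first rule that fires.

    rules      -- ordered list of dicts: name, suffix, codes (None = any), message
    exceptions -- IP addresses/ranges exempt from every rule
    resolve    -- callable(name) -> answer string, or None when not listed;
                  injected so the example needs no network access
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.ip_network(net) for net in exceptions):
        return None
    for rule in rules:                        # list position is rule priority
        if rule.get("disabled"):
            continue
        answer = resolve(dnsbl_query_name(ip, rule["suffix"]))
        if answer is None:
            continue                          # provider does not list this IP
        if rule["codes"] is not None and answer not in rule["codes"]:
            continue                          # listed, but with another status code
        template = rule["message"] or "%0 has been blocked by %1"
        return (template.replace("%0", ip)
                        .replace("%1", rule["name"])
                        .replace("%2", rule["suffix"]))   # assumption: %2 = suffix
    return None

# Constructed sample data: documentation IPs and a made-up provider zone.
FAKE_ZONE = {
    "10.113.0.203.rbl.example.net": "127.0.0.2",
    "20.113.0.203.rbl.example.net": "127.0.0.4",
    "30.113.0.203.rbl.example.net": "127.0.0.2",
}
RULES = [{"name": "Example RBL", "suffix": "rbl.example.net",
          "codes": {"127.0.0.2"},
          "message": "Your message was blocked by an RBL list maintained by %2"}]
EXCEPTIONS = ["203.0.113.30/32"]              # a customer listed by mistake

def demo():
    ips = ("203.0.113.10", "203.0.113.20", "203.0.113.30", "198.51.100.7")
    return {ip: check_connection(ip, RULES, EXCEPTIONS, FAKE_ZONE.get) for ip in ips}
```

Exceptions by SMTP address are left out to keep the example short.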

The final step in setting up connection filtering is applying it to the virtual SMTP servers that you want to filter. To do that, follow these steps:

  1. Locate the SMTP virtual server that you want to apply this filter to in the Exchange Manager under Servers, Server Name, Protocols, SMTP.

  2. Right-click on the SMTP protocol and select Properties.

  3. From the General property page, click on Advanced.

  4. Highlight the IP address you want to modify and click Edit.

  5. Click the option to Apply Connection Filter.

  6. Click OK to return to the Advanced property page and click OK again to return to the property pages for the virtual server you have been editing.

Filtering Protocols

With the different filtering protocols you have just looked at, it can be difficult to determine what precedence each of the filtering methods has and when each filter is evaluated. This can be especially confusing when you consider the fact that you can also apply filters to your SMTP virtual servers to block suspect IP addresses.

FOR MORE INFORMATION

Configuring filtering at the server level on SMTP virtual servers is covered in the discussion of new security features in Chapter 8, "Security," page 101.


With all these different filtering methods, how do you decide which takes precedence? Next, you are going to look at how these filters work together using a common scenario in which an SMTP client submits an email message to Exchange, as shown in Figure 4.10.

Figure 4.10. Connection filtering scenarios.


Connection filtering is accomplished using the following steps:

  1. When an SMTP client attempts to connect and send a message, the first type of filter that is applied is the filter on your SMTP virtual server. This filter checks the sender's IP address against a list of blocked IP addresses. If the IP address is restricted, the connection is dropped. If the IP address is not restricted, the connection is allowed and the client issues a HELO command, which identifies who is sending the message.

  2. The next type of filter to be applied is a connection filter. The requesting IP address is checked against both the Accept and Deny lists. If the IP address is on the Deny list, the connection is dropped.

  3. The next type of filter to fire is the sender filtering. Here, the sender is checked against the Deny list. If the user is present on the list, the connection is dropped or the message goes to the Badmail directory, depending on your configuration. If the user is not on the Deny list, the connection continues and the recipient is identified.

  4. Connection filtering is used again, except this time the requesting IP address is checked against a real-time blacklist. If the IP address appears on the list, the sender receives an error message and the connection continues. If the recipient appears on the connection filtering Accept list, the message is accepted and no further filters are applied.

  5. The final type of filter to be applied is recipient filtering. Here, the recipient is checked against the recipient filtering Block list. If the recipient appears on that list, an error message is returned to the sender. If the recipient is not on the list of blocked recipients, one last check is made against the Active Directory to ensure that the recipient appears there.

Between all the different types of filtering available in Exchange Server 2003, you should be able to stem the tide of unsolicited mail that flows through Exchange. Although no system has perfected the filtering of unwanted e-mails, this should provide the tools you need to come close.



Microsoft Exchange Server 2003 Delta Guide
ISBN: 0672325853
EAN: 2147483647
Year: 2003
Pages: 109