In addition to an updated anti-virus interface, Exchange Server 2003 has also made improvements on content filtering and blocking, with a number of different types of filters available to block unsolicited or unwanted email.

STOPPING SPAM
Outlook 2003 and Exchange Server 2003 offer some great new spam filtering options, but spam still gets through. If you really want to battle spam, plan to invest in a third-party spam filter that adds into Exchange, or an external solution such as SpamArrest (http://www.spamarrest.com).

The basic concept behind the new filtering tools is pretty simple, based on Grant and Deny lists that you can configure for originating IP addresses, recipients, and senders. Besides allowing you to manually create your own lists, Exchange Server 2003 can now leverage blacklists of known spammers or bulk e-mailers and block senders who appear on the list from sending email through your Exchange implementation. In the following sections, you are going to walk through each of the different types of filters and how they are configured.

Inbound/Recipient Filtering

As in previous versions of Exchange, when an email is received for an email address that is not valid, a nondelivery report is returned to the sender. In the case of unsolicited email or spam, where the return email address is fake, Exchange continues to send the nondelivery report, wasting resources. One way to alleviate this problem is to configure inbound filtering. Inbound or recipient filtering filters out email messages sent from external sources and can be used to filter messages based on two different sets of criteria.

The first filtering method is through the use of a recipient filter list. If an email message is sent to an email address that is on the list, the message is blocked.
The second filtering method blocks email messages sent to invalid email addresses (that is, the email address does not exist) and works through a lookup to the Active Directory to determine whether the recipient does exist and what permissions the sender has.

SMTP ERROR CODES
With either of these methods, the SMTP server returns an SMTP error message to indicate that the email message was not accepted, which could allow bulk e-mailers to confirm valid addresses. For example, if the recipient does not exist, the SMTP error 550 (Action not taken. Mailbox unavailable. Not found, not accessible) might be returned, indicating that the recipient does exist. SMTP error 553 (Mailbox name not allowed. Mailbox syntax may be incorrect) might clue a bulk mailer in that the recipient doesn't exist.

To set up inbound filtering, follow these steps:

Outbound/Sender Filtering

Another filtering option available in Exchange Server 2003 is outbound or sender filtering. Outbound filtering works in two ways: You can either specify a list of senders to block outgoing mail from, or you can block messages sent with no sender.

To set up a list of senders to filter, follow these steps:

Connection Filtering

Connection filtering (also called real-time blacklist [RBL] filtering) moves beyond simple inbound/outbound filtering. Instead of maintaining lists of blocked users or domains, connection filtering can be configured to check a blacklist maintained by a third-party provider. If a sender or domain is on the list, an SMTP error is generated and a response is issued to the sender.

SEEMS LIKE FILTERING, WITHOUT FILTERING
Exchange offers a couple of options that seem, at first glance, to offer content filtering, but they don't. The most common mix-up is with Exchange's option to perform a reverse lookup on incoming SMTP connections. The trick is that Exchange won't reject SMTP connections even if the reverse lookup fails, so you're not really stopping anything. If you really want to block email coming from known spammers, RBL is definitely the way to go.

BEFORE YOU GET STARTED
To configure connection filtering, you need to have the details of the RBL provider you want to use. A number of free providers exist, such as SpamHaus (http://www.spamhaus.org/sbl/index.lasso) or SpamCop (http://www.spamcop.net), or you can pay for a subscription RBL service from companies such as Mail Abuse (http://www.mail-abuse.org/) or Mail Deflector (http://www.maildeflector.net/). A fairly comprehensive list of RBL providers is available at Declude (http://www.declude.com/junkmail/support/ip4r.htm).

To create a connection filtering rule, follow these steps:

You can create multiple connection filtering rules using this method. Their priority is controlled by their position in the list of rules. You can change the order in which they are evaluated using the Move Up and Move Down buttons.

ENABLING CONNECTION FILTERING RULES
By default, when you create a rule, it is enabled. You can temporarily disable a rule by editing the rule and selecting the Disable This Rule check box on the first property page.

If you need to configure exceptions to your connection filtering rule, you can enter criteria based on the following:

This allows you to create an exception for an IP address that appears on an RBL list. For example, if someone incorrectly reports an IP address of one of your customers as a bulk mailer, you could create an exception that would still allow mail from that IP address to come through.

The final step in setting up connection filtering is applying it to the virtual SMTP servers that you want to filter. To do that, follow these steps:

Filtering Protocols

With the different filtering protocols you have just looked at, it can be difficult to determine what precedence each of the filtering methods has and when each filter is evaluated. This can be especially confusing when you consider the fact that you can also apply filters to your SMTP virtual servers to block suspect IP addresses.

FOR MORE INFORMATION
Configuring filtering at the server level on SMTP virtual servers is covered in the discussion of new security features in Chapter 8, "Security," page 101.

With all these different filtering methods, how do you decide which takes precedence? Next, you are going to look at how these filters work together using a common scenario in which an SMTP client submits an email message to Exchange, as shown in Figure 4.10.

Figure 4.10. Connection filtering scenarios.

Connection filtering is accomplished using the following steps:

Between all the different types of filtering available in Exchange Server 2003, you should be able to stem the tide of unsolicited mail that flows through Exchange. Although no system has perfected the filtering of unwanted e-mails, this should provide the tools you need to come close.
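
How the connection filtering behaviour described earlier plays out for ordered RBL rules, a disabled rule and an IP exception, shown as an added example that is not from the original text and is not Exchange's own code. The zone names, rule names and offline resolver are constructed for illustration; the reversed-octet query name is the usual DNS blacklist lookup convention, and rejecting on the first matching rule is an assumption.

```python
import ipaddress

# Constructed sample data: hypothetical RBL zones and the addresses they list.
# A DNS blacklist answers an A query with 127.0.0.x when the address is listed.
SAMPLE_ZONES = {
    "rbl-one.example": {"203.0.113.7": "127.0.0.2"},
    "rbl-two.example": {"198.51.100.25": "127.0.0.4", "203.0.113.7": "127.0.0.2"},
}
# Hypothetical rule list; position in the list is the evaluation priority.
RULES = [
    {"name": "one", "zone": "rbl-one.example", "enabled": True},
    {"name": "two", "zone": "rbl-two.example", "enabled": True},
]

def dnsbl_query_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def sample_resolver(name):
    """Offline stand-in for a DNS A lookup; returns an answer or None."""
    for zone, listed in SAMPLE_ZONES.items():
        for ip, answer in listed.items():
            if name == dnsbl_query_name(ip, zone):
                return answer
    return None

def check_connection(ip, rules, exceptions, resolver=sample_resolver):
    """Return (accepted, reason) for a connecting IP.

    Exceptions (single IPs or CIDR ranges) are checked before any rule,
    so an address on an RBL can still be let through."""
    addr = ipaddress.IPv4Address(ip)
    for net in exceptions:
        if addr in ipaddress.ip_network(net, strict=False):
            return True, "exception:" + net
    for rule in rules:
        if not rule["enabled"]:
            continue  # a disabled rule is skipped, not deleted
        answer = resolver(dnsbl_query_name(ip, rule["zone"]))
        if answer is not None and answer.startswith("127."):
            return False, "listed:" + rule["name"]
    return True, "not listed"

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.0.2.1"):
        print(ip, check_connection(ip, RULES, ["203.0.113.0/24"]))
```

Replacing `sample_resolver` with a function that performs a real DNS A lookup turns the same logic into a quick way to test how a candidate RBL provider treats your own or your customers' addresses before enabling a rule.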