Lesson 2: Customizing the SMTP Service

The SMTP service of Windows 2000 provides a powerful architecture for enhancements and extensions via synchronous transport and protocol event sinks. Most important, SMTP extensions give you a means by which you can examine messages for critical or unsafe content and block their transmission or delivery. Even if you are not a system programmer, you may find the following lesson interesting because it can give you the information you need to put an end to Internet worms and other malicious code that spreads via e-mail messages. The architecture of the SMTP service was explained in Chapter 3, "Microsoft Exchange 2000 Server Architecture."

This lesson briefly discusses the possibilities of extending the SMTP service using event sinks. You can learn how to check incoming messages using a transport event sink written in Microsoft Visual Basic, Scripting Edition (VBScript), and how to discard critical messages.


At the end of this lesson, you will be able to:

  • Explain the purpose of transport and protocol event sinks.
  • Describe possible scenarios where transport and protocol event sinks can be useful.
  • Enhance the SMTP service using the ISMTPOnArrival interface.

Estimated time to complete this lesson: 30 minutes


SMTP Transport Event Handling

Transport events are an extension mechanism for intercepting messages after the SMTP service has received them, before they are delivered to Exchange mailboxes or relayed to other SMTP hosts. Event sinks rely on Microsoft Collaboration Data Objects 2.0 (CDO 2.0). CDO is Component Object Model (COM)-compliant; hence, you can write transport event sinks in any COM-compliant programming language, including Microsoft Visual C++, Microsoft Visual Basic, and Microsoft Visual J++, as well as in Microsoft VBScript and Microsoft JScript. You can find detailed information about event sinks in the Microsoft Platform Software Development Kit.

As a script programmer, you can intercept only one type of SMTP service event: the OnArrival event that occurs when a message has been successfully received by the SMTP service. Scripts can help achieve a desired solution quickly (see Exercise 2 later), but they don't provide best performance. In addition, you need to take extra measures to protect your scripts through NT file system (NTFS) file permissions. Otherwise, another person might view the source code. For maximum flexibility, best performance, and better security, program your event sinks in Visual C++.

By intercepting the OnArrival event, you can process incoming messages for:

  • Adding standard notifications to message text. To add informative text to the message body to inform your users that a message was received from the Internet.
  • Blocking of unsolicited messages. In addition to message filters, you can implement sophisticated logic that examines the sender information within messages.
  • Creating mailing list services. To answer incoming messages with auto-replies and perform further tasks, such as creating a contact from the sender information and adding this contact to distribution groups.
  • Incoming message logging. To maintain a history of all messages received by your SMTP service.
  • Message redirection. To replace the recipient list of an incoming message with another set of recipients.
  • Virus checks. To cancel delivery of the message, based on message and attachment properties.

Exchange 2000 registers numerous SMTP and Network News Transfer Protocol (NNTP) event sinks to integrate the existing Windows 2000 services with the Information Store. You can read more about the integration of IIS with Exchange 2000 Server in Chapter 3, "Microsoft Exchange 2000 Server Architecture."

Protocol Event Handling

SMTP protocol events allow you to alter the way the SMTP service communicates with other SMTP-based systems. You can implement your own SMTP protocol commands to achieve specific functionality. Exchange 2000 Server, for instance, implements a variety of SMTP protocol event sinks, which propagate, among other things, link state information across the communication infrastructure. You can read more about the purpose of link state information in Chapter 16, "Message Routing Configuration."

There are two types of protocol events that the SMTP service allows you to intercept:

  • Inbound protocol events. These occur when a remote SMTP host or client connects to the local SMTP service and establishes a session by sending the HELO or EHLO command.
  • Outbound protocol events. These occur when the local SMTP service connects to a remote SMTP host and establishes a session to transfer messages.

Event Binding

For the SMTP service to work with your event sinks, you need to register them in the IIS metabase. A binding associates a particular event, such as OnArrival, with a sink name, such as SMTPMessageCheck (see Exercise 2). Within the metabase a globally unique identifier (GUID) identifies each binding. You can use Server Extension Objects (SEOs) implemented in a DLL called SEO.DLL to manage event sink bindings. To examine them in the IIS metabase, open the MetaEdit utility (from the Windows 2000 Resource Kit), expand the LM node, expand SmtpSvc, expand 1, and then expand the EventManager node. Underneath, you will find the EventTypes container that holds the event bindings.

NOTE

The Platform Software Development Kit describes a file called SMTPREG.VBS, which allows you to register event sinks conveniently. SMTPREG.VBS relies on SEO.

Virus Protection Using Transport Event Sinks

Transport event sinks are extremely powerful tools for virus protection. A virus scanner, for instance, can use them to check all incoming messages and safely discard those that contain infected file attachments. Sometimes, however, you need to react more quickly than vendors can supply updated virus definitions, especially if you need to protect against mail worm viruses that have already affected other networks but haven't reached your organization yet.

Mail worms follow a very simple principle. A recipient opens an infected message attachment, and the virus code is executed. This retrieves the full set of address information from all available address lists or from messages in the Inbox, and a new message addressed to all recipients is generated. The new message contains the infected file attachment again, which subsequent recipients will open, and so the virus spreads in the form of an avalanche. Your organization must immediately cope with a huge number of messages, which often overloads the communication infrastructure.

Mail worm messages have certain common characteristics. For instance, the subject line is usually the same in all virus messages. Under virus attack, you probably will receive numerous messages, all with the same subject line. It's easy to identify them. Therefore, if you implement a transport event sink that prevents the reception of these messages, your system will be secure.

Most recent versions of mail worms, however, alter the subject line on every cycle, but you still can handle them easily. Plain e-mail messages cannot contain the virus code: An infected attachment is necessary. Consequently, if you intercept all incoming messages with executable attachments, you can prevent mail worms from penetrating your organization. You could forward suspicious mail to a skilled colleague for careful inspection before forwarding it to the actual recipient in the organization. This measure may be used temporarily or permanently.
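The forward-for-inspection measure described above, written as an added OnArrival sink (example code, not from the book or the Exchange SDK): instead of matching a fixed subject line, it classifies each attachment by its final file extension (so a double extension such as readme.txt.vbs is caught as well) and, when an executable extension is found, rewrites the envelope recipient list so that only a reviewer mailbox receives the message. The reviewer address, the extension list, and the "SMTP:address" form of the recipientlist envelope field are assumptions.

```vbscript
<SCRIPT LANGUAGE="VBScript">
' Envelope field holding the SMTP recipients of the message in transit.
Const RECIPIENT_LIST = "http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist"
' Assumed reviewer mailbox (placeholder) in the envelope recipient format "SMTP:address".
Const REVIEWER = "SMTP:reviewer@example.com"
Sub IEventIsCacheable_IsCacheable()
    ' Implement the interface; S_OK is returned implicitly.
End Sub
' Final extension of an attachment name, lowercase, without the dot.
' Using the last dot means a double extension such as readme.txt.vbs yields "vbs".
Function AttachmentExtension(oAttach)
    Dim sName, nDot
    sName = LCase(oAttach.FileName)
    nDot = InStrRev(sName, ".")
    If nDot > 0 Then
        AttachmentExtension = Mid(sName, nDot + 1)
    Else
        AttachmentExtension = ""
    End If
End Function
' True when the extension is one the Windows script engines or the shell will execute.
Function IsExecutableAttachment(oAttach)
    Dim sExt, aBlocked, i
    aBlocked = Array("vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "com", "scr", "pif", "bat", "cmd")
    sExt = AttachmentExtension(oAttach)
    IsExecutableAttachment = False
    For i = 0 To UBound(aBlocked)
        If sExt = aBlocked(i) Then IsExecutableAttachment = True
    Next
End Function
Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
    Dim envFlds, oAttach, bSuspicious
    bSuspicious = False
    For Each oAttach In Msg.Attachments
        If IsExecutableAttachment(oAttach) Then bSuspicious = True
    Next
    If bSuspicious Then
        Set envFlds = Msg.EnvelopeFields
        ' Keep the original recipients in the subject so the reviewer can forward the message later.
        Msg.Subject = "[QUARANTINE for " & envFlds(RECIPIENT_LIST).Value & "] " & Msg.Subject
        Msg.DataSource.Save      ' Commit the changed message content
        ' Replace the envelope recipients so only the reviewer receives the message.
        envFlds(RECIPIENT_LIST) = REVIEWER
        envFlds.Update           ' Commit the changed envelope
    End If
    EventStatus = 0              ' cdoRunNextSink: let later sinks (such as a virus scanner) still run
End Sub
</SCRIPT>
```

The script is registered exactly like the one in Exercise 2 below (smtpreg.vbs /add and /setprop with the ScriptName property), and a message that is redirected this way never reaches the original recipients' mailboxes.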

Exercise 2: Checking Incoming Messages for .vbs Attachments

In this exercise you will extend the SMTP service by means of a transport event sink. The VBScript code checks incoming SMTP messages for a subject line containing the word virus, and it checks for attachments with a .vbs extension. In both cases, delivery of suspicious messages is blocked. They are written to the Badmail directory of the SMTP virtual server.

To view a multimedia demonstration that displays how to perform this procedure, run the EX2CH15*.AVI files from the \Exercise_Information\Chapter15 folder on the Supplemental Course Materials CD.

IMPORTANT

Do not register the event script in a production server without testing it carefully on a reference system beforehand. Incorrect scripts can block the entire incoming SMTP message transfer.

Prerequisites

  • Log on as Administrator to BLUESKY-WKSTA and BLUESKY-SRV1.
  • Insert the Supplemental Course Materials CD into the CD-ROM drive of BLUESKY-SRV1.

To register a transport event sink for the SMTP service

  1. On BLUESKY-SRV1, start Windows Explorer and create a new directory called EventSink under the root directory C (C:\EventSink).
  2. Copy the file SMTPREG.VBS from the \Exercise_Information\Chapter15\EventSinks folder on the Supplemental Course Materials CD into the newly created directory.
  3. In Windows Explorer, open the C:\EventSink directory, right-click in the left pane, point to New, and select Text Document.
  4. Name the new file SMTPMSGCHECK.VBS (if a Rename dialog box appears, click Yes), then right-click on it, and, from the shortcut menu, select Edit. Enter the following VBScript code:

     <SCRIPT LANGUAGE="VBScript">
     Sub IEventIsCacheable_IsCacheable()
         ' To implement the interface; S_OK is returned implicitly
     End Sub

     Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
         Dim envFlds
         Dim colAttachs
         Dim oAttach
         Dim iFound
         Set envFlds = Msg.EnvelopeFields
         If Msg.Subject = "" Or Len(Msg.Subject) < 5 Then
             iFound = 0
         Else
             ' First position of the word VIRUS in the subject (compare mode 1 = case-insensitive)
             iFound = Instr(1, Msg.Subject, "VIRUS", 1)
         End If
         ' Check whether the message contains a VBS attachment
         ' (substring match on the file name, case-insensitive)
         Set colAttachs = Msg.Attachments
         For Each oAttach In colAttachs
             If Instr(1, oAttach.FileName, "vbs", 1) > 0 Then iFound = 1
         Next
         If iFound > 0 Then
             ' Do not deliver; message status 3 (cdoStatAbortDelivery) places the message in the Badmail directory
             envFlds("http://schemas.microsoft.com/cdo/smtpenvelope/messagestatus") = 3
             envFlds.Update ' Commit the change of the message status
             ' Skip remaining event sinks (1 = cdoSkipRemainingSinks)
             EventStatus = 1
         End If
     End Sub
     </SCRIPT>

  5. Save the changes and close the editor (Notepad).
  6. Create another text file, name it INSTSINK.BAT, then right-click on it, and, from the shortcut menu, select Edit. Enter the following lines:

     @Echo Off
     REM *********** The following 2 lines install the SMTPMessageCheck event sink for OnArrival ***********
     cscript smtpreg.vbs /add 1 onarrival SMTPMessageCheck CDO.SS_SMTPOnArrivalSink "mail from=*"
     cscript smtpreg.vbs /setprop 1 onarrival SMTPMessageCheck Sink ScriptName "c:\EventSink\SMTPMsgCheck.vbs"
     REM ***** Remove the 'REM' tag from the following line ******
     REM ***** if you want to deinstall the Event Sink again ******
     REM cscript smtpreg.vbs /remove 1 onarrival SMTPMessageCheck

  7. Save the changes and close Notepad.
  8. Click Start, select Run, type cmd, and click OK to start the Windows 2000 command prompt. Then change into the C:\EventSink directory (type cd \EventSink).
  9. Type instsink.bat, and press ENTER to execute the batch file and register the Event Sink sample to log messages. Verify that the event sink is registered properly, and then type exit, and press ENTER to close the command prompt.
  10. Launch Exchange System Manager, and restart the Default SMTP Virtual Server under BLUESKY-SRV1.
  11. Test the transport event sink using Telnet as demonstrated earlier in Exercise 1 (see Figure 15.9). Alternatively, you can use Outlook Express and send SMTP messages to BLUESKY-SRV1, as demonstrated in Exercise 6 of Chapter 11, "Internet-Based Client Access." If a message contains the word virus in its subject line, or has a .vbs attachment, message delivery is canceled, and the message is placed in the \Program Files\Exchsrvr\Mailroot\Vsi 1\Badmail directory.

Exercise Summary

You can extend the SMTP service with scripts written in Microsoft VBScript or Microsoft JScript. The same is also possible using Microsoft Visual Basic or Microsoft Visual C++, which generally provide better performance and more flexibility. However, the principle remains the same: You register your event sinks and process the individual messages that the SMTP service hands over. You gain full access to the contents of messages passing through your SMTP service. This allows you to log all incoming messages, for instance; add additional text to each of them, such as an official note that this message was received from an insecure network; or perform a basic virus scan. You have the option to block and discard critical messages before they reach the mailboxes of your users or are relayed to other systems.


Figure 15.9 Implementing a custom event sink for the SMTP transport



MCSE Training Kit Exam 70-224(c) Microsoft Exchange 2000 Server Implementation and Administration
Year: 2001
Pages: 186