Transitioning to Forefront Online Protection for Exchange (FOPE) (Part 4)

Published on 23 July 2013 / Last updated on 22 Aug. 2013

In this article the author covers some FOPE security features that will help Exchange administrators manage security according to the organization needs.

If you would like to read the other parts in this article series please go to:

Introduction

FOPE has everything that a traditional anti-spam and anti-virus solution can offer on a local server or appliance, and much more. The main advantage of using FOPE is that Microsoft's servers receive far more messages in a year than all of our domains combined :) and because of this high volume of data, together with its specialized team, Microsoft is able to detect and block spam and viruses more effectively.

In this article we will cover Additional Spam Filtering, Policy Rules, and how to configure bulk messages to go to the users' Junk E-mail folder.

Managing Security (ASF and Rules)

One of the first lines of defense for a FOPE customer is Additional Spam Filtering (ASF), shown in Figure 01. It allows administrators to increase the likelihood that a message with certain attributes is caught by FOPE's spam filter or quarantine. To configure this security layer, log on to the FOPE Admin Console, click the Administration tab, then the Domain sub-tab, click the desired domain and then click Edit in the Additional Spam Filtering (ASF) Options section.

Figure 01

Note:
The last option, NDR Backscatter, doesn't need to be configured if you also route outbound mail through FOPE, which is the case in this article series.

Bear in mind that the Test option does not block or quarantine the message; it helps you validate a condition by modifying the message or tagging it with an X-header when the condition is true. You can configure what happens to a message in test mode on the domain page by clicking Edit in the Spam Test Mode Options section.

Managing Policy Rules

Another useful resource is Policy Rules. You can access it by clicking the Administration tab and then Policy Rules. The main Policy Rules page lists all existing rules; in our environment we will create a New Policy Rule. A new page (Figure 02) is displayed where the administrator can select which part of the message the rule applies to: Header, Sender, Recipient, Attachment, Subject, Body or the message itself. Each rule can also be scoped by domain and by traffic direction, every rule has an action (Reject, Allow, Quarantine, Redirect, Force TLS, Deliver with BCC or Test), and a rule may be configured to expire on a specific date.

Figure 02

Like any other solution, you can experiment with FOPE Policy Rules, but based on my experience with the product I would like to offer a few hints before you start:

  • A new policy can take 30 to 35 minutes to be applied. Set your users' expectation to 1 to 2 hours, just to be on the safe side.
  • The number of policies is virtually unlimited, but it is easier to keep a single policy when the Traffic/Domain scope and the Action are the same.
  • Try to consolidate policies; for example, you can have a single policy that blocks senders, and every time you need to add or remove an entry you just edit that policy.
  • If you are comfortable with regular expressions, use them when building your Policy Rules; otherwise, use plain text.

Now that you have glanced at the current policies, you can start planning to move the existing policies in your environment to FOPE.

How to bypass FOPE policies…

I know we administrators hate doing this, but sometimes the business requires a domain that can barely stay off the blacklists to send messages to our pristine organization, and since we are protected by FOPE, that domain most likely won't be able to send us messages under normal circumstances.

You can bypass FOPE security by creating an Inbound Policy Rule that allows traffic from the source IP of the troublemaker; your organization will then receive its e-mail even if the source domain is blacklisted. Scope such a rule as narrowly as possible (the specific source IP rather than the whole domain) and review it periodically, because an Allow rule exempts that traffic from the filtering the rest of your mail receives.

Dealing with Bulk e-mail

Spammers send to your mailbox without authorization, but there are also companies that send messages offering promotions, events and the like, and somehow have your e-mail address in their database (how they got it is a topic for another discussion).

FOPE is able to identify those bulk messages and stamps their X-Forefront-Antispam-Report header with the string SRV:BULK, and we can deal with that type of message on our end using Transport Rules. In Figure 03 we can see a message tagged as bulk by looking at the Internet Headers.

Figure 03

Now that we know how to identify a bulk message, we just need to check our Exchange Server for the current SCL Junk E-mail threshold of our organization (Figure 04). To get that information we can run Get-OrganizationConfig | select SCLJunk* | fl. The value shown there is key, because our Transport Rule has to set the SCL of any bulk e-mail message to a value higher than that threshold to guarantee that those messages are delivered to the Junk E-mail folder.

Figure 04

In our Exchange organization we can use the following steps to create the Transport Rule:

  1. Open Exchange Management Console.
  2. Expand Microsoft Exchange On-Premises.
  3. Expand Organization Configuration.
  4. Click Hub Transport.
  5. Click Transport Rules.
  6. Click New Transport Rule.
  7. On the Introduction page, label the new rule and click Next.
  8. On the Conditions page, select when the message header matches text patterns. In the Step 2: Edit the rule description by clicking an underlined value section, set the first link to X-Forefront-Antispam-Report and the second one to SRV:BULK. The result is shown in Figure 05. Click Next.

Figure 05

  9. On the Actions page, select set the spam confidence level to value and, in the Step 2 section, use a value that is higher than the current SCLJunkThreshold (in our case the organization level is 6), as shown in Figure 06. Click Next.

Figure 06

  10. On the Exceptions page, leave the default settings and click Next.
  11. On the Create Rule page, click New.
  12. On the Completion page, make sure that the Transport Rule was created successfully and click Finish.
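The same rule can be created from the Exchange Management Shell instead of the EMC wizard. The following script is an added example for this article (not the author's code and not part of FOPE or Exchange): it shows a small check for the SRV:BULK stamp in the X-Forefront-Antispam-Report header described above, and then creates the transport rule from the steps above with New-TransportRule, reading SCLJunkThreshold from Get-OrganizationConfig so the rule's SCL is always one above the organization's threshold. The sample header value, the 192.0.2.10 address and the rule name are constructed; the cmdlets and parameters (Get-OrganizationConfig, New-TransportRule with -HeaderMatchesMessageHeader, -HeaderMatchesPatterns and -SetSCL) are the standard Exchange 2010 ones.

```powershell
# Added example (not from the article): detect FOPE's SRV:BULK stamp and create
# the "bulk mail to Junk E-mail" transport rule from the Exchange Management Shell.

function Test-FopeBulkHeader {
    param([Parameter(Mandatory)][string]$HeaderValue)
    # X-Forefront-Antispam-Report is a semicolon-separated list of KEY:VALUE pairs.
    # Split on ';' and compare whole tokens instead of a loose substring match, so a
    # value such as "SRV:BULKTEST" (constructed edge case) is not treated as bulk.
    $pairs = $HeaderValue -split ';' | ForEach-Object { $_.Trim() }
    return [bool]($pairs -contains 'SRV:BULK')
}

# Constructed sample header in the FOPE format (CIP uses a documentation IP range).
$sampleHeader = 'CIP:192.0.2.10;KIP:(null);UIP:(null);IPVD:NLI;H:mail.example.net;R:internal;EFV:NLI;SFV:SKN;SRV:BULK'
Test-FopeBulkHeader -HeaderValue $sampleHeader   # True for this sample

function New-FopeBulkToJunkRule {
    # Rule name is an assumption; pick whatever fits your naming convention.
    param([string]$Name = 'FOPE bulk mail to Junk E-mail')

    # Read the organization's SCL Junk E-mail settings (the same values the article
    # reads with Get-OrganizationConfig | select SCLJunk*).
    $org = Get-OrganizationConfig
    if (-not $org.SCLJunkEnabled) {
        throw 'SCLJunkEnabled is false: the SCL Junk E-mail threshold is not enforced, so this rule would have no effect.'
    }

    # Messages are moved to Junk E-mail only when their SCL is above the threshold,
    # so set the rule's SCL to threshold + 1; SCL values are capped at 9.
    $targetScl = [Math]::Min([int]$org.SCLJunkThreshold + 1, 9)

    New-TransportRule -Name $Name `
        -HeaderMatchesMessageHeader 'X-Forefront-Antispam-Report' `
        -HeaderMatchesPatterns 'SRV:BULK' `
        -SetSCL $targetScl `
        -Comments "Created $(Get-Date -Format s); SCLJunkThreshold was $($org.SCLJunkThreshold)"
}

# Usage (run once, from an Exchange Management Shell with Organization Management rights):
# New-FopeBulkToJunkRule
```

Reading the threshold at creation time rather than hard-coding 7 (the article's 6 + 1) matters because the rule silently stops working if someone later raises SCLJunkThreshold above the rule's fixed SCL; the -Comments value records the threshold the rule was built against so a later audit can spot the drift.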

After configuring this Transport Rule, any new bulk message will be delivered to the end users' Junk E-mail folder, removing one of the last chances for spam to disturb your end users' productivity.

Conclusion

In this article we covered some of the FOPE security features, but we only scratched the surface. FOPE provides many security features to improve the security of your environment; the Policy Rules component alone can be customized and configured in several different ways to fit your organization's requirements.
