Anti-Spam and Anti-Malware Protection in Exchange 2013 (Part 1)

Published on 14 Nov. 2013 / Last Updated on 14 Nov. 2013

In this article series, the author will discuss anti-spam in Exchange 2013 and introduce and explore the new features regarding anti-malware protection.

Introduction

Spam and malware have been a concern for messaging administrators almost since the first public messaging systems appeared. Every year the volume of e-mail spam and malware keeps increasing, and so does its sophistication. Microsoft understands these threats and, as such, Exchange has provided anti-spam protection out of the box for many versions now.

Exchange 2003 had built-in connection filtering against open relay, DNS blacklist (DNSBL) and Realtime Blackhole List (RBL) services, later complemented by the Microsoft Exchange Intelligent Message Filter (IMF), which used Microsoft SmartScreen technology to provide better anti-spam protection. IMF, first released in May 2004, became an integral part of Exchange 2003 with SP2.

With Exchange 2007 and 2010, Microsoft further improved Exchange’s anti-spam capabilities by providing connection filtering, content filtering, attachment filtering, Sender ID, sender/recipient filtering, sender reputation and IP Allow/Block lists out of the box on an Edge Transport server. All these features could also be enabled on a Hub Transport server, with the exception of connection and attachment filtering. This meant that small organizations that did not have the means, the skills or enough e-mail volume to justify the cost of installing and maintaining a full perimeter network with an Edge Transport server could still take advantage of almost all of these anti-spam capabilities.

However, although this provided a good level of protection, there was never built-in anti-malware protection. As such, these features were typically complemented either by third-party anti-spam/anti-malware software or appliances, or by Microsoft’s own products. As to the latter, first there was Microsoft Antigen for Exchange 2003, then Microsoft Forefront Security for Exchange Server (FSE) for Exchange 2007, and finally Microsoft Forefront Protection 2010 for Exchange Server (FPE) for both Exchange 2007 SP1 and Exchange 2010.

In September 2012 Microsoft announced that it was discontinuing further releases of the Forefront suite, with FPE support expiring on December 31, 2015. Microsoft’s recommendation was for organizations to move to Forefront Online Protection for Exchange (FOPE), renamed Exchange Online Protection (EOP) in its latest release.

Unfortunately, cloud services such as EOP are not suitable for every organization. So what should organizations with an on-premises Exchange 2013 deployment do for anti-spam and anti-malware protection? To answer this question, let us have a look at what Exchange 2013 provides in this area. We will start by reviewing the anti-spam features of Exchange 2013, which are virtually identical to those of Exchange 2010, and then explore the new capabilities introduced around anti-malware protection.

For the first time, an Exchange release provides both anti-spam and anti-malware protection out of the box.

Note:
Although Data Loss Prevention (DLP) can be used to help protect sensitive data, this article will only focus on protecting against spam and viruses. For more information on DLP, please check the Exchange 2013 Data Loss Prevention article.

Anti-Spam in Exchange 2013

As with previous versions of Exchange, 2013 provides a layered approach to help reduce spam. It uses transport agents to provide anti-spam filtering, and the built-in anti-spam agents remain relatively unchanged from Exchange 2010.

With the server role consolidation in Exchange 2013, one might expect the anti-spam agents to be installed on the Client Access servers (CAS), which run the Front End Transport service, since this service is the first point of contact for any inbound e-mail to the organization. However, remember that a CAS now acts as a stateless proxy for all inbound and outbound external SMTP traffic: it does not inspect message content and does not queue any messages locally. On the other hand, the Transport service, which runs on all Mailbox servers, is almost identical to the Hub Transport server role in previous versions of Exchange. It handles SMTP mail flow for the organization, performs message categorization and content inspection, and does queue messages locally.

For these reasons, anti-spam agents in Exchange 2013 run on Mailbox servers.

Anti-Spam Mailbox Agents

Anti-spam agents are usually enabled on Mailbox servers when an organization has neither an Edge Transport server nor some sort of third-party anti-spam filtering appliance in front of them.

Like all transport agents, anti-spam agents are assigned a priority value. A lower value indicates a higher priority, so an anti-spam agent with priority 1 acts on a message before an anti-spam agent with priority 9. Based on the default priority values, the following list briefly describes the agents and the default order in which they are applied to messages on a Mailbox server:

  1. Sender Filter agent: compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains who are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message;
  2. Recipient Filter agent: compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message is not permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message is not addressed to valid recipients, it is rejected;
  3. Sender ID agent: relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to determine whether the sender is spoofed or not;
  4. Content Filter agent: assesses the contents of a message and also consumes the safelist aggregation data, which collects the anti-spam safe lists that Outlook and Outlook Web App users configure and makes them available to the Content Filter agent;
  5. Protocol Analysis agent: is the underlying agent that implements the sender reputation functionality. Sender reputation relies on persisted data about the IP address of the sending server to determine what action, if any, to take on an inbound message. A Sender Reputation Level (SRL) is calculated from several sender characteristics that are derived from message analysis and external tests.

Anti-Spam Legacy Edge Transport Agents

As Exchange 2013 does not, at this stage, provide an Edge Transport server role, many organizations already using Exchange 2013 choose to use an Exchange 2010 Edge Transport server. One reason for this is that, besides having all of the anti-spam agents described above installed and enabled by default, an Edge Transport server provides two more agents not available on a Mailbox server:

  1. Connection Filtering agent: inspects the IP address of the remote server that is trying to send messages to determine what action, if any, to take on an inbound message. Connection filtering uses a variety of IP Block/Allow lists as well as IP Block/Allow List provider services to determine whether the connection from the specific IP should be blocked or allowed in the organization;
  2. Attachment Filter agent: filters messages based on attachment file name, extension or MIME content type. Attachment filtering can be configured to block a message and its attachment, to strip the attachment and allow the message to pass through, or to silently delete the message and its attachment.

Based on the default priority value of the anti-spam agents, this is the default order in which they are applied on an Edge Transport server:

  1. Connection Filtering agent
  2. Sender Filter agent
  3. Recipient Filter agent
  4. Sender ID agent
  5. Content Filter agent
  6. Protocol Analysis agent for sender reputation
  7. Attachment Filter agent

Enabling Anti-Spam Agents

As already mentioned, in Exchange 2013 the following anti-spam agents are available in the Transport service on Mailbox servers, but they are not installed by default:

  • Content Filter agent
  • Sender ID agent
  • Sender Filter agent
  • Recipient Filter agent
  • Protocol Analysis agent for sender reputation

Remember that organizations typically install the anti-spam agents in the Transport service on a Mailbox server only when that server accepts all incoming mail without any prior anti-spam filtering. If these agents are installed on a Mailbox server but other Exchange anti-spam agents already operate on messages before they reach it (for example an Exchange 2010 Edge Transport server in the perimeter network), the agents on the Mailbox server recognize the anti-spam X-headers that the upstream Exchange agents added to the messages. Messages that carry these X-headers pass through without being scanned again. The only exception is the recipient lookup performed by the Recipient Filter agent, which occurs again on the Mailbox server. This shortcut is safe only because the X-MS-Exchange-Organization-* headers are protected by Exchange’s header firewall: they are stripped from messages arriving over unauthenticated (anonymous) SMTP sessions, so an external sender cannot pre-stamp a message to skip filtering, whereas the authenticated Edge-to-Mailbox connection preserves them.

Figure 1.1: Anti-Spam X-Headers
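The following is an added example, not code from the article: a small PowerShell function that unfolds a raw message header block and pulls out the X-MS-Exchange-Organization-* anti-spam stamps, so you can confirm on a Mailbox server that a message arriving from an upstream Edge Transport server was already filtered. The header block is constructed for illustration (hostnames, addresses and report values are made up), and treating the SCL stamp as the "already filtered" indicator is this example's assumption; the article only says the agents look for the X-headers as a group.

```powershell
# Added example (not from the article): read the anti-spam stamps that Exchange
# agents leave in X-MS-Exchange-Organization-* headers. The header block below
# is constructed for illustration; hostnames, IPs and report values are made up.

$sampleHeaders = @'
Received: from edge01.contoso.local (10.0.0.5) by mbx01.contoso.local
 (10.0.0.10) with Microsoft SMTP Server (TLS); Thu, 14 Nov 2013 09:12:44 +0000
X-MS-Exchange-Organization-SCL: 6
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-SenderIdResult: Fail
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.1234.567;SID:SenderIDStatus Fail;
 OrigIP:203.0.113.7;SV:SV;SFV:SPM
From: sender@example.com
To: user@contoso.com
Subject: constructed test message
'@

function Get-AntispamStamp {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines (a line starting with SP/HTAB belongs to
    # the previous header), then keep only the organization anti-spam headers.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $stamps = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^(X-MS-Exchange-Organization-[^:]+):\s*(.*)$') {
            $stamps[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # Assumption of this example: an SCL stamp means an upstream Exchange
    # anti-spam agent already scored the message.
    $scl = $null
    if ($stamps.ContainsKey('X-MS-Exchange-Organization-SCL')) {
        $scl = [int]$stamps['X-MS-Exchange-Organization-SCL']
    }

    [pscustomobject]@{
        AlreadyFiltered = ($null -ne $scl)
        SCL             = $scl
        PCL             = $stamps['X-MS-Exchange-Organization-PCL']
        SenderIdResult  = $stamps['X-MS-Exchange-Organization-SenderIdResult']
        AntispamReport  = $stamps['X-MS-Exchange-Organization-Antispam-Report']
    }
}

# Usage: paste the headers of a real message (Outlook: File > Properties >
# Internet headers) into $RawHeaders instead of the constructed sample.
Get-AntispamStamp -RawHeaders $sampleHeaders
```

Only trust these stamps on messages that entered through an authenticated connection such as the Edge-to-Mailbox hop; on anonymous Receive connectors Exchange's header firewall removes X-MS-Exchange-Organization-* headers before the agents see the message, which is what keeps an external sender from stamping their own mail to dodge the filters.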

In order to install and use these agents, we use the same Install-AntispamAgents.ps1 script we used with Exchange 2007 and 2010. Start by navigating to the Exchange Scripts folder and then run the script:

Figure 1.2: Running the Install-AntispamAgents.ps1 Script

Next, restart the Microsoft Exchange Transport service, either using the Services MMC or the Shell:

Figure 1.3: Restarting the Microsoft Exchange Transport Service

The final step is to specify the IP addresses of any internal SMTP servers that should be ignored by the Sender ID agent; the agent skips these hops when it walks the Received: headers looking for the first external IP address to check against the sender’s SPF record. At least one IP address needs to be set. If the Mailbox server we just installed the anti-spam agents on is the only SMTP server in the organization, we specify its own IP address.

Figure 1.4: Specifying Internal SMTP Servers

If you want to add IP addresses without affecting any existing values, use the following syntax instead:

Set-TransportConfig -InternalSMTPServers @{Add="<IP 1>","<IP 2>"...}

Note:
Even though the script will run without any errors on a CAS server, remember that you cannot enable the anti-spam agents on an Exchange 2013 Client Access server.
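The whole procedure from the Exchange Management Shell, as an added example rather than the article's own commands. It assumes the ExchangeInstallPath environment variable that Exchange Setup creates, and uses the placeholder addresses 10.0.0.10 (this Mailbox server) and 10.0.0.11 (a second internal SMTP host); replace both with your own.

```powershell
# Added example (not from the article): install and enable the built-in
# anti-spam agents on an Exchange 2013 Mailbox server, then verify the result.
# Run in the Exchange Management Shell as a member of Organization Management.
# Placeholders: 10.0.0.10 = this Mailbox server, 10.0.0.11 = another internal
# SMTP host.

# 1. Run the install script from the Exchange Scripts folder.
#    ExchangeInstallPath is set by Exchange Setup on every Exchange server.
$scripts = Join-Path $env:ExchangeInstallPath 'Scripts'
& (Join-Path $scripts 'Install-AntispamAgents.ps1')

# 2. Restart the Transport service so the new agents are loaded.
Restart-Service MSExchangeTransport

# 3. Tell the Sender ID agent which internal hops to skip. The first call
#    overwrites the list; the second appends without touching existing entries.
Set-TransportConfig -InternalSMTPServers '10.0.0.10'
Set-TransportConfig -InternalSMTPServers @{Add = '10.0.0.11'}

# 4. Verify: the Content Filter, Sender ID, Sender Filter, Recipient Filter and
#    Protocol Analysis agents should appear as Enabled, in priority order, and
#    the internal server list should contain both addresses.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize
(Get-TransportConfig).InternalSMTPServers
```

Run step 4 on a Client Access server as well if you ran the script there by mistake: the agents may be listed, but as the note above says they do not filter anything in the Front End Transport service, so the Mailbox servers are where the check matters.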

Managing the anti-spam agents in Exchange 2013 is virtually unchanged from Exchange 2007 and 2010. The only difference is that the anti-spam settings are no longer configurable through a user interface: only the Shell can be used to configure and manage these agents.

As there are already a number of articles on MSExchange.org on how to do that, this article will focus on the new anti-malware features of Exchange 2013. For more information, please visit the Security & Message Hygiene section on MSExchange.org’s website.

Exchange 2013 vs Exchange Online Protection Anti-Spam

Although Exchange itself provides very good anti-spam capabilities, for more anti-spam features and easier management organizations can purchase EOP from Microsoft, a cloud-based e-mail filtering service that helps organizations protect against both spam and malware. EOP is typically used in three primary ways:

  • In a standalone scenario with EOP providing protection for the on-premises Exchange 2013 environment, legacy Exchange versions or for any other on-premises SMTP e-mail solution;
  • As part of Microsoft Exchange Online with EOP protecting Exchange Online cloud-hosted mailboxes;
  • In a hybrid deployment with EOP protecting the messaging environment and controlling mail routing when there is a mix of on-premises and cloud mailboxes.

The following are benefits of using EOP versus Exchange 2013:

  • Easier configuration: administrators can use the Exchange Administration Center console to customize spam filtering settings. There is no anti-spam user interface in Exchange 2013;
  • Stronger connection filtering: in Exchange 2013, connection filtering IP Block/Allow lists are available only through an Exchange 2007/2010 Edge Transport server. EOP uses Microsoft’s own block/allow lists aggregated from vendors to provide greater IP-level filtering;
  • Stronger content filtering: with EOP, administrators can easily configure content filter policies to:
    • Filter messages written in specific languages;
    • Filter messages sent from specific countries or regions;
    • Mark bulk e-mail messages as spam;
    • Search for attributes in a message and act upon the message if it matches a specific advanced spam option attribute. Some of these options offer a combination of Sender ID and Sender Policy Framework (SPF) technologies to authenticate and verify that messages are not spoofed.
  • Quicker updates: spam definition updates are propagated more quickly across the network. In Exchange 2013, updates occur twice a month, whereas the service is updated multiple times per hour;
  • Outbound filtering: outbound spam filtering is always enabled when using EOP for sending outbound e-mail to protect organizations using the service and their intended recipients.

Conclusion

In the first part of this article series, we had a quick look at anti-spam in Exchange 2013 and how it is practically unchanged from Exchange 2007 and 2010. In the next article we will explore the new features surrounding anti-malware protection in Exchange 2013.
