Last week, I started writing about my experience moving my (admittedly small) production Exchange environment to Exchange Server 2007 ("Going Live with Exchange 2007, Part 1," October 26, 2006, http://www.windowsitpro.com, InstantDoc ID 94029). I mentioned that I still had work to do on antispam protection. As shipped, Exchange 2007 does a better job blocking spam to my network than a basic Exchange 2003 installation with Microsoft Exchange Intelligent Message Filter, but it doesn't do as well as Vamsoft's ORF Enterprise Edition.
Shortly after submitting last week's column, I added some IP blacklist providers to my Exchange 2007 configuration. You might recall that the message protection and hygiene features in Exchange 2007 are implemented as a set of agents that run either on the Hub Transport or Edge Transport server. You use the Anti-spam tab of the server Properties page to adjust the properties used for the IP Block List Providers object; you can also adjust other properties, such as the settings used for sender and recipient filtering and for Sender ID.
I added two DNS blacklists: AbuseAT (http://cbl.abuseat.org) and Spamhaus (http://www.spamhaus.org/). There are many other popular services out there—why did I pick these two?
- I chose AbuseAT because its Composite Blocking List records only hosts that have attempted to send messages in a way that indicates the host is infected or compromised.
- I chose Spamhaus because it's a large, well-known service that combines two separate lists (SBL is a list of spammers; XBL is a list of compromised IP addresses from which viruses, worm traffic, or spam originates).
There are many other blacklists, some much more aggressive than others. For example, the Spam and Open-Relay Blocking System (SORBS) list includes large ranges of addresses that belong to dial-up ISPs, which shouldn't generally be sending SMTP mail. But it also includes large blocks of addresses assigned to cable-modem and DSL providers. Even though I have a business cable-modem account, if my local provider's IP address were to show up in SORBS, I'd have a hard time exchanging mail with the rest of the world. In my opinion, SORBS is a little too quick to block addresses, which is why I don't use this blacklist.
Choosing a blacklist is tricky; your best bet is to start with one or two list providers and see whether your spam level drops. I saw a dramatic decrease in the amount of spam reaching my servers after I added the AbuseAT and Spamhaus lists. I've gone from getting 15–20 spam messages per account per day to one or two, and I haven't found any false positives generated by the Realtime Blackhole Lists (RBLs). Your own mileage may vary, which is why it's important to test the RBLs you choose to ensure that they don't drop legitimate messages.
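The same configuration can be done from the Exchange Management Shell, which is also the easiest place to test a provider before you trust it. The following is an added example, not the column's own commands: it registers the two providers described above, verifies what the Connection Filtering agent will see, checks that your own addresses are not listed, and pulls the agent log so a false positive is visible. Assumptions: the lookup zones (cbl.abuseat.org and sbl-xbl.spamhaus.org, the combined SBL+XBL zone in use when this was written), the Spamhaus return-code meanings, the placeholder IP 203.0.113.10, and the agent-log field and agent names; on a Hub Transport server the antispam agents must already have been installed with Install-AntispamAgents.ps1.

```powershell
# Added example (not from the original column). Run in the Exchange
# Management Shell on the Hub or Edge Transport server that does connection
# filtering. Zone names, return codes, and the 203.0.113.10 address are
# assumptions; adjust to your own environment.

# CBL only lists hosts that have sent in a way that indicates infection or
# compromise, so any answer from the zone is a reason to reject.
Add-IPBlockListProvider -Name "CBL (abuseat.org)" `
    -LookupDomain "cbl.abuseat.org" `
    -AnyMatch $true `
    -Priority 1 `
    -RejectionResponse "Your IP address is listed by the CBL; see http://cbl.abuseat.org"

# Spamhaus SBL+XBL combined zone. Rather than AnyMatch, key on the return
# codes so you reject only on the sub-lists you mean to use. Assumed codes:
# 127.0.0.2 = SBL (known spam sources), 127.0.0.4-127.0.0.6 = XBL (exploited
# hosts). Dropping 127.0.0.2 from this list would leave only XBL active.
Add-IPBlockListProvider -Name "Spamhaus SBL-XBL" `
    -LookupDomain "sbl-xbl.spamhaus.org" `
    -IPAddressesMatch 127.0.0.2,127.0.0.4,127.0.0.5,127.0.0.6 `
    -Priority 2 `
    -RejectionResponse "Your IP address is listed by Spamhaus; see http://www.spamhaus.org"

# Confirm both providers are registered, enabled, and in the expected order
# (lower Priority is queried first).
Get-IPBlockListProvider |
    Format-Table Name, LookupDomain, AnyMatch, IPAddressesMatch, Priority, Enabled -AutoSize

# Before going live: make sure your own outbound addresses and the addresses
# of partners you must be able to receive from are NOT listed anywhere.
# 203.0.113.10 is a placeholder; replace with real addresses.
$mustNotBeListed = @("203.0.113.10")
foreach ($provider in Get-IPBlockListProvider) {
    foreach ($ip in $mustNotBeListed) {
        # Returns the provider name and the DNS answer (empty if not listed).
        Test-IPBlockListProvider -Identity $provider.Name -IPAddress $ip
    }
}

# After a day or two: list every connection the Connection Filtering agent
# rejected because of a block list. A legitimate sender who complains about
# bounces should show up here with the provider that listed them in ReasonData.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -eq "Connection Filtering Agent" -and $_.Action -eq "RejectCommand" } |
    Select-Object Timestamp, IPAddress, P1FromAddress, Reason, ReasonData |
    Sort-Object Timestamp
```

Two things worth keeping in mind when you read the results. An IP Block List Provider match rejects at the SMTP session, so a false positive never reaches a mailbox; the only traces are the sender's NDR and the agent log above, which is why the log review matters more than watching the Junk E-mail folder. And if a partner does turn up listed, an IP Allow List entry (Add-IPAllowListEntry) for their address is checked before the block list providers, so you can keep the providers on while the partner gets delisted.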
Next week, I'll be writing about the fall Microsoft Exchange Connections show—look for a report on what's new and cool on the show floor, as well as highlights of the keynotes and other presentations. If you're going to be in Las Vegas for the show, look for me Wednesday morning in session or throughout the show in the exhibit area.