October 28, 2003 12:00 AM

Suppressing Spam

Give your Exchange environment defense in depth
Windows IT Pro
InstantDoc ID #40469

Antigen’s Antispam Barriers
In Antigen 7.5, Sybari integrates antispam processing through a transport sink. Antigen has a good antivirus reputation in the Exchange market. An updated version that supports the Exchange 2003 SCL feature will be available in late 2003.

As with most antispam products, you can set various options in Sybari Spam Manager to suppress or identify spam as it arrives at the Exchange SMTP virtual server. The options are mailhost filtering (which lets you set up blackhole lists), content filtering (which lets you determine the type of content Antigen passes through to Exchange), file filtering (which lets you determine permitted file types), and keyword filtering (which lets you set up lists of words that Antigen looks for as it examines new messages). As Figure 2 shows, Antigen provides prepopulated lists of keywords that cover profanity, racial discrimination, sexual discrimination, and common spam words, such as "viagra." You can add words to these lists, but the prepopulated lists are fairly comprehensive and will stop most spam.

After you set up your keyword lists, you then decide how you want Antigen to treat spam. You can have Antigen drop messages immediately after it detects them as spam—an effective way of suppressing spam, but you run the risk that some messages that resemble spam might be important messages that you want to keep. The best practice is to first deploy the antispam product in "detect only" mode so that the product informs you about new spam and you can examine the notifications to determine the effectiveness of the filters. After you're happy that the filters are accurately detecting spam and ignoring other messages, you can start blocking (i.e., dropping) spam or moving messages into a quarantine directory. Figure 3 shows how Antigen informs administrators when it detects a spam message. You can configure Antigen so that it sends these notifications to as many administrators as you want.

Considering the amount of spam that can arrive at a server, you should be cautious about enabling notifications for administrators. Spam-generated messages can easily swamp a mailbox, particularly on servers that act as the initial line of defense. If you permit spam to pass through, you can configure Antigen so that it marks the spam with a SUSPECT prefix in the Subject line, as Figure 4 shows, before passing it through to Exchange’s routing engine.
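As an added illustration of the keyword-filtering rollout just described (this is not Antigen's code, and Sybari's prepopulated lists are not reproduced here), the Python sketch below scans messages against constructed keyword lists, tallies hits in a detect-only pass against human verdicts, and then applies the tag (SUSPECT prefix), quarantine or drop action. The keyword lists and sample messages are made up for the example.

```python
import email
import re
from email import policy
# Constructed keyword lists standing in for Antigen's prepopulated ones;
# the real list contents are not reproduced on the page.
KEYWORD_LISTS = {"spam": ["viagra", "free money", "act now"],
                 "profanity": ["damn"]}

def parse(raw):
    """Parse raw RFC 822 text into an EmailMessage (stdlib email package)."""
    return email.message_from_string(raw, policy=policy.default)
def scan(msg):
    """Return (list_name, keyword) hits found in the Subject and text body."""
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    return [(name, w) for name, words in KEYWORD_LISTS.items()
            for w in words if re.search(r"\b" + re.escape(w) + r"\b", text)]

def apply_action(msg, hits, mode):
    """Apply mode ('detect', 'tag', 'quarantine', 'drop'); returns (verdict, msg)."""
    if not hits or mode == "detect":
        return "deliver", msg        # detect mode only notifies administrators
    if mode == "tag":
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "SUSPECT: " + subject
        return "deliver", msg
    if mode == "quarantine":
        return "quarantine", msg
    return "drop", None

# Constructed sample messages paired with the verdict a human reviewer gives.
SAMPLES = [
    ("Subject: Cheap VIAGRA today\n\nAct now and save.\n", True),
    ("Subject: Q3 budget\n\nThe board meeting is Tuesday.\n", False),
    ("Subject: Pharmacy study\n\nOur viagra trial results are attached.\n", False),
]

def trial_run(samples):
    """Detect-only rollout: tally filter hits against known verdicts."""
    stats = {"true_positive": 0, "false_positive": 0, "missed": 0}
    for raw, is_spam in samples:
        flagged = bool(scan(parse(raw)))
        if flagged:
            stats["true_positive" if is_spam else "false_positive"] += 1
        elif is_spam:
            stats["missed"] += 1
    return stats
```

The third sample shows why the detect-only pass matters: a legitimate pharmacy message trips the "viagra" keyword and would have been dropped had blocking been enabled from day one.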

Client Protection
Suppressing spam after it arrives at the client is a last-ditch effort. You've already incurred the cost of transporting, delivering, and storing the spam on its route to the client, and now the user gets to view the spam, if only to review the contents of the folder into which the client moves suspect messages. Of course, you can configure Outlook to delete any spam it detects, but again, you then run the risk of losing an important message mistakenly identified as spam. Ensure that the level of junk-mail protection you select, as Figure 5 shows, is appropriate for the traffic you receive.

Both Outlook 2003 and OWA 2003 feature client-side junk-mail filtering. Outlook 2003 supports connections to Exchange 2003, Exchange 2000, and Exchange 5.5 servers, but OWA 2003 is dependent on Exchange 2003. Outlook 2003’s Junk E-Mail filtering works only if you operate in cached Exchange mode. The logic is that Outlook must download the full content of messages before it can filter them. Attempting such downloads in a classic client-server connection would be far too expensive in network terms—you don't want to download giant attachments just to check their content. In an attempt to prevent spammers from gathering intelligence about their victims, both Outlook 2003 and OWA 2003 don't automatically download pictures in HTML-format messages unless you explicitly choose to view the pictures or establish new default settings for picture downloads.

In their messages, many spammers include pointers to small (1 × 1 pixel) graphics with the intention of forcing you to make a network connection to their site to download the image file. Because the file—called a Web beacon—is so small, you don’t experience any network delay during the download, and because the spammer typically hides the file, you don’t see it in the message. The spammer uses this tool to determine the effectiveness and destinations of its messages. Ideally, the spammer also wants to discover which email addresses on its lists are real and active so that it can sell these addresses to other spammers or include them on other lists it maintains. To do so, spammers can include instructions in the URL to pass information about you back to their server.

Figure 6 shows a captured Web beacon. In this example, I received a message that Outlook recognized as spam and filed into my Junk E-Mail folder. To see the HTML source and determine whether the message contained any Web beacons, I right-clicked the message content and selected View Source. As Figure 6 shows, the image references point to files on a remote server, and the circled file points to a small hidden file.
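As an added example, not code from the article, the following Python function automates the check just described over an HTML message source: it lists remote image references that are tiny, hidden, or carry query parameters that could identify the recipient. The sample HTML, its hosts, and the tracking values are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse
# Constructed HTML standing in for a spam message's source as shown by
# View Source; the hosts and tracking values below are made up.
SAMPLE_HTML = """<html><body><p>Special offer inside!</p>
<img src="http://images.example.test/banner.jpg" width="468" height="60">
<img src="http://track.example.test/open.gif?id=abc123&to=user%40corp.test"
     width="1" height="1" style="display:none">
<img src="cid:logo@local" width="1" height="1">
</body></html>"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML source."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def _dimension(img, name):
    """Parse a width/height attribute; None when absent or not numeric."""
    raw = img.get(name, "").strip().lower()
    raw = raw[:-2] if raw.endswith("px") else raw
    return int(raw) if raw.isdigit() else None

def _is_tiny(img):
    dims = (_dimension(img, "width"), _dimension(img, "height"))
    return any(d is not None and d <= 1 for d in dims)

def _is_hidden(img):
    style = img.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

def find_beacons(html):
    """List (host, reasons) for remote images that are tiny, hidden, or tracked."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        url = urlparse(img.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue  # inline cid: or relative images cause no outbound fetch
        reasons = [label for label, test in (("tiny", _is_tiny), ("hidden", _is_hidden))
                   if test(img)]
        if url.query:  # parameters that could carry the recipient's identity
            reasons.append("query:" + ",".join(sorted(parse_qs(url.query))))
        if reasons:
            findings.append((url.netloc, reasons))
    return findings
```

The banner image is remote but full-sized and carries no parameters, so it is not reported; the 1 × 1 hidden image with an id and recipient token in its URL is.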

If you don't yet want to upgrade to Outlook 2003, you can still add antispam support to your client by installing products such as Cloudmark's SpamNet, iHateSpam, MailFrontier's Matador, and Mailshell's SpamCatcher. All these products support Outlook 2002 and Outlook 2000, and some offer versions to support Outlook Express clients—but those come with an additional cost to buy, deploy, and support. The actual per-client purchase cost is fairly low (between $20 and $30 per seat, subject to corporate discounts), but the total cost can mount up if you're deploying to thousands of seats. At this point, an upgrade to Outlook 2003 becomes more attractive, particularly when you factor in other Outlook 2003 features, such as cached-mode Exchange.

New Threats
Although we've witnessed great progress in securing messaging servers and protecting them against viruses and spam, we shouldn't become complacent. Virus authors and spam generators are constantly searching for new methods to exploit email. For example, we haven't yet seen the first attack against Instant Messaging (IM) networks. Your job now encompasses the tasks of keeping a close eye on new developments and deploying software to defend servers, and those tasks are unlikely to go away anytime soon.

Comments
  • Tim
    Mar 21, 2004

    I love this stuff

  • Rich Snow
    Nov 24, 2003

    Great article! I dug through the Microsoft Ex2003 documentation looking for the RBL feature and didn't find it. Thanks for showing it. Now if we could use the product without tweaking the registry?

    My experience with SPAM filtering in an Exchange 5.5 environment has been that it took two years for the traditional commercial vendors to get on par with Open Source solutions to this problem. I chose a small European software developer (DataEnter X-Wall) because the software is not resource intensive and it allows me much flexibility in suppressing some of the incompatible content that Exchange puts out - such as tnef (Rich Text) formatting, delivery receipts to mailing lists (a horror show) - etc. The price can't be beat! So check out all your options, and don't believe any vendor who claims it can't be done with Microsoft Mail or Exchange 5.5.

  • Chris King
    Nov 07, 2003

    As always, Tony Redmond is a great source of info. One problem inherent to any tech article is where to decide to leave off in the details of any procedure, and generally I am content with a pointer to the fact that a function exists and I then go research it. In this case, I find myself lost in trying to take the last step in connection filtering (when it requires enabling it on the SMTP server) and the MS docs, and online docs don't clear it up for me. ESM itself tells me I must, which is terrific, but when I go check the help on the SMTP props themselves it doesn't clear it up for me. :(

  • byron lochridge
    Oct 28, 2003

    How about an article on third-party antispam that will protect non-Microsoft email such as that in Goldmine and Pegasus/Mercury?
