Exchange 2007 Anti-Spam Configuration in 30 seconds - Understanding Anti-Spam and Antivirus Mail Flow
For a brief overview, read Understanding Anti-Spam and Antivirus Mail Flow [4].
Publish SPF Records for your domains. Do everyone a favour.
If you don't have an Edge Server, install the filters on your Hub Transport Server. How to Enable Anti-Spam Functionality on a Hub Transport Server [6]
The Install-AntispamAgents.ps1 script is copied to the %system drive%\Program Files\Microsoft\Exchange Server\Scripts folder. You must run the script from this location:
./install-AntispamAgents.ps1
Restart-Service MSExchangeTransport
Set the Junk, Quarantine, Delete thresholds [7]. I only set the Reject threshold; I don't want a central quarantine to sort through, nor do I want my server silently deleting emails.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9
Set-ContentFilterConfig -QuarantineMailbox someaddress@somewhere.com
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7
For email that isn't rejected, I set Organization-level spam settings so that messages with a score of 5 or over are put into Junk Email folders. Then users can sort through their own spam.
Set-OrganizationConfig -SCLJunkThreshold 5
Set SCL Junk threshold on all mailboxes [2] - for specific settings/more granular settings beyond the org-level. Set this on all your mailboxes initially and you can tweak individual mailboxes as necessary. I usually just leave this as 5, since Outlook will auto-add recipients/contacts to the safe senders list which bypasses this.
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -SCLJunkEnabled $true -SCLJunkThreshold 5
If you have an SMTP server that all inbound mail passes through first, add it to the Internal SMTP Servers list so that it is ignored by the SPF filter. The SPF filter will then look at the NEXT hop, which should be the source/sending/external server. If you don't do this, all your SPF checks will fail, since your internal server 192.168.1.1 (in this example) will be tested as the sender for every inbound SPF query and keep failing/soft-failing. [3]
Set-TransportConfig -InternalSMTPServers 192.168.1.1
If the external SMTP server does spam filtering as well (like a Barracuda appliance) and adds a header like "X-Spam-Status: yes", you can configure a transport rule to stamp an SCL score on the message, so that Exchange processes it properly and puts it into Junk folders [1].
1. Fire up EMC | Organization Config | Hub Transport | Transport Rules tab
2. Click on New Transport Rule in the Action pane
3. Give the new rule a name, add a comment if you wish
4. In the Conditions page, select the condition when a message header contains specific words
5. In the Step 2 edit box, click on the message header link
6. Type X-Spam-Status | click OK
7. In the edit box, click on the specific words link
8. Type yes | click OK | click Next
9. In the Actions page, select the action set the spam confidence level to value
10. In the rule description, click on the 0 link and add a value that's above your SCLJunkThreshold | click Next
11. On the Exceptions page, click Next if you do not want any exceptions to this rule
12. Click New | click Finish to close the wizard
Exchange Shell equivalent:
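# Condition: the X-Spam-Status header contains "yes"
$condition = Get-TransportRulePredicate HeaderContains
$condition.MessageHeader = "X-Spam-Status"
$condition.Words = @("yes")
# Action: stamp an SCL above SCLJunkThreshold (5 in this setup), as in step 10
$action = Get-TransportRuleAction SetSCL
$action.SCLValue = 6
New-TransportRule "Stamp SCL" -Conditions @($condition) -Actions @($action)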
Enable Antispam updates and the IP reputation updates [5]. This is important.
Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -MicrosoftUpdate Configured -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
Create a Receive Connector just for Internet mail, and ensure you have the necessary permissions set on it. Be sure that any POP3 connectors have their own Receive Connector configured with the appropriate permissions.
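A read-only check of the settings configured above, as an added example that is not part of the original post. It reuses the SERVER01 and "Stamp SCL" names from the post and assumes it is run in the Exchange Management Shell on the transport server.

```powershell
# Added verification sketch; run in the Exchange Management Shell on the Hub Transport server.
$server   = "SERVER01"    # server name used in the post; replace with your own
$ruleName = "Stamp SCL"   # transport rule name used in the post

# 1. The agents installed by install-AntispamAgents.ps1 should be listed and enabled.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# 2. Gateway actions: which of Reject / Delete / Quarantine are on, and at what SCL.
$cf = Get-ContentFilterConfig
$cf | Format-List SCLRejectEnabled, SCLRejectThreshold, SCLDeleteEnabled,
    SCLDeleteThreshold, SCLQuarantineEnabled, SCLQuarantineThreshold, QuarantineMailbox

# 3. The Junk threshold has to sit below the lowest enabled gateway threshold,
#    otherwise no SCL value is left that sends a message to a Junk folder.
$junk = (Get-OrganizationConfig).SCLJunkThreshold
$gateway = @()
if ($cf.SCLRejectEnabled)     { $gateway += $cf.SCLRejectThreshold }
if ($cf.SCLDeleteEnabled)     { $gateway += $cf.SCLDeleteThreshold }
if ($cf.SCLQuarantineEnabled) { $gateway += $cf.SCLQuarantineThreshold }
if ($gateway.Count -gt 0) {
    $lowest = ($gateway | Measure-Object -Minimum).Minimum
    if ($junk -ge $lowest) {
        Write-Warning "SCLJunkThreshold $junk is not below the lowest gateway threshold $lowest"
    }
}

# 4. Mailboxes whose own junk setting differs from the organization value.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.SCLJunkEnabled -or $_.SCLJunkThreshold -ne $junk } |
    Format-Table Name, SCLJunkEnabled, SCLJunkThreshold -AutoSize

# 5. Upstream relays must be listed, or the SPF check tests the relay's address.
$internal = (Get-TransportConfig).InternalSMTPServers
if (-not $internal -or $internal.Count -eq 0) {
    Write-Warning "InternalSMTPServers is empty"
} else {
    $internal
}

# 6. The header-stamping rule exists; its SCL value should be above $junk.
Get-TransportRule $ruleName | Format-List

# 7. Spam signature and IP reputation updates are switched on.
Get-AntispamUpdates -Identity $server |
    Format-List UpdateMode, SpamSignatureUpdatesEnabled, IPReputationUpdatesEnabled, MicrosoftUpdate
```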
[1] http://exchangepedia.com/blog/2008/01/assigning-scl-to-messages-scanned-by.html
[2] http://technet.microsoft.com/en-us/library/bb123559(EXCHG.80).aspx
[3] http://technet.microsoft.com/en-us/library/bb124151(EXCHG.80).aspx
[4] http://technet.microsoft.com/en-us/library/aa997242(EXCHG.80).aspx
[5] http://technet.microsoft.com/en-us/library/bb125199(EXCHG.80).aspx
[6] http://technet.microsoft.com/en-us/library/bb201691(EXCHG.80).aspx
[7] http://technet.microsoft.com/en-us/library/aa995995(EXCHG.80).aspx
