Exchange 2007 Anti-Spam Configuration in 30 seconds - Understanding Anti-Spam and Antivirus Mail Flow

For a brief overview, read Understanding Anti-Spam and Antivirus Mail Flow [4].

Publish SPF Records for your domains.  Do everyone a favour.

http://www.openspf.org/

If you don't have an Edge Server, install the filters on your Hub Transport Server.  See How to Enable Anti-Spam Functionality on a Hub Transport Server [6].

The Install-AntispamAgents.ps1 script is copied to the %system drive%\Program Files\Microsoft\Exchange Server\Scripts folder. You must run the script from this location.

./install-AntispamAgents.ps1

Restart-Service MSExchangeTransport

Set the Junk, Quarantine, Delete thresholds [7].  I only set the Reject threshold; I don't want a central quarantine to sort through, nor do I want my server silently deleting emails.

Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9
Set-ContentFilterConfig -QuarantineMailbox someaddress@somewhere.com
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7

For email that isn't rejected, I set Organization-level spam settings so that messages with a score of 5 or over are put into Junk Email folders.  Then users can sort through their own spam.

Set-OrganizationConfig -SCLJunkThreshold 5

Set SCL Junk threshold on all mailboxes [2] - for specific settings/more granular settings beyond the org-level.  Set this on all your mailboxes initially and you can tweak individual mailboxes as necessary.  I usually just leave this as 5, since Outlook will auto-add recipients/contacts to the safe senders list which bypasses this.

Get-Mailbox | Set-Mailbox -SCLJunkEnabled $true -SCLJunkThreshold 5

If you have an SMTP server that all inbound mail passes through first, add it to the Internal SMTP Servers list so that it is ignored by the SPF filter.  The SPF filter will then look at the NEXT hop, which should be the source/sending/external server.  If you don't do this, all your SPF checks will fail, since your internal server 192.168.1.1 (in this example) will keep being tested for all inbound SPF queries and keep failing/soft-failing.  [3]

Set-TransportConfig -InternalSMTPServers 192.168.1.1
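
Passing a value to -InternalSMTPServers replaces the whole list, so the command above drops any gateways that were already registered. The following is an added example (not from the original post) that appends instead; 192.168.1.2 is a constructed placeholder for a second gateway.

```powershell
# Added example: append inbound gateways to InternalSMTPServers without
# overwriting entries that are already there. Run in the Exchange Management Shell.
# 192.168.1.1 is the post's example address; 192.168.1.2 is a constructed placeholder.
$gateways = "192.168.1.1", "192.168.1.2"

$config  = Get-TransportConfig
# Compare as strings so an address that is already listed is not added twice.
$current = @($config.InternalSMTPServers | ForEach-Object { $_.ToString() })

$changed = $false
foreach ($ip in $gateways) {
    if ($current -contains $ip) {
        Write-Host "$ip is already listed"
    } else {
        $config.InternalSMTPServers += $ip
        $changed = $true
        Write-Host "$ip will be added"
    }
}

if ($changed) {
    Set-TransportConfig -InternalSMTPServers $config.InternalSMTPServers
}

# Show the resulting list. Only relays you operate belong here, because
# the sender checks skip every address on it.
Get-TransportConfig | Format-List InternalSMTPServers
```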

If the external SMTP server does spam filtering as well (like a Barracuda appliance), and adds a header like "X-Spam-Status: yes", you can configure transport rules to stamp an SCL score on the message, so that it will get processed by Exchange properly and get put into Junk folders [1].

1. Fire up EMC | Organization Config | Hub Transport | Transport Rules tab
2. Click on New Transport Rule in the Action pane
3. Give the new rule a name, add a comment if you wish
4. In the Conditions page, select the condition when a message header contains specific words
5. In the Step 2 edit box, click on the message header link
6. Type X-Spam-Status | click OK
7. In the edit box, click on the specific words link
8. Type yes | click OK | click Next
9. In the Actions page, select the action set the spam confidence level to value
10. In the rule description, click on the 0 link and add a value that's above your SCLJunkThreshold | click Next
11. On the Exceptions page, click Next if you do not want any exceptions to this rule
12. Click New | click Finish to close the wizard

Exchange Shell equivalent:

# Match the header stamped by the upstream filter
$condition = Get-TransportRulePredicate HeaderContains
$condition.MessageHeader = "X-Spam-Status"
$condition.Words = @("yes")
# Stamp an SCL above the SCLJunkThreshold of 5 set earlier (see step 10)
$action = Get-TransportRuleAction SetSCL
$action.SCLValue = 6
New-TransportRule "Stamp SCL" -Conditions @($condition) -Actions @($action)

Enable Antispam updates and the IP reputation updates [5].  This is important.

Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -MicrosoftUpdate Configured -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
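
To confirm the steps above took effect, the following added example (not part of the original post) reads the settings back on the Hub Transport server. It flags any enabled gateway threshold that is not above the junk threshold and lists mailboxes whose junk settings differ from the organization value; it changes nothing.

```powershell
# Added example: read back the anti-spam settings made above.
# Run in the Exchange Management Shell on the Hub Transport server.
$cf   = Get-ContentFilterConfig
$junk = (Get-OrganizationConfig).SCLJunkThreshold

# 1. Agents installed by Install-AntispamAgents.ps1 should be listed and enabled.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# 2. Gateway actions that are switched on, with their thresholds.
$active = @()
if ($cf.SCLDeleteEnabled)     { $active += @{ Action = "Delete";     Scl = $cf.SCLDeleteThreshold } }
if ($cf.SCLRejectEnabled)     { $active += @{ Action = "Reject";     Scl = $cf.SCLRejectThreshold } }
if ($cf.SCLQuarantineEnabled) { $active += @{ Action = "Quarantine"; Scl = $cf.SCLQuarantineThreshold } }

Write-Host "Organization junk threshold: $junk"
foreach ($a in $active) {
    Write-Host ("{0,-10} enabled at SCL {1}" -f $a.Action, $a.Scl)
    # A gateway action at or below the junk threshold acts on the mail first,
    # so nothing in that range is left for the Junk E-mail folder.
    if ($a.Scl -le $junk) {
        Write-Warning ("{0} threshold {1} is not above the junk threshold {2}" -f $a.Action, $a.Scl, $junk)
    }
}

# 3. Quarantine needs a mailbox to deliver to.
if ($cf.SCLQuarantineEnabled -and -not $cf.QuarantineMailbox) {
    Write-Warning "Quarantine is enabled but QuarantineMailbox is empty"
}

# 4. Relays in front of Exchange that the sender checks should skip.
Get-TransportConfig | Format-List InternalSMTPServers

# 5. Mailboxes whose junk settings differ from the organization value.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.SCLJunkEnabled -ne $true -or $_.SCLJunkThreshold -ne $junk } |
    Format-Table Name, SCLJunkEnabled, SCLJunkThreshold -AutoSize
```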

Create a Receive Connector just for Internet mail, and ensure you have the necessary permissions set on it.  Be sure that any POP3 connectors have their own Receive Connector configured with the appropriate permissions.

http://justinho.com/blog/preventing-external-spoofed-spam-from-authoritative-address-spaces-or-domains/

[1] http://exchangepedia.com/blog/2008/01/assigning-scl-to-messages-scanned-by.html

[2] http://technet.microsoft.com/en-us/library/bb123559(EXCHG.80).aspx

[3] http://technet.microsoft.com/en-us/library/bb124151(EXCHG.80).aspx

[4] http://technet.microsoft.com/en-us/library/aa997242(EXCHG.80).aspx

[5] http://technet.microsoft.com/en-us/library/bb125199(EXCHG.80).aspx

[6] http://technet.microsoft.com/en-us/library/bb201691(EXCHG.80).aspx

[7] http://technet.microsoft.com/en-us/library/aa995995(EXCHG.80).aspx

Comments (3) -

December 27. 2008 02:59

Very good doc. I have been reading a lot of docs and everything is confusing. This is great. Thanks a million


February 12. 2009 20:10

Agree with Sony above. I have spent the whole day now trying to get the scljunk* to work and this is the first document I found that has a clear listing of what should be done.


However ......, I sorted out the steps needed and have applied all above. Still, my Outlook 2007 refuses to store messages with a

X-MS-Exchange-Organization-SCL: 5

in my Junk E-mail folder. Using Set-Mailbox I configured in Exchange 2007 a -SCLJunkThreshold to 4 and -SCLJunkEnabled to $true to my mailbox. The filter in OWA is active, but still the message with the value above of 5 arrives at my inbox. What am I missing?


February 23. 2009 20:33

admin

Are you running an Edge server?  Or have these changes been made to your Hub?  If you have, you've installed the antispam agents on your Hub server?

