Approaches to Fighting Spam in an Exchange Environment Greg Taylor Senior Consultant - MCS.

Presentation transcript:

Approaches to Fighting Spam in an Exchange Environment Greg Taylor Senior Consultant - MCS

What We Will Cover: Anti-Spam Tools in Exchange 2003 Smart Screen Technology Controlling UCE with Intelligent Message Filter Administration and Monitoring IMF Some Recommended Best Practices (and tips!)

Prerequisite Knowledge Experience supporting Microsoft Networks Experience administering Exchange Server 2003 Experience using and supporting Outlook Level 200

Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

What is Spam?
– Unsolicited Commercial E-mail (UCE)
– More than 70% of e-mail traffic
– Costly use of resources: IT, personnel
– Potentially offensive

The Problem
Spam volume and variety growing.
– >2 billion spam / day worldwide (Radicati).
– 36% of all Internet e-mail vs. 8% last year (Brightmail).
– Spammers constantly changing their attacks.
ISPs have been hit hard.
– Up to 90% of MSN®/Hotmail® messages are spam.
– AOL estimates over 30% spam.
Affects mobile devices and desktop computers.
Threat: Spam overruns users’ mailboxes and devices, destroying e-mail’s value as a communication medium.


The Problem
Microsoft:
– Internally we send 3 million messages a day to each other.
– 10 million messages are delivered to Microsoft from the Internet each day, with only 1 million of those being delivered post message-hygiene.
– Bill Gates has his own server that only a couple of administrators have access to, directly at the server, which is permanently under lock and key and has a security camera facing it.
– Bill Gates is the world's most spammed man: he receives four million e-mails daily, most of them spam, and is probably the most 'spammed' person in the world.

Microsoft’s Anti-UCE Strategy Innovative Technologies Industry Self-Regulation and Cooperation Working with Governments

Exchange 2003 Anti-Spam Tools Accept and Deny lists (and Tarpitting) Block Lists Recipient Filtering Sender Filtering Intelligent Message Filtering

Exchange 2003 Anti-Spam Tools (diagram, built up one layer per slide): Accept/Deny Lists, Block Lists, Recipient Filter, Sender Filtering, Intelligent Message Filter, Information Store

Exchange 2003 Anti-Spam Tools
Feature, Filter Point, Resource Cost
– Accept/Deny Lists: SMTP Session
– Block Lists: SMTP Session
– Exchange Sender Filter: SMTP Gateway
– Recipient Filtering: SMTP Gateway
– Intelligent Message Filter: Gateway/User Mailbox

Intelligent Message Filtering
Utilizes Smart Screen Machine Learning
Applied at the gateway
– Marks message with Spam Confidence Level (SCL) rating
Utilized throughout the mail stream
Scans headers, body of message and other attributes.

Smart Screen In Use Hotmail and MSN – 82% of incoming mail filtered Outlook 2003 – Junk folder Third Party products can utilize it Exchange Server 2003 – Intelligent Message Filter

Smart Screen and Third Party Tools Spam Confidence Level Read level and act upon it Write to and normalize SCL Some Partners: – Symantec (Brightmail) – Mail-filters.com – Policy Patrol by Red Earth Software

SCL Ratings
Uses technology from Microsoft Research to provide each received message with a Spam Confidence Level (SCL) indicating the likelihood that the message is UCE.
The spam confidence level (SCL) is the normalized value assigned to a message that indicates, based on the characteristics of a message (such as the content, message header, and so forth), the likelihood that the message is spam. There are eleven values available to categorize spam, as outlined in the following table.
SCL Value: Spam Categorization
– -1: Reserved by Microsoft Exchange Server 2003 for messages submitted internally. A value of -1 should not be overwritten because it is this value that is used to eliminate false positives for internally-submitted e-mail.
– 0: Assigned to messages that are not spam.
– 1: Extremely low likelihood that the message is spam.
– Ranging to 9: Extremely high likelihood that the message is spam.

Smart Screen and IMF in Action (diagram): Gateway Server with Smart Screen Algorithm, 3rd Party Tools, Mailbox Store Server, Client; labels SCL 8, SCL 5, SCL 5

IMF in a Pure Microsoft Environment (diagram): Exchange Gateway Servers, Exchange Intranet Servers

IMF Availability and Installation Free Download for Exchange Users Download from: IMF Installation on Gateway Exchange Servers Management Tools on administration machine

System Requirements
Hardware Requirements
– Minimum 256 MB RAM
– Recommended 1 GB RAM
– 500 MB on Exchange volume
– 200 MB on System drive
Security: Disable Authentication
Outlook 2003 (recommended)
.NET
Administrator Account

Cross Forest Authentication I (diagram): Forest 1, Forest 2, SCL

Cross Forest Authentication II (diagram): Forest 1, Forest 2, SCL

Demonstration: Installing Intelligent Message Filter
– Exchange 2003 UCE Control Features
– Preparing for IMF
– Installing IMF
– Cross Forest Authentication

Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

Configure IMF

Intelligent Message Filter in Action (diagram): Internet, Gateway, Mailbox Store Server; outcomes: Rejected at the gateway, Junk Folder, Inbox

Pre-July 2004 Messaging Hygiene Infrastructure

Current Messaging Hygiene Infrastructure

Demonstration: Enabling and Configuring IMF
– Setting up the gateway
– Enabling IMF on Virtual Servers
– Configure Outlook 2003
– Configure Outlook Web Access 2003

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

Modifying Registry Settings Archive Location Marking SCL on archived messages Authenticated Connections Number of Blocked Senders

Archiving Filtered Volume of UCE
Default Location: \Program Files\Exchsrvr\Mailroot\vsi n\UCEArchive.
Move files to the …\Mailroot\vsi 1\Pickup directory.
Registry setting:
– HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\ArchiveDir

Marking SCL on Archived Messages
Not affixed by default
Use to test and tune IMF
Registry Setting:
– HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\ArchiveSCL

IMF on Authenticated Connections
Normally a trusted source
Situation: a trusted forest has an open relay, allowing it to be utilized by spammers.
Registry Setting:
– HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\CheckAuthSessions

Number of Blocked and Safe Senders
Metadata stored on Exchange Server
Default is 510 KB, around 2,000 entries
Registry Setting:
– HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\Max Extended Rule Size

Demonstration: Administering IMF
– Changing the Archive Location
– Storing the SCL Rating of Archived Messages
– Filtering Messages through Authenticated Connections
– Setting the Size of Rules

Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

Set Logging Level

Event Viewer
– Event ID: 7512, Severity=Informational. A message was filtered at the gateway.
– Event ID: 7513, Severity=Informational. Intelligent Message Filter was installed or updated. The event message includes the update version number.
– Event ID: 7514, Severity=Error. An error occurred while installing or updating Intelligent Message Filter.
– Event ID: 7515, Severity=Error. Intelligent Message Filter was unable to filter a message. Possible causes are corrupted or malformed messages.

Performance Counters
Record amount of spam filtered
– Total Messages Scanned for UCE
– Total Messages Acted Upon
Discover range of SCL scores
– Total Messages Assigned an SCL Rating of [0-9]
Determine IMF performance
– Total Messages Scanned/sec

Tuning Thresholds
Set Gateway threshold to “No Action”
Use Performance Monitor to judge mail flow
– % UCE out of Total Messages Scanned
– Total Messages Assigned an SCL Rating of [0-9]
With performance data, set the thresholds to catch the bulk of UCE.
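
One way to turn the per-SCL counters into a gateway threshold, as an added example that is not from the original deck. The counter values are constructed, `suspect_floor` and `target` are hypothetical tuning parameters, and the code assumes the gateway acts on messages whose SCL is greater than or equal to the threshold.

```python
# Constructed readings of "Total Messages Assigned an SCL Rating of [0-9]",
# collected while the gateway action is "No Action". Not data from the deck.
SCL_COUNTS = {0: 4100, 1: 350, 2: 180, 3: 120, 4: 150,
              5: 400, 6: 700, 7: 1500, 8: 2200, 9: 2300}


def threshold_table(counts):
    """For each threshold 9..0, return (threshold, messages acted on,
    share of all scanned mail), assuming action on SCL >= threshold."""
    total = sum(counts.get(scl, 0) for scl in range(10))
    rows = []
    for threshold in range(9, -1, -1):
        acted = sum(counts.get(scl, 0) for scl in range(threshold, 10))
        share = acted / total if total else 0.0
        rows.append((threshold, acted, share))
    return rows


def pick_gateway_threshold(counts, suspect_floor=5, target=0.90):
    """Return the highest threshold that still catches `target` of the mail
    scored at or above `suspect_floor` (the operator's working definition
    of likely UCE). Highest first keeps false positives to a minimum.
    Returns None when no mail was scored in the suspect range."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    suspect = sum(counts.get(scl, 0) for scl in range(suspect_floor, 10))
    if suspect == 0:
        return None
    for threshold, acted, _share in threshold_table(counts):
        if threshold < suspect_floor:
            break
        if acted / suspect >= target:
            return threshold
    return suspect_floor


if __name__ == "__main__":
    for threshold, acted, share in threshold_table(SCL_COUNTS):
        print(f"SCL >= {threshold}: {acted:6d} messages, {share:6.1%} of scanned mail")
    print("suggested gateway threshold:", pick_gateway_threshold(SCL_COUNTS))
```

Re-run the calculation on fresh counter data after each threshold change, since the distribution shifts as senders adapt.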

IMF Microsoft Operations Manager MP Download at – Centralized Data Collection Improved Reporting Integrate with other management tools

Demonstration: Monitoring and Troubleshooting IMF
– Troubleshooting IMF Problems with the Event Viewer
– Managing the Archive
– Monitoring and Measuring IMF

Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices (and tips!)

Messaging Hygiene Architectural Principles
– Anti-spam MUST be done before anti-virus
– Anti-spam SHOULD be done for inbound mail only
– Anti-spam filtering SHOULD remove vs. quarantine
– Anti-virus MUST scan both inbound and outbound mail
– Anti-virus MUST be mail direction aware
– Anti-virus MUST follow “block on fail” rule
– Anti-virus and Anti-spam systems MUST integrate with Exchange

Tarpitting
Recipient filtering can help a malicious sender enumerate e-mail addresses that do exist by using a directory harvest attack.
A software update (also included in Windows Server 2003 Service Pack 1) adds a feature that you can use to delay the SMTP address verification response for each submitted address that is not valid.
By default, this feature is disabled.
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters\TarpitTime
– Note: Only anonymous connections are affected by the TarpitTime registry entry. Therefore, we recommend that you only enable this registry entry on the Internet-facing mail gateway servers.

Tarpitting
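
An added example (not from the original deck) of spotting the directory harvest pattern described above in SMTP recipient responses, and of estimating the delay tarpitting would impose on such a client. The log layout, addresses and the `tarpit_seconds` parameter are constructed for illustration and are not Exchange's own log format; the delay is assumed to be in seconds.

```python
from collections import defaultdict


def build_sample():
    """Constructed log lines: timestamp, client IP, verb, recipient, reply code."""
    lines = []
    for i in range(1, 13):  # one client probing many addresses, one of which exists
        code = "250" if i == 7 else "550"
        lines.append(f"2005-03-01T10:00:{i:02d} 203.0.113.7 RCPT "
                     f"user{i:02d}@example.com {code}")
    normal = [("sales", "250"), ("info", "250"),
              ("jon.smth", "550"), ("jon.smith", "250")]  # one honest typo
    for i, (rcpt, code) in enumerate(normal):
        lines.append(f"2005-03-01T10:05:{i:02d} 198.51.100.20 RCPT "
                     f"{rcpt}@example.com {code}")
    return lines


def rcpt_stats(lines):
    """Count accepted (250) and rejected (550) RCPT replies per client IP."""
    stats = defaultdict(lambda: {"ok": 0, "invalid": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "RCPT":
            continue  # skip malformed or unrelated lines
        client, code = parts[1], parts[4]
        if code == "250":
            stats[client]["ok"] += 1
        elif code == "550":
            stats[client]["invalid"] += 1
    return stats


def harvest_suspects(lines, min_invalid=10, min_ratio=0.8, tarpit_seconds=5):
    """Flag clients whose RCPT attempts are mostly invalid addresses, and
    report the total delay a per-invalid-address tarpit would add."""
    suspects = {}
    for client, s in rcpt_stats(lines).items():
        total = s["ok"] + s["invalid"]
        if s["invalid"] >= min_invalid and s["invalid"] / total >= min_ratio:
            suspects[client] = {
                "invalid": s["invalid"],
                "ratio": s["invalid"] / total,
                "tarpit_delay_s": s["invalid"] * tarpit_seconds,
            }
    return suspects


if __name__ == "__main__":
    for client, info in harvest_suspects(build_sample()).items():
        print(client, info)
```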

Best Practices (1) Use a multilayered defense for effective results Scan for spam at the messaging gateway Scan messages for spam before scanning for viruses Delete rather than clean infected messages

Best Practices (2) Strip attachments of certain file types Disable security notifications to Internet senders Scan both incoming and outgoing e-mail for viruses Generate security notifications for infected outgoing Internet e-mail Use restricted distribution groups

For More Information… Microsoft Knowledgebase article – Anti Spam Capabilities in Exchange 2003 – Microsoft Anti Spam Technology – Visit TechNet at For additional information on books, courses and other community resources that support this session visit

MS Press Inside information for IT Professionals To find the latest IT Professional related titles visit

3rd Party Publications Supplementary publications for IT Pro’s These books can be found and purchased at all good book stores and on-line retailers
