Approaches to Fighting Spam in an Exchange Environment Greg Taylor Senior Consultant - MCS.


1 Approaches to Fighting Spam in an Exchange Environment Greg Taylor Senior Consultant - MCS

2 What We Will Cover: Anti-Spam Tools in Exchange 2003 Smart Screen Technology Controlling UCE with Intelligent Message Filter Administration and Monitoring IMF Some Recommended Best Practices (and tips!)

3 Prerequisite Knowledge Experience supporting Microsoft Networks Experience administering Exchange Server 2003 Experience using and supporting Outlook Level 200

4 Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

5 What is Spam? Unsolicited Commercial E-mail More than 70% of email traffic Costly use of resources – IT – Personnel Potentially offensive

6 The Problem Spam volume and variety growing. – >2 billion spam / day worldwide (Radicati). – 36% of all Internet e-mail vs. 8% last year (Brightmail). – Spammers constantly changing their attacks. ISPs have been hit hard. – Up to 90% MSN®/Hotmail® messages are spam. – AOL estimates over 30% spam. Affects mobile devices and desktop computers. Threat: Spam overruns users’ mailboxes and devices, destroying e-mail’s value as a communication medium.

7 The Problem Source: http://www.brightmail.com/spamstats.html

8 The Problem Source: http://www.messagelabs.com/emailthreats/

9 The Problem Microsoft: – Internally we send 3 million messages a day to each other. – 10 million messages are delivered to Microsoft from the Internet each day – with only 1 million of those being delivered post message-hygiene. – Bill Gates has his own server that only a couple of administrators have access to, directly at the server – which is permanently under lock and key and has a security camera facing it. – Bill Gates is the world's most spammed man – He receives four million e-mails daily, most of them spam, and is probably the most 'spammed' person in the world

10 Microsoft’s Anti-UCE Strategy Innovative Technologies Industry Self-Regulation and Cooperation Working with Governments

11 Exchange 2003 Anti-Spam Tools Accept and Deny lists (and Tarpitting) Block Lists Recipient Filtering Sender Filtering Intelligent Message Filtering

12 Exchange 2003 Anti-Spam Tools (diagram labels: Accept/Deny Lists, Information Store)

13 Exchange 2003 Anti-Spam Tools (diagram labels: Accept/Deny Lists, Block Lists, Information Store)

14 Exchange 2003 Anti-Spam Tools (diagram labels: Accept/Deny Lists, Block Lists, Recipient Filter, Information Store)

15 Exchange 2003 Anti-Spam Tools (diagram labels: Accept/Deny Lists, Block Lists, Recipient Filter, Sender Filtering, Information Store)

16 Exchange 2003 Anti-Spam Tools (diagram labels: Accept/Deny Lists, Block Lists, Recipient Filter, Sender Filtering, Intelligent Message Filter, Information Store)

17 Exchange 2003 Anti-Spam Tools
Feature | Filter Point | Resource Cost
Accept/Deny Lists | SMTP Session |
Block Lists | SMTP Session |
Exchange Sender Filter | SMTP Gateway |
Recipient Filtering | SMTP Gateway |
Intelligent Message Filter | Gateway/User Mailbox |

18 Intelligent Message Filtering Utilizes Smart Screen Machine Learning Applied at the gateway – Marks message with Spam Confidence Level (SCL) rating Utilized throughout the mail stream Scans headers, body of message and other attributes.

19 Smart Screen In Use Hotmail and MSN – 82% of incoming mail filtered Outlook 2003 – Junk E-mail folder Third Party products can utilize it Exchange Server 2003 – Intelligent Message Filter

20 Smart Screen and Third Party Tools Spam Confidence Level Read level and act upon it Write to and normalize SCL Some Partners: – Symantec (Brightmail) – Mail-filters.com – Policy Patrol by Red Earth Software

21 SCL Ratings Uses technology from Microsoft Research to provide each received message with a Spam Confidence Level (SCL) indicating the likelihood that the message is UCE. The spam confidence level (SCL) is the normalized value assigned to a message that indicates, based on the characteristics of a message (such as the content, message header, and so forth), the likelihood that the message is spam. There are eleven values available to categorize spam, as outlined in the following table.
SCL Value | Spam Categorization
-1 | Reserved by Microsoft Exchange Server 2003 for messages submitted internally. A value of -1 should not be overwritten because it is this value that is used to eliminate false positives for internally-submitted e-mail.
0 | Assigned to messages that are not spam.
1 | Extremely low likelihood that the message is spam
Ranging to |
9 | Extremely high likelihood that the message is spam

22 Smart Screen and IMF in Action (diagram labels: Gateway Server, Smart Screen Algorithm, SCL 8, 3rd Party Tools, SCL 5, Mailbox Store Server, Client, SCL 5)

23 IMF in a Pure Microsoft Environment (diagram labels: Exchange Gateway Servers, Exchange Intranet Servers)

24 IMF Availability and Installation Free Download for Exchange Users Download from: www.microsoft.com/exchange/imf IMF Installation on Gateway Exchange Servers Management Tools on administration machine

25 System Requirements Hardware Requirements – Minimum 256 MB RAM – Recommended 1 GB RAM – 500 MB on Exchange volume – 200 MB on System drive Security: Disable Authentication Outlook 2003 (recommended) .NET Administrator Account

26 Cross Forest Authentication I (diagram labels: Forest 1, Forest 2, SCL)

27 Cross Forest Authentication II (diagram labels: Forest 1, Forest 2, SCL)

28 Demonstration: Installing Intelligent Message Filter Exchange 2003 UCE Control Features Preparing for IMF Installing IMF Cross Forest Authentication

29 Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

30 Configure IMF

31 Intelligent Message Filter in Action (diagram labels: Internet, Gateway, Rejected at the gateway, Mailbox Store Server, Inbox, Junk E-mail Folder)

32 Pre-July 2004 Messaging Hygiene Infrastructure

33 Current Messaging Hygiene Infrastructure

34 Demonstration: Enabling and Configuring IMF Setting up the gateway Enabling IMF on Virtual Servers Configure Outlook 2003 Configure Outlook Web Access 2003

35 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. http://www.microsoft.com/uk/technet

36 Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

37 Modifying Registry Settings Archive Location Marking SCL on archived messages Authenticated Connections Number of Blocked Senders

38 Archiving Filtered E-mail Volume of UCE Default Location: \Program Files\Exchsrvr\Mailroot\vsi n\UCEArchive. Move files to the …\Mailroot\vsi 1\Pickup directory. Registry setting: – HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\ArchiveDir

39 Marking SCL on Archived Messages Not affixed by default Use to test and tune IMF Registry Setting: – HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\ArchiveSCL

40 IMF on Authenticated Connections Normally a trusted source Situation: a trusted forest has an open relay, allowing it to be utilized by spammers. Registry Setting – HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\CheckAuthSessions

41 Number of Blocked and Safe Senders Metadata stored on Exchange Server Default is 510 KB, around 2,000 entries Registry Setting – HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\Max Extended Rule Size

42 Demonstration: Administering IMF Changing the Archive Location Storing the SCL Rating of Archived Messages Filtering Messages through Authenticated Connections Setting the Size of Rules

43 Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices

44 Set Logging Level

45 Event Viewer
Event ID: 7512 Severity=Informational A message was filtered at the gateway.
Event ID: 7513 Severity=Informational Intelligent Message Filter was installed or updated. The event message includes the update version number.
Event ID: 7514 Severity=Error An error occurred while installing or updating Intelligent Message Filter.
Event ID: 7515 Severity=Error Intelligent Message Filter was unable to filter a message. Possible causes are corrupted or malformed messages.

46 Performance Counters Record Amount of Spam filtered – Total Messages Scanned for UCE – Total Messages Acted Upon Discover range of SCL scores – Total Messages Assigned an SCL Rating of [0-9] Determine IMF performance – Total Messages Scanned/sec

47 Tuning Thresholds Set Gateway threshold to “No Action” Use Performance Monitor to judge mail flow – % UCE out of Total Messages Scanned – Total Messages Assigned an SCL Rating of [0-9] With performance data, set the thresholds to catch the bulk of UCE.
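
The tuning step on slide 47, worked through as an added example (not part of the original presentation): given the per-rating counter totals collected while the gateway is on "No Action", it shows how much of the scanned mail each candidate gateway threshold would act on. The counter values are constructed, `max_share` is a hypothetical operator-chosen cap, and the code assumes the gateway acts on ratings greater than or equal to the threshold.

```python
# Constructed sample: values as read from the per-rating counters
# "Total Messages Assigned an SCL Rating of N" after a period with the
# gateway action set to "No Action". These are not real measurements.
SAMPLE_COUNTS = {0: 4200, 1: 900, 2: 350, 3: 250, 4: 300,
                 5: 500, 6: 700, 7: 1100, 8: 2700, 9: 9000}


def validate(counts):
    """Reject inputs that do not cover SCL 0-9 with non-negative integers."""
    if sorted(counts) != list(range(10)):
        raise ValueError("need exactly one counter value per SCL rating 0-9")
    if any(not isinstance(v, int) or v < 0 for v in counts.values()):
        raise ValueError("counter values must be non-negative integers")
    if sum(counts.values()) == 0:
        raise ValueError("no messages scanned yet; collect more data")


def threshold_table(counts):
    """Return [(threshold, messages_at_or_above, share_of_scanned), ...]."""
    validate(counts)
    total = sum(counts.values())
    rows, running = [], 0
    for scl in range(9, -1, -1):      # accumulate from the top rating down
        running += counts[scl]
        rows.append((scl, running, running / total))
    return sorted(rows)               # ascending by threshold


def pick_gateway_threshold(counts, max_share):
    """Lowest threshold whose acted-upon share stays within max_share.

    max_share (hypothetical parameter) is the operator's cap on the share
    of scanned mail the gateway may act on. Returns None when even a
    threshold of 9 would exceed the cap.
    """
    for threshold, _, share in threshold_table(counts):
        if share <= max_share:
            return threshold
    return None


if __name__ == "__main__":
    for threshold, hits, share in threshold_table(SAMPLE_COUNTS):
        print(f"threshold >= {threshold}: {hits:6d} messages ({share:6.2%})")
    print("suggested gateway threshold:",
          pick_gateway_threshold(SAMPLE_COUNTS, max_share=0.72))
```

A flat share between neighbouring thresholds means few messages score in that band, so moving the threshold there changes little; a steep step marks where the choice matters.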

48 IMF Microsoft Operations Manager MP Download at – www.microsoft.com/downloads Centralized Data Collection Improved Reporting Integrate with other management tools

49 Demonstration: Monitoring and Troubleshooting IMF Troubleshooting IMF Problems with the Event Viewer Managing the Archive Monitoring and Measuring IMF

50 Agenda Preparing for and Installing IMF Enabling and Configuring IMF Administering IMF Monitoring and Troubleshooting IMF Some Recommended Best Practices (and tips!)

51 Messaging Hygiene Architectural Principles Anti-spam MUST be done before anti virus Anti-spam SHOULD be done for inbound mail only Anti-spam filtering SHOULD remove vs. quarantine Anti-virus MUST scan both inbound and outbound mail Anti-virus MUST be mail direction aware Anti-virus MUST follow “block on fail” rule Anti-virus and Anti-spam systems MUST integrate with Exchange

52 Tarpitting Recipient filtering can help a malicious sender enumerate e-mail addresses that do exist by using a directory harvest attack. A software update (842851, also included in Windows Server 2003 Service Pack 1) adds a feature that you can use to delay the SMTP address verification responses for each address that is not valid that is submitted. By default, this feature is disabled. – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters\TarpitTime – Note: Only anonymous connections are affected by the TarpitTime registry entry. Therefore, we recommend that you only enable this registry entry on the Internet-facing mail gateway servers.

53 Tarpitting

54 Best Practices (1) Use a multilayered defense for effective results Scan for spam at the messaging gateway Scan messages for spam before scanning for viruses Delete rather than clean infected messages

55 Best Practices (2) Strip attachments of certain file types Disable security notifications to Internet senders Scan both incoming and outgoing e-mail for viruses Generate security notifications for infected outgoing Internet e-mail Use restricted distribution groups

56 For More Information… Microsoft Knowledgebase article 867633 – www.microsoft.com/exchange/imf Anti Spam Capabilities in Exchange 2003 – www.microsoft.com/exchange/techinfo/security/antispam.asp Microsoft Anti Spam Technology – www.microsoft.com/mscorp/twc/privacy/spam.mspx Visit TechNet at www.microsoft.com/technet For additional information on books, courses and other community resources that support this session visit www.microsoft.com/technet/tnt1-132

57 MS Press Inside information for IT Professionals To find the latest IT Professional related titles visit www.microsoft.com/learning/books/

58 3rd Party Publications Supplementary publications for IT Pro’s These books can be found and purchased at all good book stores and on-line retailers
