Exchange Server 2010 : Message Security and Hygiene - Mail Hygiene

5/11/2013 7:42:18 PM

The SMTP protocol that allows us to easily send an email to any email server in the world is simple, but it is also very nonsecure. Essentially, for your mail server to be able to send email to, say, [email protected], the SMTP server at washington.gov needs to be able to accept the mail from you anonymously. If SMTP required authentication, washington.gov would need to have a user account and password for anyone who was going to send them email.

Due to the open nature of Internet mail, it is easy for unscrupulous people to send unsolicited commercial email (UCE), hereafter known as spam. It is also easy for mail to be spoofed so that it appears to come from a credible source (such as your bank) and encourages you to take an action, such as logging on to a fake URL and providing your banking credentials; this is known as phishing.

It is easy for these unscrupulous people to send emails with malicious attachments that might spread a virus, load a program onto your computer that will further spread itself (such programs are called worms), load a program that will then generate spam to send to others (this is a bot), or load a monitoring or remote control program on your computer that a malicious hacker can then use. These viruses, worms, and Trojan horse–type programs are collectively known as malware.

Finally, email is such an easy way to send information back and forth that your users may misuse it by sending inappropriate information to their friends and colleagues. Inappropriate use of email can open an organization up to bad publicity and even potential lawsuits, not to mention getting the senders and recipients into big trouble.

1. Blocking Unsolicited Messages

Collectively, the science of scanning messages for inappropriate content is known as message hygiene. All mail systems today should include some type of message hygiene system that, at a minimum, protects against viruses and reduces the amount of spam that makes its way into the user's mailbox.

Out of the box, a full Exchange Server 2010 deployment provides a high level of protection against spam through the antispam agents that are deployed on the Edge Transport role. These agents can also be manually deployed on your servers with the Hub Transport role. However, you will need additional software for protection against viruses. Customers who have Enterprise Client Access Licenses (eCALs) for all users can use Microsoft's Forefront Security for Exchange Server product (www.microsoft.com/forefront) or the Exchange Hosted Services Filtering offering.

You may choose to implement your own message hygiene system, in which case you have your own servers performing the message hygiene functions. Figure 1 shows a multilayer message hygiene system.

Figure 1. Implementing your own multilayer message hygiene system

The message hygiene system in Figure 1 is a multilayer system; it has more than one place at which an email-borne threat may be stopped. Ideally, the majority of spam and malicious email will be stopped by the message hygiene system in the perimeter network; this could be the Microsoft Exchange Edge Transport server or one of the dozens of SMTP-based message security systems available from third parties. The point of the hygiene system in the perimeter is to keep as much undesirable content as possible from reaching your production mail system and to protect the internal mail servers from attempts to compromise them.

Once a message is scanned in the perimeter network, it is then passed on to the Exchange servers on your internal network. There, additional scanning takes place either when the message is moving through the message transport system or when the message is placed in the user's Inbox. Ideally, the scanning system (or scanning engine) on the inside of the network should be a different scanning engine from the one that is used on the perimeter.

The final layer of protection is implemented at the client. The client has a file and memory virus/malware scanner that looks at any content as it is opened, whether that content is in the user's Inbox or something downloaded from the Internet or something on a CD-ROM in the CD drive. Once again, ideally the software running on the client will be from a different vendor than the software running on the server. Running multiple types of scanning software improves the likelihood that newer threats will be stopped.

Some organizations decided that they don't want to have to maintain perimeter-based message hygiene systems, so they use a third-party vendor that provides Internet-based scanning for them. These are usually known as managed providers, and they have SMTP-based scanning systems that will scan messages coming to your mail system before they are delivered to your Exchange servers. Figure 2 shows an example of using a managed provider.

Figure 2. Using a managed provider

The additional cost of using a managed provider is offset by the fact that you don't have to maintain your own perimeter-based scanning system and that most malicious or unwanted email content can be stopped prior to entering your network in the first place. Some third-party managed providers can also provide additional message security, disaster recovery, and message archival functions.

2. Levels of Inspection

There are a lot of ways that your message hygiene system can determine whether something is spam or it's being sent by an unauthorized sender. Though each of these topics deserves in-depth treatment, our intent here is merely to familiarize you with the concepts.


Content Inspection

The most common way that a message is determined to be spam or a phishing message is through content inspection. The software opens the message and looks for characteristics of spam messages, such as a message containing nothing but a URL or image, messages that mention certain words or phrases, and so on. Based on the content, the software ranks the message with a number (usually called the Spam Confidence Level [SCL]) from 0 to 9, with 0 meaning the message is unlikely to be spam and 9 meaning it is almost certainly spam. Internal messages and messages that are sent over an authenticated connection are set to an SCL of negative one (−1). The message transport can then be configured with your tolerance level for spam and can reject, delete, or quarantine messages with higher SCL values. Arguably, content inspection is considered the most accurate method of detecting spam.
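The following Python is an added illustration of the SCL mechanism described above; it is not code from the book or from Exchange. The content scorer is deliberately crude (a URL-only body, a few constructed keyword hits, and shouting) and exists only to produce a 0 to 9 number; the interesting part is the policy object, which assigns −1 to authenticated or internal submissions and maps the score to deliver, quarantine, reject or delete, with the same ordering constraint Exchange places on its thresholds (delete above reject above quarantine).

```python
import re
from dataclasses import dataclass

# Constructed indicator list for this example; a real content filter uses
# trained models and far richer features than a keyword table.
SUSPICIOUS_PHRASES = ("free", "mortgage", "enlargement", "act now", "click here")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def score_content(body: str, authenticated: bool = False) -> int:
    """Return an SCL for a message body: -1 for authenticated/internal mail, else 0..9."""
    if authenticated:
        return -1                      # never filtered, mirrors the -1 the text describes
    text = body.strip()
    urls = URL_RE.findall(text)
    words = re.findall(r"[A-Za-z']+", URL_RE.sub("", text))
    score = 0
    # A body that is nothing but a link (or image reference) is a classic spam shape.
    if urls and len(words) <= 3:
        score += 6
    # Keyword hits, capped so a single phrase cannot push the score to the ceiling.
    hits = sum(text.lower().count(p) for p in SUSPICIOUS_PHRASES)
    score += min(hits * 2, 6)
    # Mostly upper-case text ("ACT NOW") is another cheap indicator.
    letters = [c for c in text if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.5:
        score += 2
    return min(score, 9)


@dataclass(frozen=True)
class SclPolicy:
    """Threshold policy: messages at or above each threshold get that action."""
    quarantine: int = 6
    reject: int = 7
    delete: int = 9

    def __post_init__(self):
        # Ordering constraint: delete > reject > quarantine, otherwise the
        # stronger action could never be reached.
        if not (self.delete > self.reject > self.quarantine):
            raise ValueError("thresholds must satisfy delete > reject > quarantine")

    def action(self, scl: int) -> str:
        if scl < 0:
            return "deliver"           # -1: internal or authenticated sender
        if scl >= self.delete:
            return "delete"
        if scl >= self.reject:
            return "reject"
        if scl >= self.quarantine:
            return "quarantine"
        return "deliver"


def classify(body: str, policy: SclPolicy = SclPolicy(), authenticated: bool = False):
    """Score a message and return (scl, action) under the given policy."""
    scl = score_content(body, authenticated)
    return scl, policy.action(scl)


if __name__ == "__main__":
    # Constructed sample messages.
    for body in ("Hi Bob, can we meet at 3pm tomorrow to review the budget?",
                 "http://example.test/offer",
                 "FREE MORTGAGE!!! ACT NOW, CLICK HERE"):
        print(classify(body))
```

With the default thresholds, the one-line URL body lands at SCL 6 and is quarantined, the shouting keyword message reaches SCL 8 and is rejected, and the ordinary meeting request is delivered; raising `quarantine` to 7 makes the policy constructor refuse, since it would then equal `reject`.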


Quarantines

Most message hygiene systems offer a quarantine feature that allows the administrator to temporarily move inbound messages that are marginally suspicious or that may require some level of additional inspection. Quarantines may work okay for a small organization, but they can quickly consume valuable manpower in medium-sized and large organizations.


Block Lists

Block lists are lists that either you or a third party maintains. The lists contain IP addresses of known spammers, dial-up IP addresses, DHCP IP addresses, or IP addresses of systems that will allow spammers to send through them. The third-party lists are often known as real-time block lists (RBLs) and are maintained, usually by volunteers.


Tarpitting

An SMTP tarpit is frequently used to combat dictionary spammers or bots that go through a list of common names and prepend those to your domain name. They can attempt to send a million messages to your mail server and will probably guess correctly on at least some recipients' names. A tarpit tells the SMTP server to wait some number of seconds (such as 30 seconds) prior to responding to invalid names. This makes dictionary spamming much more difficult.


Sender Protection Framework/Sender ID

The Sender Protection Framework (SPF) and Sender ID are initiatives that are backed by Microsoft. These require that all known senders on the Internet register the addresses of mail servers that will send mail on their behalf. The registration is in the form of a DNS record that defines the mail servers that will send mail for a specific domain.


Domain Keys

The Domain Keys initiative (DKIM) is backed by Yahoo! and requires that a sending system include a calculation in the header of each outgoing message that the receiving system then verifies. Both of these initiatives are more directly "antispoofing" systems than they are "antispam" systems, but they are useful in helping ensure that messages are coming from the stated sender — which can help reduce spam. It is important to note that Exchange 2010 does not natively provide support for DKIM.


DNS Name and IP Verification

Though Exchange Server cannot do some of these verifications, some SMTP systems will verify things such as whether your public IP address has a valid pointer (PTR) record and whether the DNS domain name you are using is valid. This can help reduce spam but also increases the probability of false positives. (A false positive occurs when the message hygiene system mistakenly tags a legitimate message as spam and quarantines, deletes, or rejects it.)
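The three DNS-based checks just described (the block-list lookup from the Block Lists section, the SPF/Sender ID record check, and the PTR verification above) all reduce to DNS queries, so one added Python example, not taken from the book or from any Exchange component, can show how each is evaluated. All DNS answers come from a constructed in-memory table (`FAKE_DNS`, using documentation address ranges and the domain `somorita.com` from the text); a real implementation would replace `lookup` with a resolver call. The SPF evaluator handles the `ip4`, `ip6` and `all` mechanisms only; `a`, `mx`, `include` and `redirect` need further lookups and are treated as non-matching here.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (all addresses are from the
# documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24, 2001:db8::/32).
FAKE_DNS = {
    ("somorita.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    ("example.net", "TXT"): ["v=spf1 ip4:198.51.100.10 ~all"],
    ("nospf.test", "TXT"): [],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.somorita.com"],   # 203.0.113.25
    ("mail.somorita.com", "A"): ["203.0.113.25"],                   # forward confirms PTR
    ("7.113.0.203.in-addr.arpa", "PTR"): ["dhcp-7.isp.test"],       # 203.0.113.7
    ("dhcp-7.isp.test", "A"): ["192.0.2.99"],                       # forward does NOT match
    ("9.2.0.192.rbl.example", "A"): ["127.0.0.2"],                  # 192.0.2.9 is listed
}


def lookup(name: str, rtype: str) -> list:
    """Stand-in for a DNS resolver: returns the record data or an empty list."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def dnsbl_listed(ip: str, zone: str = "rbl.example") -> bool:
    """RBL/DNSBL check: reversed IPv4 octets prefixed to the list zone; any A answer means listed."""
    reversed_octets = ".".join(reversed(ip.split(".")))
    return bool(lookup(f"{reversed_octets}.{zone}", "A"))


def spf_check(domain: str, sender_ip: str) -> str:
    """Evaluate the domain's SPF record against the connecting IP.

    Returns one of none/pass/fail/softfail/neutral/permerror. A record with no
    matching mechanism and no 'all' term evaluates to neutral.
    """
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                # Version mismatch (v4 address vs v6 network) simply fails to match.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return qualifiers[qualifier]
            except ValueError:
                return "permerror"     # malformed network in the published record
    return "neutral"


def fcrdns(ip: str) -> str:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP."""
    ptr = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not ptr:
        return "no-ptr"
    name = ptr[0]
    return "confirmed" if ip in lookup(name, "A") else f"mismatch:{name}"


def assess_connection(sender_ip: str, mail_from_domain: str) -> dict:
    """Run all three checks for one inbound SMTP connection."""
    return {
        "dnsbl": dnsbl_listed(sender_ip),
        "spf": spf_check(mail_from_domain, sender_ip),
        "fcrdns": fcrdns(sender_ip),
    }


if __name__ == "__main__":
    print(assess_connection("203.0.113.25", "somorita.com"))   # clean sender
    print(assess_connection("192.0.2.9", "somorita.com"))      # listed, SPF fail, no PTR
```

Note how the checks disagree on `203.0.113.7`: SPF passes because the address sits inside the published `/24`, yet the PTR name does not resolve back, which is exactly the kind of conflicting evidence that produces false positives when any single check is treated as decisive.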


Recipient Filtering

Recipient filtering allows you to configure servers so that they reject mail sent to specific users. While filtering to individual addresses is not particularly useful, you can configure Exchange so that it rejects inbound mail sent to unknown recipients. This prevents the message hygiene system from having to process it further before the message is rejected.
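The Tarpitting and Recipient Filtering sections describe two halves of the same server-side behaviour, so here is one added Python example (not from the book, and not Exchange's transport code) of an SMTP `RCPT TO` handler that applies both: recipients at foreign domains are refused outright (no open relay), known local recipients are accepted immediately, and unknown local recipients are refused with `550 5.1.1` only after a tarpit delay, so that a dictionary run pays the delay on every wrong guess while legitimate mail is unaffected. The recipient directory and the 30-second interval from the text are constructed for the example; the sleep function is injectable so the demonstration runs instantly.

```python
import time

# Constructed recipient directory; Exchange would consult Active Directory instead.
KNOWN_RECIPIENTS = {"alice@somorita.com", "bob@somorita.com", "postmaster@somorita.com"}
LOCAL_DOMAINS = {"somorita.com"}


class RcptHandler:
    """Handles the RCPT TO stage of an inbound SMTP session."""

    def __init__(self, tarpit_seconds: float = 30.0, sleep=time.sleep):
        self.tarpit_seconds = tarpit_seconds
        self._sleep = sleep            # injectable so callers/tests need not wait
        self.delays = []               # every tarpit delay actually applied

    def rcpt_to(self, address: str):
        """Return the (code, text) reply for one RCPT TO command."""
        addr = address.strip().strip("<>").lower()
        _, _, domain = addr.rpartition("@")
        if domain not in LOCAL_DOMAINS:
            # Not our domain: refuse immediately rather than act as an open relay.
            return (550, "5.7.1 Unable to relay")
        if addr in KNOWN_RECIPIENTS:
            return (250, "2.1.5 Recipient OK")
        # Unknown local recipient: reject, but only after the tarpit interval,
        # so each bad guess costs the sender the full delay.
        self._sleep(self.tarpit_seconds)
        self.delays.append(self.tarpit_seconds)
        return (550, "5.1.1 User unknown")


def cost_of_guessing(handler: RcptHandler, local_parts):
    """Replay guessed local parts and report (accepted names, total seconds tarpitted).

    Used here to show the deterrent effect: with recipient filtering alone every
    guess is answered instantly; with the tarpit each miss adds tarpit_seconds.
    """
    accepted = [lp for lp in local_parts
                if handler.rcpt_to(f"{lp}@somorita.com")[0] == 250]
    return accepted, sum(handler.delays)


if __name__ == "__main__":
    demo = RcptHandler(tarpit_seconds=30.0, sleep=lambda s: None)  # no real waiting
    print(demo.rcpt_to("<alice@somorita.com>"))
    print(demo.rcpt_to("<nobody@somorita.com>"))
    print(demo.rcpt_to("<alice@other.test>"))
    print(cost_of_guessing(RcptHandler(30.0, sleep=lambda s: None),
                           ["alice", "john", "mary", "bob"]))
```

Rejecting unknown recipients at `RCPT TO` also means the message body is never received, so the content filter never spends cycles on it, which is the efficiency point the Recipient Filtering section makes.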


Sender Inspection

Sender inspection or sender filtering is the least useful method of blocking spam because it requires maintaining lists of senders' SMTP addresses or lists of domains from which you will not accept inbound mail. The problem with this approach is that spammers usually do not use the same sender address twice.

3. Why Is My Mail Being Rejected?

Naturally, if you put a system in place that scans and possibly rejects email based on the characteristics or the sender of the message, you are occasionally going to end up with false positives. These false positives will always be in the form of an important email that is being sent to your CEO or one that she is waiting to receive. Take a look at the nondelivery report (NDR) shown in Figure 3; this message was rejected by the receiving mail system.

Figure 3. Examining the report of a rejected message

Exchange Server 2010's message transport system does a pretty good job of examining rejection codes and letting you know why a message was rejected, but you may still have to do some detective work. A remote mail system might reject mail from your users for a number of reasons:

  • The public IP address from which you send mail is listed by a real-time block list (RBL) provider.

  • Your public IP address is registered as a DHCP IP address on some RBLs; your Internet service provider (ISP) must correct this.

  • You do not have Sender ID records registered in DNS for your public IP addresses, or the records are incorrect.

  • The message has content that makes it look like spam, such as suspicious words (mortgage, Viagra, enlargement, free), or the message is very short (one sentence, for example).

  • Your public IP address does not have a DNS PTR record; your ISP or the owner of the IP address must fix this.

  • Your mail server is sending out the wrong mail domain name when it connects to a remote mail system. For example, your mail domain is somorita.com but it is saying your domain name is somorita.local.
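To make the "detective work" concrete, here is an added Python helper (not from the book, and not part of Exchange's NDR handling) that pulls the remote server's reply out of NDR-style text and maps it to the causes listed above. The reply wordings and the `Remote Server returned '...'` wrapper are constructed samples; real replies vary by vendor, so the patterns are starting points for triage rather than an authoritative parser.

```python
import re

# (cause label, pattern over the remote server's reply text). Labels follow the
# bullet list in the text; the patterns are constructed for this example.
RULES = [
    ("rbl_listed",     re.compile(r"blocked using|block ?list|blacklist|\bRBL\b|\bDNSBL\b|listed (at|by|on)", re.I)),
    ("dynamic_ip",     re.compile(r"dynamic|dial-?up|\bDHCP\b|residential", re.I)),
    ("sender_id_spf",  re.compile(r"\bSPF\b|Sender ?ID|not authorized to send", re.I)),
    ("no_ptr",         re.compile(r"\bPTR\b|reverse (DNS|hostname)|\brDNS\b", re.I)),
    ("helo_domain",    re.compile(r"\bHELO\b|\bEHLO\b|fully-qualified|\.local\b", re.I)),
    ("content_spam",   re.compile(r"\bspam\b|content filter|rejected for policy", re.I)),
]

REMOTE_REPLY_RE = re.compile(r"returned '([^']*)'", re.I)
STATUS_RE = re.compile(r"\s*(\d{3})(?:[ -](\d\.\d\.\d))?")


def extract_remote_reply(ndr_text: str) -> str:
    """Return the quoted remote reply from NDR text, or the text itself if not wrapped."""
    m = REMOTE_REPLY_RE.search(ndr_text)
    return m.group(1) if m else ndr_text


def diagnose(ndr_text: str) -> dict:
    """Classify a rejection: SMTP status, enhanced status code, and likely causes."""
    reply = extract_remote_reply(ndr_text)
    m = STATUS_RE.match(reply)
    status = m.group(1) if m else None
    enhanced = m.group(2) if m else None
    causes = [label for label, rx in RULES if rx.search(reply)]
    if not causes and status:
        # 4xx is transient (retry later); an unmatched 5xx still needs a human.
        causes = ["temporary_retry"] if status.startswith("4") else ["unclassified_permanent"]
    return {"status": status, "enhanced": enhanced, "causes": causes}


if __name__ == "__main__":
    # Constructed NDR fragments.
    samples = [
        "Remote Server returned '550 5.7.1 Service unavailable; client host [192.0.2.9] blocked using rbl.example; dynamic address'",
        "Remote Server returned '550 5.7.1 Sender ID (PRA) Not Permitted'",
        "554 5.7.1 Client host rejected: cannot find your reverse hostname",
        "504 5.5.2 <mail.somorita.local>: Helo command rejected: need fully-qualified hostname",
        "550 5.7.1 Message rejected as spam by Content Filtering",
        "450 4.7.1 Greylisted, please try again later",
    ]
    for s in samples:
        print(diagnose(s))
```

The first sample matches two rules at once (RBL listing and a dynamic-address remark), which mirrors the list above: a listing on a dynamic/DHCP range is a problem the ISP, not the mail administrator, has to correct.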
