The SMTP protocol that allows us to easily
send an email to any email server in the world is simple, but it is also
very nonsecure. Essentially, for your mail server to be able to send
email to, say, [email protected], the SMTP server at washington.gov needs to be able to accept the mail from you anonymously. If SMTP required authentication, washington.gov would need to have a user account and password for anyone who was going to send them email.
Due to the open nature of Internet mail, it is easy
for unscrupulous people to send unsolicited commercial email (UCE),
hereafter known as spam. It is also easy for mail to be spoofed so that
it appears to come from a credible source (such as your bank) and
encourages you to take an action, such as logging on to a fake URL and
providing your banking credentials; this is known as phishing.
It is easy for these unscrupulous people to send
emails with malicious attachments that might spread a virus, load a
program onto your computer that will further spread itself (such
programs are called worms), load a program that will then generate spam
to send to others (this is a bot), or load a monitoring or remote
control program on your computer that a malicious hacker can then use.
These viruses, worms, and Trojan horse–type programs are collectively
known as malware.
Finally, email is such an easy way to send
information back and forth that your users may misuse it by sending
inappropriate information to their friends and colleagues. Inappropriate
use of email can open an organization up to bad publicity and even
potential lawsuits, not to mention getting the senders and recipients
into big trouble.
1. Blocking Unsolicited Messages
Collectively, the science of scanning messages for
inappropriate content is known as message hygiene. All mail systems
today should include some type of message hygiene system that, at a
minimum, protects against viruses and reduces the amount of spam that
makes its way into the user's mailbox.
Out of the box, a full Exchange Server 2010
deployment provides a high level of protection against spam through the
antispam agents that are deployed on the Edge Transport role. These
agents can also be manually deployed on your servers with the Hub
Transport role. However, you will need additional software for
protection against viruses. Customers who have Enterprise Client Access
Licenses (eCALs) for all users can use Microsoft's Forefront Security
for Exchange Server product (www.microsoft.com/forefront) or the Exchange Hosted Services Filtering offering.
You may choose to implement your own message hygiene
system, in which case you have your own servers performing the message
hygiene functions. Figure 1 shows a multilayer message hygiene system.
The message hygiene system in Figure 1
is a multilayer system; this system has more than one place that may
stop an email-borne threat. Ideally, the majority of spam and malicious
email will be stopped by the message hygiene system in the perimeter
network; this could be the Microsoft Exchange Edge Transport server or
it could be one of the dozens of available SMTP-based message security
systems available from third parties. The point of the hygiene system in
the perimeter is to keep as much undesirable content as possible from
reaching your production mail system and to protect the internal mail
servers from possible attempts to compromise them.
Once a message is scanned in the perimeter network,
it is then passed on to the Exchange servers on your internal network.
There, additional scanning takes place either when the message is moving
through the message transport system or when the message is placed in
the user's Inbox. Ideally, the scanning system (or scanning engine) on
the inside of the network should be a different scanning engine from the
one that is used on the perimeter.
The final layer of protection is implemented at the
client. The client has a file and memory virus/malware scanner that
looks at any content as it is opened, whether that content is in the
user's Inbox or something downloaded from the Internet or something on a
CD-ROM in the CD drive. Once again, ideally the software running on the
client will be from a different vendor than the software running on the
server. Running multiple types of scanning software improves the
likelihood that newer threats will be stopped.
Some organizations decide that they don't want to
have to maintain perimeter-based message hygiene systems, so they use a
third-party vendor that provides Internet-based scanning for them. These
are usually known as managed providers, and they have SMTP-based
scanning systems that will scan messages coming to your mail system
before they are delivered to your Exchange servers. Figure 2 shows an example of using a managed provider.
The additional cost of using a managed provider is
offset by the fact that you don't have to maintain your own
perimeter-based scanning system and that most malicious or unwanted
email content can be stopped prior to entering your network in the first
place. Some third-party managed providers can also provide additional
message security, disaster recovery, and message archival functions.
2. Levels of Inspection
There are a lot of ways that your message hygiene
system can determine whether something is spam or it's being sent by an
unauthorized sender. Though each of these topics deserves in-depth
treatment, our intent here is merely to familiarize you with the
concepts.
Content Inspection
The most common way that a message is determined
to be spam or a phishing message is through content inspection. The
software opens the message and looks for characteristics of spam
messages, such as a message with nothing but a URL or image, messages
that mention certain words or phrases, and so on. Based on the content,
the software ranks the message with a number (usually called the Spam
Confidence Level [SCL]) from 0 to 9, with 0 meaning the message is unlikely
to be spam and 9 meaning it is almost certainly spam. Internal messages and messages that
are sent by an authenticated connection are set to an SCL level of
negative one (−1). The message transport can then be configured with
your tolerance level for spam and can reject, delete, or quarantine
messages with higher SCL values. Arguably, content inspection is
considered the most accurate method of detecting spam.
Quarantines
Most message hygiene systems offer a quarantine
feature that allows the administrator to temporarily move inbound
messages that are marginally suspicious or that may require some level
of additional inspection. Quarantines may work okay for a small
organization, but they can quickly consume valuable manpower in
medium-sized and large organizations.
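As an added illustration of the SCL model and the transport actions described in the two sections above (not Exchange code, and not from the book): a constructed content scorer that returns -1 for authenticated submissions and 0 to 9 otherwise, and a threshold policy that maps the score to deliver, quarantine, reject, or delete. The phrase list, weights and default thresholds are assumptions chosen for the example.

```python
import re

# Constructed phrase weights; a real content filter uses far larger, learned models.
SUSPICIOUS_PHRASES = {"mortgage": 3, "viagra": 4, "enlargement": 4, "free": 1}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IMG_RE = re.compile(r"<img[^>]*>", re.IGNORECASE)


def assign_scl(body, authenticated=False):
    """Return an SCL: -1 for internal/authenticated senders, else a 0-9 content score."""
    if authenticated:
        return -1
    text = body.strip()
    words = re.findall(r"[a-z]+", text.lower())
    score = 0
    # A body that is nothing but a URL or an image is a classic spam shape.
    if URL_RE.fullmatch(text) or IMG_RE.fullmatch(text):
        score += 6
    score += sum(SUSPICIOUS_PHRASES.get(w, 0) for w in words)
    if 0 < len(words) < 8:  # very short messages are slightly more suspicious
        score += 1
    return min(score, 9)


def transport_action(scl, quarantine_at=5, reject_at=7, delete_at=9):
    """Map an SCL to the transport action; the most severe matching threshold wins."""
    # Thresholds are assumed to ascend so that delete > reject > quarantine is unambiguous.
    if not quarantine_at < reject_at <= delete_at:
        raise ValueError("thresholds must ascend: quarantine < reject <= delete")
    if scl >= delete_at:
        return "delete"
    if scl >= reject_at:
        return "reject"
    if scl >= quarantine_at:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample bodies, one per action.
    for body in ("Meeting moved to 3pm, see agenda attached for the quarterly review",
                 "http://example.invalid/offer",
                 "Refinance your mortgage today, free quote, viagra enlargement"):
        scl = assign_scl(body)
        print(scl, transport_action(scl), body[:40])
```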
Block Lists
Block lists are lists that either you or a third
party maintains. The lists contain IP addresses of known spammers,
dial-up IP addresses, DHCP IP addresses, or IP addresses of systems that
will allow spammers to send through. The third-party lists are often
known as real-time block lists (RBLs) and are maintained (usually by
volunteers).
Tarpitting
An SMTP tarpit is frequently used to combat
dictionary spammers or bots that go through a list of common names and
prepend those to your domain name. They can attempt to send a million
messages to your mail server and will probably guess correctly on at
least some recipients' names. A tarpit tells the SMTP server to wait
some number of seconds (such as 30 seconds) prior to responding to
invalid names. This makes dictionary spamming much more difficult.
Sender Protection Framework/Sender ID
The Sender Protection Framework (SPF) and Sender
ID are initiatives that are backed by Microsoft. These require that all
known senders on the Internet register the addresses of mail servers
that will send mail on their behalf. The registration is in the form of a
DNS record that defines the mail servers that will send mail for
a specific domain.
Domain Keys
The Domain Keys initiative (DKIM) is backed by
Yahoo! and requires that a sending system include a calculation in the
header of each outgoing message that the receiving system then verifies.
Both of these initiatives are more directly "antispoofing" systems than
they are "antispam" systems, but they are useful in helping ensure that
messages are coming from the stated sender — which can help reduce
spam. It is important to note that Exchange 2010 does not natively
provide support for DKIM.
DNS Name and IP Verification
Though Exchange Server cannot do some of these
verifications, some SMTP systems will verify things such as whether your
public IP address has a valid pointer (PTR) record and whether the DNS
domain name you are using is valid. This can help reduce spam but also
increases the probability of false positives. (A false positive occurs
when the message hygiene system mistakenly tags a legitimate message as spam
and quarantines, deletes, or rejects it.)
Recipient Filtering
Recipient filtering allows you to configure
servers so that they reject mail sent to specific users. While filtering
to individual addresses is not particularly useful, you can configure
Exchange so that it rejects inbound mail sent to unknown recipients.
This prevents the message hygiene system from having to process it
further before the message is rejected.
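The two server-side controls described in the Tarpitting and Recipient Filtering sections above, shown together as an added example (constructed for this page, not Exchange's own code): a RCPT TO handler that rejects unknown local recipients before DATA is ever accepted and delays that rejection, plus a driver that records the delay instead of really sleeping so the effect of a dictionary run can be measured. The domain, directory and 30-second delay are assumptions; the domain name reuses the chapter's somorita.com.

```python
import time

# Constructed recipient directory; a real server would consult Active Directory
# or its recipient cache instead of a hard-coded set.
LOCAL_DOMAIN = "somorita.com"
KNOWN_LOCALPARTS = {"jmcbee", "helpdesk", "postmaster"}


def rcpt_to(address, tarpit_seconds=30.0, sleep=time.sleep):
    """Handle one RCPT TO; returns (smtp_code, text, delay_applied)."""
    localpart, sep, domain = address.lower().rpartition("@")
    if not sep or domain != LOCAL_DOMAIN:
        # Not our domain: refuse relaying so the server cannot be used to send spam onward.
        return 550, "5.7.1 Relay access denied", 0.0
    if localpart not in KNOWN_LOCALPARTS:
        # Recipient filtering: reject now so the hygiene system never scans the message,
        # and tarpit the reply so every wrong guess in a dictionary run costs tarpit_seconds.
        sleep(tarpit_seconds)
        return 550, "5.1.1 User unknown", tarpit_seconds
    return 250, "2.1.5 Recipient OK", 0.0


def simulate_session(addresses, tarpit_seconds=30.0):
    """Run a batch of RCPT TO commands, recording delays instead of sleeping."""
    delays, accepted = [], []
    for addr in addresses:
        code, _text, _delay = rcpt_to(addr, tarpit_seconds, sleep=delays.append)
        if code == 250:
            accepted.append(addr)
    return accepted, sum(delays)


if __name__ == "__main__":
    # Constructed dictionary run: three guessed names and one real mailbox.
    guesses = ["john@somorita.com", "jmcbee@somorita.com",
               "mary@somorita.com", "bob@somorita.com"]
    accepted, total_delay = simulate_session(guesses)
    print("accepted:", accepted, "total tarpit delay (s):", total_delay)
```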
Sender Inspection
Sender inspection or sender filtering is the
least useful method of blocking spam because it requires maintaining
lists of senders' SMTP addresses or lists of domains from which you will
not accept inbound mail. The problem with this approach is that
spammers usually do not use the same sender address twice.
3. Why Is My Mail Being Rejected?
Naturally, if you put a system in place that scans
and possibly rejects email based on the characteristics or the sender of
the message, you are occasionally going to end up with false positives.
These false positives will always be in the form of an important email
that is being sent to your CEO or one that she is waiting to receive.
Take a look at the nondelivery report (NDR) shown in Figure 3; this message was rejected by the receiving mail system.
Exchange Server 2010's message transport system does a
pretty good job of examining rejection codes and letting you know why a
message was rejected, but you may still have to do some detective work.
A remote mail system might reject mail from your users for a number of
reasons:
The public IP address from which you send mail is listed by a real-time block list (RBL) provider.
Your public IP address is registered as a DHCP IP address on some RBLs; your Internet service provider (ISP) must correct this.
You do not have Sender ID records registered in DNS for your public IP addresses, or the records are incorrect.
The message has content that makes it look like spam, such as suspicious
words (mortgage, Viagra, enlargement, free), or the message is very
short (one sentence, for example).
Your public IP address does not have a DNS PTR record; your ISP or the owner of the IP address must fix this.
Your mail server is sending out the wrong mail domain name when it connects
to a remote mail system. For example, your mail domain is somorita.com but
it is saying your domain name is somorita.local.