Using Sender/IP Reputation to Filter Content
Sender Reputation, when combined with the other antispam technologies in Edge Services, can help reduce unwanted email very efficiently and effectively. Sender Reputation, simply put, allows administrators to answer the question, “Can I trust who sends us email, and if I can’t, why should I process it?” The Sender Reputation Agent answers this question for you by learning from values obtained in email messages to determine whether the source of the messages is legitimate or is sending junk.
Configuring Sender/IP Reputation
Email that is routed through Receive Connectors is processed by the Sender Reputation Agent. These messages are received from the Internet and travel inbound to the Edge Transport server for delivery to the recipient. The Sender Reputation Agent is enabled by default and can be configured using the Exchange Management Console or the Exchange Management Shell.
Note
Changes described in this section are applied only to the local system. This is important if you have more than one Edge Transport server in your environment.
To disable the Sender Reputation Agent using the Exchange Management Console, right-click the agent icon in the action pane, and select Disable. To disable the Sender Reputation Agent using the Exchange Management Shell, run the Set-SenderReputationConfig command with the -Enabled $false parameter:
Set-SenderReputationConfig -Enabled $false
The General tab of the Agent Properties window displays a brief description of the agent and its capabilities, its current status, and the last time the agent’s settings were modified.
The Sender Reputation Agent works by evaluating several items in email messages and then assigns a score, known as the Sender Reputation Level (SRL). The SRL works very similarly to the SCL assigned to messages themselves, except that the SRL is assigned to the IP address from which the email messages originate. The Sender Reputation Agent adds the IP address to the IP Block List when the SRL reaches the tolerance threshold you have set for this action. The threshold can be adjusted from 0 to 9. You can also configure the amount of time (in hours, 0 to 48) the flagged IP address should remain on your IP Block List.
The SRL for an IP address is derived from the following four items: an open proxy test, a HELO/EHLO validation check, a reverse DNS lookup, and the SCL ratings of messages received from the sending IP address. The Sender Reputation Agent takes the cumulative results of these items into account when composing the SRL.
An open proxy test determines whether the receiving Edge Transport server can communicate back to itself through the network on which the sending IP address resides. Open proxies are easy to establish and are commonly used by spammers to conceal the true identity of the server sending email. When email messages are routed through an open proxy, the information contained in the message changes to reflect that of the local host, that is, the network on the “other side” of the proxy server.
Note
Performing an open proxy test is enabled by default. This setting can be changed on the Sender Confidence tab of the Sender Reputation Properties window.
The HELO/EHLO SMTP commands are another item often forged by spammers. Their purpose is to provide the domain name or IP address from which the message originated. Spoofing the From address, using the same domain in the To and From fields, and forging the sending IP address are very common spam tricks.
A reverse DNS lookup is performed to determine whether the domain name registered with the sending IP address is the same as that provided with the HELO/EHLO commands.
Note
Although there are a couple of similarities, this is not the same as SenderID and the use of SPF records.
The SCL of a message is the last item taken into account by the Sender Reputation Agent when calculating an SRL for a particular IP address. The Sender Reputation Agent tabulates the SCL scores of messages previously received from the same IP address.
Configuring the Sender Reputation Agent Using the Exchange Management Console
The Sender Reputation Agent can be configured using the Exchange Management Console interface. To configure sender reputation from the EMC, do the following:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. The General tab provides a quick overview of the Sender Reputation Agent along with the last time the agent’s settings were modified. Typically, you would not make changes to items on this tab.
4. The Sender Confidence tab allows you to enable (default) or disable the open proxy test. This typically remains enabled.
5. The Action tab allows you to set the block threshold for SRL on a scale of 0 to 9. (The default setting is 9, the maximum.)
6. The Action tab also allows you to configure how long (0 to 48 hours) the IP address should remain on the Edge Transport server’s IP Block List. (The default setting is 24 hours.)
7. Click Apply to save changes, or click OK to save changes and close the window.
Configuring Sender Reputation Using the Exchange Management Shell
Sender Reputation can also be configured through the Exchange Management Shell. Each shell command has its own parameters you can set based on the action(s) performed by the command. There are two commands: Get- and Set-.
The Get- command is used to retrieve the configuration of Sender Reputation. For example, entering Get-SenderReputationConfig displays the Sender Reputation configuration on the local system.
The Set- command allows an administrator to enable or disable the agent and modify the configuration of the agent. The following example enables sender reputation on email received on external SMTP connections, activates the open proxy detection test, and configures the blocking options (the backtick at the end of a line continues the command on the next line):
Set-SenderReputationConfig -Enabled $true -ExternalMailEnabled $true `
    -OpenProxyDetectionEnabled $true -ProxyServerName proxy1.companyabc.com `
    -ProxyServerPort 8080 -SenderBlockingEnabled $true -SenderBlockingPeriod 48 -SRLBlockThreshold 8
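Because Sender Reputation settings apply only to the local Edge Transport server, an administrator with several servers usually wants to confirm that each one matches the same baseline rather than trusting that a Set- command was run everywhere. The following script is an added example, not from the book or from Exchange itself: it compares the output of Get-SenderReputationConfig with a baseline and calls Set-SenderReputationConfig only when a setting has drifted. The baseline values (a threshold of 7 and a 24-hour block period) are assumptions chosen for the example; the Get-/Set- cmdlets and the property names are those shown on this page.

```powershell
# Added example: audit the local Sender Reputation configuration against a
# baseline and correct drift. Run it on every Edge Transport server, since
# the settings are stored locally on each one.

# Desired baseline. The numeric values are assumptions for this example.
$Baseline = @{
    Enabled                   = $true
    ExternalMailEnabled       = $true
    OpenProxyDetectionEnabled = $true
    SenderBlockingEnabled     = $true
    SenderBlockingPeriod      = 24    # hours on the IP Block List, 0-48
    SrlBlockThreshold         = 7     # SRL 0-9; a lower value blocks sooner
}

function Get-SenderReputationDrift {
    # Returns one object per setting whose current value differs from the
    # baseline; returns nothing when the configuration already matches.
    param([hashtable]$Desired)

    $current = Get-SenderReputationConfig
    foreach ($name in $Desired.Keys) {
        if ($current.$name -ne $Desired[$name]) {
            [pscustomobject]@{
                Setting = $name
                Current = $current.$name
                Desired = $Desired[$name]
            }
        }
    }
}

$drift = @(Get-SenderReputationDrift -Desired $Baseline)
if ($drift.Count -eq 0) {
    Write-Output "Sender Reputation configuration matches the baseline on $env:COMPUTERNAME."
} else {
    Write-Output "Settings out of baseline on $env:COMPUTERNAME:"
    $drift | Format-Table -AutoSize
    # Splat the whole baseline so every drifted setting is corrected in one call.
    Set-SenderReputationConfig @Baseline
    Write-Output "Baseline applied."
}
```

Re-running the script after the Set- call should report that the configuration matches; a server that keeps drifting is worth investigating, since the agent was either disabled or re-tuned locally.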