Security Advisor
Message Hygiene -- Microsoft Style: Part II
Now that you've got those filters going, Joern takes a look at what else you can do to help keep incoming e-mails clean.
- By Joern Wettern
- 02/01/2006
In the ongoing battle to keep your network clean, you have two general ways
to filter incoming e-mail -- either by message origin or by message content.
Microsoft Exchange Server can filter incoming e-mail by sender, originating
connection or intended recipient, and reject any suspect e-mail even before
it lands on your mail server. Unfortunately, these filtering methods only block
a portion of unwanted e-mail.
Last month I explained how filtering works as a first line of defense. This month, I'll describe how Microsoft Exchange can also scan e-mail message content to keep your network spam- and virus-free.
After initially making its Intelligent Message Filter (IMF) available as an
Exchange add-on, Microsoft now includes it as an integrated part of Exchange
Service Pack 2. The IMF scans incoming e-mail and analyzes the content of each
message looking for typical spam characteristics. It assigns a rating to indicate
the likelihood of that message being spam -- a Spam Confidence Level (SCL) rating
of zero to nine, with nine indicating the highest likelihood of spam.
After scanning and classifying each message, you can have your Exchange server immediately delete any message with a high SCL rating, hold it at the mail server for your review or try to return it to the sender. It will deliver messages that are below the safe SCL threshold to the Exchange server that stores the user's mailbox.
Holding quarantined messages at the server ensures that you can later recover falsely classified mail (so you'll have to periodically review blocked messages). You can also let the IMF tag the message with an assigned SCL level, and leave all further processing to a third-party spam blocker that understands SCL ratings.
Dual Thresholds
Once the Exchange SMTP gateway has assigned an SCL, it's stored with the message.
You can also define a second, lower threshold Exchange can use to decide whether
it should deliver a message to a user's Inbox or junk e-mail folder. Delivering
potential spam to the junk e-mail folder gives users several options:
- They can review all suspected spam.
- They can move good messages to the Inbox.
- They can create blacklists of senders from whom mail should always be rejected.
- They can create whitelists of senders from whom mail should always be accepted.
(Exchange Server will apply those whitelists and blacklists to future messages
even if Outlook isn't running, or if a user accesses e-mail via Outlook Web
Access.)
Setting two separate thresholds lets you immediately delete messages with a high SCL rating, as there's a small likelihood they will be valid messages. Presorting messages with intermediate SCL ratings into users' Inboxes and junk e-mail folders reduces overhead because you won't have to review all flagged messages to determine whether or not they're valid.
Let Microsoft Do the Work
Toward the end of 2005, Microsoft
announced a shift in strategy and an emphasis on offering
software as services—not just products. As part of this
strategy, Microsoft bought FrontBridge, a company that provides
hosted e-mail services based on Exchange. Through FrontBridge,
Microsoft will offer complete e-mail message hygiene, all
performed at one of its data centers.
Because it uses several scanning mechanisms,
FrontBridge can provide more accuracy and fewer false positives
than many other solutions. It also helps you use your Internet
connection more efficiently because it removes spam and viruses
before they're sent to your local mail server. The FrontBridge
service also provides message archiving, messaging continuity
in case your local server isn't available and e-mail
encryption without requiring a public key infrastructure.
Whether or not this type of service is for you
depends on the cost and whether you feel comfortable letting
a third party manage an important part of your IT infrastructure.
More information is available at www.frontbridge.com.
— J.W.
The IMF has a good detection rate -- in my experience -- particularly when
you apply the latest updated detection rules. Microsoft creates those rules
based on its analysis of the millions of e-mail messages that arrive at its Hotmail
servers.
Like most other anti-spam programs, the IMF can generate false positives (legitimate e-mail messages incorrectly classified as spam). The best strategy for keeping the number of false positives low is to set your thresholds high enough to block most spam, but low enough to prevent messages from being incorrectly labeled. You'll have to experiment with different IMF settings to find the level that's right for you. Gradually reduce the threshold settings and make sure that messages aren't permanently deleted until you arrive at an effective level.
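As an added illustration (not Microsoft's code and not from the original column), the following Python models the two-threshold routing described under Dual Thresholds, including the server-side safe and blocked sender lists, and the threshold-lowering experiment recommended above. The threshold values, the sender addresses and the corpus of SCL ratings are constructed assumptions.

```python
# Illustrative model of IMF dual-threshold routing and threshold tuning; constructed, not Microsoft code.
from dataclasses import dataclass, field

@dataclass
class ImfPolicy:
    gateway_threshold: int = 8       # assumed: SCL >= this triggers the gateway action
    gateway_action: str = "archive"  # "delete", "archive", "reject" or "none"
    store_threshold: int = 5         # assumed: SCL >= this goes to the Junk E-mail folder

@dataclass
class Mailbox:
    safe_senders: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)

def route(scl: int, sender: str, policy: ImfPolicy, mailbox: Mailbox) -> str:
    """Decide what happens to a message whose SCL (0-9) has already been assigned."""
    if not 0 <= scl <= 9:
        raise ValueError("SCL must be 0..9")
    # Gateway pass: high-SCL mail never reaches the mailbox store.
    if policy.gateway_action != "none" and scl >= policy.gateway_threshold:
        return policy.gateway_action
    # Store pass: per-user lists are honoured server-side, then the lower threshold.
    if sender in mailbox.blocked_senders:
        return "junk"
    if sender in mailbox.safe_senders:
        return "inbox"
    return "junk" if scl >= policy.store_threshold else "inbox"

def sweep(corpus, max_false_positive_rate):
    """corpus: list of (scl, is_spam). Lowers the gateway threshold one step at a time
    and returns {threshold: (spam_caught, legit_blocked)} plus the lowest acceptable one."""
    spam = [s for s, is_spam in corpus if is_spam]
    ham = [s for s, is_spam in corpus if not is_spam]
    table, best = {}, None
    for t in range(9, 0, -1):
        catch = sum(s >= t for s in spam) / len(spam)
        fp = sum(s >= t for s in ham) / len(ham)
        table[t] = (round(catch, 2), round(fp, 2))
        if fp <= max_false_positive_rate:
            best = t        # still acceptable; keep lowering
        else:
            break           # too many false positives; stop here
    return table, best

# Constructed sample of 20 messages as (SCL, is_spam); not real traffic.
SAMPLE = [(9, True), (9, True), (8, True), (8, True), (7, True), (7, True), (6, True),
          (5, True), (4, True), (2, True), (0, False), (0, False), (1, False), (1, False),
          (2, False), (3, False), (3, False), (4, False), (6, False), (8, False)]
```

With the sample corpus and a tolerance of one legitimate message in ten, the sweep stops at a gateway threshold of 7; messages held there can still be reviewed before anything is permanently deleted.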
Gone Phishing
Phishing is another relatively recent e-mail-based threat. Phishing
attacks come in on e-mail that looks like it originated from a bank, auction
site or some other company that requires password access to accounts or other
valuable data. The e-mail prompts the user to go to a fake but legitimate-looking
Web site and log on. The attacker can then capture the victim's credentials
and use them to get access to the victim's bank account.
Exchange SP 2 updates its filters to counter this threat. The IMF assigns a Phishing Confidence Level (PCL), which labels messages suspected to be phishing attacks and warns the recipient. The PCL is also used to assign the SCL rating. Microsoft doesn't publish the exact rules it uses to detect phishing attempts (as with spam detection rules), but my informal tests have shown that it has high detection accuracy.
Enter Antigen
Until recently, you had to rely on third-party software for e-mail virus protection.
Microsoft then licensed Antigen, which was developed and sold by Sybari. When
Microsoft decided to widen its security portfolio to provide virus protection,
it bought Sybari and folded Antigen into its product line.
At this point, Antigen still carries the Sybari name. Microsoft is revising it, and the next version will be called Microsoft Antigen. Unlike the IMF, Antigen is not included with Exchange, and requires a separate license based on the number of users within an organization. The next version will be more closely integrated with other Microsoft licensing schemes, but will still be a separate product.
Antigen may not be the most well-known product, but many large enterprises
already use it for virus protection. In my own informal tests, it had a 100
percent detection rate. In more formal evaluations, it always ranks among the
top products for the percentage of viruses detected.
Outlook 2003, Spam and Phishing
If you're using Outlook
2003 as an e-mail client, you can still get the anti-spam
and anti-phishing protection of the Exchange Intelligent Message
Filter (IMF). The Outlook 2003 junk e-mail filter uses the
same scanning and detection rules as the IMF and Hotmail.
You won't get the central management or
same level of detailed control over when to delete messages
and when to move them to your junk e-mail folder. However,
you'll still have the advanced detection engine and
the ability to hold suspect messages in the junk e-mail folder.
As with the IMF, make sure to apply signature updates that
Microsoft releases about once a quarter. — J.W.
Antigen is effective because it can use up to eight scanning engines to check
each message. (An anti-virus engine is the component that scans the data passed
to it by other components of the anti-virus software.)
Antigen's multiple scanning engines, all of which are developed and updated by well-known anti-virus companies, increase the likelihood that a newly discovered virus will be blocked early on. This increases overall detection rates.
Fortunately, using multiple engines doesn't impede performance, as all virus scanning is done in memory. Because Antigen is a single program that manages the different engines and controls updates, you decrease administrative overhead and increase reliability over using multiple anti-virus products on your Exchange Server or SMTP gateway.
Antigen's spam identification and blocking technology is quite different from
the IMF's. It doesn't look for spam characteristics in e-mail. Instead, it compares
messages against a database of actual spam signatures. The database is updated
hourly, based on spam detected by a dedicated network of SMTP servers set up
with the sole purpose of attracting spam. Antigen labels each message as spam
or non-spam, depending on whether or not it matches a known signature.
Unlike the IMF, which assigns a likelihood of spam, Antigen makes a definite
spam/no spam decision. The biggest advantage of this method is that the number
of false positives is extremely low. On the other hand, Antigen seems to let
more spam slip through than I would like. You manage Antigen with the Sybari
Client program (see Figure 1) or one of several enterprise-wide administration
tools.
Antigen is one of the best products on the market for blocking viruses and
spam. Once Microsoft has fully integrated Antigen into its broader scheme of
messaging and security tools, it may be even more appealing as a message-hygiene
tool.
E-Mail Strategies
Combining all types of message-hygiene tools and technologies is the most effective
approach. For example, I use connection and sender filtering as a first pass
at my network's edge. Because these filtering techniques block e-mail before
the message is ever received, they reduce bandwidth usage and delete about 90
percent of the spam sent to my mail server.
The IMF is an indispensable tool in my spam-fighting arsenal. I've set the threshold for deleting messages relatively high because I use a third-party anti-spam product as well. A high threshold also keeps the false positives low. However, even with conservative settings, the IMF detects half of the spam that makes it past the initial filtering.
If you're willing to set your thresholds lower, you should be able to significantly increase detection rates. That comes at the cost of a slightly higher rate of false positives, so if you use this strategy, configure the IMF to let users review blocked messages so they can recover legitimate e-mail.
Relying solely on the IMF can work for smaller organizations. However, most
larger companies will need another tool to achieve a reasonable spam detection
rate. In my experience, a signature-based spam filtering program like Antigen
is a good complement to the IMF, as it uses a very different detection mechanism.
Several anti-spam products, including Antigen, integrate with the IMF to use
the SCL as a message classification factor.
Just two years ago, Microsoft had no credible solution for Exchange message
hygiene. Now, it has a number of virus-protection and spam-filtering tools you
can use together to easily reach 90 percent detection rates with very few false
positives. Expect these technologies to improve and become better integrated.