Security Advisor

Message Hygiene -- Microsoft Style: Part II

Now that you've got those filters going, Joern takes a look at what else you can do to help keep incoming e-mails clean.

In the ongoing battle to keep your network clean, you have two general ways to filter incoming e-mail -- either by message origin or by message content. Microsoft Exchange Server can filter incoming e-mail by sender, originating connection or intended recipient, and reject any suspect e-mail even before it lands on your mail server. Unfortunately, these filtering methods only block a portion of unwanted e-mail.

Last month I explained how filtering works as a first line of defense. This month, I'll describe how Microsoft Exchange can also scan e-mail message content to keep your network spam and virus-free.

After initially making its Intelligent Message Filter (IMF) available as an Exchange add-on, Microsoft now includes it as an integrated part of Exchange Service Pack 2. The IMF scans incoming e-mail and analyzes the content of each message looking for typical spam characteristics. It assigns a rating to indicate the likelihood of that message being spam -- a Spam Confidence Level (SCL) rating of zero to nine, with nine indicating the highest likelihood of spam.

After scanning and classifying each message, you can have your Exchange server immediately delete any message with a high SCL rating, hold it at the mail server for your review or try to return it to the sender. It will deliver messages that are below the safe SCL threshold to the Exchange server that stores the user's mailbox.

Holding quarantined messages at the server ensures that you can later recover falsely classified mail (so you'll have to periodically review blocked messages). You can also let the IMF tag the message with an assigned SCL level, and leave all further processing to a third-party spam blocker that understands SCL ratings.

Dual Thresholds
Once the Exchange SMTP gateway has assigned an SCL, it's stored with the message. You can also define a second, lower threshold Exchange can use to decide whether it should deliver a message to a user's Inbox or junk e-mail folder. Delivering potential spam to the junk e-mail folder gives users several options:

  • They can review all suspected spam.
  • They can move good messages to the Inbox.
  • They can create blacklists of senders from whom mail should always be rejected.
  • They can create whitelists of senders from whom mail should always be accepted. (Exchange Server will apply those whitelists and blacklists to future messages even if Outlook isn't running, or if a user accesses e-mail via Outlook Web Access.)

Setting two separate thresholds lets you immediately delete messages with a high SCL rating, as there's a small likelihood they will be valid messages. Presorting messages with intermediate SCL ratings into users' Inboxes and junk e-mail folders reduces overhead because you won't have to review all flagged messages to determine whether or not they're valid.

Let Microsoft Do the Work

Toward the end of 2005, Microsoft announced a shift in strategy and an emphasis on offering software as services—not just products. As part of this strategy, Microsoft bought FrontBridge, a company that provides hosted e-mail services based on Exchange. Through FrontBridge, Microsoft will offer complete e-mail message hygiene, all performed at one of its data centers.

Because it uses several scanning mechanisms, FrontBridge can provide more accuracy and fewer false positives than many other solutions. It also helps you use your Internet connection more efficiently because it removes spam and viruses before they're sent to your local mail server. The FrontBridge service also provides message archiving, messaging continuity in case your local server isn't available and e-mail encryption without requiring a public key infrastructure.

Whether or not this type of service is for you depends on the cost and whether you feel comfortable letting a third party manage an important part of your IT infrastructure. More information is available at www.frontbridge.com. — J.W.

The IMF has a good detection rate -- in my experience -- particularly when you apply the latest updated detection rules. Microsoft creates those rules based on its analysis of the millions of e-mail messages that arrive at its Hotmail servers.

Like most other anti-spam programs, the IMF can generate false positives (legitimate e-mail messages incorrectly classified as spam). The best strategy for keeping the number of false positives low is to set your thresholds high enough to block most spam, but low enough to prevent messages from being incorrectly labeled. You'll have to experiment with different IMF settings to find the level that's right for you. Gradually reduce the threshold settings and make sure that messages aren't permanently deleted until you arrive at an effective level.
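The two-threshold routing described under Dual Thresholds and the threshold tuning recommended here, as an added Python model (not Microsoft's code; the SCL values, sender lists and labelled sample messages are constructed):

```python
from dataclasses import dataclass

# Constructed model of the IMF's two SCL thresholds (not Microsoft's code).
# SCL runs 0..9. Messages at or above the gateway threshold are acted on at the
# SMTP gateway (archived for review, deleted or rejected); messages at or above
# the lower store threshold are delivered to the user's junk e-mail folder.

@dataclass
class Message:
    sender: str
    scl: int        # Spam Confidence Level the gateway assigned, 0..9
    is_spam: bool   # ground truth, known only because the sample is constructed

def route(msg, gateway_threshold, junk_threshold, gateway_action="archive",
          safe_senders=(), blocked_senders=()):
    """Return 'gateway:<action>', 'junk' or 'inbox' for one message."""
    if not 0 <= msg.scl <= 9:
        raise ValueError("SCL must be 0..9")
    if junk_threshold > gateway_threshold:
        raise ValueError("junk threshold must not exceed gateway threshold")
    if msg.scl >= gateway_threshold:
        return f"gateway:{gateway_action}"
    # Per-user safe/blocked sender lists are applied by the mailbox store,
    # so they only influence mail that already got past the gateway.
    sender = msg.sender.lower()
    if sender in {s.lower() for s in blocked_senders}:
        return "junk"
    if sender in {s.lower() for s in safe_senders}:
        return "inbox"
    return "junk" if msg.scl >= junk_threshold else "inbox"

def sweep(messages, junk_threshold):
    """Map each candidate gateway threshold to (spam caught, legit mail blocked)."""
    table = {}
    for gw in range(junk_threshold, 10):
        hits = [route(m, gw, junk_threshold).startswith("gateway:") for m in messages]
        table[gw] = (sum(h and m.is_spam for h, m in zip(hits, messages)),
                     sum(h and not m.is_spam for h, m in zip(hits, messages)))
    return table

def lowest_safe_threshold(messages, junk_threshold):
    """Lowest gateway threshold that blocks no legitimate mail in the sample."""
    return min(gw for gw, (_, lost) in sweep(messages, junk_threshold).items() if lost == 0)

SAMPLE = [  # constructed traffic, not real messages
    Message("boss@example.com", 1, False), Message("friend@example.com", 0, False),
    Message("newsletter@example.com", 4, False), Message("vendor@example.com", 7, False),
    Message("promo@example.net", 8, True), Message("lotto@example.org", 9, True),
    Message("deals@example.net", 6, True), Message("cheapmeds@example.org", 5, True),
]
```

Running sweep(SAMPLE, 4) shows the trade-off: a gateway threshold of 7 already blocks the legitimate vendor mail, while 8 is the lowest setting that blocks none, which is why you start high and lower the setting gradually with deletion disabled.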

Gone Phishing
Phishing is another relatively recent e-mail-based threat. Phishing attacks come in on e-mail that looks like it originated from a bank, auction site or some other company that requires password access to accounts or other valuable data. The e-mail prompts the user to go to a fake but legitimate-looking Web site and log on. The attacker can then capture the victim's credentials and use them to get access to the victim's bank account.

Exchange SP 2 updates its filters to counter this threat. The IMF assigns a Phishing Confidence Level (PCL), which labels messages suspected to be phishing attacks and warns the recipient. The PCL is also used to assign the SCL rating. Microsoft doesn't publish the exact rules it uses to detect phishing attempts (as with spam detection rules), but my informal tests have shown that it has high detection accuracy.

Enter Antigen
Until recently, you had to rely on third-party software for e-mail virus protection. Microsoft then licensed Antigen, which was developed and sold by Sybari. When Microsoft decided to widen its security portfolio to provide virus protection, it bought Sybari and folded Antigen into its product line.

At this point, Antigen still carries the Sybari name. Microsoft is revising it and now the next version will be called Microsoft Antigen. Unlike the IMF, Antigen is not included with Exchange, and requires a separate license based on the number of users within an organization. The next version will be more closely integrated with other Microsoft licensing schemes, but will still be a separate product.

Antigen may not be the most well-known product, but many large enterprises already use it for virus protection. In my own informal tests, it had a 100 percent detection rate. In more formal evaluations, it always ranks among the top products for the percentage of viruses detected.

Outlook 2003, Spam and Phishing

If you're using Outlook 2003 as an e-mail client, you can still get the anti-spam and anti-phishing protection of the Exchange Intelligent Message Filter (IMF). The Outlook 2003 junk e-mail filter uses the same scanning and detection rules as the IMF and Hotmail.

You won't get the central management or same level of detailed control over when to delete messages and when to move them to your junk e-mail folder. However, you'll still have the advanced detection engine and the ability to hold suspect messages in the junk e-mail folder. As with the IMF, make sure to apply signature updates that Microsoft releases about once a quarter. — J.W.

Antigen is effective because it can use up to eight scanning engines to check each message. (An anti-virus engine is the component that scans the data passed to it by other components of the anti-virus software.)

Antigen's multiple scanning engines, all of which are developed and updated by well-known anti-virus companies, increase the likelihood that a newly discovered virus will be blocked early on. This increases overall detection rates.

Fortunately, using multiple engines doesn't impede performance, as all virus scanning is done in memory. Because Antigen is a single program that manages the different engines and controls updates, you decrease administrative overhead and increase reliability over using multiple anti-virus products on your Exchange Server or SMTP gateway.

Antigen Client
Figure 1. The Antigen Client lets you fine-tune spam and virus detection settings.

Antigen's spam identification and blocking technology is quite different from the IMF's. It doesn't look for spam characteristics in e-mail. Instead, it compares messages against a database of actual spam signatures. The database is updated hourly, based on spam detected by a dedicated network of SMTP servers set up with the sole purpose of attracting spam. Antigen labels each message as spam or non-spam, depending on whether or not it matches a known signature.

Unlike the IMF, which assigns a likelihood of spam, Antigen makes a definite spam/no spam decision. The biggest advantage of this method is that the number of false positives is extremely low. On the other hand, Antigen seems to let more spam slip through than I would like. You manage Antigen with the Sybari Client program (see Figure 1) or one of several enterprise-wide administration tools.

Antigen is one of the best products on the market for blocking viruses and spam. Once Microsoft has fully integrated Antigen into its broader scheme of messaging and security tools, it may be even more appealing as a message-hygiene tool.

E-Mail Strategies
Combining all types of message-hygiene tools and technologies is the most effective approach. For example, I use connection and sender filtering as a first pass at my network's edge. Because these filtering techniques block e-mail before the message is ever received, it reduces bandwidth usage and deletes about 90 percent of the spam sent to my mail server.

The IMF is an indispensable tool in my spam-fighting arsenal. I've set the threshold for deleting messages relatively high because I use a third-party anti-spam product as well. A high threshold also keeps the false positives low. However, even with conservative settings, the IMF detects half of the spam that makes it past the initial filtering.

If you're willing to set your thresholds lower, you should be able to significantly increase detection rates. That comes at the cost of a slightly higher rate of false positives, so if you use this strategy, configure the IMF to let users review blocked messages so they can recover legitimate e-mail.

Relying solely on the IMF can work for smaller organizations. However, most larger companies will need another tool to achieve a reasonable spam detection rate. In my experience, a signature-based spam filtering program like Antigen is a good complement to the IMF, as it uses a very different detection mechanism. Several anti-spam products, including Antigen, integrate with the IMF to use the SCL as a message classification factor.

Just two years ago, Microsoft had no credible solution for Exchange message hygiene. Now, it has a number of virus-protection and spam-filtering tools you can use together to easily reach 90 percent detection rates with very few false positives. Expect these technologies to improve and become better integrated.
