Security Advisor

The Forefront of E-Mail Protection

• By Joern Wettern
• 09/01/2009

Microsoft is about to release Forefront Security for Exchange (FSE) 2010. It includes many incremental changes to existing functionality, but what really makes it stand out is its exemplary anti-spam performance.

A few years ago, Microsoft bought Sybari Software and morphed Sybari's Antigen e-mail protection product into what is now Microsoft FSE.

Living Without Spam
The Antigen product included spam filtering, but Microsoft dropped this functionality because it was ineffective. Instead of giving up on the feature altogether, though, Redmond worked to redesign it and have it work properly in its latest product.

There are two basic things to look for when evaluating any anti-spam solution: The percentage of spam blocked should be close to 100 percent, and no legitimate e-mail messages should be erroneously classified as spam. There's a lot of e-mail that can't be easily classified, including many e-mail newsletters.

When messages fall into this gray area, most IT managers prefer to err on the safe side, quarantine the messages and sort through them manually. Or, they let users weed out spam themselves. Manual secondary filtering can be very time-intensive. What makes an anti-spam product stand out from its competition is that it keeps the number of e-mails that fall into this gray area low.

My experience with beta versions of FSE 2010 is that it blocks almost all spam and has a false-positive rate of close to zero. The best part is that, without having to fiddle with the default settings, I had almost no messages that FSE quarantined as questionable.

Two Ways to Fight Spam
FSE performs this well because of two main components: blacklisting and an advanced detection engine. Blacklisting is controversial. The principle is easy: when a connection to a mail server is opened, the server performs an online check against a database of addresses that are known spam senders and drops the connection before any data is sent. The hard part of that is finding a blacklist that is both comprehensive and reliable.

Many blacklists that you can subscribe to are overly aggressive and might tell your mail server to drop a connection from a company with which you do business.

Microsoft has combined multiple blacklists from reliable providers and has added addresses that have developed a bad reputation for spamming Microsoft's hosted e-mail network. This approach is highly efficient and is responsible for blocking most attempts to send spam.

The next line of defense is an anti-spam engine that examines the remaining e-mail and applies both signature-based and analytical processing. For FSE 2010, Microsoft licenses this engine from Cloudmark, one of the leaders in this area.

There are additional elements that can help reduce the amount of spam your mail server receives. For example, FSE can perform backscatter filtering. Backscatter, one of the fastest-growing types of spam, involves delivery status notifications (DSNs) for e-mail messages that were never sent by your mail server. Backscatter filtering blocks phony DSNs while leaving legitimate ones alone.

Resource-Intensive but Worth It
Additional new features of FSE include a connector for Microsoft customers who subscribe to the hosted Forefront Online Security for Exchange, and tight integration with other components of the Forefront product suite. If you're responsible for multiple mail servers, you'll find FSE's support for Windows PowerShell scripting a time-saver.

While FSE 2010 is an impressive product, it's not without flaws. Administration could be more intuitive, and the product requires some hefty resources, especially RAM and processor power. But this is a small price to pay for effective malware and spam protection that performs admirably without a lot of configuration or ongoing maintenance.