Chances are that your company has invested big bucks in antispam software to keep junk mail off your Exchange Server. Commercial antispam software is effective, but your best defense against spam is to combine it with Exchange's own antispam mechanisms.
The reason: most antispam software fights spam once it has arrived in the SMTP queue or in the message store. Exchange's filtering mechanisms act on messages as they arrive at the server. Your server will perform better if you prevent spam from ever making it into your mail server than if you try to get rid of it after it has been delivered.
The two primary ways to filter inbound messages at the Exchange level are filtering on sender and filtering on recipient. Filtering by sender lets you block messages sent from a specific address or domain. Filtering on recipient lets you block mail that is addressed to a specific e-mail address.
The prep work
Before you can use any of the techniques that I am about to show you, you need to enable filtering at the SMTP level. To do so, open the Exchange System Manager and navigate to Administrative Groups | your administrative group | Servers | your server | Protocols | SMTP | Default SMTP Virtual Server. Right-click on the Default SMTP Virtual Server and select the Properties command from the resulting shortcut menu. This will cause Windows to display the Default SMTP Virtual Server's properties sheet. Select the properties sheet's General tab and click the Advanced button. When the Advanced dialog box appears, select the current IP address and click Edit to display the Identification dialog box. This dialog box contains check boxes that you can use to apply sender, recipient and connection filters. Select each check box and click OK three times.
Sender filtering is similar to creating a DNS blacklist. In case you are unfamiliar with the term, a DNS blacklist is a mechanism that allows you to block all mail from anyone whose address is on the list.
Generally speaking, the concept of a DNS blacklist is a bit outdated. A few years ago you could blacklist spammers to keep them from sending spam to anyone in your organization. Now, however, spammers never use an e-mail address more than once, so blacklisting each address that spam comes from is ineffective. Even so, sender filtering does have its place.
Sender filtering is most effective in blocking targeted harassment. For example, I recently fired someone who was doing some work for me. Since that time, the person has been flooding me with phone calls and e-mails, begging for a second chance. The only way that I could get the harassment to stop was to blacklist his e-mail address. Keep in mind that you can blacklist e-mail addresses through Outlook, but blacklisting an address at the Exchange level prevents the blacklisted person from e-mailing anyone in your entire Exchange organization (unless they change e-mail addresses).
You can blacklist a sender by opening the Exchange System Manager, navigating to Global Settings | Message Delivery, right-clicking on the Message Delivery container and selecting the Properties command from the resulting shortcut menu. When you do, you will see the Message Delivery Properties sheet. Select the Sender Filtering tab and then click the Add button. Enter the e-mail address or the domain that you want to block and click OK. Now, just make sure that the Drop Connection If Address Matches Filter check box is selected and click OK.
The configuration that I just described will drop a connection if a designated sender attempts to send a message to the organization. The tab contains a couple of other handy check boxes as well. The Archive Filtered Messages check box allows you to keep a copy of anything that gets filtered out. The copy of the message is stored as a text file in the server's \Program Files\Exchsrvr\Mailroot\VSI 1\Filter folder. This folder pertains to the SMTP virtual server. Since the message is stored as a text file, you can open it by using Notepad, but you could also change the file's extension to .EML and open the message using Outlook Express.
The next available option is Filter Messages with Blank Sender. This one is really simple. If someone sends a message to your organization and doesn't specify a sender, then the message is filtered. Oftentimes mass mailing programs used for sending spam do not specify a sender.
The last available option is to Accept Messages Without Notifying Sender of Filtering. This option goes back to what I was saying about harassment. For example, if I were to simply block the messages from the guy who keeps sending me all those messages, then Exchange would notify him that his messages were being blocked. He could then use a different e-mail address to send messages to me, totally defeating the purpose of the block. On the other hand, if I were to select this check box, then the person's e-mail messages are blocked, but he isn't told that they are being blocked.
It might seem strange at first to filter messages based on recipient, but if you stop and think about it, doing so makes a lot of sense. A common technique among spammers and virus authors is to send mail to every likely address at a given domain name.
For example, my company uses the domain name brienposey.com. Most of the valid e-mail addresses at this domain name consist of the recipient's first initial and last name. It's easy for a spammer to figure out the address format if they can get their hands on just one good e-mail address. Assuming that a spammer knows my e-mail address format, they could use a dictionary of common last names, prefix each last name with each letter of the alphabet and then append the domain name. For example, such a program would send e-mail to AADAMS@brienposey.com, BADAMS@brienposey.com, CADAMS@brienposey.com and so on.
Keep in mind that I don't have anyone with the last name Adams working for me. This doesn't stop spammers from trying to send messages to those addresses, though. Normally, when a message is sent to an invalid e-mail address within your organization, Exchange generates a non-delivery report (NDR).
While NDRs can be handy, in the case of spam they are a burden to your organization for two reasons. First, if a spammer is sending spam in the method I just described, thousands of NDRs can be produced and can consume a tremendous amount of Internet bandwidth. The second reason why NDRs are bad news is because they can allow a spammer to figure out which e-mail addresses are good and which don't exist. Spam organizations pay big bucks for lists of known good addresses.
My point in telling you all of this is to help you realize that it's important to filter out invalid recipient e-mail addresses. To do so, select the Recipient Filtering tab of the Message Delivery Properties sheet. Now, simply select the Filter Recipients who are not in the Directory check box and click OK. That's all there is to it.
You might notice that the Recipient Filtering tab also allows you to filter based on specific recipient e-mail addresses. The reason for this is that there are some e-mail addresses that people outside of your organization should not be sending mail to. A public folder is a good example of this. Public folders can be mail-enabled, and if they are improperly secured, spammers or anyone else can post messages to them. Entering the e-mail addresses associated with public folders gives you an extra layer of security.
Exchange's built-in spam filtering mechanisms are nowhere near as advanced as those found in commercial antispam software. However, by enabling these mechanisms, you can keep your spam software from working as hard and improve your server's overall efficiency.
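To make the effect of each check box concrete, here is an added example that is not Exchange's own code: a small Python model of the envelope-time decisions that the Sender Filtering and Recipient Filtering tabs control. It walks the MAIL FROM and RCPT TO stages of one inbound message and reports what the sending server sees, whether anything reaches the message store, how many NDRs Exchange would otherwise have to build, and whether a copy would land in the Filter folder. The SMTP reply strings, the directory contents and the sample addresses (bposey, jsmith, the harasser and the probe addresses) are constructed stand-ins. One caveat the model makes visible: with recipient filtering on, the unknown address is refused with a 550 at RCPT TO, so the bounce traffic and the NDR-building cost disappear, but the sending system still learns that the address was not accepted; Exchange 2003 SP2 added an SMTP tar pit delay precisely to make that kind of probing slow.

```python
"""Model of Exchange 2003 sender/recipient filtering at the SMTP envelope.
Added example, not Exchange's code; reply texts and sample data are constructed."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class FilterConfig:
    # Sender Filtering tab
    blocked_senders: Set[str] = field(default_factory=set)   # "user@domain" or "*@domain"
    filter_blank_sender: bool = False                        # Filter Messages with Blank Sender
    drop_connection: bool = True                             # Drop Connection If Address Matches Filter
    accept_without_notifying: bool = False                   # Accept Messages Without Notifying Sender
    archive_filtered: bool = False                           # Archive Filtered Messages
    # Recipient Filtering tab
    directory: Set[str] = field(default_factory=set)         # addresses that exist in the directory
    filter_not_in_directory: bool = False                    # Filter Recipients who are not in the Directory
    blocked_recipients: Set[str] = field(default_factory=set)  # e.g. mail-enabled public folder addresses


@dataclass
class SessionResult:
    replies: List[str]                                       # what the sending server sees, in order
    connection_dropped: bool = False
    delivered_to: List[str] = field(default_factory=list)    # recipients handed to the message store
    ndrs_generated: int = 0                                  # bounces Exchange would have to send
    archived: bool = False                                   # copy written to ...\Mailroot\VSI 1\Filter


def sender_is_blocked(sender: str, blocked: Set[str]) -> bool:
    """Match an envelope sender against Sender Filtering entries, case-insensitively.
    An entry written as '*@domain' blocks every address at that domain."""
    s = sender.lower()
    for entry in blocked:
        e = entry.lower()
        if e.startswith("*@"):
            if s.endswith(e[1:]):          # e[1:] is "@domain"
                return True
        elif s == e:
            return True
    return False


def run_session(cfg: FilterConfig, sender: str, recipients: List[str]) -> SessionResult:
    """Apply the filters in envelope order: the sender at MAIL FROM, then each RCPT TO."""
    res = SessionResult(replies=[])

    # MAIL FROM: sender filtering (blank sender, or an address/domain on the list)
    filtered = (sender == "" and cfg.filter_blank_sender) or sender_is_blocked(sender, cfg.blocked_senders)
    if filtered and not cfg.accept_without_notifying:
        res.replies.append("554 5.1.0 Sender Denied")        # constructed reply text
        res.connection_dropped = cfg.drop_connection
        return res                                           # nothing accepted: no archive, no NDR
    res.replies.append("250 2.1.0 Sender OK")

    # RCPT TO: recipient filtering
    known = {d.lower() for d in cfg.directory}
    blocked_rcpts = {b.lower() for b in cfg.blocked_recipients}
    accepted: List[str] = []
    for rcpt in recipients:
        r = rcpt.lower()
        unknown = r not in known
        if r in blocked_rcpts or (cfg.filter_not_in_directory and unknown):
            res.replies.append(f"550 5.1.1 {rcpt} User unknown")   # refused at the door, no NDR needed
            continue
        res.replies.append(f"250 2.1.5 {rcpt}")
        if unknown:
            res.ndrs_generated += 1      # accepted now, bounced later by the categorizer
        else:
            accepted.append(rcpt)

    # DATA: the body is taken in. A filtered sender that was "accepted without
    # notifying" is silently discarded here (or archived), never delivered.
    if filtered:
        res.archived = cfg.archive_filtered
        return res
    res.delivered_to = accepted
    return res


def demo_recipient_filtering():
    """Same dictionary-style probe with recipient filtering off and on (constructed data)."""
    directory = {"bposey@brienposey.com", "jsmith@brienposey.com"}
    probes = ["aadams@brienposey.com", "badams@brienposey.com", "jsmith@brienposey.com"]
    off = run_session(FilterConfig(directory=directory), "someone@example.net", probes)
    on = run_session(FilterConfig(directory=directory, filter_not_in_directory=True),
                     "someone@example.net", probes)
    return off, on


if __name__ == "__main__":
    for label, result in zip(("filter off", "filter on"), demo_recipient_filtering()):
        print(label, result.replies, "NDRs:", result.ndrs_generated, "delivered:", result.delivered_to)
```

Run the script and compare the two result lines: with the check box cleared, the two bogus addresses are accepted and turn into two NDRs; with it selected, each gets a 550 and only the real mailbox is delivered to, which is the bandwidth and processing saving the article describes.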
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
This tip first appeared in the free SearchExchange.com newsletter, Exchange Adviser.