Chapter 7 • Managing the Edge Transport Server
[Figure: Sender ID check on an inbound message. Labels: Sender; Public DNS Server with SPF record; SPF Lookup; SPF result; Inbound message; Firewall; Perimeter Network; Edge Transport; Firewall; Internal Network; Hub Transport; Mailbox Server; Delivery; Recipient]
Sender ID can provide several different results and stamp them appropriately. Table 7.2 lists each of the results as well as a short description and the action taken.
Sender ID Result              Description                   Action Taken
Neutral                       Domain is neutral (makes no   Stamp and Accept
                              decision about IP address)
Fail (-)                      IP address for PRA            Stamp and Accept then
- Domain doesn’t exist        not permitted                 set either Delete or Reject
- Sender isn’t permitted
- Malformed domain
- No Purported Responsible
  Address (PRA) in header
Soft Fail ( )                 IP address for PRA not        Stamp and Accept
None                          No SPF record published       Stamp and Accept
                              for the domain
Temp Error                    Transient error (could be     Stamp and Accept
                              unreachable DNS server)
Perm Error                    Possible error in record so   Stamp and Accept
                              couldn’t be read correctly

No matter what the result of the SPF check, the result will be used in the calculation process when an SCL rating is generated for a message.
TIP
If you want to check which IP addresses are allowed to send e-mail messages for a given domain, you can use a wizard such as the one at www.dnsstuff.com/pages/spf.htm, or open a command prompt and type: nslookup -q=TXT domain.com
You should then be able to see the SPF record, including the list of the IP addresses allowed to send e-mail messages for this domain.
For additional information about Sender ID, visit http://en.wikipedia.org/wiki/Sender_id
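The check described in the tip, as an added example (not from the book, and not how Exchange's Sender ID agent is implemented): it evaluates a sending IP address against the ip4, ip6 and all terms of an SPF record and returns a result named as in Table 7.2. The TXT records, the domain example.com and the function names are constructed for illustration; Pass and the default Neutral follow RFC 7208, and terms that need live DNS are reported as Unresolved.

```python
import ipaddress

# SPF qualifier -> result name (Fail, Soft Fail, Neutral as in Table 7.2; Pass per RFC 7208).
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Soft Fail", "?": "Neutral"}

# Constructed TXT answers for the placeholder domain example.com (documentation ranges).
SAMPLE_TXT = [
    "verification-token=constructed",
    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
]

def spf_terms(txt_records):
    """Return the terms of the single SPF record, None if absent; raise on duplicates."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one SPF record")
    return spf[0].split()[1:] if spf else None

def evaluate_spf(txt_records, sender_ip):
    """Map sender_ip to a Sender ID style result using only ip4/ip6/all terms."""
    try:
        terms = spf_terms(txt_records)
    except ValueError:
        return "Perm Error"                # duplicate records cannot be interpreted
    if terms is None:
        return "None"                      # no SPF record published for the domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        result = QUALIFIERS.get(term[0], "Pass")   # no qualifier means "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return result
        name, _, value = mech.partition(":")
        if name not in ("ip4", "ip6"):
            return "Unresolved"            # a, mx, include, redirect= need live DNS
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "Perm Error"            # record could not be read correctly
        if ip in net:                      # False when the IP versions differ
            return result
    return "Neutral"                       # nothing matched and no "all" term

if __name__ == "__main__":
    for addr in ("192.0.2.77", "203.0.113.9", "2001:db8::1"):
        print(addr, "->", evaluate_spf(SAMPLE_TXT, addr))
```

To check a real domain, paste the quoted strings from the nslookup TXT answer into the list passed as txt_records.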
When the Sender ID Filtering agent checks whether a sending SMTP server has an appropriate purported responsible address (PRA), you can specify what action it should take for a given e-mail message that doesn’t have an appropriate PRA. You can configure it to Reject message, Delete message, or Stamp message with Sender ID result and continue processing; the last one is the option selected by default (see Figure 7.40).

If you set Sender ID to reject the message, the message will be rejected by the Edge Transport server and an SMTP error response will be returned to the sender.

If you configure Sender ID to delete message, the message will be deleted without sending an SMTP error response to the sender. Since the message is deleted without informing the sending SMTP server, you would think that the sending SMTP server would retry sending the message, but this is not the case. The Sender ID filter has been made so cleverly that the Edge Transport server will send a fake OK SMTP command before deleting the message.

When you configure Sender ID to stamp messages with the Sender ID result and continue processing, the e-mail message will be stamped with information that will be used when the message is evaluated by the Content Filtering agent (which we will look at in a moment) to calculate the SCL.
If you haven’t already done so, we highly recommend that you create an SPF record for your domain. This will make it much more difficult for spammers to forge your domain so that they can spam domains in other organizations. Creating your own SPF record is a relatively simple process; Microsoft even provides a Web-based GUI wizard that will help you do it (see Figure 7.41). You can find the wizard by visiting www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard
Content Filtering
The Content Filtering agent can be considered the next generation of the Intelligent Message Filter (or IMF version 3), which most of us know from Exchange Server 2003 (version 2 came with Exchange 2003 SP2). This means that the Content Filter is based on the SmartScreen technology, originally developed by Microsoft Research. When an e-mail message is received by an Edge Transport server with the Content Filtering agent enabled, it will evaluate the textual content of the message and then assign the message an SCL rating based on the probability that the message is spam. This rating is stored as a message property called an SCL rating. The Content Filter is regularly updated using the Antispam Update Service (Windows Update) to ensure that it always contains the most up-to-date information when it’s running. Since the Content Filter is based on the characteristics of many millions of messages (Hotmail, among others, is used to collect the necessary information about both legitimate as well as spam messages), it recognizes both legitimate messages and spam messages. The Content Filter can very precisely determine whether an inbound e-mail message is a legitimate message or spam. The Content Filter can also, via spam signatures, analyze messages for phishing characteristics.

If the message is a phishing attempt, the Content Filtering agent will stamp it with a property before delivering it to the recipient’s inbox. When the message is delivered, Outlook 2007 will render it differently and warn the user that this most likely is a phishing attempt. When the message is viewed in Outlook 2007, all content will be flattened, any links will be disabled, and no images will be loaded. Just as was the case with IMF in Exchange Server 2003, you can, with the help of the Content Filter, assign an SCL rating to the messages flowing into your organization. The Content Filter stamps the messages that it inspects with an SCL property (actually a MAPI property) with a value between 0 and 9. As you can see in Figure 7.42, depending on how a message is rated, you can delete, reject, or quarantine it to a specified mailbox.

If a message equals the SCL delete threshold, the message will be deleted without notifying the sending server. If the message equals the SCL reject threshold, the message will also be deleted, but a rejection response will be returned to the sending server. If a message equals the SCL quarantine threshold, the message will be sent to the e-mail address specified in the Quarantine mailbox e-mail address: field. Bear in mind, though, that before a message can be quarantined, you need to create and configure a mailbox that should be used for this purpose. To do so, perform the following steps:
1. Create a new mailbox called Quarantined Messages or similar.
2. Depending on how many recipients as well as how many messages are received by your Exchange organization, configure a reasonable quota for this mailbox.