Reducing Spam Mail in Exchange 2003 without using 3rd Party Software

Alan Hardisty, Co-Owner

I have seen lots of questions recently asking how to stop spam emails when using an Exchange 2003 server without having to resort to 3rd party software.

There are various ways to combat spam in Exchange 2003 and these are:
•      Set up Sender Filtering.
•      Set up a Tarpit Delay.
•      Set up a Sender Policy Framework (SPF) record for your domain.
•      Set up Sender ID Filtering.
•      Set up Recipient Filtering (and use Real-time Block Lists).

To explain a little about what each of the above options does, please read on.

Sender Filtering:

Sender Filtering checks inbound emails against the Sender Filter(s) that you set up and, if the sender email address matches a filter, the system rejects the message.  In terms of spoofing, if you add *@yourdomain.com in the Sender Filtering section, this will reject all messages that are sent externally with your domain name in the sender address.

One drawback with setting up *@yourdomain.com is that you won’t be able to send any mail at all from devices such as photocopiers if they are set up to send out mail as someone@yourdomain.com.  This will also prevent external SMTP / POP3 users from sending mail into your server remotely, so think about what filter you need before you set it up.  This will not stop users configured using RPC over HTTPS from sending – but RPC over HTTPS is a different subject altogether!

You can set up individual email addresses instead of a global address ( * ), which means that the addresses included in the filter will get rejected, but those that are not included in the filter will get through.  So if you have 4 users, Bob, Jane, Sarah and Mark, and you add Bob@yourdomain.com, Jane@yourdomain.com and Sarah@yourdomain.com to the filter, then they will not be able to send SMTP mail to your server externally, but Mark will be able to.  Mark is more likely to receive spoofed mail, but the other three will not.

This is the primary method to stop spoofed emails, but if this cannot be set up easily, a combination of creating an SPF record and Sender ID Filtering will work just as well.

Tarpit Delay:

A Tarpit Delay is a method to slow down spammers from sending their payload of rubbish to your server by injecting a pause of a specific period into the flow of communication, slowing down the rate at which the spammer can send out mail to your server.

Without a Tarpit Delay, your own server will respond to commands in a timely manner and thus the flow of mail is usually very quick and painless.

With a Tarpit Delay enabled, the sender ends up essentially ‘wading through treacle’ and communication with your server is slowed down dramatically.

Sender Policy Framework (SPF):

SPF is a way of defining the Mail server(s) that are allowed to send out mail on behalf of your domain.  When you create an SPF record, you can specify various elements that describe your servers by IP address, or by domain name.

For companies that are spread across multiple sites, their SPF record needs to include ALL IP addresses that are going to send out mail on behalf of their domain name.

Not having an SPF record set up is not going to cause you any problems, but having an incorrect SPF record set up will cause your email to bounce. (A large airline who offer cheap flights have currently got an incorrect SPF record and every time I book a flight with them, I have to adjust my anti-spam software to allow their emails through!)

Once you have created an SPF record, you then need to publish this record in DNS so that the rest of the world has access to it and can query your domain to see what mail servers are allowed to send out mail on behalf of your domain.

Sender ID Filtering:

This element is the part that actually checks SPF records to see if the mail server sending mail is allowed to send mail on behalf of the domain that the email is claiming to come from.  Sender ID Filtering can be configured to do one of three things: Accept the message but mark it with the Sender ID status for further processing, Delete the message without sending a Non-Delivery Report back to the sender, or Reject the message (forcing the sending server to generate a Non-Delivery Report).
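
The check that Sender ID Filtering makes against a published SPF record, as an added example (not part of the original article and not Exchange's own code). It evaluates the article's example record against constructed DNS data; the function names, the DNS table and the 192.0.2.x and 198.51.100.7 addresses are assumptions, and only the a, mx, ip4 and all mechanisms are handled.

```python
import ipaddress

# Example record from this article; the DNS data below is constructed for the demo.
RECORD = "v=spf1 a mx ip4:123.123.123.123 mx:mail.yourdomain.com -all"
DNS_A = {"yourdomain.com": ["192.0.2.10"], "mail.yourdomain.com": ["192.0.2.20"]}
DNS_MX = {"yourdomain.com": ["mail.yourdomain.com"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mx_addresses(domain):
    """Addresses of every mail exchanger listed for the domain."""
    return [ip for host in DNS_MX.get(domain, []) for ip in DNS_A.get(host, [])]


def check_spf(record, domain, client_ip):
    """Evaluate a v=spf1 record left to right; the first matching term decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS_A.get(arg or domain, [])
        elif name == "mx":
            matched = str(ip) in mx_addresses(arg or domain)
        else:
            return "permerror"  # include, redirect, CIDR suffixes: not in this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # 198.51.100.7 stands for a branch-office server that was left out of the record.
    for sender in ("123.123.123.123", "192.0.2.20", "198.51.100.7"):
        print(sender, check_spf(RECORD, "yourdomain.com", sender))
```

The third sender is the multi-site case described above: a legitimate server missing from the record hits -all, and a receiver set to Reject will bounce its mail.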

Recipient Filtering:

Recipient Filtering can be configured to filter out recipients that are not listed internally on the receiving server or to specifically block specified recipients.

A vast amount of email is sent out to non-existent email addresses and simply accepting these messages can cause your server to send out Non-Delivery Reports back to the senders of those emails that were addressed incorrectly.  This can get your IP address listed on Blacklisting sites, which will cause you problems when sending to servers that actively use Blacklists to reduce the amount of spam that they receive.


To set these various Anti-Spam techniques up, you should first check that you are using Exchange 2003 Service Pack 2 by opening up Exchange System Manager, expanding Servers, clicking on your server, then right-clicking on your server and choosing Properties.

The screen that follows should advise you what Service Pack your Exchange Server is on.  If it does not say Service Pack 2, please visit the following link to download and install it:

http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

If you are already on Exchange 2003 Service Pack 2, then please review the following articles to set up the various Anti-Spam techniques:
•      Sender Filtering - http://technet.microsoft.com/en-us/library/aa998083(EXCHG.65).aspx
•      Recipient Filtering (and RBL filtering) - http://support.microsoft.com/kb/823866
•      Tarpit Delay - http://support.microsoft.com/kb/842851
•      Sender Policy Framework - Visit http://old.openspf.org/wizard.html to create an SPF record for your domain, then add the SPF record to your domain's DNS records as a Text record with the Wizard results as the detail of the record.  An example SPF record looks similar to the following: v=spf1 a mx ip4:123.123.123.123 mx:mail.yourdomain.com -all
•      Sender ID Filtering - http://www.msexchange.org/tutorials/Configuring-enabling-Sender-ID-filtering-Exchange-2003-SP2.html

So, now having set up some or all of the above, you should see a dramatic drop in the amount of spam arriving in your inbox.

If you have tried the above and still get too much spam through, you could simply install some Anti-Spam software and one product that I have been using recently after being recommended it by a Microsoft Exchange MVP is Vamsoft ORF which is currently priced at $239 per server and has drastically reduced the amount of spam that I have been receiving.  My customers who also have Vamsoft installed on my recommendation, have also seen a dramatic reduction in their spam levels too.  Their website is www.vamsoft.com.

Comments (3)

I would also include enabling IMF (Intelligent Message Filter)  and using IMF companion http://stoekenbroek.com/imfcompanion/default.htm

I use this as a secondary SPAM filter.  IMF companion allows me to whitelist items, so it cuts down on the items I need to manually release.

Commented:
Alan,
I just now ran across this Article and it makes a really good read.
We get a lot of this type of question over in the Virus & Spyware Zones and I'll be sure to link to this in the future.

"Yes" vote above.

Vic

Alan Hardisty, Author

Commented:
Thanks Vic - very much appreciated.