Today preventing spam is more important than ever. A lot of script kiddies and other deviants would be severe headache and cause disruption to your Exchange, or simply just leverage it to send copious amounts of spam.
Supposing that your Exchange environment is running smoothly, I will try to give you
some best practices to help securing your Exchange environment against spammers.
1. Review Your DNS Records
There is a special DNS record called SPF that could help you to stop email spoofing. The SPF record determines whether or not email servers are authorized to send emails in name of a domain name. Using one of this would prevent spammers from spoofing your email addresses, and supplanting your organizations authority.
Creating a SPF record is an a easy task using a configurator. You'll find many by searching across the internet, for example, Microsoft has one here
, but to start with, we will use this:
Create a next TXT record on your DNS
Paste this code making your changes:
v=spf1 ip4:184.108.40.206 ip4:220.127.116.11~all
Where 18.104.22.168 is your first OUTGOING mailserver, 22.214.171.124 is your secondary outgoing server, etc.
You can add more servers or a network subnet using this format: <space>ip4:126.96.36.199/24
2. Configure RBLs
I hate opening my mail and seeing a lot of mails trying to sending me Viagra, Rolex or whatever. You can fight against this emails using RBL.
Also known as real-time blocking list, an RBL is a mega list with suspicious IP addresses of sending spam. Some of them are free to use and others may require a subscription. I have using Spamhaus and Spamcop for a few years now, and have not had any problems.
Implementing an RBL is easy. First, you can use as many as you want, but you must consider that when your server receives an email, it must be do a query to your list. Using ten list equals to ten queries and may exhaust your internet access or your server resources.
First, you must install antispam features on your server. Run: ./install-AntispamAgents.ps1command from the %system drive%/Program Files\Microsoft\Exchange Server\V14\Scripts folder.
Then, restart Microsoft Exchange Transport service using this Restart-Service MSExchangeTransport command.
Open your Exchange console, go to Organization configuration, hub transport, antispam tab.
Enable IP Block List providers and go to properties.
Click add. Provide a identification name (p. ex Spamcop) and lookup domain (bl.spamcop.net)
Depending of your list, would provide return code or not. You will check this with your provider but usually spam is 127.0.0.2. Is a great idea add a error message to help legitimate email senders that might be listed incorrectly. I usually include a delisting procedure for them in our bounce message. For example: "This e-mail server has been blocked because is in a Black List. To delist, visit: http://www.spamcop.net/bl.shtml
Repeat this procedure with other list that you desired.
3. Other Antispam Features
Exchange 2010 has more antispam features than RBL. I also suggest you enable:
Recipient filtering. Open properties, go to blocked recipients and mark block messages sent to recipients that do not exist in the directory.
Sender filtering. Open properties, go to blocked senders and mark block messages that don´t have sender information.
Sender ID. This feature enable SPF checks to incoming email. Depending on your antispam policy, you can configure delete message, reject or mark with sender ID and continue. Try the last one because it only marks emails as spam, and if the filter is accurate, it will consider other options.
On untested implementations, will discard delete option by evident reasons. Any email detected as spam will be deleted without generate any notification. Anybody knows that this email will be deleted, to sender email was delivered and receipt has no evidence of this email.
The question is mark or reject. Usually when SPF fails is because email was spoofed, but sometimes SPF was not correctly implemented and reject some important emails. This disturbs to users and causes delays to receive an important email. But marking as spam, users receive the email (on junk folder, but arrives to his/her mailbox) and can read it. When users are advised that are running a new spam filter and are committed to check more frequently his/her junk folder, is easy as report false positive to Exchange admin and read the email. But rejecting email will cause that sender ask to his/her Exchange admin (if exist) or call to our company very upset because you are rejecting legitimate email.
This options are configured on properties, action tab.
Sender reputation. Open properties and go to sender reputation. Mark perform an open proxy test when determining sender reputation level and go to action tab Configure a value (default is 7) of threshold. Unless you have a clear concept of how sender reputation works, don't change this parameters.
Content Filtering. You can configure blocking emails using keywords. Have you got a spammers words list? you can add here and increase deficiency of
spam filtering. In case you need a list, you can use this list from Wordpress
. I suggest that configure (action tab) to reject emails with SCL of 8 or greater.
IP Allow list/IP Allow list providers. This is the same as RBL, you can use white lists to void false positives. Here you can add an IP or a whitelist providers. This must be configured as an EXCEPTION to blacklist, if only permit whitelist servers may be blocking legitimate email.
4. Always Use Encryption
By default Exchange blocks non encrypted access to POP3 and IMAP4. This prevents sniffing passwords and/or emails. Consider keep this configuration if
is possible. If you really must have non-encrypted traffic, then do it on a non-standard port so that it is at least hidden from plain view.
You can check this using Get-PopSettings and Get-ImapSettings cmdlets. Login type
shows if login is secure or not. To enable only secure login use:
Set-PopSettings -LoginType SecureLogin or Set-ImapSettings -LoginType SecureLogin
Exchange uses a self-signed certificate to this, but consider acquiring a certificate from a CA such as GoDaddy, VeriSign, eTrust, GeoTrust, or any other CA you prefer.
Using Outlook 2003 clients may cause problems too. By default, Exchange 2010 encrypts all traffic but Outlook 2003, by default, does not encrypt any. This causes a problem where Outlook cannot connect because the server and client cannot agree on encryption. Thus, Outlook get permanently stuck in a disconnected state. I recommend you force encryption on clients. this KB from Microsoft will help.
As you can see, with a few clicks can help to users getting better experience with email, in 2010 year, as least 89,1% of email was spam, this unnecessary email is not only disturbing, it increases your server workload and by extension the hardware requirements needed to process all that spam. Using these configurations can save you time, money, hardware resources, and keep your users much happier.
The fight against spam is everyone's responsibility.