Solved

Exchange 2007 Spam and Edge server

Posted on 2009-06-29
8
338 Views
Last Modified: 2013-12-09
I have exchange 2007 setup on a single server. It is behind my firewall and I am doing a static mapping to go from the public IP to the private IP the exchange server is on. Since we switched to Exchange 2007, the spam is out of control. Outbound queue's are filling up with what looks like NDR attacks to other domains and we are constantly receiving spam such as email addressed from ourselves, to ourselves (Spoofed). With exchange 2003, I had this under control. There was the ability to control this somewhat. I could setup DNS block list and had control over NDR attacks and could check against SPF texdt records. It does not look like I can do any of this now. I have heard that if I want to do any of this, I now need a separate edge server. Could someone help me with this? If an edge server is what I need, I could use some setup advise. If that is not what I need, please tell me what I need to do. The spam is out of control.
0
Comment
Question by:VoyagerHealthCare
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 13

Expert Comment

by:shadowlesss
ID: 24736485
You can control Spam on your Hub Role

http://technet.microsoft.com/en-us/library/bb201691.aspx
0
 
LVL 13

Expert Comment

by:shadowlesss
ID: 24736506
If you want to install the Edge Role...here is some good information on how to do this...

http://searchexchange.techtarget.com/generic/0,295582,sid43_gci1262392,00.html
0
 
LVL 13

Expert Comment

by:shadowlesss
ID: 24736524
The edge role must be on a seperate server. This role can not be installed with any other role.
0
Office 365 Training for Admins

Learn how to provision tenants, synchronize on-premise Active Directory, and implement Single Sign-On with these master level course.  Only from Platform Scholar

 

Author Comment

by:VoyagerHealthCare
ID: 24736552
Shadowless: Thanks for the ultra fast response. I have the resources to install an edge server if it is needed, but if the script that enables the ability for me to use the HUB transport role to fight spam is just as effective as the Edge transport metthod, would it be ok to use the HUB role method, or would I get better results from the edge server method? Also, maby I could do the hub method as a temp fix until I get the edge transport server up. Thoughts?
0
 
LVL 2

Expert Comment

by:purpleoak
ID: 24736642
There is a range of ways of stopping spam with some ways being better than others;

Software based Solution

This is where you install an application on a PC or Server that scans the messages.
Pros
None over other solutions
Cons
The software consumes resources such as CPU and Memory and Hard Disk Capacity so your PC or servers run inefficiently.
You may get hit by a DOS or DDOS attack and your server has to handle the load.
The spam and virus are downloaded thus consume your bandwidth.
Scanning is done on the Server inside you network.  This is obviously inviting trouble into your network past your firewall unnecessarily.
The software is not future proof (A good example of this is Exchange 2003 and Exchange 2007, a lot of people will be finding their old software is not 64 bit compatible which Exchange 2007 insists on and the Software houses charge to upgrade!)
Many software based products integrate themselves so much that in the un-install guide it suggests flattening the Server and reinstalling the Operating System so this means you cant change providers easily.
Training and Updating  To install the software correctly you firstly need to understand how to use it, this represents a cost in time.
The products also need constant updating and tweaking to make them work well, again, this represents a cost in time.
Backups  There are a few problems with this, you only have email as far back as your last backup (EG Server fails at 4:30PM then you lose the best part of a days email) and someone has to remember to conduct the backup and check it worked which is more time and more money.  The other problem is that email stores are normally very large so off site solutions are either not possible or you need to spend more money on a decent backup solution.
This is a single point of failure so if the server or internet connection fails will mean lots of bounce back messages.
Recommendation
If you think this is right for you then GFI would be my recommendation.

Hardware based Solution
This is where you install a Hardware Firewall which handles all the scanning.
Pros
They are part or totally managed by the manufacturers.
They stop the threats before it gets onto your network.
They handle the load which frees up and speeds up your server.
Some backup your email but this is normally extra cost in most cases.
Cons
Unless you have deep pockets and buy two then you have a single point of failure and even then, if you lose your internet you still will get lots of bounce back messages.
They are traditionally expensive as there is Hardware involved and then a maintenance agreement on top.
The licenses are normally pretty rigid and you normally get roped into a support contract for updates and support
Yes they perform a backup but they still need to backed up themselves as they are still susceptible to Fire, Flood, Theft and Total Failure!
They still need some configuration which is time and money.
Recommendation
If you think this is right for you then PineApp or Barracuda are good.

SaaS based Solution
This is where a provider processes your email and then sends it (Relays) it to you.
Pros
They are totally managed by the provider so anyone of any technical ability can use them.
They usually have very high SLAs so you can virtually guarantee your email will be working and no bounce backs.
They work in the cloud so threats never make it to your network.
They take the load and only pass good messages to your network so your server or PC runs faster.
There is no software to install so you can have any SMTP based system and it will work.
There is no software to install so it doesnt matter if you want to change your system.
Backups are done with some providers and this is a live backup so you wont lose a message between backups or have to copy many gig of data off site each night.
Some of the emerging ones are a very cheap alternative.
They are unmanaged so leave it to the experts and get on with something else and also, stopping spam is very tedious.
Cons
Some are not highly configurable but some are so choose wisely.
Recommendation
If you think this is right for you then Message Labs or the one I use MailFilterUK are brilliant.
0
 
LVL 13

Accepted Solution

by:
shadowlesss earned 500 total points
ID: 24736644
The hub will function just just as effective.  The drawbacks are that you don't have a machine on the perimeter and turning on this functionality will have some impact on your hub servers perfomance.
0
 
LVL 13

Expert Comment

by:shadowlesss
ID: 24736661
VoyagerHealthCare:

You could always look at products like this for fighting spam...

http://www.sophos.com/products/enterprise/email/security-and-control/appliances/
0
 

Author Comment

by:VoyagerHealthCare
ID: 24736729
Thanks Purple, I pretty much know all that, I was just trying to determine what my options are withing Exchange 2007. If I went with a 3rd party, I would use Spam assassin for sure.

Shadowlesss:  Thanks for your help, I think for know, I will go with the script just to stop the bulk of the spam. In the future, I would like to use Spam Assassin on the front and let that hand off to exchange.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
how to add IIS SMTP to handle application/Scanner relays into office 365.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question