MCITP Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide, part 8


Chapter 14: Planning Antivirus and Antispam for Exchange Server 2007

Planning and Implementing Exchange Server 2007 Antispam Features

Exercise 14.5 outlines the instructions to configure sender filtering on the Exchange Server 2007 server. Note that the procedure described is applied only to the local system. If you are running more than one Edge Transport server in your organization, then follow the procedure on your other Edge Transport servers to maintain consistency.

EXERCISE 14.6: Configuring Sender Filtering

Use the following steps to configure sender filtering:

1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the sender-filtering agent, and then click on Properties.
5. The General tab of the Agent Properties window displays its current status (Enabled or Disabled), the last time the agent's settings were modified, and a brief description of the agent. Click on the Blocked Senders tab to add, edit, or delete entries in the Blocked Senders list.
6. At the bottom of the window shown below, choose the Block Messages from Blank Senders option. This option blocks messages that do not specify the sender's email address. (A common technique of spammers is to hide the sender address or not specify an email address in the sender field.) Click on Add.
7. In the Add Blocked Senders dialog box, under Individual E-mail Address, type in the email address of a sender (rawlinson@externaldomain.com in this example), as shown below, and then click OK to continue. You also can choose Domain to block particular domains and subdomains.
8. On the Action tab, ensure that Reject Message is selected. Alternatively, you can choose to stamp messages with "Blocked Sender" and continue processing instead of rejecting the messages.
9. Click Apply to save changes, or click OK to save changes and close the window.
10. Close the Exchange Management Console.

Sender filtering allows you to use the asterisk (*) wildcard to block multiple email addresses. For example, you can add *@externalcompany.com to the Individual Email Address field to block all emails from externalcompany.com. You can get the same result by adding externalcompany.com to the Domain field.

Sender filtering overrides the Outlook Safe Senders list, which means that your Edge Server will reject/stamp the message even if your users/recipients have included the sender on an Outlook Safe Senders list.

Once you configure sender filtering, the next step is to test your changes. Exercise 14.7 outlines the steps to test sender filtering on the Exchange Server 2007.

EXERCISE 14.7: Testing Sender Filtering

To test sender filtering, follow these steps:

1. Log on to the server on which you want to run this command.
2. Click Start > Run, type cmd.exe, then press Enter or click OK.
3. In the command-prompt window, type telnet YourExchangeServername 25, and then press Enter.
4. Type EHLO, and then press Enter.
5. Type Mail From: mcitp.user2@externaldomain.com, and then press Enter. Confirm that you receive a "sender denied" message.
6. Type Quit to exit, and then press Enter.
7. Type Exit to close the command prompt and return to the Windows Shell.

Recipient Filtering

Emails that are not rejected by sender filtering are handed over to the recipient-filtering agent. Recipient filtering is similar to sender filtering, except it is designed for your Exchange organization and is based on the recipient address instead of sender address. With recipient filtering you can block email messages from the Internet to specific internal email addresses. This option is extremely helpful in stopping spam to specific email accounts, such as those that are no longer active in your organization, or commonly named email accounts (such as info@mycompany.com or sales@mycompany.com).

Recipient filtering checks the recipient of the email against the Blocked Recipient list. If the recipient is not listed, the email is handed over to the next agent. If the Edge Transport server receives an email message addressed to a recipient that is either listed on the Blocked Recipient list or not present in the Global Address List, a "550 5.1.1 User unknown" SMTP session error will be returned to the sender of the message.

Recipient filtering is enabled by default and can be configured using the Exchange Management Console or Exchange Management Shell. If you decide to disable recipient filtering, you can do so by using the EMC and the EMS. Disabling recipient filtering using the EMC is simple. Right-click on the agent icon in the Action pane and select Disable. To disable recipient filtering using the EMS, run the set-RecipientFilterConfig -Enabled $false command.

Exercise 14.8 outlines the instructions to configure recipient filtering on the Exchange Server 2007 server. Note that the procedure described in the exercise applies only to the local system. If you are running more than one Edge Transport server in your organization, follow the procedure on your other Edge Transport servers to maintain consistency.

EXERCISE 14.8: Configuring Recipient Filtering

Use the following steps to configure recipient filtering:

1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Anti-spam tab, right-click on the recipient-filtering agent, and then click on Properties.
5. The General tab of the Agent Properties window displays its current status (Enabled or Disabled), the last time the agent's settings were modified, and a brief description of the agent. Click on the Blocked Recipient tab to add, edit, or delete entries in the Blocked Recipient list.
6. Click on Block the Following Recipients. In the Block the Following Recipients text box, type mcitp.baduser@exchange2007.com and then click Add to continue. Click Add again to add more recipients. Spammers often send emails to common names (such as Michelle, Cindy, Lisa, John, Jason, James, etc.). To address the "common recipient" spamming technique, you can block messages that are sent to recipients not listed in your Global Address List. As shown below, simply check the box to block messages sent to recipients not listed in the Global Address List.
7. Click Apply to save changes, or click OK to save changes and close the window.
8. Close the Exchange Management Console.

Any email addresses entered on the Blocked Recipients list will be blocked only for senders who are located outside of your organization or who are sending emails from the Internet. Internal users will still be able to send messages to recipients listed in the Blocked Recipient list. Recipient filtering allows you to enter up to 800 email addresses.

Once you configure recipient filtering, the next step is to test your changes. Exercise 14.9 outlines the steps to test recipient filtering on the Exchange Server 2007.
The Edge Transport server receives the recipient list from the Active Directory. Because recipient filtering can only check recipients in the Global Address List, you must configure the EdgeSync process between the Active Directory Application Mode (ADAM) and Active Directory forest for recipient lookup.

EXERCISE 14.9: Testing Recipient Filtering

Follow these steps to test your recipient filtering:

1. Log on to the server on which you want to run this command.
2. Click Start > Run, then type cmd.exe. Press Enter or click OK.
3. In the command-prompt window, type telnet YourExchangeServername 25, and then press Enter.
4. Type EHLO and then press Enter.
5. Type Mail From: mcitp.user1@externaldomain.com and then press Enter.
6. Type Rcpt To: mcitp.user2@yourdomain.com and then press Enter. Confirm that you receive a "user unknown" message.
7. Type Quit to exit, and then press Enter.
8. Type Exit to close the command prompt and return to the Windows shell.

Sender ID Filtering

If an email message has not been rejected by sender filtering and recipient filtering, it goes to sender ID filtering. Sender ID filtering counters domain spoofing and phishing schemes by ensuring that an email message is sent from an SMTP server that is authorized to send email messages for a specific domain. Recipient servers accomplish this by extracting the email address in the From field of the message headers and checking the address of the sending email server against a list of registered servers that the domain owner has authorized to send emails. When configured correctly, sender ID filtering can help you accurately eliminate malicious email without additional analysis of its content. All verification is performed automatically by the Edge Transport server or Hub Transport server before the message is delivered to the recipient. Once the sender ID has been recognized and authenticated, the email message is delivered to other filters for additional processing.

Sender Policy Framework (SPF) Records

To configure sender ID filtering, you must first understand the Sender Policy Framework (SPF) records. SPF records work with sender ID filtering to stop malicious emails. The SPF record is a piece of information on the DNS servers that is required by sender ID filtering to determine whether the email message was sent by an authorized server for the specified domain. In simple terms, an SPF record is a listing of authorized SMTP servers for a particular domain or set of domains in the DNS database. Publishing an SPF record in the public DNS allows the recipient SMTP servers to perform a reverse Mail Exchanger (MX) lookup by cross-referencing the IP addresses of the authorized SMTP servers against that organization's DNS entry for their domain.

SPF records can be in different formats. Here are a few examples:

mcitpdomain.com IN TXT "v=spf1 mx -all"
This indicates that all servers identified by an MX record for the mcitpdomain.com domain are allowed to send email for that domain.

v=spf1 mx ip4:192.168.10.10 -all
This SPF record indicates that server 192.168.10.10 identified by an MX record is allowed to send email for your domain.

MAIL IN TXT "v=spf1 a -all"
This SPF record indicates that server MAIL is allowed to send email for your domain.

mcitpdomain.com IN TXT "v=spf1 ip4:192.168.10.10 -all"
This SPF record indicates that a server with IP address 192.168.10.10 is allowed to send email for the mcitpdomain.com domain.

v=spf1 mx mx:mail1.mcitpdomain.com mx:mail2.mcitpdomain.com mx:mail3.mcitpdomain.com -all
This SPF record for mcitpdomain.com uses an MX record to identify three mail servers (mail1, mail2, and mail3) that are authorized to send emails from the mcitpdomain.com domain.

Creating a Sender Policy Framework (SPF) Record

To create SPF records, you can use Microsoft's four-step wizard. If you want to use the advanced features of SPF format, you may need to manually edit the SPF record created by the wizard. Exercise 14.10 outlines the steps to create an SPF record.

The record example for mcitpdomain.com looks like this:

v=spf1 mx mx:mail1.mcitpdomain.com mx:mail2.mcitpdomain.com mx:mail3.mcitpdomain.com -all

Where:

v=spf1 designates that this is an SPF record and it is version 1.

mx mx:mail1.mcitpdomain.com mx:mail2.mcitpdomain.com mx:mail3.mcitpdomain.com signifies that mail1, mail2, and mail3 are authorized to send and receive email for mcitpdomain.com.

-all designates that no one besides the IP addresses in mcitpdomain.com's MX records is authorized to send email.

EXERCISE 14.10: Creating an SPF Record

1. The wizard is found online at http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/.
2. At Identify Your Domain, enter the domain name for which you want to create a new SPF record (in this example, mcitpdomain.com).
3. At Display Published DNS Records, you'll see that the wizard checked the DNS for information about mcitpdomain.com, including existing SPF, MX, and A records. If an SPF record was found, you can verify its contents and use the remaining steps of the wizard to modify the record. If no SPF record was found, you can use information from the domain's MX and A records to create a new SPF record.
EXERCISE 14.10 (continued)

4. At Create SPF Record, the wizard prompts you to choose proper options to create SPF records. This step is divided into different sections. Your choices are as follows:
   No Mail Is Sent from Domain: Choose this option if the domain does not send email.
   Domain's Inbound Servers May Send Mail: Choose this option if your inbound mail servers are also used to send outbound mail.
   All Addresses Listed in A Records May Send Mail: If all the IP addresses listed in A records for your domain in DNS are outbound mail servers, you should include this option in your new SPF record. You also can enter any additional IP addresses you wish to add to your SPF record.
   All PTR Records Resolve to Outbound Email Servers: Choose this option if all reverse DNS Pointer records (PTR) resolve to the domain's outbound email servers.
   Outsourced Domains: Choose this option if the domain's outbound email is routed through another domain (outsourced).
   Does Your Domain Send Email from Any IP Addresses That Are Not Identified in the Above Sections? Choose appropriate settings for your environment.
5. At Generate SPF Record, the wizard will provide you with the generated SPF records.

Configuring Sender ID Filtering

Sender ID filtering is enabled by default and can be configured using the Exchange Management Console or Exchange Management Shell. You also can disable sender ID filtering by using the EMC and the EMS. Disabling sender ID filtering using the EMC is simple. Right-click on the agent icon in the Action pane, and then select Disable. To disable sender ID filtering using the EMS, run the Set-SenderIdConfig -Enabled $false command.

The following exercise outlines the steps to configure sender ID filtering on the Exchange Server 2007 server. Note that the procedure described in the following section applies only to the local system. If you are running more than one Edge Transport server in your organization, follow the procedure on your other Edge Transport servers to maintain consistency.

EXERCISE 14.11: Configuring the Sender ID Filtering Agent

To configure the sender ID filtering agent, follow these steps:

1. Log on to the server on which you want to run this command.
2. Click Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange Management Console.
3. Select Edge Transport in the Console tree.
4. Click on the Antispam tab, right-click on the Sender ID agent, and then click on Properties.
5. Click on the Action tab. As shown below, you can configure sender ID filtering to reject a message, delete a message, or stamp a message with the sender ID result and continue processing.
   Choose Reject Message if you want to reject the message and send an error response to the sending server.
   Choose Delete Message if you want to delete the message without notifying the sender.
   Choose Stamp Message with Sender ID Result and Continue Processing if you are planning to append certain information to the message headers for the content-filtering agent. This information, often referred to as metadata, is used by the content filter to create the SCL.
6. Click OK to continue.
7. Close the Exchange Management Console.

How Sender ID Filtering Works

To use sender ID filtering, the sender organization must create a Sender Policy Framework record and publish it as a DNS host record on the sender's public DNS servers. The published SPF record is a single TXT record in the public DNS database that holds the IP address information of the SMTP servers that are allowed to send emails for that domain. The receiving Exchange servers check the SPF records to confirm that the sending SMTP server is on the list of authorized servers for that particular domain. If the sending SMTP server is not listed, then the receiving Exchange server will assume the email is coming from an unauthorized server and either drop the message or forward it with additional header information.

In general, sender ID filtering works as follows:

1. The message is received by the Exchange Edge Transport server.
2. The Edge Transport server checks the IP address of the sending SMTP server and queries the DNS for the SPF record.
3. If the SPF record matches the sender SMTP server, the Edge Transport server forwards the message to the next filter for additional processing or sends it to the recipient, depending on how your environment is configured.
4. If the SPF record does not match the sender SMTP server, the Edge Transport server will drop the message or forward it with additional header information.

We highly recommend that you create an SPF record for your domain. Doing so helps protect your domain and makes it difficult for spammers to forge your domain name and use it to spam to other organizations.

Content Filtering

Content filtering is another antispam agent that blocks or quarantines messages based on their content, regardless of the originating SMTP servers. Content filtering analyzes the content of all the emails received by your Edge Transport server to evaluate whether the messages are spam. It is useful for identifying messages containing content deemed unacceptable to your organization, such as advertisements or sexually explicit remarks.

[...]
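The four-step check listed under How Sender ID Filtering Works, applied to the kind of record shown in the SPF examples, can be traced in code. This is an added example, not code from the study guide or from Exchange: it evaluates a v=spf1 record against the connecting server's IP address using a constructed in-memory DNS zone, and supports only the mechanisms the page uses (mx, a, ip4, all). The names ZONE, check_spf and agent_decision, the sample addresses, and the mapping of a fail result onto the three Action-tab choices are assumptions made for illustration.

```python
import ipaddress

# Constructed, offline stand-in for public DNS (names and addresses are sample data).
ZONE = {
    "TXT": {"mcitpdomain.com": ["v=spf1 mx ip4:192.168.10.10 -all"],
            "parked.example": ["v=spf1 -all"]},
    "MX": {"mcitpdomain.com": ["mail1.mcitpdomain.com", "mail2.mcitpdomain.com"]},
    "A": {"mail1.mcitpdomain.com": ["192.168.10.21"],
          "mail2.mcitpdomain.com": ["192.168.10.22"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech, arg, domain, ip):
    """Return True if a single mechanism authorizes the connecting IP."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = (arg or domain).lower()
    if mech == "a":
        hosts = [target]
    elif mech == "mx":
        # "mx:<name>" authorizes the hosts named in <name>'s MX records.
        hosts = ZONE["MX"].get(target, [])
    else:
        raise ValueError("unsupported term: " + mech)
    addresses = [a for h in hosts for a in ZONE["A"].get(h, [])]
    return any(ip == ipaddress.ip_address(a) for a in addresses)


def check_spf(sender, client_ip):
    """Evaluate the sender domain's v=spf1 record against the connecting IP."""
    domain = sender.rsplit("@", 1)[-1].lower()
    records = [r for r in ZONE["TXT"].get(domain, [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"           # domain publishes no SPF record
    if len(records) > 1:
        return "permerror"      # more than one SPF record is a publishing error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].lower().split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        try:
            if _matches(mech, arg, domain, ip):
                return QUALIFIERS[qualifier]
        except ValueError:
            return "permerror"  # malformed or unsupported term in this sketch
    return "neutral"            # nothing matched and the record has no "all"


def agent_decision(sender, client_ip, on_fail="reject"):
    """Apply one of the three Action-tab choices; only a fail is acted on."""
    result = check_spf(sender, client_ip)
    if result == "fail" and on_fail in ("reject", "delete"):
        return on_fail, result
    return "stamp-and-continue", result


if __name__ == "__main__":
    for ip in ("192.168.10.22", "192.168.10.10", "203.0.113.7"):
        print(ip, agent_decision("user@mcitpdomain.com", ip))
```

Terms are evaluated left to right and the first match decides the result, which is why the trailing -all only takes effect for servers that none of the earlier mechanisms authorized.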
... in Exchange 2000 and Exchange 2003 and has integrated several built-in features in Exchange Server 2007 to stop threats before they affect your organization and users. Exchange Server 2007 supports Forefront Security for Exchange Server 2007, which is included in the Exchange 2007 Enterprise CAL, and it also supports third-party products such as McAfee, Symantec, and others. It is important to understand...

... Security for Exchange Server also will be licensed to use Microsoft Antigen for Exchange, Microsoft Antigen for SMTP Gateways, and Antigen Spam Manager to protect Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 environments.

Mail cluster support: Supports Exchange Server 2007 cluster continuous replication (CCR), ensuring that both active and passive nodes have up-to-date signatures and configuration...

... or OK to save changes and close the Content Filtering dialog box.
8. Close the EMC.

Content filtering also allows you to define keywords or phrases to be blocked on the Exchange 2007 Edge Transport server. For example, you...

... agent, and then click on Enable or Disable.
5. Close the Exchange Management Console.

To disable the content-filtering agent using the Exchange Management Shell, run the set-ContentFilterConfig -Enabled $false command.

... Type mcitp.user1@yourcompany.com, as shown below, and then click Add.

To add more email addresses to the list, repeat the procedure. To remove an entry, highlight it, and click Delete. To edit the email address of an entry, highlight it, and click Edit.

... changes, or click OK to save changes and close the window.
8. Close the Exchange Management Console.

Understanding Microsoft Exchange Forefront Security

Microsoft has introduced several new antivirus features for messaging environments. In 2005 Microsoft acquired Sybari and its Antigen products. The former Antigen antivirus is now integrated in Exchange Server 2007 as Microsoft Exchange Forefront Security. The...

... box, type Sex and then click Add, as shown below. Repeat the procedure to add more words to the list.
6. To remove an entry, highlight it and click Delete.
7. Click Apply to save your changes, or OK to save changes and close the Content Filtering dialog box.
8. Close the EMC.

... Security for Exchange Server is included in the Exchange Enterprise CAL. Microsoft also recently introduced Forefront Client Security (for business desktops, laptops, and server operating systems) and Forefront Security for SharePoint.

Forefront Security for Exchange provides...

... denial-of-service attacks, and worms. To respond to these challenges, Microsoft integrated several built-in features in Exchange Server 2007 and introduced Microsoft Exchange Hosted Services.

Understand the use of antispam agents. Exchange Server 2007 has several built-in antispam agents. You must understand the differences between them, and the usage and configuration of these antispam agents for the exam.

Know...

... Which of the following Microsoft Exchange Hosted Services will help you to achieve this?
A. Microsoft Exchange Hosted filtering (known as FrontBridge)
B. Microsoft Exchange Hosted archive
C. Microsoft Exchange Hosted continuity
D. Microsoft Exchange Hosted encryption
E. None of the above

2. Which of the following is not a component of Microsoft Exchange Hosted Services?
A. Microsoft Exchange Hosted filtering

Date posted: 09/08/2014, 07:20
