Reduce Spam by using Sender Reputation with Exchange 2007

The majority of the anti-spam mechanisms that are built into Exchange Server 2007 have been around for years. However, Microsoft has included a new anti-spam feature called Sender Reputation Filtering. In this article, I will explain what sender reputation filtering is, and how it works.

The basic concept behind sender reputation filtering is fairly simple. Sender reputation filtering works by using what is known about the sender to determine the likelihood of the sender's message being spam. This is done in a few different ways. The sender reputation filter analyzes the HELO / EHLO statement from the SMTP session, checks to see whether the sending host is an open proxy, and looks at the recent history of messages sent by the sender. These various factors combine to make sender reputation filtering an effective weapon in the war against spam.

The sender reputation filter is found on edge transport servers. In case you’re not familiar with edge transport servers, an edge transport server is a specially designed Exchange Server that sits between the Internet and the rest of the Exchange Server organization.

Its job is to filter spam and malicious content before it can make it into your Exchange Server organization. The nice thing about the sender reputation filter is that it is enabled by default, and you really don’t have to do much configuration. In fact, the Sender Reputation Properties sheet is so simple that a lot of administrators may not even realize how much work the filter is actually doing.

Before I show you how to configure the sender reputation filter, I want to talk a little bit about how the filter works. The first thing that the sender reputation filter does is to try to determine whether the sender has forged the HELO / EHLO statement sent when the SMTP session was initialized. Remember that spammers often use many different HELO / EHLO statements over time from the same IP address. A HELO / EHLO statement also carries the name the sending host claims for itself, which may be a host name or an IP address. If an embedded IP address does not match the IP address from which the connection actually originates, or if the remote host announces itself using one of your own domains, then it is a giveaway that the message is probably spam.
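To make the HELO / EHLO analysis concrete, here is an added example (not code from the article or from Exchange) that applies the three heuristics described above to Receive connector protocol log lines. The log lines are constructed for the example and follow the column layout of an Exchange 2007 Receive connector protocol log; the domains, addresses and the threshold of three distinct names are assumptions. The function is written for PowerShell 3.0 or later, so it is meant to be run against an exported log on a workstation rather than inside the Exchange 2007 shell, and it only handles IPv4 endpoints.

```powershell
# Added example: HELO/EHLO heuristics over Receive connector protocol log lines.
# This approximates the checks described in the article; it is not Exchange's
# own sender reputation code.

# Assumed: the domains this organization accepts mail for. A remote host that
# announces itself with one of these names is lying about who it is.
$localDomains = @('contoso.com', 'mail.contoso.com')

# Constructed sample log. Columns follow the Exchange 2007 Receive connector
# protocol log layout. Event "+" is a connect, "<" is data sent by the client.
# 203.0.113.7 opens three sessions with three different EHLO names; one is an
# IP literal that is not its own address, one claims our domain.
# 198.51.100.20 is a normal sender.
$protocolLog = @'
date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2007-04-02T10:00:00.000Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5B,0,10.0.0.5:25,203.0.113.7:40223,+,,
2007-04-02T10:00:00.010Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5B,1,10.0.0.5:25,203.0.113.7:40223,<,EHLO [198.51.100.9],
2007-04-02T10:05:00.000Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5C,0,10.0.0.5:25,203.0.113.7:40301,+,,
2007-04-02T10:05:00.010Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5C,1,10.0.0.5:25,203.0.113.7:40301,<,EHLO mail.contoso.com,
2007-04-02T10:09:00.000Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5D,0,10.0.0.5:25,203.0.113.7:40377,+,,
2007-04-02T10:09:00.010Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5D,1,10.0.0.5:25,203.0.113.7:40377,<,EHLO bulk-sender-42.example,
2007-04-02T10:12:00.000Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5E,0,10.0.0.5:25,198.51.100.20:51002,+,,
2007-04-02T10:12:00.010Z,EDGE\Default internal Receive connector EDGE,08C96A6B8B3E4B5E,1,10.0.0.5:25,198.51.100.20:51002,<,EHLO smtp.fabrikam.com,
'@

function Get-HeloFindings {
    param(
        [string[]]$LogLines,
        [string[]]$LocalDomains,
        [int]$DistinctHeloThreshold = 3   # assumed cut-off for "many different HELO names"
    )
    $rows = $LogLines | ConvertFrom-Csv

    # Keep only HELO/EHLO commands received from the remote host.
    $helos = foreach ($r in $rows) {
        if ($r.event -eq '<' -and $r.data -match '^(HELO|EHLO)\s+(\S+)') {
            [pscustomobject]@{
                Session  = $r.'session-id'
                RemoteIP = ($r.'remote-endpoint' -split ':')[0]   # IPv4 only
                Helo     = $Matches[2]
            }
        }
    }

    # Count how many distinct HELO names each connecting IP has used.
    $distinctByIP = @{}
    foreach ($g in ($helos | Group-Object RemoteIP)) {
        $names = $g.Group | ForEach-Object { $_.Helo.ToLower() } | Sort-Object -Unique
        $distinctByIP[$g.Name] = @($names).Count
    }

    foreach ($h in $helos) {
        $findings = @()
        # Heuristic 1: an IP literal in HELO that is not the address the connection came from.
        if ($h.Helo -match '^\[?(\d{1,3}(\.\d{1,3}){3})\]?$' -and $Matches[1] -ne $h.RemoteIP) {
            $findings += 'helo-ip-does-not-match-connection'
        }
        # Heuristic 2: a remote host announcing itself as one of our own domains.
        if ($LocalDomains -contains $h.Helo.ToLower()) {
            $findings += 'helo-claims-local-domain'
        }
        # Heuristic 3: the same IP has used many different HELO names over time.
        if ($distinctByIP[$h.RemoteIP] -ge $DistinctHeloThreshold) {
            $findings += 'many-distinct-helo-names'
        }
        [pscustomobject]@{
            Session  = $h.Session
            RemoteIP = $h.RemoteIP
            Helo     = $h.Helo
            Findings = ($findings -join ', ')
        }
    }
}

Get-HeloFindings -LogLines ($protocolLog -split '\r?\n') -LocalDomains $localDomains |
    Format-Table Session, RemoteIP, Helo, Findings -AutoSize
```

With the constructed sample, all three sessions from 203.0.113.7 are flagged for using three different HELO names, the first additionally for the mismatched IP literal and the second for claiming mail.contoso.com, while the session from 198.51.100.20 has no findings. On a real log the interesting output is the per-IP view: a single address cycling through HELO names is the pattern the filter is weighting against it.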

The second thing that the sender reputation filter does is to check the sender’s mail server to see if it has an open proxy. If the sender does have an open proxy, it doesn’t necessarily mean that the message is spam, but it does mean that the message is a whole lot more likely to be spam since spammers can easily pass messages through an open proxy.

Keep in mind that testing for an open proxy is a bit more involved than testing for an open relay. When Exchange Server performs an open proxy test, it attempts to connect through the sending host back to itself; if the edge transport server receives its own test connection, then the sending host is known to be an open proxy. To determine whether or not the sender has an open proxy, Exchange performs tests using HTTP CONNECT, HTTP POST, Telnet, Wingate, SOCKS 4, and SOCKS 5. Keep in mind that in order for the open proxy tests to work correctly, your firewall must allow outbound connections from the edge transport server on ports 1080, 1081, 23, 6588, 3128, and 80. Two caveats follow from this: the tests are active probes of the sending host and will show up in that host's logs as connection attempts from your edge server's address, and if your edge server reaches the Internet only through a proxy of your own, the filter must be told about that proxy or the tests will fail silently.

The last thing that the sender reputation filter looks at is the sender's recent history. As you probably know, each inbound e-mail is assigned a Spam Confidence Level (SCL) rating from zero to nine by the content filter, reflecting how likely the message is to be spam. (The tab in the Sender Reputation Properties sheet is labeled Sender Confidence, but the rating it refers to is the SCL.) The sender reputation filter checks what proportion of the sender's recent messages have received high or low SCL ratings.

The sender reputation filter takes all of the criteria that I've talked about, and calculates a Sender Reputation Level (SRL) value for the sending IP address, ranging from zero to nine. The higher the Sender Reputation Level, the more likely that the sender is a spammer; a zero means there is no evidence against the sender yet.

Now that I’ve talked about how sender reputation filtering works, I want to show you how to configure it. As I mentioned earlier, sender reputation filtering is enabled by default, and there is a minimal amount of configuration that can be performed.

Begin the configuration process by opening the Exchange Management Console on your edge transport server. When the console opens, select the Edge Transport container. When you do, the console’s lower middle pane will display the various filtering mechanisms that are available to you, as shown in Figure A.


Figure A – The Exchange Management Console contains a variety of filtering mechanisms.

Now, right-click on Sender Reputation and choose the Properties command from the resulting shortcut menu. When you do, the console will display the Sender Reputation Properties sheet, shown in Figure B.


Figure B – The Sender Reputation Properties sheet allows you to configure sender reputation filtering.

As you can see in the figure, the properties sheet’s General tab offers a brief explanation of sender reputation filtering. This tab doesn’t actually allow you to configure anything. That being the case, go ahead and select the Sender Confidence tab, shown in Figure C.


Figure C – The Sender Confidence tab gives you the option of performing open proxy tests.

The Sender Confidence tab gives you the option of performing an open proxy test. Open proxy testing is enabled by default, but if you want to disable it you can do so by simply deselecting the check box.

Now take a look at the Action tab, shown in Figure D.


Figure D – The Action tab allows you to set the Sender Reputation Level threshold.

The Action tab allows you to set the Sender Reputation Level threshold, which is 7 by default. When the sender's Sender Reputation Level exceeds the threshold value that you specify, that sender's IP address is added to the IP block list for the number of hours specified in the lower portion of the tab (24 by default). The block is temporary by design: once the entry expires the sender is evaluated again, so lowering the threshold trades fewer spam deliveries for more false positives on legitimate senders that had a bad day.
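The same settings can be read and changed from the Exchange Management Shell on the edge transport server, which is also the only way to point the open proxy tests at a proxy of your own. The following is an added example and not part of the article; the cmdlets and parameter names are the ones Exchange 2007 ships, while the values (threshold 7, a 24-hour block, and the proxy host proxy.contoso.com on port 3128) are assumptions standing in for your own choices.

```powershell
# Added example: Exchange Management Shell equivalent of the Sender Reputation
# Properties sheet. Run on the Edge Transport server.

# Current settings: the Sender Confidence tab check box (OpenProxyDetectionEnabled)
# and the Action tab values (SrlBlockThreshold, SenderBlockingPeriod in hours).
Get-SenderReputationConfig |
    Format-List Enabled, OpenProxyDetectionEnabled, SrlBlockThreshold,
                SenderBlockingEnabled, SenderBlockingPeriod,
                ProxyServerName, ProxyServerPort, ProxyServerType

# Set the threshold and blocking period explicitly (assumed values; these
# happen to match the defaults described in the article).
Set-SenderReputationConfig -OpenProxyDetectionEnabled $true `
                           -SrlBlockThreshold 7 `
                           -SenderBlockingEnabled $true `
                           -SenderBlockingPeriod 24

# If the edge server can only reach the Internet through an outbound proxy,
# the open proxy tests must be routed through it (assumed host and port).
# Omit this step when the firewall simply allows the test ports outbound.
Set-SenderReputationConfig -ProxyServerName 'proxy.contoso.com' `
                           -ProxyServerPort 3128 `
                           -ProxyServerType HttpConnect

# Senders the filter has blocked appear in the Connection Filter's IP block
# list as machine-generated entries with an expiration time; entries an
# administrator adds by hand are not machine generated.
Get-IPBlockListEntry |
    Where-Object { $_.IsMachineGenerated } |
    Sort-Object ExpirationTime |
    Format-Table IPRange, ExpirationTime, Comment -AutoSize
```

The last command is the one to run when a legitimate partner reports bounced mail: if their address shows up as a machine-generated entry, the sender reputation filter blocked it, and Remove-IPBlockListEntry clears it immediately rather than waiting for the expiry.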

Conclusion

In spite of its rather simple interface, the Sender Reputation Filter is a powerful weapon in the war against spam. The best part is that sender reputation filtering is enabled by default on edge transport servers.
