Stopping Spam for Exchange Users

Spam doesn’t have to be a way of life; add to the built-in spam tools in Exchange Server with services that can almost banish spam from the inbox.

Spam is out of control, and there’s no sign of things getting any better. Take out one spam-friendly hosting provider and the volume drops for a while, but it’s soon back up to its current ridiculous level of over 96% of all email. While much of it is still advertising, there are an increasing proportion of phishing mails and messages that either contain malware, or try to direct readers to Web sites that are ready to deliver malware to any passing PC. It’s not only the danger to information and networks, or even the waste of storage space - it’s also the time that users take deleting spam, time that costs your clients significant sums of money every day.

While spam is at an all-time high, the tools we have to defend networks and mailboxes from spam keep getting better. Protecting networks may not solve the spam problem, but it does mean that your clients’ users won’t be spending all day deleting messages from fake Viagra vendors and online casinos.

Google’s Postini service has a similar console view to Forefront, with details of the messages flowing through the service to your client’s mail server.

ISPs are the first line of defence, and many now apply anti-spam measures that stop spam from even reaching your routers. Generally these are passive approaches, for example rejecting mail that’s sent directly to a secondary MX record, rather than to a primary (a common spammer tactic). It’ll stop a reasonable percentage of spam messages from reaching your clients’ networks, but it’s by no means a panacea. To get around the wily ways of the spammer, you’re going to need to take much more active measures.

Those active measures often take advantage of one of the technologies that underpin the Internet – DNS. Using DNS technologies, DNS-based Block Lists (DNSBLs), or as they are often called Real-Time Block Lists (RBLs), give mail servers and anti-spam tools a quick and easy way of checking if mail is from a legitimate source or from a known spam gateway. That used to be a lot easier to do, when spammers used their own mail servers to deliver spam messages. Now it’s a lot harder, as botnets pump out spam using home DSL IP addresses. Some ISPs block any email associated with a DSL IP address (and lists are readily available if you want to do that yourself, although this approach can block legitimate customers too), while a new generation of RBLs use their own network of honeypots to track spam sources, updating their lists on the fly to take account of the changing environment of botnets and exploited desktop PCs.

Microsoft Exchange comes with a significant number of anti-spam measures out of the box; the tools we’ve covered in Exchange Server 2007 haven’t changed in Exchange 2010 and setting up and managing Exchange’s anti-spam tools is still as easy as ticking a few boxes and filling in the details of your chosen RBL provider (Spamhaus maintains its excellent reputation, and is well worth considering as it’s free for relatively low-volume queries). Microsoft regularly updates the content-based side of its anti-spam tools with new spam signatures – though you’ll need to make sure that you’re handling updates appropriately in order to keep them up to date.

It’s a good start, but Exchange’s built-in anti-spam tooling isn’t state of the art. It’s sufficient for most purposes, but can be prone to false positives. That means managing your own whitelists, and handling the contents of Exchange’s quarantine mailbox. There’s another downside to Microsoft’s signature-based approach to anti-spam: the signature files are publically available, and spammers can quickly re-tailor their spam content to bypass Microsoft’s filters.

There are alternatives – and additions – that can help reduce the risk of spam entering Exchange mailboxes. One of these is Microsoft’s Forefront Protection 2010 for Exchange Server. It’s a long name, but a very powerful tool. The result of Microsoft’s 2005 acquisition of Sybari (where it was called Antigen), Forefront is a family of security tools, with Forefront Protection adding spam and malware protection to Exchange servers. You can get an evaluation copy from

Forefront Protection 2010 uses multiple anti-spam and anti-malware engines to protect mail, blocking, deleting or quarantining messages. There are five antivirus engines: Microsoft AV, Kaspersky, Norman, VirusBuster and Authenium. You can use all five at once, or set up Forefront to use a subset of the available engines. The latter approach works well, as it means that you’re using a different mix of engines for each message, without overloading the server. Microsoft does change its engine strategy, so keep an eye on the Antimalware Engine Notifications and Developments Web page to ensure that your deployments are using the most up to date set of engines ( The main anti-spam engine is Cloudmark’s signature-based service, as used by many of the largest ISPs. There’s no need to manually update engines once Forefront Protection is in place – Microsoft will handle updates automatically.

You can install Forefront Protection directly onto an Exchange Server, or on its own hardware as part of a distributed messaging architecture. Most SMEs don’t need complex mail infrastructures, so we’d recommend installing on the same server. You’ll need to be careful about resources though, as the combination of Exchange and Forefront Protection can be both processor and memory intensive: we’d suggest a quad core system with at least 8GB of memory for a combined Exchange/Forefront installation servicing up to around 50 users (smaller networks can get away with less, but this will require some tuning of Forefront’s scanning engines).

Installing on an existing Exchange system won’t affect operations, with minimal downtime as the system configures itself. Once in place the system will quickly download the latest engine updates, protecting mail without needing additional configuration. Security out-of-the-box means that your clients’ networks will be protected as soon as you’ve finished installation, though you probably will want to provide additional configuration to support site-specific needs.

Once installed, open the Administrator Console to complete configuration. One of the first areas that you’ll want to change is how Forefront notifies users (and senders) of rejected and quarantined messages. There are a number of different messages that can be configured, ranging from errors to whether malware has been found in a message. In some cases, especially for malware detection, it’s a good idea to notify the sender that a message has been blocked. You should spend some time sitting down with your clients determining what response policies you should use – including the often contentious issue of whether to notify senders if a message has been identified as spam.

Other configuration options let you control the size of the database used for handling what Forefront Protection calls ‘incidents’, logs of spam and malware, as well as quarantined messages. You can also purge stored information automatically; the default of 30 days should be sufficient for most small and medium size organisations.

One of Forefront Protection’s capabilities is its ability to scan existing mailboxes. It’s a good idea to do this regularly, to ensure that updated malware signatures keep your clients’ networks clean (configure a Mailbox Scheduled malware scan to handle this). However, sometimes you’ll need to run a scan right now (if you’re dealing with a malware outbreak or you join new users or PCs to the server). Use the Tasks section of the Administrator Console to configure and run On-Demand scans of mailboxes, where you can scan individual mailboxes, or an entire mail server. Messages that contain malware can be deleted and replaced with an appropriate message to keep users informed.

Switching to Policy Management gives you the tools you need to fine tune a Forefront Protection installation. Use the Mailbox Realtime option to configure malware scans, where you can choose how to deal with viruses and spyware. You can also choose the number of processes used by Forefront Protection, increasing them for busy mail systems with lots of users and reducing them for smaller networks. Other options let you choose to use all the available scanning engines, or a dynamically-chosen subset. The latter option helps keep your servers more flexible, and reduces the effects of scanning on performance. Use the Mailbox Scheduled option to handle regular scans of mail in mailboxes with the latest malware signatures.

You can also use the console’s Policy Management tools to configure the anti-spam tools. Forefront Protection uses a pipeline of different anti-spam features, which can be enabled separately. Connection filtering uses DNSBL techniques, along with your own IP block and allow lists. One thing to note: you can only whitelist IP addresses with Forefront Protection. There’s also support for Sender ID, Sender Block Lists and Recipient Filtering, which will reject messages sent to addresses that aren’t in the Exchange Global Address List. One other option helps protect users from backscatter spam (often received when spammers fake a user’s email address).
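The DNSBL lookup behind connection filtering, as an added example that is not code from the article or from Forefront: it builds the reversed-octet query name a DNSBL expects, applies the local allow and block lists before consulting the DNSBL, and fails open on an answer outside 127.0.0.0/8 (the usual symptom of a dead or wildcarded list zone). The zone name dnsbl.example, the list contents and the answers are constructed placeholders so the example runs offline.

```python
import ipaddress
import socket

# Constructed sample data (not from the article): a local allow list, a local
# block list and a placeholder DNSBL zone name, so the example runs offline.
ALLOW_LIST = {"203.0.113.10"}
BLOCK_LIST = {"198.51.100.77"}
LOOKUP_DOMAIN = "dnsbl.example"  # placeholder; a real deployment names its RBL provider's zone

# Constructed answers keyed by the reversed-octet name a DNSBL is queried with.
# By convention a listing answers with an address in 127.0.0.0/8; the last
# octet usually encodes why the address is listed (a provider-specific code).
FAKE_ZONE = {
    "55.2.0.192.dnsbl.example": "127.0.0.2",    # 192.0.2.55 listed as a spam source
    "57.2.0.192.dnsbl.example": "203.0.113.1",  # bogus answer, as a dead/wildcarded zone gives
}


def dnsbl_query_name(ip: str, lookup_domain: str) -> str:
    """Build the query name: IPv4 octets reversed, under the provider's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{lookup_domain}"


def resolve_fake(name: str):
    """Offline resolver used here; None stands for NXDOMAIN, i.e. not listed."""
    return FAKE_ZONE.get(name)


def resolve_live(name: str):
    """Real lookup for a live system (not exercised by the offline example)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def connection_filter(ip: str, resolve=resolve_fake):
    """Return (verdict, reason) for a connecting IP.

    Order mirrors a connection-filtering stage: the local allow list wins,
    then the local block list, and only then is the DNSBL consulted.
    """
    if ip in ALLOW_LIST:
        return ("accept", "local allow list")
    if ip in BLOCK_LIST:
        return ("reject", "local block list")
    answer = resolve(dnsbl_query_name(ip, LOOKUP_DOMAIN))
    if answer is None:
        return ("accept", "not listed")
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        # Anything outside 127/8 is not a listing code. Dead or wildcarded zones
        # answer like this for every query; failing open avoids rejecting all mail.
        return ("accept", f"ignored unexpected DNSBL answer {answer}")
    return ("reject", f"listed in {LOOKUP_DOMAIN} ({answer})")
```

Swap resolve_live in for resolve_fake to query a real provider's zone; the allow-list-first ordering is what lets you rescue a legitimate sender that a list has caught.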

There’s another side to Forefront Protection, as it can also be used as part of a data leak prevention strategy. You can create filters that stop specific files or file types from leaving a network – as well as blocking messages to specific email addresses. Of course there’s also the option to give certain users additional privileges, so while most users can be blocked from sending mail to Hotmail or Gmail, a client’s marketing department can be allowed to send mail anywhere.

If you’re using Forefront Protection 2010 for Exchange, it’s well worth downloading the Forefront Protection Script Kit ( This set of PowerShell scripts helps you manage server configurations, letting you push snapshots to several servers, ensuring they’re all using the same configuration. Other scripts help you compare configurations, which can be a useful debugging tool when trying to track down why one server isn’t quite performing the way you want. The kit also gives you scripts to extract server statistics, helping build management reports outside of the Forefront management console.

Cloud protection

You don’t need local protection tools to keep your clients’ mail servers almost spam-free. Cloud services can take processor-intensive scans away from their networks and servers, while ensuring that the latest malware and spam signatures are in use. Microsoft offers a cloud-based version, Forefront Online Protection for Exchange, which you can manage using the familiar Administration Console, choosing to quarantine messages in Microsoft’s own data centre or on your clients’ servers.

You’re not restricted to Microsoft’s tools and services, although other options may require reconfiguration of the mail infrastructure. Google’s Postini service offers spam and malware filtering, acting as an SMTP relay for your existing mail services. Messages are sent through Postini’s servers – with the service relaying both incoming and outgoing messages. Postini offers additional services, including mail discovery tools that help with compliance and data-loss prevention. You will need to move clients’ MX DNS records to point to any cloud security provider, so you will need to run existing anti-spam tools for a few days while MX records propagate through DNS. Once all mail is flowing through your chosen cloud provider, you can turn off any anti-spam servers you’re running for your clients.

Another option comes in the shape of network anti-spam appliances. Some SonicWall SME routers offer a hybrid cloud and local anti-spam service without requiring additional hardware, while Symantec’s Brightmail appliances offer comprehensive anti-spam solutions for larger networks. With spam still flowing faster and faster, it’s good to know that there are many different options for protecting your clients’ mail systems; if you can’t completely stop spam, you can certainly make it manageable.


Forefront Protection 2010 for Exchange on TechNet
Microsoft’s best practices and documentation for Forefront:

Forefront Protection 2010 for Exchange Free Trial
Evaluate Forefront Protection with this free download:

Forefront Team Blog
Follow announcements and tips from the Forefront team at Microsoft:

See Also

Volume 2, Edition 2
Dealing with spam in Exchange 2007
feature finder code 2232a


Forefront Protection 2010 For Exchange Server
Contact resellers for pricing

Forefront Online Protection For Exchange
Contact resellers for pricing

Google Postini
£6 per user per year

Symantec Brightmail Gateway Small Business Edition
Contact resellers for pricing

Cloudmark DesktopOne
$19.95 per year

Protecting the desktop – on a budget

Forefront Protection 2010’s Administrator Console gives you a quick look at just how effective it is at protecting a mail server; here it’s blocked over 2000 messages from known spam hosts, 600 more that don’t meet the SMTP rules, and a further 137 that have been identified as spam by their content.

Forefront Protection 2010 for Exchange uses the Cloudmark cloud-based anti-spam service. One of the first anti-spam services, Cloudmark uses a mix of techniques to detect and identify spam. Part of this is a network of crowd-source spam notification tools. Users with Cloudmark’s toolbar in their mail client indicate false positives and false negatives, their selections acting as votes for or against a message being classified as spam.

If your clients don’t use a local mail server, you can still provide them with strong anti-spam tools, as Cloudmark has recently launched DesktopOne, a simple to use anti-spam client that works with both desktop and Web mail. Free for single account/mailbox folder use, DesktopOne can be configured to work with Gmail and Hotmail, as well as with free mail clients like Thunderbird and Windows Live Mail. The tool is easy to configure, and if your clients pay for subscriptions, can be installed on two machines per user – protecting a desktop and a laptop. Messages sent by people in a user’s address book are automatically whitelisted, reducing the risk of false positives.

DesktopOne’s toolbar integrates well with the Outlook 2010 ribbon, and gives users a one-click approach to marking messages as spam or redirecting them out of DesktopOne’s spam folder.

Setting up Forefront to block spam

  1. Use the Forefront Protection 2010 Administrator Console to control how it scans for messages. The Mailbox real time scan monitors incoming mail for spam, scanning it as it arrives in your clients’ users’ mailboxes.

  2. Use the Antispam configuration screen to manage Forefront Protection 2010’s anti-spam pipeline. Messages are passed through successive filters, with the most basic connection filtering first, and processor intensive content filtering last. The result is an efficient use of server resources for maximum protection.

  3. If you need to configure Forefront Protection’s anti-malware and anti-spam engines, choose the Advanced Options. You can choose which engines to use for which type of scan, helping optimise server resources.


Alexandr Vlasov

Business Development Executive Groteck Business Media

How would you compare IT market in Russia with IT markets in Europe?

Today, the IT market in Russia is less than that in Europe. However, the Russian market grows many times faster than the European one. Until 2008, the information technologies market in Russia was growing by leaps and bounds – up to 40% per year – meanwhile the market in Europe was growing by 5% per year. In 2009, the IT market in Russia grew by approximately 10%. In 2010, a 15-20% growth of the Russian IT market is expected.

Who are the featured speakers and hot topics at “Infosecurity Russia. Storage Expo. Documation’2010”?

The speakers at the event will be the representatives of the biggest Russian and foreign companies like Qualys Inc. (Philippe Courtot, Chairman and CEO), Trend Micro (Raimund Genes, CTO), OAO Gazprom (Yuriy Lavrukhin), JSC “Russian Railways” (Alexandr Glukhov); the representatives of Russian regulators like FSB (Federal Security Service of Russia) (Alexey Kuzmin, Alexandr Baranov), FSTEC of Russia (Federal Service for Technical and Export Control) (Vladimir Selin), Security Council of the Russian Federation (Sergey Korotkov); heads of the biggest Russian and foreign vendors.

According to a study conducted by Groteck Business Media in January-May 2010, the most interesting and actual topics for both exhibitors and visitors at Infosecurity Russia. Storage Expo. Documation’2010 are:

  • Personal data protection,
  • Safety of mobile users,
  • PCI DSS (Payment Card Industry Data Security Standard),
  • DLP (Data Leak Prevention),
  • Data storage – corporate and outsourcing,
  • New threats,
  • Green Internet
  • Security and safety of the national strategic infrastructure (railways, telecoms, etc),
  • Cloud computing,
  • Virtualization.

What makes Infosecurity Russia event stand out from other events in the area?

Unlike other Russian events in the field, we do introduce innovations at Infosecurity Russia. Storage Expo. Documation’2010. Firstly, we measure results (ROI) for every single exhibitor. Secondly, we thoroughly choose the audience; it is prequalified, as the most compelling and successful speeches and events are reached when interests of the audience and the audience structure are known beforehand. Thus, up to 60% of visitors register through the Groteck Smart Event on-line tool well before the exhibition. Thirdly, our unique system Groteck Smart Event allows participants to schedule their appointments. And finally, we are striving to reach the balance between exhibitors presenting equipment in the area of information security, data storage and document management.

