Executive Summary:
| Microsoft Exchange Server 2007 includes new message hygiene features to filter spam at the network perimeter or demilitarized zone (DMZ). |
| A new server role in Exchange Server 2007, the Edge Transport server role, provides built-in filtering features, such as connection filtering, content filtering, attachment filtering, sender and recipient filtering, Sender ID, and transport rules. |
| Advantages of the Exchange Server 2007 Edge Transport server role include its integration with Active Directory (AD) and Microsoft Outlook, but it lacks some message hygiene features that large enterprises might need. |
The ubiquitous usage of Internet-based messaging and collaboration services has intensified malware threats. To protect your organization’s messaging and collaboration infrastructure, you need to implement some type of message hygiene. Starting with Exchange 2000 Server, Microsoft has been gradually embedding more message hygiene features in Exchange. In Exchange Server 2007, Microsoft provides a special server role—the Edge Transport role—to provide message hygiene and routing services at the edge of organizations’ internal networks. To become familiar with the Edge Transport role, you’ll need to understand the Edge server’s architecture and spam- and content-filtering features. Once you have a grasp on these features, you can determine whether Exchange 2007’s Edge-based message hygiene services are rich enough to replace your third-party message hygiene solution.
Exchange as a Message Hygiene Provider
Organizations typically implement message hygiene services at the perimeter of their enterprise networks—for example, in the demilitarized zone (DMZ). The rationale behind filtering at the perimeter is simple: The sooner malware is filtered from incoming mail traffic, the better. Early filtering of messages in the DMZ benefits security because such filtering isolates malware and blocks it from reaching internal servers. Since message filtering reduces the total number of messages flowing into an organization, DMZ-based message hygiene services also reduce the load on internal messaging servers.
In previous versions, Exchange wasn’t the best solution for providing message hygiene services in the DMZ, for several reasons. The first and most important reason is Exchange’s dependency on Active Directory (AD) for storing messaging-configuration and user (sender and recipient) data. If organizations want to use Exchange-based message hygiene services in the DMZ, they must deploy an AD server in the DMZ. This means organizations must expose their internal directory to the external world, which is, from a security point of view, unwise. One alternative is to deploy a separate AD forest in the DMZ, but to do so you’ll need a mechanism to synchronize filtering parameters, such as internal recipients’ email addresses, between the internal and DMZ AD. A second alternative—often used and much easier to set up—is to use a non-Microsoft message hygiene solution that doesn’t require AD.
Exchange 2007 resolves the AD-dependency issue by letting an Edge server use an Active Directory Application Mode (ADAM) directory for storing its configuration and recipient data and by providing an easy-to-configure synchronization mechanism, called EdgeSync, between this DMZ-based ADAM instance and an organization’s internal AD. ADAM is a standalone LDAP-based directory that organizations can use without deploying a complete Windows domain infrastructure (unlike AD).
Another reason Exchange hasn’t excelled at providing DMZ-based message hygiene services is that in comparison with the services provided by specialized solutions such as Symantec Mail Security, Tumbleweed MailGate, or even the free UNIX-based Postfix service, previous Exchange message hygiene services have a fairly limited feature set. Table 1 lists the spam- and content-filtering features included in various Exchange versions. However, Exchange 2007 contains important spam- and content-filtering additions that enable Exchange to compete with established third-party message hygiene solutions.
Although I’m focusing here on the new spam- and content-filtering services bundled with the Exchange 2007 Edge server, Microsoft provides a couple additional services that you might want to consider for your message hygiene infrastructure. First, Microsoft offers a virus-scanning and spam-filtering product, Microsoft Forefront Security for Exchange Server (formerly Sybari’s Antigen product). In Exchange 2007, Microsoft provides Forefront Security for Exchange Server at no additional cost to customers who have an Enterprise Client Access License (CAL) and a volume licensing agreement with Microsoft. (For more information about the Exchange 2007 CALs, see http://www.microsoft.com/exchange/evaluation/editions.mspx.)
As part of the Enterprise CAL, Microsoft also offers an outsourced message hygiene service called Exchange Hosted Filtering (this service was previously part of FrontBridge Technologies). This service can be a valid option for smaller organizations and organizations that don’t want to operate and maintain their own message hygiene infrastructure.
Edge Server Spam- and Content-Filtering Services
The Edge server’s spam- and content-filtering services inspect an email message’s different parts and properties to decide whether to block a message or let it pass completely or partially through the Edge message gateway. The Edge Transport role supports the following spam- and content-filtering features, which Table 1 summarizes. The order in which the services are listed is the default order in which they execute on new email messages that enter the Edge message gateway.
Connection filtering—checks the IP address of the server sending mail messages against lists of allowed and blocked IP addresses to determine what action to take on a message. Connection filtering supports Realtime Blackhole Lists (RBLs)—lists of IP addresses and domains known to generate spam messages. RBLs are maintained and distributed by specialized online service providers, such as Trend Micro’s MAPS (http://www.mail-abuse.com).
Sender filtering—compares a message’s sender address to a list of blocked senders to determine what action to take on a message.
Recipient filtering—compares a message’s recipient mail address to a list of blocked recipients and the organization’s internal recipient directory to determine what action to take on a message.
Sender reputation—performs several checks to determine the likelihood that a message’s sender is a spammer. Based on the outcome of these checks, the sender reputation service assigns the sender a Sender Reputation Level (SRL) rating. If a sender’s SRL exceeds a certain threshold, the sender is added to the blocked-senders list for a predefined period of time (by default, 24 hours).
Sender ID—service that fights domain name spoofing. A spoofed email message is a message whose sending domain name was modified to appear as if it originated from a domain other than the domain of the message’s sender. To check the validity of a mail message’s domain name, the sender ID service queries for a DNS Sender Policy Framework (SPF) record that’s associated with the sender’s domain name.
Edge Transport rules—service that lets administrators define transport rules that filter or drop messages according to message properties or content. Transport rules can be useful when a spam (or virus) outbreak occurs: They let administrators take immediate action and block malware based on its known characteristics. Transport rules can block malware even when the spam or virus signatures haven’t yet been updated.
Content filtering—examines a message’s content and applies a spam confidence level (SCL) rating to the message. The content is examined by Microsoft Exchange Intelligent Message Filter (IMF), which contains logic to distinguish the characteristics of legitimate email messages and spam. New in the Exchange 2007 content filter is support for spam quarantining, which is a great help in reducing spam false positives. False positives occur when a spam filter incorrectly categorizes a message sent by a legitimate sender as spam. The Exchange 2007 quarantine feature adds incoming messages that have a certain administrator-defined SCL rating in a special quarantine mailbox instead of deleting them. This capability lets administrators perform a second manual check on quarantined messages, so that they can either let them through to the recipient’s destination mailbox or effectively delete them.
Attachment filtering—lets administrators define specific actions based on a mail message’s attachments. The default action is to strip the attachment and let the message through. Administrators can also configure the Edge server to block or delete the message and its attachments.
When you use Exchange 2007’s Exchange Management Console, you’ll notice that spam- and content-filtering services are implemented as transport agents. This implementation differs from Exchange Server 2003 and Exchange 2000, where these services are implemented as transport sinks. From the console you can enable or disable transport agents and set their properties; the antispam-related transport agents are listed on the console’s Anti-spam tab, as Figure 1 shows for the Exchange server named Edge.
The Connection Filtering and Attachment Filtering agents won’t actually show up in the console’s Anti-spam tab. The Connection Filtering agent is represented by four other “sub”-agents, which are displayed on the tab: IP Allow List, IP Allow List Providers, IP Block List, and IP Block List Providers. You can configure the Attachment Filtering agent only from the command line by using Exchange Management Shell. (For more information about how to set up attachment filtering, see the Exchange 2007 documentation at http://technet.microsoft.com/en-us/library/aa997139.aspx.) Also notice in Figure 1 that an Edge Transport Rules agent is missing from the console’s Anti-spam tab; this is because Edge Transport Rules are configured from the Transport Rules tab.
What Edge Offers...
Let’s review the message hygiene features that the Edge Transport server role offers and those it lacks, to help you decide whether or not Exchange 2007’s built-in message hygiene capabilities will suffice for your organization.
The Edge Server role can be integrated with an organization’s internal Exchange organization and AD or deployed in standalone mode. For example, organizations can use an Exchange 2007 standalone Edge server to provide message hygiene services to an Exchange 2003 or Exchange 2000 organization. To integrate an Edge server with an internal Exchange organization and AD, you must define what Microsoft calls an Edge subscription. An Edge subscription enables the Edge server to become a virtual part of the Exchange organization. It also enables one-way synchronization of configuration and recipient data between AD and the Edge’s ADAM instance (using the EdgeSync process) and routing of mail traffic between the Edge server and internal Exchange organization (the Edge subscription automatically creates Exchange send and receive connectors). An Edge subscription also lets the Edge server appear in your Exchange organization’s management interfaces; for example, it lets you configure the Edge server from the same Exchange Management Console view that you use to configure all the other Exchange servers in your organization.
The Exchange 2007 and Edge safelist aggregation feature refers to a new service that makes Microsoft Office Outlook 2007 and Outlook 2003 users’ Safe Senders and Contacts information available to the Edge Server’s spam- and content-filtering services. Safe Senders are email addresses and domain names from which an Outlook user wants to receive mail messages. Users can configure them from the Safe Senders tab in the Outlook 2007/2003 Junk E-mail Options, as Figure 2 shows. Making this information available to the Edge server has two important advantages. First, it benefits the processing load and storage on the Exchange mailbox servers. Because more content can be filtered on the Edge, less processing must be done on the mailbox servers, and users’ junk mail folders will require less storage space. Second, it reduces spam false positives; a message that the Edge server previously blocked is now allowed through because the message’s sender is, for example, defined on an internal user’s Safe Senders list.
Safelist aggregation uses the Exchange Management Shell Update-Safelist cmdlet to synchronize a user’s safelist information between the user’s Exchange mailbox server and AD and the EdgeSync service to push the safelist data stored in AD to the Edge Server’s ADAM instance. It’s important to note that safelist aggregation is available only when an Edge subscription is in place; it isn’t available on standalone Edge servers.
Exchange 2007 can leverage the Microsoft Update infrastructure (http://update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?) to manually or automatically update the Edge server’s spam- and content-filtering engines. Microsoft offers more frequent and diverse Exchange 2007 spam and content filter Microsoft Update–based updates for customers who have a CAL. In the Enterprise CAL, content filters are updated daily; in the Standard CAL, updates occur biweekly. Enterprise CAL customers can also benefit from automated spam and IP reputation signature updates. (For more information about how to configure spam- and content-filter updates, see the Microsoft Exchange Team Blog at http://msexchangeteam.com/archive/2007/01/03/432050.aspx.)
...And What It Lacks
Of course, the Edge server role has some shortcomings. First, only one Exchange organization can subscribe to a particular Edge server. This limitation can be problematic in merger and acquisition scenarios in which you might want multiple organizations to subscribe to an Edge server.
If an Edge server is deployed in standalone mode and a farm of standalone Edge servers is set up to provide fault tolerance and high availability, the Edge role can’t leverage the built-in ADAM synchronization mechanism to sync its configuration data between the different Edge instances. In this type of standalone Edge farm setup, configuration data must be kept up to date by using an XML file-based export/import mechanism.
Edge attachment filtering doesn’t support different actions for different attachment types. If attachment filtering is enabled, you can set only one action for all attachment types. For example, if you filter messages on both *.exe and *.zip attachments, you can’t set a delete-message-and-attachment action for messages with *.exe attachments and a let-message-through-and-strip-attachment action for messages with *.zip attachments.
Can Exchange Finally Live on the Edge?
The Exchange 2007 Edge Transport server role is an attractive message hygiene and routing solution for Exchange-centric customers who don’t already have a robust message hygiene solution at their network’s perimeter. For smaller organizations, the Edge role might be a valid option since Edge is integrated in Exchange 2007 and doesn’t require additional software licenses. It’s unlikely, though, that enterprise organizations that already have full-blown message hygiene solutions will switch to Edge when they upgrade their messaging infrastructure to Exchange 2007 since such products already provide a complete set of message hygiene features.
