
Exxhange SQL And IIS- P90 potx


422 Chapter 7 • Managing the Edge Transport Server

[Figure 7.39 How Sender ID Works Behind the Scenes. Diagram labels: Sender, Public DNS Server with SPF record, Firewall, Perimeter Network, Edge Transport, Firewall, Internal Network, Hub Transport, Mailbox Server, Recipient; arrows: Inbound message, SPF Lookup, SPF result, Delivery]

Sender ID can provide several different results and stamp them appropriately. Table 7.2 lists each of the results as well as a short description and the action taken.

Table 7.2 Sender ID Results

| Sender ID Result | Description | Action Taken |
|---|---|---|
| Neutral | Domain is neutral (makes no decision about IP address) | Stamp and Accept |
| Pass (+) | IP address for PRA permitted set | Stamp and Accept |
| Fail (-): domain doesn’t exist; sender isn’t permitted; malformed domain; no Purported Responsible Address (PRA) in header | IP address for PRA not permitted set | Stamp and Accept, then either Delete or Reject |
| Soft Fail ( ) | IP address for PRA not permitted set | Stamp and Accept |
| None | No SPF record published for the domain | Stamp and Accept |
| Temp Error | Transient error (could be unreachable DNS server) | Stamp and Accept |
| Perm Error | Possible error in record so couldn’t be read correctly | Stamp and Accept |

No matter what the result of the SPF check, the result will be used in the calculation process when an SCL rating is generated for a message.

TIP
If you want to check which IP addresses are allowed to send e-mail messages for a given domain, you can use a wizard such as the one at www.dnsstuff.com/pages/spf.htm, or open a command prompt and type nslookup -q=TXT domain.com. You should then be able to see the SPF record, including the list of the IP addresses allowed to send e-mail messages for this domain. For additional information about Sender ID, visit http://en.wikipedia.org/wiki/Sender_id.
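The check described in the tip and in Table 7.2, as an added example (not code from the book or from Microsoft): it takes the TXT strings a lookup would return and reports which result a sending IP address gets from the SPF record. The records, addresses, the `check_spf` name and the "Not evaluated" label are constructed for illustration; only `ip4`, `ip6` and `all` are evaluated, and terms that need further DNS lookups are reported instead of resolved.

```python
import ipaddress

# SPF qualifier -> result name as listed in Table 7.2
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Soft Fail", "?": "Neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}   # not resolved in this offline sketch
NOT_EVALUATED = "Not evaluated (needs DNS)"          # label invented for this example

# Constructed sample: TXT answers as nslookup -q=TXT would list them for a domain
SAMPLE_TXT = ["site-verification=constructed-value",
              "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"]


def check_spf(txt_records, sender_ip):
    """Return (result, matched_term) for sender_ip against a domain's TXT records."""
    ip = ipaddress.ip_address(sender_ip)
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "None", None                 # no SPF record published
    if len(spf) > 1:
        return "Perm Error", None           # several records: cannot be read reliably
    redirect = None
    for term in spf[0].split()[1:]:         # terms are evaluated left to right
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        name = name.lower()
        if "=" in name:                     # modifier (redirect=, exp=), not a mechanism
            redirect = term if name.startswith("redirect=") else redirect
            continue
        if name == "all":
            return QUALIFIERS[qualifier], term
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "Perm Error", term   # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], term
        elif name.split("/")[0] in NEEDS_DNS:
            return NOT_EVALUATED, term      # later terms must not be applied out of order
        else:
            return "Perm Error", term       # unknown mechanism
    return (NOT_EVALUATED, redirect) if redirect else ("Neutral", None)


if __name__ == "__main__":
    for addr in ("192.0.2.25", "2001:db8::1", "198.51.100.7"):
        print(addr, check_spf(SAMPLE_TXT, addr))
```

Because terms are matched left to right, a record that ends in `~all` or `?all` never produces Fail for an unlisted sender, which is why the trailing `all` term is the first thing to read when reviewing your own record.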
When the Sender ID Filtering agent checks whether a sending SMTP server has an appropriate purported responsible address (PRA), you can specify what action it should take for a given e-mail message that doesn’t have an appropriate PRA. You can configure it to Reject message, Delete message or Stamp message with Sender ID result and continue processing; the last one is the option selected by default (see Figure 7.40).

If you set Sender ID to reject the message, the message will be rejected by the Edge Transport server and an SMTP error response will be returned to the sender. If you configure Sender ID to delete message, the message will be deleted without sending an SMTP error response to the sender. Since the message is deleted without informing the sending SMTP server, you would think that the sending SMTP server would retry sending the message, but this is not the case. The Sender ID filter has been made so cleverly that the Edge Transport server will send a fake OK SMTP command before deleting the message. When you configure Sender ID to stamp messages with the Sender ID result and continue processing, the e-mail message will be stamped with information that will be used when the message is evaluated by the Content Filtering agent (which we will look at in a moment) to calculate the SCL.

[Figure 7.40 The Action Tab on the Sender ID Properties Page]

SOME INDEPENDENT ADVICE
If you haven’t already done so, we highly recommend that you create an SPF record for your domain. This will make it much more difficult for spammers to forge your domain so that they can spam domains in other organizations. Creating your own SPF record is a relatively simple process; Microsoft even provides a Web-based GUI wizard that will help you do it (see Figure 7.41). You can find the wizard by visiting www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard.
Content Filtering

The Content Filtering agent can be considered the next generation of the Intelligent Message Filter (or IMF version 3), which most of us know from Exchange Server 2003 (version 2 came with Exchange 2003 SP2). This means that the Content Filter is based on the SmartScreen technology, originally developed by Microsoft Research. When an e-mail message is received by an Edge Transport server with the Content Filtering agent enabled, it will evaluate the textual content of the messages and then assign the message an SCL rating based on the probability that the message is spam. This rating is stored as a message property called an SCL rating.

The Content Filter is regularly updated using the Antispam Update Service (Windows Update) to ensure that it always contains the most up-to-date information when it’s running. Since the Content Filter is based on the characteristics of many millions of messages (Hotmail, among others, is used to collect the necessary information about both legitimate as well as spam messages), it recognizes both legitimate messages and spam messages. The Content Filter can very precisely determine whether an inbound e-mail message is a legitimate message or spam.

The Content Filter can also, via spam signatures, analyze messages for phishing characteristics. If the message is a phishing attempt, the Content Filtering agent will stamp it with a property before delivering it to the recipient’s inbox. When the message is delivered, Outlook 2007 will render it differently and warn the user that this most likely is a phishing attempt. When the message is viewed in Outlook 2007, all content will be flattened, any links will be disabled, and no images will be loaded.

Just as was the case with IMF in Exchange Server 2003, you can, with the help of the Content Filter, assign an SCL rating to the messages flowing into your organization.
The Content Filter stamps the messages that it inspects with an SCL property (actually a MAPI property) with a value between 0 and 9. As you can see in Figure 7.42, depending on how a message is rated, you can delete, reject, or quarantine it to a specified mailbox.

[Figure 7.41 The Sender ID Framework SPF Record Wizard]

[Figure 7.42 The Action Tab on the Content Filtering Properties Page]

If a message equals the SCL delete threshold, the message will be deleted without notifying the sending server. If the message equals the SCL reject threshold, the message will also be deleted, but a rejection response will be returned to the sending server. If a message equals the SCL quarantine threshold, the message will be sent to the e-mail address specified in the Quarantine mailbox e-mail address: field. Bear in mind, though, that before a message can be quarantined, you need to create and configure a mailbox that should be used for this purpose. To do so, perform the following steps:

1. Create a new mailbox called Quarantined Messages or similar.
2. Depending on how many recipients as well as how many messages are received by your Exchange organization, configure a reasonable quota for this mailbox.

Date posted: 06/07/2014, 13:20
