Managing the Edge Transport Server • Chapter 7

Figure 7.47 The Attachment Filter List Configuration Settings

If you want to see a list of the current settings for AttachmentFilterListConfig, type Get-AttachmentFilterListConfig and press Enter (see Figure 7.47). For any additional information on how to configure the attachment filtering behavior using the Set-AttachmentFilterListConfig CMDlet, see the Exchange Server 2007 Help file or type Get-Help Set-AttachmentFilterListConfig in the EMS.

Sender Reputation

The Edge Transport server also includes a brand-new antispam feature called Sender Reputation. The Sender Reputation agent, which is enabled by default (although only for externally received messages), is an antispam feature that blocks inbound messages according to characteristics of the sender. The agent actually relies on persistent data about the sender so that it can determine which action to take on inbound messages.

The Sender Reputation agent analyses whether a sender forges the HELO/EHLO statement when establishing an SMTP session to the Edge Transport server. This is done on a per-sender basis, which makes it easier to see whether it’s a spammer or a legitimate sender. A spammer typically provides many different unique HELO/EHLO statements in a specific time period, and they often also provide an IP address in the HELO/EHLO statement that doesn’t match their original IP address (that is, the IP address from which the connection originated). In addition, they often try to provide a local domain name, which is the name of the organization to which the Edge Transport server belongs. In most cases the behavior of a legitimate sender is to use a different but more constant set of domains in the HELO/EHLO statement.

The Sender Reputation agent also performs a reverse DNS lookup when an external SMTP server establishes an SMTP session.
This means that the Edge Transport server verifies that the IP address of the SMTP server matches the registered domain name, which the server submits in the HELO/EHLO command. If the IP address doesn’t match the resolved domain name, there’s a good chance you’re dealing with a spammer.

As you already know, an inbound message is assigned an SCL rating when the Content Filter is applied. This SCL rating is also analyzed by the Sender Reputation agent. The agent calculates statistics about a sender by looking at how many messages from that sender in the past had either a low or high SCL rating.

Lastly, the Sender Reputation agent is capable of performing an open proxy test against the sender’s IP address. If the connection is looped back to the Edge Transport server through known open proxy ports and protocols—more specifically, SOCKS 4 and 5, Wingate, Telnet, Cisco, HTTP CONNECT, and HTTP POST—the sending server is considered an open proxy. As you can see in Figure 7.48, you enable this feature on the Properties page of Sender Reputation.

NOTE
For the Edge Transport server to perform an open proxy test against an external server, keep in mind that you need to open the required outbound ports in any firewall located between the Edge Transport server and the Internet. The following ports are used during an open proxy test: 1080, 1081, 23, 6588, 3128, and 80. If you’re using a proxy server in your organization, you also need to configure the Sender Reputation agent to use the proxy server for open proxy tests. You do this using the Set-SenderReputationConfig -ProxyServerName CMDlet. For details on how to configure a proxy, type Get-Help Set-SenderReputationConfig in the EMS or refer to the Exchange Server 2007 Help file.
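The note above can be checked from the Edge Transport server itself. The following is an added example, not code from the book: it probes the listed outbound ports and then reviews and sets the agent's proxy settings. The probe host, proxy name, proxy port and proxy type are placeholder assumptions, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell on the
# Edge Transport server. Assumes PowerShell 2.0 or later (try/catch/finally).

# Outbound ports the text lists for the open proxy test.
$openProxyPorts = 1080, 1081, 23, 6588, 3128, 80

# ASSUMPTION: placeholder for an Internet host you operate, used only to see
# whether the perimeter firewall passes outbound connections on each port.
$probeHost = 'probe.example.net'

function Test-OutboundPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No answer at all usually means a firewall dropped the packet.
            return 'Timeout (likely filtered)'
        }
        $client.EndConnect($pending)
        return 'Connected'
    }
    catch {
        # Covers DNS failures and active refusals; the message tells them apart.
        return 'Failed: ' + $_.Exception.Message
    }
    finally {
        $client.Close()
    }
}

foreach ($port in $openProxyPorts) {
    $result = Test-OutboundPort -TargetHost $probeHost -Port $port
    '{0,5}  {1}' -f $port, $result
}

# Review the current agent settings before changing anything.
Get-SenderReputationConfig |
    Format-List Enabled, ExternalMailEnabled, OpenProxyDetectionEnabled,
                ProxyServer*, SrlBlockThreshold, SenderBlocking*

# If outbound traffic has to leave through a proxy, point the agent at it.
# ASSUMPTION: name, port and type below are placeholders for your environment.
Set-SenderReputationConfig -ProxyServerName 'proxy.example.local' `
    -ProxyServerPort 8080 -ProxyServerType HttpConnect
```

A timeout on a port means the open proxy test cannot use it until the firewall rule is added.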
Figure 7.48 The Sender Confidence Tab on the Sender Reputation Properties Page

Depending on the results of these analyses and tests, the Sender Reputation agent assigns a sender reputation level (SRL) to the sender. As is the case with the SCL rating, this SRL can be a number between 0 and 9. The higher an SRL rating that is assigned to a sender, the more likely it is that the sender is a spammer. Under the Action tab, which also is found on the Sender Reputation Properties page, you can configure an SRL block threshold (see Figure 7.49), and when the threshold is exceeded, the sender is added to the IP Block list for a specified number of hours (the default is 24 hours).

Figure 7.49 The Action Tab on the Sender Reputation Properties Page

NOTE
Senders that haven’t yet been analyzed by Sender Reputation are assigned an SRL rating of 0. Only after the Edge Transport server has received 20 or more messages from a particular sender is an SRL calculated.

It’s not in the hands of the Sender Reputation agent to decide how blocked messages are handled; this is instead controlled by the Sender Filter agent, which can be configured to block, reject, or stamp messages from blocked senders and continue processing.

Antivirus Scanning

After a given message has been through the Attachment filter, it will be scanned by the antivirus product installed on the server, which could be ForeFront Security for Exchange Server 2007 (included in the Exchange 2007 Enterprise CAL) or a supported third-party product. It should come as no surprise that the Edge Transport server role integrates perfectly with the ForeFront Security for Exchange Server 2007 product, but the server role also has rich support for partner antivirus providers.
So you’re not bound to use the ForeFront Security for Exchange Server product if you choose to deploy an Edge Transport server in your organization’s perimeter network (DMZ or screened subnet). Some of the third-party products that have shipped since Exchange Server 2007 was released in December 2006 are:

■ Symantec
■ Trend Micro
■ GFI
■ Kaspersky
■ McAfee
■ Sophos

All of these third-party providers participated in the Exchange 2007 Technology Adoption Program (TAP), so these products take full advantage of Exchange Server 2007 features.

NOTE
On February 8, 2005, Microsoft acquired the security software firm Sybari, the company behind the Exchange AntiGen product. The primary reason behind this purchase was to help enterprise customers become more secure. Since then Microsoft rebranded the AntiGen product series to ForeFront Security, which means that the old Exchange AntiGen product now is known as ForeFront Security for Exchange Server. Not only has the product name changed, but Microsoft has also been busy improving the product as well as integrating it more tightly with Exchange Server 2007; now the product is recommended as the antivirus solution for the Edge Transport server. For more information about ForeFront Security for Exchange Server, see www.microsoft.com/forefront/default.mspx.

SOME INDEPENDENT ADVICE
As some of you might be aware, in 2004 Microsoft published a document called The Coordinated Spam Reduction Initiative (which can be downloaded from http://tinyurl.com/yxzsc5). Even today, it’s an extremely interesting document that focuses on how