A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing pleasure :). I can’t tell you how many times I have walked into a new environment only to find that the previous server admin had not been taking advantage of Exchange 2003’s built in spam filtering or had completely misconfigured the server to where it was barely blocking anything at all. If you do not have any 3rd party spam filtering in place, there is no reason not to use Exchange’s built-in filtering. It works very well if configured properly.
Here is a basic mail filtering setup guide for a small business environment running Exchange 2003 that I like to use (and yes, I will do a separate write up for Exchange 2007 content filtering in another post). Remember, this is just a basic setup and different environments will have different needs.
Let’s start assuming you have a brand new Exchange 2003 server setup. Make sure your Exchange server has been updated to SP2 before you do anything.
Then, in Exchange System Manager (ESM), drill down to Global Settings and right click on Message Delivery.
Now click on the Connection Filtering tab. Here, you can tell Exchange to go out and check RBLs (realtime block lists) to verify if mail coming into your Exchange server should be marked as spam or not. Here are the 2 that I like to use. Anymore than this and you’re making your block list strategy too redundant plus it holds up delivery of your email and increases overhead as your Exchange server queries each list. Make sure they are in this order by using the arrow tabs on the right to adjust:
(I also used to like using sbl.spamhaus.org and xbl.spamhaus.org but zen.spamhaus.org combines these all to one list as well as their pbl.spamhaus.org list. Just use zen.spamhaus.org so there is less overhead on your Exchange server.)
Next, click on the Recipient Filtering tab. By default, there is nothing in there but way at the bottom, you will notice that the box for “Filter recipients who are not in the Directory” is left unchecked. Check this box. This will prevent email not addressed to someone in your organization to be dropped. Spammers often like to use a dictionary attack when sending out spam to your organization like “[email protected]” which your Exchange server will process unless you check this box.
INTELLIGENT MAIL FILTERING (IMF)
Next, click on the Intelligent Mail Filtering tab. This is the heart of your spam filtering so you must make sure to configure it properly. SCL ratings (spam confidence levels) are rated on a scale of 1-10. Exchange automatically assigns this rating to every message that it gets. A message with a rating of 1 means the message is not considered spam. A message with a value of 10 is definitely spam (think Viagra ads).
I like to set the Block level to 7, Archive as the block action, and Move messages with an SCL rating of greater than or equal to 4. This is usually pretty good for most environments but you should tweak the settings depending on your environment and feedback from your users overtime.
SENDER ID FILTERING
Next click on the Send ID Filtering tab and leave the default to Accept. The reason is a lot of mail servers don’t have an SPF record since this is a mostly Microsoft iniative so the default setting is fine. You don’t want to accidentally block email from a valid email.
APPLYING YOUR NEW SETTINGS TO YOUR EXCHANGE SERVER
Now on to the part a lot of people miss. You have setup everything but now you need to actually apply it to your SMTP virtual server or nothing is going to happen.
Click on Administrative Groups > First Administrative Group > Servers > the name of your Server > Protocols > SMTP > then right click Default SMTP Virtual Server
Next to the IP Address, you will see the Advanced button. Click on it and you will see something like the below.
This shows the SMTP virtual server. Click Edit and then check everything you see. Click OK through all the windows and when you’re back in the ESM, right click on the Default SMTP Virtual Server and hit Stop. Once it stops, right click on it again and hit Start. You can also just go into Services and restart the SMTP service from there as well.
CONFIGURING WINDOWS UPDATE FOR IMF UPDATES
Now it’s time to configure Windows Update on your server to download IMF updates (these are released by Microsoft twice a month). You have to make a registry change for this to happen. Click Start > Run > type regedit > press Enter. Now drill down to HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange. Right click in the right pane and Add a new DWORD called “ContentFilterState”. Right click on ContentFilterState and change the value from 0 to 1.
Now run Windows Update manually (using the Custom option instead of Express) and you will see the latest IMF definitions as part of your patches you need to install (if you don’t, restart the SMTP service and scan for updates again). Go ahead and install the latest update once you see it.
MANAGING IMF AND YOUR EMAIL MARKED AS SPAM
Okay, so now you have some pretty good filtering setup but is it working? How do you manage mail that is marked as spam?
The answer begins with installing IMF Companion (a free IMF management utility) that you can get at:
Install it and setup the Pickup and Archive directories correctly. On a default Exchange install (we’re going to use the C: drive for this example), the locations should be:
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Pickup
C:\Program Files\Exchsrvr\Mailroot\vsi 1\UceArchive
Just to explain what these directories are, Pickup is the directory that Exchange stores messages that it is waiting to deliver and UCE Archive (Unsolicited Commercial Email Archive) is where Exchange dumps email it thinks is spam. This directory can get really big really fast so you want to setup a script to clear it once in a while.
When you open IMF Companion, you can see all the blocked messages in the UCE Archive in the top pane. Notice how the SCL rating column is missing? This is because you have to tell the Exchange server to store archive messages with their SCL rating. To do this, create this registry key if you don’t see it already:
Then create a new DWORD key value under it called “ArchiveSCL” and set the value data to 1. Now restart the SMTP service and when you open IMF Companion again, any new messages that come in will have their SCL rating displayed.
In addition to IMF Companion, you can also use the built in Windows Performance Monitor (perfmon) to keep an eye on Exchange. If you don’t see the IMF performance objects, just reboot the server and they will show up in the drop down list.