Connect with us

Hi, what are you looking for?

Exchange 2003

Microsoft Exchange 2003 spam filtering made easy

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing pleasure :).  I can’t tell you how many times I have walked into a new environment only to find that the previous server admin had not been taking advantage of Exchange 2003’s built in spam filtering or had completely misconfigured the server to where it was barely blocking anything at all. If you do not have any 3rd party spam filtering in place, there is no reason not to use Exchange’s built-in filtering. It works very well if configured properly.

Here is a basic mail filtering setup guide for a small business environment running Exchange 2003 that I like to use (and yes, I will do a separate write up for Exchange 2007 content filtering in another post). Remember, this is just a basic setup and different environments will have different needs.

Let’s start assuming you have a brand new Exchange 2003 server setup. Make sure your Exchange server has been updated to SP2 before you do anything.

Then, in Exchange System Manager (ESM), drill down to Global Settings and right click on Message Delivery.

CONNECTION FILTERING
Now click on the Connection Filtering tab. Here, you can tell Exchange to go out and check RBLs (realtime block lists) to verify if mail coming into your Exchange server should be marked as spam or not. Here are the 2 that I like to use. Anymore than this and you’re making your block list strategy too redundant plus it holds up delivery of your email and increases overhead as your Exchange server queries each list. Make sure they are in this order by using the arrow tabs on the right to adjust:

zen.spamhaus.org
cbl.abuseat.org

(I also used to like using sbl.spamhaus.org and xbl.spamhaus.org but zen.spamhaus.org combines these all to one list as well as their pbl.spamhaus.org list. Just use zen.spamhaus.org so there is less overhead on your Exchange server.)

RECEPIENT FILTERING
Next, click on the Recipient Filtering tab. By default, there is nothing in there but way at the bottom, you will notice that the box for “Filter recipients who are not in the Directory” is left unchecked. Check this box. This will prevent email not addressed to someone in your organization to be dropped. Spammers often like to use a dictionary attack when sending out spam to your organization like “[email protected]” which your Exchange server will process unless you check this box.

INTELLIGENT MAIL FILTERING (IMF)
Next, click on the Intelligent Mail Filtering tab. This is the heart of your spam filtering so you must make sure to configure it properly. SCL ratings (spam confidence levels) are rated on a scale of 1-10. Exchange automatically assigns this rating to every message that it gets. A message with a rating of 1 means the message is not considered spam. A message with a value of 10 is definitely spam (think Viagra ads).

I like to set the Block level to 7, Archive as the block action, and Move messages with an SCL rating of greater than or equal to 4. This is usually pretty good for most environments but you should tweak the settings depending on your environment and feedback from your users overtime.

SENDER ID FILTERING
Next click on the Send ID Filtering tab and leave the default to Accept. The reason is a lot of mail servers don’t have an SPF record since this is a mostly Microsoft iniative so the default setting is fine. You don’t want to accidentally block email from a valid email.

APPLYING YOUR NEW SETTINGS TO YOUR EXCHANGE SERVER
Now on to the part a lot of people miss. You have setup everything but now you need to actually apply it to your SMTP virtual server or nothing is going to happen.

Click on Administrative Groups > First Administrative Group > Servers > the name of your Server > Protocols > SMTP > then right click Default SMTP Virtual Server

Next to the IP Address, you will see the Advanced button. Click on it and you will see something like the below.

This shows the SMTP virtual server. Click Edit and then check everything you see. Click OK through all the windows and when you’re back in the ESM, right click on the Default SMTP Virtual Server and hit Stop. Once it stops, right click on it again and hit Start. You can also just go into Services and restart the SMTP service from there as well.

CONFIGURING WINDOWS UPDATE FOR IMF UPDATES
Now it’s time to configure Windows Update on your server to download IMF updates (these are released by Microsoft twice a month). You have to make a registry change for this to happen. Click Start > Run > type regedit > press Enter. Now drill down to HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange. Right click in the right pane and Add a new DWORD called “ContentFilterState”. Right click on ContentFilterState and change the value from 0 to 1.

Now run Windows Update manually (using the Custom option instead of Express) and you will see the latest IMF definitions as part of your patches you need to install (if you don’t, restart the SMTP service and scan for updates again). Go ahead and install the latest update once you see it.

MANAGING IMF AND YOUR EMAIL MARKED AS SPAM
Okay, so now you have some pretty good filtering setup but is it working? How do you manage mail that is marked as spam?

The answer begins with installing IMF Companion (a free IMF management utility) that you can get at:

http://stoekenbroek.com/imfcompanion/default.htm

Install it and setup the Pickup and Archive directories correctly. On a default Exchange install (we’re going to use the C: drive for this example), the locations should be:

C:\Program Files\Exchsrvr\Mailroot\vsi 1\Pickup

and

C:\Program Files\Exchsrvr\Mailroot\vsi 1\UceArchive

Just to explain what these directories are, Pickup is the directory that Exchange stores messages that it is waiting to deliver and UCE Archive (Unsolicited Commercial Email Archive) is where Exchange dumps email it thinks is spam. This directory can get really big really fast so you want to setup a script to clear it once in a while.

When you open IMF Companion, you can see all the blocked messages in the UCE Archive in the top pane. Notice how the SCL rating column is missing? This is because you have to tell the Exchange server to store archive messages with their SCL rating. To do this, create this registry key if you don’t see it already:

HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter

Then create a new DWORD key value under it called “ArchiveSCL” and set the value data to 1. Now restart the SMTP service and when you open IMF Companion again, any new messages that come in will have their SCL rating displayed.

In addition to IMF Companion, you can also use the built in Windows Performance Monitor (perfmon) to keep an eye on Exchange.  If you don’t see the IMF performance objects, just reboot the server and they will show up in the drop down list.

7 Comments

7 Comments

  1. Paul

    January 5, 2009 at 4:44 PM

    Really good non-technical summary. Thank you.

  2. kelley r.

    February 14, 2009 at 4:45 PM

    Really great post, well written, concise and comprehensive. Thank you.

  3. Blake

    February 27, 2009 at 12:23 PM

    Being able to point my more technically savvy clients to this extremely informative plain english example and explaination helps me to help my clients to help themselves.
    I love your work!

  4. fumaderm

    October 29, 2012 at 7:05 PM

    Wow! This blog looks exactly like my old one! It’s on a totally different subject but it has pretty much the same page layout and design. Wonderful choice of colors!

  5. Arlen

    November 16, 2012 at 9:26 AM

    I will right away take hold of your rss feed as I can not find your email subscription
    link or newsletter service. Do you’ve any? Please let me realize in order that I may subscribe. Thanks.

  6. Dom Abbatiello

    August 20, 2014 at 11:06 AM

    The link for IMP Companion has changed. The new link is:

    But keep in mind it is not being updated anymore.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Apache

In a worst case scenario and all your web servers have failed, what do you do? You could have a standby group of servers...

Microsoft Identity & Access Management

EUC and Security Engineers have always had the capability to add a EULA to Citrix StoreFront and/or Citrix NetScaler Gateway (aka Citrix Gateway) for...

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com