A Deeper Look at Spam and Malware Filtering with Exchange Server
Configuring Edge Transport Server
The Edge Transport server role was created to serve as an additional layer that assesses and filters incoming messages before they are allowed into the Exchange organization proper. To that end, various policies and rules are used to identify and eliminate spam and other undesirable messages. Note that the role is not installed by default and runs on its own server in the perimeter network; a deployment without one is still considered a fully operational Exchange Server messaging environment.
An Edge Transport server works on new incoming messages in the following order:
- IP Block and Allow Lists are first checked for a match (blacklisting and whitelisting respectively).
- Next, IP Block List Providers and IP Allow List Providers are checked.
- The Sender Filtering Agent checks the Blocked Senders list for a match.
- The Sender ID agent performs a Sender Policy Framework (SPF) lookup against the sending domain.
- The Recipient Filter agent checks the Blocked Recipients list for a match; with recipient validation enabled it also rejects mail to nonexistent recipients, which requires EdgeSync to have replicated the recipient list to the Edge server.
- Content Filtering Agent looks into the content of messages and filters them according to the company’s policy.
- Mail attachments are then analyzed by the Attachment Filter Agent.
- Finally, if everything checks out, the message is delivered into Exchange inboxes. Depending on the exact configuration, a rejected message may be refused with an SMTP error, deleted without further notice, sent to the spam quarantine mailbox, or placed in the user’s Junk E-mail folder (the last is decided by the organization-wide SCL junk threshold on the internal Exchange servers, not on the Edge server itself).
One downside is that the only accurate way to determine the impact or effectiveness of a given set of rules is to observe it in a live environment. It therefore makes sense to start with a lax filter configuration so as not to unwittingly delete legitimate email, then tighten it over time as the agent logs show what each rule is actually catching.
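As an added example (not from the original post), the following Exchange Management Shell session applies a deliberately lax first-pass configuration for each stage of the Edge Transport pipeline described above, in the order the agents evaluate a message, and then summarises the anti-spam agent log so the effect of each rule can be judged before anything is tightened. The IP ranges, domains, sender addresses, the quarantine mailbox and the DNSBL provider name are assumptions chosen for illustration; the cmdlets and parameters are the standard Edge Transport anti-spam cmdlets.

```powershell
# Added example, not the original post's code. Run in the Exchange Management
# Shell on the Edge Transport server. All addresses, domains, the quarantine
# mailbox and the DNSBL lookup domain below are assumed values for illustration.

# 1. Local IP Block and Allow Lists (connection filtering).
Add-IPBlockListEntry -IPRange 203.0.113.0/24 -Comment "Assumed: known bad netblock"
Add-IPAllowListEntry -IPAddress 198.51.100.10 -Comment "Assumed: partner MTA"

# 2. IP Block List Provider (DNSBL). No allow-list provider is added at this
#    stage; add one only when a trusted reputation service is actually in use.
Add-IPBlockListProvider -Name "Assumed DNSBL" -LookupDomain "dnsbl.example.net" `
    -AnyMatch $true -RejectionResponse "Source IP is listed by dnsbl.example.net"

# 3. Sender Filtering: a short blocked-sender list. StampStatus records the
#    match in the message's SCL instead of rejecting, so a mistake is visible
#    rather than lost mail. Switch to -Action Reject once the list is trusted.
Set-SenderFilterConfig -Enabled $true `
    -BlockedSenders "bulk@spam.example" -BlockedDomains "spam.example" `
    -BlankSenderBlockingEnabled $false -Action StampStatus

# 4. SPF via the Sender ID agent: stamp spoofed and temp-error results for now;
#    tighten to -SpoofedDomainAction Reject after reviewing the agent log.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction StampStatus -TempErrorAction StampStatus

# 5. Recipient Filtering: refuse mail to nonexistent users (needs EdgeSync)
#    and to a small list of retired aliases.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true `
    -BlockListEnabled $true -BlockedRecipients "oldalias@contoso.com"

# 6. Content Filtering: quarantine high-SCL mail, reject only at the top of the
#    scale, and never silently delete during the tuning period.
#    Thresholds must satisfy Reject > Quarantine (Delete stays at its default 9).
Set-ContentFilterConfig -Enabled $true -SCLDeleteEnabled $false `
    -SCLRejectEnabled $true -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -QuarantineMailbox "spam-quarantine@contoso.com"

# 7. Attachment Filtering: strip risky attachments but still deliver the
#    message, so a false positive costs one attachment, not the whole mail.
Set-AttachmentFilterListConfig -Action Strip -AdminMessage "An attachment was removed by policy."
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName
Add-AttachmentFilterEntry -Name "*.scr" -Type FileName
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType

# 8. Measure before tightening: count what each agent did over the last week.
#    Large StampStatus counts with few user complaints are the signal that a
#    rule can safely be moved to Reject.
Get-AgentLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The agent log also carries a Reason and ReasonData for every entry, so a second pass that groups on those fields shows which individual list entry, DNSBL or SCL threshold is responsible for each block, which is the information needed to decide what to tighten next.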
Third Party Solutions
Administrators who want spam and malware filtering that is more self-contained than what an Edge Transport server offers have a number of anti-spam solutions to choose from:
Cloud-based provider: A popular option. Anti-spam cloud providers work by taking delivery of incoming mail at the DNS MX level, with only legitimate mail being relayed on to your servers. This has the advantage that none of the processing or bandwidth overhead of spam enters your network. The downside is that regulatory requirements or the sensitivity of certain data may preclude routing mail through a third party.
Spam appliance: The spam appliance is attractive because it keeps CPU cycles on the mail servers from being spent processing spam. Deployment is also generally straightforward, with little or no ongoing maintenance. However, appliances can be expensive and are prone to hardware obsolescence.
Server deployed: This is usually the preferred option for businesses with on-premises Exchange deployments, and tends to occupy the middle ground between a cloud-based provider and a spam appliance in terms of cost. Be prepared for higher maintenance and administrative overhead, however.
Endpoint protection: Many antimalware suites include endpoint spam protection. Personally, I like this option least, because such software generally lacks central manageability.
There are many options that can be brought to bear against spam and malware. A mix-and-match approach works too, though it obviously comes at a higher cost. Ultimately, the ideal solution depends on the company’s infrastructure, its overall budget, and the volume of spam the organization is receiving.