Wednesday 18 February 2015

Anti-spam protection options for the mailbox transport service and edge transport service

By default, anti-spam is not available on the Mailbox server's transport service, although it can be added by running the "Install-AntispamAgents.ps1" script, which can be found at:

C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Install-AntispamAgents.ps1

You can then simply restart the transport service via PowerShell:

Restart-Service MSExchangeTransport
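
The install and restart steps above, followed by a check that the agents are actually registered and enabled, as an added example (not from the original post or from TechNet). It assumes the Exchange Management Shell on the Mailbox server, the $env:ExchangeInstallPath variable set by Exchange setup, and the default agent display names listed in $expected.

```powershell
# Added example. Run in the Exchange Management Shell on the Mailbox server.
# Assumption: these are the default display names of the agents the script installs.
$expected = @(
    'Content Filter Agent',
    'Sender Id Agent',
    'Sender Filter Agent',
    'Protocol Analysis Agent'
)

# Resolve the script from the Exchange install path rather than hard-coding the drive.
$script = Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1'
if (-not (Test-Path $script)) {
    throw "Install script not found at $script"
}

# Only install (and restart transport) when at least one expected agent is missing.
$installed = @(Get-TransportAgent | ForEach-Object { $_.Identity.ToString() })
$missing   = @($expected | Where-Object { $installed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Host "Missing agents: $($missing -join ', '). Running install script."
    & $script
    Restart-Service MSExchangeTransport
}

# Verify: every expected agent must now be present and enabled.
$report = foreach ($name in $expected) {
    $agent = Get-TransportAgent -Identity $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Agent     = $name
        Installed = [bool]$agent
        Enabled   = [bool]($agent -and $agent.Enabled)
        Priority  = if ($agent) { $agent.Priority } else { $null }
    }
}
$report | Format-Table -AutoSize

$notActive = @($report | Where-Object { -not $_.Enabled })
if ($notActive.Count -gt 0) {
    Write-Warning "Not active: $($notActive.Agent -join ', ')"
}
```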

The Edge transport service, by contrast, has anti-spam functionality installed and enabled by default. If anti-spam filtering is performed on more than one service (for example, the Mailbox transport service and the Edge transport service), the latter service checks the X-headers in the message, and if the message already contains anti-spam X-header values, the anti-spam check is omitted.

Below I have extracted the filtering methods (taken from TechNet):

Sender Filter agent: Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains who are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message.

Sender ID agent: Sender ID relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to determine whether the sender is spoofed or not.

Content Filter agent: Content filtering assesses the contents of a message.
Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for messages that are identified as spam and that shouldn't be delivered to a user mailbox inside the organization.

Protocol Analysis agent: The Protocol Analysis agent is the underlying agent that implements the sender reputation functionality. Sender reputation relies on persisted data about the IP address of the sending server to determine what action, if any, to take on an inbound message. A sender reputation level (SRL) is calculated from several sender characteristics that are derived from message analysis and external tests. For more information, see Sender reputation and the Protocol Analysis agent.

Additionally, the Edge transport service has exclusive access to the following filtering methods:

Connection Filtering agent: Connection filtering inspects the IP address of the remote server that's trying to send messages to determine what action, if any, to take on an inbound message. Connection filtering uses an IP Block list, IP Allow list, IP Block List provider services and IP Allow List provider services to determine whether the connection IP should be blocked or allowed.

Recipient Filter agent: Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message isn't permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message isn't addressed to valid recipients, the message is rejected.

Attachment Filtering agent: Attachment filtering blocks messages based on attachment file name, file name extension, or file MIME content type. You can configure attachment filtering to block a message and its attachment, to strip the attachment and allow the message to pass through, or to silently delete the message and its attachment.
