Microsoft Antigen Spam Manager Best Practices

Microsoft Antigen for Exchange Version 9

Microsoft Antigen for SMTP Gateways Version 9

Microsoft Corporation

Published: March 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Privacy policy

Review the "Microsoft Antigen Privacy Statement" at the Microsoft Antigen Web site.

Contents

Introduction to Microsoft Antigen Spam Manager best practices

Configuring Cloudmark engine updates

Configuring RBL services

Configuring the Exchange Intelligent Message Filter

Submitting false positives and false negatives to Cloudmark

Introduction to Microsoft Antigen Spam Manager best practices

This guide provides instructions for configuring the Antigen Spam Manager to help you to combat spam. The following steps are recommended:

1. Ensure that the Cloudmark engine is updating successfully.

2. Configure one or more Realtime Block List (RBL) services.

3. Configure the Exchange Intelligent Message Filter (IMF).

4. Submit missed spam or false positives.

Configuring Cloudmark engine updates

Cloudmark distributes signature updates directly to the Antigen server. This differs from the other scan engines, which receive updates directly from Microsoft. Cloudmark signature updates are not configurable in the Antigen Administrator.

Administrators can schedule Antigen to check for a new version of the Cloudmark engine. Unlike the micro signature updates, which occur throughout the day and are not configurable, the check for an entirely new Cloudmark engine can be scheduled. Because these “cartridge” releases occur much less frequently than the micro signature updates, it is recommended that you schedule this check to occur once daily during off hours. Historically, a new cartridge has been released once every several months, but releases occur as needed.

For additional details about the Cloudmark engine, see “Chapter 17 – Antigen Spam Manager overview” in the Microsoft Antigen for Exchange User Guide.

Configuring RBL services

Realtime Block Lists (RBLs) are anti-spam services that offer another layer of protection against spam. These services block e-mail messages based on the IP address from which they originate. The service uses various methods to detect spamming IP addresses and enters them into a database. E-mail messages entering your organization are compared against the RBL database and are blocked if they match an IP on the block list. These services can be effective against a wide variety of spam because the content of the spam does not matter, only the source.

Notes:

· Each RBL service has its own terms of use and may request a fee from commercial organizations using its service.

· Some RBL services are more aggressive than others. This can result in too many false positive detections for your organization. Make sure that you test a service before activating it in your network. This is easily done by using the Skip: detect only setting, which logs spam detections without blocking the e-mail messages.

· Each RBL that you use will adversely affect system performance. It is recommended that you start with one RBL and increase RBLs only if needed. Using more than three RBLs is not recommended.

To configure an RBL service

1. In the Antigen Administrator, click FILTERING in the left navigation shuttle, and then click the Mailhost icon. The Mailhost Filtering pane appears.
2. Select a scan job in the upper pane (for example, the SMTP Scan Job).
3. In the Mailhosts Lists pane, select RBL Servers, and then click Add. The RBL Servers pane appears.
4. In the RBL Servers pane, type the domain name or the IP address of the RBL Server.

Note:
The RBL servers shown here are examples and are not real RBL servers.
5. Set the Filter to Enabled.
6. Choose the Action. When first testing a new RBL service, it is recommended that you use the Skip: detect only setting. When you are satisfied that the service meets your needs, you can switch to the Purge or Identify setting, as desired.
7. Enable or disable notifications and quarantine files that are detected by this filter.
8. Click Save.
Notes:
If you have specific e-mail server IP addresses from which you want to receive all e-mail, it is recommended that you enter these addresses into the Allowed Mailhosts setting to prevent e-mail from these IPs from being blocked. Conversely, if you have specific e-mail server IP addresses from which you do not want to receive e-mail, it is recommended that you enter these addresses into the Rejected Mailhosts setting to prevent e-mail from these IPs from being allowed. To do this, you must create and populate an Allowed Mailhosts or a Rejected Mailhosts filter list, and then access the Mailhost Filtering pane to configure the filter list for a specific scan job (for example, the SMTP Scan Job).
You can also use allowed senders lists to maintain lists of safe e-mail addresses or e-mail domains that will not be subjected to filtering or spam scanning. Antigen will check the sender address (entered in the format: ) or the domain (entered in the format: *customer.com) against the allowed senders list. If the e-mail address or domain appears on the allowed senders list, Antigen will bypass all filtering that has been enabled for the list. For step-by-step instructions for creating allowed senders lists, see the Microsoft Antigen for Exchange User Guide at the Microsoft Antigen TechNet Library.
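
The following Python model is added here as an illustration of how the RBL, mailhost list, and allowed senders checks described above fit together; it is not part of Antigen or of this guide. An RBL is queried over DNS by reversing the octets of the connecting IPv4 address and appending the list's zone, and a listed address answers with an A record in 127.0.0.0/8. The DNS answers, zone names, and IP addresses below are constructed; the precedence of Allowed and Rejected Mailhosts over RBL lookups, and the wildcard rule used for allowed senders entries, are assumptions of the model rather than documented Antigen behaviour.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS: the answers two hypothetical RBL zones would
# return. A listed address gets an A record in 127.0.0.0/8; an unlisted
# address gets no answer (NXDOMAIN). Zones and addresses are made up.
FAKE_DNS: Dict[str, str] = {
    "7.113.0.203.rbl-one.example": "127.0.0.2",   # 203.0.113.7 listed on rbl-one
    "25.2.0.192.rbl-one.example": "127.0.0.3",    # 192.0.2.25 listed on rbl-one
    "25.2.0.192.rbl-two.example": "127.0.0.2",    # 192.0.2.25 also on rbl-two
}

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str, zone: str, resolve: Resolver = FAKE_DNS.get) -> bool:
    """True when the zone lists the address (any 127.x.x.x answer)."""
    answer = resolve(rbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def evaluate_mailhost(ip: str, allowed: set, rejected: set, rbl_zones: List[str],
                      action: str, resolve: Resolver = FAKE_DNS.get) -> Tuple[str, List[str]]:
    """Decide what happens to a connection from `ip`.

    Precedence modelled here (an assumption, not taken from the guide):
    Allowed Mailhosts first, then Rejected Mailhosts, then RBL lookups.
    `action` is the RBL filter action from the guide: "skip" (detect only:
    log the hit, deliver), "identify" (deliver but mark) or "purge" (delete).
    Returns (decision, zones_that_listed_the_ip).
    """
    if ip in allowed:
        return "accept", []
    if ip in rejected:
        return "reject", []
    hits = [zone for zone in rbl_zones if rbl_listed(ip, zone, resolve)]
    if not hits:
        return "accept", hits
    if action == "skip":
        return "accept-logged", hits   # detect only: nothing is blocked
    if action == "identify":
        return "identify", hits
    if action == "purge":
        return "purge", hits
    raise ValueError(f"unknown RBL action {action!r}")


def sender_allowed(sender: str, allowed_senders: List[str]) -> bool:
    """Allowed senders check. An entry beginning with '*' (for example
    '*customer.com', the domain format shown in the guide) is treated as a
    suffix pattern; any other entry must match the address exactly.
    Matching is case-insensitive. The suffix rule is an assumption."""
    s = sender.lower()
    for entry in allowed_senders:
        e = entry.lower()
        if e.startswith("*") and s.endswith(e[1:]):
            return True
        if s == e:
            return True
    return False


if __name__ == "__main__":
    zones = ["rbl-one.example", "rbl-two.example"]
    for ip in ("203.0.113.7", "192.0.2.25", "198.51.100.9"):
        print(ip, evaluate_mailhost(ip, set(), set(), zones, "skip"))
    print(sender_allowed("bob@customer.com", ["*customer.com"]))
```

Running the model with the "skip" action mirrors the testing advice above: listed hosts come back as "accept-logged", so you can see which zones would have fired before switching the action to "identify" or "purge". Note that a plain suffix pattern such as "*customer.com" also matches a sender at "evilcustomer.com"; when you populate an allowed senders list, include the "@" or leading dot in the pattern if the product's matching rules allow it, and keep the list short.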

Configuring the Exchange Intelligent Message Filter

Microsoft® Exchange Server 2003 includes a built-in spam-fighting tool called the Intelligent Message Filter (IMF). This filter uses sophisticated technologies to evaluate e-mail to determine whether it is spam. IMF can be used in conjunction with Antigen Spam Manager to provide another layer of spam detection. (Note that you must be running an Exchange 2003 server; a Windows SMTP server does not include IMF functionality.)

IMF works by assigning a Spam Confidence Level (SCL rating) to each message. Message ratings range from 0 to 9, with 0 being the least likely to be spam and 9, the most likely. Generally, anything rated 7 or higher is very likely to be spam, although this may vary in any given environment.

You can decide how the system will handle e-mail messages based on the SCL rating. There are two levels of settings. One level will delete and potentially archive the message; the next level will send it to the end user’s Junk E-Mail folder. Consult the Exchange Server documentation for specifics about these features.

To configure IMF on Exchange

1. Select your IMF global settings.
a. In the Exchange System Manager, expand the Global Settings node. Right-click Message Delivery, and then select Properties.
b. In the Message Delivery Properties dialog box, click the Intelligent Message Filtering tab.

c. Select your blocking levels and blocking behavior.
d. For an even higher level of detection and fewer false positives, it is recommended that you turn on Sender ID Filtering (this feature was added in Exchange Server 2003 SP2). Even if your organization does not publish Sender ID records in its DNS, this option can help the Intelligent Message Filter make better antispam decisions. To turn on this feature, click the Sender ID Filtering tab, and then click Accept. This will not block any message that fails the Sender ID check, but it will use the Sender ID result as part of the IMF calculation process.
Note:
There are special considerations when using Sender ID on a server that is not directly connected to the Internet. Click Help on the Sender ID tab for more details.
e. Click OK.
2. Activate these settings on each Exchange SMTP Virtual Server.
a. From within the Exchange System Manager, expand the Servers node, and then select the server name. Expand the Protocols node, and then expand the SMTP node. Right-click your first SMTP Virtual Server, and then click Properties.
b. On the General tab, click Advanced.
c. For each IP address listed, click Edit. In the Identification dialog box, click Apply Intelligent Message Filter, and, optionally, Apply Sender ID Filter. Click OK to save your changes. You must do this for each IP address and SMTP Virtual Server.

Notes:
· The IMF filter is updated every first and third Wednesday through Microsoft Update and Automatic Updates technologies. These updates provide new rules to detect the latest spam. For the best protection, make sure that you update IMF as soon as possible after the release of a new filter update.
· On a server that is running both IMF and Antigen Spam Manager (ASM), the IMF filter will scan messages before the ASM filter does. If you are deleting or archiving messages, anything that IMF blocks will not go on to be scanned by Antigen Spam Manager. If you are using the SCL rating to deliver spam messages to the user Junk E-Mail folder, then Antigen Spam Manager will also scan the messages.
For more information about IMF, see the IMF Operations Guide.
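
The following Python model is added here to illustrate the two-level SCL handling described above and the ordering note about IMF and Antigen Spam Manager; it is not part of Exchange, Antigen, or this guide. The thresholds and message SCL values are constructed for the example and are not recommendations. The check that the gateway threshold is not lower than the Junk E-Mail threshold follows from the two-level design: if the gateway level fired at a lower SCL, the Junk E-Mail level could never be reached.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ImfPolicy:
    """The two IMF levels from the guide: a gateway level that deletes or
    archives, and a store level that routes to the user's Junk E-Mail folder."""
    gateway_threshold: int   # SCL at or above this: blocked at the gateway
    gateway_action: str      # "delete" or "archive"
    junk_threshold: int      # SCL at or above this (below gateway): Junk E-Mail

    def validate(self) -> None:
        for name in ("gateway_threshold", "junk_threshold"):
            value = getattr(self, name)
            if not 0 <= value <= 9:
                raise ValueError(f"{name} must be an SCL rating from 0 to 9, got {value}")
        if self.gateway_action not in ("delete", "archive"):
            raise ValueError("gateway_action must be 'delete' or 'archive'")
        # Keep the gateway level on top; otherwise the junk level is unreachable.
        if self.gateway_threshold < self.junk_threshold:
            raise ValueError("gateway threshold must not be below the junk threshold")


def imf_decision(scl: int, policy: ImfPolicy) -> str:
    """Map an SCL rating to the action IMF takes under the policy."""
    if scl >= policy.gateway_threshold:
        return policy.gateway_action
    if scl >= policy.junk_threshold:
        return "junk"
    return "inbox"


def run_pipeline(messages: List[Tuple[str, int]], policy: ImfPolicy) -> List[Tuple[str, str, bool]]:
    """IMF evaluates first. Messages it deletes or archives at the gateway never
    reach Antigen Spam Manager; messages routed to Junk E-Mail or the Inbox do.
    Returns (message_id, imf_decision, reaches_asm) for each message."""
    policy.validate()
    results = []
    for msg_id, scl in messages:
        decision = imf_decision(scl, policy)
        reaches_asm = decision in ("junk", "inbox")
        results.append((msg_id, decision, reaches_asm))
    return results


# Constructed sample: (message id, SCL assigned by IMF).
SAMPLE_MESSAGES = [("m1", 9), ("m2", 7), ("m3", 5), ("m4", 0)]
# Constructed policy; the threshold values are not a recommendation.
SAMPLE_POLICY = ImfPolicy(gateway_threshold=8, gateway_action="archive", junk_threshold=6)

if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_MESSAGES, SAMPLE_POLICY):
        print(row)
```

The practical point the model makes visible is that a gateway delete or archive setting removes messages from Antigen Spam Manager's view entirely, so any ASM reporting or quarantine you rely on will not show them; if you need ASM to see every message, use only the Junk E-Mail level.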

Submitting false positives and false negatives to Cloudmark

You can submit false positives and false negatives to Cloudmark for analysis.

Information regarding target spam catch-rates, false positive and false negative rates, and other advantages of using the Cloudmark anti-spam solution can be found on the Cloudmark anti-spam Web site.

To submit false positive or false negative spam e-mails to Cloudmark, send the e-mail as an RFC 2822 attachment (.eml). Do not send misclassified messages by using the Forward command; this strips them of essential header information and results in an invalid submission.

False positives (legitimate e-mail marked as spam by Cloudmark) should be sent to:

False negatives (spam not detected by Cloudmark) should be sent to:

To attach an e-mail message as an RFC 2822 attachment

1. In Microsoft Outlook, create a new e-mail message.
2. Address it to the appropriate address.
3. Click the Attach Item button, select the e-mails that were falsely classified, and then click OK.