Agents work on inbound messages that come from the Internet but are not authenticated.

An agent is a program with specific function.

Ex20073--Edge Transport Server

Get-TransportAgent

Reasonable order of priority

Set-TransportAgent 'Sender Filter Agent' -Priority 4

Set-TransportAgent 'Recipient Filter Agent' -Priority 5

Set-TransportAgent 'Sender ID Agent' -Priority 6

Set-TransportAgent 'Protocol Analysis Agent' -Priority 7

Ex20071--Transport Server:

By default, a transport server has two agents (Transport Rule and Journaling Rule) enabled. After running $ExScripts\install-AntispamAgents.ps1, other agents are installed.

Get-TransportAgent

Set-TransportAgent 'Sender Filter Agent' -Priority 5

Set-TransportAgent 'Recipient Filter Agent' -Priority 6

Set-TransportAgent 'Sender ID Agent' -Priority 7

Set-TransportAgent 'Protocol Analysis Agent' -Priority 8

Connection Filtering Agent

When a message is sent to work.com organization, the SMTP server on the sender side (Opath.com, Toto.com, etc) will provide its IP address.

The Connection Filter agent compares the IP address of the server that is sending a message to any of the following data stores of IP addresses:

• Administrator-defined IP Allow lists and IP Block lists
  
  
• IP Block List providers
  
  
• IP Allow List providers
  

You must configure at least one of these data stores of IP addresses for the Connection Filter agent to be operational. If the data stores of IP addresses do not contain the IP addresses on the IP Allow lists or IP Block lists, or if you do not have any IP Block List providers or IP Allow List providers configured, you should disable the Connection Filter agent.

Administrator-defined IP Block Lists

Add-IPAllowListEntry -IPAddress 209.66.141.34

Add-IPBlockListEntry -IPAddress 76.45.23.100

Many companies provide the service that lists IP addresses which have transmitted spam. The http://mxtoolbox.com/blacklists.aspx web site can be used to find the DNSBLs. Input any IP address and click "Blacklist Check".

Valuable sites:

http://www.mxtools.com

Example 1: zen.spamhaus.org

Querying zen.spamhaus.org returns the following result codes

Use of the Spamhaus DNSBLs is free of charge for low-volume non-commercial use.

Example 2:

http://www.us.sorbs.net/using.shtml

Anyone can use SORBS.

This site maintains many zones. The following are some of them:

smtp.dnsbl.sorbs.net - List of Open SMTP relay servers.

new.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 48 hours.

spam.dnsbl.sorbs.net - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS at any time, and not subsequently resolving the matter and/or requesting a delisting. (Includes both old.spam.dnsbl.sorbs.net and escalations.dnsbl.sorbs.net). escalations.dnsbl.sorbs.net - This zone contains netblocks of spam supporting.

Return codes are:

• smtp.dnsbl.sorbs.net 127.0.0.5
• new.spam.dnsbl.sorbs.net 127.0.0.6
• block.dnsbl.sorbs.net 127.0.0.8

AnyMatch--it is by default set to $true.

Add-IPBlockListProvider -Name:zen.spamhaus.org -LookupDomain:zen.spamhaus.org -RejectionResponse "Originating IP addressed matched to zen.spamhaus.org's IP Block List provider service"

IPAddressesMatch

Add-IPBlockListProvider -Name:smtp.dnsbl.sorbs.net -LookupDomain:smtp.dnsbl.sorbs.net -AnyMatch $False -IPAddressesMatch 172.0.0.5

BitmaskMatch

to match 127.0.0.4-8

Bitmask will be 0.0.0.15

Add-IPBlockListProvider -Name:"zen.spamhaus.org exploit" -LookupDomain:zen.spamhaus.org -AnyMatch $False -bitmaskMatch 0.0.0.15 -RejectionResponse "Originating IP addressed matched to zen.spamhaus.org's IP Block List provider service"

The default action of connection filtering agent is to block the SMTP Sender, except the intended recipients has set the bypass spam filter parameter on their mailbox:

Set-Mailbox –id Bond –AntiSpamBypassEnabled:$True

When –AntiSpamBypassEnabled:$True, the connection filtering agent will not block the SMTP sender.

Sender Filter Agent

To block inbound messages from senders that do not specify a sender and a domain in the MAIL: FROM SMTP header:

Set-SenderFilterConfig -BlankSenderBlockingEnabled $true

to block the domain and all its subdomains:

Set-SenderFilterConfig -BlockedDomainsAndSubdomains contoso.com,tick.com

To block a domain:

Set-SenderFilterConfig -BlockedDomains fine.com, bad.com

To block a specific e-mail address:

Set-SenderFilterConfig -BlockedSenders Joy@fun.com

Recipient Filter Agent

The Recipient Filter agent blocks messages according to the characteristics of the intended recipient in the organization.

To block messages to recipients that do not exist in your organization:

Set-RecipientFilterConfig -RecipientValidationEnabled $true

To block a specific recipient from receiving messages:

Set-RecipientFilterConfig -BlockedRecipients President@work.com, alan@work.com

Understanding Tarpit

Recipient Filter agent will verify the recipient of an incoming message against the ADAM or Active Directory database. If a matched recipient is found, a "250 2.1.5 Recipient OK" SMTP response is sent to the sending server. If not found, a "550 5.1.1 User unknown" SMTP response is sent to the sending server. A spammer can exploit the functionality to find all recipients in your organization.

The default tarpit interval is set to 5 seconds. It is used to defer the a "550 5.1.1 User unknown" response. To change the tarpit interval for a receive connector:

Get-ReceiveConnector | Set-ReceiveConnector -TarpitInterval 0:00:6

Sender ID Agent

For example, vanarts.com domain has the DNS record:

You can create the SPF record following the wizard at http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx

Sender ID agent checks the address of the server that sends the message against a registered list of servers defined by the SPF ( Sender Policy Framework) record.

The IP4:66.199.140.51 is the sole IP that sends out mail for vanarts.com.

A spoofed mail is an e-mail message that has a sending address that was modified to appear as if it originates from a sender other than the actual sender of the message.

How about the DNS server of Sender domain does not have the SPF record?

How about the DNS server of Sender domain is temporarily down?

How about the format of SPF record of Sender domain is wrong?

If you set the Sender ID Action to REJECT or DELETE, some users cannot send mail to your organization.

Sender ID action

• Stamp the status   This option is the default action. All inbound messages to your organization have the Sender ID status included in the metadata of the message.
  
  
• Reject   This option rejects the message and sends an SMTP error response to the sending server. The SMTP error response is a 5xx level protocol response with text that corresponds to the Sender ID status.
  
  
• Delete   This option deletes the message without informing the sending system of the deletion. In fact, the Edge Transport server sends a fake "OK" SMTP command to the sending server and then deletes the message. Because the sending server assumes the message was sent, it does not retry sending the message in the same session.

Set-SenderIDConfig -SpoofedDomainAction <StampStatus | Reject | Delete>

To exclude recipients from Sender ID filtering

Set-SenderIDConfig -BypassedRecipients rob@work.com,Joe@work.com

To exclude sender domains from Sender ID filtering

Set-SenderIDConfig -BypassedSenderDomains Canoe.com, Fine.com

Sender Reputation

The Protocol Analysis agent is the underlying agent for sender reputation functionality. When you enable the Sender Reputation, you must run ENABLE-TRANSPORTAGENT "Protocol Analysis Agent".

Set-SenderReputationConfig -Enabled $true

Sender Reputation does the reverse DNS test. If the returned DNS domain does not match the domain name of the message, the sender is most likely a spammer. There are other tests included.

Set-SenderReputationConfig -SrlBlockThreshold 6 -SenderBlockingEnabled:$true -SenderBlockingPeriod 36

Content Filter Agent

Safelist aggregation is performed by the Content Filter agent.

Safelist aggregation function collects data from the anti-spam safe lists that Microsoft Office Outlook and Outlook Web Access users configure and makes this data available to the anti-spam agents on the Edge Transport server in Exchange Server 2007.

The Content Filter agent must be enabled for safelist aggregation to function.

Set-ContentFilterConfig -Enabled:$true

You must regularly run UPDATE-SAFELIST on Hub Transport server inside your organization.

At Ex20071 Hub Transport server, updatesafelist.bat batch file:

"%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -PSConsoleFile "%programfiles%\Microsoft\Exchange Server\bin\exshell.psc1" -command "get-mailbox | where {$_.RecipientType -eq 'UserMailbox' } | update-safelist"
Exit

Create a schedule:

at 23:00 /every:M,T,W,Th,F,S,Su cmd /c "c:\UpdateSafeList.bat"

Understanding the safe recipient list of outlook

One thing is for sure, which is you should not put your own e-mail address under the Safe Recipients list. If you do, all mail including junk mail goes to your inbox.

Another thing is for you to understand the distribution group or distribution list. If you are the member of SeniorGroup distribution list with e-mail address SeniorGroup@terrace.com, a message sent to SeniorGroup@terrace.com will be delivered to your inbox if you put SeniorGroup@terrace.com under Safe Recipients List.

From: BaseShaw1 <BaseShaw1@terrace.com>To: Senior Group <SeniorGroup@terrace.com>Date: Sat, 20 Sep 2008 17:06:39 -0700Subject: test

Within your own organization, you don't need to put the Distribution List under Safe Recipients List. If you are a member of distribution list of Internet domain and you want to receive e-mail delivered to this group, it is better to put the distribution group e-mail address in Safe Recipients List.

How to understand the Safe Senders aggregation?--bypass content filtering

Canada.itsme.com
IP:15.80.80.80 255.0.0.0 preferred DNS: 15.80.80.80
DNS server installed with the following zones:
itsme.com zone: primary
areyou.com zone: secondary
Windows 2008, Domain Controller
Exchange 2007 SP1 with mailbox, client access, and transport roles

US.areyou.com
IP:15.90.90.90 255.0.0.0 preferred DNS:15.90.90.90
DNS server installed with the following zones:
itsme.com zone: secondary
areyou.com zone: primary
Windows 2008, Domain Controller
Exchange 2007 SP1 with mailbox, client access, and transport roles

Edgecomputer
IP:15.100.100.100 255.0.0.0 preferred DNS:15.90.90.90
FQDN: Edgecomputer.areyou.com
Windows 2008 standalone installation
Exchange 2007 Edge transport role

In itsme.com, MX record maps to 15.80.80.80
In areyou.com, MX record maps to 15.100.100.100

At canada.itsme.com:

new-SendConnector -Name 'Internet' -Usage 'Custom' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts '[15.100.100.100]' -SmartHostAuthMechanism 'None' -UseExternalDNSServersEnabled $false -SourceTransportServers 'CANADA'

Set-ReceiveConnector -Identity "Default Canada" -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers

Open the SMTP relay for testing purpose--everyone can send message to this SMTP receive connector.

Get-ReceiveConnector "Default Canada" Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

At EdgeComputer:

Add-ContentFilterPhrase -Phrase:"Win a lottery" -Influence:BadWord

In areyou.com domain, two user boxes: US1@areyou.com and admin@areyou.com are created.

Safe Senders for US1@areyou.com are kmliao@hotmail.com and abc@cnn.com.

Safe Senders for Admin@areyou.com are att@new.com and bot@old.com

At US.areyou.com--push the aggregated safe senders list to EdgeComputer:

Get-Mailbox Update-safelist -Type SafeSenders
Start-EdgeSynchronization

At canada.itsme.com:

Exchange Management Shell
telnet 15.80.80.80 25
ehlo cnn.com
mail from: abc@cnn.com
rcpt to: us1@areyou.com
data
subject: Win a lottery

You are a lucky man!
.

HTTPS://us.areyou.com/owa with us1@areyou.com account sign-in
You will receive the message from abc@cnn.com even though the badword "Win a lottery" matches.

At canada.itsme.com:
Exchange Management Shell
telnet 15.80.80.80 25
ehlo cnn.com
mail from: abc@cnn.com
rcpt to: admin@areyou.com
data
subject: Win a lottery

You are a lucky man!
.

HTTPS://US.areyou.com/owa with admin@areyou.com sign-in

The message does not be delivered to admin@areyou.com inbox because the "Win a lottery" matches.

With aggregation of safe senders from all mailboxes, the receive connector facing the Internet will deliver the message only to mailbox with the safe sender defined. Safe senders will bypass the content filter.

With the following configuration, a message will bypass the content filtering process.

Set-ContentFilterConfig -BypassedRecipients support@work.com,reception@work.com

Set-ContentFilterConfig -BypassedSenders Tom@vanarts.com,Kaiming@gmail.com

Set-ContentFilterConfig -BypassedSenderDomains vanarts.com

If the recipient mailbox is set to AntiSpamBypassEnabled:$True, the message to this mailbox will bypass the content filtering.

Set-Mailbox –id Spencer –AntiSpamBypassEnabled:$True

If The sender's IP address is on the IP Allow list, the message from this IP address will bypass the content filtering.

Add-IPAllowListEntry -IPAddress 209.66.141.34

Other examples:

Set-ContentFilterConfig -SclQuarantineEnabled:$true -SclRejectEnabled:$true -SclDeleteEnabled:$true -SclQuarantineThreshold 5 -SclRejectThreshold 6 -SclDeleteThreshold 8 -QuarantineMailbox spamQ@work.com -RejectionResponse "Message rejected due to content restrictions"

For individual mailbox:

Set-Mailbox -id Rob.Prince -SCLDeleteThreshold 8 -SCLDeleteEnabled $True -SCLRejectEnabled $True -SCLRejectThreshold 6

AD RMS Prelicensing Agent

Active Directory Rights Management Services (AD RMS) Prelicensing agent to certify the Microsoft Office Outlook recipient's authenticity so that the recipient can open messages without receiving a credential prompt on every attempt.

Disable-TransportAgent "AD RMS Prelicensing Agent"

Transport Rule Agent

Transport Rules agent   The Transport Rules agent runs on all computers that have the Hub Transport server role installed.

Edge Rules agent   The Edge Rules agent runs on all computers that have the Edge Transport server role installed.

Each Hub Transport server queries Active Directory to retrieve the organization's current transport rule configuration and then applies that transport rule configuration to e-mail messages that the server encounters. When you create a transport rule, it will be saved in Active Directory. The rule will apply to all transport servers in the organization.

The Edge Rules agent runs transport rules that are configured only on the local Edge Transport server.

Microsoft AntiSpam Update service

Home