How to fight SPAM in an Exchange Server 2003 environment: techniques and methods
11 November 2005 - 10:30
Alessandro Appiani
MCT MCSE (2000 NT 4.0 NT 3.5)
Agenda
  Spam: how to tackle the problem in the enterprise
  Exchange Server 2003 Anti-Spam
    Mail filtering and its scopes of action
    Intelligent Message Filter & Outlook integration
    VSAPI and integration with anti-virus systems
  To conclude
    Exchange Server 2003 Service Pack 2 news
    Message Hygiene @ Microsoft
    Best Practice
Spam world
  Unwanted messages are the number one problem of the e-mail world
  They are a risk to security, privacy and availability
    Phisher scams, ID and information theft
    Unauthorized relay
    Viruses, spyware, trojans
  Spam accounts for more than 60% of e-mail traffic
  Spoofing detected in 95% of phishing attacks
  Hotmail blocks more than 3 billion messages per day
  Spamming costs little, generates high profits and can be done anonymously
    -> it is hard to block spammers and phishers at the source
Message Classification
  Critical Legitimate Mail: business and personal mail (easily classified at gateway)
  Less Critical Legitimate Mail: subscriptions, listservs
  Legitimate Commercial Mail: mail from a company with a pre-existing business relationship
  Spam: unsolicited promotional messages, phishing, scams
  Destructive: viruses, malware, spyware (easily classified at gateway)
  * External communication only; all internal communication is assumed to be legitimate
Enterprise requirements for anti-spam
  Avoid false positives
  Block as much as possible at the gateway level
    Transparent to users (they do not notice it)
    Minimises the impact of spam on bandwidth and system resources (clients included)
  Administration
    Complete solutions
    Easy to manage
    Optimise the trade-off between corporate control and user choice
How to fight spam
What to analyse
  The structure of a message
    Where it comes from (Connection)
    Who it comes from (Sender)
    Who it is addressed to (Recipient)
    What it is about (Content)
  Each part of the message structure is handled directly by an individual Exchange security feature
  By analysing the message we can decide what to do with it (accept / reject)
Exchange Filtering
  Where it comes from: Connection filtering (IP)
    Global allow and deny lists
    DNS Block Lists (RBL)
  Who it comes from: Sender filtering
    Filter messages sent from particular e-mail addresses or domains
    Internal spoof detection
  Who it is addressed to: Recipient filtering
    Block messages to non-existent recipients or specific e-mail recipients
    Restricted DLs
  What it is about: Content filtering
    SmartScreen
    Intelligent Message Filter (IMF)
  Message taxonomy mapped to Exchange features
Where it comes from: Connection Filtering
  Global "Allow / Deny" lists
  Specific IPs or subnets
  "Deny" by design
  Support for subscribing to external "real-time block list (RBL)" services
    E.g.: mail from 62.190.247.12 -> lookup of 12.247.190.62.bad.bl.org
  Support for several RBL providers (3 or 4 is ideal)
  Customisable NDR for each provider
  The filter can be overridden (exception by e-mail address)
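An added example (not from the presentation) of the RBL lookup the slide describes: the sending IP's octets are reversed, the subscribed zone is appended, and an answer in 127.0.0.x means the address is listed. The zone bad.bl.org and the address 62.190.247.12 are the slide's own example; the DNS table, the accept/deny networks and the evaluation order (accept list, deny list, then RBLs) are constructed assumptions.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for DNS: maps an RBL query name to the A record the
# provider would answer. 127.0.0.x means "listed"; a missing key is NXDOMAIN.
# The zone bad.bl.org and the address 62.190.247.12 are the slide's own example.
FAKE_DNS: Dict[str, str] = {"12.247.190.62.bad.bl.org": "127.0.0.2"}


def rbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the RBL zone:
    62.190.247.12 + bad.bl.org -> 12.247.190.62.bad.bl.org"""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def rbl_listed_by(ip: str, zones: Iterable[str],
                  resolve: Callable[[str], Optional[str]] = FAKE_DNS.get
                  ) -> Optional[str]:
    """Return the first subscribed RBL zone that lists `ip`, or None.
    Several providers (the slide suggests 3 or 4) are queried in order, so a
    per-provider NDR can name the zone whose listing caused the block."""
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127.0.0."):
            return zone
    return None


def connection_filter(ip: str, accept: List[str], deny: List[str],
                      zones: List[str]) -> str:
    """Decision for one inbound SMTP connection. Assumed order: global
    accept list, then global deny list, then the RBL subscriptions."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(net) for net in accept):
        return "accept (global accept list)"
    if any(addr in ipaddress.IPv4Network(net) for net in deny):
        return "deny (global deny list)"
    zone = rbl_listed_by(ip, zones)
    if zone is not None:
        return f"deny (listed by {zone})"
    return "accept"
```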
Connection Filtering Demo
Who it comes from: Sender filtering
  Filters messages sent from an e-mail address or SMTP domain
  Filters messages with no sender
  Can optionally drop the connection
Sender Filtering Demo
Who it is addressed to: Recipient Filtering
  Filters messages sent to non-existent recipients
    No NDR (protocol level)
    Real-time lookup in Active Directory
  Filters messages sent to specific addresses
  Restricted Distribution Lists
    Only authenticated users can send mail to them
    Internal and public DLs can be handled differently
  In addition to the client-side address filtering (Safe/Block lists)
[Screenshots: Recipient Filtering; Distribution List security]
Recipient Filtering Demo
Anti-spam: Microsoft Exchange Intelligent Message Filter
  Based on SmartScreen technology
    Present in Outlook 2003
    Used by Hotmail since 24 February 2004
    Integrated with the SCL (Spam Confidence Level) infrastructure
  A (free) extension of Exchange 2003 Server SP1 (built in with SP2)
  Coexists with third-party solutions
Exchange Anti-Spam Filtering: characteristics
  A Front-End component (no cluster setup)
  Updatable
  Does not filter messages from authenticated and accepted connections
    Avoids false positives on internal or trusted mail
  Documented in the Exchange SDK
    http://msdn.microsoft.com/exchange
  Introduces new message properties (fields) to attach spam-specific information to every message
Spam Confidence Level (SCL)
  The probability that the message is Unsolicited Commercial E-mail (UCE) or junk e-mail
  A number from 0 (not spam) to 9 (certain spam)
  Stored in the database together with the message (tag property) and persists with it (routing, inbox, ...)
Microsoft Exchange Intelligent Message Filter
  Administered with Exchange System Manager
  Threshold based
    Gateway SCL threshold: reject, delete, archive, and no action
    Store SCL threshold
  Built-in performance counters
  MOM management pack extension
  Comprehensive deployment guide
    How it works (Server & Client settings)
    Intelligent Message Filter basic configuration
    Customizing Intelligent Message Filter (deployment guide, chapter 6)
IMF Demo
Outlook & OWA Client Features
  Web/Spam beacon blocking
    Blocks potentially dangerous HTML content
Outlook 2003 & OWA 2003 enhancements
  User-specified Safe & Blocked Senders lists
    Safe Senders, Safe Recipients, Blocked Senders
    Can include Contacts and the GAL
    The Safe Senders Only mode is also supported
  User lists SHARED by Outlook 2003, Exchange 2003 and OWA
    Stored on the server (mailbox store)
    Requires Outlook 2003 for configuration
  Moves to the junk folder are determined by:
    Exchange 2003 mailbox store, based on the user lists
    Per-message SCL
    Client side, based on Microsoft SmartScreen technology
  Block all external content by default (web beacons)
The Outlook client: junk e-mail
  Outlook 2003 security (SmartScreen, ...)
  Client settings (junk mail, ...)
Outlook Web Access Demo
How to fight viruses
Enterprise requirements for antivirus
  Adequate defences are necessary
  Differentiated handling of inbound and outbound messages
  Not only AV scanning
    Attachment management is key
    Directory lookups before scanning
    Security notifications
    Message purging versus cleaning
    Metrics and reporting
Anti-Virus Protection
  Exchange Server 2003 provides a specific API for handling viruses (Virus Scanning API 2.5)
  Prevents viruses from reaching Outlook
    Blocks potentially dangerous attachments
    Gateway scanning (non-mailbox server)
    Deletes infected messages
  As with spam, and even more so with viruses, blocking must be done server side as far as possible
How to Fight Viruses
  VSAPI 2.5 exposed at the Exchange transport level (gateway)
    Inbound message arrives at gateway using SMTP
    Transport event sink hands message to VSAPI queue
    VSAPI removes message from queue and passes it to the scanner
  Additional message properties are exposed to the scanner
    For example, sender and recipient addresses can be used in notifications
  Message deletion is possible
    Allows an antivirus solution to implement a message purge feature
Exchange Server 2003 Antivirus Features
  VSAPI 2.5
    Backward compatible with VSAPI 2.0
    Optional infected message deletion
    Additional message properties
      Sender e-mail address
      Recipient addresses (To: and Cc:)
    Additional MAPI error codes
      Virus present
      Virus present, message deleted
Exchange Server 2003 Service Pack 2 news
Exchange Server 2003 SP2 Anti-Spam Features
  Updated SmartScreen Technology
  Anti-Phishing Technology
  Sender ID Framework (SIDF) support
Updated SmartScreen Technology
  Integrated Intelligent Message Filter
    Latest filter updates
    User interface updates to Exchange System Manager (Junk E-Mail Filtering)
    Added Anti-Phishing Technology
Anti-Phishing Technology
  Integrated into SmartScreen Technology
    Transparent to administrators and end users
  Phishing Confidence Level (PCL)
    Weighted 1-8 (higher = more likely bad)
Sender ID Framework (SIDF)
  Industry standard created to counter domain spoofing
    SIDF has been reviewed and submitted to the Internet Engineering Task Force for final review
    Combines Sender Policy Framework and Microsoft Caller ID for Email
  E-mail domain authentication framework that uses Sender Policy Framework (SPF) records in DNS as an authentication mechanism
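To make concrete how a policy published in DNS lets the receiving gateway detect a spoofed domain, here is an added example (not part of the presentation and not Microsoft's Sender ID implementation) that evaluates a small subset of SPF syntax (ip4 with optional CIDR, include, and all with its qualifier) against a constructed DNS table. Real Sender ID additionally decides which header address (the PRA) to check; that step is omitted. All domains and records are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed TXT records standing in for real DNS lookups; the domains are
# documentation names and the policies are invented for this illustration.
FAKE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 "
                    "include:mailer.example.net -all"],
    "mailer.example.net": ["v=spf1 ip4:203.0.113.0/26 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str) -> Optional[str]:
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in FAKE_TXT.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate `ip` against `domain`'s policy for the subset used here:
    ip4 (optional CIDR), include:, and all with a qualifier.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                      # bound include: recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                   # no policy: the receiver cannot decide
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            if check_spf(ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term
```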
Message Hygiene @ Microsoft
Message Hygiene at Microsoft
[Flow diagram, reconstructed as text]
  Internet
  -> Gateway Server Transport (Anti-Spam): Connection Filtering (RBLs); Sender/Recipient Filtering; Exchange IMF
     SCL >= Gateway Threshold? (Spam?) Yes -> Filter Action; No -> continue
  -> Gateway Server Transport (Antivirus and Attachments): Virus Scanning; Attachment blocking; Attachment stripping
  -> Mailbox servers (Store): User Safe/Blocked Senders; SCL Store Threshold
     Spam? Yes -> Junkmail; No -> Inbox
  -> Clients (Outlook 2003 & Outlook Web Access): User Safe/Blocked Senders; Desktop Anti-Virus -> Inbox / Junkmail
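An added example (not from the presentation) tying the IMF threshold slide and the flow above together: a gateway decision driven by the gateway SCL threshold and its configured action, followed by the mailbox-store decision driven by the user's Safe/Blocked Senders lists and the store SCL threshold. The threshold comparisons (gateway: greater than or equal to, store: greater than), the dataclasses and the sample senders are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Set


@dataclass
class Message:
    sender: str
    scl: int                         # 0 (not spam) .. 9 (certain spam), stamped by IMF
    authenticated: bool = False      # IMF skips authenticated/accepted connections


@dataclass
class Policy:
    gateway_threshold: int = 8       # Gateway SCL threshold (ESM)
    gateway_action: str = "archive"  # reject | delete | archive | none
    store_threshold: int = 4         # Store SCL threshold (ESM)


@dataclass
class UserLists:                     # per-mailbox Safe/Blocked Senders, kept in the store
    safe: Set[str] = field(default_factory=set)
    blocked: Set[str] = field(default_factory=set)


def gateway_decision(msg: Message, policy: Policy) -> str:
    """IMF on the front-end/gateway. Assumed comparison: SCL >= threshold."""
    if msg.authenticated:
        return "deliver"             # not filtered: no false positive on trusted mail
    if policy.gateway_action != "none" and msg.scl >= policy.gateway_threshold:
        return policy.gateway_action
    return "deliver"


def store_decision(msg: Message, policy: Policy, lists: UserLists) -> str:
    """Mailbox store junk-mail rule: user lists win over the SCL; otherwise
    the message is moved when its SCL exceeds the store threshold (assumed >)."""
    if msg.sender in lists.safe:
        return "inbox"
    if msg.sender in lists.blocked:
        return "junk"
    return "junk" if msg.scl > policy.store_threshold else "inbox"


def hygiene_pipeline(msg: Message, policy: Policy, lists: UserLists) -> str:
    """End-to-end outcome, prefixed with the stage that decided it."""
    action = gateway_decision(msg, policy)
    if action != "deliver":
        return "gateway:" + action
    return "store:" + store_decision(msg, policy, lists)
```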
Message Hygiene at Microsoft
  Connection filtering: blocks … of all incoming SMTP connections
  Sender and recipient filtering: blocks … of the remaining messages
  Intelligent Message Filter: blocks … of the remaining messages
  Outlook 2003 and Outlook Web Access junk e-mail: blocks … of the remaining messages
Best Practice
Best Practice - 1
  Connection Filtering
    Enable Accept/Deny IP lists at the gateway (and RBLs too, if possible)
    The IP restriction lists can be modified from code (KB 810913)
  Recipient Filtering
    Recipient lookup at the gateway
    Enable the Active Directory lookup
    Restricted DLs
      Only when all members are internal
      Beware of use by applications (authenticated or not)
Best Practice – 2 (IMF)
  In multi-forest environments
    Enable (cross-forest) authentication on the SMTP connectors
    This way the SCL tagging information etc. is preserved
  Cannot be enabled on an Exchange 2003 cluster (it is a typical Front-End service)
  Start "loose" to avoid false positives
  Configure Outlook 2003 Trusted Senders (& junk settings) via the CIW
Best Practice – 3 (IMF)
  Reject vs Archive
    Controllable with Performance Monitor
      Total Messages Scanned for UCE
      Messages Scanned for UCE/sec
      % UCE out of Total Messages Scanned
      Total Messages Assigned an SCL Rating of X
      ....
    Archive: check the folder
      Location can be changed (registry)
      Can also include the SCL (registry)
  Microsoft Exchange Intelligent Message Filter Deployment Guide
  IMF Archive Manager
IMF Archive Manager Demo
References and resources

IMF Archive Manager (C# tool released with
source on GotDotNet)
http://workspaces.gotdotnet.com/imfarchive

Microsoft Safety Technology and Strategy
www.microsoft.com/mscorp/safety/default.mspx

Security Resources
http://www.microsoft.com/technet/security

Sender ID:
http://www.microsoft.com/senderid
References and resources (Exchange)
Exchange Home
http://www.microsoft.com/exchange
Exchange Italy Home
http://www.microsoft.com/italy/exchange
Exchange Server TechCenter
http://www.microsoft.com/technet/prodtechnol/exchange/default.mspx
Exchange Server 2003 Technical Documentation Library
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
Exchange Developer Documentation on MSDN
http://msdn.microsoft.com/exchange
Exchange Server 2003 Errors and Events Web Site
http://www.microsoft.com/technet/support/ee/search.aspx?LCID=1033&DisplayName=Exchange%20Server%202003&ProdName=Microsoft%20Exchange&MajorMinor=6.5
Exchange Support Center
http://support.microsoft.com/default.aspx?scid=fh;EN-US;exchange
Exchange Downloads
http://www.microsoft.com/exchange/downloads/
Exchange Server Community Center
http://www.microsoft.com/Exchange/community/default.mspx
Questions?
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.