Installing Anti Spam Agents
By default the Anti Spam agents are not installed on the hub servers ***these must be installed on each hub that you want to utilze the agents ****

Open EMC
Organizational Configuration
Select the Hub Transport Server

As you can see there is no reference to the anti spam agents

Lets go ahead and install the Agents”

1. Open EMS
2. you can change to the directory or input the path to the powershell script (I chose to change to the directory) Change to C:\progroam files\Microsoft\Exchange Server\Scripts (assuming install directory is default)
3. ./install-AntiSpamAgents.ps1

After the agents are installed the Transport Service needs to be restarted

Lets go back to EMC–Organizational Configuration — Hub Transport

We now have an Anti Spam Tab with a number of items to configure

CONFIGURATION:
Now that we have installed our Anti Spam Agents lets take a look at what we can configure. Some configuration can only be done from EMS and some can be done from both EMS and EMC.
Content Filtering
IP Allow List
IP Allow List Providers
IP Block List
IP Block List Providers
Recpient Filtering
Sender Filtering
Sender ID
Sender Reputation

Content Filtering:
When the Content Filter agent is enabled on a computer, the Content Filter agent filters all messages that come through all Receive connectors on that computer. Only messages that come from external sources are filtered. External sources are defined as non-authenticated sources that are considered anonymous Internet sources.
http://technet.microsoft.com/en-us/library/bb124739.aspx

Content filter provides us with 3 tabs that we can configure
1. Custom Words
2. Exceptions
3. Action

Lets first set a custom message to the users when a message is filtered, to do this you use the the set-contentfilterconfig command
Set-Contentfilterconfig -rejectionresponse “Your message was rejected due to content it contained”

Custom Words
This options allows us to configure 2 options 1: Messages with certain words will not be blocked and 2. Messages containing works or phrases to block.

Lets perform some Tests:
1. Add a word to by pass our content filter
2. Add a word/phrase to block the message

I have created 2 new rules:
1. bypass will exempt a message from being filtered
2. baseball or “my dog has fleas” will be blocked

Since Content filter is only done for remote domains I setup a 2nd Exchange Org remote.local for the my tests.

Test:
Send Message From External.User@remote.local to Brian.Tirch@Vm.local with Baseball to catch the message

Result:
The Sender External.User@remote.local receives Error message stating message is restricted, we can see our custom error message towards the bottom of the message.

Test2: Send Messge From External.User@remote.local to Brian.Tirch@vm.local with bypass to bypass the content filter

Result: Message was receieved by Brian

Exceptions
We have the ability to let users or groups by pass the content filter, this would be good for help desk mailboxes etc……

I have added Brian.Tirch@vm.local to the Exepctions

Test: Send message from External.User@remote.local with baseball to Brian.tirch@vm.local

Result: The message was delivered and bypassed our content filter blocking the word baseball

Action:
The Action tab alllows use to set thresholds to 1. Reject 2. Delete or 3. quarantine messages

For this test I have set all message with SCL rating of 2 to be quarantined and Brian.Tirch@vm.local receive a copy.

Test:
1. Removed Brian from the Exception
2. Sent message from External.User@remote.local with spam like content

Result:
Message was captured by the content filter and a Quarantined version was sent to our spam mailbox.
I then released the message from our spam mailbox to the recipient which was delivered.

** To release a messsage from the spam mailbox you open the message and click send again **

IP Allow List
IP Allow lists are not configurable at the Org level, this is a server level setting and we must look under server configuration -> Hub transport to be able to configure this via EMC.

Lets use the Get-IPAllowListConfig to see what our default configuration is.

We can see that by default only filtering of external domains is enabled, however this feature can be configured for internal and(or) exteranl filtering.

To add a single IP or range of IP’s we would use Add-IPAllowListEntry command
Add-IPAllowListEntry -IPAddress 1.1.1.1

Any address or range added to your filter be bypass the content filter that you have enabled. This would be good for any remote system or new groups that are trusted or any smtp relays that are trusted.

After we have added the IP/Range we want to allow we can use the Get-IPAllowListEntry to view our configured systems.

http://technet.microsoft.com/en-us/library/bb123554.aspx
http://technet.microsoft.com/en-us/library/bb124385.aspx

IP Allow List Providers
IP Allow list provider aka Save List Services can be manged via EMS or EMC

Lets look at the properties of the IP Allow List Providers

Click Add

Provider name :Type the name of the IP Block List provider service. This name is for your own use
Lookup domain : type the domain name that the Connection Filter agent queries for updated IP Block list information.

Match to any return code When you select this option, the Connection Filter agent treats any IP Address status code that is returned by the IP Block List provider service as a match.
Match to the following mask When you select this option, the Connection Filter agent acts only on messages that match the return status code of 127.0.0.x, where the integer x is any one of the following values:
1 The IP address is on an IP Block list.
2 The Simple Mail Transfer Protocol (SMTP) server is configured to act as an open relay.
4 The IP address supports a dial-up IP address.
Match to any of the following responses When you select this option, the Connection Filter agent acts only on messages that match the same IP address status code that is returned by the IP Block List provider service.

IP Block List
IP Block Lists are the opposite of our allow lists, there are IP that we want to block from sending messages to our Exchange environment. IP block lists are not configurable at the Org level, this is a server level setting and we must look under server configuration -> Hub transport to be able to configure this via EMC.

We can use the Get-IPBlockListConfig to view our current

To modify our configuration we need to utlize the Set-IPBlockListConfig
http://technet.microsoft.com/en-us/library/bb123578.aspx

Lets create a custom response message for a blocked server:
[PS] C:\>Set-IPBlockListConfig -StaticEntryRejectionResponse “Your machine has been identified as malicious and all messages will be rejected from your server”.

Now lets add the IP address of our remote mail server to our block list:
Add-IpblockListEntry -IpAddress 192.168.1.120

Test:
Send a message from External.User@remote.local to Brian.tirch@vm.local

Result:
The Sender received an NDR with our custom message stating the server has been blocked

We can see that our message was reject by our content filter and our custom message was displayed.

IP Block List Providers IP Block List Providers like Spam Haus http://www.spamhaus.org/index.lasso have been around for a number of years and have compiled a list of known spamers and can greatly assist Exchange Administrators by using thier compiled list instead of manually blocking IP’s.

The agent can be managed from both EMS and EMC
On the properties of the agent we see the following

Let configure our server to use Spam haus as an Block List ProviderSelect the Providers Tab and Click Add

you can test to see if the SBL blocking is working by sending an email (any email) to: nelson-sbl-test@crynwr.com (you must send the email from the mail server which you wish to test). The Crynwr system robot will answer you to tell you if your server is correctly blocking SBL-listed addresses or not.We can also configure Exceptions so that email sent TO a user are not blocked even if they are found to be from someone on the Block List.

Recipient Filtering
Recipient Filtering allow the system to reject messages of users that are not in your address book or you can block recipients that should not be receiving mail from the outside.

Lets look at our settings
1. check the box to block messages to recipients not listed in the GAL
2. We can block messages to specific users or groups
Test1:
I am going to add Brian.Tirch@vm.local as a blocked users, then send a message from External.User@remote.local

Result:

Sender receives a 550 5.1.1 User unknown ##
Test2:
With the block messages to recipients not listed in the GAL checked, I sent a message from External.User@remote.local to Madeup@vm.local

Result:
Sender recieves a 550 5.1.1 User unknown ##

Test3:
With the block messages to recipients not listed in the GAL NOTchecked sent a message from External.User@remote.local to Madeup@vm.local 

Result
Sender recieves a #< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP# error

For more information on Recipient Filtering review the following
http://technet.microsoft.com/en-us/library/aa998898.aspx

Sender Filtering
Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains that are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message.

Sender Filtering can be managed via EMC or EMS, lets look at the settings we have available

You can see we have 3 tabs
1. General – provides a description of what sender filtering does
2. Blocked Senders – allow us to block users,domains, or messages with blank sender fields
3. Action – allows the message to be rejected or stamped with blocked sender

Lets configure some settings
1.Add External.User@remote.local as a blocked user and set the action to reject

Test:
Send a message from External.User@remote.local to Brian.Tirch@vm.local

Result:
The sender receives and NDR #554 5.1.0 Sender denied ##

Now we have remove the individual user from the block list and added the entire domain, for this test we will still leave the action to block.

Test2:
send a message from External.User@remote.local to Brian.Tirch@vm.local

Result:
The sender receives and NDR #554 5.1.0 Sender denied ##

I have left the domain block in place however this time changed the actions to stamp

Test3
send a message from External.User@remote.local to Brian.Tirch@vm.local

Result:
Message was received by Brian.Tirch@vm.local ….

“Stamp message with blocked sender and continue processing If you select this option, messages from a sender or domain that is on the Blocked Senders list are stamped with the blocked status and continue to process. This message metadata is evaluated by the Content Filter agent when a spam confidence level (SCL) is calculated. Additionally, sender reputation uses the message metadata when it calculates a sender reputation level (SRL) for the sender of the message.” http://technet.microsoft.com/en-us/library/aa997235.aspx

http://technet.microsoft.com/en-us/library/aa996031.aspx
http://technet.microsoft.com/en-us/library/aa996920.aspx

Sender ID
“The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail messages are sent. Sender ID validates the origin of e-mail messages by verifying the IP address of the sender against the alleged owner of the sending domain.”
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx
http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx

Lets take a look at what options we have

We have 2 tabs, general and actions

General: Gives an overview of what Sender ID does
Actions: Allow us to reject, delete, or Stamp message with sender ID result and continue to process

**that many people have not adopted sender ID and I would recommend the default action of tamp message with sender ID result and continue to process

Notice these action state the message MUST FAIL the sender ID check, if the sender ID look finds no SPF record then the message will be process and the header be tagged

X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (VMCASHUB.VM.Local: External.User@remote.local does not
designate permitted sender hosts)

To force a reject or delete, I will have to configure an SPF record and leave the IP of just hub server off the list. To use a wizard you can go to the following link http://www.openspf.org/

Sender Reputation
When Sender Reputation is enabled a sender reputation level (SRL) is calculated by Exchange using the following:

HELO/EHLO analysis
Reverse DNS lookup
Analysis of SCL ratings on messages from a particular sender
Sender open proxy test
http://technet.microsoft.com/en-us/library/bb124512.aspx

We have 3 tabs General, Sender Confidence, and Action

The Sender Confidence tab allow us to perform an open proxy test

The actions tab allows us to set a threshold for our SRL

The last item I want to mention is how to set the SCL Junk threshold
SCL Junk E-mail folder threshold
If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, the Mailbox server puts the message in the Outlook user’s Junk E-mail folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, the Mailbox server puts the message in the user’s Inbox.

use the Get-OrganizationalConfig command to display the current settings

we can see our current value is set to 8, let change this to 2 and generate a message that will exceed this value.
C:\>Set-OrganizationConfig -SCLJunkThreshold 2

Lets send a message from External.User@remote.local to brian.tirch@vm.local and simulate a junk message.

If we look at the message header we can see the SCL was 4 which exceeded our SCL threshold of 2 and sent the message to junk

X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report

http://support.microsoft.com/kb/555924
http://technet.microsoft.com/en-us/library/bb123502.aspx