Secure Messaging with Microsoft Exchange Server 2000

Content filtering is a thorny problem in computer science; humans are much better at recognizing patterns than software is, so even though it’s possible to construct filters that catch any arbitrary message, it’s equally possible for a determined human to come up with an equal message that doesn’t match. For proof, look at the ongoing war between spammers and antispam software—spammers continually change the subject lines and content of their messages in an ongoing attempt to outwit spam-blocking software that scans for characteristics of spam in messages.

Having said that, there are still many applications in which content filtering is useful. The most popular applications revolve around three primary elements: stopping “bad” content from coming into or out of an organization’s mail system, and removing (or at least flagging) any “bad” content stored in the mailbox stores. I put “bad” in quotation marks because what one organization considers bad or harmful might be acceptable to another. Examples include the following:

• Government agencies that want to block any messages with classification markings or sensitive keywords from leaving their internal mail systems

• Corporations that want to stop inbound and outbound mail that violates their diversity, sexual harassment, or workplace-environment policies

• Organizations that want to prevent internal users from sending confidential or sensitive documents outside the organization (at least over e-mail)

Exchange 2000 itself doesn’t include any content-filtering capabilities. That means that if you want to be able to filter mail as it arrives or departs, you have two choices: buy a commercial product, or implement your own filters using an event sink. The latter is outside the scope of this book, even though the OnArrival mechanism I mentioned earlier makes it fairly straightforward to get a peek at each inbound or outbound SMTP message. The problem with this approach is that you still have to write the code that does the matching, which is a nontrivial problem. For that reason, most sites that need content inspection end up with one of the several commercial content-filtering products.

These products offer a wide range of capabilities; in many cases, content filtering is integrated with antivirus or attachment control functionality. Overall, when you’re looking at commercial content management products you’ll probably notice the following:

• They can inspect inbound and outbound messages, flagging any that contain keywords you specify. Some products also allow messages to be flagged based on the number, kind, size, or type of attachments in the message.

• Flagged messages can be blocked (with or without notification to the sender), copied to a mailbox or public folder, or silently deleted.

• Messages with attachments can have the attachments removed, stored separately, or otherwise processed (one helpful application of filtering is to automatically compress outbound attachments so that they use less bandwidth).

Some products, like Nemx’ PowerTools (http://www.nemx.com) and GFI’s MailEssentials (http://www.gfi.com), install on the Exchange server, effectively centralizing the blocking or monitoring functions on an SMTP bridgehead. Others, like the IntelliReach Message Manager Suite (http://www.intellireach.com), install on a Microsoft Outlook client and monitor mail using the Collaboration Data Objects (CDO) interfaces. A third class of products are appliances like CipherTrust’s IronMail that act as SMTP proxies that coincidentally provide some level of content-filtering services.

Evaluating Filtering Products

Because you’re probably not going to create your own filtering product, it’s important to know what questions to ask when choosing a filtering system for your network. Prices range from a few hundred dollars for server-side tools up to tens of thousands of dollars for enterprise-scale filtering appliances. How can you tell which one is right for you? Here are some questions to ask during the evaluation process:

• What specific kinds of filtering do you want? Keyword filtering is common; more advanced tools, like the Nemx PowerTools suite, offer heuristics that attempt to classify message content by analyzing the text, not just matching strings. In either case, decide whether you need to scan message headers and bodies only, or whether you also need to be able to scan and process attachments.

• What do you want to be able to do to the filtered messages? If you’re filtering content to keep “bad” material out, you will probably want to reject inbound or outbound messages that fail the filtering checks; if you’re monitoring and filtering to keep internal users from sending out sensitive or inappropriate messages, you might prefer to copy the suspect messages to a mailbox or public folder.

• What volume of messages do you need to filter? For large, high-volume environments, you’ll probably have multiple SMTP bridgeheads, which means that you’ll probably need multiple copies of a server-based product.

• Can you specify policies? Simplistic scanners just look for terms or patterns you specify. More flexible policy-based tools can incorporate multiple criteria into rules and multiple rules into policies. A good policy-based system allows you to create policies based on criteria like sender or recipient domain or Internet Protocol (IP) address, message or header content, attachment presence or absence, and date and time. For example, you might want a policy that adds a disclaimer to mail sent from users in the Legal organizational unit unless it’s going to the domain of your company’s outside law firm. A separate policy might block all incoming mail with “mortgage” in the subject that isn’t coming from your company’s bank.

• What kind of management and reporting features do you need? In general, the more customizable the product is, the better; you’ll benefit from the additional flexibility. From the management side, be sure to find out how the product you’re evaluating handles remote management (so that you can adjust settings without sitting down in front of the server) and whether you can easily create one set of policies and then apply them to multiple machines.