Microsoft Small Business Server 2003 Unleashed

Email has quickly become one of the most popular ways that people communicate with each other. With it we can instantly send pictures, send attachments, or give someone information that just a few years ago would have required a phone call or fax, or would have taken days to receive.

Junk mail is typically defined as unsolicited email or pop-ups sent to you without your prior knowledge or approval. Also described as spam, these emails usually contain an advertisement for a product or service. This type of email not only wastes large amounts of network bandwidth and server resources but also costs companies millions with loss of labor by employees viewing or deleting them. Junk email is considered spam; however, not all spam is considered junk email.

A virus is a computer program loaded onto your computer without your knowledge. These programs are made by man, but have the capability to replicate themselves to other computers without others knowing it is happening. After the virus program is executed, it steals available memory and resources from the system making the unit unusable.

Both have become a significant problem for mail system administrators. Some problems stem from receiving spam and virus-infected attachments, some from the measures other companies have taken to curtail the flow of spam into their systems. The next two sections discuss each of these scenarios in more detail.

Recipient Filtering and Tar Pitting

A number of third-party solutions have come and gone over the years to help combat spam and viruses. Unfortunately, most of those work only on messages after they have been received by Exchange and processed into the message store. As the volume of received messages increases, this approach becomes less efficient. Exchange 2003 implements two features to help combat this problem.

Recipient Filtering in SBS 2003

Recipient filtering is a new feature in Exchange 2003 that allows the SMTP server to drop or reject email not addressed to a mail-enabled account in Active Directory. This is beneficial in two ways. First, it cuts down on the number of messages that have to be processed into the message store in Exchange, which reduces the load on the database. In an SBS environment, this might not seem like a significant issue, but considering that some sites have been hit with several thousand messages a minute in a reverse NDR attack (see the following sidebar), it can become a problem quickly.

Best Practice: Preventing the Reverse NDR Attack

A reverse NDR attack occurs when a spammer or other malicious individual sends a flood of email messages to a server with bad recipient addresses and bad return addresses. In normal Exchange operations, these messages are received by the SMTP server and passed on to Exchange for processing. Only when Exchange attempts to put the message in the message store does the process recognize that the address is invalid. At that point, Exchange generates a Non-Delivery Report (NDR) an sends it back to the sender.

This is where the invalid return address comes into play. When Exchange attempts to deliver the NDR back to the sender, it gets hung in the outgoing mail queue while Exchange goes through its normal process of attempting to send the message. By default, Exchange attempts delivery for 48 hours before deleting the message. When thousands upon thousands of these undeliverable NDRs begin filling up the queue, however, not only does the Exchange/SMTP process slow down, but it can slow down the entire server. In addition, server disk space is used up quickly for storage of these messages that will simply never get delivered.

The best way to prevent a reverse NDR attack is to simply refuse delivery of messages with invalid mail addresses at the SMTP server level so that no NDR is generated within Exchange. If Exchange is not configured this way, the pain inflicted by a reverse NDR attack can be sudden and severe.

Follow these steps to enable recipient filtering on the SBS server:

1.

In the Server Management Console, expand Advanced Management, First Administrative Group (Exchange), Global Settings.

2.

Right-click on Message Delivery and select Properties.

3.

Click the Recipient Filtering tab.

4.

Enable the Filter Recipients Who Are Not in the Directory check box, as shown in Figure 12.1, and click OK.

Figure 12.1. Recipient filtering is first enabled in the Message Delivery properties.

5.

A dialog box appears indicating that you must manually enable recipient filtering on the SMTP virtual server. Click OK.

6.

Under the Exchange node, expand Servers, your server name, Protocols, SMTP.

7.

Right-click the Default SMTP virtual server and select Properties.

8.

On the General tab, click the Advanced button.

9.

In the Advanced dialog box, click Edit.

10.

In the Identification dialog box, enable the Apply Recipient Filter check box, shown in Figure 12.2, and click OK.

Figure 12.2. Enable the recipient filter in the Default SMTP Virtual Server properties.

11.

Click OK twice more to close out the Default SMTP Virtual Server properties.

There is one significant downside to enabling recipient filtering on an Exchange server. When recipient filtering is enabled, a spammer can run scripts against your server's SMTP service looking for valid email addresses. If the script gets an immediate rejection for an email address, the spammer knows to mark that address as invalid and not to use it again. If the script does not get an immediate rejection, the address can be marked as valid and sold to bulk mailers or used directly by the spammer. Fortunately, there is a way around this issue by using tar pitting.

SMTP Tar Pitting

The tar pit feature was first introduced in Microsoft KB article 899492 (http://support.microsoft.com/kb/899492/) as a hotfix for Windows Server 2003. The feature is also included in Windows Server 2003 SP1 and is described in Microsoft KB article 842851 (http://support.microsoft.com/kb/842851).

In normal operations when recipient filtering is enabled, an SMTP request for an invalid email address gets an immediate 5.1.1 User unknown response. Enabling the tar pit feature delays the error message, which generally causes problems for spammers running scripts against the mail server.

By default, the tar pit feature is enabled when SBS SP1 is installed in a slipstreamed media version. If you are adding SP1, you can enable tar pitting by following the instructions in Microsoft KB article 842851. The necessary code is on the service pack installed version but not yet enabled. Only SBS installations performed with the SP1 slipstreamed media have the value enabled out of the box.

Exchange Intelligent Message Filter (IMF)

Another tool that Microsoft provides to help counter spam on Exchange servers is the Intelligent Message Filter (IMF). This free download from Microsoft's website can be installed on any Exchange 2003 server. The IMF works with both the SMTP and Exchange services to help mail administrators filter or block unwanted email from the server.

The IMF scans each piece of incoming email at the SMTP service and assigns a Spam Confidence Level (SCL) value, ranging from 19, to the message based on a number of factors. Then, depending on the configuration, the message is blocked or delivered based on two different filters. The first filter is the blocking filter. When the IMF installs, it sets a value of 8 for this filter. This means that any message with an SCL value of 8 or 9 will have one of four actions taken on it. Those actions are

  • ArchiveThe message is moved into an archive folder on the system for later review by the mail administrator.

  • DeleteThe message is deleted from the system with no other action taken.

  • No ActionThe message is passed through to the next phase of filtering.

  • RejectThe message is not delivered, and a rejection email is sent to the message sender.

Any message with an SCL value of 7 or less at the first filter gets passed on to the second filter automatically.

The second filter determines whether the message is delivered to the user's Inbox or the Junk Mail folder. Again, the default value on this at installation is 8, meaning that a message with an SCL value of 8 or higher gets put into the user's junk mail folder. Again, messages with an SCL value of 7 or less get stored directly in the user's Inbox.

Follow these steps to install the Exchange IMF on SBS:

1.

Download both the Exchange Intelligent Message Filter and the Filter Update for Exchange Intelligent Message Filter from Microsoft.

2.

Start the IMF install by double-clicking on the ExchangeIMF.MSI file.

3.

Click Next on the opening page of the wizard.

4.

Select the I Agree radio button on the End User License Agreement page and click Next.

5.

When the components finish installing, click Finish to close the wizard.

6.

Launch the Filter Update by double-clicking on the Exchange 2003-KB883106-v2-x86-ENU.exe file.

7.

In the first page of the Installer Wizard, click Next.

8.

Select the I Agree radio button on the Licensing Agreement page and click Next.

9.

When the update completes, click Finish to close the installer.

After the IMF has been installed, you need to configure it for your environment. If you accept the default installation values, mail with an SCL value of 8 or higher will get filtered into the user's Junk Mail folder, and all other messages will be delivered into the Inbox. You can change the values of the filter at any time, but you may want to start with a more aggressive filter configuration. Follow these steps to configure the IMF:

1.

Open Exchange System Manager.

2.

Expand Global Settings and open the Properties for Message Delivery.

3.

Click on the Intelligent Message Filtering tab.

4.

Select the desired values for the Gateway Blocking Configuration and the Store Junk E-mail Configuration. Figure 12.3 shows the settings for a moderately aggressive junk mail filter. Click OK when complete.

Figure 12.3. Settings for the Intelligent Message Filter.

5.

In the Exchange System Manger, expand Servers, your server name, Protocols, SMTP.

6.

Right-click on the Intelligent Message Filter and select Properties.

7.

Enable the check box for the Default SMTP Virtual Server and click OK.

Best Practice: Install the Intelligent Message Filter on All SBS Installations

Any server not running any third-party antispam solutions should definitely install and use IMF on SBS because there is no cost, and the immediate benefit of reduced spam is invaluable. Even if other third-party programs are being used, the IMF can still be used to provide additional protection. In the same way that no single antivirus or antispyware program catches every threat across the board, no single antispam product can either. When possible, always use two comparable tools to protect against unwanted items, and when one of those tools (IMF) is free, there is no financial reason to avoid it.

Getting Mail Delivered Despite Antispam Measures

Many organizations have begun taking drastic measures to combat the flood of spam their accounts are receiving. They have started using a number of new technologies that have made it more difficult for smaller businesses to get mail through to their clients. The following are a few examples of the technologies used to fight spam:

  • BlacklistsThe ISP obtains updated lists from organizations such as www.ordb.org for suspected spam servers. These lists contain servers/domains that have been listed as having open Relay servers and could be used for spamming.

  • Dynamic IP listsMost ISPs designate these for residential use. ISPs such as AOL view that residential users would be using their ISP's SMTP servers for sending mail (smart host), so there should not be a need for receiving mail directly from a dynamic IP that appears in the list. In turn, the direct connection would be denied.

  • Reverse DNS lookupsBefore a connection is accepted, the remote email server performs a DNS lookup on the originating server ensuring that the IP being presented matches the domain name.

How Mail Gets Delivered

Exchange can use two methods to send email to other mail servers. These are commonly referred to as DNS delivery and smart host delivery.

DNS

By default Exchange uses DNS to send Internet email. It is through the use of DNS records and MX records registered for a public domain that addresses are discovered and email is routed. When Exchange needs to send mail, it attempts to look up the MX record for the remote domain's mail server using a public DNS server. It then takes the IP address listed for the remote server and attempts to connect to the remote mail server directly.

Smart Host

A smart host is a "middleman" email server that forwards/sends email for your domain's email server on its behalf. When a smart host is in place, Exchange takes outgoing mail and sends it to another mail server that you specify (the smart host). The smart host then sends your email to the destination mail server. This feature makes it appear that email from your domain is originating from the smart host server. A good example of this would be if you or someone else uses Outlook Express to send email through your ISP's SMTP servers.

Routing All Mail Through DNS

If your have a static IP address for your network, this is usually the best option for delivering mail. Here are some reasons why:

  • No "middleman" is needed.

  • You don't have to rely on third-party email servers to ensure delivery of email.

  • You have more control over email delivery.

  • The server continues to attempt to resend email if needed.

When you run the CEICW, you can choose to have mail delivered through DNS by selecting the Use DNS To Route E-mail button in the E-mail Delivery page of the wizard. The wizard then creates the Default SMTP Virtual Server and the SmallBusiness SMTP Connector and configures both to route mail directly using DNS.

Note

If you think you have a static IP, check with your ISP to make sure that it really is a static address. Some ISPs use DHCP reservations to reserve a specific IP address for a client, but the address still shows up in the dynamic address pool.

Routing All Mail Through a Smart Host

If you do not have a static IP address, or if you cannot get a reverse DNS pointer record for your static IP address, you may have difficulty delivering mail directly from your site. There are other reasons that you may choose to router your email through a smart host, including the following:

  • You avoid antispam measures to larger ISPs.

  • It may be the only way to send email when using a dynamic IP.

  • The server continues to attempt to resend email if needed.

  • Some ISPs view access to their email servers as a Premium Service. In this case, you may need to subscribe to an additional third-party email service.

The smart host configuration can also be set in the CEICW. In the E-mail Delivery page of the wizard, select the Forward All E-mail To E-mail Server At Your ISP radio button and then enter the address for your ISP's SMTP mail server.

Note

Smart hosts can be created or identified by either IP or FQDN (fully qualified domain name). FQDN is preferred to avoid any possible issues with unexpected IP changes. If you use an IP address to specify a smart host, the address must be enclosed in square brackets.

If your ISP requires you to authenticate to its smart host to send mail (not all do), you need to manually enter the authentication settings in Exchange System Manager. Follow these steps to add outbound authentication for the SMTP server:

1.

Open Exchange System Manager.

2.

Expand Servers, your server name, Protocols, SMTP.

3.

Right-click on the Default SMTP Virtual Server and select Properties.

4.

Click on the Delivery tab and then click Outbound Security.

5.

Select the Basic Authentication radio button, enter the username and password for the mail server, as shown in Figure 12.4, and then click OK when finished.

Figure 12.4. Setting the outbound authentication information in the SMTP Virtual Server.

6.

Click OK to close the Properties of the Default SMTP Virtual Server.

7.

Expand the Connectors node in Exchange System Manager.

8.

Right-click on the SmallBusiness SMTP Connector and select Properties.

9.

Click the Advanced tab; then click the Outbound Security button.

10.

Select the Basic Authentication radio button; then click the Modify button.

11.

Enter the username and password for the ISP mail server connection and click OK. When the authentication has been set, as shown in Figure 12.5, click OK to close the window.

Figure 12.5. Setting the outbound authentication information in the SMTP Connector.

Note

Outbound SMTP authentication information must be entered in both the Default SMTP Virtual Server and the SmallBusiness SMTP Connector objects before Exchange can successfully route email through the smart host.

12.

Click OK twice to close the SmallBusiness SMTP Connector Properties window.

Routing Some Mail Through DNS, Some Through Smart Host

In some rare circumstances, you may find a need to route some mail through a smart host and some mail through DNS. One large ISP in the United States has reconfigured its SMTP servers so that attempts to authenticate to a smart host from an Exchange server fail, even though connection attempts from other mail systems work successfully, forcing some businesses to use third-party smart host systems to route mail. The following steps walk you through the process of setting up a new SMTP mail connector and configuring Exchange to route mail appropriately:

1.

Open Exchange System Manager.

2.

Right-click on Connectors and select New, SMTP Connector.

3.

In the General tab, enter a name for the connector.

4.

Select the Forward All Mail Through This Connector to the Following Smart Hosts radio button and enter the SMTP address for the smart host.

5.

In the Local Bridgehead section, click Add, select your Exchange server from the list, and click OK.

6.

Click the Address Space Tab.

7.

Click Add, select SMTP, and then click OK.

8.

Enter the name of the domain you want to route through the smart host, as shown in Figure 12.6. Click OK when finished.

Figure 12.6. Enter the mail domain in the SMTP connector Address Space Properties page.

Note

Address space defines the domains or mail addresses to route through the connector. Routing through a connector is done through the closest match to an address space. Wildcards can be used in address spaces, as follows:

  • *Includes all external domains

  • *.netIncludes all external domains with the .net extension

  • aol.comSpecifies the domain only.

Exchange selects which connector to use based on the address spaces listed for the connector. If more than one connector has the same name space, the cost is the deciding factor. For a typical SBS server, you will not have multiple connectors with the same name space, so dealing with cost values is not as critical as with larger Exchange installations.

9.

Repeat steps 7 and 8 to add additional domains for delivery through this connector.

Caution

Do not list your inbound domains on an SMTP address space for a connector. Internal domains are handled through recipient policy.

10.

Close the SMTP Connector properties when finished.

11.

Open the properties for the SmallBusiness SMTP Connector.

12.

Click on the Address Space tab, select the * SMTP space from the list, and click Modify.

13.

Change the cost on the * space to 2 or higher.

14.

Click OK twice to close the SmallBusiness SMTP Connector properties.

Best Practice: Route Outbound Email Through a Smart Host

Even if you can get a static IP address and have no issues delivering email directly to recipients through DNS, your best option for reliable email delivery is to route your mail through a smart host. Some of the more compelling reasons include

  • PerformanceWhen all mail is routed through a smart host, the SBS server does not have to queue up and attempt redelivery of email to sites that do not respond on first request.

  • Blacklist protectionEven with a static IP address, you still run a risk of a site misidentifying you and adding you to a blacklist, preventing you from delivering mail to that site. Routing your mail through a smart host minimizes that risk.

  • Reverse NDR protectionIf you choose not to implement recipient filtering as described previously, you can still avoid performance issues related to a reverse NDR attack. Even if your server gets hit and generates a large number of NDRs, routing outbound mail through your smart host puts the burden of filtering through the bogus NDR messages on the smart host and not on the SBS server. This also reduces the number of messages that would end up in the badmail folder, which reduces the risk of running out of disk space on the server in case of such an attack.

Категории