Exchange 2003 SPAM filters

Even though Exchange 2007 has been released for a while, I thought it would be worthwhile spending a moment on Exchange 2003 spam features, especially due to the large number of Small Business Server users still on SBS 2003 with Exchange 2003.

With the advent of Service Pack 2 for Exchange 2003, a number of anti-spam features became available. These include:

  • Connection filtering including Allow/Deny IP lists with Real-time block lists
  • Sender Filtering
  • Recipient Filtering
  • Sender ID filtering
  • Intelligent Message Filter including Anti-phishing

These features can be enabled globally and controlled per virtual SMTP server. Furthermore, since Exchange supports multiple virtual SMTP servers on a single Exchange server, a great deal of granularity and control became available. Messages could be split between incoming and outgoing SMTP stacks, even if only one physical Exchange server was present.

As with most spam strategies, a combined approach is needed in order to combat spam. A number of these features are incredibly useful, such as:

Connection Filtering, coupled with Real-time block lists, covers the well-known spam networks and hosts.

Recipient Filtering does not accept email for invalid recipients, greatly reducing the load on an Exchange Server. However, this does increase the risk of a directory harvesting attack. Spammers may use dictionaries to generate inbound emails, using NDRs as a validation mechanism to learn which email addresses are valid and which are not. Recipient Filtering coupled with Tar Pitting (Microsoft KB article 842851) prevents a number of attacks, including NDR flood attacks, and lessens the effectiveness of a directory harvesting attack. NDRs are greatly delayed, since Tar Pitting delays the reply to an SMTP conversation that results in a 5.x.x error.
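To spot the directory harvesting pattern described above in your own logs, here is an added detection sketch (not code from the original post or from Microsoft). It assumes a simplified, constructed log layout rather than Exchange's actual SMTP log format, and the window and thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, simplified layout: "<time> <client-ip> <RCPT address> <reply code>".
SAMPLE_LOG = """\
2008-03-01T10:00:01 203.0.113.7 aaron@example.com 550
2008-03-01T10:00:02 203.0.113.7 abby@example.com 550
2008-03-01T10:00:03 203.0.113.7 adam@example.com 250
2008-03-01T10:00:04 203.0.113.7 adrian@example.com 550
2008-03-01T10:00:05 203.0.113.7 agnes@example.com 550
2008-03-01T10:00:06 203.0.113.7 alan@example.com 550
2008-03-01T10:00:07 203.0.113.7 albert@example.com 550
2008-03-01T10:01:00 198.51.100.20 adam@example.com 250
2008-03-01T10:02:00 198.51.100.20 adma@example.com 550
2008-03-01T10:03:00 198.51.100.20 sales@example.com 250
2008-03-01T10:04:00 198.51.100.20 adam@example.com 250
"""

def parse(log_text):
    """Yield (time, ip, recipient, code); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), int(parts[3])
        except ValueError:
            continue

def harvest_suspects(log_text, window=timedelta(minutes=5), min_rejects=5, min_ratio=0.8):
    """Map client IP -> peak count of distinct rejected recipients in one window."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt, code in parse(log_text):
        by_ip[ip].append((ts, rcpt, code))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            tried = {rcpt for _, rcpt, _ in span}
            rejected = {rcpt for _, rcpt, code in span if 500 <= code <= 599}
            if len(rejected) >= min_rejects and len(rejected) / len(tried) >= min_ratio:
                suspects[ip] = max(suspects.get(ip, 0), len(rejected))
    return suspects

if __name__ == "__main__":
    print(harvest_suspects(SAMPLE_LOG))
```

A host flagged this way is a candidate for the Connection Filtering deny list; the single mistyped address from the second host stays below both thresholds.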

Intelligent Message Filters are updated regularly and offer intelligent protection by examining email headers, words and other data in the mail to make a classification decision. Based on the classification, email is stamped and deleted, rejected, archived or forwarded to the user. The user may find the mail in their inbox or spam folder based on the classification it carries.

The good news is that this technology is available in every version of Exchange 2003: Standard, Enterprise and SBS. Most businesses on a budget will benefit directly from these features.

The bad news is that as good as it is, it may not be enough.

Due to the very nature of spam and spam protection, spamming techniques are changing and constantly evolving. A number of years ago Real-Time Block Lists were sufficient protection. In my opinion, Exchange should not be exposed directly to the internet and should be protected by another vendor’s solution in order to add another tier and therefore another level of complexity protecting against SPAM attacks. A multi-tiered anti-spam approach is required in order to gain a level of protection acceptable to any size organization.


One Response to “Exchange 2003 SPAM filters”

  1. How to protect Exchange Server 2007 with Content Filtering Says:

    [...] Connection Filter agent is based on the Intelligent Message Filter first introduced in Exchange Server 2003.  The Intelligent Message Filter bases its spam detection on a database of email submissions from [...]
