Exchange 2010 Safelist Aggregation ‘Crowdsources’ Anti-spam Efforts
Written by Casper Manes on January 16, 2012
You know that Exchange 2010 has its own anti-spam functionality, and you also know that users can set up their own safe and blocked sender and domain lists in Outlook 2007 and 2010, but did you know the two work together? Just like you can get chocolate in my peanut butter/I can get peanut butter in your chocolate, Exchange 2010 uses these two great things to provide more effective anti-spam measures at your edge. Safelist Aggregation uses data from users’ Safe Recipients Lists, Safe Senders Lists, Blocked Senders Lists, and contacts to create a kind of metadirectory of good and bad addresses, which makes the Edge Transport Server’s anti-spam functionality more effective and also helps reduce the incidence of false positives.
When a user flags an email address as either safe or blocked, it adds a hash value to the appropriate attribute in their Active Directory account under one of these three attributes:
Each can contain up to 1024 entries per user account by default. One-way hashing is used both to conserve space and to prevent malicious users from viewing or extracting usable data from the lists should they gain access to the Edge Transport Server or to data from Active Directory.
Exchange 2010 uses Safelist Aggregation by default. The Junk E-mail Options mailbox assistant runs in the background, scraping user accounts for updates to the attributes that store hashes, aggregating the lists, and storing the data in the application partition of Active Directory. Edge Transport servers obtain this information through the EdgeSync process, and use it to compare the source address of incoming email to the list by comparing hashes.
Updates to users’ information will automatically propagate to Active Directory, but you can force that process using the PowerShell cmdlet Update-SafeList. If a user adds an address that you want to push through quickly to help protect all users, you can update Active Directory and then trigger an EdgeSync. For example, run:
Update-SafeList -Identity email@example.com -Type SafeSenders
Then run Start-EdgeSynchronization.
If a user needs more than the 1024 entries, you can use the Exchange Management Shell to set different values. Use the Set-Mailbox command with the parameters -MaxBlockedSenders and -MaxSafeSenders to set values appropriate to your situation.
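The forced update and the limit change described above can be combined into one pass. The following is an added example, not code from the original article. It assumes the Exchange Management Shell on a Hub Transport server; the mailbox address and the $Headroom value are placeholders, and an unset limit is treated as the 1024 default stated above.

```powershell
# Added example. $Identity and $Headroom are hypothetical values for illustration.
$Identity     = 'user@example.com'  # placeholder mailbox
$Headroom     = 256                 # assumed spare capacity to add when raising a limit
$DefaultLimit = 1024                # default per-list limit stated in the article

$mbx  = Get-Mailbox -Identity $Identity -ErrorAction Stop
$junk = Get-MailboxJunkEmailConfiguration -Identity $Identity -ErrorAction Stop

# Count the entries the user has collected in Outlook.
$safeCount    = @($junk.TrustedSendersAndDomains).Count
$blockedCount = @($junk.BlockedSendersAndDomains).Count

# An unset limit comes back empty; fall back to the default in that case.
$safeLimit    = if ($mbx.MaxSafeSenders)    { $mbx.MaxSafeSenders }    else { $DefaultLimit }
$blockedLimit = if ($mbx.MaxBlockedSenders) { $mbx.MaxBlockedSenders } else { $DefaultLimit }

# Raise a limit only when the list has reached it, so other mailboxes keep the default.
if ($safeCount -ge $safeLimit) {
    Set-Mailbox -Identity $Identity -MaxSafeSenders ($safeCount + $Headroom)
}
if ($blockedCount -ge $blockedLimit) {
    Set-Mailbox -Identity $Identity -MaxBlockedSenders ($blockedCount + $Headroom)
}

# Write the hashed safe senders list to the user's Active Directory object,
# then push the change to the Edge Transport servers without waiting for the schedule.
Update-SafeList -Identity $Identity -Type SafeSenders
Start-EdgeSynchronization

# Summary for the change record.
New-Object PSObject -Property @{
    Mailbox        = $Identity
    SafeEntries    = $safeCount
    SafeLimit      = $safeLimit
    BlockedEntries = $blockedCount
    BlockedLimit   = $blockedLimit
}
```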
With Safelist Aggregation, Exchange 2010 uses the power of crowdsourcing to “learn” which senders are good and which are bad, by using the decisions of your users to update its own Edge Transport Server lists. This is just another behind-the-scenes technology that makes Exchange 2010 such a powerful enterprise email solution.