Troubleshooting Exchange’s Built-In Anti-Spam Technologies: Pt. 7 Sender Reputation
Written by Casper Manes on September 10, 2012
One of the more involved, and also more internal, ways that Microsoft Exchange 2010 helps to combat spam is Sender Reputation filtering. No, Exchange servers don’t meet up in some secret chat room to gossip about other MTAs, but each transport server does keep a database of information on the senders that connect to it, and as more and more email is received from a particular sender, Exchange gets very good at figuring out whether that sender is legitimate or is just another low-down dirty spammer whose messages should be routed straight to the bit bucket. Here’s more information on how you can work with Sender Reputation filtering, and how to troubleshoot it if you think there is a problem.
How it works
Sender Reputation filtering runs on Edge Transport servers (and on Hub Transport servers where the anti-spam agents have been installed). It is implemented by the Protocol Analysis agent, which maintains a local database of senders, an ESE database under the transport role’s data directory rather than anything in Active Directory, where each system that sends email to your Exchange org has an entry. Each entry carries a sender reputation level (SRL) from 0 to 9, where 0 means it is extremely unlikely that the sender is a spammer and 9 means the sender is almost certainly spamming. Senders start at 0 and work their way up to higher values in a variety of ways, including…
- Open proxy test: Sender Reputation tries to connect back through the sending IP using common proxy protocols; if it can relay a message back to itself that way, the sender is an open proxy and the score goes up.
- Analysis of the HELO or EHLO: if the HELO/EHLO looks suspicious (for example, it is a bare IP address, it names your own domain, or it changes from connection to connection), the score goes up.
- Reverse DNS lookup: if the reverse DNS of the connecting IP doesn’t line up with the domain given in the HELO/EHLO, the score goes up as well.
- SCL ratings from earlier agents: if the Content Filter agent keeps stamping this sender’s messages with a high SCL, the score goes up again.
Senders are analyzed over time. When a sender’s SRL climbs past the block threshold (7 by default), Sender Reputation filtering adds the sender’s IP address to the IP Block List, where the Connection Filtering agent rejects it at connection time. Those entries age out after the blocking period (24 hours by default), so this is not a permanent block, but it is very effective at stopping repeat offenders from delivering mail to your system.
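Before changing anything, it is worth seeing what Sender Reputation has actually done on the server. The following EMS snippet is an added example, not code from the original article: it dumps the thresholds that decide when an IP is blocked, lists the IP Block List entries the agent added on its own (as opposed to entries an administrator typed in), checks whether one particular IP is among them, and then pulls the agent log for that IP so you can see which agent acted and why. The address 192.0.2.10 is a constructed, non-routable example; the IsMachineGenerated, IPRange and ExpirationTime property names are those shown by Get-IPBlockListEntry | fl on Exchange 2010, so if your output differs, adjust the filter to the names you see. Get-AgentLog only returns data if agent logging is enabled on the transport server (it is by default on an Edge Transport server).

```powershell
# Added example (not from the original article): what has Sender Reputation done here?
# Assumes the Exchange 2010 Management Shell on an Edge Transport server or a Hub
# Transport server with the anti-spam agents installed.
$SenderIp = "192.0.2.10"   # constructed example address, replace with the sender you are investigating
$Hours    = 24             # how far back to read the agent log

# 1. The settings that decide when an IP gets blocked and for how long
Get-SenderReputationConfig | Format-List Enabled, ExternalMailEnabled, InternalMailEnabled,
    OpenProxyDetectionEnabled, SenderBlockingEnabled, SenderBlockingPeriod, SrlBlockThreshold

# 2. Entries Sender Reputation placed on the IP Block List itself.
#    Hand-entered entries have IsMachineGenerated = $false and are not its doing.
$auto = Get-IPBlockListEntry | Where-Object { $_.IsMachineGenerated }
$auto | Sort-Object ExpirationTime |
    Format-Table Identity, IPRange, ExpirationTime -AutoSize

# 3. Is the IP you care about currently blocked by the agent, and until when?
$hit = $auto | Where-Object { "$($_.IPRange)" -match [regex]::Escape($SenderIp) }
if ($hit) {
    "{0} is blocked by Sender Reputation until {1} (block list entry {2})" -f `
        $SenderIp, $hit.ExpirationTime, $hit.Identity
} else {
    "$SenderIp is not on the machine-generated part of the IP Block List"
}

# 4. What the anti-spam agents logged for that IP: the Agent column tells you which
#    agent acted, Action/Reason tell you what it did and why.
Get-AgentLog -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) |
    Where-Object { $_.IPAddress -eq $SenderIp } |
    Sort-Object Timestamp |
    Format-Table Timestamp, Agent, Action, Reason, ReasonData -AutoSize
```

If step 3 says the sender is blocked but step 4 shows the Content Filter agent stamping its mail with a high SCL every time, the block is a symptom of content filtering rather than a Sender Reputation problem, and that is where to look first.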
Enabling or disabling Sender Reputation filtering
Sender Reputation filtering is enabled by default, but only for email from external sources. Unless you change something, it will not look at internal email. You can enable or disable Sender Reputation filtering as a whole with the command
Set-SenderReputationConfig -Enabled $true|$false
and turn it on or off for external and internal mail separately in much the same way, using
Set-SenderReputationConfig -ExternalMailEnabled $true|$false
Set-SenderReputationConfig -InternalMailEnabled $true|$false
Managing your configuration
You can manage many of the settings in the Exchange Management Console, but as with most things Exchange, the real power comes in the Exchange Management Shell. Open the EMS and run this command to get a full listing of the Sender Reputation configuration settings.
Get-SenderReputationConfig | fl
You will see whether or not Sender Reputation filtering is enabled, the block threshold and blocking period, the open proxy detection and proxy server settings, the time intervals, and more about how Sender Reputation is configured. Each of those values is something you can change with Set-SenderReputationConfig -ParameterName value, using the property name from the listing as the parameter name.
What if the database corrupts?
The Sender Reputation database is an ESE (Jet) database and can be repaired with ESEUTIL just like any other Exchange database. If you see errors in your Application log including event IDs 454 and/or 17003 and mentioning the Sender Reputation database, you can take the easy way out, or you can work on a repair of the database. The easy way is to stop the Microsoft Exchange Transport service, remove (or better, move aside) all the files in “C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\SenderReputation”, and start the service again. It will rebuild a blank Sender Reputation database and life will be good. This may seem extreme, but the database is not meant to hold lifetime information, only data from the past few days, as information ages out; the cost is that the server has to learn the reputation of its regular senders again. Otherwise, you can run an integrity check, and then either a recovery or a repair, on the EDB file in that directory. See this excellent article (it’s an oldie, but a goodie) http://blogs.technet.com/b/exchange/archive/2004/06/18/159413.aspx on how to repair an Exchange database with ESEUTIL.
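Here is the “easy way” as an added EMS script, not code from the original article, done so that nothing is lost: it stops the transport service so the ESE files are closed, moves the whole SenderReputation directory aside under a timestamped name instead of deleting it (so the EDB and logs are still there for ESEUTIL if anyone wants to analyse them), starts the service so it creates a fresh database, and then confirms that new files appeared and that no further errors mentioning Sender Reputation, or carrying the event IDs the text names, have been logged since the restart. It assumes Exchange 2010 on a server where the ExchangeInstallPath environment variable is set, and falls back to the default install path from the text otherwise; MSExchangeTransport is the service name of the Microsoft Exchange Transport service.

```powershell
# Added example (not from the original article): reset the Sender Reputation database safely.
# Run from an elevated Exchange 2010 Management Shell on the affected transport server.
$installPath = $env:ExchangeInstallPath
if (-not $installPath) { $installPath = "C:\Program Files\Microsoft\Exchange Server\V14\" }  # default path, assumed
$dataDir   = Join-Path $installPath "TransportRoles\data\SenderReputation"
$backupDir = "$dataDir.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
$restartAt = Get-Date

# 1. Stop transport so the ESE database and its log files are closed cleanly
Stop-Service -Name MSExchangeTransport -Force
(Get-Service -Name MSExchangeTransport).WaitForStatus('Stopped', (New-TimeSpan -Minutes 2))

# 2. Move the directory aside rather than deleting it; the copy stays available for
#    eseutil /mh, /r or /p if you later want to know what went wrong.
if (Test-Path $dataDir) { Move-Item -Path $dataDir -Destination $backupDir }
New-Item -ItemType Directory -Path $dataDir | Out-Null
"Old Sender Reputation database moved to $backupDir"

# 3. Start transport; it recreates an empty Sender Reputation database on startup
Start-Service -Name MSExchangeTransport
(Get-Service -Name MSExchangeTransport).WaitForStatus('Running', (New-TimeSpan -Minutes 2))

# 4. Confirm the rebuild: fresh files in the directory, and no new Application log errors
#    about this database (by message text or by the event IDs the text mentions) since restart
Get-ChildItem -Path $dataDir | Format-Table Name, Length, LastWriteTime -AutoSize
$errors = Get-EventLog -LogName Application -EntryType Error -After $restartAt |
    Where-Object { $_.Message -match 'SenderReputation' -or (@(454, 17003) -contains $_.EventID) }
if ($errors) {
    $errors | Format-Table TimeGenerated, Source, EventID -AutoSize
} else {
    "No Sender Reputation database errors logged since $restartAt"
}
```

Give the service a few minutes of real traffic and run the event log check again; a database that is corrupted by disk problems rather than by a one-off crash will come back with the same errors, and then the moved-aside copy plus ESEUTIL is the next stop.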
Adjusting the sensitivity
If Sender Reputation filtering is blocking messages you would rather permit, raise the block threshold so that a sender needs a higher score before it is blocked. Remember the scale is from 0 to 9, and the default SRL block threshold is 7. You can adjust that property in the EMS using
Set-SenderReputationConfig -SrlBlockThreshold 9
or any other value you want. Lower is more sensitive and will block more senders; higher lets more through. Raising the threshold does not clear IP addresses that are already on the IP Block List; those entries stay until they expire or you remove them.
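Raising the threshold only affects future scoring, so a legitimate sender that has already been blocked still has to wait out its entry. The script below is an added example, not code from the original article: it records the current settings, raises the block threshold and shortens the blocking period (SenderBlockingPeriod is in hours, 0 to 48) so that a bad score hurts a real sender for less time, and then releases one specific sender by removing only the machine-generated block list entries for its IP, leaving any hand-entered blocks alone. The IP 192.0.2.10 and the new values 8 and 8 are assumptions for illustration.

```powershell
# Added example (not from the original article): loosen Sender Reputation for a
# false-positive case and release a sender that is already blocked.
# Assumes the Exchange 2010 Management Shell on the transport server doing the blocking.
$SenderIp     = "192.0.2.10"   # constructed example; the legitimate sender being blocked
$NewThreshold = 8              # SRL (0-9) a sender must reach before it is blocked; default 7
$NewPeriodHrs = 8              # hours a machine-generated block lasts; default 24

$before = Get-SenderReputationConfig
"Before: SrlBlockThreshold={0}  SenderBlockingPeriod={1}h" -f $before.SrlBlockThreshold, $before.SenderBlockingPeriod

# 1. Make the agent less trigger-happy going forward
Set-SenderReputationConfig -SrlBlockThreshold $NewThreshold -SenderBlockingPeriod $NewPeriodHrs

# 2. The new threshold does not touch entries already on the IP Block List. Remove the
#    machine-generated ones for this sender explicitly; entries an admin added by hand
#    (IsMachineGenerated = $false) are deliberately left in place.
$entries = Get-IPBlockListEntry | Where-Object {
    $_.IsMachineGenerated -and ("$($_.IPRange)" -match [regex]::Escape($SenderIp))
}
if (-not $entries) {
    "No machine-generated block for $SenderIp; if mail is still rejected, check the other agents"
}
foreach ($e in $entries) {
    "Removing block list entry {0} for {1} (was due to expire {2})" -f $e.Identity, $e.IPRange, $e.ExpirationTime
    Remove-IPBlockListEntry -Identity $e.Identity -Confirm:$false
}

# 3. Show what is now in effect
Get-SenderReputationConfig | Format-List SrlBlockThreshold, SenderBlockingPeriod
```

Treat the threshold change as a tuning knob rather than a fix: if the same sender keeps getting blocked after it is released, the interesting question is which of the four inputs (open proxy test, HELO/EHLO, reverse DNS, SCL) is pushing its score up, and the agent log for that IP will tell you.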
Now that you have a better understanding of how Sender Reputation filtering works and how to tweak it, you are in a much better position to troubleshoot issues.