Written by Paul Cunningham on June 23, 2010
Author: Paul Cunningham (paul@exchangeserverpro.com, http://www.exchangeserverpro.com). Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.
If you have looked at Exchange Server’s anti-spam features or taken a peek at the headers of an email sent through an Exchange server you have probably encountered the term SCL before.
SCL stands for Spam Confidence Level. It is the “score” that Exchange Server anti-spam assigns to an email based on the email’s contents. This score is then used to make decisions as to how to handle suspected spam based on the thresholds that the Exchange administrator configures.
The SCL score is calculated and assigned by the Content Filter Agent, which examines all of the content within an email message to look for patterns that indicate spam. Once the SCL score has been calculated it is added to the message header.
In this snippet of an example message header you can see the SCL score of 7 has been applied.
X-MS-Exchange-Organization-SCL: 7
How the SCL is Used by Exchange Server
The SCL score can then trigger certain actions to take place. The Exchange server can take the following actions based on the SCL:
- Delete – the message is deleted with no notification to the sender or recipient.
- Reject – the message is rejected with a notification to the sender but not the recipient.
- Quarantine – the message is quarantined in a specified mailbox with no notification to the sender or recipient. Typically only email administrators can access the quarantine mailbox.
- Junk – the message is delivered to the recipient’s Junk Email folder.
SCL scores range from 0-9 with 0 meaning not likely to be spam, and 9 meaning very likely to be spam. There is also a -1 score for trusted email messages. A -1 SCL would apply to email messages sent between recipients of the same Exchange organization, or messages from external senders that have been whitelisted in some way.
A separate SCL threshold is configured for each of these actions. It is important to understand that Exchange evaluates the actions in a fixed order, from most to least severe (delete, then reject, then quarantine, then Junk Email folder), so the first threshold that a message's SCL reaches decides what happens to it. Continue reading Understanding the Spam Confidence Level in Exchange Server»
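As an added example (not code from the original post), the following Exchange Management Shell commands set the four thresholds on an Exchange 2007/2010 transport server and then model, offline, how Exchange applies them to a message stamped with the SCL 7 header shown above. The quarantine mailbox address, the bypassed sender domain and the sample header are placeholders constructed for the example.

```powershell
# Added example: configure SCL thresholds on an Exchange 2007/2010 Hub or Edge
# Transport server, then model the evaluation order offline.
# spamquarantine@contoso.com and trusted-partner.example are placeholder values.

# Content Filter agent thresholds. Set them in descending order of severity
# (delete above reject, reject above quarantine), which is the order Exchange
# evaluates them in.
Set-ContentFilterConfig -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
                        -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
                        -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
                        -QuarantineMailbox 'spamquarantine@contoso.com'

# The Junk Email folder threshold is an organization-wide setting
# (per-mailbox overrides exist via Set-Mailbox -SCLJunkThreshold).
Set-OrganizationConfig -SCLJunkThreshold 4

# Senders listed here skip the Content Filter agent entirely.
Set-ContentFilterConfig -BypassedSenderDomains 'trusted-partner.example'

# Verify what is in effect.
Get-ContentFilterConfig | Format-List SCL*Enabled, SCL*Threshold, QuarantineMailbox, BypassedSenderDomains
Get-OrganizationConfig  | Format-List SCLJunkThreshold

# Offline model of how Exchange applies the thresholds to a stamped message.
# Delete, reject and quarantine fire when SCL >= threshold; the Junk Email
# folder action fires when SCL > SCLJunkThreshold (the default of 4 therefore
# junks SCL 5 and above). Actions are checked from most to least severe, so
# the first matching one wins. SCL -1 (trusted) is never filtered.
function Get-SclAction {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(-1, 9)][int] $Scl,
        [int] $DeleteThreshold     = 9,
        [int] $RejectThreshold     = 8,
        [int] $QuarantineThreshold = 7,
        [int] $JunkThreshold       = 4
    )
    if ($Scl -eq -1)                   { return 'Deliver (trusted, SCL -1)' }
    if ($Scl -ge $DeleteThreshold)     { return 'Delete' }
    if ($Scl -ge $RejectThreshold)     { return 'Reject' }
    if ($Scl -ge $QuarantineThreshold) { return 'Quarantine' }
    if ($Scl -gt $JunkThreshold)       { return 'Junk' }
    return 'Deliver'
}

# Read the SCL stamped in a message header (constructed sample) and classify it.
$sampleHeader = @"
Received: from mail.example.net (192.0.2.10) by hub01.contoso.com
X-MS-Exchange-Organization-SCL: 7
Subject: You have won
"@
$scl = [int]([regex]::Match($sampleHeader, 'X-MS-Exchange-Organization-SCL:\s*(-?\d)').Groups[1].Value)
'SCL {0} -> {1}' -f $scl, (Get-SclAction -Scl $scl)    # SCL 7 -> Quarantine

# The boundaries: -1 is delivered untouched, 5 is the first value junked
# with the default threshold of 4, and 8 is rejected before quarantine is considered.
@(-1, 5, 8) | ForEach-Object { 'SCL {0} -> {1}' -f $_, (Get-SclAction -Scl $_) }
```

The asymmetry between "greater than or equal" for the transport actions and "greater than" for the Junk Email folder is the usual cause of confusion when an administrator sets SCLJunkThreshold to 4 and is surprised that SCL 4 messages still reach the inbox.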
Written by Paul Cunningham on May 7, 2010
Anti-spam technology encompasses a lot of different practices, techniques, and systems for detecting and blocking spam emails. Customers sometimes look for a turnkey, push button, set and forget anti-spam solution that will “just work”.
The reality is that not all anti-spam techniques are suitable for all occasions, and often require specific configuration or tuning to suit a given environment. Here are some examples:
Recipient Filtering
This technique makes the assumption that email that is sent to a non-existent address is likely to be a spammer trying a dictionary attack, and should therefore be rejected.
However that assumption does not take into account some valid scenarios, such as:
- Email servers that are accepting email for other organizations and relaying it to them. In these cases the recipient does not exist in the first organization, but does exist in the second organization. The first organization therefore must accept emails even for recipients that are invalid in its own organization. This is quite common for two organizations going through a merger process.
- Companies that want to make use of a “catch all” mailbox to receive misspelled or incorrectly addressed email that might be critical to their business, such as sales and customer service enquiries.
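As an added example (not from the original post), here is how an Exchange 2007/2010 Edge Transport server can run recipient filtering while still honouring the two scenarios above. The domain names, connector name and smart host are placeholders.

```powershell
# Added example: recipient filtering on an Exchange 2007/2010 Edge Transport
# server, with the two exceptions from the post handled explicitly.
# partner.example, mail.partner.example and contoso.com are placeholders.

# Recipient validation rejects RCPT TO for addresses that do not exist in the
# directory (an Edge server needs EdgeSync so that directory data is available).
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# Exception 1: mail for another organization that we relay onward. Recipient
# lookup applies only to authoritative accepted domains, so register the other
# organization's domain as a relay domain rather than an authoritative one;
# recipients in it are then accepted without a directory check.
New-AcceptedDomain -Name 'Partner (relayed)' -DomainName 'partner.example' -DomainType ExternalRelay

# A Send connector routes that domain to the partner's own servers.
New-SendConnector -Name 'To partner.example' -AddressSpaces 'partner.example' `
    -SmartHosts 'mail.partner.example' -DNSRoutingEnabled $false -Usage Custom

# Exception 2: a catch-all mailbox. Exchange 2007/2010 has no native catch-all,
# so the only built-in option is to turn validation off for the whole
# organization and rely on later filtering to absorb dictionary-attack traffic.
# That is the trade-off the post describes; uncomment only if you accept it.
# Set-RecipientFilterConfig -RecipientValidationEnabled $false

# Review the result. BlockedRecipients can still refuse individual addresses
# (for example, a retired alias that only ever receives spam).
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, BlockedRecipients
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
```

Using a relay accepted domain rather than disabling validation keeps the dictionary-attack protection for your own authoritative domains while the merger partner's mail flows through untouched.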
Content Filtering on Specific Keywords
About 10 years ago it was very common to do anti-spam filtering by using a list of specific keywords and phrases. Some organizations try to continue this technique even today, and it can work well, but in some industries it is impractical or impossible to block certain keywords that most people would associate with spam. Continue reading Anti-Spam is Not One Size Fits All»
Written by Paul Cunningham on April 14, 2010
When I meet a new customer to discuss their spam problems I often hear of the same complaint.
“We are getting spam from postmaster addresses and we don’t know why.”
This complaint has a multitude of variations but we tend to label the problem as “postmaster spam”.
Simply put, postmaster spam is any spam email that comes from a postmaster email address, whether it is the postmaster for your own domain or for someone else’s domain.
The postmaster address performs a critical role in email communication, and its presence and use are prescribed in the RFCs for the SMTP protocol (RFC 5321, section 4.5.1, in the current version):
“Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox “postmaster” as a case-insensitive local name.”
…and…
“SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet.”
Who is the Postmaster?
The postmaster address is usually the header From address for system-generated messages such as non-delivery reports, although some email servers allow a different address to be used. Note that a genuine NDR is sent with an empty SMTP envelope sender (MAIL FROM:<>), so postmaster@ appears in the message header, not in the envelope.
But this common usage, combined with the RFC requirements, creates a series of problems. Spammers know that the postmaster@ email address is almost always going to be valid, and email servers often treat email from postmaster@ email addresses as more trusted.
Postmaster Forgeries
One way in which spammers try to exploit this is by forging the sender address of spam to make it appear that it is coming from a postmaster@ address for a well known domain name. This is an effective technique because most email users have received genuine NDRs in the past and have at least some idea that a postmaster@ address is valid and trustworthy. Continue reading How to Prevent Postmaster Spam»
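The following is an added example, not code from the original post: two Exchange 2007/2010 settings that reduce the opportunity for postmaster forgery, followed by a header check built on the fact that a real delivery report travels with a null envelope sender (RFC 5321, section 6.1), which Exchange records as "Return-Path: <>" at delivery. contoso.com is a placeholder for your own domain and the two header samples are constructed for the example.

```powershell
# Added example: Exchange 2007/2010 settings that limit postmaster abuse, plus a
# header check for forged NDRs. contoso.com is a placeholder for your own domain;
# the message headers at the bottom are constructed samples.

# 1. Own a single, monitored postmaster address rather than letting NDRs go out
#    from whatever default the server picks.
Set-TransportConfig -ExternalPostmasterAddress 'postmaster@contoso.com'

# 2. Reject mail whose purported sender domain fails Sender ID. This only bites
#    if an SPF record is published for contoso.com (and for the well-known
#    domains being forged); without SPF data the check cannot fail.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject

# 3. Heuristic for forged bounces: a genuine delivery report is sent with a null
#    envelope sender, which shows up as "Return-Path: <>". A message From
#    postmaster@ that carries a real Return-Path was not generated by a mail
#    system's bounce handler.
function Test-ForgedPostmaster {
    param([Parameter(Mandatory = $true)][string] $RawHeaders)
    $from       = [regex]::Match($RawHeaders, '(?im)^From:\s*(.+)$').Groups[1].Value.Trim()
    $returnPath = [regex]::Match($RawHeaders, '(?im)^Return-Path:\s*(.+)$').Groups[1].Value.Trim()
    if ($from -notmatch '(?i)postmaster@') { return 'Not a postmaster message' }
    if ($returnPath -eq '')                { return 'Undetermined (no Return-Path header; check the envelope at the SMTP edge)' }
    if ($returnPath -eq '<>')              { return 'Plausible NDR (null envelope sender)' }
    return "Forged: postmaster From with non-null Return-Path $returnPath"
}

$genuineNdr = @"
Return-Path: <>
From: postmaster@mail.example.net
Subject: Undeliverable: Meeting notes
Content-Type: multipart/report; report-type=delivery-status
"@

$forgedNdr = @"
Return-Path: <bulk-4711@spammer.example>
From: postmaster@contoso.com
Subject: Undeliverable: Your order
"@

Test-ForgedPostmaster $genuineNdr   # Plausible NDR (null envelope sender)
Test-ForgedPostmaster $forgedNdr    # Forged: postmaster From with non-null Return-Path <bulk-4711@spammer.example>
```

The Return-Path test is deliberately narrow: it catches the lazy forgery (a bulk mailer that cannot send with an empty reverse-path) and says nothing about a forger who does use <>, which is why the Sender ID setting and an SPF record for your own domain are the primary control.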
Written by Paul Cunningham on January 20, 2010
British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.
Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.
The legislation idea has merit, after all the lack of cooperation between government agencies is how many international spam operations manage to go unpunished. The blocking of SMTP on the other hand is impractical and costly to implement, both from a technical and a service perspective.
The basis of the idea is this. Customers send mail using SMTP, therefore by blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.
The solution is problematic though, because many ISP customers, both home users and businesses, have perfectly good reasons not to send their email via their ISP's mail servers. These customers would need to be exempted from the block, and hence could not be closely monitored.
The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP. Secondly, any false positives could have disastrous consequences if important emails were blocked. ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient. Continue reading ISPs Don’t Want to be Spam Cops»
Written by Paul Cunningham on December 2, 2009
Independent security organization Virus Bulletin has called for makers of email security products to collaborate in the fight against spam.
Virus Bulletin conducted a test of 14 anti-spam products using 200,000 emails made up of both spam and legitimate content. They found that combining the verdicts of several products both increased the rate of detection and decreased the likelihood of false positives.
Although the increased detection rate compared to typical rates from popular anti-spam products was only a minor percentage this can account for many thousands of additional spam messages blocked in larger business environments.
Combining multiple email security engines into a single product is not a new concept. Antivirus products have been doing this for several years now, with major antivirus companies licensing their engines as optional plugin components to an email security product. It is not unusual to find email systems protected by 3 to 5 different antivirus engines.
In the fight against spam, collaboration could make significant improvements for businesses. Primarily this would occur in the content filtering engine component of anti-spam products. Different vendors produce different content filtering databases that are more effective against some spam threats than others.
But the collaboration would not work, or would not even be necessary at other levels of an anti-spam system. For example DNS block lists from different providers are already easily plugged in to most email security systems and can be used in combination with each other.
Bayesian filtering would also not benefit from collaboration because of the way it works. What a Bayesian filter learns about one organization’s email patterns would not always translate well to other organizations, so the sharing of this data would be pointless (and potentially a security risk in itself). Continue reading Two Heads Fight Spam Better Than One»
Written by Paul Cunningham on July 22, 2009
Anyone who uses the internet whether for business or for leisure has had first hand experience with spam at some point in time. Spam is a problem that plagues the internet and affects us all in some way. Like most problems the spam problem is a very complex one. There is no single source or cause of spam, which means there is no single solution to the problem. In this post I’ll explain some of the sources and causes of the spam that we see every day.
Botnets and Zombies
Bots or zombies are typically home computers that have been infected with some type of virus or malware, which puts the computer under remote control by a malicious person. A group of these computers is referred to as a botnet, and is used by a spammer to send out millions of emails containing spam, phishing scams, and computer viruses.
Examples of botnets include the Cutwail and Rustock botnets that are responsible for massive spam attacks around the world.
Because botnets are made up of computers located within ISP customer IP ranges, which have no business delivering mail directly to your server, they can often be blocked with connection filtering against a DNS block list that enumerates those ranges, rejecting the SMTP connection before any content is received. When this fails you have to rely on content filtering to detect the spam within the messages themselves.
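As an added example (not from the original post), this is the Exchange 2007/2010 Edge Transport configuration for exactly that connection filter: a DNS block list provider, an allow list for a known partner, a lookup test and a look at the agent log. The Spamhaus ZEN zone is used because it includes residential/dynamic ranges; the provider name, comment and 192.0.2.55 are placeholders.

```powershell
# Added example: connection filtering on an Exchange 2007/2010 Edge Transport
# server using a DNS block list whose zone includes ISP dynamic/residential
# ranges. Provider name and comment are placeholders; 192.0.2.55 is a
# documentation address standing in for a partner's MTA.

# Make sure the Connection Filter agent is running.
Enable-TransportAgent -Identity 'Connection Filtering Agent'

# Add the block list provider. -AnyMatch $true treats every return code from
# the zone as a hit; the rejection text goes back to the sender at RCPT TO.
Add-IPBlockListProvider -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' `
    -AnyMatch $true -Enabled $true `
    -RejectionResponse 'Connection refused: your IP address is listed in zen.spamhaus.org'

# Query the list for mail from the internet, and keep an allow list for known
# senders so that a listing of a partner's IP cannot stop their mail.
Set-IPBlockListProvidersConfig -Enabled $true -ExternalMailEnabled $true
Add-IPAllowListEntry -IPAddress 192.0.2.55 -Comment 'Partner MTA (placeholder)'

# Test the provider. 127.0.0.2 is the conventional test entry that block lists
# always return as listed, so a match proves the DNS lookups work from this server.
Test-IPBlockListProvider -Identity 'Spamhaus ZEN' -IPAddress 127.0.0.2

# Watch the agent's decisions for the last hour. Rejected connections are
# logged with the Connection Filtering agent as the source.
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq 'Connection Filtering Agent' } |
    Select-Object Timestamp, IPAddress, Reason, ReasonData, Action |
    Format-Table -AutoSize
```

Because the decision is taken at connection time, a listed bot costs the server one DNS lookup rather than a full message download and content scan, which is the performance point the post makes about filtering on IP first.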
Open Relays
An open relay is a poorly configured email server that allows anyone to relay messages through it to any destination address. Modern email server software does not permit open relay by default; it usually takes human error to configure a server this way, and there are few genuine reasons to run an open relay, especially one exposed to the internet where spammers can abuse it. Continue reading 7 Major Sources of Spam on the Internet»
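The human error on Exchange 2007/2010 is almost always the ms-Exch-SMTP-Accept-Any-Recipient right granted to anonymous senders on a Receive connector that listens to the whole internet. The following added example (not from the original post) audits every Receive connector for that combination; connector names and IP addresses in the remediation comments are placeholders.

```powershell
# Added example: audit Exchange 2007/2010 Receive connectors for the permission
# that turns a server into an open relay. Run in the Exchange Management Shell.
# Connector names and addresses in the remediation lines are placeholders.

# ms-Exch-SMTP-Accept-Any-Recipient granted to Anonymous Logon is what "relay
# for anyone" means. Granting it to authenticated users is normal and harmless.
$anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'
$everyIp   = '0.0.0.0-255.255.255.255'

Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $connector | Get-ADPermission |
        Where-Object {
            $_.User.ToString() -eq $anonymous -and
            -not $_.Deny -and
            ($_.ExtendedRights | Where-Object { $_ -like '*ms-Exch-SMTP-Accept-Any-Recipient*' })
        } |
        ForEach-Object {
            $ranges = ($connector.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
            New-Object PSObject -Property @{
                Connector      = $connector.Identity.ToString()
                Bindings       = ($connector.Bindings | ForEach-Object { $_.ToString() }) -join ', '
                RemoteIPRanges = $ranges
                Verdict        = $(if ($ranges -like "*$everyIp*") { 'OPEN RELAY' } else { 'Anonymous relay limited to listed IPs' })
            }
        }
} | Format-Table Connector, Verdict, RemoteIPRanges, Bindings -AutoSize

# Remediation: keep anonymous relay only on a dedicated connector bound to the
# specific internal hosts (scanner, application server) that genuinely need it,
# and strip the right from any connector that faces the internet.
# Set-ReceiveConnector -Identity 'HUB01\Application relay' -RemoteIPRanges 10.0.0.20, 10.0.0.21
# Remove-ADPermission -Identity 'HUB01\Default HUB01' -User $anonymous -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'
```

A connector that shows "Anonymous relay limited to listed IPs" is still worth a second look: every host in those ranges can relay anywhere, so a compromised application server on the list is an open relay by proxy.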
Written by Paul Cunningham on December 19, 2008
Exchange Server 2007 anti-spam functionality includes the Content Filter agent which is designed to provide spam detection based on the contents of an email message.
The Content Filter agent is based on the Intelligent Message Filter first introduced in Exchange Server 2003. The Intelligent Message Filter bases its spam detection on a database of email submissions from Microsoft partners that is used as a basis for heuristic scanning of email content. A "spam confidence level" (SCL) rating is then assigned to the email message and used to determine whether to classify the message as spam or not.
The SCL rating is a number from 0 to 9 where the higher the number the more likely the email message is spam.

The Content Filter agent assesses the content of email messages after the Connection Filter agent has initially determined whether the sending host should be blocked entirely or not. The order of priority improves Exchange server performance by removing the most obvious spam based on the sending IP address before the more resource intensive content filtering takes place. Continue reading How to protect Exchange Server 2007 with Content Filtering»