Wednesday, April 09, 2008

Message hygiene in Exchange 2003 & Exchange 2007

Message hygiene is nothing more than a fancy expression that Microsoft uses for the techniques that defend your Exchange environment against spam, viruses and other e-mail attacks.

Below is a short overview of the various components that are natively available to you for the job of hardening your Exchange 2003 system:

- Connection filtering: Filters inbound messages by comparing their IP address against a block list provided by a third-party real-time block list service. You can also enter your own set of accepted/restricted IP addresses at a global level.
- Sender filtering: Blocks mail from the senders on the sender filter list. By default, SMTP connections created by senders on this list are dropped.
- Recipient filtering: Allows you to set global restrictions on mail to specific recipients.
These filtering options are configured under the Global Settings of your Exchange organization, in the Message Delivery properties.

Restricted Distribution Lists
As you are aware, your organization probably has DLs that contain all contacts, or at least one DL per department.
By default, all users can send e-mail to these DLs. That's not just dangerous from an internal user point of view (a typing/clicking mistake is quickly made), but of course, hackers love this even more ...
You can restrict access to these DLs based on user IDs. To do this, open the AD Users & Computers snap-in, browse to the DL and, in its properties, specify the "Message Restrictions".

Intelligent Message Filtering (IMF)
Based on the characteristics of millions of messages, Intelligent Message Filter can accurately assess the probability that an incoming e-mail message is either a legitimate message or UCE (Unsolicited Commercial Email).
Based on the probability that the message is UCE, IMF rates it with a property called the spam confidence level (SCL).
You can specify 2 thresholds on the SCL, the gateway threshold and the mailbox threshold, that determine what is done with the incoming e-mail. If the e-mail has a rating equal to or greater than the gateway threshold, your specified action is taken.
If the rating is lower than the mailbox threshold, the mail is delivered to the inbox; if the rating is greater, it is delivered to the junk mail folder.

Exchange 2003 has no built-in protection against viruses, but it does provide an anti-virus framework that is used by third-party companies such as McAfee, TrendMicro, Kaspersky, ...

Address Spoofing Protection
By default, Exchange 2003 preserves the original SMTP message submission method and does not resolve the sender's address if the SMTP submission is anonymous. If the original message was submitted without authentication, Exchange 2003 marks the message as unauthenticated. In this case, the sender's address is not resolved to the GAL display name (in the From line); instead, it is displayed to the recipient in its SMTP format (for example, whatever@duh.euh).
Another mechanism you can use is to configure your SMTP virtual server to perform a reverse DNS lookup on incoming e-mail messages, verifying that the IP address and fully qualified domain name (FQDN) of the sender's mail server correspond to the domain name listed in the message.
However, consider the following limitations to reverse DNS lookups:
- The sender's IP address may not be in the reverse DNS lookup record, or the sending server may have multiple names for the same IP, not all of which may be available from the reverse DNS lookup record.
- Reverse DNS lookups place an additional load on the Exchange server.
- Reverse DNS lookups require that the Exchange server is able to contact the reverse lookup zones for the sending domain.
- Performing reverse DNS lookups on each message can result in a substantial decrease in performance due to increased latency.
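
The check and its failure modes can be sketched as follows. This is an added example, not Exchange code or code from the original post: it generalizes the lookup to a forward-confirmed reverse DNS check, and check_sender, the resolver hooks and the sample DNS data are all assumptions made for illustration.

```python
import socket

def default_ptr(ip):
    """Return every PTR name for ip, or [] when no reverse record exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def default_a(name):
    """Return the IPv4 addresses for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def check_sender(ip, claimed_domain, ptr=default_ptr, a=default_a):
    """Classify a connecting server as match, mismatch, no_ptr or unconfirmed."""
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no_ptr"        # limitation: the IP has no reverse record
    # Keep only PTR names that resolve back to the connecting IP.
    confirmed = [n for n in names if ip in a(n)]
    if not confirmed:
        return "unconfirmed"   # the PTR name points somewhere else
    domain = claimed_domain.lower()
    if any(n == domain or n.endswith("." + domain) for n in confirmed):
        return "match"
    return "mismatch"          # may still be legitimate, e.g. an ISP-named relay

# Constructed sample DNS data (documentation address ranges), not real hosts.
PTR = {"192.0.2.10": ["mail.example.com"],
       "192.0.2.20": ["host20.isp.example.net"],
       "192.0.2.30": ["mail.example.org"]}
A = {"mail.example.com": ["192.0.2.10"],
     "host20.isp.example.net": ["192.0.2.20"],
     "mail.example.org": ["198.51.100.7"]}

def sample_ptr(ip):
    return PTR.get(ip, [])

def sample_a(name):
    return A.get(name, [])
```

The "mismatch" and "no_ptr" results correspond to the first limitation in the list above: a legitimate server can fail the check simply because its reverse record is missing or carries a different name.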

Tar pitting
SMTP tar pitting is the practice of artificially delaying server responses for certain SMTP communication patterns. It is used to help fight spam attacks such as the Directory Harvest Attack (DHA).
If a hacker guesses all the possible recipients in a domain, he will receive a bunch of "550 User unknown" replies for the non-existent addresses, so he knows the other addresses are valid. A DHA covering 4 characters can be done in 20 minutes; if you delay the SMTP replies by 5 seconds, it will take several months!
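
The pattern a tar pit reacts to can be shown over a few log lines. This is an added example, not Exchange's implementation or code from the original post: the log format (timestamp, client IP, recipient, SMTP status), the threshold and the window are assumptions, and only the 5-second delay comes from the text.

```python
from collections import defaultdict, deque

TARPIT_DELAY = 5   # seconds, the delay used in the text
THRESHOLD = 3      # assumed: "550" replies tolerated per client per window
WINDOW = 60        # assumed: sliding window in seconds

def tarpit_decisions(lines, threshold=THRESHOLD, window=WINDOW,
                     delay=TARPIT_DELAY):
    """Return (client_ip, recipient, status, delay_seconds) per RCPT reply."""
    recent = defaultdict(deque)   # client IP -> timestamps of recent 550s
    out = []
    for line in lines:
        ts, ip, rcpt, status = line.split()
        ts = int(ts)
        q = recent[ip]
        while q and ts - q[0] > window:   # forget rejections outside the window
            q.popleft()
        if status == "550":
            q.append(ts)
        # Once a client looks like a harvester, every reply to it is delayed,
        # including the "250" replies that would confirm a valid address.
        out.append((ip, rcpt, status, delay if len(q) >= threshold else 0))
    return out

def flagged_clients(lines, **kw):
    """Return the sorted client IPs that received at least one delayed reply."""
    return sorted({ip for ip, _, _, d in tarpit_decisions(lines, **kw) if d})

# Constructed sample log (documentation addresses), not real traffic.
LOG = """\
100 198.51.100.5 aaaa@example.com 550
101 198.51.100.5 aaab@example.com 550
102 203.0.113.9 alice@example.com 250
103 198.51.100.5 aaac@example.com 550
104 198.51.100.5 aaad@example.com 250
105 203.0.113.9 bobb@example.com 550
""".splitlines()
```

A sender with a single mistyped address (203.0.113.9 in the sample) is never delayed, which keeps the cost of the tar pit on the harvesting client.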

With Exchange 2007, these roles have been moved to an "Edge Transport Server". This Exchange 2007 server role cannot be combined with other roles and should be installed on a server that is not part of your domain and resides in your DMZ. This way of doing things is obviously much better, since spam and viruses won't be entering your network at any point.

Combine this with Forefront Security for Exchange 2007 for anti-virus and anti-spam, and your users will complain a lot less about spam and you will have to worry less about viruses entering your network.

Of course, the threat will always remain; hackers will always find a way ...

1 comment:

Anonymous said...

Excellent. Please write topics on Exchange