Part 1 of a Series exploring How to Deploy a Spam Filter on Exchange
Spam, any unwanted email, has been an increasing problem for business. Not only is it a nuisance, it can often be downright dangerous for your business, carrying viruses and other malware. Various spam filters exist; however, choosing the best option for your company can get complicated. Do you use a separate server to act as a mail relay, a third party program, or integrate the filter into your firewall or your mail server? And what kind of filter should you use: a white or blacklist, a keyword list, a header checker, an algorithm or an IMF (an intelligent program provided by Microsoft)?
Placement
An obvious choice is to filter spam before it enters your server since this saves CPU and database size. Unfortunately, doing so can mean putting up with false positive emails (desired mail that gets filtered out) and dealing with clients' and/or employees' desperate calls to tech support. Addressing false positives can take IT time to respond to the client or employee, or time training employees to access quarantined email. While in large corporations, the allocation of resources to resolve such problems may be commonplace, small- and medium-sized firms may not be able to afford such solutions.
Another option is to use your Exchange server to filter spam. This could involve setting up spam folders separate from the Outlook Inbox, which could be consulted by employees for any wanted email. By creating a policy in the Exchange System Manager to delete all spam older than seven days (or more), you can reduce crowding in the mailboxes.
As well as deciding placement of the spam filter, you will have to choose the type of filter which best suits your needs.
Whitelist
A list of valid senders, a whitelist can be created manually or automatically. Whitelists do decrease the number of false positives and thus the load on your CPU. However, if you create a list of “safe” senders based on internal users, a virus could potentially spread malware throughout the system. If you do choose to use a whitelist, you must make sure that your anti-virus solution is kept strictly up-to-date.
Blacklist
Another alternative is to use a blacklist of known spammers. Blacklist servers host publicly available databases of known spammers and are generally free. However, their efficacy is only good as long as the lists are kept up-to-date, a difficult thing to do these days.
Header Checks
You can also check email headers which contain information about the email and its origins. You can see this information by opening Outlook and choosing Options. The history of the email delivery path is listed under “Internet Headers”. Headers can show some common characteristics of spam, e.g. if the email doesn’t originate from the server responsible for the sender’s domain, or if the email contains remote images, i.e. images not contained within the email. Creating a simple rule such as counting the number of digits in a sender’s email address can filter out a lot of unwanted mail. People often include a year (4 digits) in their address but spammers frequently use more digits because they must constantly change their address to avoid simple spam filters (like those based solely on blacklists).
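The three header checks described above can be run together over a raw message. The following is an added example, not code from the original article or from any Exchange component; the sample message, the rule names, the threshold of four digits and the use of the oldest Received header as a rough stand-in for "the server responsible for the sender's domain" are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MAX_DIGITS = 4  # assumed threshold: a 4-digit year is normal, more is a spam hint

# Constructed sample message (documentation-range addresses), not real traffic.
SAMPLE = """\
Received: from mail.bulk-sender.example (mail.bulk-sender.example [203.0.113.7])
\tby mx.corp.example; Mon, 1 Jan 2024 10:00:00 +0000
From: "Offers" <deals8837261@shop.example>
To: user@corp.example
Subject: Hello
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://203.0.113.7/t.gif"><p>Hi</p></body></html>
"""

def header_findings(raw):
    """Return the list of spam hints found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Rule 1: count digits in the sender address.
    _, addr = parseaddr(msg.get("From", ""))
    if sum(ch.isdigit() for ch in addr) > MAX_DIGITS:
        findings.append("too-many-digits")

    # Rule 2: the oldest Received header (the last one) names the host that
    # first handed the mail over; compare it with the sender's domain.
    domain = addr.rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    match = re.match(r"\s*from\s+([^\s(;]+)", received[-1], re.I) if received else None
    if match and domain:
        host = match.group(1).lower()
        if host != domain and not host.endswith("." + domain):
            findings.append("origin-mismatch")

    # Rule 3: an HTML part that pulls images from a remote server.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if re.search(r"<img\b[^>]*\bsrc\s*=\s*[\"']?https?://", html, re.I):
                findings.append("remote-image")
                break
    return findings
```

Each finding is a hint rather than a verdict: legitimate newsletters also load remote images and are often sent through a third-party relay, so a filter would normally score these findings instead of rejecting on any single one.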
Keyword list
While verifying a list of keywords can be effective, spammers have become increasingly clever at finding ways to avoid these filters, e.g. by replacing the letter o with the number 0 or misspelling words. Nonetheless, when filtering spam in languages other than English, keyword lists can provide better spam control.
If your spam program has a built-in keyword list, go over the list to be sure there are no keywords relevant to your business. For example, you should remove the word “drugs” if your business deals with pharmaceuticals.
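The sketch below shows both points from this section: a plain keyword match misses a word written with 0 in place of o, and a keyword that is normal vocabulary for your business has to be taken off the list. It is an added example, not part of the original article or of any spam product; the keyword list, the function names and the substitution pairs other than o/0 are assumptions.

```python
import re

# Constructed keyword list; a real product ships its own.
KEYWORDS = {"lottery", "casino", "drugs"}

# Digit-for-letter swaps to undo before matching. The article names o -> 0;
# the other pairs are assumed additions of the same kind.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e"})

def naive_hits(text):
    """Match keywords against the text exactly as written."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return sorted(KEYWORDS & words)

def keyword_hits(text, business_terms=()):
    """Match after undoing look-alike digits, skipping business vocabulary."""
    active = KEYWORDS - {term.lower() for term in business_terms}
    normalized = text.lower().translate(LOOKALIKES)
    words = set(re.findall(r"[a-z]+", normalized))
    return sorted(active & words)
```

Normalization is applied only to the copy used for matching, because rewriting digits would corrupt real numbers in the message. Misspelled keywords still get through this check.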
Algorithms
More complicated methods of filtering involve statistical algorithms which analyze and compare incoming and outgoing email against a database of known spammers. These algorithms need a list of valid email traffic (HAM) to create the database, which is then compared against known spam characteristics found in unwanted bulk email to determine whether the email is desirable. Of special use is the Bayesian filter (now a catch-all phrase for the use of statistical analysis to determine whether an email is spam). This filter uses the number of times an event has or has not occurred to estimate the probability that it will occur in the future.
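A small naive Bayes classifier shows how such a filter turns counts from known ham and known spam into a probability for a new message. This is an added example, not code from the original article or from any Exchange filter; the training messages, class name and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training mail, standing in for a site's own ham and spam corpus.
HAM = ["meeting agenda for monday",
       "invoice for the quarterly report attached",
       "lunch on monday with the project team"]
SPAM = ["win a free prize now",
        "free offer click now",
        "claim your free prize click here"]

def tokens(text):
    return set(re.findall(r"[a-z0-9']+", text.lower()))

class BayesFilter:
    def __init__(self):
        self.seen = {"spam": Counter(), "ham": Counter()}  # messages containing a token
        self.docs = {"spam": 0, "ham": 0}                  # messages per class

    def train(self, label, text):
        self.docs[label] += 1
        self.seen[label].update(tokens(text))

    def spam_probability(self, text):
        # Start from the prior odds, then multiply in one likelihood ratio per
        # token (done as a sum of logs to avoid underflow on long messages).
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        for tok in tokens(text):
            # Laplace smoothing: (messages with token + 1) / (messages + 2),
            # so a token never seen in one class does not force 0 or 1.
            p_spam = (self.seen["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.seen["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

def build_demo_filter():
    f = BayesFilter()
    for text in HAM:
        f.train("ham", text)
    for text in SPAM:
        f.train("spam", text)
    return f
```

A message made only of words the filter has never seen scores exactly 0.5, which is why these filters depend on being trained with the organization's own mail.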
Read more about Bayesian algorithms here:
IMF
Finally, Microsoft provides a downloadable Intelligent Mail Filter (IMF) for Exchange 2003/2007/2010. One of the easier filters to configure, it is enabled via the Exchange System Manager.
Download site: http://technet.microsoft.com/en-us/exchange/bb288484.aspx
While this filter works well for small to medium businesses, companies with high spam volumes might be better off with a more sophisticated filter.
Conclusion
Configuring spam filters to meet your needs requires some knowledge of your mail server and your particular mail requirements. Enabling all available features can increase the number of false positives and the hassles that come with them. Blocking all spam mail is impossible, and you cannot completely prevent false positives. Nonetheless, understanding how the spam filter works can make your life easier and your employees happier.
In part 2 of this series, we will take a closer look at Placement of your Spam Filter.