Here's Part 13 (Maintaining Anti-Spam Systems) of the 24 part Exchange 2007 series. Once again, I'm very sorry for the delay and let me know if you have any questions.
Exchange Server 2007 Webcast Series (Part 13 of 24) Questions and Answers Log (03-02-07)
Question: The Edge server contains SPAM blocking technology. Is there a list available that outlines what technologies the Edge server uses to block SPAM. RBL, SPF, etc?
Answer: http://technet.microsoft.com/en-us/library/aa996604.aspx is a great reference on the Edge Transport server role spam filtering capabilities.
Question: Does Exchange 2007 have Anti-Spam filtering out of the box, or is it an additional license?
Answer: Anti-spam is built into the Edge Transport server role of Exchange Server 2007. If you do not wish to deploy the Edge Transport server role, you can also install the agents onto your Hub Transport server role. In terms of licensing requirements, you will need an Exchange Server License for each physical server you deploy. If you choose to install the anti-spam agents onto your Hub Transport server, then there is no additional licensing requirements other than the Exchange Server License to install that server.
Question: If we don't have an Edge server and decide to enable spam filtering on the hub server, will we lose any functionality? thank you
Answer: It is not a best practice to run anti-spam functionality on the Hub Transport server. We recommend that you run anti-spam features on the Edge Transport server at the perimeter of your organization. Only run anti-spam features on the Hub Transport server if you have not deployed Edge Transport server. There is some functionality that is unique to the Edge Transport server role and not found in Hub Transport. Examples include Sender Reputation, Local Reputation and Outlook Safe Sender aggregation.
Question: You might want to give people this link.... It's the Edge transport servr role architecture map. http://www.microsoft.com/downloads/details.aspx?familyid=612F811D-2953-4C08-945E-833C17150083&displaylang=en.
Answer: thanks!! will do, now they have that.
Question: Is there in any way possible to enable Attachment filtering on the Hub Transport Server?
Answer: This is a feature that is specific to the Edge Transport server role.
Question: Where do you get your blacklisted lists?
Answer: Microsoft does not provide this service. I referenced an “imaginary” Block List Provider during my demo.
Question: can i generate statistics, such as # of messages blocked per day, attachments removed per dat, etc...?
Answer: Yes, there are a number of statistical elements exposed as performance counters, including counters and objects for Sender ID, Sender Filter Agent, Connection Filter Agent, Content Filter Agent, etc. You can see and collect this data using Performance Monitor (perfmon) aka System Monitor, as well as with Microsoft Operations Manager, and third-party tools.
Question: what i dont understand is why the edge server MUST have 2 network cards - if its sitting in a dmz which is one subnet why should i bypass my backend firewall by connecting it directly to my internal network and therefore compromise security - surely I should be able to use one network card for both ?
Answer: There is NO requirement that the Edge Transport server have two network cards. Depending on how you configure your Perimeter network, it may be helpful to have 2 network cards.
Question: For Sender Reputation Filtering, is there a central storage location for Internet IP's to block known bad IP'S?
Answer: No, there is not.
Question: Does Microsoft provide a IP Block list?
Answer: No, Microsoft does not provide RBL or Safe List services. You will need to use 3rd party services.
Question: Can we add to these lists from the command prompt?
Answer: You can configure the different Filters from the Exchange Management Shell. This includes adding IP addresses to the Block List
Question: So...Sender Filtering relies on knowing who you want to block by IP, not excluding known spammer IP's, correct?
Answer: No. Connection Filtering blocks based on IP address. Sender Filtering blocks on MAIL FROM, and it can use an SMTP address, or wildcards to block address patterns and entire domains.
Question: if you have an enterprise cal for exchange 2007 you get exchange hosted services included - this includes blacklisting etc for end users (by the mere fact its doing spam filtering) isnt that the case ?
Answer: Yes, except that we actually do not use the term blacklisting – we refer to this as Block Lists. :-) See http://www.microsoft.com/exchange/evaluation/editions.mspx for licensing information.
Question: Which SPF return value does the Sender ID filter use when blocking messages? i.e. Fail, Softfail, Unknown, etc.
Answer: See http://technet.microsoft.com/en-us/library/bb124414.aspx.
Question: ForeFront is not always included in the license purchase, is this correct?
Answer: You are correct. ForeFront Security for Exchange does not come with the Exchange Server 2007 Server License or the Exchange 2007 Standard CAL. It does come with the Exchange 2007 Enterprise CAL. See http://www.microsoft.com/exchange/evaluation/editions.mspx.
Question: will harold run through setting the tarpitting theshhold ?
Answer: No, but tarpitting is on by default.
Question: Re Filters (white/black/grey lists): the Q is if their functionality and implementation differs from Exch2003/2000 ?
Answer: We have greatly enhanced the antispam and antivirus capabilities of Exchange 2007. The entire transport stack was completely rewritten. Many of the principles are the same, but it’s effectively the next generation in Exchange 2007. You can start at http://technet.microsoft.com/en-us/library/aa996551.aspx to get more information.
Question: can i filter on the BCC field?
Answer: BCC is not available to filter from specifically. You can filter on BCC, but the filter also includes TO and CC. For more information, please look at: http://technet.microsoft.com/en-us/library/aa995960.aspx.
Question: Can we control the Outlook junk email filtering option using GP
Answer: Outlook 2007 - http://technet2.microsoft.com/Office/en-us/library/d5538a83-5d2f-4acb-b372-8741afe1f2121033.mspx?mfr=true.
Question: Is whitelist/blacklisting at the Outlook client level integrated into the edge or hub lists?
Answer: The Outlook Safe Sender List can be aggregated and synchronized to the Edge Transport server via Edge Sync. This capability does not exist if you do not deploy the Edge Transport server role and only install the anti-spam agents onto your Hub Transport server role.
Question: how do we find the levels of SCL and what they mean ?
Answer: SCL is well documented at http://msdn2.microsoft.com/en-us/library/aa579855.aspx.
Question: can you have different attachement actions for different types
Answer: No. There is one action for all attachment types.
Question: I am not planning to install Edge Transport server in my environment since we are using McAfee e3300 Appliance, can I still have all filtering features in today's webcast from my single Ex2007 acting as Hub Transport, Mailbox & Client Access server?
Answer: No, you will not have all features as some features are only available with the Edge Transport server role. Please see an earlier answer towards the beginning of the Q&A Log.
Question: Does my past experience with Exchange 4.0, 5.0, 5.5, 2000 and 2003 help with Exchange 2007 mangement, or do I have to completely throw out every thing I have learned about SMTP routing and start over aagain with the training from scratch?
Answer: It will help quite a bit. Remember, we build our products to comply where applicable with public standards (for example RFCs 2821 and 2822, which govern SMTP). While transport and routing is different in Exchange 2007 (mainly because we now use AD Sites for routing), there's still plenty of carryover knowledge and experience from previous versions.
Question: Is there any GUI for adding the attachment filtering?
Answer: Unfortunately, there is not.
Question: what is the command to enable the antispam filter in the hub transport?
Answer: http://technet.microsoft.com/en-us/library/bb201691.aspx has the commands to do that. It is essentially running the Install-AntispamAgents.ps1 script.
Question: Would the last configuration work for SBS 2003 R2 ?
Answer: Exchange Server 2007 is not part of SBS 2003 R2, so this would be a moot point.