Exchange 2013 Anti-Spam Technologies - The Sender Filter Agent

Last time, we introduced the agents that make up Exchange 2013’s anti-spam technologies. In this post, we’re going to take a closer look at the Sender Filter agent. In case you didn’t see our introductory article, here’s a recap. The Sender Filter agent looks at the SMTP protocol exchange for the MAIL FROM: command. It compares the address given there to a list of blocked senders and blocked domains, and if it finds a match, it refuses to accept email from that sender. Let’s take a closer look at the specifics of what happens when servers exchange email.

RFC 2821 specifies that all message transfer agents must use the MAIL command to specify the purported sender’s email address.

MAIL FROM:<reverse-path> [SP <mail-parameters> ] <CRLF>

The Sender Filter agent examines the email address that makes up the reverse-path to see if it matches an entry on a list of blocked senders. This list, created and maintained by the Exchange administrator, can contain entries to match:

  • Specific sender (user@example.com)
  • Domains (example.com)
  • Domains and Subdomains (*.example.com)

If a match is found, then one of two actions can be taken:

  • Reject the message with a 554 5.1.0 response
  • Accept the message but mark it as from a blocked sender

Rejecting the message closes the connection. It does not prevent the sending system from attempting to deliver other messages later, but it does end the current session. Accepting and flagging the message instead marks it for the Content Filter agent, which treats the blocked-sender match as a factor when it calculates the Spam Confidence Level (SCL). We’ll talk more about the Content Filter in a couple of weeks.

The Sender Filter agent can also reject messages when the MAIL FROM: is blank. Valid messages from legitimate systems SHOULD include a valid SMTP address, so if that is blank, it’s a good idea to reject it. To do this, use the EMS (Exchange Management Shell) to run this command.
Set-SenderFilterConfig -BlankSenderBlockingEnabled $true
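
To make the matching rules above concrete, here is a small Python model of the Sender Filter decision. It is an added example written for this post, not Exchange’s own implementation: it parses the reverse-path out of a MAIL FROM: command, checks it against constructed sample versions of the three blocked lists (specific senders, exact domains, domains plus subdomains), handles the null reverse-path case, and returns either the 554 5.1.0 rejection or an accept-and-stamp result. The reply text strings, the function names and the list contents are assumptions made for the example; only the 554 5.1.0 code comes from the post.

```python
import re
from typing import Optional, Tuple

# Constructed sample policy for this example, shaped like the three Exchange
# Sender Filter lists described in the post (BlockedSenders, BlockedDomains,
# BlockedDomainsAndSubdomains). Addresses are compared case-insensitively.
BLOCKED_SENDERS = {"casper@example.com", "bob@example.com"}
BLOCKED_DOMAINS = {"example.net"}                  # exact domain only
BLOCKED_DOMAINS_AND_SUBDOMAINS = {"example.org"}   # domain plus any subdomain

# Reply strings are assumptions for this model; only the 554 5.1.0 code
# comes from the post.
REJECT_REPLY = "554 5.1.0 Sender denied"
ACCEPT_REPLY = "250 2.1.0 Sender OK"

# MAIL FROM:<reverse-path> [SP <mail-parameters>] <CRLF>  (RFC 2821 syntax)
_MAIL_FROM = re.compile(r"^MAIL\s+FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)


def parse_reverse_path(line: str) -> str:
    """Extract the reverse-path mailbox from a MAIL FROM command.

    Returns "" for the null reverse-path (MAIL FROM:<>), strips an RFC 2821
    source route such as @relay.example.net:user@example.org, and lower-cases
    the result. Raises ValueError for anything that is not a MAIL command.
    """
    m = _MAIL_FROM.match(line.strip())
    if m is None:
        raise ValueError("not a MAIL FROM command: %r" % line)
    path = m.group("path").strip()
    if path.startswith("@") and ":" in path:
        path = path.split(":", 1)[1]
    return path.lower()


def match_blocked(address: str) -> Optional[str]:
    """Return which list the address matches, or None if it is not blocked."""
    if address in BLOCKED_SENDERS:
        return "sender"
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1]
    if domain in BLOCKED_DOMAINS:
        return "domain"
    for blocked in BLOCKED_DOMAINS_AND_SUBDOMAINS:
        # example.org itself, or anything ending in ".example.org";
        # "notexample.org" must not match.
        if domain == blocked or domain.endswith("." + blocked):
            return "domain-and-subdomains"
    return None


def sender_filter(line: str, action: str = "Reject",
                  blank_sender_blocking: bool = True) -> Tuple[str, bool]:
    """Decide what the agent does with one MAIL FROM command.

    action mirrors the two behaviours in the post: "Reject" closes the
    session with 554 5.1.0, "StampStatus" accepts the message but marks it
    as from a blocked sender so the Content Filter can weigh that in the SCL.
    Returns (smtp_reply, stamped_as_blocked_sender).
    """
    address = parse_reverse_path(line)
    if address == "":
        # Null reverse-path: rejected only when blank-sender blocking is on
        # (Set-SenderFilterConfig -BlankSenderBlockingEnabled $true).
        return (REJECT_REPLY, False) if blank_sender_blocking else (ACCEPT_REPLY, False)
    if match_blocked(address) is None:
        return (ACCEPT_REPLY, False)
    if action == "Reject":
        return (REJECT_REPLY, False)
    if action == "StampStatus":
        return (ACCEPT_REPLY, True)
    raise ValueError("unknown action: %r" % action)


if __name__ == "__main__":
    # Constructed MAIL FROM lines, as a receiving server might see them.
    for cmd in ("MAIL FROM:<bob@example.com>",
                "MAIL FROM:<alice@example.com> SIZE=2048",
                "MAIL FROM:<news@mail.example.org>",
                "MAIL FROM:<>"):
        print("%-45s -> %s" % (cmd, sender_filter(cmd)))
```

Note the difference between the two domain lists: example.net on the exact-domain list does not catch mail.example.net, while example.org on the domains-and-subdomains list catches both example.org and any host beneath it. That distinction is the one to keep in mind when deciding which Set-SenderFilterConfig parameter an entry belongs in.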
To maintain a blocked sender list, admins use the EMS to configure it. The two commands you need are Set-SenderFilterConfig and Get-SenderFilterConfig. Set-SenderFilterConfig adds and removes entries from the list, while Get-SenderFilterConfig displays the contents of the filter. Here are some useful examples for manipulating the filter.

This command will dump the contents of your Sender Filter list.
Get-SenderFilterConfig | Format-List BlockedSenders,BlockedDomains,BlockedDomainsAndSubdomains

This command will create the list and add blocked users, domains, and subdomains. Use commas to separate multiple entries.
Set-SenderFilterConfig -BlockedSenders casper@example.com,bob@example.com -BlockedDomains example.net -BlockedDomainsAndSubdomains example.org

This command will modify the filter list to add new entries and remove a domain.
Set-SenderFilterConfig -BlockedSenders @{Add="roy@example.com","joe@example.com"} -BlockedDomains @{Remove="example.net"} -BlockedDomainsAndSubdomains @{Add="yoyodyne.com"}

Note that there is only one list. If you need to append to that list, use the @{Add="..."} syntax from the example above. If you just run Set-SenderFilterConfig with a plain list of entries, you’ll overwrite your existing list.

Next time, we’ll take a look at the Recipient Filter agent. See you then.

Written by Casper Manes

I currently work as a Senior Messaging Consultant for one of the premier consulting firms in the world. I cut my teeth on Exchange 5.0, and have worked with every version of Microsoft’s awesome email package since then, as well as MHS, Sendmail, and MailEnable systems. I've written dozens of articles on behalf of my past employers, their partners, and others, and I finally decided to embrace blogging and social media, so please follow me on Twitter @caspermanes if you enjoy my posts.


  1. Celeste · December 31, 2013

    Now I know what happens to messages with a blank From section! I’ve always wondered about this…Anyway, it’s good to know that there’s something like the Sender Filter Agent to help us detect spam. This is also a good reminder to email users like me to review messages before sending them out, lest they be detected as suspicious by the Sender Filter Agent. At least, Gmail prompts me whenever I send an email with incomplete sender data (including the email subject). The fight against spam doesn’t depend solely on technologies and techniques, it also depends largely on us. We should be more vigilant in trying to detect which emails are suspicious looking. Likewise, we should constantly update ourselves with the latest in spam and phishing tactics.
