Exchange 2010’s anti-spam capabilities are robust, and many companies find the protection offered by the Edge Transport server role to be strong enough to meet their needs. Sometimes, that protection (just like anti-spam measures on any system) may prove to be too strong, and you can find yourself wanting to add certain senders to what can be called the safe senders list, the permitted senders list, or the whitelist.

Exchange’s whitelist is a list of SMTP addresses that are permitted to send email to recipients on the Exchange system, without being subject to any of the spam filtering capabilities within the system. The whitelist can be both powerful and dangerous. Consider what will happen when you add user@example.com to the whitelist. If an email comes in to the system, and the header states that the mail is from user@example.com, then that email is accepted and passed through to the recipient’s mailbox. It won’t matter what else might be in the message, including key words, links, or anything else that screams “spam,” a whitelisted sender is passed right through. If the sending address was spoofed, this will result in spam messages reaching the user’s mailbox.

In this case, we are talking only about spam whitelists. Many applications that can scan messages and attachments for malware maintain their own whitelists. Unless you add the sender address to those whitelists too, messages and attachments will still be scanned for malware.

In Exchange 2010, the whitelist is handled by the ContentFilter, and the whitelist is an attribute known as the BypassedSenders. BypassedSenders is a comma delimited list of sender addresses, and is managed using the Exchange Management Shell. Let’s look first at the ContentFilter. Open the EMS, and execute this command:

Get-ContentFilterConfig [enter]

Unless you have already made changes to this, you will see the full list of attributes, including the BypassedSenders. You can add a list of addresses to this attribute, using the following command, where each sender address is separated by a comma:

set-contentfilterconfig –BypassedSenders user1@example.com, user2@example.com [enter]

You can add as many email addresses to that command as you want. Repeat the Get-ContentFilterConfig command and you will see this list of addresses you entered, starting with the last in the list. This works well, until you need to add another. Using the Set-ContentFilterConfig –BypassedSenders command will overwrite anything that is already on this list. If you want to add a new entry or two, while maintaining the existing entries, use the following commands:

$list = (Get-ContentFilterConfig).BypassedSenders
$list.add("user3@example.com, user4@example.com")
Set-ContentFilterConfig -BypassedSenders $list 

By creating the $list from the existing entries, and then adding the new entries, and feeding the combined list back into the Set command, you will preserve your existing entries. It’s kind of like adding a new directory to your path.

Why would you want to whitelist senders? It could be that for some reason, the sender is legitimate, but frequently sends messages that look spammy because of keywords, or a large number of links. Or it could be a business partner or critical customer, and you want to be sure that communications from them are not blocked. Just remember two things; any message that says it is from someone on that list will be passed without further checking, and that whitelist applies to all mailboxes, not just to an individual. As long as you can live with those caveats, you’re ready to go.

How to manage whitelists using the Exchange Management Shell

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

To help new administrators get on their feet for some common administrative tasks they will be faced with, I’ve put together some resources that I hope will help them get a head start on them.

Unattended setup of Exchange 2010

Looking to perform an unattended setup of Exchange Server 2010? Well, this guide highlights the required flags and properties to initiate an unattended setup, and also strings together a suggested command line to help administrators up to speed. Of course, Microsoft TechNet Library has the low-down for those who must have the full details of all applicable parameters here. [Unattended setup of Exchange 2010]

Configuring Exchange 2010 Certificate

This site from Microsoft highlights the steps administrators need to perform to set up a proper certificate as opposed to using the default self-signed ones. I found the step-by-step guide to be very clear, though you might also want to check out the 2.5 minutes video tutorial of the same put together by certificate authority Digicert here. [How to configure Exchange 2010 Certificate]

Enabling Anti-Spam Features on Exchange 2010 Hub Transport Server

New administrators might not necessarily be aware that Exchange’s built-in anti-spam functionality is enabled by default on Edge Transport servers, but not on Hub Transport servers. Given that smaller (or even mid-sized) organizations might only need to deploy a single Exchange server for their needs, the following resource walks through the steps to enable the anti-spam feature for such deployment scenarios. [How to enable Exchange 2010 anti-spam feature]

View the Current Mailbox Size, Message Count, and Last Logon

To aid their diagnosis of a wide range of issues, administrators will find themselves occasionally needing details such as the mailbox size, number of messages and last logon. TechNet Magazine highlights the simple steps to determine the above information using the Exchange GUI, as well as via command line. [Quickly view the current mailbox size, message count, and last logon]

Can you think of other common tasks (and how to do it) that new Exchange administrators will benefit from? Feel free to chip in below!

4 Common Tasks for New Microsoft Exchange Administrators

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When your e-mails are flagged by the spam filters as legitimate spam, it can be bad for your business as communication gets derailed, especially if you are expecting an important email.  To avoid losing an important client or work getting prolonged due to e-mails not being read, you need to ensure your messages always reach the intended mailboxes.

It seems that the spam filters sometimes automatically move messages tagged as “illegitimate messages” into the spam inbox section.  You can actually prevent this from happening by composing a good message that will pass the spam filters.  The spam filters generally work by employing a scoring system.  If an e-mail message gets a high score, the higher the chances of the message arriving at the spam folder and eventually being deleted without being read.  To get over the spam filters, you need to know some dos and don’ts so you can guarantee that your important messages will appear in the proper mailbox of the recipient.

1. Control the excitement in your message
   Spammers usually use words and phrases that will excite the readers.  On top of the list are offers of large sums of money and amazing breakthroughs.  Money back guarantees and offering the same products that cost less can be part of legitimate offers but will definitely trigger spam filters to give the message a high spam index score.  You need to avoid using all uppercase in your text and putting more than one exclamation point at the end of a sentence.  Find out spam keywords that most spam filters are looking for such as “Affordable,” “Bargain,” and “Free,” among others.
2. Plain text is still better
   E-mails can be sent either as a plain text or as an HTML page.  Most of the time spam filters are strict with e-mails that are in the HTML format and will most probably be sent to the spam folder unless you use good coding procedures in your HTML.  In conveying the desired message, plain text format is still more suited.  You should know that there are more recipients who prefer to receive e-mail correspondences using the plain text format.
3. Avoid including attachments
   Most spam contains attachments that are destructive.  Sending e-mail messages with inappropriately named attachments will trigger spam filters all the time.  As much as possible, put the content of your attachment inside the body of the message and provide links rather than attach a file to your message.
4. Always check your sender score
   There is actually a sender score that determines the reputation of your e-mail address as a sender.  Businesses that often launch e-mail campaigns are the ones that get affected more with the sender score rather than an average personal or business account.  You need to check your sender score as often as possible for you to be able to repair the damages if there are any.
5. Avoid sending spam
   Those who market things by way of e-mail even to those people who did not subscribe to the mailing list will often be blacklisted.  Getting your e-mail account and domain name off a blacklist list is quite difficult.  Make sure that you send e-mails to those who want to receive e-mail from you.   Spam filters will flag your messages no matter what is inside your message.
6. Use black fonts over coloured fonts
   Even though black-coloured fonts seem a bit boring, they are safe from spam filters.  More often than not, coloured fonts excite most spam filters and will likely move your messages to the spam folder.  If the consequence of having a more stylish message will make your message be tagged as spam, then it is not worth it.  Black text can also be professional and looks clean.
7. Make it a point to test your list of recipients
   If you intend to send a message to a large mailing list, test your message by including your e-mail in the recipient list.  You can create e-mail accounts specifically just for testing if the message gets through the inbox or the spam folder.  As much as possible, test your message using your test accounts on different machines with different platforms to be able to see if there are problems with a specific operating system.  There are also e-mail clients like “Microsoft Outlook” that you need to check.  Testing your message is a necessary step especially if you are sending important e-mail correspondences like newsletters to a huge list.
8. Avoid using the word “test” in your test email
   When you use test accounts and test messages, you need to avoid using the word “test” in your e-mail in the subject line and in the body of the message to ensure that your message will not trigger the spam filters.  Most spam filters include the word “test” in their watch list.
9. Make your subject very specific
   Most often, messages get flagged as spam by spam filters due to the way the subject was written down.  Make your subject line as specific as it can be without divulging important details.  Spam filters know that spammers will not put details in the subject line.  For example, if your message is about a reminder about an important meeting, the subject that says “Important Meeting Tomorrow” is acceptable but it will be much better if you include a little detail like the time and place for the meeting.
10. Hire professional online marketers
    If your messages always end up on the spam folders of your recipients even if you apply the necessary precautions, it can be a big problem for your business.  It is important that you get professional help from experienced online marketers.  Before any damage is done to your online marketing campaign, it is important that you receive professional advice as well as pinpoint the cause of the problem.  Online marketing companies usually know how to salvage the reputation of your marketing campaign and eventually your company’s name.

10 Ways to Make Sure your Emails Never End Up in the Spam Folder

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

I read a tip just recently that advocated the use of fake MX records as a spam deterrent.  The solution was apparently devised after struggling with the server load that was being generated by spam emails.

As we all know, spam makes up as much as 90% of global email traffic, so it is not unusual for spam load to be a serious issue for email server performance.  The natural instinct is to prevent that load from being applied to the server in the first place.  Fake MX records are not the best way to do this.

MX records are the DNS records that tell email servers where to send email that is addressed to a particular domain.  For example, if I send an email to john@company.com my email server will look up the MX record for company.com, determine the associated IP address, and transmit the message over SMTP to that IP address.

To maintain redundancy most organizations will use multiple MX records that point to multiple email servers, so that if one is unavailable the others can still receive incoming email.  MX records are given a priority, an arbitrary number that is only relative to the priority of other MX records for that domain.  The lower the number, the higher the priority.

So for the same example as above, my email server looks up the MX record for company.com and gets the following response.

company.com MX preference = 10, mail exchanger =
 maila.company.com

company.com MX preference = 20, mail exchanger =
 mailb.company.com

It knows then to send to maila.company.com first, and then try mailb.company.com if the first try is not successful.

The idea of fake MX records is to create multiple MX records (usually at least 3) of varying priority, and have the highest and lowest priority MX records be pointing to non-existent servers.  The theory is that spammer’s botnets will only try to send to the highest or lowest priority MX, and then when they get no response will give up and move on to the next victim.  Some email administrators use as many as 10 MX records with only one real one among them.

The theory has some merit.  Spammers want to send out as much email as possible so usually won’t waste time and resources by having their bots try multiple MX records for a targeted domain.  However the technique impacts legitimate senders as well.If my email servers are sending hundreds of thousands of outbound emails per day (this is not unusual for larger organizations), and the recipient domains are making use of fake MX records for spam prevention, then each time my server attempts to connect to a fake MX record it needs to wait for the time out period to elapse, store the email in its queue, and retry again.

In effect this means that while the receiving organization is trying to reduce their server load, they are increasing mine.  If enough organizations are doing this, they are increasing my server load by a very large amount.

This leads us to the second issue with this technique.  It only works if hardly anyone tries to use it.  If we all populated our DNS zones with fake MX records the spammers would quickly catch on and reprogram their bots to send spam to multiple MXes instead.

Now we’re back at square one, having invested time, effort, and server resources into a technique that is at best a short lived success.

Advocates of this technique seem to miss an obvious alternative.  Connection filtering, or IP filtering, is a much more effective method of blocking spam sent by botnets.  When an IP address is a known or likely source of spam it is blacklisted by organizations such as Spamhaus.  Email servers can be configured to check a sender’s IP address against these lists, and the check is performed at the earliest stage of an SMTP connection, making it fast and efficient.

Bad IP addresses are blocked, often resulting in as much as 90% of spam being blocked immediately with minimal server resource usage.  Good IP addresses are allowed to send the email message through for more thorough inspection.

And the best part of all is that it does not penalise legitimate senders by forcing them to try sending to multiple MX records before they are able to get through.

Fake MX Records More Harm Than Good

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Is your business drowning in spam? Do you want an efficient and free way to stop spam from entering your inbox? ExchangeServerPro.com and GFI Software have teamed up to achieve a Spam Free 2010 by giving away two license packs of GFI MailEssentials™.

Two people have the chance of winning either the first prize which is a 50 user license pack or the runner up prize – a 25 user license pack.

For details on how to enter the competition check out Paul’s blog post. The deadline for the contest is 31 January 2010, Australian EST.

Save your business from spam – Win a copy of GFI MailEssentials with ExchangeServerPro

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Despite the generally excellent performance of most modern, well-tuned anti-spam engines, some spam is going to get through. We may be lulled into a false sense of superiority when for a period of time our anti-spam tools and techniques have borne fruit, and we see that we have more-than-just-excellent results; we have no spam in our inboxes for an entire day, week, whatever. Then, it returns. We’ve all seen it happen. Some strangely formatted message that you or I can surely tell is garbage, a bizarre attempt to sneak through your heuristics that has surprisingly succeeded.

Lately it has been some rather clever nonsense. I’ve been getting these spam emails with a particularly peculiar twist. Many of them have what appear to be at first glance meaningful, but “non-spam” sentences. On closer look, the sentences are strange, and not quite sensible. For some reason they consistently were getting through the spam filtering. What was strangest to me was the lack of any marketing content or attempt to sell whatsoever. They did have a link in the message, and the link was not ever to the same web destination or even clearly directed to an obvious undesirable site. This may have been one of the reasons this set of spam got by; to the filters, it looked really no different than a sentence or two sent by a friend describing some link they thought I would be interested in.

The content appears to be randomly generated by some sort of sentence constructor, which picks nouns, verbs, adjectives and strings them together, so that they seem to be part of a coherent sentence, but are not. The sentences are not riddled with attempts at sales or exciting your interest; instead they are just random. Oftentimes eerie in their close-but-not-quite structure.  Here’s an example, to show what I mean.

Part of him was shocked, but most. of him wasn’t even surprised. seen that right away.
There were maybe fifty in all, most. no bigger than plump raisins. No.

This is just one of the most recent ones. Often they have better punctuation, notice that this one has a few periods without spaces following and missing a few capital letters. One thing we don’t see is the crazy mixed-case words, with sexual content misspelled intentionally and with an obvious attempt to excite or lead us on into clicking the link that was attached and apparently unrelated to the text.

Now here’s the thing I found problematic. I can’t see where this content is going to work to be parsed in an anti-spam scanner in most cases, as it’s random enough when compared with the other spam of the same “type”, and yet the content could easily be valid if you wrote me: “Part of him was shocked, but most of him wasn’t even surprised.” Does it make sense to try to include this in our heuristic anti-spam scanners? I think not. We have to combat this by another means.

An old standby would have been to block inbound messages from this sender or IP address, but unfortunately this one came from Hotmail and I just can’t see blocking all email from any Hotmail senders, as much as I might want to do it some days. That was the first thing to do, though, is examine the headers and the log files to be sure that the mail did in fact come from where it claimed, from a Hotmail address and not from some other source. I still see significant forging of email headers.

The next comparison I made was to determine if the link embedded in the email was actually pointing to the Web site it said it was, and not apparently a link with a different URL within it.  In this particular case, the link was to a Google reader URL, and did have some objectionable content. So, although I can’t very well block any messages that might have Google reader links in them, you might be able to.  It depends on your email use policy and Internet access policy. Perhaps your business and your employees just have no use for Google reader at work. If not, I found several more spam messages that got through, with completely different text content, completely random and almost literary, with no obvious mention of sexual content, all sent from major web based email services.

The common relationship was the inclusion of a link that pointed to Google Reader. That’s what we’d need to filter as objectionable content. Other links to other sites came in some other spam emails, but there were enough (three) in a short time that we can see this was the mechanism they were using. The near-random and non-contextual nature of the Google Reader links make just blocking them based on the URL difficult, the ones posted by users have simply long numerical strings as identifiers. Pretty much random as well, although it might be possible rather than blocking any and all links to Google Reader content to selectively block ranges of users, although how to do that efficiently, I can’t yet see.

The Latest Spam Getting Through Your Filtering – and What to Do About It

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The National Cyber Security Alliance (NCSA) has announced their annual campaign for cyber-security awareness.

Awareness, more than anything, is the most important weapon in securing your enterprises and ensuring that malware doesn’t sneak in through your email servers. Awareness? Doesn’t everybody know about the dangers lurking in cyberspace by now? What we folks in the IT business take for granted is often unknown or ignored by ordinary users. When we get emails from a deposed general of a third world country, asking for assistance in moving $40 million into the US, and offering a percentage for the service, our immediate reaction is to simply delete the email. It’s a painfully obvious scam to most of us and we pay it no attention. But yet, they keep coming in every day. Why do people keep sending out these pathetic attempts to get our bank account numbers? Simple. Because not everybody is aware that it is a scam.

Do people understand the dangers of the Internet, and do they have adequate protection in place? Not really. And even if they do understand the risks, most people just aren’t as protected as they like to believe. A study conducted by NCSA this month showed that over 80 percent of American computer users reported having a firewall installed, but only 42 percent had adequate firewall protection. The study also showed a big disparity between the percentage of people who use anti-virus and anti-spam protection, and the number of people who feel safe from hacker attacks.

NCSA offers several suggestions for staying safe online, and while these suggestions may seem obvious to most, we must take measures to make sure every user is aware of the risks and understands how to safely use email. Their suggestions include protecting your identity, and exercising extreme caution when sharing things like social security numbers and birth dates. The NCSA also advises us to stay up to date on all security tools, and to learn how to “email safely”–and learn how to spot the signs of a fraudulent email.

Confusion over cyber-security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators