Exchange EDGE Anti-Spam Filter config

Configuring Exchange Anti-Spam filter

Antispam protection in Exchange Server (2013, 2016 & 2019)

Spammers, or malicious senders, use a variety of techniques to send unwanted email into your organization. No single tool or process can eliminate all spam. However, Microsoft Exchange provides a layered, multifaceted approach to reducing these unwanted messages. Exchange uses transport agents to provide antispam protection, and the built-in agents that are available in Exchange Server 2016 and Exchange Server 2019 are relatively unchanged from Exchange Server 2010. In Exchange 2016 and Exchange 2019, configuration and management of these agents is available only in the Exchange Management Shell.

Antispam agents on Edge Transport servers

If your organization has an Edge Transport server installed in the perimeter network, all of the antispam agents that are available on a Mailbox server are installed and enabled by default on the Edge Transport server. However, the following antispam agents are available only on Edge Transport servers:

  • Connection Filtering agent: Connection filtering uses an IP block list, IP allow list, IP block list providers, and IP allow list providers to determine whether a connection should be blocked or allowed. For more information, see Connection filtering on Edge Transport servers.
  • Recipient Filter agent: Recipient filtering uses a recipient block list to identify messages that aren't allowed to enter the organization. The recipient filter also uses the local recipient directory to reject messages sent to invalid recipients. For more information, see Recipient filtering on Edge Transport servers.
    Note: Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it there. When recipient filtering on a Mailbox server detects one invalid or blocked recipient in a message that also contains valid recipients, the whole message is rejected. The Recipient Filter agent is enabled when you install the antispam agents on a Mailbox server, but it isn't configured to block any recipients.
  • Attachment Filtering agent: Attachment filtering blocks messages or attachments based on the attachment file name, extension, or MIME content type. For more information, see Attachment filtering on Edge Transport servers.

Based on the default priority value of the antispam agent, and the SMTP event in the transport pipeline where the agent is registered, this is the order that the antispam agents are applied to messages on Edge Transport servers:

  1. Connection Filtering agent
  2. Sender Filter agent
  3. Recipient Filter agent
  4. Sender ID agent
  5. Content Filter agent
  6. Protocol Analysis agent (sender reputation)
  7. Attachment Filtering agent

Antispam stamps

Antispam stamps are applied to messages and are used by the antispam agents. You can view the antispam stamps to help you diagnose spam-related problems. For more information, see Antispam stamps.

Strategy for antispam approach

Antispam is a balancing act between blocking unwanted messages and allowing legitimate messages. If you configure the antispam features too aggressively, you’ll likely block too many legitimate messages (false positives). If you configure the antispam features too loosely, you likely allow too much spam into your organization.

These are some best practices to consider when configuring the built-in antispam features in Exchange:

  • Reject messages that are identified by the Connection Filtering agent, Recipient Filter agent, and Sender Filter agent rather than quarantining the messages or applying antispam stamps. This approach is recommended for these reasons:
    • Messages that are identified by the default settings of the connection filtering, recipient filtering, or sender filtering typically don’t require further tests to determine if they’re unwanted. For example, if you configured sender filtering to block specific senders, there’s no reason to continue to process messages from those senders. (If you didn’t want the messages rejected, you wouldn’t have put them on the blocked senders list).
    • Configuring a more aggressive level for the antispam agents that encounter messages early in the transport pipeline saves processing, bandwidth, and disk resources. The farther into the transport pipeline a message travels, the more variables the remaining antispam features must evaluate to identify it as spam. Reject the obvious messages early so that you can spend the remaining processing on the ambiguous ones.
  • You need to monitor the effectiveness of the antispam features at their current configuration levels. Monitoring allows you to react to trends and increase or decrease the aggressiveness of the settings. You should start with the default settings to minimize the number of false positives. As you monitor the amount of spam and false positives, you can increase the aggressiveness of the settings based on the type of spam and spam attacks that your organization experiences.
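The following is an added example, not part of the original page or Microsoft's documentation, that puts the "reject early, stamp later" strategy above into a concrete Edge Transport configuration, one tier per agent in pipeline order. Run it in the Exchange Management Shell on the Edge Transport server. The IP range, DNSBL lookup domain, blocked domain, blocked recipient, quarantine mailbox, thresholds and blocking period are all assumed values for illustration. Two caveats a practitioner should keep in mind: recipient validation only works when EdgeSync (or an otherwise populated AD LDS instance) has given the Edge server a copy of the recipient directory, and Sender ID is left at StampStatus rather than Reject because SPF legitimately fails for forwarded mail, so a failed check is better treated as evidence for the Content Filter agent than as grounds for rejection on its own.

```powershell
# Added example (not from the original page): a layered Edge Transport
# antispam configuration following the "reject early, stamp later" strategy.
# Run in the Exchange Management Shell on the Edge Transport server.
# All addresses, domains, thresholds and the quarantine mailbox below are
# assumptions for illustration; replace them with your own values.

# --- Tier 1: Connection filtering (first agent in the pipeline) ------------
# Enable the local IP block list and add an assumed range. The optional
# -ExpirationTime turns a manual block into a time-boxed one so that stale
# entries do not accumulate.
Set-IPBlockListConfig -Enabled $true
Add-IPBlockListEntry -IPRange 192.0.2.0/24 -Comment "Assumed: ongoing spam source" -ExpirationTime (Get-Date).AddDays(7)
# A DNS-based block list provider (hypothetical lookup domain). -AnyMatch
# treats any returned A record as a listing.
Add-IPBlockListProvider -Name "Example DNSBL" -LookupDomain dnsbl.example.net -AnyMatch $true -RejectionResponse "Source IP is listed by Example DNSBL"

# --- Tier 2: Sender filtering: reject at SMTP time, do not just stamp ------
Set-SenderFilterConfig -Enabled $true -Action Reject -BlankSenderBlockingEnabled $true -BlockedDomainsAndSubdomains @{Add="spam-example.test"}

# --- Tier 3: Recipient filtering: reject mail to non-existent recipients -----
# RecipientValidationEnabled relies on the recipient directory replicated by
# EdgeSync; without it the Edge server cannot tell valid recipients apart.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true -BlockListEnabled $true -BlockedRecipients @{Add="noreply@contoso.example"}

# --- Tier 4: Sender ID: stamp only; a failed SPF check is evidence, not proof
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction StampStatus -TempErrorAction StampStatus

# --- Tier 5: Content filter: graded SCL actions for the ambiguous middle -----
# Reject near-certain spam, quarantine likely spam, and let the rest through
# stamped so the mailbox junk-mail threshold can act on it. Keep the
# thresholds ordered quarantine < reject < delete.
$contentFilter = @{
    Enabled                = $true
    SCLRejectEnabled       = $true
    SCLRejectThreshold     = 8
    SCLQuarantineEnabled   = $true
    SCLQuarantineThreshold = 6
    SCLDeleteEnabled       = $false
    SCLDeleteThreshold     = 9
    QuarantineMailbox      = "spam-quarantine@contoso.example"   # assumed mailbox
}
Set-ContentFilterConfig @contentFilter

# --- Tier 6: Sender reputation: block repeat offenders for 24 hours ---------
Set-SenderReputationConfig -Enabled $true -SenderBlockingEnabled $true -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# --- Tier 7: Attachment filtering: strip executables, deliver the message ----
Set-AttachmentFilterListConfig -Enabled $true -Action Strip
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType
```

Each Set-* cmdlet above has a matching Get-* cmdlet (Get-IPBlockListConfig, Get-SenderFilterConfig, Get-ContentFilterConfig, and so on) that you can run afterwards to confirm the values took effect; the later verification commands on this page do exactly that for the agents shared with the Mailbox server.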

Step 1: Run the Install-AntispamAgents.ps1 PowerShell script

Run the following command in the Exchange Management Shell on the Mailbox server:

& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

Step 2: Restart the Microsoft Exchange Transport service

Run the following command in the Exchange Management Shell on the Mailbox server:

Restart-Service MSExchangeTransport

Step 3: Specify the internal SMTP servers in your organization

You need to specify the IP addresses of every internal SMTP server that should be ignored by the Sender ID agent. In fact, you need to specify the IP address of at least one internal SMTP server. If the Mailbox server where you’re running the antispam agents is the only SMTP server in your organization, specify the IP address of that computer.

To add the IP addresses of internal SMTP servers without affecting any existing values, run the following command in the Exchange Management Shell on the Mailbox server:

Set-TransportConfig -InternalSMTPServers @{Add="<ip address1>","<ip address2>"...}

This example adds the internal SMTP server addresses 10.0.1.10 and 10.0.1.11 to the transport configuration of your organization:

Set-TransportConfig -InternalSMTPServers @{Add="10.0.1.10","10.0.1.11"}

How do you know this step worked?

To verify that you have successfully specified the IP address of at least one internal SMTP server, run the following command in the Exchange Management Shell on the Mailbox server, and verify that the IP address of at least one valid internal SMTP server is displayed:

Get-TransportConfig | Format-List InternalSMTPServers

Step 4: Next steps

  • The Content Filter agent, Sender ID agent, Sender Filter agent, and Protocol Analysis (sender reputation) agent should now be installed and running on the Mailbox server. To verify this, run the following commands in the Exchange Management Shell on the Mailbox server:

Get-TransportAgent

Get-ContentFilterConfig | Format-Table Name,Enabled; Get-SenderFilterConfig | Format-Table Name,Enabled; Get-SenderIDConfig | Format-Table Name,Enabled; Get-SenderReputationConfig | Format-Table Name,Enabled

To see detailed information about the configuration of each agent, run the following commands:

Get-ContentFilterConfig | Format-List *Enabled,RejectionResponse,*Postmark*,Bypassed*,Quarantine*

Get-SenderFilterConfig | Format-List *Enabled,*Block*

Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*

Get-SenderReputationConfig | Format-List *Enabled*,*Proxy*,*Block*,*Ports*

To configure each agent, see the configuration topic for that agent (content filtering, sender filtering, Sender ID, and sender reputation).

By default, the Content Filter agent, the Sender Filter agent, and the Sender ID agent record their activities in the antispam agent log on the Mailbox server. You can verify that these antispam agents are working when information is written to the log. To see the location and configuration of the log, run the following command in the Exchange Management Shell on the Mailbox server:

Get-TransportService | Format-List AgentLog*

For instructions on how to configure the log, see Configure antispam Agent Logging.
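The following is an added example, not part of the original page or Microsoft's documentation, that wraps Steps 1 through 4 above in one idempotent script for a Mailbox server and finishes with the monitoring check the strategy section asks for: a count of agent actions from the antispam agent log. Run it in the Exchange Management Shell on the Mailbox server. The local IPv4 addresses are discovered with Get-NetIPAddress; the extra gateway address 10.0.1.20 is an assumption for illustration, as is the 24-hour reporting window. The script relies on the string form of the entries returned by Get-TransportConfig matching plain dotted-quad addresses, which holds for single-address entries; ranges added in CIDR notation will not match and would simply be re-added as individual addresses.

```powershell
# Added example (not from the original page): an idempotent wrapper around
# Steps 1-4 for a Mailbox server, plus an effectiveness report from the
# antispam agent log. Run in the Exchange Management Shell on the Mailbox server.
# 10.0.1.20 is an assumed additional internal gateway; replace or remove it.

$ExpectedAgents = 'Content Filter Agent', 'Sender Id Agent', 'Sender Filter Agent', 'Protocol Analysis Agent'

# Steps 1 and 2: install the agents only when one of them is not registered,
# then restart the transport service so that the new agents are loaded.
$installed = Get-TransportAgent | Select-Object -ExpandProperty Identity
$notInstalled = @($ExpectedAgents | Where-Object { $installed -notcontains $_ })
if ($notInstalled.Count -gt 0) {
    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
    Restart-Service MSExchangeTransport
}

# Step 3: add every internal SMTP server that is not already listed.
# InternalSMTPServers tells the Sender ID agent which hops are yours, so it
# evaluates the first address outside that list in the Received chain rather
# than your own gateway. Keep the list tight: a very broad range would make
# Sender ID treat every sender as internal and skip the check.
$localAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress
$wanted = @($localAddrs) + @('10.0.1.20')   # assumed: an additional internal gateway

# Assumption: single-address entries stringify as plain dotted-quad addresses.
$current = @((Get-TransportConfig).InternalSMTPServers | ForEach-Object { $_.ToString() })
$missing = @($wanted | Where-Object { $current -notcontains $_ } | Select-Object -Unique)
if ($missing.Count -gt 0) {
    Set-TransportConfig -InternalSMTPServers @{Add = $missing}
}
Get-TransportConfig | Format-List InternalSMTPServers

# Step 4: verify that each agent is registered and enabled, and that the
# agent's own configuration object also reports Enabled = True.
$agents = Get-TransportAgent
foreach ($name in $ExpectedAgents) {
    $a = $agents | Where-Object { $_.Identity -eq $name }
    $state = if (-not $a) { 'MISSING' } elseif ($a.Enabled) { 'enabled' } else { 'DISABLED' }
    "{0,-28} agent {1}" -f $name, $state
}
$configState = @{
    'Content Filter'    = (Get-ContentFilterConfig).Enabled
    'Sender Filter'     = (Get-SenderFilterConfig).Enabled
    'Sender ID'         = (Get-SenderIdConfig).Enabled
    'Sender Reputation' = (Get-SenderReputationConfig).Enabled
}
$configState.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "{0,-28} config Enabled={1}" -f $_.Name, $_.Value
}

# Monitoring: confirm logging is on, then count actions per agent for the
# last 24 hours. A persistent zero for an agent you expect to fire is the
# signal to investigate (agent disabled, log directory full, or no inbound
# mail reaching this server).
Get-TransportService | Format-List AgentLogEnabled, AgentLogPath, AgentLogMaxAge
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Group-Object Agent, Action |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Re-running the script is safe: the install step is skipped once the agents are registered, and only addresses absent from InternalSMTPServers are added. The final Get-AgentLog summary is the number to track over time when you tune thresholds; a rising RejectMessage count for the Content Filter agent alongside complaints about missing mail is the false-positive signal the strategy section warns about.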
