Hello – Andy Day from the EMEA Antigen/Forefront Support Team here to give you some tips on oiling your anti-spam engine in Antigen for Exchange/SMTP. Let the spring cleaning commence...
Over recent years, spam has emerged as a more prominent pain point than the traditional virus concerns that any company will have. Spammers are always trying to get the upper hand on anti-spam vendors, bringing out new ways to bypass scanners and hit as many inboxes as possible (sure, why wouldn’t they?...they get paid for doing that, after all!)
So, as an Antigen for Exchange administrator, how do you tweak the ASM component (Anti-Spam Manager) to maximise your spam protection, in order to outwit the spammers?
Well, first of all, you are probably using one or both of these Antigen ASM features already:
· Spamcure anti-spam engine
· RBLs (Realtime Block Lists)
Alongside these features, you may also have implemented the IMF feature in Exchange (Intelligent Message Filter).
All of these features and technologies are preventative measures. A configuration guide can be found in the Antigen Spam Manager Best Practices guide. The key points from this guide are to:
Spam is more dynamic than (other) malware; therefore anti-spam updates tend to be released more frequently than anti-virus updates. It is common to see several anti-spam engine version releases every hour, so getting Spamcure to check for updates this frequently is strongly advised.
RBL lists, (non-Microsoft) lists of known spam mailhosts that are updated in realtime, are a good way of blocking spam from the source. Always try to use a reputable service here and be aware that free services may not always be the best. Note that Microsoft does not recommend any specific RBL providers. In Support, we do see a lot of customers using www.spamhaus.org and www.spamcop.net, which might be a good place to start. Please ensure that you observe any usage terms and conditions when using these 3rd-party lists.
RBLs rely heavily upon DNS lookups (of mailhosts), so if there is any latency in doing this, you could see SMTP mail queuing on your server. As a rule of thumb, it’s best to limit RBL lookups by using a maximum of 1-3 RBL providers.
OK, this isn’t strictly an Antigen feature, but we strongly recommend its use in conjunction with Antigen. The Spamcure engine and other filtering features on the SMTP scanjob can be used to set a SCL Rating on messages. Basically, if you enable the SCL Rating option for a feature in Antigen, any detection on that feature will cause Antigen to set a SCL Rating of 9 for the message. The SCL scale ranges from 0 (definitely not spam) to 9 (definitely spam).
Exchange 2003’s IMF feature allows you to set a threshold for the SCL Rating. You can also set a SCL threshold in Outlook that can steer spam messages into Outlook’s Junk Mail Folder (also governable via a GPO).
An example of how these 3 technologies might work together is setting the IMF threshold to 8 and the Outlook threshold to 5. Here, messages tagged with a SCL Rating of 0-4 will go through to users’ inboxes, 5-7 will go to users’ Junk Mail Folders and 8-9 will be deleted by IMF. As Antigen sets only ‘9’ values for the SCL rating, any Antigen-tagged messages will therefore be deleted by IMF.
For more information on Exchange’s Intelligent Mail Filter, click here.
4. Submit Spam Messages: False Positives (legitimate emails that were falsely detected as spam) and False Negatives (spam emails that were not detected) should be submitted ASAP to Mail Filters.
As an administrator, you’ve experienced that no technology is perfect and it’s expected that some false-positives and false-negatives will crop up from time to time. Sending these to Mail Filters (our partner company that produces the Spamcure engine) through the appropriate addresses is an efficient way to flag the problem without having to open a Microsoft Support case.
· Send False Positives to Spam.mail-filters "at" antigen.microsoft.com
· Send False Negatives to Notspam.mail-filters "at" antigen.microsoft.com
From these Best Practices, the key actions to take away are to make sure that Antigen is checking for Spamcure updates every 15 minutes and submit false positives/negatives to the above addresses.
If you’re working in a large organisation, you may find that a lot of spam seems to get through (even though the actual detection rate is still pretty high), due to the sheer volume of mail that you receive every day. Consider setting-up a designated spam Mailbox or shared Public Folder to collect false negatives from users.
Before opening any support cases for false negatives, we recommend that you cover the 2 areas above, since we’re likely to suggest that you do this J.
In the case that Spamcure or other ASM components don’t seem to be working as they should, take a look at my troubleshooting tips and extra features that can help to provide additional spam defence:
If you want to minimise your dependency on Microsoft Support, you can always try to troubleshoot the issue by yourself.
For Spamcure-related issues, try to determine from any errors whether the problem relates to the download of the engine (the first part of the update process), or to the integration of a new engine into Antigen (the second part of the update process); then follow these steps:
Engine Download Issues:
· Check that you can reach the file being downloaded through Internet Explorer.
· Confirm that any proxy settings entered in the Antigen Administrator are still valid.
· In general, try to stagger engine updates by 10-15min per engine.
Engine Integration Issues:
· Make sure that the engine has updated at least once following install, to avoid this error:
"ERROR: Could not load SpamCure mapper."
· Try rebuilding the scan engine, as per KB920304.
Antigen also gives you various filtering features that can be used in either a preventative or reactive manner to block spam.
o Sender/Domain Filtering
o Subject Line Filtering
There’s a lot of information and syntax about filtering already explained in the Antigen for Exchange User Guide, so I won’t repeat it here. However, you might consider setting some filters for basic pre-emptive defence and perhaps more importantly to block prominent spam mail that got through. It’s not worth the effort to do this for every undetected spam, of course, but if you’re facing a sudden wave of similar spam, this could warrant a Subject Line or Keyword Filter until engine definitions become available.
Following the guidance I outlined, we hope you find Spamcure is filtering out most of your spam just fine and you won’t really need to tackle this troubleshooting or use these extra features for this reason. If you do, however, I hope this post has been useful to you.
CSS Security Support Engineer (Antigen/Forefront Server Security)