Introducing Forefront Security for Exchange Beta 2 Antispam Technologies

Hi, my name is Alex Nikolayev and you might remember me from my previous work with Exchange Server Transport. Having an unconditional love for Transport, I moved to the Forefront Server Security team to help deliver cool new features that protect it from all sorts of malware (spam included).

Over the years, talking about the spam problem and how to get it under control, we were referencing four major pillars that contribute to the overall strategy and success in the fight against spam:

1. Effective Legislation
2. Innovative Technologies
3. Industry Cooperation and Collaboration
4. User Education

While I can’t really talk about the legislation (I’m not a lawyer) or user education (that needs to be done by every Forefront admin in every Exchange organization), I want to tell you about the new antispam technologies the Forefront team delivers in close collaboration with industry partners.

Forefront Server Security is well known for integrating the most efficient antimalware engines into the product, so it’s no wonder we decided to do the same for the antispam. The new Beta 2 release of Forefront Server Security 2010 comes with features that were jointly developed with our external partners. So what is under the FSE 2010 Beta 2 hood?

Today I will talk about the new content filter. I know it’s an impossible task to cover a wealth of new information in a single blog post, so this time I will provide only a high-level “introductory” overview of what it is and how it functions (do not worry, I will write more posts about the filter internals, best deployment and configuration practices, and how to get the most out of it).

The new Forefront content filter is the result of collaborative work between my team and Cloudmark®. At the heart of the filter is the Cloudmark Authority® Engine, which is natively integrated into Forefront’s antispam framework. It functions exactly the same way as the antispam content filter engine in Exchange 2007, examining the content of the message for spamminess. The engine produces a raw spam score that is normalized by the content filter agent (more precisely, by the adapter that translates the raw spam score into an SCL), and at the end the content filter agent stamps an SCL value onto the message. The SCL value is in the same format as the SCLs previously stamped by the Exchange 2007 and Forefront 2007 content filter agents, so any custom agents you have that act upon the SCL value on the message will continue to function without modification.

The biggest difference is in the SCL range distribution. Do not expect to see a lot of SCLs between SCL:5 and SCL:9, and do not expect to see anything in the range between SCL:1 and SCL:4 inclusive. The bulk of messages will be assigned either SCL:-1 or SCL:9. This means no more garbage in the Junk E-mail Folder! Sure, occasionally there could be a couple of messages with an SCL:5 or SCL:6, but the bulk of e-mail will be correctly classified as either legitimate or unsolicited bulk e-mail. Look at the chart below (real data supplied by one of the Forefront Beta 2 TAP customers who is running the Beta 2 build in production):

SCL Chart

As you can see, almost 100% of all incoming mail was classified either as good mail or as spam! These results may vary depending on the deployment configuration, but the general trend is that you won’t see a whole lot of messages with SCLs between 0 and 8.
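If you want to verify the distribution described above in your own deployment, the script below tallies stamped SCL values into the ranges the post discusses (-1, 0, 1-4, 5-8, 9) and reports how much stamped mail landed in the grey zone. This is an added example, not code from the Forefront product or from the post's author; it assumes each message carries its SCL in the X-MS-Exchange-Organization-SCL header, and the messages it parses are constructed samples.

```python
from collections import Counter
from email import message_from_string

# Constructed sample messages, stamped the way a content filter agent would
# stamp an SCL (reading it from this header is an assumption of the example).
SAMPLE_MESSAGES = [
    "From: alice@example.com\nSubject: Q3 budget\nX-MS-Exchange-Organization-SCL: -1\n\nSee attached.",
    "From: bob@example.com\nSubject: lunch?\nX-MS-Exchange-Organization-SCL: -1\n\nNoon works.",
    "From: news@example.net\nSubject: Weekly digest\nX-MS-Exchange-Organization-SCL: -1\n\nThis week...",
    "From: x1@spam.example\nSubject: CHEAP MEDS\nX-MS-Exchange-Organization-SCL: 9\n\nBuy now",
    "From: x2@spam.example\nSubject: You won\nX-MS-Exchange-Organization-SCL: 9\n\nClaim your prize",
    "From: promo@example.org\nSubject: Sale ends soon\nX-MS-Exchange-Organization-SCL: 6\n\n50% off",
    "From: ops@example.com\nSubject: internal alert\n\nNo SCL was stamped on this one.",
]

BUCKETS = ("-1", "0", "1-4", "5-8", "9", "unstamped")

def scl_of(raw_message: str):
    """Return the stamped SCL as an int, or None if the header is absent or malformed."""
    header = message_from_string(raw_message).get("X-MS-Exchange-Organization-SCL")
    if header is None:
        return None
    try:
        return int(header.strip())
    except ValueError:
        return None

def bucket_of(scl):
    """Map an SCL onto the ranges discussed in the post."""
    if scl is None:
        return "unstamped"
    if scl in (-1, 0, 9):
        return str(scl)
    if 1 <= scl <= 4:
        return "1-4"          # the post says this range should stay empty
    if 5 <= scl <= 8:
        return "5-8"          # expected to be rare
    raise ValueError(f"SCL out of range: {scl}")

def scl_distribution(messages):
    """Count messages per bucket, returning every bucket even when its count is zero."""
    counts = Counter(bucket_of(scl_of(m)) for m in messages)
    return {b: counts.get(b, 0) for b in BUCKETS}

def grey_zone_share(dist):
    """Fraction of stamped mail between SCL:0 and SCL:8; the post expects this to be small."""
    stamped = sum(v for k, v in dist.items() if k != "unstamped")
    grey = dist["0"] + dist["1-4"] + dist["5-8"]
    return grey / stamped if stamped else 0.0

if __name__ == "__main__":
    dist = scl_distribution(SAMPLE_MESSAGES)
    for b in BUCKETS:
        print(f"SCL {b:>9}: {dist[b]}")
    print(f"grey-zone share: {grey_zone_share(dist):.1%}")
```

On real traffic, feed it message headers exported from a transport log or a message-tracking pipeline rather than the constructed list, and treat a non-trivial count in the 1-4 bucket as a sign that something other than the new filter is stamping SCLs.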

You might ask about the accuracy of the engine and whether you can trust these results. Just recently, Forefront Security for Exchange running on the Beta 2 build with the new Cloudmark-based content filter was rigorously tested by West Coast Labs on live spam for 2 weeks. At the end of the test, FSE was awarded Checkmark certification as a Premium product. Throughout the testing cycle the filter maintained a detection rate of 99%.

I realize it’s quite a departure from the model and behavior we all got so used to – open the Junk E-Mail Folder in the morning and comb through the junk triaging it for potential false positives… Guess what – no more junk with the new Forefront content filter so you’ll get your time back!

Now keep in mind that this is not a silver bullet against spam. Spammers constantly find ways to penetrate through the best defenses and deliver spam. However, with our new Forefront Content Filter backed by Cloudmark’s technology with real-time response via Global Threat Network™ and advanced fingerprinting algorithms allowing for identification of spam mutations in real time, you will feel much safer and better protected from new spam outbreaks.

Alex Nikolayev

Program Manager

Forefront Server Security