Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall - Part 3: Configuring Antispam Policy

by Deb Shinder [Published on 23 Feb. 2010 / Last Updated on 20 May 2013]

What is available when configuring the anti-spam features on the TMG 2010 firewall.

If you would like to read the other parts in this article series please go to:

Introduction

In part 2 of this series on the TMG firewall’s email hygiene solution, we saw how to turn the feature on. Once enabled, it starts working right away, assuming the supporting infrastructure for the TMG email gateway is in place. In this, part 3 of the series, we take a look at what is available when configuring the anti-spam features.

Configure Spam Filtering

Click the Spam Filtering tab in the middle pane of the console. Under Configure Spam Filters you will find the following options:

  • IP Allow List: a collection of IP addresses or ranges from which messages are always accepted
  • IP Allow List Providers: the addresses of one or more DNS-based IP Allow List providers
  • IP Block List: a list of addresses or ranges from which you never want to receive mail
  • Content Filtering: blocks, rejects or quarantines email based on the content of the message
  • Recipient Filtering: controls delivery of mail based on the recipient
  • Sender Filtering: controls delivery of mail based on the sender
  • Sender ID: allows, stamps or denies mail based on the result of a Sender ID (SPF) check against the purported sending domain
  • Sender Reputation: allows or blocks senders based on a calculated sender reputation value

Let us get started by clicking on the IP Allow List option.


Figure 1

IP Allow List

In the IP Allow List dialog box, click the Allowed Addresses tab. Here you can add an address, or a range of addresses, from which you will always accept messages. To enter a single address, enter the same address in the Start and End fields.


Figure 2

IP Allow List Providers

Click the IP Allow List Providers option in the middle pane of the console. In the IP Allow List Providers dialog box, click the Providers tab. Here you can configure a list of IP Allow List Providers. Click the Add button to add an entry.


Figure 3

In the IP List Provider dialog box, you can enter the following information:

  • Provider name. A label for the provider. It is only for identification and is not used by the lookup
  • Lookup domain. The DNS domain of the IP Allow List provider. The connecting IP address is reversed and prefixed to this domain to form the query name (for example, 198.7.8.9 is looked up as 9.8.7.198.<lookup domain>)
  • Match any return code. A provider answers a query for a listed address with an A record, normally in 127.0.0.0/8, whose value is a return code describing the kind of listing. This option treats any answer as a match; the alternative is to match only specific return codes


Figure 4

IP Block List

Click the IP Block List option in the middle pane of the TMG firewall console. This brings up the IP Block List dialog box. Click the Blocked Addresses tab. Here you can click the Add button to add one or more addresses from which you never want to receive mail. Messages from those addresses will then be blocked.

Note that in the Blocked IP Address – IP Range dialog box you have the option to:

  • Never let this address expire or
  • Block until date and time

This is useful when you want to temporarily block mail from a range, for example during a spam flood, and allow delivery again once the problem has been fixed. An expiring entry also saves you from having to remember to clean up the block list later.


Figure 5

Click on the Providers tab. The Providers tab has options similar to what we saw on the IP Allow List dialog box and you make entries here in the same way.


Figure 6

The IP List Provider dialog box again is very similar to that for the IP Allow List option, showing provider name, DNS suffix and status columns. To add a provider, click the Add button.


Figure 7

If you click the Error Messages button, you will see the IP Block List Provider Error Message dialog box. This lets you set the text returned in the SMTP rejection response to a sending server whose IP address is found on that provider’s block list; the operator of that server sees it as the reason the connection was refused.


Figure 8

You can use the default error message or create a custom one; for a custom message, type the text into the text box and click OK. Because the text is shown to the operator of the rejected server, a message that names the list that caused the rejection helps a legitimate sender work out how to get delisted.
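To make the interaction between the local lists and the list providers concrete, here is an added example (not part of the original article, and not TMG or Exchange code) that builds a provider query name, interprets return codes with and without the Match any return code option, honours the block-until time on a local entry, and applies the lists in the order the Exchange connection filtering agent uses: local allow list, local block list, allow list providers, then block list providers. The provider domain bl.example.net, its answers, the sample ranges and the timestamps are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed answers for a hypothetical list provider zone (bl.example.net is
# not a real DNSBL). A provider answers the reversed-address query name with an
# A record in 127.0.0.0/8; the value is its "return code" for the listing type.
FAKE_PROVIDER_ZONE = {
    "9.8.7.198.bl.example.net": ["127.0.0.2"],      # 198.7.8.9: known spam source
    "11.10.10.10.bl.example.net": ["127.0.0.10"],   # 10.10.10.11: dynamic address pool
}

def fake_resolve(name):
    """Stand-in for a DNS A lookup; an empty list plays the role of NXDOMAIN."""
    return FAKE_PROVIDER_ZONE.get(name, [])

def dnsbl_name(ip, lookup_domain):
    """Build the query name: address labels reversed, then the provider's lookup domain."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))   # IPv6: one nibble per label
    return ".".join(reversed(labels)) + "." + lookup_domain

def provider_lists(ip, provider, resolve=fake_resolve):
    """True if the provider lists ip. provider keys: domain, match_any, codes."""
    answers = resolve(dnsbl_name(ip, provider["domain"]))
    if not answers:
        return False
    if provider.get("match_any", True):      # "Match any return code"
        return True
    return any(code in provider["codes"] for code in answers)

def entry_active(expires, now):
    """Local list entries carry an optional 'block until' time; None never expires."""
    return expires is None or now < expires

def connection_filter(ip, allow_list, block_list, allow_providers, block_providers,
                      now, resolve=fake_resolve):
    """Return ('accept' | 'reject', reason) for a connecting IP address.
    Order follows Exchange connection filtering: local allow list, local block
    list, allow list providers, block list providers. First match wins."""
    addr = ipaddress.ip_address(ip)
    for net, expires in allow_list:
        if addr in net and entry_active(expires, now):
            return "accept", f"IP Allow List entry {net}"
    for net, expires in block_list:
        if addr in net and entry_active(expires, now):
            return "reject", f"IP Block List entry {net}"
    for provider in allow_providers:
        if provider_lists(ip, provider, resolve):
            return "accept", f"allow list provider {provider['domain']}"
    for provider in block_providers:
        if provider_lists(ip, provider, resolve):
            return "reject", f"block list provider {provider['domain']}"
    return "accept", "no list matched"

# Constructed sample configuration.
NOW = datetime(2010, 2, 23, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=2)                      # after the temporary block has expired
ALLOW_LIST = [(ipaddress.ip_network("203.0.113.0/24"), None)]                       # partner, never expires
BLOCK_LIST = [(ipaddress.ip_network("198.51.100.0/24"), NOW + timedelta(days=1))]   # spam flood, block until tomorrow
ALLOW_PROVIDERS = []
BLOCK_PROVIDERS = [{"domain": "bl.example.net", "match_any": False, "codes": {"127.0.0.2"}}]

def decide(ip, now=NOW):
    """Run the sample configuration against one connecting address."""
    return connection_filter(ip, ALLOW_LIST, BLOCK_LIST, ALLOW_PROVIDERS, BLOCK_PROVIDERS, now)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "198.7.8.9", "10.10.10.11", "192.0.2.5"):
        print(ip, decide(ip))
    print("198.51.100.9 after the block expires:", decide("198.51.100.9", LATER))
```

Two things worth noticing when running it: the local allow list wins over everything, so a compromised host inside an allowed partner range is never checked against a provider, which is an argument for keeping allow entries narrow; and with match_any set to false the provider's dynamic-pool return code (127.0.0.10 here) is ignored, which is how you consume only the sub-lists you trust from a provider that aggregates several.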

Content Filtering

Click the Content Filtering option in the middle pane of the console. This brings up the Content Filtering dialog box. Click the Custom Words tab. On the Custom Words tab, click the Add button. In the Add Word or Phrase dialog box you can enter a key word or phrase that, when it appears in a message, will cause the message to be allowed or blocked. Note that there are two Add buttons in this dialog box: one to always allow when the word appears and one to always block when the word or phrase appears.


Figure 9

What if some mail must always get through even if it contains one of the key words or phrases? No problem, you just need to create an exception.

Click the Exceptions tab. Click the Add button and, in the Add E-mail address dialog box, enter the address. Note that the exceptions configured here are recipient addresses, as on the matching Exceptions tab in the Exchange Management Console: messages sent to those recipients bypass the Content Filter. Exceptions for particular senders or sender domains are set from the Exchange Management Shell with Set-ContentFilterConfig and its BypassedSenders and BypassedSenderDomains parameters.


Figure 10

Click the SCL Thresholds tab. SCL stands for Spam Confidence Level. The Content Filter agent uses Microsoft SmartScreen technology to examine each message and assign it an SCL rating from 0 to 9; the higher the number, the more likely the message is spam. The Content Filter runs after Exchange 2010’s other anti-spam agents (connection, sender, recipient and Sender ID filtering) have already been applied, which reduces the number of messages that it has to examine. For information about the order in which the anti-spam agents are applied, follow this link.

You can adjust the SCL threshold actions to suit your organization’s needs. The thresholds are the SCL values at which an action (delete, reject or quarantine) takes place.

Here you have three important options:

  • Delete messages that have an SCL rating greater than or equal to
  • Reject messages that have an SCL rating greater than or equal to
  • Quarantine messages that have an SCL rating greater than or equal to

When you enable these options, the default value is 9, which means that most messages reaching the Content Filtering stage go through to the users’ mailboxes. If, for example, you set the Delete value to 7, all messages with an SCL rating of 7 or above are deleted. The agent tests Delete first, then Reject, then Quarantine, so keep the thresholds in that order (Delete highest); a Reject threshold set above the Delete threshold could never take effect.

When messages are deleted, the sending system is not notified: the message is accepted as if it were being delivered and then silently dropped. When messages are rejected, the Content Filter returns an SMTP rejection response to the sending server during the session, so a legitimate sender at least learns that the message was refused.

Messages at or above the Quarantine threshold are not rejected; they are delivered to a quarantine mailbox address that you specify. Someone will need to check the quarantine mailbox periodically and decide what to do with the messages there.


Figure 11

If a message’s SCL is below the Delete, Reject and Quarantine thresholds, it still has to clear the mailbox’s Junk E-mail threshold: messages above that value are placed in the user’s Junk E-mail folder, where the user can review them and mark them as “not junk.” Messages at or below the Junk E-mail threshold make it to the user’s Inbox.

You don’t set the Junk E-mail threshold here; it is set per mailbox with the Set-Mailbox cmdlet in the Exchange Management Shell (the SCLJunkEnabled and SCLJunkThreshold parameters). For more about the Set-Mailbox cmdlet, follow this link.
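The following is an added example (not part of the original article, and not Exchange or TMG code) of the decision the Delete, Reject, Quarantine and Junk E-mail thresholds produce for a given SCL, including a check that catches a threshold ordering that silently disables an action. The policy values, the junk threshold of 4 and the SMTP response texts are constructed for the example; the key names merely echo the Set-Mailbox parameter names.

```python
# Constructed policy values (not the page's defaults); keys mirror the
# Set-Mailbox / Set-ContentFilterConfig parameter names.
POLICY = {
    "delete":     {"enabled": True, "threshold": 9},
    "reject":     {"enabled": True, "threshold": 7},
    "quarantine": {"enabled": True, "threshold": 6},
}
JUNK_THRESHOLD = 4          # per-mailbox SCLJunkThreshold (assumed value)

BAD_POLICY = {              # Delete below Reject: Reject can never fire
    "delete":     {"enabled": True, "threshold": 6},
    "reject":     {"enabled": True, "threshold": 7},
    "quarantine": {"enabled": False, "threshold": 9},
}

ORDER = ("delete", "reject", "quarantine")   # the order in which the agent tests them

def validate_policy(policy):
    """Return a list of problems: out-of-range values, or an enabled threshold
    that shadows a later action because it is tested first."""
    problems = []
    for action in ORDER:
        t = policy[action]["threshold"]
        if not 0 <= t <= 9:
            problems.append(f"{action} threshold {t} is outside 0-9")
    enabled = [(a, policy[a]["threshold"]) for a in ORDER if policy[a]["enabled"]]
    for (first, t1), (second, t2) in zip(enabled, enabled[1:]):
        if t1 < t2:
            problems.append(f"{first} threshold {t1} is below {second} threshold {t2}: "
                            f"{second} can never take effect")
    return problems

def content_filter_action(scl, policy=POLICY, junk_threshold=JUNK_THRESHOLD, junk_enabled=True):
    """Map a message's SCL to delete / reject / quarantine / junk / inbox."""
    if scl == -1:                      # bypass value stamped on internal and trusted mail
        return "inbox"
    for action in ORDER:               # each test is 'greater than or equal to'
        cfg = policy[action]
        if cfg["enabled"] and scl >= cfg["threshold"]:
            return action
    if junk_enabled and scl > junk_threshold:   # the junk test is strictly 'greater than'
        return "junk"
    return "inbox"

def smtp_response(action):
    """What the sending server sees. Delete and quarantine look like a normal
    accept; only reject returns an error. Response texts are constructed."""
    if action == "reject":
        return "550 5.7.1 Message rejected due to content restrictions"
    return "250 2.6.0 Queued mail for delivery"

if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY) or "none")
    print("bad policy problems:", validate_policy(BAD_POLICY))
    for scl in (-1, 0, 4, 5, 6, 7, 8, 9):
        action = content_filter_action(scl)
        print(f"SCL {scl:>2}: {action:<10} -> {smtp_response(action)}")
```

Run against BAD_POLICY, every message at SCL 7 or 8 is deleted rather than rejected, with no response to the sender, which is exactly the kind of misconfiguration the ordering check is there to catch before it reaches production.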

Recipient Filtering

You can also filter mail by recipient. Click the Recipient Filtering option in the middle pane of the TMG firewall console. This opens the Recipient Filtering dialog box. Click the Blocked Recipients tab. Here you have the option to Block messages sent to recipients not listed in the Global Address List. This rejects mail addressed to accounts that do not exist in your directory, such as guessed addresses like administrator@yourdomain.com if you never created that mailbox, and it spares the later, more expensive filters from processing that mail at all. Be aware that rejecting unknown recipients during the SMTP session lets a sender tell valid addresses from invalid ones; the tarpit interval on the Exchange receive connector slows down such directory harvest attempts.

You can also enable the Block the following recipients option. This allows you to prevent outside mail from being delivered to addresses that should only be used internally within your organization. After enabling that option, click the Add button to add the email address of each recipient you want to block.


Figure 12

Sender Filtering

You can block mail based on the sender. The Sender Filter agent acts on the SMTP envelope sender, the address given in the MAIL FROM: command (not the From: line shown in the mail client). You can block single senders, entire domains or domains with all their subdomains. It is important to note that the envelope sender is supplied by the connecting server and can be set to anything, so a spammer can circumvent sender filtering simply by using an address that is not on your list. Sender ID (discussed in the next section) lets you detect spoofed mail from domains that publish SPF records.

Click the Sender Filtering option in the middle pane of the TMG firewall console. In the Sender Filtering dialog box, click the Blocked Senders tab. Here you can click the Add button to open the Blocked sender dialog box, where you can enter the address of an individual sender, or block an entire email domain, with the option to block its subdomains too.


Figure 13

Click the Action tab and you will see that you have two options when there is a sender match:

  • Reject the message
  • Stamp the message with blocked sender and continue processing

The second option enables other components of the email solution to make decisions based on this header information. The fact that this message is marked as being from a blocked sender will be used in calculating the SCL rating.


Figure 14

Sender ID

The Sender ID agent uses the connecting server’s IP address (as recorded in the RECEIVED header) and a DNS query against the purported sending domain to verify that the IP address is authorized to send mail for that domain. The check depends on the domain owner publishing Sender Policy Framework (SPF) records in DNS; for domains that publish none, the agent cannot reach a verdict and cannot tell legitimate mail from spoofed mail. To find out more about using Sender ID, follow this link.

To configure Sender ID, click the Sender ID option in the middle pane of the TMG firewall console. Click the Action tab. Here you have three actions to choose from when the Sender ID check fails for a message:

  • Reject message
  • Stamp the message with Sender ID and continue processing
  • Delete message

When you choose Reject, the TMG firewall returns an SMTP error to the sending server. When you choose Delete, the message is discarded without informing the sending server. When the message is stamped as having failed the Sender ID check, the stamp is used by the Content Filter when it calculates the SCL rating, and downstream junk mail filtering sees it as well.


Figure 15
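The sender filtering and Sender ID sections above both turn on the difference between the envelope sender a connecting server claims and what that domain’s DNS actually authorizes. Here is an added example (not part of the original article, and not Exchange or TMG code) that extracts the domain from a MAIL FROM: command, evaluates the connecting IP against that domain’s SPF record with a constructed DNS table (ip4, ip6, include and all mechanisms; a, mx, ptr and exists are left out), guards against include loops, and maps a failed check to the three Sender ID actions. The domains, records, addresses, rejection text and the X-Example-SenderIdResult stamp header name are all assumptions made for the example.

```python
import ipaddress

# Constructed TXT records for hypothetical domains (documentation names, not real zones).
FAKE_TXT = {
    "example.com":         "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:1::/48 -all",
    "soft.example":        "v=spf1 ip4:203.0.113.5 ~all",
    "loop.example":        "v=spf1 include:loop.example -all",   # misconfigured: includes itself
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def fake_txt(domain):
    """Stand-in for a DNS TXT lookup of the SPF record; None if the domain publishes none."""
    return FAKE_TXT.get(domain)

def mail_from_domain(command):
    """Domain of the envelope sender in 'MAIL FROM:<user@domain>'; None for the null sender <>."""
    address = command.split(":", 1)[1].strip().strip("<>")
    return address.rsplit("@", 1)[1].lower() if "@" in address else None

def check_spf(ip, domain, lookup=fake_txt, depth=0):
    """Evaluate ip against domain's SPF record.
    Returns pass, fail, softfail, neutral, none (no record) or permerror."""
    if depth > 10:                                   # guard against include loops
        return "permerror"
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                              # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif term.startswith("include:"):
            sub = check_spf(ip, term[8:], lookup, depth + 1)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":                        # include matches only on 'pass'
                return result
        # a, mx, ptr and exists need further DNS lookups and are omitted here
    return "neutral"

def sender_id_decision(ip, mail_from, on_fail="stamp"):
    """Apply one of the three actions (reject, delete, stamp) to a failing
    check; any other result is stamped and processing continues."""
    domain = mail_from_domain(mail_from)
    result = check_spf(ip, domain) if domain else "none"
    if result == "fail" and on_fail == "reject":
        return result, "550 5.7.1 Sender ID check failed for " + domain   # constructed text
    if result == "fail" and on_fail == "delete":
        return result, "250 OK (message silently discarded)"
    return result, f"X-Example-SenderIdResult: {result}; continue processing"

if __name__ == "__main__":
    cases = [("192.0.2.25", "MAIL FROM:<ceo@example.com>"),      # authorized range
             ("198.51.100.10", "MAIL FROM:<ceo@example.com>"),   # authorized via include
             ("203.0.113.99", "MAIL FROM:<ceo@example.com>"),    # spoofed
             ("203.0.113.99", "MAIL FROM:<news@soft.example>"),  # softfail
             ("203.0.113.99", "MAIL FROM:<x@nospf.example>")]    # no record published
    for ip, cmd in cases:
        print(ip, cmd, "->", sender_id_decision(ip, cmd, on_fail="reject"))
```

The last case is the caveat from the text in code form: a domain with no SPF record yields "none", so the spoofed message is only stamped and goes on to the Content Filter, whatever action you configured for failures.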

Sender Reputation

Sender Reputation uses information gathered about the sender, such as analysis of the HELO/EHLO it presents, a reverse DNS lookup of its IP address, the SCL ratings of the messages it has sent so far, and the open proxy test described below, to calculate a Sender Reputation Level (SRL). To configure Sender Reputation, click the Sender Reputation option in the middle pane of the TMG firewall console.

The Sender Reputation Level works much like the Spam Confidence Level: a value from 0 to 9 is calculated for each sender, and you configure a threshold at or above which the sender is blocked from sending messages into the organization. The sender’s IP address is then added to the IP Block List, and you can configure how long it stays there.

In the Sender Reputation dialog box, click on the Sender Confidence tab. Here you have the option to Perform an open proxy test when determining sender confidence level.

This is an interesting option. The test tries to use the sending host as a proxy to connect back to the TMG firewall itself, over the protocols that open proxies commonly expose (SOCKS, HTTP CONNECT and similar) as well as SMTP. If the connection back succeeds, the sending host is an open proxy or open relay. Open relays can be used by spammers to send spam to any email domain in the world, and a message that arrived through one should immediately raise a red flag, since nothing about where it claims to come from can be trusted.

You typically see open relays and proxies when someone misconfigures a server, or when a machine has been infected with malware that acts as a proxy or SMTP relay. In either case you do not want to be receiving mail from it, so you should leave this option enabled. Keep in mind that the test makes outbound connections from the firewall to the sending host, so the firewall needs outbound access on the ports involved, and the remote operator may notice the probes in their own logs.


Figure 16
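As an added example of the idea behind the open proxy test (not part of the original article, and not the test Exchange actually runs, which probes proxy protocols rather than speaking SMTP), here is an SMTP open-relay probe run against two scripted, in-memory servers: one that relays for anyone and one that refuses recipients outside the domains it hosts. The probe asks the suspect host to accept a recipient it does not serve and resets the transaction before DATA, so no message is ever injected. The host names, addresses, domain names and server replies are constructed for the example.

```python
OUR_DOMAIN = "probe.example"                 # the probing gateway's own domain (assumption)
PROBE_FROM = "relaytest@probe.example"       # envelope sender used for the probe
PROBE_TO = "relaytest@probe.example"         # a recipient the suspect host does not serve

class ScriptedSmtpServer:
    """In-memory stand-in for the suspect host's SMTP service (constructed, not a real server)."""

    def __init__(self, local_domains, open_relay):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.greeted = False
        self.sender = None
        self.transcript = ["S: 220 mail.suspect.example ESMTP"]

    def send(self, line):
        """Handle one client command and return the server's reply line."""
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            reply = "250 mail.suspect.example Hello"
        elif verb == "MAIL" and self.greeted:
            self.sender = arg
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT" and self.sender is not None:
            rcpt_domain = arg.split("@")[-1].rstrip(">").lower()
            if rcpt_domain in self.local_domains or self.open_relay:
                reply = "250 2.1.5 Recipient OK"
            else:
                reply = "550 5.7.1 Unable to relay"     # what a properly configured server says
        elif verb == "RSET":
            self.sender = None
            reply = "250 2.0.0 Resetting"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "503 5.5.1 Bad sequence of commands"
        self.transcript.append("S: " + reply)
        return reply

def probe_open_relay(server, probe_from=PROBE_FROM, probe_to=PROBE_TO):
    """Return True if the host accepts RCPT TO for a domain it does not host.
    The transaction is reset before DATA, so nothing is ever delivered."""
    server.send(f"EHLO {OUR_DOMAIN}")
    server.send(f"MAIL FROM:<{probe_from}>")
    reply = server.send(f"RCPT TO:<{probe_to}>")
    server.send("RSET")
    server.send("QUIT")
    return reply.startswith("250")

if __name__ == "__main__":
    for label, relay in (("open relay", True), ("hardened server", False)):
        server = ScriptedSmtpServer(["suspect.example"], open_relay=relay)
        verdict = probe_open_relay(server)
        print(f"{label}: open relay = {verdict}")
        print("\n".join("  " + line for line in server.transcript))
```

To run this against a real host you would replace ScriptedSmtpServer with a thin socket wrapper that writes each line followed by CRLF and reads the reply. Two limitations apply to any probe of this kind: a server that accepts every RCPT TO and only rejects at DATA time looks open when it is not, and a host that relays only for source addresses it trusts will not reveal that to a probe from elsewhere.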

When configuring the thresholds, the best approach is to start with the default values and then lower the block threshold gradually, which makes blocking more aggressive, until you start to see false positives; at that point raise it back a step.

Note that you also have a customizable Threshold Action. This value sets how long the sending SMTP server stays blocked before mail is accepted from it again. That gives you some flexibility, because the problem at the sender is often temporary and you do not want to block it permanently.


Figure 17

Summary

In this, part 3 of our article series on the TMG firewall’s email hygiene solution, we went over the configuration options available for fine tuning the spam blocking feature. There are a number of options, and not all of them need configuration. The most useful ones are related to Sender Reputation, Recipient Filtering and Content Filtering. The vast majority of spam is sent from well-known spam sources, so blocking mail based on sender reputation is a powerful method for eliminating over 95% of the spam messages you receive. Recipient filtering is also effective, because spammers send a large amount of spam to email addresses that do not exist in your organization, and rejecting those during the SMTP session costs very little. Finally, the content filtering feature performs a more expensive analysis of the message itself to arrive at an SCL value, which is especially useful when the sending server is a hijacked desktop computer that is part of a botnet and has no reputation history yet. In the next part in this series, we will take a look at the virus and content filtering options. See you then! – Deb.


The Author — Deb Shinder


DEBRA LITTLEJOHN SHINDER, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.

