Thursday, 24 October 2013

EXCHANGE 2010: Filtering spam with Exchange 2010 and Forefront Protection for Exchange 2010

In an Exchange 2010 e-mail infrastructure, protection against spam should be thought of as the following layers:



- In the perimeter network: the servers holding the Edge Transport role are configured with whichever anti-spam filters you want enabled, so that messages that get discarded never enter the organisation at all.


- In the internal network: it can also be worth configuring this protection here, in infrastructures that are linked to other internal mail organisations which tend to have security flaws that let external parties send spam through them.

- In the user's mailbox: through the Microsoft Outlook client or OWA, the user can apply additional filtering on top of what the mail servers do. Essentially the Microsoft SmartScreen filter analyses the mail arriving in the Inbox and acts on it according to the user's configuration.






With Forefront or without Forefront?


Exchange 2010 already provides certain filters that let us protect ourselves; optionally, we can also install Forefront Protection for Exchange 2010 (the new version of our old friend Microsoft Antigen 9.0), a product that gives us better and more advanced filtering than what Exchange ships with by default.

Below I explain in detail how filtering is done in an Exchange 2010 infrastructure without Forefront and with Forefront.


Filtering detail in an Exchange 2010 infrastructure without Forefront


- Perimeter network: the filters (agents) that Exchange 2010 installs with the Edge Transport role are enabled; you can identify them in the Exchange 2010 management console itself:

As a summary, here is what each one does:





When a message enters our Edge server, the agents run in this order:



- Internal network: as extra protection, enable the



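The three layers described above, as an added example that is not code from the original post: the Exchange Management Shell commands that install the anti-spam agents on an internal Hub Transport server (they are only present by default on the Edge Transport role), list the agents in the order they run, and configure each filter the post names. The cmdlets are Exchange 2010's own; the SCL thresholds, the DNS block-list provider, the quarantine mailbox address and the attachment rule are illustrative assumptions that you should tune for your organisation.

```powershell
# Added example for the layers described in the post; not code from the original
# page. Run in the Exchange Management Shell of an Exchange 2010 transport server.
# Thresholds, the block-list provider, the quarantine mailbox and the attachment
# rule are illustrative assumptions: tune them for your organisation.

# --- Internal layer: Hub Transport servers do not get the anti-spam agents by
#     default; Exchange ships a script that installs them. The transport service
#     must be restarted afterwards.
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport

# --- Agent order: a lower Priority value runs first, so this shows the sequence
#     the post describes (Connection Filtering Agent first).
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize

# --- Connection filtering: add a DNS block-list provider (Spamhaus ZEN is the
#     assumed example) and only apply it to mail from external senders.
Add-IPBlockListProvider -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' -AnyMatch $true
Set-IPBlockListProvidersConfig -Enabled $true -ExternalMailEnabled $true -InternalMailEnabled $false

# --- Sender filtering: reject (do not merely stamp) blocked senders and an empty MAIL FROM.
Set-SenderFilterConfig -Enabled $true -BlankSenderBlockingEnabled $true -Action Reject

# --- Recipient filtering: reject RCPT TO for addresses that do not exist in AD.
#     Rejecting at the perimeter also avoids generating NDRs to spoofed senders.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# --- Sender ID: reject when the PRA domain's SPF record fails for the sending IP.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject -ExternalMailEnabled $true

# --- Content filter: reject at SCL 9, quarantine SCL 7-8 in the assumed
#     quarantine mailbox so false positives can be released; never silently delete.
Set-ContentFilterConfig -Enabled $true `
    -SCLRejectEnabled $true -SCLRejectThreshold 9 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -SCLDeleteEnabled $false `
    -QuarantineMailbox 'spamquarantine@contoso.com'
# Lower-SCL mail is still stamped; this organisation-wide threshold sends it to
# the Junk E-mail folder on the Mailbox server instead of the Inbox.
Set-OrganizationConfig -SCLJunkThreshold 4

# --- Sender reputation: block senders whose SRL exceeds 7, for 24 hours.
Set-SenderReputationConfig -Enabled $true -SenderBlockingEnabled $true `
    -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# --- Attachment filter (Edge Transport role only): strip executables, deliver the rest.
Add-AttachmentFilterEntry -Name '*.exe' -Type FileName
Set-AttachmentFilterListConfig -Action Strip

# --- Safelist aggregation: copy users' Outlook Safe Senders lists to AD so the
#     Edge content filter lets trusted senders through without scoring them.
Get-Mailbox -ResultSize Unlimited | Update-Safelist
```

Two points worth checking after running this: `Get-TransportAgent` should show the Connection Filtering Agent with the lowest priority value and the Content Filter Agent after Sender ID, matching the order described in the post; and the quarantine mailbox must actually exist, otherwise quarantined mail is lost rather than held. Keep `SCLDeleteEnabled` off unless you have watched the quarantine for a while and trust the scoring.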
Exchange 2010 infrastructure + Forefront Protection for Exchange 2010



The anti-spam and antivirus filters are applied in the following order. For more information, see Understanding Anti-Spam and Antivirus Mail Flow.
  • Connection filtering    Connection filtering inspects the IP address of the remote server that is trying to send messages to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a byproduct of the underlying TCP/IP connection that is required for the Simple Mail Transfer Protocol (SMTP) session. Connection filtering uses a variety of IP Block lists, IP Allow lists, as well as IP Block Providers services or IP Allow Provider services to determine whether the connection from the specific IP should be blocked or should be allowed in the organization.
  • Sender filtering   Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains who are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message.
  • Recipient filtering   Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message is not permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message is not addressed to valid recipients, the message can be rejected at the organization's network perimeter.
  • Sender ID   Sender ID relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to determine whether the sender is spoofed or not. PRA is calculated based on the following message headers:
    • Resent-Sender:
    • Resent-From:
    • Sender:
    • From:
    For more information about the PRA, see Understanding Sender ID and RFC 4407.
  • Content filtering   Content filtering uses Microsoft SmartScreen technology to assess the contents of a message. Intelligent Message Filter is the underlying technology of Exchange content filtering. Intelligent Message Filter is based on patented machine-learning technology from Microsoft Research. During its development, Intelligent Message Filter learned distinguishing characteristics of legitimate e-mail messages and spam. Regular updates with Microsoft Anti-spam Update Service ensure that the most up-to-date information is always included when the Intelligent Message Filter runs. Based on the characteristics of millions of messages, Intelligent Message Filter recognizes indicators of both legitimate messages and spam messages. Intelligent Message Filter can accurately assess the probability that an inbound e-mail message is either a legitimate message or spam.
    Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for messages that are identified as spam and that should not be delivered to a user mailbox inside the organization.
    Content filtering also acts on the safelist aggregation feature. Safelist aggregation collects data from the anti-spam safe lists that Microsoft Outlook and Office Outlook Web Access users configure and makes this data available to the Content Filter agent on the computer that has the Edge Transport server role installed in Exchange 2010.
    When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail messages that Outlook users receive from contacts or that those users have added to their Outlook Safe Senders List or have trusted are identified by the Content Filter agent as safe. The result is that messages that are identified as safe are not classified as spam and unintentionally filtered out of the messaging system.
  • Sender reputation   Sender reputation relies on persisted data about the IP address of the sending server to determine what action, if any, to take on an inbound message. The Protocol Analysis agent is the underlying agent that implements the sender reputation functionality. A sender reputation level (SRL) is calculated from several sender characteristics that are derived from message analysis and external tests.
    Senders whose SRL exceeds a configurable threshold will be temporarily blocked. All their future connections are rejected for up to 48 hours.
    In addition to the locally calculated IP reputation, Exchange 2010 also takes advantage of IP Reputation anti-spam updates, available via Microsoft Update, which provide sender reputation information about IP addresses that are known to send spam.
  • Attachment filtering   Attachment filtering filters messages based on attachment file name, file name extension, or file MIME content type. You can configure attachment filtering to block a message and its attachment, to strip the attachment and allow the message to pass through, or to silently delete the message and its attachment.
  • Microsoft Forefront Security for Exchange Server   Forefront Security for Exchange Server is an antivirus software package that is tightly integrated with Exchange 2010 and offers antivirus protection for the Exchange environment. The antivirus protection that is provided by Forefront Security for Exchange Server is language independent. However, the setup, administration of the product, and end-user notifications are available in 11 server languages. For more information, see Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server.
  • Outlook Junk E-mail filtering   The Outlook Junk E-Mail Filter uses state-of-the-art technology to evaluate whether a message should be treated as a junk e-mail message based on several factors, such as the time that the message was sent and the content and structure of the message, and the metadata collected by the Exchange Server anti-spam filters. Messages caught by the filter are moved to a special Junk E-mail folder, where the recipient can access them later.
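The Purported Responsible Address selection the Sender ID bullet describes, as an added example that is not code from the original post or from Exchange: a PowerShell function that picks the PRA from a list of header lines using the four-header precedence given above (Resent-Sender, Resent-From, Sender, From), and returns the domain whose SPF record Sender ID would check against the connecting IP. It is a simplified reading of RFC 4407 (only the first Resent block is considered and quoted display names containing commas are not handled); the function name and the sample headers are constructed for the example.

```powershell
# Added example, not code from the original post or from Exchange. It applies the
# PRA header precedence quoted above (RFC 4407) to a list of header lines and
# returns the address whose domain Sender ID would check against the sending IP.
# Simplification (assumption): only the first Resent block is considered and a
# quoted display name containing a comma is not handled.
function Get-PurportedResponsibleAddress {
    param([Parameter(Mandatory)][string[]]$HeaderLines)

    # The first header present in this order wins (header names are matched
    # case-insensitively, as -match does by default).
    $precedence = 'Resent-Sender', 'Resent-From', 'Sender', 'From'
    foreach ($name in $precedence) {
        $line = $HeaderLines | Where-Object { $_ -match "^${name}:" } | Select-Object -First 1
        if (-not $line) { continue }

        $value = ($line -replace "^${name}:\s*", '').Trim()

        # RFC 4407: a From: with several mailboxes and no Sender: yields no PRA.
        if ($name -eq 'From' -and ($value -split ',').Count -gt 1) { return $null }

        # Keep only the addr-spec when a display name is present.
        $address = if ($value -match '<([^>]+)>') { $Matches[1] } else { $value }
        return [pscustomobject]@{
            Header  = $name
            Address = $address
            Domain  = ($address -split '@')[-1].ToLower()
        }
    }
    return $null
}

# Constructed headers: the visible From: claims the CEO's domain, but the message
# was submitted through a bulk mailer that adds its own Sender: header.
$spoofed = @(
    'From: "The CEO" <ceo@contoso.com>',
    'Sender: campaign@bulkmailer.example',
    'To: finance@contoso.com',
    'Subject: Urgent wire transfer'
)
$pra = Get-PurportedResponsibleAddress -HeaderLines $spoofed
'PRA from {0}: {1}  ->  SPF domain checked: {2}' -f $pra.Header, $pra.Address, $pra.Domain

# Same message without Sender: now the From: domain is what gets checked, so a
# forged From: whose SPF record does not list the sending IP fails Sender ID.
$pra2 = Get-PurportedResponsibleAddress -HeaderLines ($spoofed | Where-Object { $_ -notlike 'Sender:*' })
'PRA from {0}: {1}  ->  SPF domain checked: {2}' -f $pra2.Header, $pra2.Address, $pra2.Domain
```

The first call returns the Sender: address, so the SPF lookup is against bulkmailer.example rather than contoso.com; that is why a bulk mailer that adds its own Sender: header can pass Sender ID while still showing a forged From: to the user. Once the PRA domain is known, the Edge server's own verdict for a given connecting address can be reproduced with Exchange's `Test-SenderId -IPAddress <sending IP> -PurportedResponsibleDomain <domain>`.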






  • Connection Filtering—FPE examines the IP address of the original sender. FPE has user configurable static IP block and allow lists and a dynamic DNS block list maintained by Microsoft that can filter up to 90% of spam e-mail. For more information, see Using connection filtering.
  • Sender Filtering—FPE examines the SMTP sender information. This filter enables administrators to configure allowed and blocked senders by domains and e-mail addresses. For more information, see Configuring sender filtering.
  • Sender ID Filtering—FPE uses a Sender ID framework to validate that the sender is not spoofing the identity of another sender. For more information, see Configuring sender ID filtering.
  • Recipient Filtering—FPE can also be configured to allow and block e-mail messages to certain recipients in your organization. In addition, FPE has the capability, through Active Directory Domain Services queries, to validate that the recipient exists in the company's Active Directory Domain Services. For more information, see Configuring recipient filtering.
  • Content Filtering—FPE also examines the content of the message itself, including subject line and the message body. FPE uses a third-party antispam engine to scan all e-mail for spam. For more information, see Configuring content filtering.
  • Backscatter Filtering—FPE includes new technology that enables administrators to prevent false Non-Delivery Reports (NDR) generated from spoofed sender addresses from entering their environment. For more information, see Configuring backscatter filtering.



