Enable Built-in Anti-Spam Agents in Exchange 2010

Exchange 2010 comes with built-in anti-spam agents that you can enable to tackle spam email. The anti-spam agents are available on the Edge Transport and Hub Transport server roles. This article shows the steps to enable the built-in anti-spam agents in Exchange 2010 on a Hub Transport server.


When you install Exchange Server 2010, the anti-spam agents are not enabled by default. To enable them, log on to the Hub Transport server and open the Exchange Management Shell. Go to the %SystemDrive%\Program Files\Microsoft\Exchange Server\V14\Scripts folder and run the .\install-AntispamAgents.ps1 script. The script is placed in the Scripts folder automatically when you install Exchange Server.

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\install-AntispamAgents.ps1


Now restart the Transport service. Use the following cmdlet to restart the Exchange Transport service:

[PS] C:\>Restart-Service MSExchangeTransport

To check that all the agents are installed and enabled, run Get-TransportAgent.

 

Before configuring any anti-spam agents, you must specify the internal SMTP servers. To do so, run the following cmdlet with the internal IP addresses of the Exchange servers running the Hub Transport server role.

[PS] C:\>Set-TransportConfig -InternalSMTPServers 192.168.1.21,192.168.1.22

To view the configuration, use the Get-TransportConfig cmdlet:

[PS] C:\>Get-TransportConfig | Select InternalSMTPServers
InternalSMTPServers
-------------------
{192.168.1.21, 192.168.1.22}
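The checks above can be combined into one post-install test. This is an added example, not part of the original article: the function name Test-AntiSpamBaseline is hypothetical, the agent names are the ones the install script registers on a Hub Transport server, and the fallback data is constructed so the logic also runs outside the Exchange Management Shell.

```powershell
# Added example (not the article's code): checks the result of the steps above.
# Agent names are the ones the install script registers on a Hub Transport server.
$ExpectedAgents = 'Connection Filtering Agent', 'Content Filter Agent', 'Sender Id Agent',
                  'Sender Filter Agent', 'Recipient Filter Agent', 'Protocol Analysis Agent'

function Test-AntiSpamBaseline {
    param(
        [object[]]$Agents,           # objects with Identity and Enabled (Get-TransportAgent)
        [string[]]$InternalServers   # InternalSMTPServers rendered as strings
    )
    $findings = @()
    foreach ($name in $ExpectedAgents) {
        $agent = @($Agents | Where-Object { [string]$_.Identity -eq $name })
        if ($agent.Count -eq 0) {
            $findings += "MISSING  : $name"
        } elseif (-not $agent[0].Enabled) {
            $findings += "DISABLED : $name"
        }
    }
    # Sender ID and connection filtering skip the addresses in this list to find the
    # real sending host; if it is empty, an internal relay can be mistaken for the sender.
    if (-not $InternalServers) { $findings += 'InternalSMTPServers is empty' }
    return ,$findings
}

if (Get-Command Get-TransportAgent -ErrorAction SilentlyContinue) {
    # Live data when run inside the Exchange Management Shell
    $agents  = Get-TransportAgent
    $servers = @((Get-TransportConfig).InternalSMTPServers | ForEach-Object { "$_" })
} else {
    # Constructed sample: one agent disabled, no internal servers configured
    $agents = $ExpectedAgents | ForEach-Object {
        New-Object PSObject -Property @{ Identity = $_; Enabled = ($_ -ne 'Sender Id Agent') }
    }
    $servers = @()
}

$result = Test-AntiSpamBaseline -Agents $agents -InternalServers $servers
if ($result.Count -eq 0) { 'Anti-spam baseline OK' } else { $result }
```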

Now you can configure each anti-spam agent from the Exchange Management Console. Expand Organization Configuration and select Hub Transport. You will see a new tab named Anti-spam. This tab is visible only after you run the script to enable the anti-spam agents. Select the Anti-spam tab to see all the anti-spam agents.

You will also see two anti-spam agents in Server Configuration. Expand Server Configuration and select Hub Transport. Select the Hub Transport server, and you will see a new Anti-spam tab there as well.


When you enable the anti-spam agents on a Hub Transport server, the following agents are installed. They run in the order listed below. Let's configure each one of them.

  1. Connection filtering: When a sending SMTP server establishes a connection with our Exchange server, the connection filtering agent compares the source IP of the external server against the block list and the allow list. If the sender's IP is in the allow list, the connection is allowed; otherwise it is blocked. Connection filtering has the following agents:
    • IP Block list: To manually add one or more IP addresses to the block list, use the following cmdlet in EMS:
      [PS] C:\> Add-IPBlockListEntry -IPAddress 2.2.2.2
      #To Disable IP Block List agent:
      [PS] C:\>Set-IPBlockListConfig -Enabled $False
      #To View list of blocked IP: 
      [PS] C:\>Get-IPBlockListEntry
    • IP Allow list: To manually add one or more IP addresses to the allow list, use the following cmdlet in EMS:
      [PS] C:\> Add-IPAllowListEntry -IPAddress 2.2.2.2
      #To Disable IP Allow List agent: 
      [PS] C:\>Set-IPAllowListConfig -Enabled $False
      #To view list of allowed IP:
      [PS] C:\>Get-IPAllowListEntry
    • IP Block List providers: Instead of manually adding lists of allowed or blocked IP addresses, you can use a block list provided by a third-party service such as Spamhaus, Surriel or SORBS. Use the following cmdlets to set up block lists from these providers, each with its own rejection response.
      [PS] C:\>Add-IPBlockListProvider -Name "Spamhaus" -LookupDomain "zen.spamhaus.org" -AnyMatch $True -Enabled $True -RejectionResponse "Your IP is on the spamhaus.org block list"
      [PS] C:\>Add-IPBlockListProvider -Name "Surriel" -LookupDomain "psbl.surriel.com" -AnyMatch $True -Enabled $True -RejectionResponse "Your IP is on the Surriel block list"
      [PS] C:\>Add-IPBlockListProvider -Name "SORBS" -LookupDomain "dnsbl.sorbs.net" -AnyMatch $True -Enabled $True -RejectionResponse "Your IP is on the SORBS block list"
      #To view the list of block list providers configured, 
      [PS] C:\>Get-IPBlockListProvider
      Name             LookupDomain               Priority
      ----             ------------               --------
      Spamhaus         zen.spamhaus.org           1
      Surriel          psbl.surriel.com           2
      SORBS            dnsbl.sorbs.net            3
      
      #To test the block list provider, use following cmdlets, 
      [PS] C:\>Test-IPBlockListProvider -Identity SpamHAUS -IPAddress 2.2.2.2
      RunspaceId      : 92fdd738-9841-4cf8-a92e-79daf93db723
      Provider        : Spamhaus
      ProviderResult  : {}
      Matched         : False
    • IP Allow List providers: Similar to an IP block list provider, you can use an IP allow list from a third-party provider, such as dnswl.org and others.
  2. Content filtering: You can use content filtering to allow or block messages based on words or phrases contained in the email message. For example, you can block emails containing the word ‘viagra’, and so on. Content filtering also filters messages based on Spam Confidence Level (SCL). Messages are rated with an SCL from 0 to 9. Messages with an SCL above 6 are considered spam, suspicious or harmful. To enable Content filtering:
    [PS] C:\> Set-ContentFilterConfig -Enabled $true
    #To disable Content filtering, pass $false instead:
    [PS] C:\> Set-ContentFilterConfig -Enabled $false

    #Enable Content filtering for external messages. Enabling content filtering for messages generated by internal servers is not recommended, as it can produce false positives.

    [PS] C:\> Set-ContentFilterConfig -ExternalMailEnabled $true

    # Block messages containing the phrase/word ‘viagra’

    [PS] C:\> Add-ContentFilterPhrase -Phrase "viagra" -Influence BadWord

    # Use Get-ContentFilterPhrase cmdlet to view list of blocked or allowed phrases

    [PS] C:\>Get-ContentFilterPhrase
    RunspaceId : 92fdd738-9841-4cf8-a92e-79daf93db723
    Influence : BadWord
    Phrase : viagra
    Identity : viagra
    IsValid : True

    If you open the properties of Content Filtering and click the Action tab, you can see options to delete, reject or quarantine messages based on their SCL rating.

  3. Sender ID filtering: Sender ID filtering verifies whether the source SMTP server that a message comes from is an authoritative server for the sender's domain. It does so by using an SPF (Sender Policy Framework) DNS lookup, checking whether the sender's IP address is listed in the SPF record. For example, if user@gmail.com sends an email to bgiri@mustbegeek.com, our Exchange server performs a DNS SPF lookup and checks whether the source/sender IP address is listed in the SPF record.

    If you open the properties of Sender ID filtering, you have options to reject the message, delete it, or stamp it and continue processing.
  4. Sender filtering: Sender filtering blocks messages from specific senders, email addresses, or domain names. You also have the option to block messages that don’t have sender information.
  5. Recipient filtering: Recipient filtering checks whether the recipient is valid. Spammers often send thousands of emails to random recipients, so this filter drops messages sent to unknown recipients or recipients that don’t exist at all. You can also specify recipients for whom incoming messages are blocked.
  6. Sender reputation: Sender reputation level (SRL) is a value that the Sender Reputation agent calculates based on tests that it performs on received messages. The test results are stored in a database called Pasetting.edb in \TransportRoles\Data\Senderreputation. The SRL is calculated from the test results gathered by the Sender Reputation agent and is a number between 0 and 9. A value of 4 means the sender is neutral, above 4 the sender is likely to be a spammer, and below 4 the sender is considered safe. You can also use the Get-SenderReputationConfig cmdlet to view more information about Sender reputation filtering.
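How an IP Block List provider lookup from item 1 is formed and read, as an added example that is not part of the original article. The function names Get-DnsblQueryName and Test-DnsblListing are hypothetical, the resolver answers are constructed for an offline run, and the example handles IPv4 only.

```powershell
# Added example (not the article's code): the DNS query behind a block list provider.
function Get-DnsblQueryName {
    param([string]$IPAddress, [string]$LookupDomain)
    $octets = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ($octets.Length -ne 4) { throw 'This example handles IPv4 only' }
    [array]::Reverse($octets)                  # 192.0.2.10 -> 10.2.0.192
    return (($octets -join '.') + '.' + $LookupDomain)
}

function Test-DnsblListing {
    param(
        [string]$IPAddress,
        [string]$LookupDomain,
        # Injectable resolver so the logic can be run without DNS access
        [scriptblock]$Resolver = { param($n) [System.Net.Dns]::GetHostAddresses($n) }
    )
    $name = Get-DnsblQueryName $IPAddress $LookupDomain
    try   { $answers = @(& $Resolver $name | ForEach-Object { "$_" }) }
    catch { $answers = @() }   # lookup failed (NXDOMAIN or resolver error): treated as not listed
    # Some providers (Spamhaus documents this) answer 127.255.255.x to report a
    # query problem, such as a query sent through a public resolver, not a listing.
    $real = @($answers | Where-Object { $_ -notlike '127.255.255.*' })
    New-Object PSObject -Property @{
        Query         = $name
        Answers       = $answers -join ','
        AnyMatchHit   = ($answers.Count -gt 0)   # any answer at all, as with -AnyMatch $True
        ActualListing = ($real.Count -gt 0)
    }
}

# Constructed answers for an offline run; 127.0.0.2 is the conventional DNSBL test entry
$sample = {
    param($n)
    switch ($n) {
        '2.0.0.127.zen.spamhaus.org'   { '127.0.0.2' }         # listed
        '9.113.0.203.zen.spamhaus.org' { '127.255.255.254' }   # error code, not a listing
        default                        { throw 'NXDOMAIN' }
    }
}

'127.0.0.2', '203.0.113.9', '192.0.2.10' | ForEach-Object {
    Test-DnsblListing -IPAddress $_ -LookupDomain 'zen.spamhaus.org' -Resolver $sample
} | Format-Table Query, Answers, AnyMatchHit, ActualListing -AutoSize
```

Omit -Resolver to query live DNS from the Exchange server itself; a row where AnyMatchHit is True but ActualListing is False means the provider is returning an error code that a provider configured with -AnyMatch $True would treat as a match.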

In this way you can enable and configure Anti-Spam agents in Exchange 2010.

 

 

Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork . Follow Bipin Giri on Google+. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.