Quarantine in Exchange Server IMF

 

Exchange 2003 IMF and the Exchange 2007 Content Filter each have their own quarantine functionality. In Exchange 2003 you can quarantine emails into an archive directory. You can then use one of the freely available archive viewers to release emails. This is a little fiddly to do.

 

Exchange 2007 provides quarantine by routing blocked emails to a central mailbox.

 

In addition, both versions support routing emails to the user's Junk Email folder. In this manner users can review filtered spam on their own. In order to release the email, more configuration is required.

The disadvantages of quarantining spam inside Exchange or in user mailboxes are as follows:

– Once in the Exchange server the spam has already wasted processing resources. There may be many thousands of spam emails!

– Once in the Exchange server the spam has already wasted storage resources

– If using a central quarantine, the admin has to manually review and release spam using limited tools to browse the quarantine and identify the spam vs non spam email

– If spam goes to user mailboxes then the administrator cannot easily mass-delete blocked spam for users

– If spam goes to user mailboxes then the administrator cannot easily add specific block and reject rules based on the blocked spam to prevent similar spam from even arriving in the quarantine in future.

– If spam goes to user mailboxes then the users may inadvertently trigger malware or scripts or open attachments in the spam email and infect their machines. Any images shown in the spam may track their viewing of the spam and notify the spammer that the email address is active.

So it seems it's best to keep spam (as email) away from user mailboxes and quarantine it outside of Exchange.

Hexamail Guard allows you to quarantine spam BEFORE it reaches Exchange. The advantages of this approach:

– Eliminate processing and storage requirements on Exchange.

– The Administrator can review spam in large volumes, grouped by subject, block rule, country code, IP address etc.

– The Administrator can perform batch operations such as deleting all spam of a similar nature

– The Administrator can perform batch operations such as releasing all nonspam of a similar nature

– The Administrator can use blocked spam to set up new rules to automatically reject or delete future spam before it is even quarantined

– The Administrator can whitelist nonspam senders so that in future they are never blocked.

– Users can review their spam using a web interface that is entirely safe: only the text of the email is rendered, so no scripts or attachments can be triggered.

– Users can whitelist non spam senders for their specific account so that they will receive email from those senders unhindered in future.

– Users on restricted bandwidth (such as mobile devices) don’t have to waste time downloading spam email. They can review the headers and delete or accept email in a fully responsive web app.

Some of the features of the administrator spam quarantine are shown here

[Screenshots: antispam quarantine, batch action]

Challenge Response in Exchange

Challenge–response is another technique for filtering spam. It automatically replies to email from new senders with a “challenge” to the (alleged) sender of the e-mail. The reply contains a link allowing the sender to verify that they did in fact send the email. They may be asked to enter a captcha to prove that they are a human and not a robot.

The advantage of this system is that senders add themselves to a whitelist by verifying that they sent the email, so email from the same sender is never challenged again. The technique can be used to block a lot of Exchange Server spam. The only disadvantage is that email such as newsletters and other mail-shot/group/list email may be challenged, and the challenge is then sent to an automated script that cannot verify. In these cases a good challenge-response system ALSO quarantines the incoming email to allow the recipient to release (and whitelist) it.
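The flow described above, sketched as an added example (this is not Hexamail's code or configuration): unknown senders are held in quarantine and challenged once, a valid link token whitelists them and releases their mail, and the recipient can release list mail by hand. The class, method names, HMAC token scheme and demo secret are assumptions made for illustration; the captcha step is not modelled.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site secret, random in practice


class ChallengeResponse:
    def __init__(self, secret=SECRET):
        self.secret = secret
        self.whitelist = set()   # senders that verified or were released
        self.quarantine = {}     # sender -> list of held message ids

    def _token(self, sender):
        # Token embedded in the challenge link; only the server can compute it.
        return hmac.new(self.secret, sender.encode(), hashlib.sha256).hexdigest()

    def receive(self, sender, msg_id):
        """Return ('deliver', None) or ('hold', token-or-None)."""
        sender = sender.lower()
        if sender in self.whitelist:
            return "deliver", None
        first = sender not in self.quarantine
        self.quarantine.setdefault(sender, []).append(msg_id)
        # Challenge only the first held message, not every later one.
        return "hold", (self._token(sender) if first else None)

    def verify(self, sender, token):
        """Sender followed the link: whitelist them and release held mail."""
        sender = sender.lower()
        expected = self._token(sender).encode()
        if not hmac.compare_digest(token.encode(), expected):
            return []
        self.whitelist.add(sender)
        return self.quarantine.pop(sender, [])

    def release(self, sender):
        """Recipient releases quarantined mail (e.g. a newsletter) and whitelists."""
        sender = sender.lower()
        self.whitelist.add(sender)
        return self.quarantine.pop(sender, [])
```
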

Microsoft Exchange does not by default support Challenge Response. It can be added using options in Hexamail Guard or Hexamail Nexus, which can filter and challenge email before it gets to Exchange. Both products also feature a quarantine allowing users to release email such as newsletters that may inadvertently be stopped using this technique.

[Screenshot: challenge settings page]

Adding Greylisting to Exchange Server 2013 Antispam

Greylisting (or graylisting) is a method of spam protection. A mail server using greylisting temporarily rejects any email from a sender it does not recognize. If the originating server is a real email server it will retry sending the email after a short delay. The receiving server will accept the email on the next attempt. Spammers often use poorly written scripts that do not retry. In this way most spam from botnets is avoided. The only disadvantage of greylisting is that there is a short (configurable) delay for incoming email from new senders. This can be as short as 10 minutes.

To add greylisting features to Exchange Server you can use a tool such as Hexamail Guard.

This allows greylisting options to be easily added to an existing Microsoft Exchange or Small Business Server, with lots of flexible options controlling and managing the greylist and clear and concise logging.

Hexamail is the only product that allows the greylist to be optionally used depending on the country of origin and time of day of the email. For example, you may want to only greylist email during the night, so daytime emails are not delayed in any way, and overnight all email is greylisted when a short delay is of no consequence.

[Screenshot: Greylisting Options in Hexamail Guard]

Similarly, you can greylist only email from other countries. If most of your customers are in your time zone then the delay to email from other countries will not be noticeable:

[Screenshot: spam blocker greylist location]

Once greylisted, a sender’s email will travel unimpeded through to the mail server.
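The greylisting decision described in this section, including the optional night-only window and the home-country exemption, as an added example (not Hexamail's implementation). Keying on the (IP, sender, recipient) triplet, the `451` reply text, and a country code supplied by the caller are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta


class Greylist:
    """Temp-reject first contact; accept a retry made after `delay`."""

    def __init__(self, delay=timedelta(minutes=10), night=None, home_country=None):
        self.delay = delay                # minimum wait before a retry is accepted
        self.night = night                # (start, end) times; None = always active
        self.home_country = home_country  # None = greylist every country
        self.first_seen = {}              # triplet -> time of first attempt
        self.passed = set()               # triplets that retried correctly

    def _active(self, now, country):
        if self.home_country is not None and country == self.home_country:
            return False                  # only mail from other countries is delayed
        if self.night is None:
            return True
        start, end = self.night
        t = now.time()
        # The window may wrap past midnight, e.g. 22:00 to 06:00.
        return (start <= t < end) if start <= end else (t >= start or t < end)

    def check(self, ip, sender, recipient, now, country=None):
        key = (ip, sender.lower(), recipient.lower())
        if key in self.passed or not self._active(now, country):
            return "250 accept"
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            self.passed.add(key)          # greylisted: later mail is not delayed
            return "250 accept"
        return "451 try again later"      # temporary failure: real servers retry
```
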