Microsoft Exchange 2016 Anti Spam

As expected from Microsoft, the Exchange 2016 anti spam feature set is relatively reliable. It incorporates real-time block lists, recipient verification, Sender Policy Framework (SPF) checks and a proprietary form of Bayesian analysis (the “Content Filter” agent) that assigns a Spam Confidence Level to every inbound email. However, spam emails still manage to reach users' inboxes. Why does this happen?

This is generally blamed on spam becoming more sophisticated. Spammers are skilled and are always looking for new ways to bypass email filters. Sometimes they are lucky because system managers have set the acceptable Spam Confidence Levels too low. Other times they are ahead of the game and have found a delivery method that lets their spam emails bypass detection.

In order to tackle the increasing level of sophistication, the Microsoft Exchange 2016 spam filter has three front-line defenses at which emails can be blocked, quarantined or allowed through for further testing. Although the aim of the Connection Filtering agent, Recipient Filter agent and Sender Filter agent is to save processing, bandwidth and disk resources later in the transport pipeline, it does make the Exchange 2016 spam filter complicated to manage.

Due to the extra administrative process, there is a higher likelihood of configuring the Exchange 2016 spam filter too aggressively or too generously – leading to scenarios in which either genuine mail is rejected or categorized as spam, or spam emails potentially harboring ransomware and malware are allowed further along the transport pipeline. Indeed, the Exchange 2016 spam filter guide recommends that system administrators monitor false positives and spam that avoids detection, and adjust the Exchange 2016 antispam settings as necessary.

Despite the number of Exchange 2016 anti spam features, one key anti spam feature is missing – Greylisting. Greylisting temporarily rejects every incoming email and asks the originating server to send it again. Genuine mail servers usually resend within a few minutes, after which the email is processed by the remaining anti-spam features and given a Spam Confidence Level.

Spam emails rarely get resent. This is because spammers' servers are so busy sending fresh spam that the request to resend the rejected email is ignored and times out. Therefore, regardless of the email's sophistication, the acceptable Spam Confidence Levels applied, or the delivery method tried, the spam email is never delivered, nor does it clog up a quarantine folder. This is a much simpler approach than three front-line tests that are complicated to administer.

Microsoft states that the Exchange 2016 antispam features capture more than 99% of spam emails when used as part of its premium Exchange Online Protection package. This claim likely depends on how the Spam Confidence Level thresholds have been configured. With Greylisting, verified spam detection rates can be as high as 99.97% even when Spam Confidence Levels have been relaxed to prevent false positives.

What this means for a company receiving 10,000 spam emails per week is that the Exchange 2016 antispam features will fail to detect about 100 of them each week. An email filter with a Greylisting feature will fail to detect just three out of the 10,000. The huge reduction in spam will reduce annoyance levels and the time it takes to spot and delete spam emails; and, more importantly, substantially reduce the risk of a successful phishing attack, malware deployment or ransomware infection.

Greylisting can be added as an optional spam control, but it is strongly recommended to enable it because of the added protection it offers. To avoid delaying messages from key contacts, trusted email addresses can be added to a whitelist so that they are always delivered promptly.
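To make the greylisting process described above concrete, together with the whitelist for trusted senders, here is an added example written for this page (not code from Exchange or any product it mentions). It keys on the usual (client IP, envelope sender, envelope recipient) triplet; the 300-second retry window, the 4-hour expiry and the sample traffic are assumptions, not values from the page.

```python
"""Greylisting decision logic (hypothetical illustration, not Exchange code).
Assumed policy: temporary SMTP failure (451) on first contact, accept a retry
after a minimum delay, forget triplets that never retry, bypass for whitelist."""
from dataclasses import dataclass, field

MIN_RETRY_SECONDS = 300          # assumed: a retry sooner than this is still deferred
EXPIRE_SECONDS = 4 * 3600        # assumed: a triplet that never retries is forgotten

@dataclass
class Greylist:
    whitelist: set = field(default_factory=set)   # trusted sender addresses
    _first_seen: dict = field(default_factory=dict)
    _known: set = field(default_factory=set)      # triplets that retried correctly

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return an SMTP-style verdict for one delivery attempt at time `now`."""
        if mail_from.lower() in self.whitelist:
            return "250 accept (whitelisted sender)"
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self._known:
            return "250 accept (known triplet)"
        first = self._first_seen.get(triplet)
        if first is None or now - first > EXPIRE_SECONDS:
            # First contact (or a stale record): ask the sender to retry later.
            self._first_seen[triplet] = now
            return "451 4.7.1 greylisted, please retry later"
        if now - first < MIN_RETRY_SECONDS:
            # Retried too quickly: a legitimate MTA backs off, so keep deferring.
            return "451 4.7.1 greylisted, please retry later"
        # Legitimate retry after the delay: accept and remember the triplet.
        self._known.add(triplet)
        del self._first_seen[triplet]
        return "250 accept (retry after delay)"

def simulate(attempts, whitelist=()):
    """Run constructed delivery attempts (ip, from, to, t) through one greylist."""
    gl = Greylist(whitelist={w.lower() for w in whitelist})
    return [gl.decide(*a) for a in attempts]

# Constructed sample traffic: a genuine MTA that retries after 10 minutes, a
# spam source that never retries, and a whitelisted partner address.
SAMPLE = [
    ("203.0.113.5", "alice@example.net", "bob@example.com", 0),
    ("203.0.113.5", "alice@example.net", "bob@example.com", 600),
    ("198.51.100.9", "promo@example.org", "bob@example.com", 30),
    ("192.0.2.77", "partner@example.co", "bob@example.com", 40),
]
```

Running `simulate(SAMPLE, whitelist=["partner@example.co"])` defers the first two unknown attempts, accepts the genuine retry, and passes the whitelisted partner without delay.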

Anti spam mail filters should include:

  • Simple administration using a centralized, web-based management portal.
  • Deployment options including a cloud-based service and on-premises anti spam software.
  • Directory synchronization included as standard, not as a premium option.
  • Instant whitelisting or blacklisting of senders.
  • Easily changeable application of user policies.
  • A range of web authentication settings.
  • Compatibility with all operating systems.
  • Unrestricted scalability.