Even though the default Microsoft Exchange spam filter has a range of features to help prevent spam and protect businesses from email-based dangers such as phishing, malware and ransomware, few people speak highly of the built-in mechanism of anti spam for Exchange. One of the most common criticisms is that the default Exchange anti spam mechanisms are not as good at detecting spam as third party solutions, and that many threats bypass Microsoft's controls and are delivered to inboxes. Since all it takes for a data breach to occur is for one member of staff to respond to a phishing email, it is vital that the vast majority of threats are detected and removed.
One of the reasons for this is the way in which some third party solutions tackle spam detection: using Greylisting to prevent spam from previously unknown sources, and SURBL filters to discover malicious URLs within the body of emails. Other features that could increase Exchange email security are also missing from the default Microsoft Exchange spam filter, Exchange Online Protection (EOP), or have to be paid for separately by upgrading to Advanced Threat Protection (ATP). For many companies, ATP is cost prohibitive, especially when third-party solutions can be purchased at a fraction of the cost and supply equivalent or better protection.
One of the “absent/paid for” features is anti spam Exchange outbound scanning. Outbound scanning is very important for Office 365 users following the introduction of the “IP reputation” marking system, as any business thought to be sending spam or malware could find its IP address on Microsoft's real-time blackhole list. This would not only impact business-critical communication channels, but could potentially lead to the business's website being blacklisted.
Antispam Exchange outbound filtering monitors outbound emails for any sign of spam, which could indicate that an email account has been compromised in a phishing attack.
Antispam Exchange outbound filtering is crucial, but Office 365 users only get access to this feature if they pay for it using an Advanced Threat Protection package.
Another common criticism of the Microsoft Exchange spam filter is that it is too complex. Naturally, the aim of anti spam for Exchange is spam detection and reporting. However, due to the complicated nature of anti spam for Exchange, Spam Confidence Levels can be set at a level which is too low, with the consequence that the filter is ineffective at preventing spam. Alternatively, the levels can be set too high, leading to genuine emails being quarantined for containing marginally spam-like text.
Once you combine anti spam for Exchange with Office 365 and Exchange Online Protection (or Forefront Protection for Exchange 2010), the complex nature of anti spam for Exchange multiplies. Furthermore, companies that want to use the Directory Synchronization feature to help better manage their email accounts have to pay for an Advanced Threat Protection package. Third party email filtering solutions eliminate the complexity, which is another reason why they are often selected over the default Microsoft Exchange spam filter.
Greylisting and SURBL filtering could seriously strengthen Exchange email security, if they were present. When third party anti-spam solutions are configured, these two mechanisms work independently of Microsoft's real-time blackhole lists (RBLs) to improve spam detection rates and prevent phishing emails reaching their intended recipients. Greylisting in particular can increase spam detection rates from the 99% achieved by the default Microsoft Exchange spam filter to 99.97% with no false positives returned. Greylisting involves rejecting a message and requesting it be resent by the server where it came from. Hackers’ servers are usually involved in massive spam campaigns, and are too busy to respond. The delay shows that the messages have come from a new spamming source. While it is highly recommended to have greylisting enabled, messages may be delayed by a few minutes. When greylisting is used in tandem with whitelisting for trusted senders, important emails will not be delayed.
SURBL filtering works in a similar fashion to real-time blackhole lists, but rather than comparing the IP addresses of inbound emails against a list of known sources of spam, the filter compares links in emails against a list of URLs known to be dangerous. This feature stops users from clicking on a link they believe to be safe and visiting a phishing website or a malicious site hosting malware.
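The greylisting behaviour described above, as an added sketch that is not code from this article or from any vendor's product: a first delivery attempt from an unknown source gets a temporary rejection, a retry after a minimum delay is accepted, and whitelisted sender domains are never delayed. The (client IP, sender, recipient) key, the 451 reply text, the delay values and the sample traffic are assumptions constructed for illustration.

```python
MIN_RETRY_DELAY = 300        # assumed: seconds before a retry is accepted
RECORD_LIFETIME = 4 * 3600   # assumed: pending entries expire after 4 hours


class Greylist:
    """Greylisting decision keyed on (client IP, sender, recipient)."""

    def __init__(self, whitelist=()):
        self.whitelist = {d.lower() for d in whitelist}  # trusted sender domains
        self.pending = {}    # triplet -> time of first rejected attempt
        self.passed = set()  # triplets that retried correctly

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for a delivery attempt at time `now` (seconds)."""
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain in self.whitelist:
            return "250 OK (whitelisted)"          # trusted senders are never delayed
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return "250 OK (known triplet)"
        first = self.pending.get(triplet)
        if first is None or now - first > RECORD_LIFETIME:
            self.pending[triplet] = now            # first sighting: start the clock
            return "451 4.7.1 Greylisted, retry later"
        if now - first < MIN_RETRY_DELAY:
            return "451 4.7.1 Greylisted, retry later"  # retried too quickly
        del self.pending[triplet]
        self.passed.add(triplet)                   # sender queued the mail and retried
        return "250 OK (retry accepted)"


def replay(attempts, whitelist=()):
    """Run constructed attempts (time, ip, sender, recipient) through one greylist."""
    g = Greylist(whitelist)
    return [g.check(ip, s, r, t) for t, ip, s, r in attempts]


# Constructed sample traffic; addresses use documentation ranges and example domains.
SAMPLE = [
    (0,   "192.0.2.10",   "news@new-sender.example", "bob@corp.example"),
    (30,  "192.0.2.10",   "news@new-sender.example", "bob@corp.example"),
    (420, "192.0.2.10",   "news@new-sender.example", "bob@corp.example"),
    (425, "198.51.100.7", "cfo@partner.example",     "bob@corp.example"),
    (430, "203.0.113.99", "promo@bulk.example",      "bob@corp.example"),
]

if __name__ == "__main__":
    for attempt, reply in zip(SAMPLE, replay(SAMPLE, whitelist={"partner.example"})):
        print(attempt, "->", reply)
```

The third attempt is the only greylisted message that gets through, because it is the only one retried after the minimum delay; the whitelisted partner is accepted on its first attempt.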
Copyright © 2020 ComplianceHome