
Control spam with GFI's Mail Essential Exchange application

Tags: E-mail, Servers, E-mail servers, Groupware, John Kull MCSE, Network+, A+, server, Mail Essentials, SMTP, Microsoft Exchange Server, Microsoft IIS Server, GFI, software


Takeaway: As an administrator, managing the spam that comes into your organization takes some sophisticated software and a lot of hard work. One of the more effective applications for managing an Exchange Server is Mail Essentials from GFI.

GFI is a UK-based software company that focuses on mail and security software. All of their products are available as a 30-day fully functioning evaluation product. After the evaluation period the software continues to function but with limited capabilities. The Mail Essentials (ME) package can be downloaded from the company Web site along with documentation. The list price of ME for unlimited mailboxes is $1350 plus 20 percent yearly for software maintenance. Reduced pricing is available for 25, 50, 100 and 250 mailboxes. A 25-mailbox license is as little as $350 plus maintenance. Additional discounts are available when you purchase the ME companion Anti-Virus and attachment checking software product Mail Security.

ME can be installed in two different configurations: SMTP gateway mode or directly on the Exchange mail server (http://techrepublic.com.com/5138-1035-5689059.html). Both installation methods offer advantages and disadvantages. SMTP gateway mode installs ME on a separate gateway server and is therefore independent of the type of mail server software you are running. Gateway mode allows the SPAM duties to be offloaded to a separate less powerful server, leaving the Exchange server to concentrate on running Exchange. Native Exchange mode is for Exchange 2000 / 2003 servers, and installs the ME product on the Exchange server. This installation method allows ME to deliver SPAM to a local SPAM or Junk mail folder within Outlook. Note: If you are still running Exchange 5.5 you must install ME in SMTP mode.

This article will look at the SMTP gateway option. I prefer this option for a number of reasons. First it removes the burden of SPAM filtering from the primary Exchange server(s) and is a first stop for all incoming and outgoing e-mail. In my environment I chose it because I knew we would be running GFI's Mail Security (more on that in another download) and Mail Archiving software and I did not want all the products on my Exchange server. Also having a separate gateway allows me to keep my Exchange server behind the firewall and out of the DMZ. If I need to reboot or perform maintenance on my Exchange box the gateway server can still receive incoming mail from the Internet.

Installing supporting components

Since we are setting up a separate gateway server, the installation is slightly more complicated. First thing we need to do is install Internet Information Server (IIS) on the server if it's not installed, and set up SMTP within IIS. The GFI documentation does a good job of explaining this but we will run through it here.

Install SMTP via Add Remove Programs - Windows programs. SMTP is a sub component of IIS. In Windows Server 2003 select Application Server - Internet Information Server (IIS) and then select the SMTP option. (Figure A) Once installed the Internet Information Services MMC is used to manage the server.

Figure A

Next we will configure the properties of the SMTP server. Open the IIS console and expand the server node. The Default SMTP Virtual server should be present. Right click and select properties. On the General tab assign an IP address to the server. Next click the Access tab. Here we can configure authentication and connection parameters. If you wish to configure secure communication between the gateway and your primary server you can configure those settings here. Our concern for this discussion is the relay tab. To keep the gateway from becoming an open relay we want to specify which server or servers can relay mail through this server. Click the relay tab and then click add. You can specify an IP address, a group of servers, or a domain. (Figure B)

Figure B

When completed your server's IP should be listed. Uncheck the check box titled "Allow all computers which authenticate to relay, regardless of the list above." (Figure C)

Figure C

Now we will configure the SMTP server to relay mail to your primary mail server. Under the Default SMTP server right click Domains and select New. Select the remote option and click next. Enter the name of the mail domain in the next box. When completed the IIS manager will list the local domain and your remote domain (Figure D).

Figure D

Right click on the newly created domain and select properties. Select the allow incoming mail to be relayed to this domain and the forward all mail to a smart host radio buttons. Enter the name of the primary server in square brackets that will receive the mail. (Figure E)

Figure E

We have now configured the gateway server to relay mail to and from your primary mail server. The next step is to configure the Exchange or other mail server to relay mail to the newly configured gateway server. (In this example we will use Microsoft Exchange, however in gateway mode installation ME can work with any SMTP server.)

From the Exchange System Manager expand the properties of your SMTP connector. On the General tab click the "Forward all mail through this connector to the following smart hosts" radio button. Add the IP address of the newly configured server, enclosed in brackets. (Figure F)

Figure F

Finally, test the configuration. Send an e-mail from an internal address to an external address such as a Hotmail or Yahoo account. Send a message in the reverse direction to test connectivity both ways. If both messages are received you have successfully set up the SMTP box to relay mail to and from your Exchange or SMTP server.
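A check for the relay restriction configured earlier, as an added example that is not part of the original article or of GFI's or Microsoft's tooling: run from a machine that is not on the gateway's relay list, it asks the gateway, without sending a message, whether it accepts mail for your own domain and whether it would relay to a third party. The host name, domain and probe addresses are placeholders, and the smtp_factory parameter is a hypothetical hook added so the logic can be exercised without a network.

```python
import smtplib
import sys


def probe_rcpt(host, mail_from, rcpt_to, port=25,
               smtp_factory=smtplib.SMTP, timeout=10):
    """Return the gateway's reply code to RCPT TO for one sender/recipient pair.

    The session stops after RCPT TO and is reset, so no message is delivered.
    """
    conn = smtp_factory(host, port, timeout=timeout)
    try:
        conn.ehlo_or_helo_if_needed()
        code, _ = conn.mail(mail_from)
        if not 200 <= code < 300:
            return code                  # sender refused outright
        code, _ = conn.rcpt(rcpt_to)
        conn.rset()                      # abandon the transaction
        return code
    finally:
        try:
            conn.quit()
        except OSError:                  # smtplib.SMTPException derives from OSError
            pass


def audit_gateway(host, own_domain, **probe_args):
    """Probe the gateway as an outside sender and summarise its answers."""
    outside = "probe@outside.example"    # placeholder external sender
    inbound = probe_rcpt(host, outside, "postmaster@" + own_domain, **probe_args)
    relay = probe_rcpt(host, outside, "probe@thirdparty.example", **probe_args)
    return {
        # Mail for the remote domain defined on the gateway should be accepted.
        "inbound_accepted": 200 <= inbound < 300,
        # Mail from outside to an unrelated domain should be refused.
        "open_relay": 200 <= relay < 300,
        "relay_reply_code": relay,
    }


# Usage: python relay_check.py <gateway-host> <your-mail-domain>
if __name__ == "__main__" and len(sys.argv) == 3:
    print(audit_gateway(sys.argv[1], sys.argv[2]))
```

If open_relay comes back True, either the relay list is not being enforced or the probing machine is itself on the list.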

Installing ME

Now that the SMTP relay is set up we can move on to installing the actual ME product. The download will extract and begin the setup process. When setup first launches it gives you the chance to check for a newer build. GFI releases new builds quite frequently, so if it's been even a few days since you downloaded the file go ahead and select Check for a newer build of GFI Mail Essentials on the GFI Web site, otherwise select do not check for a newer build and move on. (Figure G) The next screen prompts to accept the license agreement to proceed.

Figure G

The next screen prompts for an installation location. (Figure H) Accept the default or point the software to the appropriate place.

Figure H

The next screen prompts for user, company and license key information. If you are a current customer you can enter your key or leave the word Evaluation in the license key field. (Figure I)

Figure I

The next screen requires the IP address of your server and the local domain. (Figure J).

Figure J

The next screen after that requires an e-mail address for the administrator. This is used for critical notification e-mail. (Figure K) If the server you are installing ME on is part of an AD Domain, setup will prompt for access to Active Directory. GFI can use AD or SMTP addresses to build rules for ME. In this example my server is not part of an AD Domain so the prompt does not appear.

Figure K

The next screen asks to install the Microsoft Message Queuing Service. This service is only required if you are using ME to manage a list server. In this article we are focusing on the SPAM capabilities so we won't install it here. (Figure L)

Figure L

The next screen displays the local e-mail domains found by the installation program. These should match the domains that were created when we set up the SMTP server earlier. The localhost domain is created by default. (Figure M) The wizard will complete the file copy and display a message that the SMTP service needs to be restarted. Click Yes. The SMTP service will restart and the wizard finish dialog will display. Click Finish and ME has been installed.

Figure M

Managing ME

The installation program installs several tools for managing the ME product. The ME Configuration MMC is the primary tool used to manage the product. In addition, a reporting tool, GFI monitor, troubleshooter and online help system are also installed under the GFI ME group.

Let's dive in and look at the ME configuration tool. Select Start | Programs | GFI Mail Essential | Mail Essentials Configuration to launch the tool. (Figure N) The Configuration tool provides a clean interface for managing the product. I have found the configuration tool to be quite intuitive to use. The ME configuration is divided into three main sections: Anti-Spam, E-mail Management and General.

Figure N

First let's look at the Anti-SPAM configuration

As you can see from the previous screenshot the Anti-SPAM section has ten different parameters or rules for detecting SPAM. Each rule can be configured by double clicking the item in the right window pane or selecting it in the left pane and then selecting properties. We'll look at each one below and discuss what it does and how effective it might be in fighting SPAM. The order in which the rules are applied can be configured as well.

The Properties of each rule are divided into multiple tabs. Several of the tabs, such as the Actions tab are the same in each rule. The configuration process works like this: Enable each rule as desired, fine tune it, and then decide what action to take when a piece of SPAM meets the criteria of the rule.

First up is the Sender Policy Framework. This is new in version 11.0. It fights SPAM by detecting e-mail with forged senders. The Sender Policy Framework feature is a community effort to fight SPAM. SPF requires that the sender has published its mail server in an SPF record. When the mail is received, GFI can check to see if the sender is authentic or forged. More information about SPF can be found at the Sender Policy Framework Web site. After configuration of SPF, ME will prompt to configure the perimeter server option for proper operation of the SPF function. In this example we have installed GFI on a perimeter server (gateway) so no configuration is needed.

The General Tab (Figure O) allows SPF to work at various levels. Sliding the bar all the way to the top sets SPF to never block messages, effectively turning the rule off. All the way to the bottom sets it to high which will block any e-mail that has not passed the SPF test. GFI recommends the medium setting, which blocks e-mail from addresses that appear to have forged senders.

Figure O
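How an SPF check reaches its verdict, as an added example that is not GFI's code: the record published by the sending domain is evaluated against the connecting IP address, and the result is then mapped to the slider levels. The record and addresses are constructed, only the ip4, ip6 and all mechanisms are handled (the others need DNS lookups), and the mapping of SPF results to the medium and high settings is an assumption based on the description above.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record, as a sending domain would publish it in a DNS TXT record.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"


def spf_result(record, connecting_ip):
    """Evaluate an SPF record made of ip4/ip6/all terms against one IP.

    Returns 'none' (no SPF record), 'pass', 'fail', 'softfail' or 'neutral'.
    """
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                    # matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("term %r needs DNS lookups and is not handled here" % name)
    return "neutral"                         # nothing matched and no 'all' term


def me_blocks(level, result):
    """Assumed mapping of the General tab slider to SPF results."""
    if level == "never":
        return False
    if level == "medium":
        return result == "fail"              # sender explicitly not authorised
    if level == "high":
        return result != "pass"              # anything that has not passed
    raise ValueError("unknown level %r" % level)


def demo():
    """(ip, SPF result, blocked at medium, blocked at high) for two senders."""
    rows = []
    for ip in ("192.0.2.10", "203.0.113.5"):
        result = spf_result(EXAMPLE_RECORD, ip)
        rows.append((ip, result, me_blocks("medium", result), me_blocks("high", result)))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Under this mapping, a domain that publishes no SPF record at all yields "none" and is blocked only at the high setting.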

The Exceptions tab allows a list of IP addresses or recipient exclusion lists to be created. (Figure P)

Figure P

The Actions tab (Figure Q) allows the desired action to be configured when a rule is triggered. Several options are available here: Delete the e-mail, forward to another mailbox, move to a specified folder on the server, or tag the e-mail with text such as SPAM. The tag option can be used to send e-mail to a specified folder in the user's mailbox. This feature requires configuring the rule manager tool to configure rules for each user mailbox or a group of mailboxes. This can be useful if certain users wish to sort their own junk mail.

Figure Q

Note: If ME is installed on an Exchange 2003 server, mail can be routed directly to the user's junk mail folder by selecting the Move to users junk mail folder radio button. In this example we are using the gateway mode installation, which would require us to use the rule manager tool.

The Other tab (Figure R) allows additional actions to be taken such as logging an occurrence of the rule. This is useful if you chose the delete action and then later need to verify if an e-mail was "eaten" by a SPAM rule. Unfortunately you could not retrieve the e-mail but you could confirm its demise.

The next SPAM filter is the white list. (Figure S) The white list is enabled by default and is one of the oldest SPAM fighting techniques. ME automatically builds a white list based on outbound e-mails. Other options include manually adding e-mail addresses or importing them from a list.

Figure S

White lists can also be built from keywords in the body or subject, or based on IP address of the sender. Creating a keyword white list based on subject was particularly effective in my organization for allowing inbound e-mail from list servers that employees had subscribed to. (Figure T)

Figure T

The next filter is Directory Harvesting. This detects e-mails sent to an e-mail server that are addressed to non-existent recipients. This is often a sign of a directory harvest attack to discover e-mail addresses on a particular server. In my environment we receive a lot of SPAM addressed to employees who no longer work for the organization. Enabling this filter allowed us to dump the e-mail so we did not have to sort through it later to determine if it was legitimate. The general tab is used to enable the feature. This feature requires AD or LDAP connectivity to a DC to work. (Figure U)

Figure U
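The pattern this filter looks for, shown as detection logic over SMTP log lines (an added example, not GFI's implementation). The log format, the addresses and the threshold of three distinct unknown recipients are constructed for illustration, and the recipient set stands in for the AD or LDAP lookup.

```python
import re
from collections import defaultdict

# Stand-in for the AD/LDAP lookup of existing mailboxes.
VALID_RECIPIENTS = {"alice@mycompany.example", "bob@mycompany.example"}

# Constructed log lines: date, time, connecting IP, SMTP command.
SAMPLE_LOG = """\
2005-10-04 09:12:01 203.0.113.7 MAIL FROM:<x@bulk.example>
2005-10-04 09:12:01 203.0.113.7 RCPT TO:<admin@mycompany.example>
2005-10-04 09:12:02 203.0.113.7 RCPT TO:<Alice@mycompany.example>
2005-10-04 09:12:02 203.0.113.7 RCPT TO:<info@mycompany.example>
2005-10-04 09:12:03 203.0.113.7 RCPT TO:<jsmith@mycompany.example>
2005-10-04 09:12:03 203.0.113.7 RCPT TO:<sales@mycompany.example>
2005-10-04 09:30:44 198.51.100.20 RCPT TO:<carol@mycompany.example>
2005-10-04 11:02:10 198.51.100.20 RCPT TO:<carol@mycompany.example>
2005-10-04 11:15:27 192.0.2.44 RCPT TO:<bob@mycompany.example>
""".splitlines()

RCPT_LINE = re.compile(r"^\S+ \S+ (\S+) RCPT TO:<([^>]+)>$")


def harvest_suspects(log_lines, valid_recipients, min_unknown=3):
    """Map each source IP to the distinct non-existent recipients it tried.

    Only sources with at least min_unknown distinct unknown addresses are
    returned, so repeated mail to one stale address (a former employee)
    is not mistaken for an address-guessing run.
    """
    valid = {addr.lower() for addr in valid_recipients}
    unknown = defaultdict(set)
    for line in log_lines:
        match = RCPT_LINE.match(line.strip())
        if not match:
            continue                         # not a RCPT TO line
        source_ip = match.group(1)
        recipient = match.group(2).lower()   # mailbox lookups are case-insensitive here
        if recipient not in valid:
            unknown[source_ip].add(recipient)
    return {ip: sorted(addrs) for ip, addrs in unknown.items()
            if len(addrs) >= min_unknown}


if __name__ == "__main__":
    for ip, addrs in harvest_suspects(SAMPLE_LOG, VALID_RECIPIENTS).items():
        print(ip, "tried", len(addrs), "non-existent recipients:", ", ".join(addrs))
```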

The Custom Blacklist filter allows custom blacklists to be created for known domains and e-mail addresses. (Figure V)

Figure V

The Bayesian filter is the main SPAM fighting filter in ME. Bayesian technology uses probability to analyze your company's mail patterns and determine if an e-mail is SPAM. The Bayesian filter is turned off by default. (Figure W) GFI recommends that you train the filter for a minimum of one week or until at least 3000 messages have passed through the filter. Once the training period is done the filter can be enabled.

Figure W

Checking the Automatically learn from outbound e-mails radio button enables the filter to continually analyze e-mail patterns. The update tab allows automatic updates of the SPAM database from GFI. (Figure X)

Figure X
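A minimal version of the Bayesian technique, added here to show why the filter needs a training period and why it behaves differently from a single-keyword match. It is a generic naive Bayes classifier, not GFI's engine, and the training messages are constructed; outbound mail is used as the legitimate class, as with the automatic learning option described above.

```python
import math
import re
from collections import Counter

# Constructed training mail. Outbound messages serve as the legitimate class.
OUTBOUND = [
    "Please find the quarterly invoice attached for the Exchange migration project",
    "Meeting moved to Tuesday, agenda for the server maintenance window attached",
    "The purchase order for the gateway server was approved, invoice to follow",
    "Can you review the project schedule before the Tuesday meeting",
]
SPAM = [
    "Cheap meds online, no prescription needed, order now",
    "You are a winner! Claim your free prize now, click here",
    "Lowest mortgage rates, click here, free quote, act now",
    "Free pills, cheap prices, order online now",
]


def tokens(text):
    """Distinct lower-cased words in a message."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))


class BayesFilter:
    def __init__(self):
        self.seen = {"ham": 0, "spam": 0}                  # messages per class
        self.token_counts = {"ham": Counter(), "spam": Counter()}

    def train(self, label, text):
        self.seen[label] += 1
        self.token_counts[label].update(tokens(text))      # one count per message

    def spam_probability(self, text):
        """P(spam | words present), with add-one smoothing on every estimate."""
        log_odds = math.log((self.seen["spam"] + 1) / (self.seen["ham"] + 1))
        for tok in tokens(text):
            p_spam = (self.token_counts["spam"][tok] + 1) / (self.seen["spam"] + 2)
            p_ham = (self.token_counts["ham"][tok] + 1) / (self.seen["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))


def trained_filter():
    bayes = BayesFilter()
    for message in OUTBOUND:
        bayes.train("ham", message)
    for message in SPAM:
        bayes.train("spam", message)
    return bayes


if __name__ == "__main__":
    sample = "The invoice for the free server upgrade is attached"
    print("untrained:", BayesFilter().spam_probability(sample))
    print("trained:  ", round(trained_filter().spam_probability(sample), 4))
```

Before any training every message scores 0.5, which is no decision at all. After training, a business message that happens to contain the word "free" still scores low because the rest of its vocabulary matches the organization's own mail.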

The DNS blacklist (Figure Y) allows checking the sending mail server against known blacklists managed by multiple outside blacklist organizations. This feature requires a properly configured DNS server. If the blacklist is configured and the DNS server is misconfigured a time out may occur and the e-mail will be processed slowly. Use care when configuring and use the test button to verify connectivity. See GFI's Knowledge Base article KBID001770 for more information. Multiple lists can be queried but each list adds additional e-mail processing time.

Figure Y

The Spam URI Real-time Block lists rule (Figure Z) checks e-mails for the presence of embedded URLs and URNs that are known to originate from spammers. Multiple lists can be queried by selecting each list you wish to use. As with the DNS blacklists, each additional list selected adds to the mail processing time of the ME product. The multi.surbl.org list combines several lists into one and results in faster processing than if multiple lists are selected.

Figure Z

The Header Checking rule looks at the e-mail header fields, SMTP and MIME. The SMTP field is generated by the sending e-mail server and the MIME field is generated by the e-mail client. The General tab and the General Continued tabs have eight different criteria that can be detected. (Figure AA) Each checkbox provides an explanation of the criteria. If you require a detailed explanation of each criterion, review the ME documentation.

Figure AA

Keyword checking is the oldest SPAM fighting tool. (Figure BB) Many SPAM e-mails can be singled out by this criterion alone. Of course depending on your business, this can also eat a lot of valid e-mail. This filter comes predefined with keywords for both e-mail subject and body. Additional words and conditions can be added to make this filter more effective than just detecting the presence of a single word. For instance, a condition could be created to detect the presence of more than one word or group of words before the e-mail is marked as SPAM.

Figure BB

The New Senders rule automatically identifies e-mails that have come from a sender to whom you have never sent e-mail. These could be new contacts as well as SPAM that was not detected by other ME rules. (Figure CC) Exceptions can be configured based on the MIME TO address.

Figure CC

Now that we have looked at all the rules, you may be wondering, in what order do the e-mails get processed? The order is set by right clicking the Anti-Spam item in the left pane and selecting order module priorities. (Figure DD) Here we can set the order from highest priority to lowest priority of each rule.

Figure DD

E-mail Management

Besides the SPAM capabilities ME provides several other E-mail management capabilities as well. Expanding the E-mail management branch in the left pane reveals several additional capabilities of the ME product: List Server, Disclaimers, Mail Archiving, Mail Monitoring, Auto Replies and Reporting.

The List Server module allows management of an e-mail list service. I did not examine this capability for this download.

The Mail Archiving section provides the ability to create an inbound and outbound e-mail archive. (Figure EE) Archives can be flat text files without attachments, or saved to a SQL / MSDE database. Once created an HTML search page is used to query the e-mail archive. While the functionality is quite primitive, it still can provide an archive for those organizations trying to provide an archive to meet regulations that are on a limited budget. GFI also offers a dedicated e-mail archive product.

Figure EE

Adding a disclaimer to an outbound e-mail is another feature of the ME product. Disclaimers are created for outbound e-mail only and can be configured on a per-domain or per-user basis. Another feature is Auto-Replies. Auto Replies are handy if you run a service organization and want to let your customer know that an e-mail has been received.

Mail monitoring allows the creation of inbound and outbound monitoring rules. Mail can be examined from specific senders or domains and a copy routed to a monitoring mailbox. (Figure FF)

Figure FF

General Settings

The general section provides links to version information, license key and links to information on other GFI products. The General tab under version information is the most useful in that it provides the ability to automatically check for product patches and version updates.

Other components

Several other tools appear in the GFI Mail Essentials program group. The GFI monitor provides a real-time window into the ME engine. Here you can actually view e-mails being processed. (Figure GG) This can be helpful during initial configuration and setup.

Figure GG

The ME Reports tool allows various canned reports to be generated such as User usage statistics, Mail server Daily usages and Daily SPAM statistics. The Daily SPAM report gives a good insight into how effective each rule is in detecting SPAM. The Mail Essential Help system is a Windows help version of the PDF based manual that is available for download with the ME product. The Mail Essentials troubleshooter is a wizard-based tool used at the direction of GFI when an issue is encountered and you must contact support. The wizard creates a zip file that is sent to GFI for analysis.

Now what?

OK, so we have installed Anti-SPAM software. Now what? This is the part that Anti-SPAM software vendors do not talk about. Do we install it and then walk away? All the SPAM is gone and we can go back to doing other things? Wouldn't that be nice? The reality is that once the SPAM is detected you have to "do something" with it. Do we just set the action of each rule to delete and walk away? You could do that. But you might have some angry high-level employees who are missing e-mails that their colleagues insist they sent.

The reality is that SPAM technology is not perfect. What if a legitimate e-mail is detected and the rule was set to delete? In this case you would not know if the e-mail ever made it. You could, however, check the log file to confirm, as I mentioned earlier, its demise.

The bottom line is that you must choose HOW, and also, WHO will manage the SPAM. The how side addresses what you will do with the SPAM: Send it all to a central folder or mailbox for analysis and final deletion? Delete it permanently upon detection? Configure some rules to delete and other to send to a SPAM box?

The who side of the equation asks the question, does IT manage the SPAM or just send it on to the user, categorized as SPAM for them to sort through? Do you want your users to look through their own SPAM? If SPAM causes productivity losses then what have the users gained? Now their detected SPAM is all in one place instead of scattered throughout their inbox. Having users manage their own SPAM brings up many legal issues. Several employees have sued employers over porn SPAM, claiming these e-mails caused them to work in a hostile work environment, by exposing them to nudity or other undesirable images. These are all questions and processes you must work out when implementing a SPAM solution.

A real life example

Here is how we manage the SPAM process using ME at my organization: First, we made the decision early on that we could not afford to lose e-mails that were incorrectly tagged as SPAM. We knew we would quickly lose the trust of our employees and upper management if the SPAM filter was "eating" their good e-mails. Second, we did not want our users to sort their own SPAM because of fear of lawsuits and lost productivity. Also, so many users were complaining about getting SPAM in the first place that we figured they did not want to manage it.

On the Mail Essentials product, I felt very confident in the Custom Blacklist, DNS Blacklist and the Directory Harvesting rules so I set all SPAM detected by these rules to delete, with the logging option turned on. All other rules are set to forward all mail to a central mailbox, called spam@mycompany.com. Our IT help desk employees check this mailbox several times during the day and delete the known SPAM and forward mail suspected as good to the user. If the user confirms the mail as good the sender is manually added to the white list so as not to be tagged again as SPAM. Sorting the detected SPAM e-mail by sender quickly weeds out the SPAM from the legitimate e-mail. Since many of our employees receive the same SPAM, sorting this way causes all the duplicates to appear together and makes mass deletion easy. Additionally our help desk employees integrate SPAM management as part of their daily process.

In addition we use the archive feature of ME so we have a flat text file record, minus attachments of all mail flowing in and out of the organization. Be careful of archiving to a text file, as the file can grow large quickly. We simply create a new archive each week to keep the file size manageable. Long term we will look to other solutions but have implemented this until we settle on a final solution. The archive is also helpful in troubleshooting whether an e-mail was actually sent or left the organization.

Not just a set and forget system

We have used the product for over a year and have had great success. Unfortunately SPAM management is not a set it up and forget about it process. It takes time to analyze the rules and fine-tune them as needed. The reporting mechanism can be helpful in explaining the severity of the problem to management as well as give the mail administrator insight into how effective each rule is at detecting SPAM. The list server, mail archiving, disclaimers and reporting tools all add value to an economically priced product, making it quite a value. Before you invest $1000s of dollars in an appliance or other product, check out the GFI Mail Essentials product.
