Forefront antispam filtering
The University of Kentucky is using Forefront Protection 2010 for Exchange Server. This will be abbreviated FPE for the rest of this article.
The overwhelming majority of messages received by our external mail servers can be classified as spam. It generally falls in the range of 75-85 percent. In order to keep the e-mail system useful and operational, as much of this spam as possible must be kept out of our users' Inboxes.
FPE uses several kinds of filtering in layers in order to identify and mitigate spam e-mail, viruses, and malware.
- Connection filtering - FPE compares the sending mail server, identified by its IP address, with multiple lists of known spam senders licensed from Microsoft. The University also adds entries when it notices a particular site that should be blocked.
- Sender ID filtering - FPE uses the Sender ID framework to validate that the sender is not spoofing the identity of another sender. An example of this is mail from "facebook.com" that is not coming from a server owned by Facebook.
- Sender filtering - FPE examines the SMTP sender information. This filter examines both safelists and blocklists. The central blocklist blocks senders that have sent spam in the past. The central safelists are addresses of external mailers that have a continuing relationship with the University. FPE also collects each individual user's safe lists, the Outlook and Outlook Web Access Safe Senders lists. FPE does not use the user's blocked senders lists, but they can still be used locally by Outlook.
- Recipient filtering - FPE uses a list provided by us of addresses that should be blocked from receiving mail. This list is often used to prevent overloading the system with mail to popular addresses that do not have a mailbox in our mail system.
- Content filtering - FPE examines the content of the message, including the subject line and the message body. FPE uses a third-party antispam engine from Cloudmark to scan all e-mail for spam.
- Antivirus filtering - FPE scans each mail item and all attachments with up to five different anti-virus/anti-malware engines from different vendors to maximize protection.
- Client filtering - FPE is not involved in filtering performed by Outlook or other e-mail clients.
These layers are often referred to as the e-mail pipeline. In the Connection, Sender, Sender ID, Recipient, and Content layers, FPE can reject an e-mail item with a message to the sender. This is often referred to as "bouncing" the mail. The Antivirus layer will remove the virus or remove the entire attachment and replace it with a short text message to the recipient about the action taken.
Mail that has passed through the filters will have a Spam Confidence Level (SCL) assigned to it. This will be a number between -1 and 9. FPE does not use SCL:1 through SCL:4. Mail in that range is likely not spam and is classified as -1 or 0.
- -1 and 0 indicate non-spam. This mail is sent to the recipient's Inbox folder on the Exchange server. Mail that is on a safelist is always stamped with an SCL of -1.
- 5 through 7 indicate mail that may be spam. This mail is sent to the Junk E-mail folder on the Exchange server unless this action is overridden by user settings.
- 8 and 9 indicate definite spam. This mail is rejected ("bounced"). A message is generated to notify the sender.
In practice, about 10-15 percent of the mail will receive a score of -1 and 85-90 percent will receive a score of 9. Only a fraction of 1% will be categorized with an SCL of 5-8. This explains why the Junk E-mail folder is almost always empty.
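As an added example (not a University tool or part of FPE), the following Python script applies the SCL-to-action rules above to a batch of message headers and reports how the volume splits across Inbox, Junk E-mail and rejection. It reads the X-MS-Exchange-Organization-SCL header that Exchange stamps on filtered mail; the header blocks below are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Exchange stamps this header on each filtered message; its value is the SCL.
SCL_HEADER = re.compile(r"^X-MS-Exchange-Organization-SCL:\s*(-?\d+)\s*$",
                        re.IGNORECASE | re.MULTILINE)

def extract_scl(raw_headers):
    """Return the SCL stamped in the message headers, or None if absent."""
    m = SCL_HEADER.search(raw_headers)
    return int(m.group(1)) if m else None

def scl_action(scl):
    """Map an SCL to the delivery action described in the article."""
    if scl is None:
        return "unscored"   # no SCL header: the message never went through the filters
    if scl <= 4:
        return "inbox"      # -1 (safelisted) or 0 is normal; FPE does not assign 1-4
    if scl <= 7:
        return "junk"       # 5-7: Junk E-mail folder unless the user overrides it
    return "rejected"       # 8-9: bounced, with a notification to the sender

def summarize(messages):
    """Count the action for each raw header block and return percentages."""
    counts = Counter(scl_action(extract_scl(m)) for m in messages)
    total = sum(counts.values())
    return {action: round(100.0 * n / total, 1) for action, n in counts.items()}

# Constructed sample header blocks (one per message); not real traffic.
SAMPLES = [
    "From: alerts@example.com\r\nX-MS-Exchange-Organization-SCL: -1\r\nSubject: Safelisted sender\r\n",
    "From: colleague@example.edu\r\nX-MS-Exchange-Organization-SCL: 0\r\nSubject: Meeting notes\r\n",
    "From: promo@example.net\r\nx-ms-exchange-organization-scl: 6\r\nSubject: Limited offer\r\n",
    "From: unknown@example.org\r\nX-MS-Exchange-Organization-SCL: 9\r\nSubject: You have won\r\n",
    "From: unknown@example.org\r\nX-MS-Exchange-Organization-SCL: 9\r\nSubject: Urgent\r\n",
    "From: internal@example.edu\r\nSubject: No SCL header at all\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        scl = extract_scl(raw)
        print(scl, scl_action(scl))
    print(summarize(SAMPLES))
```

Pointing the script at exported headers from a real mailbox is a quick way to confirm that the Junk E-mail folder stays nearly empty for the reasons the article gives.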
The following graph shows how the volume of spam decreases as it passes through each layer.
Graph of recent spam activity