Skip to main content
Mail

Mail

Search
UK Wiki Portal
Blackboard
HPC
Mail
Sharepoint
VPN
Enterprise CAL
Networking
Voicemail
  
UK Wiki Portal > Mail > wiki pages > Forefront Protection 2010 for Exchange  

Wiki Pages: Forefront Protection 2010 for Exchange

How much spam do we get?

Here is a plot of recent mail processed by Forefront Protection 2010 for Exchange

Plot of mail processing 

Messages

550 5.7.1 :127.0.0.4:Client host 41.222.208.170 blocked using 87.blocklist.zap; Mail from IP banned. To request removal from this list please visit http://www.spamhaus.org/query/bl?ip=$,BlockListProvider

550 5.7.1 :127.0.0.5:Client host 83.228.39.0 blocked using 88.blocklist.zap; Mail from IP banned. To request removal from this list please forward this message to delist.forefront@messaging.microsoft.com

550 5.7.1 Message rejected due to content restrictions

550 5.7.1 Missing purported responsible address

550 5.7.1 Sender ID (PRA) Not Permitted

550 5.7.1 Sender ID (PRA) Domain Does Not Exist

How to "whitelist" a recipient

Occasionally the Microsoft Forefront Protection 2010 for Exchange will reject a piece of mail that an individual wants delivered. Forefront provides a "self-service" mechanism for allowing delivery. This is commonly called "whitelisting".  This feature is called “safelist-aggregation”. This works as follows:

 

  1. Using Outlook Web Access or Outlook desktop, add the exact email address of the sender to the "safe-senders" table. This list is can be updated even if the Outlook junk filter is disabled. Note that entire domains are not extracted, only specific addresses. This list includes Contacts if that box is checked on the junk options. Refer to the coments below.
  2. At 5 a.m. each day all mailboxes are scanned and a digested list of items on a user’s “safe senders” is constructed.
  3. At four hour intervals, the digested list is uploaded to the Forefront Edge servers and stored in an ADAM directory on each Forefront server. This means that everyone's latest list will be available by 9 a.m.
  4. Incoming mail that is not specifically blocked is compared to the individual’s list and if the sender’s email address matches the user’s safe senders the mail is next virus scanned and allowed through if safe.

 

 

This feature has some plus and minus benefits in terms of control.

 

1.       If the sender's e-mail system is on a “blacklist” or “blocklist”, the sender will need to work to get themselves removed. The message to the sender will explain how to contact.

2.       If the sender was explicitly blocked by UK, then a mail admin must remove the block. The message to the sender will explain how to contact.

3.       If the mail item would have been blocked by the content filter (spam scanner), it will be allowed through.

4.       If the mail item is “fake” mail and the "From:" address is on the “safe senders list” it will be allowed through.

 

A couple of side effects of the safe-senders lists maylikely to generate complaints are related to “fake” mail.

 

1.       If the user has their own email address in safe senders or in a contact (if they include contacts in safe senders), all spam using their address as the “From:” address will be allowed through. A large amount of spam does this.

2.       If the user has a commonly faked “From:” address in the safe senders list, all spam will that address will be allowed through.

 

To check if an item is "whitelisted" by the safe senders list, look at the mail headers. In the example below, the header “Received: from EX7ES01.ad.uky.edu “ indicates that the Edge/Forefront server processed the message. The header “X-MS-Exchange-Organization-Antispam-Report: SenderOnRecipientSafeList” indicates that the sender wanted the mail delivered.

 

Received: from EX7ES01.ad.uky.edu (128.163.184.132) by EX7HB04.ad.uky.edu

 (128.163.187.54) with Microsoft SMTP Server (TLS) id 8.1.393.1; Tue, 26 Jan

 2010 13:13:01 -0500

...

...

Received-SPF: Pass (EX7ES01.ad.uky.edu: domain of durbin512@gmail.com

 designates 209.85.211.195 as permitted sender) receiver=EX7ES01.ad.uky.edu;

 client-ip=209.85.211.195; helo=mail-yw0-f195.google.com;

X-MS-Exchange-Organization-Antispam-Report: SenderOnRecipientSafeList

X-MS-Exchange-Organization-SCL: -1

X-MS-Exchange-Organization-SenderIdResult: PASS

Outlook and Outlook Web Access blocked senders

If the Spam Confidence Level (SCL) in the mail headers is -1, Submitting false positives and false negatives to Cloudmark

To submit a false positive or false negative spam e-mail message to Cloudmark, send the e-mail message as an RFC 2822 attachment (.eml). Do not send misclassified messages by using the Forward command. The Forward command strips the messages of essential header information and results in an invalid submission.

False positives (legitimate e-mail messages marked as spam by Cloudmark) should be sent to the following e-mail address:
Forefront-legit@submit.cloudmark.com
False negatives (spam not detected by Cloudmark) should be sent to the following e-mail address:
Forefront-spam@submit.cloudmark.com
Note To attach an e-mail message as an RFC 2822 attachment, follow these steps:
  1. In Microsoft Outlook, create a new e-mail message.
  2. Address it to the appropriate address.
  3. Click the Attach Item button, select the e-mail messages that were falsely classified, and then click OK.
 
Sending executable (filtered) files as attachments
 
Attachments containing executable files will be removed. Forefront is more strict about detecting executable files.
 
A two workable methods to send these files follows.
 
Method 1
 
1. Create a password protected archive with a third-party program such as PKZip or WinZIP.
2. Send this file as an attachment 
 
Method 2
 
1. Rename all the files to a non-filtered extension.
2. Use Windows Explorer's "Send To" feature to create a compressed (zipped) folder
3. Send this file as an attachment
 
Filtered file types
 
This is the current list of blocked filetypes:

Type

Name

Identity

 ContentType  application/x-msdownload  ContentType:application/x-msdownload
 ContentType  message/partial  ContentType:message/partial
 ContentType  text/scriptlet  ContentType:text/scriptlet
 ContentType  application/prg  ContentType:application/prg
 ContentType  application/msaccess  ContentType:application/msaccess
 ContentType  text/javascript  ContentType:text/javascript
 ContentType  application/x-javascript  ContentType:application/x-javascript
 ContentType  application/javascript  ContentType:application/javascript
 ContentType  x-internet-signup  ContentType:x-internet-signup
 ContentType  application/hta  ContentType:application/hta
 FileName  *.xnk  FileName:*.xnk
 FileName  *.wsh  FileName:*.wsh
 FileName  *.wsf  FileName:*.wsf
 FileName  *.wsc  FileName:*.wsc
 FileName  *.vbs  FileName:*.vbs
 FileName  *.vbe  FileName:*.vbe
 FileName  *.vb  FileName:*.vb
 FileName  *.url  FileName:*.url
 FileName  *.shs  FileName:*.shs
 FileName  *.shb  FileName:*.shb
 FileName  *.sct  FileName:*.sct
 FileName  *.scr  FileName:*.scr
 FileName  *.scf  FileName:*.scf
 FileName  *.reg  FileName:*.reg
 FileName  *.prg  FileName:*.prg
 FileName  *.prf  FileName:*.prf
 FileName  *.pif  FileName:*.pif
 FileName  *.pcd  FileName:*.pcd
 FileName  *.ops  FileName:*.ops
 FileName  *.mst  FileName:*.mst
 FileName  *.msp  FileName:*.msp
 FileName  *.msi  FileName:*.msi
 FileName  *.psc2  FileName:*.psc2
 FileName  *.psc1  FileName:*.psc1
 FileName  *.ps2xml  FileName:*.ps2xml
 FileName  *.ps2  FileName:*.ps2
 FileName  *.ps11xml  FileName:*.ps11xml
 FileName  *.ps11  FileName:*.ps11
 FileName  *.ps1xml  FileName:*.ps1xml
 FileName  *.ps1  FileName:*.ps1
 FileName  *.msc  FileName:*.msc
 FileName  *.mdz  FileName:*.mdz
 FileName  *.mdw  FileName:*.mdw
 FileName  *.mdt  FileName:*.mdt
 FileName  *.mde  FileName:*.mde
 FileName  *.mdb  FileName:*.mdb
 FileName  *.mda  FileName:*.mda
 FileName  *.lnk  FileName:*.lnk
 FileName  *.ksh  FileName:*.ksh
 FileName  *.jse  FileName:*.jse
 FileName  *.js  FileName:*.js
 FileName  *.isp  FileName:*.isp
 FileName  *.ins  FileName:*.ins
 FileName  *.inf  FileName:*.inf
 FileName  *.hta  FileName:*.hta
 FileName  *.hlp  FileName:*.hlp
 FileName  *.fxp  FileName:*.fxp
 FileName  *.exe  FileName:*.exe
 FileName  *.csh  FileName:*.csh
 FileName  *.crt  FileName:*.crt
 FileName  *.cpl  FileName:*.cpl
 FileName  *.com  FileName:*.com
 FileName  *.cmd  FileName:*.cmd
 FileName  *.chm  FileName:*.chm
 FileName  *.bat  FileName:*.bat
 FileName  *.bas  FileName:*.bas
 FileName  *.asx  FileName:*.asx
 FileName  *.app  FileName:*.app
 FileName  *.adp  FileName:*.adp
 FileName  *.ade  FileName:*.ade

How see if a server is on the "whitelist"

Examine a mail item from the server in question. Look at the "Received:" headers to make sure it passed through Forefront. The Forefront servers name begins with "EX7ES". Internal mail does not pass through these servers and "Whitelisting" should be unnecesary.

Under "Message Options" and "Internet Headers" look for these two headers.

X-MS-Exchange-Organization-Antispam-Report: IPOnAllowList
X-MS-Exchange-Organization-SCL: -1

If a server is on the "whitelist", the blocked senders list is not used to move the mail to the Junk E-mail folder.