How much spam do we get?
Here is a plot of recent mail processed by Forefront Protection 2010 for Exchange
Plot of mail processing
550 5.7.1 :127.0.0.4:Client host 18.104.22.168 blocked using 87.blocklist.zap; Mail from IP banned. To request removal from this list please visit http://www.spamhaus.org/query/bl?ip=$,BlockListProvider
550 5.7.1 :127.0.0.5:Client host 22.214.171.124 blocked using 88.blocklist.zap; Mail from IP banned. To request removal from this list please forward this message to firstname.lastname@example.org
550 5.7.1 Message rejected due to content restrictions
550 5.7.1 Missing purported responsible address
550 5.7.1 Sender ID (PRA) Not Permitted
550 5.7.1 Sender ID (PRA) Domain Does Not Exist
How to "whitelist" a recipient
Occasionally the Microsoft Forefront Protection 2010 for Exchange will reject a piece of mail that an individual wants delivered. Forefront provides a "self-service" mechanism for allowing delivery. This is commonly called "whitelisting". This feature is called “safelist-aggregation”. This works as follows:
Using Outlook Web Access or Outlook desktop, add the exact email address of the sender to the "safe-senders" table. This list is can be updated even if the Outlook junk filter is disabled. Note that entire domains are not extracted, only specific addresses. This list includes Contacts if that box is checked on the junk options. Refer to the coments below.
At 5 a.m. each day all mailboxes are scanned and a digested list of items on a user’s “safe senders” is constructed.
At four hour intervals, the digested list is uploaded to the Forefront Edge servers and stored in an ADAM directory on each Forefront server. This means that everyone's latest list will be available by 9 a.m.
Incoming mail that is not specifically blocked is compared to the individual’s list and if the sender’s email address matches the user’s safe senders the mail is next virus scanned and allowed through if safe.
This feature has some plus and minus benefits in terms of control.
1. If the sender's e-mail system is on a “blacklist” or “blocklist”, the sender will need to work to get themselves removed. The message to the sender will explain how to contact.
2. If the sender was explicitly blocked by UK, then a mail admin must remove the block. The message to the sender will explain how to contact.
3. If the mail item would have been blocked by the content filter (spam scanner), it will be allowed through.
4. If the mail item is “fake” mail and the "From:" address is on the “safe senders list” it will be allowed through.
A couple of side effects of the safe-senders lists maylikely to generate complaints are related to “fake” mail.
1. If the user has their own email address in safe senders or in a contact (if they include contacts in safe senders), all spam using their address as the “From:” address will be allowed through. A large amount of spam does this.
2. If the user has a commonly faked “From:” address in the safe senders list, all spam will that address will be allowed through.
To check if an item is "whitelisted" by the safe senders list, look at the mail headers. In the example below, the header “Received: from EX7ES01.ad.uky.edu “ indicates that the Edge/Forefront server processed the message. The header “X-MS-Exchange-Organization-Antispam-Report: SenderOnRecipientSafeList” indicates that the sender wanted the mail delivered.
Received: from EX7ES01.ad.uky.edu (126.96.36.199) by EX7HB04.ad.uky.edu
(188.8.131.52) with Microsoft SMTP Server (TLS) id 8.1.393.1; Tue, 26 Jan
2010 13:13:01 -0500
Received-SPF: Pass (EX7ES01.ad.uky.edu: domain of email@example.com
designates 184.108.40.206 as permitted sender) receiver=EX7ES01.ad.uky.edu;
Outlook and Outlook Web Access blocked senders
If the Spam Confidence Level (SCL) in the mail headers is -1, Submitting false positives and false negatives to Cloudmark
To submit a false positive or false negative spam e-mail message to Cloudmark, send the e-mail message as an RFC 2822 attachment (.eml). Do not send misclassified messages by using the Forward command. The Forward command strips the messages of essential header information and results in an invalid submission.False positives
(legitimate e-mail messages marked as spam by Cloudmark) should be sent to the following e-mail address:
(spam not detected by Cloudmark) should be sent to the following e-mail address:
Note To attach an e-mail message as an RFC 2822 attachment, follow these steps:
- In Microsoft Outlook, create a new e-mail message.
- Address it to the appropriate address.
- Click the Attach Item button, select the e-mail messages that were falsely classified, and then click OK.
Attachments containing executable files will be removed. Forefront is more strict about detecting executable files.
A two workable methods to send these files follows.
1. Create a password protected archive with a third-party program such as PKZip or WinZIP.
2. Send this file as an attachment
1. Rename all the files to a non-filtered extension.
2. Use Windows Explorer's "Send To" feature to create a compressed (zipped) folder
3. Send this file as an attachment