Exchange 2007 ‘Sender Reputation Filter’ Story

Published 16 October 8 9:34 PM | Vlada.Ilic

Prologue:

“Sender Reputation is anti-spam functionality that is enabled on computers that have the Microsoft Exchange Server 2007 Edge Transport server role installed to block messages according to many characteristics of the sender. Sender reputation relies on persisted data about the sender to determine what action, if any, to take on an inbound message.”

Microsoft, 2006.

Scenario:

One of my old clients called me recently, saying that they had bought some new server boxes and, among other changes, asking for advice on how to improve their e-mail infrastructure in terms of both performance and security. They were using Exchange 2003 with GFI Mail Security Antivirus and GFI Mail Essentials Antispam protection, which I had installed some time ago. They also have a dedicated ISA server for proxy/firewall functionality:

Exchange 2003 (+GFI) <--------------------> ISA <---------------->  INTERNET

My advice to them was to migrate to Exchange 2007, and also to implement a Windows 2003 Web Edition Server in the DMZ to act as an SMTP relay server, with GFI Mail Security and GFI Mail Essentials installed on that server. Since they were already paying for Exchange Enterprise CALs in their licensing program, I suggested Forefront Security on the internal Exchange server (with 9 Antivirus and 2 Antispam engines they should be pretty safe….;)):

Exchange 2007 (+Forefront) <-------> ISA <------> IIS SMTP relay (+GFI) <----> INTERNET

I installed the GFI modules on the relay server and configured the Antispam engine to add the string “[SPAM]” to the subject line of every message that is likely to be spam. Then I created a Transport Rule on the Exchange server to raise the SCL of such messages to 9 so that they always end up in the user’s Outlook Junk E-mail folder.
I tested this configuration by sending a few legitimate mails and also a few with “sex $$$ Viagra” in the subject and/or body, and everything worked perfectly (not a good sign….;))

Problem:

Not very long after, some of the employees said that their clients were complaining that all messages sent to them were rejected by our mail server.
From the relay server, I successfully telnetted to port 25 on the internal Exchange server and typed:

HELO test.test.net
Mail from:test@test.net

and got this response:

550 5.7.1 External client with IP address 172.16.0.1 does not have permissions to submit to this server. Visit http://support.microsoft.com/kb/928123 for more information.

 

172.16.0.1 was the IP address of the external interface on the ISA server…?!

Reason:

The Sender Reputation filter had characterized my own ISA server as a spammer and added it to the IP Block List for 24 hours..…;))

Solution:

I removed 172.16.0.1 from the IP Block List on the Exchange server, added it to the IP Allow List and disabled the Sender Reputation filter..…just in case…;)

Comments

# Christian Haberl said on December 23, 2008 3:09 AM:

The correct thing to do would have been to define the ISA and the IIS/Gateway as an Internal Server with the Set-TransportConfig -InternalSMTPServers x.x.x.x,y.y.y.y command.

That way you can leave the Sender Reputation filter and it has another very important reason: The Connection Filter, which uses, among other things, the IP Block List Provider feature (DNSBL) will not think that the message came into the Exchange organization from 172.16.0.1 but will look at the server before that in the mail headers (EnteredOrgFromIP).

On another note: Personally I would have dumped GFI since the customer has both Forefront and the Enterprise CAL - there is no stronger antispam and antivirus protection than Exchange 2007 + Forefront. Microsoft protects their whole email infrastructure with nothing else: www.microsoft.com/.../edgetransport.mspx
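
The suggestion in the comment above, written out as Exchange Management Shell steps. This is an added example, not part of the original post or comment. 172.16.0.1 is taken from the post; the relay address is a placeholder because the page does not give it.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 server that returned the 550.
$isaIp   = '172.16.0.1'            # ISA address from the 550 response in the post
$relayIp = '<IIS-SMTP-relay-IP>'   # placeholder (not given on the page): replace before running

# 1. Confirm the cause: entries created by Sender Reputation are flagged as
#    machine generated and carry an expiration time.
Get-IPBlockListEntry -IPAddress $isaIp |
    Format-List IPRange, IsMachineGenerated, ExpirationTime

# 2. Remove the entry so mail flows again without waiting for it to expire.
Get-IPBlockListEntry -IPAddress $isaIp |
    ForEach-Object { Remove-IPBlockListEntry -Identity $_.Identity -Confirm:$false }

# 3. Declare both hops as internal SMTP servers. Set-TransportConfig replaces the
#    whole list, so read the current value and append instead of overwriting it.
$servers = (Get-TransportConfig).InternalSMTPServers
$known   = $servers | ForEach-Object { $_.ToString() }
foreach ($ip in $isaIp, $relayIp) {
    if ($known -notcontains $ip) { $servers += $ip }
}
Set-TransportConfig -InternalSMTPServers $servers

# 4. Verify the list, then turn Sender Reputation back on and review its
#    blocking settings (the blocking period is what produced the 24-hour entry).
Get-TransportConfig | Format-List InternalSMTPServers
Set-SenderReputationConfig -Enabled $true
Get-SenderReputationConfig |
    Format-List Enabled, SenderBlockingEnabled, SenderBlockingPeriod, SrlBlockThreshold
```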

# Vlada.Ilic said on December 23, 2008 7:05 PM:

Thanks for the neat solution....:)

Considering GFI:

This is one of the clients who don't believe in the sentence "There is no stronger antispam and antivirus protection than Exchange2007 + Forefront". I guess that is one of the reasons why GFI and many other companies still exist on the market by selling their own solutions for Exchange (and to be honest...they have some very nice features which are not available in either Forefront or the built-in AntiSpam Exchange engine).

p.s Working as a technical consultant my job is to advice, not to persuade clients...;)

# Peter Ridgway-Davies said on September 29, 2009 7:00 PM:

advise not sell <vbg>

FWIW we are using Forefront on our systems with an edge server and Exchange 2007.

It works really well and the antivirus is so quiet I worry it may not be working (but it is). Anti-spam is good too.
