Configuring Exchange & Trend for spam/filtering

These comments come from Les:


This reply is a little more than you need, hope you don’t mind. But the answer is contained within ;-). I was hoping to clean it up a bit before posting (but that may never happen). It’s relevant to several recent posts.

Basically, I’ve been trying to get the best spam/antivirus protection I can with SBS2k3 OOB and Trend Micro CSM SMB – no other third party products.

If you don’t use CSM, then just ignore those parts. I have been experimenting with this configuration for a while, and am very pleased with the present result.

<snip>

I believe I have this under control presently. Possibly at the expense of a few legit emails (but very few, if any).

Without any third party apps except Trend CSM – here is what I use.

1. Exchange

a) Internet Message Format

Advanced Tab

Disallow:
Out of Office responses
Automatic replies
Automatic forward
Delivery Reports
non-delivery Reports
Allow:
Preserve sender’s display name on message.

b) Message Delivery > properties

Sender Filtering Tab

Filter messages with blank sender
Drop connection if address matches filter

Recipient Filtering Tab

Filter recipients who are not in the directory

c) Default SMTP Server

| General | Advanced | Edit (all unassigned)

Apply Sender Filter (although I have no filters presently)
Apply Recipient Filter
Apply Connection Filter (although I have none of these either, presently)

Messages Tab

Send copy of NDR reports is blank.

2. Trend Scanmail eManager

a) Antispam

Enabled
Threshold: High
Action: Quarantine
Notifications Button: None
Approved Senders Button: I have had to add a few to the list, but not many – mostly list subscriptions.
Blocked Senders Button: None – useless against a reasonably competent spammer.

b) Content Filter
Anti-spam, hoaxes, chainmail, and Melissa Virus enabled.
The other items will do a *lot* of blocking – too much when your threshold is set to high.

c) Update

The automatic updates don’t work. No reason, no error. But the Update button does. I’ve been meaning to take this up with Trend, but haven’t yet looked into it. There are reasonably frequent updates, and they do make a difference. I update whenever I think of it, generally at least monthly.

d) Log Files

Log files are daily, set to delete after 30 days. The reporting is useful here, especially for initial tuning.

3. Scanmail

a) Options

Attachment Blocking is *not* enabled in Scanmail, but it is in Exchange. I think you want to go with one or the other, not both. I may turn off attachment blocking in Exchange, and instead do it in Scanmail as there are more options in scanmail.

Virus actions are set to delete, delete, delete, delete.

b) Active Message Filter

Filter Inbound Messages *see Outlook section for a note.

c) Notification

virus scan – windows event log only
outbreak alert – email me, and event log.
attachment blocking – windows event log.

d) Quarantine Manager

This is where you go to check on the blocked items, including eManager spam blocked mail. You spend some time here initially tuning things for your environment.

Quarantine Maintenance is set to delete at 7 days. Works well.

4. Outlook

Junk Mail was identifying about 50% of what got through to the mailbox with Scanmail Filter Inbound turned OFF, and the old junk mail pattern file (or whatever they call it).

A new junk mail pattern file was released (office update) not long ago; I installed it a few days ago. This has caught 100% of what got through to the mailbox, no false positives thus far.

With the Scanmail Filter Inbound turned ON, you can even keep your junk mail folder almost empty by letting Scanmail handle attachment blocking instead of Exchange. Much of the junk mail that does get through has attachments, mostly replaced by either Exchange (blocked att. type) or Scanmail (virus). With scanmail doing attachment blocking, you can elect to kill these before they come to the mail store.

Notes: (these are out of date, and system specific – just examples – YMMV).

In the past 48 hours, my inbox has been 100% clean of junk. Junk Mail folder has about 100 that made it through the Exchange, Emanager, and Scanmail filters. (this is with Scanmail Filter Inbound Off)

**** New info – with the Scanmail Filter Inbound *on*, junk mail has been reduced to about 10 per 24 hours. I’ve been checking the blocked emails in Scanmail console, and have been pleasantly surprised at the lack of false positives.

The exchange server has about 25 mailboxes, there are 3 or 4 heavy email users, and about 10 very heavily spammed addresses.

eManager filtered out 392 emails.
Scanmail scanned 1341 emails, 19 had viruses and were deleted.

Presently, I’m happy with the tools I have ;-).


Les Connor [SBS MVP]
————————————-
SBS Rocks !

5 thoughts on “Configuring Exchange & Trend for spam/filtering”

  1. I use Trend C/S/M for smb. Auto updates were a pain, but I think it was my Fortinet firewall. All seems well now.

    I exempt smex-p.activeupdate.trendmicro.com, officescan-p.activeupdate.trendmicro.com, pc-cillin-p.activeupdate.trendmicro.com from any filtering or spam detection on the firewall.

    Regards,

    Roger.

  2. This should be documented in an SBS Whitepaper on Trend and Microsoft Site. 100 spams an hour per user. Now down to none. Only a few false positives.

  3. This is a fantastic setup! After searching for the best way to set up Trend Micro SPAM engine/filter I came across your site. I have had great success with similar settings and I am only getting 1-3 spams per day in my inbox. These settings combined with IMF for Exchange are even better.
