Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. It features a collection of resources and magazines for Windows IT professionals.
  
  


March 2004

Outlook 2003’s Junk E-mail Filter

Microsoft's new mail client takes spam filtering seriously

Spam is a scourge that continues to be a major concern for systems administrators. Although governments in the United States and elsewhere are attempting to address the problem through legislation, spammers will probably circumvent this obstacle by simply moving their operations to locations outside the jurisdiction of any laws. As an illustration of just how bad a problem spam has become for major corporations, HP bastion hosts deployed at the network perimeter to scan all messages arriving at hp.com dropped just 30 percent of messages in 2002 because they could be immediately identified as suspicious, perhaps because they contained "well-known" content or virus-ridden attachments. Today, the same hosts drop 70 percent of messages—some 21 million messages a month. The upsurge in spam activity accounts for the increase in dropped messages, and every company that hosts an email server is now a potential target for spammers, no matter which email server you run.

Most large organizations deploy various server-based tools to block as much spam as possible before it gets to users. Bastion hosts can catch a lot of spam, but deployed in isolation, they can't keep up with the ever-changing techniques that spammers employ to mask their activities, so administrators often deploy a second line of defense in the form of antispam software that integrates with the email server.

Microsoft added a spam confidence level (SCL) Store property to Exchange Server 2003 that antispam software can update with a value that indicates whether the software thinks a message is spam. The Store and email clients can then suppress messages with high SCL values. Server-based antispam software often combines spam checking with antivirus protection for Exchange servers, but even with two lines of defense (i.e., the bastion host and server-based antispam software), some spam gets through. In the past, if Microsoft Outlook users wanted maximum spam protection, they had to install add-on products. Microsoft has incorporated a Junk E-mail Filter into Microsoft Office Outlook 2003 that you can also deploy with Exchange Server 5.5 or later. My experience is that Outlook 2003 can block most spam that comes along, but you still need to deploy multiple lines of protection if you really want to fight spam.

Detecting Junk Email
Spam-detection software relies on a mixture of techniques to identify unwanted messages, with different software products using different technique combinations. One technique is looking at originator addresses to block messages from well-known spammers that appear on Realtime Blackhole Lists (RBLs); another is examining message properties (such as the message subject) and the content to pick up keywords such as Viagra and porn. (You can implement similar checks by using Outlook rules, but doing so slows down processing considerably because rules aren't designed for this purpose. Antispam products typically supply dictionaries of common words or phrases and use compiled code to check message content against the dictionaries, so they can process messages much faster.)

Detection software also analyzes message structure for patterns typical of junk mail messages. For example, spam authors seem to feel compelled to add emphasis to their messages with a lot of exclamation points. If a spam tool's scoring system finds 20 exclamation points in a message, that message could be spam. (However, it could be from an enthusiastic member of your marketing department.) Detection software might also look for fingerprints of known spam messages. Antispam-tool vendors track known spam and analyze the message content to create a fingerprint (typically included in their tools' dictionaries) that the filters can use to recognize similar messages.
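The keyword and message-structure checks described above can be combined into one score. This is an added sketch, not code from Outlook or any antispam product; the dictionary entries, weights, and threshold are constructed assumptions.

```python
import re

# Constructed sample dictionary (phrase -> weight). Real products ship far
# larger, regularly updated dictionaries; these values are assumptions.
DICTIONARY = {"viagra": 4.0, "porn": 4.0, "act now": 2.0, "free offer": 2.0}
EXCLAIM_LIMIT = 20     # the article's example of a suspicious structure
EXCLAIM_WEIGHT = 3.0   # assumed weight for the structure signal
SPAM_THRESHOLD = 5.0   # assumed cut-off for this sketch

# Compile the whole dictionary into one pattern so each message is scanned
# in a single pass instead of evaluating one rule per keyword.
_PATTERN = re.compile(
    r"\b("
    + "|".join(re.escape(k) for k in sorted(DICTIONARY, key=len, reverse=True))
    + r")\b",
    re.IGNORECASE,
)

def score_message(subject: str, body: str) -> dict:
    """Score one message on dictionary hits plus exclamation-point count."""
    text = subject + "\n" + body
    hits = sorted({m.group(1).lower() for m in _PATTERN.finditer(text)})
    keyword_score = sum(DICTIONARY[h] for h in hits)
    exclaims = text.count("!")
    structure_score = EXCLAIM_WEIGHT if exclaims >= EXCLAIM_LIMIT else 0.0
    total = keyword_score + structure_score
    return {
        "keywords": hits,
        "exclamation_points": exclaims,
        "score": total,
        "is_spam": total >= SPAM_THRESHOLD,
    }

# Constructed sample messages: one spam, one enthusiastic marketing memo.
SAMPLES = [
    ("Cheap VIAGRA!!!", "Act now" + "!" * 17),
    ("Launch day!!!", "We shipped" + "!" * 20),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, score_message(subject, body))
```

The marketing memo trips the exclamation-point check but stays under the threshold because no dictionary entry matches, which is why a structural signal is weighted rather than treated as a verdict.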

Exchange 2003 includes upgraded connection-filtering features as well as the ability to block mail from anyone other than authorized senders. You can connect Exchange 2003's connection filters to an RBL subscription and perhaps avoid the need to purchase an additional antispam product for the server. This Exchange/RBL option is inexpensive, but you must keep your RBL subscription up-to-date to ensure that Exchange can recognize incoming email from newly registered spammers. In addition, if you have just one RBL subscription, you're relying on that RBL maintainer to keep up with new spamming techniques and indeed to resist Denial of Service (DoS) attacks on its own service. Subscribing to multiple RBLs lessens your risks, but you incur extra costs. Purchasing and deploying a commercial-quality antispam product is a lot easier, especially for any production server that supports more than a few hundred mailboxes.
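The single-subscription risk described above is easier to see in code. This added example is not Exchange's implementation; it assumes the lists are queried over DNS using the usual DNSBL convention, and the zone names, IP addresses, and resolver stub are constructed.

```python
import ipaddress
import socket

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name: str):
    """Return the A record, or None if the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise  # timeout or server failure: the list gave no answer

def check_sender(ip: str, zones, resolver=system_resolver) -> dict:
    """Query every list; keep 'not listed' separate from 'list unreachable'."""
    listed, clean, unavailable = [], [], []
    for zone in zones:
        try:
            answer = resolver(dnsbl_query_name(ip, zone))
        except OSError:
            unavailable.append(zone)  # no verdict from this list
            continue
        # A listed address is answered with a record in 127.0.0.0/8.
        if answer is not None and answer.startswith("127."):
            listed.append(zone)
        else:
            clean.append(zone)
    verdict = "reject" if listed else ("accept" if clean else "no-data")
    return {"listed": listed, "clean": clean,
            "unavailable": unavailable, "verdict": verdict}

# Constructed data: hypothetical list zones and documentation-range addresses.
ZONES = ["rbl-a.example", "rbl-b.example"]
FAKE_DNS = {"10.113.0.203.rbl-b.example": "127.0.0.2"}

def fake_resolver(name: str):
    """Offline stand-in for DNS: rbl-a is down, rbl-b answers from FAKE_DNS."""
    if name.endswith("rbl-a.example"):
        raise OSError("constructed outage")
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    print(check_sender("203.0.113.10", ZONES, fake_resolver))
    print(check_sender("203.0.113.10", ["rbl-a.example"], fake_resolver))
```

With only the unreachable list configured the result is `no-data`, not `accept`: an outage at the sole RBL leaves the filter with no opinion, while the second list still produces a verdict.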

The latest spam suppression tools deploy analytical techniques to spot spam attacks early. Network probes monitor traffic that passes along the Internet in an attempt to detect traffic surges from a mail server; such surges could be the result of a spammer generating hundreds of thousands of messages that contain similar content. The probes use algorithms similar to those that generate a hash value for an electronically signed message to create a digital signature based on the message content, then store the signature in a database. The tools then check new messages against the digital signatures in the database to determine whether a message is spam. This kind of technique is available only in server-based software today, not in client software. For a list of server-based antispam products, see Buyer's Guide, "Enterprise Spam Filters," April 2003, http://www.winnetmag.com, InstantDoc ID 38277.
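The signature database described above, and the known-spam fingerprints mentioned earlier, can be modeled as a hash of normalized content plus a sighting count. This is an added sketch, not any vendor's algorithm; SHA-256, the normalization rules, the threshold, and the time window are assumptions, and the traffic is constructed.

```python
import hashlib
import re
from collections import defaultdict

def content_signature(body: str) -> str:
    """Hash a normalised body so trivial per-recipient edits collide."""
    text = re.sub(r"[^a-z\s]", "", body.lower())   # drop digits, punctuation
    text = " ".join(text.split())                  # collapse whitespace
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class SignatureDatabase:
    def __init__(self, surge_threshold: int = 3, window_seconds: int = 600):
        self.surge_threshold = surge_threshold
        self.window_seconds = window_seconds
        self.sightings = defaultdict(list)   # signature -> recent timestamps
        self.known_spam = set()              # signatures already confirmed

    def observe(self, body: str, timestamp: float) -> bool:
        """Record one message; return True if it should be treated as spam."""
        sig = content_signature(body)
        if sig in self.known_spam:
            return True
        recent = [t for t in self.sightings[sig]
                  if timestamp - t <= self.window_seconds]
        recent.append(timestamp)
        self.sightings[sig] = recent
        if len(recent) >= self.surge_threshold:
            self.known_spam.add(sig)         # surge seen: remember signature
            return True
        return False

# Constructed sample traffic: (seconds since start, message body).
SAMPLE_TRAFFIC = [
    (0, "Dear customer 1234, BUY now!"),
    (60, "dear customer 9876, buy now!!"),
    (90, "Minutes from Tuesday's staff meeting attached."),
    (120, "Dear  customer 5555, buy now"),
    (9000, "Dear customer 0001, buy now!"),
]

def replay(traffic, db=None):
    """Feed traffic through a database and return the per-message verdicts."""
    db = db or SignatureDatabase()
    return [db.observe(body, ts) for ts, body in traffic]

if __name__ == "__main__":
    print(replay(SAMPLE_TRAFFIC))
```

The third near-identical message inside the window triggers the surge, and the copy arriving much later is caught from the stored signature alone. An exact hash only matches bodies that are identical after normalization.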

All Outlook versions support rules processing to let you automate common tasks such as moving messages from a particular sender into a dedicated folder. Outlook 2002 and earlier versions attempt to use a set of standard rules to filter junk email messages, but the growing volume of spam and the more sophisticated techniques used by spammers to avoid detection have rendered the rules-based approach ineffective—plus this approach is slow. The Outlook 2003 Junk E-mail Filter doesn't use the old rules-based approach coupled with a static list of keywords and junk-email senders to detect junk mail. Instead, Outlook 2003 uses a combination of compiled code and a dictionary to detect spam—an approach that's the result of Microsoft Research's text analysis work. MAPILab, a small company that specializes in Outlook add-ons, recently performed an in-depth Outlook 2003 Junk E-mail Filter analysis that throws some light on the processing Outlook does behind the scenes. See http://www.mapilab.com/news/0042.html for more information. The dictionary is stored in \program files\microsoft office\office 11 dictionary\outlfltr.dat and is approximately 2MB. The dictionary's content and accuracy are crucial to the operation of the Junk E-mail Filter, and Microsoft has committed to issuing regular updates with the most recent information gathered about junk email messages. Microsoft issued the first update in December 2003, as described in the Microsoft article "Overview of the Outlook 2003 Junk E-mail Filter Update: December 16, 2003" (http://support.microsoft.com/?kbid=832333).

Note that because Outlook 2003's Junk E-mail Filter runs on the client, you can use the filter only if you configure Outlook 2003 in cached Exchange mode or connect to a server with POP3 or IMAP4 (protocols that always put messages in a local store for processing). You can also use the Junk E-mail Filter if you configure Outlook to download messages to a Personal Folders (.pst) file, but this kind of configuration is largely outdated by the advent of cached Exchange mode and is really useful only if you deploy Exchange with small mailbox quotas. Microsoft could have designed Outlook to connect to an Exchange mailbox in the traditional client-server manner and process messages online, but Outlook would need to fetch the message content from Exchange before the client could filter the messages. This approach would work for small messages, but the network communications overhead required to fetch messages for checking is excessive, so Outlook limits its processing to local content.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2009 Penton Media, Inc., All rights reserved.