exchange 07 anti-spam question...


  • exchange 07 anti-spam question...

    Well, I'm back into the world of Exchange again and instantly scratching my head with all the NASA config needs.

    This pertains to Exchange 2007 on a clean install of SBS 2008

    I think I've got SPAM control limping along but am scratching my head on content filtering. I'm trying to dial down the SCL value to a level that is quarantining spam well w/o getting HAM. Once I got down to SCL=4 or 5 I started to see HAM.

    But when I look at the header info in the spam account there is no mention of the SCL or PCL values! Wouldn't it be most helpful to know these things to see what Exchange is tagging good HAM with a higher than expected value?

    I can see these values often when looking at header information on emails that do make it into mailboxes.

    Is it just me or does MS make it harder than it needs to be to work with SPAM!?!?! Prove me dumb please so I can just move on!

    Here is the info presented in my spam quarantine account and I see no values other than my AVG anti-spam (spamcatcher) stuff.
    Original message headers:

    Received: from elasmtp-kukur.atl.sa.earthlink.net (209.86.89.65) by
    remote.snowtrails.com (10.0.0.2) with Microsoft SMTP Server id 8.2.254.0;
    Sat, 21 Aug 2010 06:32:26 -0400
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=dk20050327; d=earthlink.net;
    b=B+yPL3DuWmvDnhpsxJUy03szuw9YWuqOuvqPWVZRtYYfvNpW kEQZGZQyLoxR8okg;
    h=Received:Message-ID:X-Priority:Reply-To:X-Mailer:From:To:Subject:Date:MIME-Version:Content-Type:X-ELNK-Trace:X-Originating-IP;
    Received: from [71.244.140.98] (helo=earthlink.net) by
    elasmtp-kukur.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from
    <[email protected]>) id 1OmlN1-0004q5-Su; Sat, 21 Aug 2010
    06:32:20 -0400
    Message-ID: <[email protected]>
    X-Priority: 3
    Reply-To: <[email protected]>
    X-Mailer: EarthLink MailBox 2005.3.14.0 (Windows)
    From: Joyce Willson <[email protected]>
    To: Joyce Wilson <[email protected]>
    Subject: NAR certification
    Date: Sat, 21 Aug 2010 06:32:14 -0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_321741132129215103214140"
    X-ELNK-Trace: 1741cd07c395b5f463fbba0cb96f922894f5150ab1c16ac0f2 b12df0f75675a491e367e4f6387d0dec593714236d593e350b add9bab72f9c350badd9bab72f9c
    X-Originating-IP: 71.244.140.98
    Return-Path: [email protected]
    Received-SPF: None (SBS.snowtr.local: [email protected] does not
    designate permitted sender hosts)
    X-Antispam: NO; Spamcatcher 6.0.4. Score 1
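
A header check for the situation described in the post above, as an added example that is not part of the original thread: it reads a message's raw headers and reports whether Exchange's SCL/PCL stamps and the third-party X-Antispam stamp are present. The sample headers are constructed, and the function names and the `quarantine_threshold` argument are assumptions of this example.

```python
import re
from email import message_from_string

# The X-MS-Exchange-Organization-* stamps are written by Exchange's content
# filter; X-Antispam is the third-party stamp seen in the header dump above.
SCL_HEADER = "X-MS-Exchange-Organization-SCL"
PCL_HEADER = "X-MS-Exchange-Organization-PCL"
VENDOR_HEADER = "X-Antispam"
VENDOR_RE = re.compile(r"^\s*(YES|NO)\s*;.*?Score\s+(-?\d+)", re.I | re.S)


def _int_header(msg, name, low, high, findings):
    """Return the header as an int in [low, high], or None plus a finding."""
    raw = msg.get(name)
    if raw is None:
        findings.append(f"{name} missing")
        return None
    try:
        value = int(str(raw).strip())
    except ValueError:
        findings.append(f"{name} not numeric")
        return None
    if not low <= value <= high:
        findings.append(f"{name} out of range")
        return None
    return value


def audit_headers(raw_headers, quarantine_threshold):
    """Summarise the anti-spam stamps found on one message."""
    msg = message_from_string(raw_headers)
    findings = []
    scl = _int_header(msg, SCL_HEADER, -1, 9, findings)
    pcl = _int_header(msg, PCL_HEADER, 1, 8, findings)
    vendor = None
    m = VENDOR_RE.match(str(msg.get(VENDOR_HEADER, "")))
    if m:
        vendor = {"spam": m.group(1).upper() == "YES", "score": int(m.group(2))}
    # The content filter quarantines when SCL >= the configured threshold.
    if scl is not None and scl >= quarantine_threshold:
        findings.append(f"SCL {scl} meets quarantine threshold {quarantine_threshold}")
        if vendor and not vendor["spam"]:
            findings.append("third-party filter disagrees: possible false positive")
    return {"scl": scl, "pcl": pcl, "vendor": vendor, "findings": findings}


# Constructed samples (not from the thread): one message carrying Exchange
# stamps, and a quarantine-style view carrying only the third-party stamp.
STAMPED_SAMPLE = (
    "From: Sender <sender@example.com>\n"
    "Subject: NAR certification\n"
    "X-MS-Exchange-Organization-SCL: 5\n"
    "X-MS-Exchange-Organization-PCL: 2\n"
    "X-Antispam: NO; Spamcatcher 6.0.4. Score 1\n\n"
)
QUARANTINE_SAMPLE = (
    "From: Sender <sender@example.com>\n"
    "Subject: NAR certification\n"
    "X-Antispam: NO; Spamcatcher 6.0.4. Score 1\n\n"
)

if __name__ == "__main__":
    for name, raw in (("stamped", STAMPED_SAMPLE), ("quarantine", QUARANTINE_SAMPLE)):
        print(name, audit_headers(raw, quarantine_threshold=5))
```

Running it against headers saved from the quarantine mailbox and from a user's inbox shows side by side which stamps each copy carries.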

  • #2
    Re: exchange 07 anti-spam question...

    You shouldn't have to do anything to see the SCL value, it should be there - a screenshot of the headers is on this page:

    http://exchangepedia.com/blog/2006/0...es-scl-in.html

    If you use perfmon, are messages being marked with the relevant values? For most servers you should see a spread across most of the SCL values.

    However - I wonder if the third party product you are using is causing the problem. I haven't used that myself, so cannot know for sure.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: exchange 07 anti-spam question...

      Thanks for the comment, so you agree that the SCL and PCL values are not shown in my header as presented in the quarantine folder, correct?

      I looked at the screenshot you presented and that is what I see on all emails that are allowed into users' email inboxes...the value is there as expected! But those that are forwarded by the rule to the [email protected] account have no value!

      I have read about the perfmon but I'm a low tech small business owner with just enough understanding to be dangerous (that is why we have SBS!) so I don't know advanced troubleshooting yet...so I'll do reading on how to use perfmon for this logging.

      I have turned off the anti-spam functionality in the 3rd party during testing with no different results. I actually think their product intercepts after the hub transport rules as I note another concern. I tag spam in the 3rd party program with "possible spam" and then try to get exchange to see that in the subject and filter out based on that...but it doesn't work which leads me to believe the 3rd party is after the exchange rules!



      • #4
        Re: exchange 07 anti-spam question...

        If you are seeing the headers in the messages received by the users then the feature is working correctly.

        Have you setup the quarantine mailbox as per the instructions?

        http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

        Simon.


        • #5
          Re: exchange 07 anti-spam question...

          I do believe I got the quarantine setup properly, but I will run down your link again. Thanks again for taking time to repost those for me. I did the following...

          1. Enable content filtering.
          2. Create a spam quarantine mailbox.
          3. Specify the spam quarantine mailbox.
          4. Set the SCL quarantine threshold.
          5. Manage the spam quarantine mailbox.
          6. Adjust the SCL quarantine threshold as needed.

          The only thing I have not done yet is set up an instance of the quarantine user on an Outlook client for proper release of items...I've been viewing via OWA or via my Mac with mail.app and exchange client.

          I just don't understand on those that are quarantined why I cannot see the SCL value...it would be helpful to know!

          I am having issues finding the post I saw last night showing how to set up perfmon for SCL value observations...do you have a solution for setup?



          • #6
            Re: exchange 07 anti-spam question...

            All perfmon does is show you how many messages were being flagged at what levels, nothing more. As you have reported that the messages are being tagged correctly, then there is no point pursuing that option. Perfmon configuration is nothing new though, so a Google search will tell you how to configure it.

            Simon.


            • #7
              Re: exchange 07 anti-spam question...

              Actually a "google search" for me proved painful on a basic understanding of perfmon and how to use it for Exchange SCL coding but I did figure out that these data points were built into the system after several hours of working with perfmon.

              It was useful in seeing where the SCL levels were being set up...but it's just a shame how poor an MS implementation of quarantine management and setting viewable SCL values when the emails are in fact forwarded there. How is an admin to know what value was assigned to an important email that was tagged spam...especially when there is no whitelist (by account user) functionality in Exchange!



              • #8
                Re: exchange 07 anti-spam question...

                The built in antispam is like it is pretty much on purpose.

                If you want something more advanced then you are expected to upgrade. Microsoft have their Forefront product and hosted services, and then there are any number of third party tools.
                It is a basic product with poor management. For some people it works well, for others it does not. I don't use the built in antispam on any of my large sites because its management for a site with major traffic is very poor.

                Simon.


                • #9
                  Re: exchange 07 anti-spam question...

                  Originally posted by Sembee:
                  The built in antispam is like it is pretty much on purpose.

                  If you want something more advanced then you are expected to upgrade. Microsoft have their Forefront product and hosted services, and then there are any number of third party tools.
                  It is a basic product with poor management. For some people it works well, for others it does not. I don't use the built in antispam on any of my large sites because its management for a site with major traffic is very poor.

                  Simon.

                  Not sure what you mean "on purpose"...on purpose bad? Upgrade to what within the AVG product suite...I've got their top of the line product!

                  As a small business owner who knows just enough to install SBS 2008 I found Forefront very confusing and didn't even try. The "other" thing they offered isn't even around anymore...I tried Kaspersky (train wreck on the server side) with remote installs with the default firewall in SBS.

                  It's a shame MS just cannot include some solution as expensive as Exchange is! As an SBS buyer I want a simple solution...neither is provided by MS or AVG in my opinion...



                  • #10
                    Re: exchange 07 anti-spam question...

                    On purpose poor.
                    There is no single answer when it comes to antispam. I have tried every product on the market with my clients and every product will work well for some and work poorly for others. You have to evaluate to see what works for you and the type of spam that you receive.

                    If you bought Exchange as part of SBS and you think it is expensive then you probably don't want to look at the price of the full product!

                    Alas Microsoft have to protect not only their own revenues but also those of their partners. One of the best things about the Exchange ecosystem is that third parties can provide tools and services that are different to what Microsoft can provide.

                    The other product I presume you mean is OneCare. That was an AV product, nothing to do with Antispam. Rather unfortunate that it was pulled shortly after the release of SBS 2008, but SBS 2008 is a combination of products from within different groups inside Microsoft and as with all large companies, internal communication isn't always that great.

                    I also have to say that while Microsoft market SBS as something that someone without massive technical knowledge can configure, it is not something that I agree with. SBS, even back as far as the original versions based on Exchange 2000 is really best handled by an experienced VAR. If setup correctly with the correct combinations of built in and third party tools it does provide a trouble-free existence. I have lots of SBS systems out there that I have deployed that just sit there and get on with it. No disrespect to you, but most of the systems I see with problems have been self deployed. SBS requires some handholding because of the way it works with everything on one system, and get it wrong and it can cause problems.

                    Simon.


                    • #11
                      Re: exchange 07 anti-spam question...

                      Thanks for the comments, always good to read. I understand anti-spam needs but it really shouldn't be that difficult. If I have SBS and under 75 years...there should be an obvious choice for a low tech admin (most SBS buyers are w/o IT or limited IT) for admining anti-spam, anti-virus and quarantine management/release.

                      I do get lots of crap on these tech forums that SBS is still supposed to be installed by "experts" but I have been wrenching on our small business servers for 15 years and know my way around...and very proficient in troubleshooting and understanding all problems...but am still disappointed that MS products with GUI interfaces still need so much PowerShell to do advanced things. There is still too much cryptic stuff. I always used stand alone servers but thought SBS would be the best solution since I wanted us to have an Exchange system again...now that I'm 4 months into testing and 14 days live I know I made the wrong decisions in an attempt to solve needs for our users...but I digress. Bottom line, they don't need to make certain aspects of SBS so fragile and they DO need better admin of something as important as anti-spam and I'll try to find that via 3rd party.

                      I would have gone with Forefront if they had not canceled the other product but I needed cost effective of both anti-virus and spam in one product and thus looked at third party...especially when most are combined. Would have seemed silly to get Forefront at X dollars per user and then double my cost with a 3rd party at equal X per user.

                      We used to have an Astaro firewall server that caught everything and we really didn't need anti-virus or anti-spam at the server or client level...I should have stayed with that solution...the net cost would have been cheapest in $$ and time.

                      thanks again.



                      • #12
                        Re: exchange 07 anti-spam question...

                        I think you have made an error in wanting AV and Antispam from the same vendor. In my experience the Antispam solutions from the AV vendors are very poor. By splitting the tasks it gives you a much wider choice in the market.
                        I am also a fan of having something different protecting Exchange for AV than is on the desktops. While this is something the AV vendors try to say isn't required (as they want to sell you their product) it provides defence in depth.

                        I wouldn't call SBS 2008 fragile, but it is a complex product and therefore requires care to get working correctly. This is where a good VAR or consultant is helpful because they have the experience. With the way that the Microsoft products, in particular Exchange, are now moving in their setup, and the unique skills that are required for that process, self installation is something I would discourage. You learn a lot of things that are simply not required for day to day operation.

                        As for command line, that isn't going to change. Everything Microsoft does server side is going command line with a GUI on top and creating a GUI for tasks that are rarely carried out (in Microsoft's opinion at least) isn't going to happen.
                        Microsoft, like most other vendors, now want the small business to give up having the major applications like Exchange local, and want you in the cloud. Look at the new Aurora product which is getting all of the attention in the technical press at the moment (and how the new version of SBS that was announced next to it is being ignored).

                        Simon.


                        • #13
                          Re: exchange 07 anti-spam question...

                          Well, that sucks to get that opinion now as in the last 6 months of research I've done I have never read anyone on a dozen different forums give that viewpoint about different vendors for anti-spam and anti-virus...and most major products that are recommended again and again have both!

                          As far as VAR goes the last time I had an Exchange server problem (6 years ago) and a "so called" expert in here he destroyed our Exchange install, lost all our data, couldn't get a backup to work and then had the balls to charge me $3000 for a week's worth of work that ended with us scrapping our Exchange server and rebuilding it from scratch that didn't run well for another two years before I pulled the plug...that was the last time I used a VAR in our area. The $3000 we spent was my annual IT budget for our small business, it's a fact regardless of others' opinions. Since then I've worked some trade with a resource in a large city who can remotely check on things (from an hour away) but they have proved to be slow too and make bad decisions. So I jumped on the job as I do with everything at our business and to be honest know an insane amount about running our complicated but small IT structure. I wouldn't mind having someone I can trust help but they simply are not in our area and incompetent. I'm actually known as one of the most proficient IT guys in a town of 50,000...which is sad. I've had other "so called" pros from local BIG business stop down to help to only find that EVERYONE is an expert on a single item and not a big picture generalist like me. In IT few are a "jack of all trades"...everyone is a well paid master of some obscure system, technology or software.

                          When we paid we got little...so I guess we are now getting what we paid for which is little and I only have myself to blame. It works and I'm proud of myself recreating our network from scratch in several months and going live with little problems but as an average Joe who knows enough to get in trouble I'm simply unimpressed with the tools at my disposal. If Server 2008 can be used for Fortune 500 companies one would think something called SBS 2008 would be in fact for "small business" and although it's easy to install there are the same problems and BS that the Fortune 500 companies have to deal with.

                          So as you can see from my rant my experience with professionals and VAR has been poor and I take things in my own hand...so an SBS 2008 install seemed the right thing to do for the size of our operation and limited resources. And yes it's fragile...I retested an install 6 times before going live and each time updates and configuration changes (only with wizards) have broken things that required extensive TechNet reading and tweaking which is BS. A clean install shouldn't have major issues from standard and required updates. I believe MS doesn't test or consider their SBS product in detail when doing updates. If I was running a stand alone Server 2008 install I'm not sure I would have had these same issues.

                          I miss Server 2003 now and forgot how much I hated Exchange servers! I'll come around on this topic but it's a shame that someone out there doesn't have simpler, cost effective and secure solutions. I spent the last year testing Mac servers, UNIX and due to the needs of our tech-less staff still came back to Exchange...boo!

                          I should have gone with the Mac server but their web mail interface was from 1997 and I heard their spam solutions suck too.

                          Thanks for your input, I'm done ranting.
