

Premium Anti-spam fails to detect spam or performs poorly on Windows Server 2008 Small Business Edition.

Question/Issue:
How do I improve spam detection on Windows Server 2008 Small Business Edition?

Symptoms:
E-mails that are clearly spam are not detected by Symantec Mail Security for Microsoft Exchange on Microsoft Small Business Server 2008. Often these messages claim to come from the recipient: if the recipient is "example@test.com", the sender field is also filled out as "example@test.com". This is known as "spoofing" the address of the sender. See the Wikipedia link under the heading "Deception and Fraud" for a detailed description of spoofing.

If you examine the headers of one of these messages by right-clicking the message in Outlook, selecting "Message Options", and scrolling to the bottom of the "Internet headers" box, you will see an entry similar to "X-MS-Exchange-Organization-SCL: -1".

Cause:
Safelisting within the Exchange 2007 built-in anti-spam agents causes spoofed spam to bypass Symantec Mail Security for Microsoft Exchange Premium Anti-spam. These options are configured by default in Small Business Server 2008. Other implementations of Exchange 2007 can also be affected, just not by default.

In a default configuration, Small Business Server 2008 uses a technology called "Safelist aggregation" (see the References section for more information) to transfer client-side safelists to the Exchange server, giving individual users control over their safe senders. While this is a good idea in theory, it combines with two other defaults: the user's contact list is safelisted, and the members of this Exchange server are in the contacts list (hidden). As a result, all connections from senders claiming to be the recipient are tagged with the "X-MS-Exchange-Organization-SCL: -1" X-header and bypass all spam detection.


Solution:
In the future, SMSMSE will include options to ignore Exchange safelisting, but as of release 6.0.9 there is no such option.
For the time being, Safelisting must be disabled within Exchange 2007. Unfortunately, the only way we have found to accomplish this is to disable the Exchange anti-spam agents entirely. However, because Premium Anti-spam is effective at identifying and eliminating spam, these changes should result in a decrease in spam across the board.

To disable Exchange anti-spam agents:

  1. Open the Exchange Management Console.
  2. Navigate to Organization Configuration -> Hub Transport in the console tree on the left-hand side.
  3. Click the Anti-spam tab.
  4. Right-click the Content Filtering feature and select Disable.
  5. Repeat step 4 for each of the remaining agents in the Anti-spam view.

You should notice an immediate decrease in the amount of spoofed spam bypassing the anti-spam scanner. If problems persist, examine the headers of the messages to determine whether "X-MS-Exchange-Organization-SCL: -1" is still present. If so, please contact Microsoft Technical Support for additional steps to prevent this header from being added.
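The header check described above can be scripted for messages whose Internet headers have been copied out of Outlook. This is an added example, not part of the original article or of any Symantec or Microsoft tooling; the function names and sample headers are constructed, and only the header name and the value -1 come from the article.

```python
from email import message_from_string
from email.utils import getaddresses

SCL_HEADER = "X-MS-Exchange-Organization-SCL"

# Constructed sample headers (not taken from a real message).
SPOOFED = """\
Received: from mail.example.net (192.0.2.10) by sbs.test.com
From: "Example" <example@test.com>
To: example@test.com
Subject: constructed sample
X-MS-Exchange-Organization-SCL: -1
"""
SCANNED = """\
From: sender@example.org
To: example@test.com
Subject: constructed sample
X-MS-Exchange-Organization-SCL: 5
"""

def scl_value(msg):
    """Return the SCL stamp as an int, or None if absent or malformed."""
    raw = msg.get(SCL_HEADER)
    try:
        return int(raw.strip()) if raw is not None else None
    except ValueError:
        return None

def addresses(msg, *fields):
    """Lower-cased addresses from the named header fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def triage(raw_headers):
    """Report whether safelisting stamped the message and whether the
    sender address also appears among the recipients."""
    msg = message_from_string(raw_headers)
    scl = scl_value(msg)
    self_addressed = bool(addresses(msg, "From") & addresses(msg, "To", "Cc"))
    return {
        "scl": scl,
        "safelisted": scl == -1,
        "self_addressed": self_addressed,
        # A message a user really sent to themselves also matches.
        "spoof_pattern": scl == -1 and self_addressed,
    }

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("scanned", SCANNED)):
        print(name, triage(sample))
```

Messages that still report `spoof_pattern` after the agents are disabled are the ones to raise with Microsoft Technical Support, as the article advises.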



References:
Microsoft Technet Safelist Aggregation link


Document ID: 2009102910285954
Last Modified: 10/30/2009
Date Created: 10/29/2009
Product(s): Symantec Mail Security 6.0 for Microsoft Exchange
Release(s): SMSMSE 6.0 [All Releases]

