How to prevent unsolicited commercial e-mail in Exchange 2003 (821746)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

INTRODUCTION

This article contains information about how to help prevent unsolicited commercial e-mail messages and how to help reduce the risk that your Exchange Server 2003 computer could be used to relay unsolicited commercial e-mail messages.

Unsolicited commercial e-mail messages, or junk e-mail messages, are an annoyance to office and home e-mail users. Deleting these messages wastes time, but if your Exchange Server computers are inadvertently being used as relays for mass mailings, the effects can be far more troublesome.

Note that some of the recommended settings that are discussed in this article only apply if your Internet service provider (ISP) provides store and forward services or a smart host for your domain. This is probably the situation if you have a dial-up connection to the Internet or if your ISP provides firewall, routing, or network address translation services for your organization.

MORE INFORMATION

To help prevent the relay of unsolicited commercial e-mail messages

When you plan and implement the steps to prevent the transmission of unsolicited commercial e-mail messages, there are a number of factors that you must consider.

To prevent relaying

Relaying occurs when an inbound connection to your Simple Mail Transfer Protocol (SMTP) server is used to send e-mail messages to external domains. With unsolicited commercial e-mail, a single message that is sent to your SMTP server with multiple recipients in domains outside your organization is an example of relaying. When the SMTP server is configured to allow anonymous access, it accepts the inbound message from the system that propagates the unsolicited commercial e-mail just as it would any other message. After the message is accepted, the SMTP server recognizes that the recipients belong to external domains, and it delivers the message to them. The unauthorized senders only have to submit one inbound message to your SMTP server for it to be delivered to thousands of recipients. This can degrade performance and congest the queues, and it annoys the recipients when the messages arrive.

To prevent relaying, do not grant relay permissions to other hosts. However, there are situations when relaying is required. You may have Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) clients who rely on SMTP for message delivery. These clients may have legitimate reasons for sending e-mail messages to external domains. To work around this issue, create a second SMTP virtual server that is dedicated to receiving e-mail messages from POP3 and from IMAP4 clients. You can configure this additional SMTP virtual server to use authentication that is combined with Secure Sockets Layer (SSL) based encryption, and then configure it to permit relaying for authenticated clients.

Note By default, the Default SMTP Virtual Server in Exchange 2003 is configured to prevent relaying of e-mail messages through the virtual server.

To prevent computers from relaying messages through the SMTP virtual server:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  4. Click the Access tab, and then click Relay.
  5. In the Relay Restrictions dialog box, click Only the list below (if it is not already selected), and then make sure that the Computers list is empty.

    If you are not using any POP3 and IMAP4 clients with this virtual server, click to clear the Allow all computers which successfully authenticate to relay, regardless of the list above check box, and then click OK.
  6. Click OK.

To configure connection filtering

Global connection filtering always supersedes the settings on an individual SMTP virtual server. For example, if you set your SMTP virtual server to only accept connections from a particular IP address, and you then deny that same IP address on your global connection filter, the Exchange computer will not accept e-mail messages from that address.

To enable global connection filtering, follow these steps:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Global Settings, right-click Message Delivery, and then click Properties.
  3. Click the Connection Filtering tab, and then click Add.
  4. In the Display Name box, type the name for the connection filter.
  5. In the DNS Suffix of Provider box, type the DNS suffix that your ISP appends to the IP address.
  6. If you want to specify a custom error message, type the message that you want in the Custom Error Message to Return box.
  7. To specify a return status code, click Custom Error Message to Return, and then specify the status code that you want to use.
  8. Click OK.

To enable connection filtering:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  4. Click the General tab, and then click Advanced.
  5. In the Address list, click the IP address where you want to apply connection filtering, and then click Edit.
  6. Click to select the Apply Connection Filter check box, click OK, and then click OK.

To configure sender filtering

When you enable sender filtering on the SMTP virtual server, e-mail messages that are received from any sender on the sender filter list are not accepted. Sender filtering is defined globally, but you enable it on a per-IP address basis on the SMTP virtual server.

To create a sender filter:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Global Settings, right-click Message Delivery, and then click Properties.
  3. Click the Sender Filtering tab, and then click Add.
  4. Type the name of the sender whose messages you want to filter in SMTP address format, and then click OK.
  5. Specify any additional filter options that you want to configure, and then click OK.

To enable sender filtering on the SMTP virtual server:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  4. Click the General tab, and then click Advanced.
  5. In the Address list, click the IP address where you want to apply the sender filter, and then click Edit.
  6. Click to select the Apply Sender Filter check box, click OK, and then click OK.

To configure IP address restrictions

When you configure IP address restrictions, you can specify the IP addresses, the IP ranges, or the Domain Name System (DNS) domains that your SMTP server accepts inbound sessions from. This is useful if your ISP accepts messages on your behalf and then forwards the messages to you, because it prevents other hosts from connecting to your SMTP connector.

Note For IP address restrictions to function, the mail exchanger (MX) record in your domain's Internet DNS zone must point to the e-mail messaging server of your ISP, not to your Exchange 2003 computer. If you receive your external SMTP e-mail messages from the e-mail messaging server of your ISP, you can configure IP address restrictions so that your SMTP virtual server accepts connections only from that server.

To configure IP address restrictions:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  4. Click the Access tab, and then click Connection.
  5. In the Connection dialog box, click Only the list below.

    This indicates that only the IP addresses and the domains that are in the list are permitted to connect to the SMTP virtual server.
  6. Click Add, and then do one of the following to add a single computer, group of computers, or a domain, as appropriate to your situation:
    • To add a single computer, click Single Computer, type the IP address of the e-mail messaging server of your ISP in the IP address box, and then click OK.

      Alternatively, click DNS Lookup, type a host name, and then click OK.
    • To add a group of computers, click Group of computers, type the subnet address and the subnet mask of the group in the corresponding boxes, and then click OK.

      Microsoft recommends this option if your ISP has a tendency to change the IP address of its e-mail messaging server without warning.
    • To add a domain, click Domain, type the domain name that you want in the Name box, and then click OK.

      Note that this option requires a DNS reverse lookup on each incoming connection. This requirement may adversely affect the performance of the Exchange server. For more information, see the Troubleshoot section later in this article.
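The two inbound connection checks described above (global connection filtering against the provider's DNS suffix, and the virtual server's IP address restrictions with Single Computer, Group of computers and Domain entries), together with the rule that the global filter always supersedes the virtual server's list, as an added Python model; this is example code, not Exchange code. The DNS data, addresses, provider suffix and the 550 5.7.1 reply text are constructed assumptions, and the DNSBL query name is built the conventional way, by reversing the octets and appending the provider's suffix.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (not from the article).
FAKE_A_RECORDS = {"4.3.2.1.bl.example.net": "127.0.0.2"}    # 1.2.3.4 is on the provider's list
FAKE_PTR_RECORDS = {"198.51.100.25": "mx1.isp.example.net"}  # reverse name of the ISP's mail server


def dnsbl_query_name(ip, provider_suffix):
    """Reverse the octets and append the provider's DNS suffix (the usual DNSBL convention)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + provider_suffix.strip(".")


def global_filter_reply(ip, filters, resolve_a):
    """Return the SMTP reply a matching global connection filter sends, or None if none matches."""
    for rule in filters:
        if resolve_a(dnsbl_query_name(ip, rule["suffix"])) is not None:
            return f"{rule['status']} {rule['message']}"
    return None


def virtual_server_allows(ip, entries, resolve_ptr):
    """Evaluate the 'Only the list below' connection list of one SMTP virtual server."""
    addr = ipaddress.IPv4Address(ip)
    for kind, value in entries:
        if kind == "single" and addr == ipaddress.IPv4Address(value):
            return True
        if kind == "group":                      # subnet address plus subnet mask
            subnet, mask = value
            if addr in ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False):
                return True
        if kind == "domain":                     # costs a reverse lookup on every connection
            name = resolve_ptr(ip)
            if name and (name == value or name.endswith("." + value)):
                return True
    return False


def inbound_decision(ip, filters, entries,
                     resolve_a=FAKE_A_RECORDS.get, resolve_ptr=FAKE_PTR_RECORDS.get):
    """Global connection filtering is checked first and always supersedes the virtual server's list."""
    reply = global_filter_reply(ip, filters, resolve_a)
    if reply:
        return reply
    if not virtual_server_allows(ip, entries, resolve_ptr):
        return "connection declined: not in the virtual server's list"
    return "connection accepted"
```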

To configure authentication

When you configure user-based authentication, external hosts or clients must use a user name and a password to log on to the SMTP virtual server. As with IP address restrictions, you can configure authentication if your ISP acts as a message relay for your organization and can make authenticated connections to your SMTP virtual server. Your ISP must also support Transport Layer Security (TLS), which encrypts both the authentication exchange and the message transfer session.

Note Your ISP may not support the Integrated Windows Authentication option (formerly named NTLM or Windows NT Challenge/Response authentication).

To configure authentication:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  4. Click the Access tab, and then click Authentication.
  5. In the Authentication dialog box, click to clear the Anonymous access and the Integrated Windows Authentication check boxes.

    Make sure that the Basic authentication (password is sent in clear text) check box is selected.
  6. If your ISP supports Transport Layer Security, click to select the Requires TLS encryption check box.
  7. Click OK.
  8. Add a user account and password to Active Directory, and then notify your ISP of these credentials. This account provides authentication for the inbound connection.

To set message limits

Setting message limits involves changing the default number of recipients per message. This procedure reduces the effect of unsolicited commercial e-mail messages by preventing the delivery of a single message to many individuals. Additionally, you can reduce the maximum message size and the maximum session size.

Note If you reduce the number of recipients per message, this procedure can affect delivery to your internal recipients if you have large distribution lists that receive e-mail messages by means of SMTP. However, this is not an issue for MAPI recipients.

To set message limits:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  4. Click the Messages tab.
  5. To configure message limits:
    1. Click to select the Limit message size to (KB) check box, and then specify a value that is smaller than the current value.

      For example, type 2048.
    2. Click to select the Limit session size to (KB) check box, and then type 4096.
    3. Leave Limit number of messages per connection to at its default value of 20.

      You do not have to change this value.
    4. Set Limit number of recipients per message to to a value between 100 and 1000.

      The default setting is 64,000.

      Note The value that you specify depends on the messaging requirements of your organization and on the size of your organization's external distribution lists. Any message that is addressed to more recipients than this number is returned to the sender with a non-delivery report (NDR).
  6. Click OK.

To configure the SMTP connector

You may have already created an SMTP connector on your Exchange 2003 computer to make outbound connections and to accept inbound connections to and from other SMTP servers on the Internet. This SMTP connector must be associated with at least one SMTP virtual server to operate. You must verify that the SMTP connector is correctly configured to reduce the risk of relaying unsolicited commercial e-mail messages.

To configure the SMTP connector:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand Routing Group, and then expand Connectors.
  3. Right-click the SMTP connector that you use for inbound and for outbound e-mail messages to the Internet, and then click Properties.
  4. If your ISP provides store and forward facilities for your incoming e-mail messages, it is likely that your ISP also provides a smart host for your outgoing e-mail messages. If this is the situation, click Forward all mail through this connector to the following smart hosts, and then type the IP address or the fully qualified domain name (FQDN) of the e-mail messaging server of your ISP.
  5. Click the Address Space tab, and then click to clear the Allow messages to be relayed to these domains check box if it is selected.

    Note The SMTP connector that delivers e-mail messages to the Internet typically uses an asterisk (*) (that indicates all domains) as its address space. If you click to select the Allow messages to be relayed to these domains check box, relaying to all external domains is enabled. If you use a smart host for outbound e-mail messages, contact your ISP for more information about how to configure security for e-mail message delivery.
  6. Click the Advanced tab, and then click Outbound Security. If your ISP supports authentication and encryption, click Basic authentication (password is sent in clear text), click Modify, add the user account and the password to use for access to the smart host of your ISP, and then click OK.
  7. Click to select the TLS encryption check box, click OK, and then click OK.

To confirm that the SMTP virtual server settings that you configured work correctly

To confirm that the SMTP virtual server settings that you configured work correctly:
  1. To confirm that the IP restrictions work correctly, use a POP3 or an IMAP4 client to try to connect to the server from an excluded IP address. If the IP restrictions are configured correctly, you receive a message that notifies you that the connection to the server is declined.
  2. To confirm that the relay restrictions work correctly, connect to the server by using a POP3 or an IMAP4 client from a non-excluded IP address, and then send an e-mail message to an external domain. If the relay restrictions are configured correctly, you receive a message that notifies you that delivery to the external domain is refused because of relay restrictions.
  3. To verify Transport Layer Security authentication and encryption, confirm that you can receive e-mail messages from the e-mail messaging server of the ISP that provides store and forward services for your domain. Run Network Monitor on your Exchange Server computer and capture the packets that come from the IP address of the ISP's e-mail messaging server on port 25 (0019h). If TLS is working, the payloads are encrypted and neither the user name nor the password credentials are visible in the capture.
  4. To confirm reverse DNS lookup, send a message to your domain from an address that does not match the domain that sent it. If reverse DNS lookup works correctly, this message appears in the Badmail folder.
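Step 2 above, automated as an added Python example (not from the article): it runs an unauthenticated SMTP session against your own virtual server, issues RCPT TO an external address and reports whether the server refused it with a 5xx reply, resetting the session before DATA so that no message is ever sent. The host names, the probe sender and the canned server replies used for the offline run are constructed; check_server is the live version of the same check.

```python
import io
import socket


def read_reply(rfile):
    """Read one SMTP reply, following '250-' continuation lines; return (code, final line)."""
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != "-":                 # a space after the code ends a multi-line reply
            return int(line[:3]), line


def command(rfile, wfile, text):
    """Send one SMTP command and return the server's reply."""
    wfile.write((text + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def relay_is_blocked(rfile, wfile, helo_name, external_rcpt, probe_sender="relaytest@example.net"):
    """True if an unauthenticated session is refused when it names an external recipient."""
    read_reply(rfile)                                         # 220 banner
    command(rfile, wfile, f"EHLO {helo_name}")
    command(rfile, wfile, f"MAIL FROM:<{probe_sender}>")
    code, _ = command(rfile, wfile, f"RCPT TO:<{external_rcpt}>")
    command(rfile, wfile, "RSET")                             # abandon the envelope; nothing is sent
    command(rfile, wfile, "QUIT")
    return 500 <= code < 600                                  # Exchange answers 550 5.7.1 Unable to relay


def check_server(host, external_rcpt, port=25, timeout=10):
    """Live version: connect to your SMTP virtual server and run the probe over TCP."""
    with socket.create_connection((host, port), timeout) as sock:
        return relay_is_blocked(sock.makefile("rb"), sock.makefile("wb"), socket.getfqdn(), external_rcpt)


# Constructed replies of a correctly restricted virtual server, for running offline.
LOCKED_DOWN_SERVER = (
    b"220 mail.contoso.example Microsoft ESMTP MAIL Service ready\r\n"
    b"250-mail.contoso.example Hello [203.0.113.9]\r\n250-SIZE 2097152\r\n250 OK\r\n"
    b"250 2.1.0 relaytest@example.net....Sender OK\r\n"
    b"550 5.7.1 Unable to relay for someone@external.example\r\n"
    b"250 2.0.0 Resetting\r\n"
    b"221 2.0.0 mail.contoso.example Service closing transmission channel\r\n"
)


def offline_demo(replies=LOCKED_DOWN_SERVER):
    """Run the probe against the canned replies instead of a live socket."""
    return relay_is_blocked(io.BytesIO(replies), io.BytesIO(), "client.example.net", "someone@external.example")
```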

Troubleshoot

Any restrictions that are based on DNS lookup can adversely affect the performance of the Exchange 2003-based computer. Because the server performs a reverse DNS lookup on each inbound connection, a DNS reverse lookup zone must be available and the sending host must be registered with that zone.

REFERENCES

For more information about Exchange Server 2003, visit the following Microsoft Web site:

Modification Type: Minor
Last Reviewed: 11/7/2005
Keywords: kbHOWTOmaster KB821746 kbAudITPRO