Exchange Server spam and virus tool considerations

When you consider that the majority of email transmitted over the Internet is unsolicited, it’s negligent for an Exchange manager to implement an email system without adequate spam and virus protection. Organizations must evaluate the technologies that can help safeguard them against an onslaught of junk mail and malicious attacks.

While Exchange Server has come a long way in terms of wrapping spam and virus protection within the product, there is a long history of third-party spam and virus protection software and hardware technologies for the product, as well as a mature partner ecosystem. Shops considering how to best secure Exchange Server must weigh compatibility concerns against the possibility of more mature, third-party options.

As an Exchange admin, you’re under pressure to meet compliance, archiving and e-discovery requirements on top of basic system security dictates. Therefore, other considerations for native Exchange tools versus third-party ones include whether the product combines antivirus and antispam protection functionality, as well as whether it incorporates protection and compliance technologies.

As you weigh your options, note that third-party vendors tend to not only have more mature products, but also that their security suites feature higher consolidation levels to encompass a broader range of risk management solutions that integrate together. For example, you can purchase a third-party suite that encompasses email, Web, instant messaging and data-protection features.

In this guide, we examine some of these options and review the features available to prevent security hazards or email gluts from propagating throughout an Exchange Server-based organization. This is insight you need to make a sound buying decision.

Table of contents:

Protecting Exchange from spam and viruses: Justifying the need

Today, spam has become far more than a nuisance. It has become the “getaway vehicle” of sorts for cybercrime perpetrators. According to Norton’s “2011 Cybercrimes Report,” the top cybercrimes last year were the following:

1. Computer viruses and malware
2. Online scams
3. Phishing
4. “Smishing” (or phishing by SMS)

My clients often report that spam constitutes 98% of all inbound mail from the Internet for their companies. Massive botnets create this spam, and it is a constant battle for law enforcement and Exchange managers to keep up with these ever-proliferating issues.

As the capabilities of Exchange Server expand to encompass new sources and destinations for email, the need to protect users also expands. Email can come from a variety of sources within a company that relies on Exchange. The most common source is an email client like Outlook running on a user’s machine.

It’s also possible for email to originate from a line-of-business application such as a customer relationship management or a marketing application that transmits email through Exchange Server. Also, office automation devices such as multifunction printers can scan and email through Exchange Server. And increasingly, mobile devices and applications can connect to Exchange Server via ActiveSync and Web services to send and receive email.

Exchange Server spam and virus tools: Common feature considerations

While these tools may be offered as a consolidated product or suite of products, antispam and antivirus are distinctly different. Both should be assessed separately, as they bring two very different feature sets to the table. As you shop for an antispam solution, your choice should at minimum include these capabilities:

Identify spam with a verified catch rate or service-level agreement (SLA)

• Identify online scams and phishing attacks
• Enable administrators and users to identify false-positive results
• Provide multiple layers of protection, including the following:
  • Leverage existing real-time block lists (RBLs)
  • Create custom allow/block lists
  • Create custom keywords lists
• Keep spam definitions up to date

As you shop for antivirus solutions, consider products that can accomplish the following:

• Run multiple A/V scanning engines
• Quarantine email messages with viruses and malware
• Integrate with Exchange’s Virus Scanning API (VSAPI) and transport agents
• Integrate with client software
• Provide perimeter protection
• Keep virus definitions up-to-date

To secure users’ desktops, laptops and mobile devices, check out Microsoft’s full list of vendors with products that integrate and protect operating systems and Exchange clients from malware. Many of these vendors also specialize in technologies for Exchange Server.

It takes additional research to find Exchange Server-specific vendors. With Microsoft’s release of Forefront Protection for Exchange (FPE) and Microsoft Forefront Online Protection for Exchange (FPOE), it has been competing with vendors that offer Exchange-specific antivirus and spam software. For more, read this overview of FPE and FOPE.

These third-party vendors sell technologies specifically for Exchange Server:

• Avast Software
• GFI Software
• Hexamail Ltd.
• Kaspersky Lab
• McAfee Inc.
• Proland Software
• Sophos
• Symantec Corp.
• Trend Micro Inc.

Exchange Server perimeter protection: On-premises vs. hosted

When it comes to blocking spam and viruses, the most popular technologies today are perimeter-based solutions. These technologies reside in your network’s perimeter which is commonly called the DMZ (or demilitarized zone). These technologies eliminate threats before these risks can even make their way onto your Exchange servers.

These technologies can be hardware appliances, Exchange edge transport servers or hosted services. Perimeter technologies force us into a critical either/or decision: whether to deploy and manage the technology on-premises or to outsource management by subscribing to a hosted service. There are, of course, pros and cons to either choice.

Exchange Server security tools: Special feature considerations

In terms of integrating its technology with Exchange Server, Microsoft has a clear advantage over other vendors when it comes to compatibility. Three features stand out in FPE and FOPE:

DNSBL. This feature automates subscriptions to real-time block list services and enables configuration through a single mouse click.

Backscatter. This feature protects your organization from bogus non-delivery report (NDR) messages.

Cloudmark. You can license this best-of-breed antispam solution from Microsoft for FPE and FOPE. Once FPE is installed, it will replace the default antispam connection filter engine with Cloudmark, which has a 99.77% catch rate. Microsoft guarantees a 98% catch rate in its FOPE service-level agreement.

Microsoft says that four features in Forefront Protection 2010 for Exchange Server differentiate the product from third-party technologies:

Five simultaneous scanning engines to increase the likelihood of catching spam.

1. It uses multi-layer defense architecture, where email has to pass multiple scan of various natures.
2. FPE is easy to administer, monitor and report.
3. The solution supports a hybrid model that integrates both on-premises and online servers, as well a singular solution.

Despite these advantages, however, it isn’t everything for everyone. Sometimes you need a third-party antivirus or antispam solution. When it comes to choosing the best one for your enterprise, which factors should you consider?

The key aspects to look for in a third-party antivirus solution for Exchange Server 2010 are the following:

• Support for latest VSAPI
• Support for hub transport, edge transport and mailbox server roles
• Use of transport agents for scanning
• Support for antivirus stamping
• Support for multiple scanning engines
• Service-level agreement

Evaluating Exchange security products: Common oversights

As you evaluate email security products, it’s easy to lose sight of the big picture and focus on just one aspect of securing email. The most common mistake is to think that installing an appliance or subscribing to a hosted solution will provide all of your antivirus and antispam needs.

Of course, when it comes to protecting your email system, something is better than nothing, though many administrators and organizations have felt the sting of an inadequate solution. With the right strategy, you can eliminate the inherent limitations of a single technology and strive for broader-based email protection.

Consider a defense-in-depth strategy when purchasing spam and virus protection. This approach assumes that your system will be compromised. As a result, multiple layers of defense are set up to thwart the onslaught of spam, viruses and other malware. At a minimum, you should purchase the solutions for the following layers:

1. Gateway perimeter/hosted services. A perimeter/hosted solution blocks spam from coming in and can catch viruses and other malware from coming into or leaving your organization.
2. Exchange transport servers. Transport servers can scan all internal email before it is delivered.
3. Exchange mailbox servers. Mailbox servers can scan messages as they are stored or retrieved from each mailbox regardless of how they get there.
4. Exchange clients. As clients compose and send email, they are most susceptible to the phishing and malware attacks and therefore need the most protection. This layer of protection is arguably the most vital to protecting your organization.

Support is another area that usually isn’t considered until you need it. Despite the sophistication of various top-notch products, you may still have a virus outbreak and need to troubleshoot why the product hasn’t caught these viruses, even with the latest updates.

In that case, you need to know the response time. You may want to research the vendor’s customer support reputation as one of your deciding factors. Larger environments may benefit from a support agreement if one is available.

Securing Exchange Server: Next steps and alternatives

An in-depth strategy does not have to be accomplished all at once. The products you purchase will vary based on the size and type of environment you have. If you are a small company that runs Small Business Server with Exchange Server or a single standalone Exchange Server with all the Exchange server roles installed on a single box, you only have three layers to protect.

If your decision is limited due to budget, remember that you must have spam protection, or your users will lose a tremendous amount of productivity manually cleaning up mailboxes. Your client solution must protect your users from themselves (sending infected files) and others (receiving infected files).

Ultimately, you want to create a full in-depth protection solution. If you’ve already done a solid job of protecting your organization from spam and viruses, consider adding email encryption and nonrepudiation features as additional layers of defense as well.

ABOUT THE AUTHOR
Richard Luckett is the president of LITSG LLC and a consultant and instructor specializing in messaging and communications. Since 1996, Luckett has been a Microsoft Certified IT Professional and a Certified Trainer with more than 10 years of training experience. He is a three-time recipient of the Exchange MVP award, a co-author of Administering Exchange 2000 Server and Exchange Server 2007: The Complete Reference, the author of seven Microsoft Exchange courses, and an email security expert for SearchExchange.com. You can reach him at richard@litsg.com.