Saturday, October 31, 2009

Dell PowerConnect 5448 Switch 100mbps?

I have a Dell PowerConnect 5448 switch with random workstations connecting at 100Mbps instead of 1Gbps. This is a new internet cafe with brand new CAT6 cabling. 12 workstations have Intel network cards, 28 have Broadcom network cards.

If I do a show running config on the switch we can see that the speed is set to 1000 by default for all ports.



One of the PCs that is syncing at 100Mbps is on port g33 of the switch. Below I manually configured g33 to force it to 1Gbps.



I then unplugged the CAT6 network cable from port g33, then plugged it back in so it could re-negotiate speed. Again it came up as 100Mbps. I then plugged the machine into a TP-Link switch... it negotiated at 1Gbps straight away, so it is not the cabling.

The firmware I'm running as of this writing is 2.0.0.41 on the PowerConnect 5448 switch, which is the latest at this time.

Please note that this is a random occurrence. If I keep unplugging the network cable and plugging it back in, it will eventually negotiate at 1Gbps.

This is not the only problem I have found with the Dell PowerConnect 5448 switch. It also delays up to 10 seconds when passing on DHCP requests. Please see:

http://clintboessen.blogspot.com/2009/10/dell-powerconnect-5448-symantec-ghost.html

I believe the hardware in the Dell PowerConnect 5448 is fine... however I would avoid purchasing this switch until they release another firmware update resolving these problems.

Dell PowerConnect 5448 Symantec Ghost Problem

I am running a Dell PowerConnect 5448. I upgraded the firmware from 2.0.0.35 to 2.0.0.41 (the latest as of this writing). However, when I try to PXE boot the Ghost client I get the following error:

Application Error 19913

Unable to start TCP/IP
Can't find DHCP server
Possible Network setup Problem

If the problem persists, contact Symantec Technical Support at http://service.symantec.com.

This is because the Dell PowerConnect 5448 for some reason takes up to 9 seconds to relay a DHCP request from the switch to the DHCP server. The problem could not be resolved; the only fix was to replace the switch.

Configure Dell PowerConnect Switches

I had to configure a Dell PowerConnect 5448 switch the other day... the syntax is a little different to that of a Cisco. First let's give the switch an IP address on the main VLAN, using a console cable:

enable
configure
interface vlan 1
ip address 100.1.1.1 255.255.255.0
exit

Easy enough? Now let's configure a console and telnet password... because you cannot access the switch over telnet without a password:

Console Password:

enable
configure
aaa authentication login default line
aaa authentication enable default line
line console
login authentication default
enable authentication default
password yourpassword

Telnet Password:

enable
configure
aaa authentication login default line
aaa authentication enable default line
line telnet
login authentication default
enable authentication default
password yourpassword

Once this is done you can walk away and configure the switch from the comfort of your desk. One site I found very useful while configuring the Dell switch was:

http://systems.cs.colorado.edu/Manuals/Dell/Dell%20Power%20Connect%206024/Dell%20Power%20Connect%206024%20Users%20Guide/configur.htm

It contains most of the everyday switch configuration options you will need when setting up a Dell switch.

Tuesday, October 27, 2009

Ubuntu Jaunty 9.04 ppp connect on boot problem

I'm running Ubuntu Jaunty 9.04 and I noticed a bug with it.

cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.04
DISTRIB_CODENAME=jaunty
DISTRIB_DESCRIPTION="Ubuntu 9.04"

I set up my ADSL connection with pppoeconf... in the pppoeconf wizard I specified to connect automatically on boot. This adds the following to my /etc/network/interfaces file:

auto dsl-provider
iface dsl-provider inet ppp
provider dsl-provider
# please do not modify the following line
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf

This usually connects the ADSL connection automatically on boot, however for some reason in Jaunty it doesn't work. To get around this I just added it to the bottom of my rc.local file in /etc/init.d. I told it to sleep for 10 seconds before trying to connect:



If anyone knows the proper fix please let me know... this is just a handy work around.

Monday, October 26, 2009

NDIS2 Intel 82567 LM-3 Gigabit Adapter

I needed the NDIS2 driver for the Intel 82567 network adapters... After surfing the internet for 45 minutes I finally found it. Intel's website is so hard to navigate and their search functionality is useless... Broadcom is so much easier!

The Intel 82567 LM-3 Gigabit Adapter (which this NDIS2 driver is for) is used in Dell Optiplex 760 PCs.

82567 LM-3 has a vendor ID of 8086 and Device ID of 10DE.

Here is the link to download it:

http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProductID=2775&DwnldID=4239&strOSs=All&OSFullName=All%20Operating%20Systems&lang=eng

Hopefully I saved you 45 minutes!

Sunday, October 25, 2009

OpenVPN Issue on Ubuntu Jaunty 9.04

I have a bunch of Linux routers all meshed together running Ubuntu 8.04.3 with OpenVPN. I added a new Ubuntu Jaunty 9.04 router into the mix today, copied my generated private key via scp to the new box and set up a new connector back to another site. When I started the VPN using the firewall script I wrote, I was getting the following error:

/usr/sbin/openvpn-vulnkey:22: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5



In the daemon.log file under /var/log I was getting the following:

Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 10.5.15.1 10.5.15.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Local Options hash (VER=V4): 'bd07f87b'
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Expected Remote Options hash (VER=V4): '47793853'
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: failed to find GID for group nobody
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Exiting



In previous versions of Ubuntu there was a group called nobody; now in Ubuntu 9 there is just a group called nogroup with a GID of 65534. In previous versions of Ubuntu the group nobody had a GID of 1002, so I recreated it with the same GID.

groupadd -g 1002 nobody

OpenVPN failed again, this time I got the following error in the daemon.log file upon restarting it:

Oct 25 20:04:10 bunbline1 ovpn-bunbury-dunsborough[9176]: chroot to '/var/empty' failed: No such file or directory (errno=2)

In previous versions of Ubuntu, as you may have guessed, there was a directory called /var/empty. Make this directory with:

mkdir /var/empty

Now when I start the VPN I get the following:



However it's no longer saying failed... it is coming up as OK and data is passing through the VPN perfectly fine. However it is not liking the key I generated on Ubuntu 8 by the looks of it... but it is accepting it. I got it working, but if anyone has more information on this, please do leave a comment.

Wednesday, October 21, 2009

LDAP Queries for Group Scope

Suppose you want to view all Global Groups in your domain? How would you do this? LDAP queries! LDAP queries for group scope are a little weird... however here are the queries you need:

All Security Groups with a type of Global
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))

All Security Groups with a type of Domain Local
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))

All Security Groups with a type of Universal
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))

All Distribution Groups with a type of Global:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

All Distribution Groups with type of Domain Local:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

All Distribution Groups with type of Universal:
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

How do you use them? In Active Directory Users and Computers, under Saved Queries.



Click Define Query:



Choose Custom Search from the drop down box:



Click the advanced tab then enter your query:




You can also run these queries through dsquery.

All Security Groups with a type of Global:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))" -limit 0

All Security Groups with a type of Domain Local:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))" -limit 0

All Security Groups with a type of Universal:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))" -limit 0

All Distribution Groups with type of Global:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0

All Distribution Groups with type of Domain Local:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0

All Distribution Groups with type of Universal:
dsquery * dc=domain,dc=local -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))" -limit 0


Here are the values used to calculate these queries. The matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so a security group of a given scope is the scope value plus 2147483648, and the distribution group queries have to exclude the security bit explicitly:

Global = +2
Domain Local = +4
Universal = +8
Security Group = +2147483648
Distribution Group = 0
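As an added example (not part of the original post), the following Python builds the filters above from the listed bit values, reproduces the bitwise-AND test that the 1.2.840.113556.1.4.803 matching rule performs on the domain controller, and decodes a raw groupType value (which comes back signed, so security groups read negative). Function names are this example's own; dc=domain,dc=local is the placeholder used in the dsquery commands.

```python
from typing import Dict, Tuple

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Values from the post: scope bits plus the security-enabled bit (0x80000000).
SCOPE_BITS: Dict[str, int] = {"Global": 2, "Domain Local": 4, "Universal": 8}
SECURITY_ENABLED = 2147483648


def group_type_value(scope: str, security: bool) -> int:
    """groupType value for a group of the given scope (distribution groups add 0)."""
    return SCOPE_BITS[scope] | (SECURITY_ENABLED if security else 0)


def group_scope_filter(scope: str, security: bool) -> str:
    """The LDAP filter the post lists for this scope/type combination."""
    rule = LDAP_MATCHING_RULE_BIT_AND
    if security:
        return (f"(&(objectCategory=group)"
                f"(groupType:{rule}:={group_type_value(scope, True)}))")
    # The AND match only requires the listed bits to be set, so a security group
    # of the same scope would also match; exclude the security bit explicitly.
    return (f"(&(objectCategory=group)(groupType:{rule}:={SCOPE_BITS[scope]})"
            f"(!(groupType:{rule}:={SECURITY_ENABLED})))")


def dsquery_command(scope: str, security: bool,
                    base_dn: str = "dc=domain,dc=local") -> str:
    """The equivalent dsquery command line."""
    return f'dsquery * {base_dn} -filter "{group_scope_filter(scope, security)}" -limit 0'


def to_unsigned32(value: int) -> int:
    # Active Directory stores groupType as a signed 32-bit integer, so a global
    # security group reads back as -2147483646 rather than 2147483650.
    return value & 0xFFFFFFFF


def bit_and_matches(attribute_value: int, required_bits: int) -> bool:
    """What the DC computes for groupType:1.2.840.113556.1.4.803:=required_bits."""
    return (to_unsigned32(attribute_value) & required_bits) == required_bits


def matches_query(attribute_value: int, scope: str, security: bool) -> bool:
    """Evaluate the post's filter against one group's groupType without a directory."""
    if security:
        return bit_and_matches(attribute_value, group_type_value(scope, True))
    return (bit_and_matches(attribute_value, SCOPE_BITS[scope])
            and not bit_and_matches(attribute_value, SECURITY_ENABLED))


def decode_group_type(value: int) -> Tuple[str, bool]:
    """Turn a raw groupType attribute into (scope, is_security_group)."""
    unsigned = to_unsigned32(value)
    security = bool(unsigned & SECURITY_ENABLED)
    scopes = [name for name, bits in SCOPE_BITS.items() if unsigned & bits]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not encode exactly one scope")
    return scopes[0], security


if __name__ == "__main__":
    for scope in SCOPE_BITS:
        for security in (True, False):
            print(dsquery_command(scope, security))
    print(decode_group_type(-2147483646))
```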

Tuesday, October 20, 2009

Replaced Router and received LsaSrv error 40960 and 40961

We replaced a Cisco router out at a remote branch for one of our clients. After doing this, network connectivity was there, however certain types of traffic were not getting through, Kerberos authentication being one of them. The Windows boxes on the network were receiving the following LsaSrv errors:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 15/10/2009
Time: 12:58:53 PM
User: N/A
Computer: XP1402334
Description:
The Security System detected an attempted downgrade attack for server cifs/domaincontroller.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".



Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 15/10/2009
Time: 12:58:53 PM
User: N/A
Computer: XP1402334
Description:
The Security System could not establish a secured connection with the server cifs/domaincontroller.domain.local. No authentication protocol was available.



My colleague Jason resolved the problem by enabling ip proxy-arp on the VLAN 1 interface on the new router. Usually under Cisco best practices you need to disable ip proxy-arp. Here was the config that was causing the errors:

!
Interface vlan 1
ip address X.X.X.X 255.255.255.0
no ip proxy-arp
no ip redirects
no ip unreachables
!

To enable IP proxy-arp on VLAN1 use the following commands:
!
Interface vlan 1
ip proxy-arp
!

You will need to be in enable, conf t mode on the Cisco router.

For more information on proxy-arp see:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

Friday, October 16, 2009

Exchange 2000 error 0x8000FFFF: An unexpected error occurred

When uninstalling Exchange 2000 I got the following prompt appear:



Everything I clicked on showed the following error:

Setup failed while (error 0x8000FFFF: An unexpected error occurred.) .

Additional information:
An unexpected error occurred.

ID no: 8000ffff
Microsoft Exchange Setup


Function:
CComExchSetupComponent::HrPromptForCDIfNecessary
CComExchSetupComponent::Install


I have uninstalled Exchange 2000 many times through Add and Remove Programs and never had this before - really weird. The fix for this was to run the Exchange setup application from the Exchange 2000 CD under D:\Setup\i386\setup.exe, and select Remove for all Exchange components. Maybe the installation files on drive C: were corrupt?

Thursday, October 15, 2009

Exchange 2000 Uninstallation Error

When uninstalling Exchange 2000 I received the following error:

Setup encountered an error while checking prerequisites for the component "Microsoft Exchange 2000": 0x80072030 (8240): There is no such object on the server



This error occurs if the Exchange Domain Servers or Exchange Enterprise Servers security groups have been moved or renamed out of the default Users container.



This also applies to Exchange 2003.

Wednesday, October 14, 2009

Windows Server 2008 ADMT 3.1 PES Password Issue

When installing the Password Export Server on a Server 2008 Domain Controller in the destination forest, the following error was encountered entering the password for the .pes file security key that was generated in the source forest:

The supplied password does not match this encryption key's password. ADMT's Password Migration Filter DLL will not install without a valid encryption key.





The error that was being generated "the password does not match this encryption key" is bogus, as the password did match. This error was actually being generated by a permission problem to the SAM database caused by UAC (user account control).

To get around this run a command prompt as administrator and launch pwdmig.msi from there. Ensure the command prompt is running as administrator!

Monday, October 12, 2009

Exchange 2010 Dumpster 2.0

In this post I will be going over Dumpster 1.0 which was around in Exchange 2003 and 2007 and how it worked. I will then be covering Dumpster 2.0 in Exchange 2010 and the differences between the two.

What is the Dumpster?

The dumpster is the location that deleted emails go to after a user has removed them from their mailbox completely. These deleted emails hang around for a retention period of x days, which is configured by the Exchange administrator. This is not the Deleted Items container in Outlook or OWA; it is a special place for emails removed entirely from the Outlook interface.

Provided the administrator has a retention period set up for deleted items, an end user can use Outlook or OWA to recover items out of the Exchange mailbox dumpster by using Recover Deleted Items. If there is no retention set, when emails are deleted from a mailbox they are gone forever.



By default permanently deleted emails are retained for 7 days in 2003 and 14 days in 2007.

Dumpster 1.0

Dumpster 1.0 worked by marking items that are permanently deleted with a ptagDeletedOnFlag attribute. Items permanently deleted remain in the place they were deleted from. If you were to delete an email from Outlook or OWA it would normally go to your Deleted Items. If you were to then delete it from your Deleted Items it would be marked with the ptagDeletedOnFlag attribute.

One thing to note here: you can delete an item from your Inbox or another folder in Outlook by using Shift + Delete. This will send it straight to the dumpster, bypassing the Deleted Items folder. When you do this it gets marked with the ptagDeletedOnFlag attribute, however by default you cannot use the Recover Deleted Items option in Outlook. Out of the box, Recover Deleted Items only works if the item was permanently deleted while residing in the user's Deleted Items. See below: for the Inbox, Recover Deleted Items is greyed out.



However for the Deleted Items container it is fine:



There is a registry key you can set on the workstations, called DumpsterAlwaysOn, to allow users to recover items from the dumpster in any folder; see Microsoft KB886205. I personally always create a custom ADM to enable this key on everyone's workstation for Dumpster 1.0. Flick me an email or leave a comment if you would like information on how to do this.

Dumpster 2.0

In Exchange 2010 the Dumpster has been redesigned to perform the following actions:
- Ensure Exchange Dumpster Data moves with the mailbox
- Dumpster data is indexed and discoverable by search
- Dumpster data must have a quota
- Ability to prevent purging data from a users dumpster
- Track editing of certain content (versioning in the dumpster)
- Dumpster should be per mailbox not per folder.

Dumpster 2.0 no longer flags emails users permanently delete with the ptagDeletedOnFlag attribute. Instead, Dumpster 2.0 moves the emails to a new folder under the Non-IPM subtree in the user's mailbox called Recoverable Items (note this section of the mailbox cannot be viewed by any client-side mail client, only by using MAPI editing software such as MFCMAPI).

Inside the Recoverable Items folder there are three sub-folders, each with a different purpose which will be explained below:
- Deletions
- Purges
- Versions

The Deletions folder replaces the ptagDeletedOnFlag attribute: emails are now moved from their original location to the Deletions folder. If a user empties their Deleted Items folder or Shift+Deletes an email, this is where it goes.

In Dumpster 1.0 users were able to delete items from the Recover Deleted Items folder, thereby permanently removing them. This allowed users to hide incriminating emails, which presented a problem with legal issues and court cases. Now in Dumpster 2.0, if a user deletes an email from the Deletions folder using the Recover Deleted Items tool, it simply moves it to the Purges folder. Once in this folder it cannot be recovered with client-side Exchange software, however if it is needed an administrator can use MAPI editing software to pull the email out.

The Versions folder is used for versioning: whenever an item is changed, a copy-on-write is performed to preserve the original version of the item in this folder. This folder is not exposed to the end user. Copy-on-write will capture changes in the subject, body, attachments, senders/recipients, and sent/received dates. Drafts are exempt from the copy-on-write.

Now with transport dumpster there are two types of modes you can enable:
- Short-term preservation of data
- Long-term preservation of data

Short-term preservation of data

Short-term preservation of data is similar to that of Exchange 2003/2007 just better. This just allows emails to be recovered after a set amount of days after being deleted.

In Exchange 2003/2007 this could only be enabled on a mailbox database level. Now in Exchange 2010 this can be set at a database or mailbox level. If you want to enable retention on a mailbox use:

Set-Mailbox <identity> -SingleItemRecoveryEnabled $true

If you don't run this command on a mailbox you will not be able to set deleted items retention against it at a mailbox level. To set the retentions in Exchange 2010 use the following commands:

Set-MailboxDatabase <identity> -DeletedItemsRetention <number of days>
Set-Mailbox <identity> -DeletedItemsRetention <number of days>


Please note that calendar items maintain the Recoverable Items folder structure for 120 days in short-term preservation, regardless of what retention setting you have in place.

Long-term preservation of data

Customers sometimes require mechanisms by which data is maintained for longer periods of time, say indefinitely. This may be required during a litigation hold, which occurs when particular users or individuals are involved in lawsuits. With Exchange 2010, litigation hold can be enabled by using:

Set-Mailbox <identity> -LitigationHoldEnabled $true

Users may go into the Deleted Items folder using the Recover Deleted Items tool and delete them, sending them to the Purges container. But there they will sit indefinitely with this option set.

Recoverable Items Quotas

Dumpster 2.0 allows you to configure quotas by using the "RecoverableItemsWarningQuota" or the "RecoverableItemsQuota" policy.

RecoverableItemsWarningQuota provides warnings after the Recoverable Items folder has exceeded the quota.

RecoverableItemsQuota removes the oldest items in the dumpster to make way for newer items once the quota has been breached.

Monday, October 5, 2009

How to Configure a Complete Memory Dump on Server 2008

In the 2008 GUI the option for Complete Memory dump has been removed - why I don't know.



To configure the complete memory dump you need to do it via the registry. Navigate to:

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl

Modify CrashDumpEnabled to a decimal value of 1.



It now shows as a complete memory dump:

Thursday, October 1, 2009

Exchange 2007 Anti Spam Filtering

Many companies go out and buy expensive third party spam appliances that act as smart hosts in their DMZ before understanding what they have already purchased when buying Exchange 2007 licenses. In this post I am going to highlight the full extent of Exchange 2007's new anti-spam technology and also provide better alternatives than spam appliances for companies that want to go beyond the functionality provided in Exchange Server. By reading this I hope you achieve a more strategic approach to your anti-spam technology and save money where possible.

People don't know that Exchange 2007 can do spam filtering because all the spam filtering functionality is disabled by default. To enable it you need to run a PowerShell script located in C:\Program Files\Microsoft\Exchange Server\Scripts called install-AntispamAgents.ps1. This can be enabled on a Hub Transport server or an Edge Transport server. Edge Transport is the ideal server role to enable anti-spam on, as it is designed to sit out in the DMZ by itself and communicate with the outside world. For more information about enabling the anti-spam agents see:

http://www.petri.co.il/install-anti-spam-exchange-2007.htm

Below we will be going through the various aspects of Exchange 2007's Anti Spam Technology:

Content filtering

Exchange 2007's Content Filter is called the IMF (Intelligent Message Filter). Content filtering works on the same principle regardless of what anti-spam device you're using. With content filtering, the anti-spam server downloads the entire email, then analyses the email and assigns an SCL (Spam Confidence Level) rating from 0 to 9. A value of 9 is definitely spam, a value of 0 is not spam. Like any content filter you can make it stricter or looser... the stricter you make it, the more false positives you get (emails that are legitimate but detected as spam).

You can configure the Content Filter agent to take the following actions on messages according to their SCL rating:

- Delete message
- Reject message
- Quarantine message

For example, you may determine that messages that have an SCL rating of 7 or higher must be deleted, messages that have an SCL rating of 6 must be rejected, and messages that have an SCL rating of 5 must be quarantined.
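As an added example (not from the original post or from Exchange itself), the following Python models how the Content Filter agent turns a message's SCL into one of the three actions above, using the post's example thresholds of 7, 6 and 5. The threshold names, the ordering check and the sample messages are this example's own assumptions, not cmdlet parameters.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

SCL_MIN, SCL_MAX = 0, 9
ACTIONS = ("deliver", "quarantine", "reject", "delete")


@dataclass(frozen=True)
class SclThresholds:
    quarantine: int
    reject: int
    delete: int

    def validate(self) -> None:
        """Reject thresholds that could never be applied consistently."""
        for name, value in (("quarantine", self.quarantine),
                            ("reject", self.reject), ("delete", self.delete)):
            if not SCL_MIN <= value <= SCL_MAX:
                raise ValueError(f"{name} threshold {value} is outside the SCL range 0-9")
        # Assumption of this example: the ladder must be ordered so that a harsher
        # action never fires at a lower SCL than a milder one.
        if not self.quarantine <= self.reject <= self.delete:
            raise ValueError("thresholds must satisfy quarantine <= reject <= delete")


def content_filter_action(scl: int, thresholds: SclThresholds) -> str:
    """Map one message's SCL to delete / reject / quarantine / deliver."""
    thresholds.validate()
    if not SCL_MIN <= scl <= SCL_MAX:
        raise ValueError(f"SCL {scl} is outside the range 0-9")
    # Test the harshest action first: with delete=7 an SCL of 8 is deleted,
    # it does not fall through to reject just because 8 >= 6 as well.
    if scl >= thresholds.delete:
        return "delete"
    if scl >= thresholds.reject:
        return "reject"
    if scl >= thresholds.quarantine:
        return "quarantine"
    return "deliver"


def filter_batch(messages: Iterable[Tuple[str, int]],
                 thresholds: SclThresholds) -> Dict[str, int]:
    """Tally the action taken for each (sender, scl) pair, the summary an admin reviews."""
    counts = {action: 0 for action in ACTIONS}
    for _sender, scl in messages:
        counts[content_filter_action(scl, thresholds)] += 1
    return counts


# The post's worked example: delete at 7 or higher, reject at 6, quarantine at 5.
POST_THRESHOLDS = SclThresholds(quarantine=5, reject=6, delete=7)

# Constructed sample messages (sender addresses are illustrative only).
SAMPLE_MESSAGES = [
    ("newsletter@example.com", 3),
    ("offer@example.net", 5),
    ("promo@example.org", 6),
    ("pills@example.test", 8),
    ("lottery@example.test", 9),
]

if __name__ == "__main__":
    for sender, scl in SAMPLE_MESSAGES:
        print(f"SCL {scl}: {content_filter_action(scl, POST_THRESHOLDS):10s} {sender}")
    print(filter_batch(SAMPLE_MESSAGES, POST_THRESHOLDS))
```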

The Exchange 2007 Intelligent Message Filter can be customized by configuring custom words or phrases to be either blocked or allowed, modifying the SCL score by whatever value you see fit.

Exchange 2007's content filter is more powerful than many others on the market including many spam appliances you need to pay for! When you finish reading this article you will understand why.

The Intelligent Message Filter gets updated every 2 weeks by a Microsoft update to ensure it keeps up with all the new spam emails that are flying around the internet. If your IMF filter is missing lots of stuff, install your Windows updates!

There is one disadvantage of the IMF however: it cannot scan emails over 11MB in size. These emails will simply pass through unscanned. However, the default maximum message size limit on Exchange is only 10MB, so for many companies this will not be a problem. It is also very rare that spam emails are over 11MB in size, as spammers want to send out as many as possible to get their message out, and they cannot do this if they are sending large emails.

For more on Content Filtering see:

http://technet.microsoft.com/en-us/library/bb124739.aspx

Connection filtering

Connection filters are the first thing used to check an incoming email. Connection filters look at the IP address of the sender. If the sender's IP address is marked against a list, the connection is terminated before the server on the other end even gets to send its HELO or EHLO, saving you bandwidth and CPU by not having to download the spam email, analyse it with a content filter and then decide the action. If an IP is determined to be bad the connection is simply dropped!

There are four types of Connection Filters you can configure:
- Administrator-defined IP Allow List
- Administrator-defined IP Block List
- IP Block List providers (Real-time Spam Black Lists (RBL))
- IP Allow List providers

In the real world you're mainly going to just use the IP Block List providers. You can configure as many RBLs as you want. However, keep in mind that when an email comes in, before your Exchange server starts receiving the content of the email it needs to query each IP Block List provider on the internet to see if the sender's IP address exists in the list, and if so block it. You can find out if a company has too many RBL providers by telnetting to their SMTP server: if the connection hangs for a while with a black screen before you get the SMTP banner, that is because they have a fair few RBL providers that their email server is busy checking before accepting communication.

There are hundreds of RBL providers out there on the internet that you can use for free. My favourite RBL provider is Spamhaus; it's one of the large ones and has a huge list that is regularly kept up to date.

Spamhaus have 3 spam lists, SBL, XBL and PBL.

The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

If you want to use all three of these Spamhaus has a RBL list called ZEN that encompasses all three.

Microsoft also has their own IP Reputation Service, available exclusively to Exchange 2007/2010 customers, that you may want to consider implementing as well.

For more about connection filtering see:

http://technet.microsoft.com/en-us/library/bb124320.aspx
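As an added example (not from the original post or from Exchange), the following Python models the connection-filter step described above: the sender IP is checked against the administrator lists first, then against each IP Block List provider in configured order by building the reversed-octet DNSBL query name, and the first provider that answers drops the connection without consulting the rest (which is why one provider's block counter grows faster than the others, as noted at the end of the post). The allow-list-first ordering is this example's assumption, and the answers in FAKE_DNS are constructed so that nothing is looked up on the network; zen.spamhaus.org is the real zone name from the post, rbl.example.net is invented.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookups reverse the octets: 192.0.2.1 -> 1.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# Constructed answers: a listed address resolves to a 127.0.0.x code, an unlisted
# one gets NXDOMAIN (modelled here as absence from the dict). 192.0.2.1 is listed
# by both providers so the short-circuit behaviour is visible.
FAKE_DNS: Dict[str, str] = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "1.2.0.192.rbl.example.net": "127.0.0.2",
    "7.100.51.198.rbl.example.net": "127.0.0.2",
}


def is_listed(answer: Optional[str]) -> bool:
    """Any 127.0.0.x A record means 'listed'; anything else is treated as not listed."""
    return answer is not None and answer.startswith("127.0.0.")


class ConnectionFilter:
    """Decide drop/accept for a connecting IP before any SMTP conversation takes place."""

    def __init__(self, providers: List[str],
                 ip_allow: Optional[Set[str]] = None,
                 ip_block: Optional[Set[str]] = None,
                 resolver: Optional[Dict[str, str]] = None) -> None:
        self.providers = list(providers)          # queried in this order
        self.ip_allow = set(ip_allow or ())
        self.ip_block = set(ip_block or ())
        self.resolver = FAKE_DNS if resolver is None else resolver
        self.blocked_by: Dict[str, int] = {zone: 0 for zone in self.providers}
        self.blocked_by["ip-block-list"] = 0

    def lookup(self, ip: str, zone: str) -> Optional[str]:
        # Stand-in for a DNS A query; swap for a real resolver in production.
        return self.resolver.get(dnsbl_query_name(ip, zone))

    def check(self, ip: str) -> Tuple[str, Optional[str]]:
        """Return ('accept'|'drop', reason); the reason is the list that decided it."""
        ipaddress.IPv4Address(ip)  # validate before touching any list
        if ip in self.ip_allow:                       # assumption: allow list wins
            return "accept", "ip-allow-list"
        if ip in self.ip_block:
            self.blocked_by["ip-block-list"] += 1
            return "drop", "ip-block-list"
        for zone in self.providers:
            if is_listed(self.lookup(ip, zone)):
                self.blocked_by[zone] += 1
                return "drop", zone               # remaining providers are not queried
        return "accept", None


def demo_filter() -> ConnectionFilter:
    """Constructed configuration: two providers, one allowed IP, one admin-blocked IP."""
    return ConnectionFilter(providers=["zen.spamhaus.org", "rbl.example.net"],
                            ip_allow={"198.51.100.7"},
                            ip_block={"203.0.113.50"})


if __name__ == "__main__":
    cf = demo_filter()
    for sender in ("192.0.2.1", "198.51.100.7", "203.0.113.50", "203.0.113.9"):
        print(sender, cf.check(sender))
    print(cf.blocked_by)
```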

Spam Quarantine

Spam Quarantine stores messages marked as spam by the Intelligent Message Filter. You can quarantine the email in a spam mailbox inside your organization, or deliver the spam email to the user's Junk E-mail folder, or both. For example, you can have messages with a very high SCL rating go straight to the spam quarantine, which administrators have to review using an Outlook client and release to the user if necessary. You can then have messages with a borderline SCL rating released to the user's Junk E-mail folder in Outlook.

For more information about Spam Quarantine see:

http://technet.microsoft.com/en-us/library/aa997692.aspx

Recipient Filtering

This is required whenever you have an Edge Transport server out in your DMZ. The Edge Transport server is a workgroup PC; it is not a member of your domain and does not have any direct access to Active Directory. When emails come in from the internet addressed to an internal recipient, the Edge Transport server needs to know if that recipient email address actually exists in the Exchange organization. If it doesn't know this, it may forward emails to your internal Hub Transport servers for addresses that do not actually exist inside your Exchange organization.

Exchange 2007 sends this information to the Edge Transport server using EdgeSync. This is a subscription made between the Hub Transport servers and the Edge Transport servers that uses ADAM (Active Directory Application Mode), or AD LDS (Active Directory Lightweight Directory Services) as it is now called in Server 2008. This is a portable copy of Active Directory. EdgeSync is one-way replication and only replicates a couple of attributes that are required by the Exchange 2007 Edge Transport server.

For more information about Recipient Filtering see:

http://technet.microsoft.com/en-us/library/bb123891.aspx

Sender Filtering

Sender filtering lets you block individual email addresses such as billy@hotmail.com. It also has an option to let you block any incoming emails that do not have a sender email address specified.

Sender ID

Sender ID verifies that each email sent from a domain name such as @microsoft.com actually came from @microsoft.com by performing a reverse DNS lookup to ensure the address was not spoofed. It also goes further to verify if there is an SPF (Sender Policy Framework) record in the sender's public DNS. SPF records are not defined by many companies when they should be, as it's part of the IEEE framework. SPF records are a type of custom DNS record, just like an A record. You enter it into your public DNS zone file.

For more information about Sender ID see:

http://technet.microsoft.com/en-us/library/aa996295.aspx

Safelist Aggregation

Safelist Aggregation blows many anti-spam technologies out of the water as it integrates with the user's Outlook client. This functionality collects data from the anti-spam Safe Recipients Lists or Safe Senders Lists and contact data that Outlook users configure, and makes this data available to the anti-spam agents on the computer that has the Edge Transport server role installed, using EdgeSync. Safelist aggregation can help reduce the instances of false positives in the anti-spam filtering that is performed by the Edge Transport server.

Safelist Aggregation is quite complex to set up and requires users to have entered data into their Safe Senders or Safe Recipients list in Outlook, which no one ever does, right? I find the best way to populate these fields is to enable "Automatically add people I send e-mail to the Safe Senders List" by group policy. This enforces the option on everyone's Outlook client for Outlook 2003, 2007 or 2010.



The data in the Safe Senders list is stored in Active Directory and is replicated via EdgeSync to the Edge Transport server. For Exchange 2007 RTM you could have 1024 entries in AD for safe senders; with SP1 it went up to 3072. When these records get full, it starts removing the oldest records.

The information that Safelist Aggregation collects from outlook is:
- Safe Senders
- Safe Recipients
- Safe Domain
- External Contacts

This data is hashed using SHA-256 and stored in the user's attributes such as msExchangeSafeSenderHash and msExchangeSafeRecipientHash, so it's very secure.

When email comes in, the Exchange content filter (IMF) looks to see if the sender is in the user's Safe Senders list and, if so, greatly reduces the SCL rating applied to the email. This allows you to configure a very tight SCL quarantine rating on your organisation without receiving many false positives.

For more information on Safelist Aggregation see:

http://technet.microsoft.com/en-us/library/bb125168.aspx

Sender Reputation

Sender Reputation gathers statistical information about SMTP sessions, IMF content filtering, Sender ID verification and general sender behaviour, and creates a history of the sender's characteristics. If the data gathered concludes that the sender is a spammer they are added to a blocked senders list. This means that the sender's IP address will be blocked by the connection filter if the sender repeatedly tries to spam the domain. Because connection filters simply block the connection, it also means that the Intelligent Message Filter doesn't have to rescan emails that are already known to be spam, reducing server load.

You can also configure IP addresses blocked by Sender Reputation to be blocked temporarily, for a period such as 48 hours or whatever you choose to define. This means you do not have to worry about removing blocked entries, as they expire by themselves. If the offender continues to send spam, Sender Reputation blocks them for another 48 hours, and so on.
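The configuration described above, as an added example for the Edge Transport server's Exchange Management Shell (not code from the original post). The threshold of 7 and the 48-hour period are example values; the cmdlets, parameters and agent names are the real Exchange 2007 ones.

```powershell
# Added example, not from the original post. Run on the Edge Transport server.

# Block senders whose reputation level reaches 7 (SRL range 0-9; a lower
# threshold is more aggressive), for 48 hours at a time. SenderBlockingPeriod
# is in hours and on Exchange 2007 its documented maximum is 48, so
# "block forever" is not something this agent offers.
Set-SenderReputationConfig -SenderBlockingEnabled $true `
                           -SrlBlockThreshold 7 `
                           -SenderBlockingPeriod 48 `
                           -OpenProxyDetectionEnabled $true

Get-SenderReputationConfig | Format-List SenderBlockingEnabled, SrlBlockThreshold, SenderBlockingPeriod, OpenProxyDetectionEnabled

# Sender Reputation only adds IPs to the block list; the Connection Filter
# agent is what actually refuses the session. Sender Reputation itself shows
# up as the "Protocol Analysis Agent", so both must be Enabled here.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# Entries added by Sender Reputation carry an ExpirationTime, which is why
# they need no manual clean-up.
Get-IPBlockListEntry | Format-Table IPRange, ExpirationTime, Comment -AutoSize
```

If the open-proxy test is enabled, the Edge server has to be able to make outbound connections on the common proxy ports (the test connects back to the sending IP); a perimeter firewall that blocks those outbound connections silently disables that part of the scoring.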

For more information on Sender Reputation, and on how the SRL is calculated, see:

http://technet.microsoft.com/en-us/library/bb124512.aspx

Virus Protection

Exchange 2007 has no built-in virus scanning. It does, however, have attachment filtering on the Edge Transport server, where you can specify attachment types (by file name pattern or MIME content type) that are not allowed through. For more information on Attachment Filtering see:

http://technet.microsoft.com/en-us/library/bb124399.aspx

Additionally, by using RBLs such as Spamhaus's XBL, you block the IP addresses of hosts known to be infected with worms or viruses and currently sending spam. With just the integrated Exchange filtering you can stop a large share of virus-carrying mail, with the caveat that an attachment arriving from a host that is not listed, and of a type you have not blocked, is not scanned at all.
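Both controls from this section, as an added example for the Edge Transport server's Exchange Management Shell (not code from the original post): attachment filtering by file name and MIME type, and a Spamhaus XBL block list provider on the Connection Filter agent. The list of extensions and the response strings are example choices; the cmdlets, parameters and the xbl.spamhaus.org lookup domain are real.

```powershell
# Added example, not from the original post. Run on the Edge Transport server.

# Attachment Filter agent: block by file name pattern and by declared MIME
# type, so both the name and the content type a sender declares are checked.
"*.exe", "*.scr", "*.pif", "*.com", "*.bat", "*.vbs", "*.js" |
    ForEach-Object { Add-AttachmentFilterEntry -Name $_ -Type FileName }
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType

# Reject the whole message (the sender gets a bounce) rather than SilentDelete,
# so a legitimate sender finds out why their mail never arrived.
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "Message rejected: attachment type not permitted by policy"

# Connection Filter agent: query Spamhaus XBL (exploited/infected hosts).
# Any answer on the lookup domain counts as a hit (AnyMatch), and the
# session is refused before the message body is ever transferred.
Add-IPBlockListProvider -Name "Spamhaus XBL" -LookupDomain xbl.spamhaus.org -AnyMatch $true `
    -RejectionResponse "Connection refused: your IP is listed on the Spamhaus XBL" -Priority 1

# Verify. Providers are queried in Priority order and the first hit wins,
# which is why counts pile up against whichever provider is queried first.
Get-AttachmentFilterEntry | Format-Table Name, Type -AutoSize
Get-IPBlockListProvider   | Format-Table Name, LookupDomain, Priority, Enabled -AutoSize
```

The Edge server must be able to resolve the lookup domain through DNS for the provider to do anything; a quick check is that Get-IPBlockListProvider shows the provider Enabled and that the Connection Filtering Agent is Enabled in Get-TransportAgent.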

If you want content-level scanning of attachments with an antivirus engine, you need to install an Exchange-aware mail filtering product on the Edge Transport server, such as Microsoft Forefront Security for Exchange Server or a third-party product. With Forefront Security you also get Content Filter (anti-spam) updates every 24 hours instead of every two weeks through the standard Microsoft Update process.

How does this go in the real world?

From my experience, Exchange 2007's anti-spam technology, if set up correctly, is extremely effective. Many companies do not use it because of the complexity of setting it up.

On my home network I run Exchange 2007 spam filtering. To show you how effective this spam filtering is: in the last two weeks I have not received any spam emails in my inbox. Looking on my Exchange server, I have a total of 4263 emails blocked by my RBL providers. Notice I am only using the Spamhaus provider; I could add more here if I wished. Please note that if an IP is detected by one RBL provider it does not check the others. This is why XBL has the biggest number. Many of these 4263 emails would have had viral attachments.



38 did make it through the connection filter, but the Content Filter agent (IMF) picked them up:



My email address is associated with a Microsoft .NET Passport as well as being posted all over the internet. Out of all the spam sent to me in the past two weeks, not one hit my inbox, not one. This is not to say the spam filter is bulletproof, but it does a very effective job, seeing as it is free technology that comes with Exchange 2007 out of the box.

Going Beyond Exchange

If you do want to go beyond the capability integrated into Exchange Server and buy an appliance, make sure the appliance supports replicating data such as the Safelist Aggregation and the internal recipient list from Exchange; without that, an appliance can be less effective than an Edge Transport server, which gets both through EdgeSync.

However, personally I would never buy an appliance; I would go to a third party such as messagelabs.com, as I have had great success with them in the past, or an Exchange Hosted Filtering provider. This requires pointing your company's MX records at the filtering provider, which then relays the clean email to your organisation. The benefit is reduced internet bandwidth usage: if spam is sent directly to your organisation, your servers have to process every connection by checking your RBL providers and, if there is no hit, receive the email and pass it through the content filter before blocking it. For a large company this consumes a fair bit of bandwidth just dealing with "crap". Going through a hosted filtering provider eliminates this, as they deal with the spam on their side.

Final Comments

I hope you now understand the full potential of Exchange 2007's spam filter and consider it before wasting money on expensive spam appliances that do pretty much the same thing.

Please provide me with any feedback either by leaving a comment or shooting me an email at clint@kbomb.com.au