Anti-Spam Provisions in Microsoft Exchange Version 5.5


This page reproduces, from the full release of Microsoft Exchange 5.5, the part of the "README.DOC" release notes that explains how to stop unauthorized (third party) relaying of unsolicited commercial e-mail (UCE, or spam) through your server, and how to refuse UCE from named senders or domains. It is intended for Microsoft Exchange 5.5 administrators.

The text below is an excerpt straight from the FULL RELEASE of Microsoft Exchange 5.5 README.DOC release notes. For those who want the full document (Microsoft Word 7 format).

This page was created and is maintained by Chris Schroeder.


Features That Prevent Servers From Receiving or Being Used as Relay Points for Unsolicited Commercial E-mail (UCE)

A growing problem for Internet mail server administrators is the practice of users and organizations who send large quantities of unsolicited commercial e-mail (UCE) to as many recipients as possible across the Internet. Senders commonly relay messages through well-known, trusted Internet servers so that when they are delivered to their final destinations, they appear to originate from a trusted host.

Several features are included with the Internet Mail Service to protect your server from receiving and relaying nuisance messages.

You can configure the Internet Mail Service to abort delivery of messages addressed from specified Internet domains and users. Inbound Internet messages that originate from a domain or user on a specified list (the TurfTable registry value) are moved to a directory on the server (TurfDir) and are not delivered to the intended recipients. The sender does not receive notification that the messages were not delivered.

To prevent UCE messages from being delivered to local users, you must specify the directory to which aborted messages are moved and the sender patterns that cause a message to be aborted. To do this, add the following values to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeIMC\Parameters

Value       Data type      Description
TurfDir     REG_SZ         The directory to which aborted messages are moved. It is recommended that you set it to Exchsrvr\Imcdata\Turfdir, where Exchsrvr is the directory where the Microsoft Exchange Server files are located.
TurfTable   REG_MULTI_SZ   The sender patterns (one per line) for messages that are aborted.

If you configure the TurfTable registry setting and you do not specify a TurfDir value, aborted messages are permanently deleted.

Entries must be entered one per line with no extra spaces or delimiters. They are not case-sensitive. For example, a domain specified in the list using the following format prevents all messages addressed from domain.com (but not from its subdomains) from being delivered.

#@domain.com

A domain specified in the list using the following format prevents all messages addressed from domain.com and all of its subdomains from being delivered.

@domain.com

You can specify a specific user in the list using the following format.

user@domain.com
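As an added example (not part of the README and not Exchange's own code), the following Python shows how the three TurfTable pattern forms above can be matched against an envelope sender, and what happens to a hit with and without a TurfDir value. The function names are assumed, and so is the subdomain boundary rule (a dot must precede the listed domain): the README does not say whether a domain that merely ends in the same text, such as notdomain.com, is matched by @domain.com.

```python
"""TurfTable pattern matching, written for this page as an illustration.
It is not the Internet Mail Service implementation."""


def parse_turf_table(lines):
    """One pattern per line, no extra spaces; comparisons are case-insensitive."""
    return [ln.strip().lower() for ln in lines if ln.strip()]


def sender_matches(pattern, sender):
    """True if a single TurfTable pattern covers this sender address."""
    s = sender.lower()
    if "@" not in s:
        return False
    _local, domain = s.rsplit("@", 1)
    if pattern.startswith("#@"):
        # '#@domain.com': the exact domain only, subdomains are not covered
        return domain == pattern[2:]
    if pattern.startswith("@"):
        # '@domain.com': the domain and every subdomain.
        # Assumption: a dot boundary is required, so 'notdomain.com' is not a hit.
        d = pattern[1:]
        return domain == d or domain.endswith("." + d)
    # 'user@domain.com': one specific sender
    return s == pattern


def turf_disposition(table, sender, turfdir=None):
    """Returns ('deliver', None), ('move', turfdir) or ('delete', None).

    Mirrors the README: a TurfTable hit is moved to TurfDir when that value
    exists, and is permanently deleted when it does not."""
    for pat in table:
        if sender_matches(pat, sender):
            return ("move", turfdir) if turfdir else ("delete", None)
    return ("deliver", None)


if __name__ == "__main__":
    # Constructed sample table and senders (not real data).
    table = parse_turf_table(["#@bulk.example", "@spam.example", "mailer@lists.example"])
    for who in ["a@bulk.example", "a@mail.bulk.example", "b@mail.spam.example", "MAILER@lists.example"]:
        print(who, turf_disposition(table, who, r"C:\exchsrvr\imcdata\turfdir"))
```

The deletion branch is the one to watch in practice: configuring TurfTable before TurfDir silently destroys mail, so create TurfDir first.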

To apply these registry settings after they have been created or modified, you must stop and restart the Internet Mail Service and the Information Store service using the Services application in Control Panel.

When a message is aborted using TurfTable, regardless of the Internet Mail Service diagnostics logging settings, an event is logged to the Application Event Log indicating the sender and message file name that was aborted. If you have enabled archiving for the Internet Mail Service using the Diagnostics Logging property page, you can use the message file name to locate the file in the Internet Mail Service archive directory (Exchsrvr\Imcdata\In\Archive) if you did not include TurfDir as described earlier.

For more information, see the Microsoft Knowledge Base article Q155683 available at the Microsoft Product Support Services Web site (http://www.microsoft.com/support).

When the Internet Mail Service is configured to allow rerouting for POP3 or IMAP4 clients, it accepts and relays mail to non-local recipients. Message relaying occurs when a client or remote SMTP server connects to the Internet Mail Service and submits messages for non-local recipients. If your site does not restrict relaying, it may be used to relay UCE.

If your configuration prevents the client from relaying mail, RCPT commands specifying a non-local recipient are refused with a "550 relaying prohibited" response.

Relay restrictions are configured in the registry using values in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeIMC\Parameters

Because these registry values are not created by default, you must set them to restrict relaying. By default, the Internet Mail Service relays mail as specified by the Reroute incoming SMTP mail option on the Routing property page.

Value              Data type      Description
RelayFlags         REG_DWORD      Defines which relay control rules are in effect (bit values below).
RelayDenyList      REG_MULTI_SZ   Hosts that cannot relay messages through your server.
RelayAllowList     REG_MULTI_SZ   Hosts that can relay messages through your server.
RelayLocalIPList   REG_MULTI_SZ   The local IP addresses of the server to which an SMTP client can connect and relay mail. This is useful for multi-homed servers that have internal and external interfaces. Enabling IP forwarding disables this feature.

RelayDenyList, RelayAllowList, and RelayLocalIPList consist of a net and optional mask per line. Order is not important in these lists. Each line is formed of two parts, the net and the mask, which are separated by a semicolon.

Net[;mask]

If the mask is omitted, it defaults to 255.255.255.255.

An IP address matches a rule if the bitwise-AND of the IP address and the mask equals the net.

(IP Address AND mask) = net

To add net 192.168.0.0 to a list, add the following line to the list.

192.168.0.0;255.255.0.0

To add the host 192.168.1.17 to a list, add the following line to the list.

192.168.1.17;255.255.255.255

or

192.168.1.17

because the default mask is all ones.

The logic used to determine if the client can relay mail follows. If none of these apply, the client will not be allowed to relay.

- If bit 1 of RelayFlags is set (decimal value 1) and the client's IP address is matched by a pattern in RelayDenyList, the client is not allowed to relay. This rule is evaluated first, so a RelayDenyList entry overrides the allow rules that follow.

- If bit 2 of RelayFlags is set (decimal value 2) and the client's IP address is matched by a pattern in RelayAllowList, the client is allowed to relay.

- If bit 3 of RelayFlags is set (decimal value 4) and the client is connected to a local IP address that matches a pattern in RelayLocalIPList, the client is allowed to relay.

- If bit 4 of RelayFlags is set (decimal value 8) and the client is authenticated, the client is allowed to relay.

- If only bit 1 is set (RelayFlags = 1), every client not matched by RelayDenyList is allowed to relay.


Examples

All clients not explicitly denied can relay.

Set bit 1 of RelayFlags (by setting its decimal value to 1), and add a rule to RelayDenyList for each host or group of hosts to be denied. To prevent all hosts on the subnet 192.168.17.0 from relaying mail, add the following line to RelayDenyList.

192.168.17.0;255.255.255.0


All clients not explicitly allowed are denied.

Set bit 2 of RelayFlags (by setting its decimal value to 2), and add a rule to RelayAllowList for each host or group of hosts to be allowed. To allow all hosts on subnet 192.168.1.0 to relay mail, add the following line to RelayAllowList.

192.168.1.0;255.255.255.0


Allow all hosts on a subnet except for a subset.

To allow all hosts on a subnet, set bit 2 of RelayFlags (by setting its decimal value to 2), and add a rule to RelayAllowList to match the subnet. For the subnet 192.168.1.0, the following rule works.

192.168.1.0;255.255.255.0

To prevent a subset of the hosts on subnet 192.168.1.0 from relaying mail, also set bit 1 in RelayFlags in addition to bit 2, which was set above (the net result is to set its decimal value to 3), and add the IP address of each host to RelayDenyList. If the subset of hosts is grouped together, you can add a single rule to match all of them. For example, if 192.168.1.1 through 192.168.1.7 are not allowed to relay, the following rule is adequate. Listing each address explicitly in RelayDenyList also works.

192.168.1.0;255.255.255.248


Allow clients connecting to the selected local IP addresses to relay.

This method is useful if the host has multiple network interfaces, and IP forwarding is not enabled. Set bit 3 of RelayFlags (by setting its decimal value to 4), and add the IP address(es) of the network interfaces that will relay mail to RelayLocalIPList.


Allow authenticated clients to relay.

Set bit 4 of RelayFlags (by setting its decimal value to 8) to allow clients that have authenticated (by using the AUTH command) to relay mail.
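Bringing the decision rules and the five examples above together, here is an added Python model of the relay check (example code written for this page, not Exchange's own implementation). The RelayFlags bit values, the net;mask list syntax and the "550 relaying prohibited" refusal are taken from the README; the function names, the "250 OK" accept reply and the treatment of RelayFlags = 0 are assumptions (the model refuses when no rule applies, whereas a server with no relay values configured follows the Reroute incoming SMTP mail option instead).

```python
"""Relay decision model for the Exchange 5.5 Internet Mail Service rules.
Illustration only; function names and the accept reply text are assumed."""
from ipaddress import IPv4Address

RELAY_DENY_LIST = 1   # bit 1: consult RelayDenyList
RELAY_ALLOW_LIST = 2  # bit 2: consult RelayAllowList
RELAY_LOCAL_IP = 4    # bit 3: consult RelayLocalIPList (server-side address)
RELAY_AUTH = 8        # bit 4: authenticated (AUTH) clients may relay


def parse_rule(line):
    """'net[;mask]' -> (net, mask) as 32-bit integers; a missing mask is all ones."""
    net, _, mask = line.strip().partition(";")
    net_i = int(IPv4Address(net))
    mask_i = int(IPv4Address(mask)) if mask else 0xFFFFFFFF
    return net_i, mask_i


def ip_matches(ip, rules):
    """A rule matches when (ip AND mask) == net; rule order is irrelevant."""
    ip_i = int(IPv4Address(ip))
    return any((ip_i & mask) == net for net, mask in map(parse_rule, rules))


def may_relay(flags, client_ip, local_ip, authenticated,
              deny=(), allow=(), local_ips=()):
    """Apply the README's rules in order. If none applies, relaying is refused.

    Assumption: flags == 0 (values never created) is not modelled; the real
    server then relays as the Reroute incoming SMTP mail option dictates."""
    if flags & RELAY_DENY_LIST and ip_matches(client_ip, deny):
        return False                      # deny wins over every allow rule
    if flags & RELAY_ALLOW_LIST and ip_matches(client_ip, allow):
        return True
    if flags & RELAY_LOCAL_IP and ip_matches(local_ip, local_ips):
        return True                       # matched on the interface the client hit
    if flags & RELAY_AUTH and authenticated:
        return True
    if flags == RELAY_DENY_LIST:
        return True                       # only the deny list in use: all others relay
    return False


def rcpt_reply(flags, client_ip, local_ip, authenticated, recipient,
               local_domains, **lists):
    """Reply to RCPT TO: local recipients are always accepted, non-local
    recipients only when the client may relay."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in local_domains or may_relay(flags, client_ip, local_ip,
                                            authenticated, **lists):
        return "250 OK"                   # assumed wording of the accept reply
    return "550 relaying prohibited"


if __name__ == "__main__":
    # Constructed scenario: allow the 192.168.1.0/24 office subnet except .1-.7
    # (RelayFlags = 3, as in the README's third example).
    lists = dict(allow=["192.168.1.0;255.255.255.0"],
                 deny=["192.168.1.0;255.255.255.248"])
    for client in ["192.168.1.5", "192.168.1.40", "203.0.113.9"]:
        print(client, rcpt_reply(3, client, "10.0.0.5", False,
                                 "bob@elsewhere.example", {"corp.example"}, **lists))
```

The ordering matters: because the deny check runs first, a host inside an allowed subnet is still refused when a narrower deny rule covers it, which is exactly how the "allow all hosts on a subnet except for a subset" case works with RelayFlags = 3.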

The Internet Mail Service must be stopped and restarted in the Services application in Control Panel for these registry settings to take effect after they are created or modified.

When a message is denied for relay through the Internet Mail Service, an event is logged to the Application Event Log if the SMTP Interface Events diagnostics logging category is set to minimum or a higher logging level using the Internet Mail Service Diagnostic Logging property page. The event will indicate the sender's IP address, sender's host name (if available), the sender's authentication account (if authentication was used), and the recipient address for the message.