How To prevent unsolicited commercial e-mail in Exchange 2000 Server

This step-by-step article describes how to prevent unsolicited commercial e-mail messages and how to reduce the possibility that your server can be used to relay unsolicited commercial e-mail messages.

Unsolicited commercial e-mail messages, or junk e-mail messages ("spam"), is an annoyance of modern office and home e-mail message users. To delete these messages wastes time, but its effects can become far more troublesome if your Exchange Server computers are inadvertently being used as relays for mass-mailings.

Some of the recommended changes in this article only apply if your Internet service provider (ISP) provides store and forward services or a smart host for your domain. This is probably the situation if you have a dial-up connection to the Internet or if your ISP provides firewall, routing, or network address translation services for your organization.

Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:

• Microsoft Windows 2000 Server with Service Pack 2 (SP2)
• Microsoft Windows 2000 Security Rollup Package 1 (SRP1)
• Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Security Update
• Microsoft Windows 2000 Security Patch: Simple Mail Transfer Protocol (SMTP) Rollup
• Active Directory
• Exchange 2000 Server with Service Pack 2 (SP2) or later
• Outlook Express 5.0 or later (for testing purposes)

Note For more information about how to obtain the service packs and the security updates, see the "References" section later in this article.

This article assumes that you are familiar with the following topics:

• Exchange System Manager
• Transmission Control Protocol and Internet Protocol (TCP/IP)
• Configuring SMTP connections
• Configuring and using Microsoft Network Monitor, which includes setting up capture filters

How to Plan and Implement the Level of Protection

When you plan and you implement the steps to prevent the transmission of unsolicited commercial e-mail messages, there are a number of factors that you must consider.

How to Prevent Relaying

Relaying is the action of an inbound connection to your SMTP server being used to send e-mail messages to external domains. With unsolicited commercial e-mail messages, sending a single e-mail message to your SMTP server with multiple recipients in domains external to your organization does this. Because the default setting for SMTP servers is to use anonymous authentication, the system being used to propagate the unsolicited commercial e-mail messages accepts the inbound message as typical. After the message is accepted, the SMTP server recognizes that the message recipients belong to external domains, and then the SMTP server delivers the messages. Therefore, the unauthorized users who send unsolicited commercial e-mail messages only have to send one inbound message to your SMTP server so that it can then be delivered to thousands of recipients, which slows down your Exchange Server computer's responsiveness, congests queues, and causes irritation and annoyance to the recipients when the messages arrive in their Inboxes.

The primary means of controlling relaying is by not granting relay permissions to any other hosts. However, there are times when relaying is required. For example, if you have Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP4) clients who rely on SMTP for message delivery and have legitimate reasons for sending e-mail messages to external domains. You can work around this issue by creating a second SMTP virtual server that is dedicated to receiving e-mail messages from POP3 and IMAP4 clients. This additional SMTP virtual server can use authentication combined with Secure Sockets Layer (SSL) based encryption and can be configured to allow relaying for authenticated clients.

Note If you have POP3 and IMAP4 clients, for additional information about how to encrypt SMTP message delivery, click the article number below to view the article in the Microsoft Knowledge Base:

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
3. Expand Protocols, and then expand SMTP.
4. Right-click Default SMTP Virtual Server, and then click Properties.
5. Click the Access tab to display the Access Control options.
6. Click the Relay button.
7. In the Relay Restrictions dialog box, make sure that the selection for which computers may relay is set to Only the list below and that the list is blank.
8. Unless you are using POP3 and IMAP4 clients with this virtual server, clear the Allow all computers which successfully authenticate to relay, regardless of the list above box, and then click OK.
9. In the SMTP Virtual Server Properties dialog box, click OK.

How to Configure IP Address Restrictions

Configuring Internet Protocol (IP) address restrictions allows you to specify IP addresses, IP ranges or Domain Name System (DNS) domains from which your SMTP server accepts inbound sessions. This technique is useful if your ISP accepts messages on your behalf, and then forwards messages to you, as it prevents other hosts from connecting to your SMTP connector.

Note For IP address restrictions to function, the mail exchange (MX) record on your domain's Internet DNS zone must point to your ISP's e-mail messaging server, not to your Exchange Server computer.

If you receive your external SMTP e-mail messages from your ISP's e-mail messaging server, you can configure IP address restrictions. IP address restrictions indicate that your SMTP virtual server only accepts connections from your ISP's e-mail messaging server.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
3. Expand Protocols, and then expand SMTP.
4. Right-click Default SMTP Virtual Server, and then click Properties.
5. Click the Access tab to display the Access Control options.
6. To configure IP address restrictions, click the Connection button.
7. In the Connection dialog box, click Only the list below. This indicates that only the IP addresses and the domains in the list are allowed to connect to the SMTP virtual server. You can add several entries from the types listed:
   
   
   1. You can add a single IP address for your ISP's e-mail messaging server by typing the address in the IP address box. Alternatively, you can click the DNS Lookup button, type a host name (such as mail.example.com.), and then click OK.
   2. You can add a range of addresses, such as 131.107.2.0 with a subnet mask of 255.255.255.0. Microsoft recommends this procedure if your ISP has a tendency to change the IP address of their e-mail messaging server without warning.
   3. You can also set restrictions on a domain basis, by allowing only connections that come from *.example.com. However, note that this option requires a DNS reverse lookup on each incoming connection, which can adversely affect the Exchange Server computer's performance. For more information, see the "Troubleshooting" section later in this article.
8. Click OK.

How to Implement Authentication

Implementing user-based authentication provides the ability for external hosts or clients to present a username and password to log on to the SMTP virtual server. However, similar to IP address restrictions, configuring authentication is possible only if your ISP is acting as a message relay for your organization, and can provide authenticated connections to your SMTP virtual server. Your ISP must also support Transport Layer Security (TLS), which encrypts the whole authentication and message transfer session.

Note It is not probable that your ISP supports the option for Integrated Windows Authentication (NTLM authentication).

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
3. Expand Protocols, and then expand SMTP.
4. Right-click Default SMTP Virtual Server, and then click Properties.
5. To configure access control, click the Access tab, and then click the Authentication button.
6. In the Authentication dialog box, all of the authentication methods are all selected. Clear the Anonymous access and the Integrated Windows Authentication checkboxes.
7. If your ISP supports TLS, click the option for Requires TLS encryption under Basic authentication.
8. You must add a user account and a password to Active Directory, and then inform your ISP of these credentials. This account provides authentication of the inbound connection.
9. Click OK.

How to Set Message Limits

Setting message limits involves changing the default number of recipients per message. This procedure reduces the effect of unsolicited commercial e-mail messages by preventing the delivery of a single message to a large number of individuals. Additionally, you can reduce the maximum message size and the session size.

Note If you reduce the number of recipients per message this procedure can affect delivery to your internal recipients if you have very large distribution lists that receive their e-mail messages by means of SMTP. However, this is not an issue for Messaging Application Programming Interface (MAPI) recipients.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
3. Expand Protocols, and then expand SMTP.
4. Right-click Default SMTP Virtual Server, and then click Properties.
5. On the SMTP Virtual Server Properties dialog box, click the Messages tab. You can now configure a number of message limits.
6. Click the Limit message size to (KB) box, and then type a smaller value such as 2048 in the Size box.
7. Click the Limit session size to (KB) box, and then type a value of 4096.
8. The default number of messages per connection is 20. You do not have to change this value.
9. The default setting for Limit number of recipients per message is 64,000. Change this setting to a value between 100 and 1000.NOTE: The value you select depends on the messaging needs of your organization and the size of your organization's external distribution lists. Any messages that are larger than this number of recipients is returned to the sender with a non-delivery report (NDR).
   
   
10. Click OK.

How to Use Reverse DNS Lookup

If you are receiving messages directly from other domains on the Internet, you can configure your SMTP virtual server to perform a reverse DNS lookup on the incoming e-mail messages. This configuration makes sure that the sending e-mail messages server's IP address (and its fully qualified domain name) matches the message sender's domain name. Reverse lookup helps to prevent address spoofing. However, reverse lookup adds an additional load on your Exchange Server computer. See the "Troubleshooting" section for more information. This technique also requires that your Exchange Server computer can contact the reverse lookup zones for the sending domain.

Note If you are only configuring your SMTP virtual server to perform DNS reverse lookups, you will not block the non-matching domain name / IP address. The DNS reverse lookup simply resolves the DNS name from the IP address and replaces the DNS name in the header with the name that resulted from the DNS reverse lookup.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
3. Expand Protocols, and then expand SMTP.
4. Right-click Default SMTP Virtual Server, and then click Properties.
5. To configure reverse DNS lookup on incoming messages, click the Delivery tab.
6. Click the Advanced button, and then click the Perform reverse DNS lookup on incoming messages check box.
7. Click OK, and then click OK.

How to Configure the SMTP Connector

You may have created an SMTP connector on your Exchange Server computer to make outbound connections and to accept inbound connections to and from other SMTP servers on the Internet. This SMTP connector must be associated with at least one SMTP virtual server to operate. You must verify that the SMTP connector is best configured to reduce your vulnerability to relaying unsolicited commercial e-mail messages.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Connectors.
3. Right-click the SMTP connector that you use for inbound and outbound e-mail messages to the Internet, and then click Properties. This procedure displays the General tab for the SMTP connector's Properties dialog box.
   
   
4. If your ISP is providing store and forward facilities for your incoming e-mail messages, it is probable that your ISP also provides a smart host for your outgoing e-mail messages. If this is the situation, click Forward all mail through this connector to the following smart hosts, and then type the FQDN or IP address of your ISP's e-mail messaging server.
5. Click the Address Space tab and make sure that the Allow messages to be relayed to these domains check box is cleared.
   
   Note As the SMTP connector that delivers e-mail messages to the Internet typically has an asterisk (*) (which indicates all domains) as its address space, if you click the Allow messages to be relayed to these domains check box, it enables relaying to all external domains.
   
   
6. If you use a smart host for outbound e-mail messages, liaise with your ISP to configure security for e-mail message delivery. Click the Advanced tab, and then click the Outbound Security button.
7. If your ISP supports authentication and encryption, select Basic authentication, click the Modify button, add the user account and password for access to your ISP's smart host, click OK, and then click to select the TLS encryption check box.

How to Confirm that the IP Restrictions Function

1. To confirm that the IP restrictions function, use your POP3 and IMAP4 clients, and then try to connect from an excluded IP address. You receive a message that indicates that a connection to the server was declined.
2. To confirm that the relay restrictions function, connect with your POP3 and IMAP4 clients from a non-excluded IP address, and then try to send an e-mail message to an external domain. You receive a message that indicates that the delivery to the external domain was refused because of relay restrictions.
3. To verify TLS authentication and encryption, confirm that you can receive e-mail messages from your ISP's e-mail messaging server that provides store and forward services for your domain. Run Network Monitor on your Exchange Server computer and capture packets coming from your ISP's e-mail messaging server address on port 25 (0019h). These packets contain encrypted data. You cannot see the user name or password credentials.
4. To confirm reverse DNS lookup, you must send a message to your domain from an address that does not match the domain that sent it. This message appears in your Badmail folder.

Troubleshooting

Any restrictions based on DNS lookup can adversely affect the performance of the Exchange 2000 Server computer. Because the Exchange 2000 computer performs a reverse DNS lookup on each inbound connection, it requires a functioning DNS reverse lookup zone to be available and that the sending host is registered with that zone.

For additional information about how to configure reverse lookup zones, click the following article number to view the article in the Microsoft Knowledge Base:

For more information about how to prevent unsolicited commercial e-mail messages, see the Exchange Server 2000 Help and the Exchange 2000 Server Resource Kit. A list of resources about how to prevent unsolicited commercial e-mail messages is in the following Microsoft Knowledge Base article:

For additional information about how to encrypt SMTP message delivery, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about how to configure security for incoming POP3 connections to your Exchange 2000 computers, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about how to configure security for incoming IMAP4 connections to your Exchange 2000 computers, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about how to configure reverse lookup zones, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about the Window 2000 SRP1, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about the Windows 2000 SNMP Security Update, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about the Windows 2000 Security Patch, click the following article number to view the article in the Microsoft Knowledge Base: