
Managing spam quarantine for Exchange Server 2007


Exchange Server 2007 includes anti-spam functionality that provides the capability to quarantine suspected spam that is received from the internet.

Quarantine is generally used only for email with a moderate likelihood of being spam. Email with a very high likelihood of being spam would normally be rejected entirely. Quarantine allows false positives to be detected and addressed on a case-by-case basis, and allows the email administrator to adjust the spam thresholds to minimise false positives.

Configuring spam quarantine with Exchange Server 2007

The decision to quarantine a suspected spam email is based on the Spam Confidence Level (SCL) that is calculated by the Exchange server’s Content Filter agent. A message whose SCL meets or exceeds the quarantine threshold (without meeting any higher threshold that would cause it to be rejected or blocked entirely) is sent to the designated quarantine email address.
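The threshold behaviour described above can be set and checked from the Exchange Management Shell. The following is an added example, not taken from the original article: the mailbox address and the threshold values 6 and 8 are constructed sample values, and `Get-SclAction` is a hypothetical helper written here to show which action the current configuration implies for each SCL.

```powershell
# Added example. Run in the Exchange Management Shell on the transport
# server where the Content Filter agent is running.
# The address and threshold values below are constructed samples.
$quarantineMailbox = 'spamquarantine@example.com'
$quarantineAt      = 6   # SCL >= 6 is sent to the quarantine mailbox
$rejectAt          = 8   # SCL >= 8 is rejected instead of quarantined

# Quarantine must sit below the reject threshold, otherwise nothing
# would ever reach the quarantine mailbox.
if ($quarantineAt -ge $rejectAt) {
    throw "Quarantine threshold must be lower than the reject threshold."
}

Set-ContentFilterConfig `
    -QuarantineMailbox      $quarantineMailbox `
    -SCLQuarantineEnabled   $true `
    -SCLQuarantineThreshold $quarantineAt `
    -SCLRejectEnabled       $true `
    -SCLRejectThreshold     $rejectAt `
    -SCLDeleteEnabled       $false

# Hypothetical helper: map an SCL value to the action implied by the
# live configuration, checking the strictest enabled action first.
function Get-SclAction([int]$Scl) {
    $cfg = Get-ContentFilterConfig
    if ($cfg.SCLDeleteEnabled -and $Scl -ge $cfg.SCLDeleteThreshold) {
        return 'Delete'
    }
    if ($cfg.SCLRejectEnabled -and $Scl -ge $cfg.SCLRejectThreshold) {
        return 'Reject'
    }
    if ($cfg.SCLQuarantineEnabled -and $Scl -ge $cfg.SCLQuarantineThreshold) {
        return 'Quarantine'
    }
    return 'Deliver'
}

# Review the stored settings, then print the action for every SCL 0..9.
Get-ContentFilterConfig | Format-List QuarantineMailbox, SCL*
0..9 | ForEach-Object { "SCL {0} -> {1}" -f $_, (Get-SclAction $_) }
```

Reviewing the SCL-to-action listing after each threshold change makes it easy to confirm that a band of SCL values still reaches quarantine rather than being rejected outright.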

Although this quarantine feature is useful at a basic level, the implementation suffers from some significant shortcomings when it is employed in a larger organization.

Disadvantages of the Exchange Server 2007 spam quarantine feature

Utilises an entire mailbox database

Microsoft recommends that the quarantine mailbox be placed on a dedicated mailbox database. Exchange Server 2007 Standard Edition is limited to 5 databases. When you allocate one to public folders and one to the spam quarantine, only 3 databases remain that can be deployed for any organizational separation or system performance requirements on the server.

Furthermore, although the spam processing load is handled by the Hub Transport server, the quarantined emails are still delivered to a Mailbox server. Quarantine therefore does not relieve the Mailbox server of the load caused by delivery of spam into the organization.

Requires a special form for management

To properly manage the quarantined items in the mailbox a special Outlook form must be configured that exposes the correct information for email administrators to locate and take action on false positives.

Requires a dedicated Outlook profile

Email administrators cannot manage the quarantine mailbox as a secondary mailbox in their own Outlook profile.  Instead they must configure a second Outlook profile, exit Outlook, and then launch the second Outlook profile to administer the messages.

Poor search capability

All spam is placed in the Inbox of the quarantine mailbox, so the administrator is forced to use the Outlook search feature to locate specific messages. When the spam volume is in the tens or hundreds of thousands this search can take a lot of time, particularly as the mailbox is not the email administrator’s primary mailbox and so cannot be configured to be indexed for faster searching.

No end user self service

The spam quarantine mailbox can only be managed using Microsoft Outlook and requires either the mailbox account password or full mailbox access permissions to be accessible.  Once the mailbox is opened all quarantined items are visible, and cannot be secured to just a single user’s quarantined items.  This makes it impractical to provide end users with self service access to the quarantine to release their own items, as all of the quarantined items for other users (which may be false positives and may contain sensitive information) will be available to them as well.

Limited reporting

Although it is possible to gather basic statistics on the number of items quarantined by the Content Filter agent there are no advanced reporting features available that would allow an organization to measure the performance of their anti-spam protection.

Desirable features of a spam quarantine product

An effective anti-spam solution should provide quarantine features that are easy to manage and do not create a burden on the end user or the email administrator.

The desirable features are:

No system performance impact – the anti-spam solution should decrease, not increase, the load on Exchange servers within the organization.

Ease of administrative access – management of quarantined items should not be awkward or inconvenient for email administrators.  A dedicated management console or application would be preferable over the use of a special Outlook profile.

Searchable quarantine – the quarantined items should be indexed for quick searching, and the search feature should have options for defining specific search parameters.

End user self service – email users should be provided the capability to access their own quarantined items and release them without requiring administrators to take action.

Advanced reporting – comprehensive and customizable reporting features should be made available to email administrators and to business stakeholders for measuring the performance of the anti-spam system.

Always consider the practicality of spam quarantine in an anti-spam solution

The built-in Exchange Server 2007 spam quarantine feature provides the most basic functionality for organizations that require suspect spam to be held in quarantine in case of false positives.  Although it is available at no extra cost for Exchange environments it carries several disadvantages which are likely to increase administrative costs in medium to large organizations.

These additional costs should be considered thoroughly by any organization planning to implement an email anti-spam solution, and compared with the more comprehensive features of third party email security products.

The post Managing spam quarantine for Exchange Server 2007 appeared first on Email management, storage and security for business email admins.

