
Summary: Safeguarding your company’s data and assets is more than a necessity in an era where cyberattacks are increasingly common. Organizations need to be careful when applying spam settings. This article walks you through setting up anti-malware and anti-spam protection in Exchange Server 2016/2019. If you nevertheless lose data or run into database corruption, the Kernel for Exchange Server Recovery tool is a reliable fallback.

In a business organization, Exchange Server receives a vast number of emails and also sends many emails outside the organization. An Exchange Administrator must protect mail recipients from external threats such as spam, phishing, virus attacks, and hacking attempts. Exchange Server includes built-in anti-malware and anti-spam features, which you can configure to safeguard the data.

  • Anti-spam protection is provided by several transport agents: the Content Filter agent, the Sender Filter agent, the Sender ID agent, and the Protocol Analysis agent. On a Mailbox server you must enable them manually to activate anti-spam protection.

    Note: These agents are by default ‘Enabled’ on Edge Transport Servers.

  • Anti-malware protection has been provided by the Malware agent since Exchange Server 2013, and it is enabled by default on Exchange Mailbox servers, so there is no need to enable it manually.

Let’s dig deeper and learn how to enable anti-spam and anti-malware protection using the various transport agents. First, though, we need to understand how they work and how they protect the data.

Anti-spam agent for Mailbox Servers

Typically, the Exchange Administrator must enable the anti-spam agents on Mailbox servers when the organization has neither an Edge Transport server nor another robust anti-spam application. Each agent has a priority value, and a lower value means a higher priority. Based on the default priority values, the agents are applied to messages in this order:

  • Sender Filter Agent: It compares the sending server against the list of sender domains and addresses blocked by your organization.
  • Sender ID Agent: It checks the IP address of the sending server and the Purported Responsible Address (PRA) to determine whether the message is clean or not.
  • Content Filter Agent: It assigns a spam confidence level (SCL) to every message to judge its legitimacy, and it also helps prevent legitimate messages from being classified as spam.
  • Protocol Analysis Agent: It calculates a sender reputation level for each sender. The sender reputation tells the Administrator what kind of mail a sender usually delivers and whether it is likely to be spam.

Note: It’s crucial to remember that Mailbox servers also have a Recipient Filter agent, but you must not configure it to block recipients. If the Recipient Filter agent identifies a blocked or invalid recipient among the other recipients of a message, the entire message is rejected. Simply leave the Recipient Filter agent enabled along with the other anti-spam agents on the Mailbox server, without configuring it to block any recipients.

Installing anti-spam agents on mailbox servers

All of these agents are installed with a single Exchange Management Shell script; the whole procedure, step by step, is as follows.

  1. Start the Exchange Management Shell on the Exchange Server and run the following script.

    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

    When the script completes successfully, it asks you to restart the Microsoft Exchange Transport service.

  2. Restart the Microsoft Exchange Transport service with this command.

    Restart-Service MSExchangeTransport

  3. Now specify the internal SMTP servers whose IP addresses the Sender ID agent should ignore, so that it evaluates the external connecting IP rather than an internal hop. You can specify any number of SMTP servers, but you must specify at least one.

    Set-TransportConfig -InternalSMTPServers @{Add="<IP address1>","<IP address2>"}

    Example

    Set-TransportConfig -InternalSMTPServers @{Add="10.0.21.21","10.0.21.22","10.0.21.23"}

    To verify that the SMTP servers are present in the configuration list, run this command:

  4. To verify if the agents are installed correctly, run this command:

    Get-TransportAgent

    Or this command:

    Get-ContentFilterConfig | Format-Table Name,Enabled; Get-SenderFilterConfig | Format-Table Name,Enabled; Get-SenderIDConfig | Format-Table Name,Enabled; Get-SenderReputationConfig | Format-Table Name,Enabled

    Check the configuration of each agent by running the following commands one by one.

    Get-ContentFilterConfig | Format-List *Enabled,RejectionResponse,*Postmark*,Bypassed*,Quarantine*;
    Get-SenderFilterConfig | Format-List *Enabled,*Block*
    Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*
    Get-SenderReputationConfig | Format-List *Enabled*,*Proxy*,*Block*,*Ports*
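As an added example (not part of the original article), here is a read-only check that ties the four steps above together: it confirms the agents are installed and enabled, that the Sender ID agent has an InternalSMTPServers list, and that the Recipient Filter agent is not configured to block recipients (see the Note above). Run it in the Exchange Management Shell.

```powershell
# Added example: verify the anti-spam agent setup on a Mailbox server.
function Test-AntiSpamAgentSetup {
    $findings = @()

    # Agents registered by Install-AntiSpamAgents.ps1 (names as shown by Get-TransportAgent)
    $expected = 'Content Filter Agent', 'Sender Id Agent',
                'Sender Filter Agent', 'Protocol Analysis Agent'
    $agents = Get-TransportAgent
    foreach ($name in $expected) {
        $agent = $agents | Where-Object { $_.Identity -eq $name }
        if (-not $agent) {
            $findings += "MISSING:  $name is not installed"
        } elseif (-not $agent.Enabled) {
            $findings += "DISABLED: $name (priority $($agent.Priority))"
        }
    }

    # Without internal hops listed, Sender ID scores internal mail as if it came from outside
    $internal = (Get-TransportConfig).InternalSMTPServers
    if (-not $internal -or $internal.Count -eq 0) {
        $findings += "CONFIG:   InternalSMTPServers is empty; set it with Set-TransportConfig"
    }

    # Recipient Filter must stay unconfigured: one blocked recipient rejects the whole message
    $rf = Get-RecipientFilterConfig
    if ($rf.BlockListEnabled -or $rf.RecipientValidationEnabled) {
        $findings += "CONFIG:   Recipient Filter has blocking enabled on a Mailbox server"
    }

    if ($findings.Count -eq 0) {
        "OK: all anti-spam agents are installed, enabled and safely configured"
    } else {
        $findings
    }
}

Test-AntiSpamAgentSetup
```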

Setting up the agents protects you from many attacks, but they are not 100% effective. Sometimes, because of an internal issue or a large-scale ransomware attack, malware bypasses these filters and corrupts the data. In such a scenario, admins use the built-in ESEUTIL utility to repair the Exchange Server database using soft or hard recovery. In most cases hard recovery is required, but it discards damaged database pages, and any user data stored on them is lost with them.

Therefore, as a safety net, modern Exchange admins prefer a professional Exchange database recovery tool that can remove any form of mailbox corruption and restore the .edb file to a healthy state without data loss.

Installing anti-malware agents on mailbox servers

Run the following commands in the Exchange Management Shell on the Mailbox server to set up the anti-malware filtering:

Step 1: Create a malware filter policy

Use the following command to create a malware filter policy (angle brackets mark the values you supply):

    New-MalwareFilterPolicy -Name "<PolicyName>" [-Action <DeleteMessage | DeleteAttachmentAndUseDefaultAlert | DeleteAttachmentAndUseCustomAlert>] [-AdminDisplayName "<Descriptive Comments>"] [-BypassInboundMessages <$true | $false>] [-BypassOutboundMessages <$true | $false>] [-CustomNotifications <$true | $false>] [<Inbound notification options>] [<Outbound notification options>]

Run with only the policy name and the internal sender notification parameters, this creates a new malware filter policy with the following settings:

  • Block email messages that contain malware.
  • Do not notify the sender when malware is detected in a message.
  • Alert the administrator when malware is detected in a message sent by a sender within the organization.

Step 2: Create a malware filter rule

Execute the following command to create a malware filter rule:

    New-MalwareFilterRule -Name "<RuleName>" -MalwareFilterPolicy "<PolicyName>" <Recipient filters> [-Comments "<Comments>"]

A new malware filter rule is created with the given settings:

  • The rule applies to all recipients within the specified domain.
  • The malware filter policy created above is bound to this rule.

Step 3: Verify the policy

Run the following command to verify that the policy was created successfully:

    Get-MalwareFilterPolicy -Identity "<PolicyName>" | Format-List
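The three steps above with concrete values, as an added example that is not part of the original article. The policy name, rule name, domain and administrator address are assumptions; replace them with your own.

```powershell
# Added example: create, bind and verify a malware filter policy (assumed names).
$policyName = 'Contoso Malware Filter Policy'
$ruleName   = 'Contoso Recipients'

# Step 1: delete messages that contain malware, do not notify the sender,
# but alert the administrator when the sender is inside the organization.
New-MalwareFilterPolicy -Name $policyName `
    -Action DeleteMessage `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress 'admin@contoso.com'

# Step 2: apply the policy to every recipient in the assumed contoso.com domain
New-MalwareFilterRule -Name $ruleName `
    -MalwareFilterPolicy $policyName `
    -RecipientDomainIs 'contoso.com'

# Step 3: confirm the policy settings and that the rule is enabled and bound to it
Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, Action, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress
Get-MalwareFilterRule -Identity $ruleName |
    Format-List Name, State, MalwareFilterPolicy, RecipientDomainIs
```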

What to do after setting up the anti-spam and anti-malware agents?

After configuring the protection for your Exchange Server, perform these tasks to avoid surprises.

  • Create an allow list. List all the trusted email servers and endpoints that belong to your organization or your trusted partners.
  • Verify that logging is fully functional and recording data without errors. Monitor the logs for 3 to 4 days to learn what kind of malicious email your organization receives.
  • Tune overly aggressive filtering. Don’t make it so strict that it starts blocking every email from a new IP address.
  • Monitor your organization’s email delivery for at least 2 days. If anti-malware scanning runs into a problem, it can leave messages stuck in the queue.
  • Take a complete backup of the server database. If malware bypasses your defences and corrupts the database, you can restore the Exchange database to a new server and avoid downtime.
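To support the monitoring steps above, here is an added example (not part of the original article) that summarises what the anti-spam agents did over the last few days from the transport agent log, so you can see which agents are acting and which sending IPs are hit most often (candidates for the allow list if they are yours, or evidence the filtering is too strict). The day count and top-N are assumed defaults.

```powershell
# Added example: summarise anti-spam agent actions from the agent log.
function Get-AntiSpamAgentSummary {
    param([int]$Days = 4, [int]$Top = 10)   # assumed defaults

    $start   = (Get-Date).AddDays(-$Days)
    $entries = Get-AgentLog -StartDate $start -EndDate (Get-Date)
    if (-not $entries) {
        return "No agent log entries since $start; check that agent logging is enabled"
    }

    # Which agent acted, and what it did (RejectMessage, DeleteMessage, QuarantineMessage, ...)
    $byAction = $entries | Group-Object Agent, Action |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    # Sending IPs that were blocked most often; internal hosts appearing here
    # usually belong in InternalSMTPServers or on the allow list instead
    $blocked = 'RejectMessage', 'DeleteMessage', 'QuarantineMessage'
    $byIp = $entries | Where-Object { $blocked -contains $_.Action } |
        Group-Object IPAddress | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name

    [pscustomobject]@{
        Since            = $start
        Entries          = $entries.Count
        ByAgentAndAction = $byAction
        TopBlockedIPs    = $byIp
    }
}

$summary = Get-AntiSpamAgentSummary -Days 4
$summary.ByAgentAndAction | Format-Table -AutoSize
$summary.TopBlockedIPs    | Format-Table -AutoSize
```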

Conclusion

With these basic steps and commands, you can set up anti-malware and anti-spam protection in Exchange Server. However, data loss or breaches can still occur even after enabling them. In that case, we recommend trying the Kernel for Exchange Server software. It is a specialized data recovery tool that can handle corruption, recover accidentally deleted messages from the Exchange database, and bring all your data back.

Frequently Asked Questions

Q. My internal emails are getting blocked as spam. How do I resolve this?

Ans. To fix this, configure the InternalSMTPServers list and make sure your internal mail servers’ IP addresses are included in it.

Q. Where does the spam email go in Exchange Server?

Ans. It depends on your Spam Confidence Level (SCL) value. You can choose to delete the message, reject it, or put it in quarantine for review.

Q. Why am I still receiving malware after setting up the Exchange antimalware filtering?

Ans. This mostly happens when you receive a malware variant that the Exchange anti-malware engine does not yet recognise. In this case, I recommend you upload the file to the Microsoft Security Intelligence website and let Microsoft examine it.
