Filter for Microsoft Exchange

Although the default Microsoft Exchange spam filter already has a selection of functions to help block spam and shield businesses from email-based threats like phishing, malware and ransomware, very few people speak highly of this default system.

A common criticism is that the default Exchange anti-spam mechanisms are not as effective at detecting spam as a third-party solution, and that many threats get past Microsoft’s systems and are delivered to inboxes. It only takes one employee to respond to a phishing email, so protection from these threats is vital.

A reason for this is the way third-party solutions handle spam detection: they use Greylisting to block spam from a previously unknown source, and SURBL filters to locate harmful URLs within your emails. Other features that can increase Exchange email security are also absent from Microsoft’s default Exchange spam filter, Exchange Online Protection (EOP), or have to be paid for separately by upgrading to Advanced Threat Protection (ATP). For lots of businesses, ATP is extremely expensive, especially when third-party solutions are undeniably cheaper and provide equal if not better protection.

SURBL filtering works in a similar way to RBLs, but rather than comparing the IP addresses of incoming emails against a list of known spam sources, the filters compare links in emails against a list of URLs known to be threatening. This prevents a user from unknowingly clicking a malicious link that leads to malware or ransomware.

One of the “absent” or “paid for” features is anti-spam Exchange outbound scanning. Outbound scanning is particularly important for Office 365 users following the new “IP Reputation” marking system, as any business considered to be sending spam or other threatening mail might end up on Microsoft’s Real-time Blackhole List. This wouldn’t just affect business-critical communication channels but could also result in the business’s website being blacklisted.

Once you combine anti-spam for Exchange with Office 365 and Exchange Online Protection (or Forefront Protection for Exchange 2010), the complexity of anti-spam for Exchange multiplies. This means businesses that want to use the Directory Synchronization feature to help better manage their email accounts have to subscribe to an Advanced Threat Protection package. Third-party email filtering solutions eliminate this complexity and messiness, which is another reason why they are so often favoured over the Microsoft Exchange spam filter.

Anti-spam Exchange outbound filtering monitors outbound emails for any signs of spam, which could indicate that an email account has been subject to a phishing attack. Anti-spam Exchange outbound filtering is important, but Office 365 users only get access to this useful feature if they pay for it via an Advanced Threat Protection package.

Greylisting and SURBL filtering could significantly increase email security, if they were present. When third-party anti-spam solutions are brought in, these two functions work independently of Microsoft’s Real-time Blackhole Lists (RBLs) to enhance spam detection rates and block phishing emails from reaching their intended target. Greylisting increases spam detection rates from Microsoft’s 99% to 99.97% with absolutely no false positives. Greylisting involves rejecting a message and requesting that the originating server resend it. A spammer’s server is usually too focused on huge spam campaigns to respond. This delay tells the system that the message has come from a new spamming source.

While highly recommended, having Greylisting enabled delays message delivery by just a few minutes. When it is used in tandem with whitelisting for trusted senders, important emails will not be delayed.
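
The greylisting and whitelisting behaviour described above, as an added sketch that is not code from Microsoft or any filtering vendor. The triplet key (client IP, envelope sender, recipient), the 451 temporary-failure reply, the timing constants and the sample traffic are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300           # assumed: a retry sooner than 5 minutes is still deferred
RETRY_WINDOW = 4 * 3600   # assumed: a pending first attempt expires after 4 hours
DEFER = "451 4.7.1 Greylisted, please retry later"

@dataclass
class Greylist:
    whitelist: set = field(default_factory=set)     # trusted sender domains
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        # Simplification: the envelope sender is spoofable, so production
        # whitelists usually key on the sending IP or an authenticated domain.
        domain = mail_from.rsplit("@", 1)[-1].lower()
        if domain in self.whitelist:
            return "250 OK (whitelisted, no delay)"
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 OK (known triplet)"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RETRY_WINDOW:
            self.first_seen[triplet] = now   # first contact: ask for a resend
            return DEFER
        if now - seen < MIN_DELAY:
            return DEFER                     # retried too quickly
        self.passed.add(triplet)             # a real mail server queued and retried
        del self.first_seen[triplet]
        return "250 OK (retry accepted)"

def replay(events, whitelist):
    """Run (time, ip, from, to) events through a fresh greylist; return reply codes."""
    gl = Greylist(whitelist=set(whitelist))
    return [gl.check(ip, frm, to, t).split()[0] for t, ip, frm, to in events]

# Constructed sample traffic, not taken from any real mail log.
SAMPLE = [
    (0,   "192.0.2.10",   "alice@partner.example", "bob@corp.example"),  # first contact
    (5,   "198.51.100.7", "promo@bulk.example",    "bob@corp.example"),  # never retries
    (10,  "203.0.113.5",  "ceo@trusted.example",   "bob@corp.example"),  # whitelisted
    (60,  "192.0.2.10",   "alice@partner.example", "bob@corp.example"),  # retry too soon
    (400, "192.0.2.10",   "alice@partner.example", "bob@corp.example"),  # proper retry
    (500, "192.0.2.10",   "alice@partner.example", "bob@corp.example"),  # later mail
]

if __name__ == "__main__":
    print(replay(SAMPLE, {"trusted.example"}))
```

The bulk sender that never retries stays deferred, the whitelisted sender is accepted on first contact, and the legitimate server is delayed only until its first valid retry.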

Another common criticism of the Microsoft Exchange spam filter is that it is far too complicated. Of course, the aim of anti-spam for Exchange is spam detection and reporting. However, due to the complex nature of anti-spam for Exchange, Spam Confidence Levels can be set too low, with the outcome that the system as a whole is ineffective at this task. If they are set too high, on the other hand, safe emails could be quarantined because of marginally spam-like content.