In-Depth
What’s New in Exchange 2003
Spam-stopping features are included in this new version.
So, what has Microsoft been up to while the spam tsunami was breaking over our heads? Working on Exchange 2003, for one thing. Although Exchange 2000 offers no real protection from spam, Exchange 2003 incorporates several features designed to either stop spam or make it easier for add-in products to stop spam. I had a conversation with one of the program managers on the Exchange team about these new features.
First, there are some anti-spam features “in the box.” Exchange now has the concept of global accept and deny lists. These are lists of SMTP addresses from which you wish to always accept or always refuse mail, sometimes called whitelists and blacklists. Exchange also supports using DNSBL servers for filtering. You can configure multiple DNSBL rules on a single Exchange server. These rules support exception lists, so you can make sure that your trusted partners don’t get accidentally blocked by a DNSBL.
Exchange can now be set up to refuse messages for nonexistent users, and you can choose not to send a non-delivery receipt (NDR) when a message arrives for a nonexistent user. This prevents the common dictionary attack where a spammer tries to determine which e-mail addresses are valid in your domain by sending test e-mails to thousands of names and watching for NDRs.
Exchange 2003 also implements a new anti-spam API that can be used in partner solutions to analyze incoming messages. Similar to the existing anti-virus API, the anti-spam API lets an external program look at each message and assign it a “Spam Confidence Level”—a number from zero (definitely not spam) to nine (almost certainly spam). The system administrator can choose the threshold confidence level at which they wish to start deleting or quarantining mail. All of the major vendors are working on products that will use the new API to integrate more tightly with Exchange. The API is private, but Microsoft is sharing it widely with interested ISVs.
Outlook 2003 also includes some features designed to work well with Exchange
2003 in fighting spam. In addition to its own anti-spam engine, Outlook
2003 lets the user maintain a whitelist and blacklist. These lists can
be maintained on the client, but users can upload them to the Exchange
server so that the messages never reach the client at all. Outlook Web
Access can also work with these lists. Finally, Outlook also strips out
HTML content such as Web beacons to prevent spammers from phoning home
if they do manage to slip a message through.
If you’re considering whether to upgrade an existing Exchange 2000 organization
to Exchange 2003, you might find that these new features help tilt the
scales toward upgrading. The release over the next few months of partner
solutions designed to integrate with the new anti-spam API should continue
to make Exchange 2003 even more attractive and lower the cost of fighting
spam even more.
About the Author
Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.