HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server

The information in this article applies to:
This article was previously published under Q319356

IN THIS TASK

SUMMARY

This step-by-step article describes how to prevent unsolicited commercial e-mail messages and how to reduce the possibility that your server can be used to relay unsolicited commercial e-mail messages.

Unsolicited commercial e-mail messages, or junk e-mail messages ("spam"), is an annoyance of modern office and home e-mail message users. To delete these messages wastes time, but its effects can become far more troublesome if your Exchange Server computers are inadvertently being used as relays for mass-mailings.

Some of the recommended changes in this article only apply if your Internet service provider (ISP) provides store and forward services or a smart host for your domain. This is probably the situation if you have a dial-up connection to the Internet or if your ISP provides firewall, routing, or network address translation services for your organization.

back to the top

Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:

NOTE: For more information about how to obtain the service packs and the security updates, see the "References" section later in this article.

This article assumes that you are familiar with the following topics:

back to the top

How to Plan and Implement the Level of Protection

When you plan and you implement the steps to prevent the transmission of unsolicited commercial e-mail messages, there are a number of factors that you must consider.

back to the top

How to Prevent Relaying

Relaying is the action of an inbound connection to your SMTP server being used to send e-mail messages to external domains. With unsolicited commercial e-mail messages, sending a single e-mail message to your SMTP server with multiple recipients in domains external to your organization does this. Because the default setting for SMTP servers is to use anonymous authentication, the system being used to propagate the unsolicited commercial e-mail messages accepts the inbound message as typical. After the message is accepted, the SMTP server recognizes that the message recipients belong to external domains, and then the SMTP server delivers the messages. Therefore, the unauthorized users who send unsolicited commercial e-mail messages only have to send one inbound message to your SMTP server so that it can then be delivered to thousands of recipients, which slows down your Exchange Server computer's responsiveness, congests queues, and causes irritation and annoyance to the recipients when the messages arrive in their Inboxes.

The primary means of controlling relaying is by not granting relay permissions to any other hosts. However, there are times when relaying is required. For example, if you have Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP4) clients who rely on SMTP for message delivery and have legitimate reasons for sending e-mail messages to external domains. You can work around this issue by creating a second SMTP virtual server that is dedicated to receiving e-mail messages from POP3 and IMAP4 clients. This additional SMTP virtual server can use authentication combined with Secure Sockets Layer (SSL) based encryption and can be configured to allow relaying for authenticated clients.

NOTE: If you have POP3 and IMAP4 clients, for additional information about how to encrypt SMTP message delivery, click the article number below to view the article in the Microsoft Knowledge Base:

319267 HOW TO: Secure Simple Message Transfer Protocol Client Message Delivery in Exchange 2000

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
  3. Expand Protocols, and then expand SMTP.
  4. Right-click Default SMTP Virtual Server, and then click Properties.
  5. Click the Access tab to display the Access Control options.
  6. Click the Relay button.
  7. In the Relay Restrictions dialog box, make sure that the selection for which computers may relay is set to Only the list below and that the list is blank.
  8. Unless you are using POP3 and IMAP4 clients with this virtual server, clear the Allow all computers which successfully authenticate to relay, regardless of the list above box, and then click OK.
  9. In the SMTP Virtual Server Properties dialog box, click OK.

back to the top

How to Configure IP Address Restrictions

Configuring Internet Protocol (IP) address restrictions allows you to specify IP addresses, IP ranges or Domain Name System (DNS) domains from which your SMTP server accepts inbound sessions. This technique is useful if your ISP accepts messages on your behalf, and then forwards messages to you, as it prevents other hosts from connecting to your SMTP connector.

NOTE: For IP address restrictions to function, the mail exchange (MX) record on your domain's Internet DNS zone must point to your ISP's e-mail messaging server, not to your Exchange Server computer.

If you receive your external SMTP e-mail messages from your ISP's e-mail messaging server, you can configure IP address restrictions. IP address restrictions indicate that your SMTP virtual server only accepts connections from your ISP's e-mail messaging server.

 

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
  3. Expand Protocols, and then expand SMTP.
  4. Right-click Default SMTP Virtual Server, and then click Properties.
  5. Click the Access tab to display the Access Control options.
  6. To configure IP address restrictions, click the Connection button.
  7. In the Connection dialog box, click Only the list below. This indicates that only the IP addresses and the domains in the list are allowed to connect to the SMTP virtual server. You can add several entries from the types listed:

     
    1. You can add a single IP address for your ISP's e-mail messaging server by typing the address in the IP address box. Alternatively, you can click the DNS Lookup button, type a host name (such as mail.example.com.), and then click OK.
    2. You can add a range of addresses, such as 131.107.2.0 with a subnet mask of 255.255.255.0. Microsoft recommends this procedure if your ISP has a tendency to change the IP address of their e-mail messaging server without warning.
    3. You can also set restrictions on a domain basis, by allowing only connections that come from *.example.com. However, note that this option requires a DNS reverse lookup on each incoming connection, which can adversely affect the Exchange Server computer's performance. For more information, see the "Troubleshooting" section later in this article.
  8. Click OK.

back to the top

How to Implement Authentication

Implementing user-based authentication provides the ability for external hosts or clients to present a username and password to log on to the SMTP virtual server. However, similar to IP address restrictions, configuring authentication is possible only if your ISP is acting as a message relay for your organization, and can provide authenticated connections to your SMTP virtual server. Your ISP must also support Transport Layer Security (TLS), which encrypts the whole authentication and message transfer session.

NOTE: It is not probable that your ISP supports the option for Integrated Windows Authentication (NTLM authentication).

 

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
  3. Expand Protocols, and then expand SMTP.
  4. Right-click Default SMTP Virtual Server, and then click Properties.
  5. To configure access control, click the Access tab, and then click the Authentication button.
  6. In the Authentication dialog box, all of the authentication methods are all selected. Clear the Anonymous access and the Integrated Windows Authentication checkboxes.
  7. If your ISP supports TLS, click the option for Requires TLS encryption under Basic authentication.
  8. You must add a user account and a password to Active Directory, and then inform your ISP of these credentials. This account provides authentication of the inbound connection.
  9. Click OK.

back to the top

How to Set Message Limits

Setting message limits involves changing the default number of recipients per message. This procedure reduces the effect of unsolicited commercial e-mail messages by preventing the delivery of a single message to a large number of individuals. Additionally, you can reduce the maximum message size and the session size.

NOTE: If you reduce the number of recipients per message this procedure can affect delivery to your internal recipients if you have very large distribution lists that receive their e-mail messages by means of SMTP. However, this is not an issue for Messaging Application Programming Interface (MAPI) recipients.

 

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
  3. Expand Protocols, and then expand SMTP.
  4. Right-click Default SMTP Virtual Server, and then click Properties.
  5. On the SMTP Virtual Server Properties dialog box, click the Messages tab. You can now configure a number of message limits.
  6. Click the Limit message size to (KB) box, and then type a smaller value such as 2048 in the Size box.
  7. Click the Limit session size to (KB) box, and then type a value of 4096.
  8. The default number of messages per connection is 20. You do not have to change this value.
  9. The default setting for Limit number of recipients per message is 64,000. Change this setting to a value between 100 and 1000.NOTE: The value you select depends on the messaging needs of your organization and the size of your organization's external distribution lists. Any messages that are larger than this number of recipients is returned to the sender with a non-delivery report (NDR).

     
  10. Click OK.

back to the top

How to Use Reverse DNS Lookup

If you are receiving messages directly from other domains on the Internet, you can configure your SMTP virtual server to perform a reverse DNS lookup on the incoming e-mail messages. This configuration makes sure that the sending e-mail messages server's IP address (and its fully qualified domain name) matches the message sender's domain name. Reverse lookup helps to prevent address spoofing. However, reverse lookup adds an additional load on your Exchange Server computer. See the "Troubleshooting" section for more information. This technique also requires that your Exchange Server computer can contact the reverse lookup zones for the sending domain.

NOTE: If you only configuring your SMTP virtual server to perform DNS reverse lookup, you do not block the non-matching domainname/ipaddress messages. The DNS reverse lookup will resolve the DNS name from the IP address and will replace the DNS name in the header with the name that resulted from the DNS reverse lookup.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

297412 XCON: Perform Reverse DNS Lookup for Incoming Messages

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane of Exchange System Manager, double-click Servers, and then expand the Exchange Server computer that you want to configure.
  3. Expand Protocols, and then expand SMTP.
  4. Right-click Default SMTP Virtual Server, and then click Properties.
  5. To configure reverse DNS lookup on incoming messages, click the Delivery tab.
  6. Click the Advanced button, and then click the Perform reverse DNS lookup on incoming messages check box.
  7. Click OK, and then click OK.

back to the top

How to Configure the SMTP Connector

You may have created an SMTP connector on your Exchange Server computer to make outbound connections and to accept inbound connections to and from other SMTP servers on the Internet. This SMTP connector must be associated with at least one SMTP virtual server to operate. You must verify that the SMTP connector is best configured to reduce your vulnerability to relaying unsolicited commercial e-mail messages.

 

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane of Exchange System Manager, double-click Connectors.
  3. Right-click the SMTP connector that you use for inbound and outbound e-mail messages to the Internet, and then click Properties. This procedure displays the General tab for the SMTP connector's Properties dialog box.

     
  4. If your ISP is providing store and forward facilities for your incoming e-mail messages, it is probable that your ISP also provides a smart host for your outgoing e-mail messages. If this is the situation, click Forward all mail through this connector to the following smart hosts, and then type the FQDN or IP address of your ISP's e-mail messaging server.
  5. Click the Address Space tab and make sure that the Allow messages to be relayed to these domains check box is cleared.NOTE: As the SMTP connector that delivers e-mail messages to the Internet typically has an asterisk (*) (which indicates all domains) as its address space, if you click the Allow messages to be relayed to these domains check box, it enables relaying to all external domains.

     
  6. If you use a smart host for outbound e-mail messages, liaise with your ISP to configure security for e-mail message delivery. Click the Advanced tab, and then click the Outbound Security button.
  7. If your ISP supports authentication and encryption, select Basic authentication, click the Modify button, add the user account and password for access to your ISP's smart host, click OK, and then click to select the TLS encryption check box.



back to the top

How to Confirm that the IP Restrictions Function

  1. To confirm that the IP restrictions function, use your POP3 and IMAP4 clients, and then try to connect from an excluded IP address. You receive a message that indicates that a connection to the server was declined.
  2. To confirm that the relay restrictions function, connect with your POP3 and IMAP4 clients from a non-excluded IP address, and then try to send an e-mail message to an external domain. You receive a message that indicates that the delivery to the external domain was refused because of relay restrictions.
  3. To verify TLS authentication and encryption, confirm that you can receive e-mail messages from your ISP's e-mail messaging server that provides store and forward services for your domain. Run Network Monitor on your Exchange Server computer and capture packets coming from your ISP's e-mail messaging server address on port 25 (0019h). These packets contain encrypted data. You cannot see the user name or password credentials.
  4. To confirm reverse DNS lookup, you must send a message to your domain from an address that does not match the domain that sent it. This message appears in your Badmail folder.

back to the top

Troubleshooting

Any restrictions based on DNS lookup can adversely affect the performance of the Exchange 2000 Server computer. Because the Exchange 2000 computer performs a reverse DNS lookup on each inbound connection, it requires a functioning DNS reverse lookup zone to be available and that the sending host is registered with that zone.

For additional information about how to configure reverse lookup zones, click the article number below to view the article in the Microsoft Knowledge Base:

251509 XFOR: Cannot Restrict Access by Domain Name if DNS Is Not Configured Correctly

back to the top

REFERENCES

For more information about how to prevent unsolicited commercial e-mail messages, see the Exchange Server 2000 Help and the Exchange 2000 Server Resource Kit. A list of resources about how to prevent unsolicited commercial e-mail messages is in the following Microsoft Knowledge Base article:

 

249266 XFOR: Online Resources for Spam Mail Testing and Information

For additional information about how to encrypt SMTP message delivery, click the article number below to view the article in the Microsoft Knowledge Base:

319267 HOW TO: Secure Simple Message Transfer Protocol Client Message Delivery in Exchange 2000

For additional information about how to configure security for incoming POP3 connections to your Exchange 2000 computers, click the article number below to view the article in the Microsoft Knowledge Base:

319273 HOW TO: Secure Post Office Protocol Client Access in Exchange 2000

For additional information about how to configure security for incoming IMAP4 connections to your Exchange 2000 computers, click the article number below to view the article in the Microsoft Knowledge Base:

319278 HOW TO: Secure Internet Message Access Protocol Client Access in Exchange 2000

For additional information about how to configure reverse lookup zones, click the article number below to view the article in the Microsoft Knowledge Base:

251509 XFOR: Cannot Restrict Access by Domain Name if DNS Is Not Configured Correctly

For additional information about the Window 2000 SRP1, click the article number below to view the article in the Microsoft Knowledge Base:

311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002

For additional information about the Windows 2000 SNMP Security Update, click the article number below to view the article in the Microsoft Knowledge Base:

314147 MS02-006: An Unchecked Buffer in the SNMP Service May Allow Code to Run

For additional information about the Windows 2000 Security Patch, click the article number below to view the article in the Microsoft Knowledge Base:

313450 MS02-012: A Malformed Data Transfer Request May Cause the Windows SMTP Service to Stop Working

back to the top

Last Reviewed: 6/5/2003
Keywords: kbhowto kbHOWTOmaster KB319356 kbAudITPro