1

We have an Exchange 2013 server, and the company that we purchased it from made an offer to also filter our incoming e-mail prior to it reaching us (we also send out e-mail through them).

It has never really been that good, in that we still receive a lot of spam, and whenever I check the statistics on their anti-spam filtering there's only a handful of e-mails in there.

I have been reading up on the built-in Anti-Spam and Malware protection in Exchange 2013 and it seems like it's there to do the job and there shouldn't really be a need to use external filtering (unless you're extremely paranoid etc.).

Are there companies out there that do just deliver e-mail directly to their Exchange server and use the built-in Anti-Spam and Malware protection?

Basically we have around 1,000 users and each user costs us £1.50 per month in anti-spam filtering using this company, and I am trying to work out whether their service offers us anything that the built-in Anti-Spam and Malware protection can't, which would add a nice bit of cash back into the budget.

SMW
  • At my company, 95% of the emails we receive are spam. We outsource our filtering so that we keep all of that traffic off of our internet connection. For us, the cost of upgrading our internet connection to handle the additional traffic dwarfs the cost of paying for outsourced spam filtering. – longneck May 01 '15 at 14:25
  • it depends on your configuration and needs. – Jim B May 04 '15 at 18:30

4 Answers

1

So in my opinion, while the onboard Exchange 2013 antispam protection is ok, most don't deploy an "Edge server" in their smaller Exchange environments. The benefit of a 3rd party SMTP gateway (whether an in-house appliance or SaaS) is that mail doesn't hit your servers for processing and dealing with the "bad ones". Think of it in terms of having a bouncer at the club instead of making the bartender decide.

You end up exposing your Exchange server(s) to a much smaller potential of spam/viruses, and you usually get the added benefit of an easier to utilize message tracking dashboard to tell you why something was allowed or not, whitelisting/blacklisting/EUQ, etc.

That's not to say the on-board is bad, or at least not as bad as it was 2 or 3 iterations of Exchange ago, it can suffice, but if I were you I'd work with my vendor to see if you can clean up what they offer and if not there are plenty of others out there. Spamsoap is a cheap solution that works quite well for instance. Or you can utilize O365 if you want to go that route, etc.

TheCleaner
  • Is Exchange Online Protection basically the same sort of service as what our current provider offers? We set our MX records to them, and set our SMTP to send e-mail through them. Would this be the same using Exchange Online Protection? I notice that it's quite a bit cheaper, and as you've suggested, I would prefer to keep some sort of external filtering. – SMW May 01 '15 at 13:31
  • Correct, same same. – TheCleaner May 01 '15 at 15:40
0

Usually an antispam product that you rent will do the DNSBL/RBL checkup for you. Thus you change the MX to point at them, and they forward the email to you after the antispam check (and you usually restrict the SMTP forward on your router to only allow that external antispam IP). You can save on bandwidth, if you receive a lot of spam, and on the administration burden.

You can also enter the DNSBL check in your Exchange if you have an Edge server for that part. An example below:

```powershell
# Install the built-in anti-spam agents, then restart transport so they load
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Restart-Service MSExchangeTransport

# Add some basic DNSBL providers
Add-IPBlockListProvider -name bl.spamcop.net -lookupdomain bl.spamcop.net
Add-IPBlockListProvider -name zen.spamhaus.org -lookupdomain zen.spamhaus.org

# Delete mail from spoofed domains
Set-SenderIDConfig -SpoofedDomainAction Delete

# Sender reputation blocking, and block mail with blank sender info
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 6 -SenderBlockingPeriod 36
Set-SenderFilterConfig -BlankSenderBlockingEnabled $true

# Content filter: quarantine instead of rejecting
Set-ContentFilterConfig -SCLQuarantineThreshold 6
Set-ContentFilterConfig -SCLDeleteEnabled $true
Set-ContentFilterConfig -SCLQuarantineEnabled $true -QuarantineMailbox administrator@somedomain.com
Set-ContentFilterConfig -SCLRejectEnabled $false
```

This script installs the anti-spam agents, adds in some basic DNSBLs, turns off email rejection and quarantines all mail instead, deletes email from domains that are spoofed, and blocks mail with blank sender info.

From http://jjstellato.blogspot.ca/2013/01/exchange-2013-enable-antispam-and.html

Connection filtering is an anti-spam feature in Microsoft Exchange Server 2013 that allows or blocks email based on the message source. Connection filtering is performed by the Connection Filtering agent that's available only on Edge Transport servers. The Connection Filtering agent relies on the IP address of the connecting mail server to determine what action, if any, to take on an inbound message.

From: https://technet.microsoft.com/en-us/library/bb124320(v=exchg.150).aspx

For your question, it's good enough, as you can do the same checkup as a rented antispam product (but you need to tune it to your needs and you need an Edge server for Exchange 2013).

yagmoth555
  • Are RBL's supported in Exchange 2013? AFAIK, they can be configured but they don't actually filter anything? http://bit.ly/1FCetbj – Aditya K May 01 '15 at 13:21
  • Is the link that @AdityaK mentioned correct (an Edge Transport Server is required to do DNSBL/RBL lookups)? – SMW May 01 '15 at 13:30
  • @SMW An Edge is always a best practice, to not face your server on the internet, so I would not be surprised MS changed the policy to restrict that to the Edge's only. – yagmoth555 May 01 '15 at 13:58
  • @SMW Edited my answer. yes, only available on Edge now in 2013. – yagmoth555 May 01 '15 at 14:13
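What a DNSBL provider entry such as `zen.spamhaus.org` does for the connecting IP address, shown as an added example that is not part of the original answers: the IPv4 octets are reversed, the lookup domain is appended, and the A-record answer is interpreted. The function names and the `$sample` answers are constructed for illustration, and the default resolver assumes `Resolve-DnsName` is available (Windows Server 2012 or later).

```powershell
# Added example; function names are hypothetical. IPv4 only.
function Get-DnsblQueryName {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$LookupDomain)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "This example handles IPv4 addresses only."
    }
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)          # 192.0.2.10 -> 10.2.0.192
    ($octets -join '.') + '.' + $LookupDomain
}

function Get-DnsblVerdict {
    param([string[]]$Answers)          # A records for the query name; none = NXDOMAIN
    if (-not $Answers) { return 'NotListed' }
    # Spamhaus uses 127.255.255.0/24 for lookup errors (e.g. query refused), not listings.
    if ($Answers -like '127.255.255.*') { return 'LookupError' }
    if ($Answers -like '127.*')         { return 'Listed' }
    'Unexpected'
}

function Test-Dnsbl {
    param([string]$IPAddress, [string]$LookupDomain,
          # Default resolver performs a real DNS query; pass a stub to run offline.
          [scriptblock]$Resolver = {
              param($name)
              Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
          })
    $name    = Get-DnsblQueryName -IPAddress $IPAddress -LookupDomain $LookupDomain
    $answers = @(& $Resolver $name | Where-Object { $_ })
    [pscustomobject]@{ Query = $name; Answers = $answers -join ','
                       Verdict = Get-DnsblVerdict -Answers $answers }
}

# Constructed answers standing in for DNS so the demo runs offline.
$sample = @{
    '2.0.0.127.zen.spamhaus.org'  = '127.0.0.2'        # RFC 5782 test entry: always listed
    '10.2.0.192.zen.spamhaus.org' = '127.255.255.254'  # error code, must not block mail
}
$stub = { param($name) $sample[$name] }
'127.0.0.2', '192.0.2.10', '192.0.2.20' | ForEach-Object {
    Test-Dnsbl -IPAddress $_ -LookupDomain zen.spamhaus.org -Resolver $stub
}
```

Dropping `-Resolver $stub` and testing `127.0.0.2` from the mail server itself shows whether the provider actually answers through the DNS resolver that server uses. On an Edge Transport server, `Add-IPBlockListProvider` also accepts `-IPAddressesMatch` to match only specific return codes rather than any answer.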
0

Just to give you my experiences:

I tried to configure RBL's in Exchange 2013, but found they weren't actually filtering anything.

In the end I used a CentOS server as a relay for inbound SMTP connections and configured RBL's in postfix. I also used SpamAssassin for spam filtering.

We only have a small office so this solution works well. Larger organisations may find SpamAssassin consumes too much memory.

Aditya K
0

Several companies I have worked for have completely given up on the administration and bandwidth burden of running an in-house mail server. One moved to Office 365 and the other to Google Apps for Business. Both support 20K users easily. In return you pay a nominal fee (Google used to charge < $45 per user per year) for the whole suite including themed Gmail interface, Google Drive, G+, Hangouts (video, text and audio chat facilities).

And as an administrator I had very little to do to maintain the communication system after paying and setting it up, but you do have to surrender control and accept your mail will be stored outside your network.

If you want to keep Spam/Virus filtering in your control consider http://www.altn.com/Products/SecurityGateway-Email-Firewall/ - I have not run it for 1000 users, but I have run it for 250-500 user organisations with great success.

Sam