Exchange Server 2003 Fights Spam, Email Viruses

Paul Thurrott discusses Exchange 2003's security features, which include tools for fighting email viruses and junk mail.

Paul Thurrott

April 15, 2003


Last January, I wrote about the escalating problem with spam and wondered how Microsoft could release major new versions of Microsoft Exchange Server 2003 and Microsoft Office Outlook 2003 this year without including antispam features. Later, I discussed this matter with a member of the Exchange development team and learned that Microsoft will address junk mail in both Exchange 2003 and Outlook 2003, although the details weren't forthcoming. This week, Microsoft is discussing Exchange 2003's security features, which include tools for fighting email viruses and junk mail.

Spam is a huge and growing problem. Microsoft cites a November 2003 Gartner report that spam is increasing at a rate of 1000 percent per year, and the report predicts that by 2004, more than 50 percent of all email-message traffic will be spam unless organizations take steps now to stem the growing tide. Exchange 2003 works to stop spam at the edge of the network, before the spam reaches users' Inboxes. In keeping with past policy, however, the Microsoft antispam tool isn't a full-featured solution. Instead, the company encourages third-party developers to create solutions that plug into Exchange and scan incoming email messages. The tool attaches a numeric score, or Spam Confidence Level (SCL), to each message that indicates the probability that the message is spam. Based on a threshold that the Exchange administrator sets, Exchange 2003 forwards the message to either the recipient's Inbox or junk-mail folder.

Naturally, Microsoft would prefer that users install the latest version of its messaging client, Outlook 2003, in tandem with Exchange 2003. Those users who do so will benefit from an integrated solution that combines antispam features on the server with antispam features on the client. As a standalone application, Outlook 2003 already includes a serviceable junk-mail filter that uses Bayesian-like filtering technology. However, Outlook combined with Exchange offers a solution that prefilters spam, thus reducing network traffic. Users can also integrate their Outlook-based blacklists and accepted senders lists with the server so that their settings are available from any PC or mobile device. Likewise, users who move between Outlook Web Access (OWA) and the Outlook client will always have access to their antispam settings.

To help battle email-borne viruses, Microsoft introduced its Virus Scanning API (VS API) for Exchange 2000 Server and later, which lets third-party vendors provide integrated antivirus tools. With Exchange 2003, Microsoft has updated VS API to version 2.5, which supports new functionality. For example, VS API 2.5-enabled tools can scan outgoing and incoming email for viruses. VS API also makes deleting infected messages easier and sends warning messages to those who send and receive infected email messages, which could stem the spread of virus-infected email.

Also, Exchange 2003 will ship in locked-down mode, making this Microsoft's first full-fledged server product to take advantage of the security ideals behind the company's Trustworthy Computing initiative. In Microsoft parlance, Exchange 2003 will be "secure by design, secure by default, and secure in deployment." We'll have to wait and see how Exchange 2003 fares in the real world before delivering a verdict, but clearly, Microsoft is more serious about security now that its customers are demanding it. Certainly, Exchange 2003 should prove to be a more secure product than its predecessors.

Not coincidentally, the company is also touting the security benefits of Windows Server 2003 this week, and because many enterprises will choose to run Exchange 2003 on top of Windows 2003, I want to quickly examine some of the relevant security features in this product as well. Certain components of Windows 2003, such as Microsoft IIS and Internet Explorer (IE), are locked down, not installed by default, or otherwise configured in the most secure setting possible. One of the more interesting aspects of security in Windows 2003, however, is the revelation that misconfigurations cause 95 percent of security problems. So Microsoft is working on ways to simplify configuring Windows security. In mid-2003, the company will issue a tool called the Security Configuration Wizard for Windows 2003. The tool will help manage security by server role, in keeping with the product's new roles-based management scheme.

And finally, on a related note, I came across a fascinating report about junk mail that will interest many Windows & .NET Magazine UPDATE readers. According to the Center for Democracy & Technology (CDT), most junk mail comes from displaying email addresses on public Web sites, but ways exist to avoid spam even after your email address has been made public. It's a great report and well worth reading. http://www.cdt.org/speech/spam/030319spamreport.shtml

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
