Registering You Spam Filter
In order for you spam
filter script to work you need to register it with the SMTP service as
an event. The script provided by Microsoft,
SMTPreg.vbs,
will be used to register your script. The first step is copy your spam
filter script and
SMTPreg.vbs
to your Exchange server(s) that excepts incoming SMTP mail, if you have
multiples this will need to be done on each one of them.
Once you have the scripts copied to your
Exchange server run the following command to register your script.
cscript SMTPreg.vbs /add 1
OnArrival SPAMFilter CDO.SS_SMTPOnArrivalSink "mail from=*"
This adds an
OnArrival
event sink to the first SMTP virtual server on the Exchange server when
any messages are received. The
SMTPFiler
is the display name of the sync we are registering, which can be changed
if you wish. The next parameter is the CDO class that will be used to
process the sink. The setting,
mail from=*,
is the rule for what mail to
process. If you run just
cscript
SMTPreg.vbs it will display the
usage and parameters of the script.
The event sink is now registered but we
need to set a few properties on it first before it will actually do
anything by running the following line.
cscript SMTPreg.vbs /setprop 1
OnArrival SPAMFilter Sink ScriptName "c:\Script\SMTPSPAMFilter.vbs
The
Sink
parameter is the ?PropertyBag? which is the where the properties for
this event will be stored. The next one,
ScriptName,
is the property name we will be setting and last is value for this
property.
Assuming you
registered you spam filter you should test it out immediately to
make sure valid e-mail is getting delivered still. Trying sending a
message from an external mail system, like hotmail.com, and make sure
you receive it. Then try sending a message with one of the keywords in
it. After you send the ?spam? message it should be in the
BadMail
directory, you can open the .BAD files in this directory with notepad to
view their content.
If you need to make
changes to your spam filter script you can do so ?on the fly? by just
opening it up and making the changes and then saving the file. I would
highly recommend that you re-test the script after each change to
make sure it is still working correctly.
The included script
includes additional features like logging, more extensive keyword
filtering, spam filtering levels, querying of blacklist servers, and all
environment specific variables and constants are set at the top of the
script.
The include script
generates four log files,
SMTP.log,
SPAM.log,
KeyWordSPAM.log and
NewSPAMHosts.log.
The
SMTP.log file contains limited
information from messages that aren?t flagged as spam. The
SPAM.log
contains the similar data but only for messages flagged as spam because
a contact was found in the AD.
KeyWordSPAM.log
is similar to
SPAM.log,
but only contains log data for messages that were filtered out due to a
keyword match. In addition, this log includes the keyword caused the
message to be flagged as spam. This should make it a lot easier to find
those false positives since the vast majority will be due to keyword
matches. The last log file,
NewSPAMHosts.log,
includes a list of any hosts that spam was detected based on a keyword
match or ?blacklist? match. This log file can be used as a source for
another script that tries to determine if the hosts in this log are spam
hosts or not. This addition script will be covered in Part 2 of
Managing Spam.
These logs will be
very valuable in adding new spam host to the AD and removing invalid
ones. Also because you now have a log of all incoming SMTP mail you can
inform your users to forward you any spam they receive. Then based on
the time the message was sent to them you can look in the
SMTP.log
file to find out the host that sent it and then create a contact to
filter out mail from this host in the future. In addition, these logs
will help you find valid messages that were filtered out by looking
though the
SPAM.log and
KeyWordSPAM.log
files. I would highly suggest that you monitor these files for a few
days very closely after setting up or making changes to your spam
filters, just to make sure valid e-mail isn?t being filtered out.
To help reduce the
number of spam messages received by my users I added in support to query
a handful of the public ?blacklist? servers. These servers act as a
regular DNS server and when queried return a 127.0.0.x address if the IP
queried on is in their ?list.? For environments that get a large amount
of incoming SMTP mail they may need to disable this check since it can
take a second or two to carry it out, which could cause an excessive
number of messaged to be queued up and delayed.
In Part 2 of Managing
Spam I will cover a client side script that can be used to populate your
spam host contacts in the AD. This script will look in an Outlook
folder to get the message header from the messages in this folder and
then try to determine if the host that sent the message is a spamer. If
it is it will then create a contact and set multiple properties on that
contact so you can find out why it was flagged as a spam host. This
same script will also read in values in the
NewSPAMHosts.log
file created by the attached spam filter script. In addition,
SMTP.log
includes support to log key information that can be copied into
NewSPAMHosts.log
to further simplify the creation of spam host contacts in the AD. With
this additional script all you need to do is copy a line from the
SMTP.log
into
NewSPAMHosts.log
and run the script to filter out a
host. |
