The Exchange 2007 Anti-Spam Content Filter relies on regular updates to stay up-to-date with ever-changing spamming trends. This is nothing new. The Exchange 2003 Intelligent Message Filter (IMF) has been receiving updates for almost 3 years now. However, as we shall see, the update system for Exchange 2007 changed in a number of ways.
Updates, Updates and more Updates
The Exchange 2003 IMF has access to one update type that is made available twice a month. On the other hand Exchange 2007 has a choice of three update types. However these are not for everyone. Access to the different update types depends on licensing.
Exchange 2007 Standard, just like its predecessor, can only tap into one of the update types. All three update types are available if running Exchange 2007 Enterprise or Microsoft Forefront Security for Exchange. Having clarified this point, let's see what the update types are:
| Type | Enterprise/Forefront | Standard | Details |
|---|---|---|---|
| Content filter updates | Yes | Yes | Similar to what we have in Exchange 2003 IMF. Updates the SmartScreen Spam heuristics. |
| IP Reputation Service | Yes | No | An IP Block list exclusive to Exchange 2007. |
| Spam signature | Yes | No | Signatures of the latest spam campaigns. Used together with Content Filter updates. Enhance the Content Filter SCL rating logic. |
The IP Reputation and Spam Signature updates are more time critical than the Content Filter updates. The IP Block list needs to be refreshed as soon as a new host starts distributing spam. Spam signatures are meant to immediately identify new spam waves, and again responsiveness makes all the difference. Thus Microsoft releases multiple updates for these every day.
To satisfy the need to quickly pick up updates, Exchange 2007 includes the Microsoft Exchange anti-spam update service. This acts as a client to Microsoft Update, polling exclusively for anti-spam updates once every hour.
Finally note that updates are not available to the 32-bit Exchange 2007 build. This build is not supported and is only meant for basic product evaluation. Thus if planning to test anti-spam as part of your Exchange 2007 evaluation, make sure to run the 64-bit build.
Enabling Updates
Just like in Exchange 2003, filter updates continue to be distributed through the Microsoft Update service (not Windows Update).
To start receiving the updates, enablement is required for each Exchange server. Here we find a welcome improvement. Exchange 2003 IMF update enablement required the manual setting of a registry value. This unintuitive switch used to be a hurdle, especially for newcomers. Exchange 2007 has made up for this, providing control both through the Management Console and the Shell. Furthermore the Exchange 2007 SP1 installation will immediately enable update reception.
At the Console select the server under Edge Transport. Here we find the enable/disable updates switch.
On a Hub Transport server we first need to make sure the anti-spam agents are installed, otherwise the updates switch won't show up. For details please refer to The Exchange 2007 Content Filter Agent. Next we control enablement by selecting the server under Server Configuration | Hub Transport.
Clicking Disable Anti-spam Updates will immediately disable reception of all updates and at the console the Enable Anti-spam Updates link is displayed. Clicking the Enablement link to turn it back on will launch a wizard that allows us to select which updates to retrieve.
The Wizard is really mostly relevant to users running Exchange 2007 Enterprise or Forefront Server. If we look at the bottom of the dialog we can see the notice alerting us of this. So if running Exchange 2007 Standard we might as well select the Manual Update mode and complete the wizard. Exchange Enterprise users here can choose between Manual and Automatic updates and whether to also retrieve the IP Reputation and Spam Signatures in addition to the Content Filter updates.
Anti-Spam Updates Cmdlets
The Exchange 2007 command shell supports three cmdlets for managing updates.
Get-AntispamUpdates is the one you will be using most often. It shows which updates are enabled and the currently installed update versions.
Enable-AntispamUpdates/Disable-AntispamUpdates allows us to enable/disable the reception of anti-spam updates.
The Enable/Disable cmdlets provide similar functionality to that provided by the console, with a little more flexibility. However, I won't discuss the cmdlet parameters here; for details refer to the TechNet documentation linked in the References section. Just keep in mind that if you are running Exchange 2007 Standard, most of the options do not apply.
Let's have a look at Get-AntispamUpdates. Here is what we get by running the cmdlet immediately after installing Exchange 2007 SP1 without ever receiving any updates.
Note how for each of the three update types we have the installed update version. We will be using that in a moment. However before that, we have to deal with a problem. Have a look at this value:
MicrosoftUpdate: NotConfigured
This means Microsoft Update is not enabled on this server. Thus we won't receive anything even though the Exchange Management Console shows that updates are enabled. To resolve this issue, all we need to do is visit Microsoft Update and allow it to install. Once ready, re-running Get-AntispamUpdates returns MicrosoftUpdate as Configured.
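The mismatch described above, where updates are shown as enabled while MicrosoftUpdate is NotConfigured, can be checked per server from the shell. This is an added example, not code from the original article: the function names, server names and sample states are hypothetical, and the UpdateMode property with its Disabled value is assumed from the Enable-AntispamUpdates parameters.

```powershell
# Added example. Classifies the state returned by Get-AntispamUpdates.
# Assumption: the returned object exposes UpdateMode next to the
# MicrosoftUpdate value shown in the article.

# Builds a simple object from a list of name/value pairs (PowerShell 1.0 safe).
function New-Record($pairs) {
    $o = New-Object PSObject
    for ($i = 0; $i -lt $pairs.Count; $i += 2) {
        $o | Add-Member -MemberType NoteProperty -Name $pairs[$i] -Value $pairs[$i + 1]
    }
    $o
}

function Test-AntispamUpdateState($server, $state) {
    # Cast to string so enum values and plain strings compare the same way.
    $mode = "$($state.UpdateMode)"
    $mu   = "$($state.MicrosoftUpdate)"

    if ($mode -eq 'Disabled') {
        return New-Record 'Server', $server, 'Healthy', $false,
            'Reason', 'Anti-spam updates are disabled'
    }
    if ($mu -ne 'Configured') {
        # The case from the article: enabled in the console, nothing delivered.
        return New-Record 'Server', $server, 'Healthy', $false,
            'Reason', "Updates enabled ($mode) but MicrosoftUpdate is $mu"
    }
    New-Record 'Server', $server, 'Healthy', $true,
        'Reason', "Updates enabled ($mode) and Microsoft Update configured"
}

# Constructed sample states so the check can be tried without an Exchange server.
$samples = @(
    @('EDGE01', (New-Record 'UpdateMode', 'Manual',    'MicrosoftUpdate', 'NotConfigured')),
    @('HUB01',  (New-Record 'UpdateMode', 'Automatic', 'MicrosoftUpdate', 'Configured')),
    @('HUB02',  (New-Record 'UpdateMode', 'Disabled',  'MicrosoftUpdate', 'NotConfigured'))
)
foreach ($s in $samples) { Test-AntispamUpdateState $s[0] $s[1] }

# In the Exchange Management Shell, against live servers:
# Get-TransportServer | ForEach-Object {
#     Test-AntispamUpdateState $_.Name (Get-AntispamUpdates -Identity $_.Name)
# } | Where-Object { -not $_.Healthy }
```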
Getting the Latest Updates
It is now time to return to the update versions that Get-AntispamUpdates supplies. This is what we need when checking whether the latest updates are in place. Microsoft conveniently provides an RSS feed listing all the released updates and their versions. Here are the links; just subscribe to the relevant feed in your RSS reader:
Exchange 2007 Content Filter Updates Feed
Exchange 2003 IMF Updates Feed
And here is what the feed looks like in RSS Bandit.
If we look closely, we can see a number of IP Block List and Anti-spam Signature updates on the same day. Also note how each update specifies exactly whether it is meant for Exchange Enterprise or Exchange Standard. Indeed, even though both receive the Content Filter updates, separate releases are made for the two Exchange flavours. Lastly each entry of course includes the update version and the release date.
As expected we don't have the latest updates since this is a fresh Exchange install. So here I manually check Microsoft Updates:
Completing the install we confirm that Get-AntispamUpdates now shows the latest version for the Content Filter update.
Final Tips
Updates in Exchange 2007 continue to be important for obtaining good filtering results. The system now supports three update types. However if running Exchange 2007 Standard we can only benefit from the Content Filter updates.
Better support is available for enabling and managing updates through the Management Console and Shell.
References
The Exchange 2007 Content Filter Agent
TechNet: How to Configure Anti-Spam Automatic Updates
TechNet: Anti-Spam Updates
Get-AntispamUpdates
Enable-AntispamUpdates
Disable-AntispamUpdates