Protecting Your Organization

Guarding Against Email Threats

Use an email authentication system to identify mail and help reduce domain spoofing. Popular approaches include Sender ID, DomainKeys Identified Mail, and the Sender Policy Framework.

Maintain a strong email scanning presence at the edge of the logical network perimeter.

How Microsoft IT Guards Against Email Threats

Microsoft IT’s messaging protection challenges are similar to those of other enterprise environments. Like most IT organizations, Microsoft IT faces an ever-escalating stream of spam, viruses, and unwanted message submission attempts to mailboxes, contacts, distribution groups, and public folders. These attacks waste resources, distract recipients, put assets at risk, and provide an avenue for social hacking and phishing scams, among other security issues. In addition to these common threats, Microsoft IT sees advanced attacks that exploit messaging systems, involving spyware, worms, botnets, and polymorphic malware.

Inbound mail to Microsoft goes through a three-tiered cleansing process—anti-malware scanning, file removal, and spam filtering. In keeping with Microsoft IT’s goal of stopping harmful messages at the earliest possible point, Microsoft IT has deployed Forefront Security for Exchange Server on all mail servers, which uses five different antimalware engines to provide protection for incoming and outgoing email. On average, Microsoft filters between 5 and 10 million email messages a day that contain malware or spam and removes more than 100 different types of executable files from incoming messages.

For more information, see Messaging Hygiene at Microsoft: How Microsoft IT Defends Against Spam, Viruses, and Email Attacks.

Insist that your mail servers use both inbound and outbound authentication controls to protect your brand from being harmed by attackers (a tactic called reputation hijacking or brandjacking) and to keep your customers safe from email spoofing.

Use a mail client that actively blocks active content and the automatic opening of attachments. Current versions of Microsoft Outlook, Hotmail, Outlook Express, and Windows Live Mail, in conjunction with the security zone settings in Internet Explorer 8, can help deter IFrame attacks and prevent the unintentional opening of executable attachments.

The Messaging Anti-Abuse Working Group recommends the following set of email transmission best practices for Internet and email service providers:

  • Provide email submission services on port 587, as described in RFC 2476.
  • Require SMTP authentication for email submissions, as described in RFC 2554.
  • Abstain from interfering with connectivity to port 587.
  • Configure email client software to use port 587 and authentication for email submission.
  • Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions.
  • Monitor outbound email traffic patterns and look for deviations from normal behavior, such as abnormally large bursts of email traffic.
  • Disable computers or individual email accounts that have been compromised and are being used to send out spam.
  • When possible, process abuse complaints from third parties for email that originated from your mail servers. These complaints often point the way to a compromised computer.

For the complete list of recommendations from the Messaging Anti-Abuse Working Group, see “Managing Port 25 for Residential or Dynamic IP Space: Benefits of Adoption and Risks of Inaction”.
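
The outbound-monitoring recommendation in the list above (look for abnormally large bursts of email traffic) can be sketched as follows. This is an added example, not code from the original page or from the Messaging Anti-Abuse Working Group; the log format, thresholds, and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed log format (an assumption, not a real MTA's output):
#   <UTC ISO timestamp> client=<ip> from=<sender> nrcpt=<recipient count>
LINE_RE = re.compile(r"^(\S+) client=(\S+) from=<[^>]*> nrcpt=(\d+)$")

# Constructed sample: .8 is a steady bulk sender, .9 suddenly bursts,
# .7 is a host with no sending history at all.
SAMPLE = """\
2024-03-04T09:00:30 client=10.0.0.8 from=<news@example.com> nrcpt=200
2024-03-04T09:05:30 client=10.0.0.8 from=<news@example.com> nrcpt=210
2024-03-04T09:00:40 client=10.0.0.9 from=<b@example.com> nrcpt=1
2024-03-04T09:05:40 client=10.0.0.9 from=<b@example.com> nrcpt=2
2024-03-04T09:10:01 client=10.0.0.9 from=<x@example.net> nrcpt=150
2024-03-04T09:10:02 client=10.0.0.9 from=<y@example.net> nrcpt=250
2024-03-04T09:10:50 client=10.0.0.7 from=<c@example.com> nrcpt=120
""".splitlines()

def window_counts(lines, window=300):
    """Sum recipients per client per time window; skip unparseable lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        counts[m.group(2)][int(ts.timestamp()) // window] += int(m.group(3))
    return counts

def find_bursts(lines, window=300, factor=5, floor=50):
    """Flag windows above an absolute floor AND factor x the client's own
    baseline (median of its other windows; 0 when it has no history)."""
    alerts = []
    for client, buckets in window_counts(lines, window).items():
        for bucket, n in buckets.items():
            others = [v for b, v in buckets.items() if b != bucket]
            baseline = median(others) if others else 0
            if n >= floor and n > factor * baseline:
                start = datetime.fromtimestamp(bucket * window, tz=timezone.utc)
                alerts.append((client, start.isoformat(), n))
    return sorted(alerts)

if __name__ == "__main__": print(find_bursts(SAMPLE))
```

Comparing each host against its own baseline keeps a steady bulk sender quiet, while the absolute floor still catches a previously silent host whose first window is already large.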
