Sender Score Filter
The Sender Score filter allows message filtering using a sender reputation service which provides a numerical reputation score based on the source IP address. It works in a similar way to IP Block List Providers, but the return codes are analyzed differently. It is primarily intended for use with the Return Path Sender Score service.
A Sender Score threshold value can be defined which is the minimum score required for messages to be accepted. Messages with a lower score will be rejected. A list of Allowed Domains can also be defined to bypass sender score filtering for specific sender domains.
The Sender Score filter is an additional filter provided by QSS Exchange Anti-Spam Toolkit as Exchange does not support sender reputation services using any of the included anti-spam agents.
The score for each message will be appended to the custom header X-ReturnPathSenderScore.
We have found the Return Path Sender Score service to be a reliable and effective tool for filtering spam which is not detected through other means. Care is required in tuning the Minimum Sender Score value for your environment.
We recommend starting with a value of 60 or lower, which will result in relatively few false positives. By analyzing the log files after a reasonable volume of mail has been processed by the QSS Sender Score Agent, you can determine the impact on your environment of increasing the Minimum Sender Score value.
Sender domains added to the list of Sender Score Allowed Domains will be excluded from Sender Score processing. In contrast to built-in Exchange filters, Sender Score Allowed Domains is not a whitelist and it does not cause messages to skip any other types of anti-spam filtering.
The Sender Score filter also considers Allowed Senders and Allowed Sender Domains defined for the Content Filter. These senders will also be excluded from Sender Score processing.
Understanding Sender Reputation Services
It is useful to understand the process by which the QSS Sender Score Agent queries a sender reputation service.
In this example, the IP address being queried is 22.214.171.124 and the sender reputation service being queried is score.senderscore.com.
- The provider is queried by performing a special DNS query.
- A DNS lookup is performed for the address 126.96.36.199.score.senderscore.com (note that the IP address octets have been reversed).
The response to the DNS query from the sender reputation service provides the sender score for the message:
- If a DNS entry is not found (no response), then no score is available. This is usually because the domain does not send a high enough volume of mail to be given a sender score. No additional filtering will be performed on the message in this case.
- If a DNS entry is found, a response code will be returned in the format of an IP address.
- The responses are not normally valid IP addresses. They are usually special loopback IP addresses (such as 127.0.0.100) which provide a sender score. The last octet of the returned IP address is the sender score (100 in the above example).
- If the returned score is less than the specified minimum sender score value, QSS Sender Score Agent will reject the message.
- If the returned score is greater than or equal to the specified minimum sender score value, or no score is available, message processing will continue.
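The lookup and decision steps above, as an added example (not QSS code). The function names, the "excluded"/"continue"/"reject" labels and the sample zone are constructed for illustration, and treating a non-loopback answer or a value above 100 as "no score" is an assumption of this sketch.

```python
import ipaddress
import socket
LOOKUP_DOMAIN = "score.senderscore.com"  # default lookup domain named on this page

def query_name(ip, lookup_domain=LOOKUP_DOMAIN):
    """Reverse the IPv4 octets and append the lookup domain."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + lookup_domain

def parse_score(answer):
    """Score is the last octet of a loopback-range answer; None if unusable."""
    try:
        addr = ipaddress.IPv4Address(answer)
    except ValueError:
        return None
    if not addr.is_loopback:
        return None  # assumption: a routable answer (e.g. rewritten NXDOMAIN) is not a score
    score = addr.packed[3]
    return score if score <= 100 else None  # assumption: scores are out of 100

def system_resolver(name):
    """Resolve with the OS resolver; None when no DNS entry is found."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def evaluate(ip, sender_domain, minimum_score=60, allowed_domains=(),
             lookup_domain=LOOKUP_DOMAIN, resolve=system_resolver):
    """Return (action, score) for one message, following the steps above."""
    if sender_domain.lower() in {d.lower() for d in allowed_domains}:
        return ("excluded", None)  # excluded from this filter only
    answer = resolve(query_name(ip, lookup_domain))
    score = parse_score(answer) if answer else None
    if score is None:
        return ("continue", None)  # no score available: no additional filtering
    return ("reject" if score < minimum_score else "continue", score)

def rejection_text(score, lookup_domain=LOOKUP_DOMAIN):
    return (f"Message rejected due to very poor sender reputation at "
            f"{lookup_domain} ({score}/100).")

# Constructed sample zone (documentation-range IPs) so the logic can be run offline.
SAMPLE_ZONE = {
    "10.2.0.192.score.senderscore.com": "127.0.0.35",
    "20.100.51.198.score.senderscore.com": "127.0.0.99",
    "7.113.0.203.score.senderscore.com": "203.0.113.250",  # non-loopback answer
}
```

Passing `resolve=SAMPLE_ZONE.get` exercises the logic without network access; omitting it uses the operating system resolver.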
You can use the Windows command nslookup to manually query a specific sender reputation provider.
For example, the command nslookup 188.8.131.52.score.senderscore.com will perform the lookup in the example above. If the IP address 184.108.40.206 had a score of 99, the output would be similar to the following:
Setting the Sender Reputation Service (Lookup Domain)
By default, the Sender Score filter is pre-configured to work with the Return Path Sender Score service which uses a lookup domain of score.senderscore.com. It is also possible to use other sender reputation services which operate in the manner described above, by changing the Lookup Domain. An example of an alternative service is MailSpike which uses the lookup domain rep.mailspike.net.
Presently, only one sender reputation service can be configured.
The rejection response is automatically generated in the format shown below:
Message rejected due to very poor sender reputation at <lookup domain> (<score>/100).
Minimum Sender Score
If the Sender Score filter is enabled and the score of a message is less than the specified Minimum Sender Score value, QSS Sender Score Agent will reject the message during the SMTP session.
QSS Sender Score Agent generates logs of all messages for which a score is available, or when the message is excluded via any of the Allowed Senders or Allowed Sender Domains lists as explained above. The log files are in the same format as other Exchange logs and are stored in the TransportRoles\Logs folder.
By default, the path to the logs is %ProgramFiles%\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\SenderScoreAgent.