Office 365 FOPE


Office 365: Spam Protection - Grid User Post
2011-Oct-10 6:48 PM
Written By Grid Member   Jorge Diaz - Planet

As everyone knows, Office 365 protects its users from spam and viruses with the Forefront Online Protection for Exchange suite, or FOPE. FOPE is also offered as a standalone option for customers looking to host their scanning in the Cloud. For those of you not familiar with FOPE and its features, I’d like to review them at a very high level. After that, I will review the differences in features and functionality between FOPE Standalone and the various O365 versions.

Virus Protection –

FOPE provides a layered virus protection system that uses multiple scanning engines on both the inbound and outbound messages for your organization. FOPE uses the Kaspersky, Symantec and Authentium AV engines and always uses ALL THREE when scanning messages. This is important because not all virus definitions are updated at the same time. FOPE servers query for virus definition updates every 15 minutes so if Symantec finds a new virus and releases a virus definition update against it but the other engines haven’t, FOPE customers don’t have to worry because their message will hit the Symantec scanner. In addition to the multi-level engine scanning, there are teams of FOPE engineers that are constantly monitoring virus outbreaks who write sophisticated policy rules that are applied to detect threats. These rules are published to the FOPE global network every 2 hours.

Another little nugget of information is related to the Microsoft Virus SLA with FOPE. It states they protect against 100% of known viruses!

Spam Protection –

Once again FOPE uses a layered Spam protection system that utilizes multiple scanning engines on both inbound and outbound messages. The edge (read, first line of defense) uses various methods such as:

  • IP Reputation – Blocks about 90% of inbound junk
  • Connection Analysis – This evaluates the server attempting to connect; any nonstandard connection requests that deviate from RFC standards are dropped
  • Reputation Analysis – This pulls from Microsoft’s many partners a comprehensive list of abusive domains and blocks them from attacking

If the message makes it through the edge it is further evaluated on the following criteria:

  • Custom spam filtering options – These are configured by the administrators for such things as obscene graphics or words, or sensitive information such as SSNs or CC information
  • IP-Based Authentication – This process authenticates the sender of each message and uses SPF (Sender Policy Framework) to protect against domain spoofing
  • Fingerprinting – This is the process of looking for known spam characteristics and fingerprinting those characteristics. The fingerprint database is an aggregate from the entire FOPE system and as messages are sent through the system they are marked as spam if they meet these fingerprint characteristics.
  • Rule Based Scoring – This is the process of scoring each message based on its content. Legitimate characteristics lower the score while spam characteristics bring the score up. As the message is scored if it reaches a certain threshold it is marked as spam.
  • NDR Backscatter Mitigation – NDR backscatter refers to the many messages received when an email address is forged as the sender of spam. FOPE ASF rules help block backscatter.

“That is all well and good, but how effective is it?”

I am glad you asked! Out of the box, FOPE is 98% effective at blocking spam, a score that can be increased by tweaking the additional spam filtering capabilities within FOPE. FOPE also has a false positive ratio of approximately 1 in 250,000; that is, .0004% of messages are falsely tagged as spam.

Now that we covered what FOPE does let’s take a look at what administrators can do within the FOPE console.

FOPE can be accessed through the Office 365 Portal for enterprise customers or by directly accessing One key area to point out is directly off of the main page, if you click the ‘configuration’ tab you get a list of all the FOPE servers. If you are planning on a hybrid solution or migration from an on-premises organization you will need these IPs.

From the administration tab you have the option to configure your smart host connectors for inbound and outbound connections. The specific configuration of these connectors in a hybrid environment is covered in the Exchange Deployment Assistant guide. Another possible use for this is a scenario I have run into a few times. If you have an existing hosted spam appliance you can continue to use it, forward to FOPE and back out. Granted this is a ridiculous amount of spam protection, but I have run into the scenario where my client doesn’t want to immediately dump their hosted spam filter. If this is the case, it is a supported option.

The area where you would spend most of your time is the Policy tab. Here you can create custom policies by clicking ‘New Policy Rule’ and configuring the various options. If, for example, you wanted to reject all inbound messages from a specific IP, or block all outbound messages with an SSN in the body, this would be the place to do it.

Finally the filters tab allows you to import custom dictionaries. This is basically a CSV file that contains specific keywords, IP addresses, extensions, etc. you want to apply to a rule. This is commonly used in a scenario where you have a long list of blocked users or IP addresses from a previous host that you want to import into FOPE. First you export the list to CSV from your previous host, then come into the filter section and import the list, create a new rule in the policies tab and link it to your library.
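What the two example rules above (reject inbound mail from listed IPs, block outbound mail containing an SSN) and an imported dictionary amount to, as an added Python sketch that is not FOPE's code. The CSV column layout, the sample entries and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress
import re

# Constructed dictionary export; the column layout is an assumption, not FOPE's format.
DICTIONARY_CSV = """type,value
ip,203.0.113.0/24
ip,198.51.100.7
keyword,wire transfer
"""

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def load_dictionary(text):
    """Split the imported list into IP networks and lowercase keywords."""
    nets, words = [], []
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] == "ip":
            nets.append(ipaddress.ip_network(row["value"], strict=False))
        elif row["type"] == "keyword":
            words.append(row["value"].lower())
    return nets, words

def has_ssn(body):
    """True if the body holds an SSN-shaped number in an issuable range."""
    for area, group, serial in SSN_RE.findall(body):
        # Never issued: area 000, 666, 900-999; group 00; serial 0000.
        if area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000":
            return True
    return False

def evaluate(direction, source_ip, body, nets, words):
    """Apply the inbound dictionary rule or the outbound SSN rule."""
    if direction == "inbound":
        ip = ipaddress.ip_address(source_ip)
        if any(ip in net for net in nets):
            return "reject: source IP in dictionary"
        if any(word in body.lower() for word in words):
            return "reject: keyword in dictionary"
    elif direction == "outbound" and has_ssn(body):
        return "block: SSN in body"
    return "allow"

if __name__ == "__main__":
    nets, words = load_dictionary(DICTIONARY_CSV)
    print(evaluate("inbound", "203.0.113.45", "hello", nets, words))
    print(evaluate("outbound", "192.0.2.1", "Employee SSN: 123-45-6789", nets, words))
```

Filtering out the never-issued SSN ranges keeps nine-digit ticket or order numbers from tripping the outbound rule as often.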

The ‘My Reports’ tab allows you to create and schedule report delivery for various topics such as:

  • E-mail traffic report
  • Top Virus report
  • Deferral report
  • Top Users report

Finally the ‘tools’ tab allows you to do searches for any message by entering a source and destination recipient. One side can be vague by specifying a domain name, but the other side must be a specific email address.

Now, the Standalone version has much more control than the O365 offerings. One key area that is different is the user quarantine. In the standalone version users each have their own quarantine; messages that are tagged as possible spam go into these quarantines, and a digest email is sent to the user notifying them to check their quarantine. However, in Office 365 this feature is NOT AVAILABLE. Rather than providing a quarantine, all email is evaluated for a Spam Confidence Level, and based on that score it is processed by Forefront. There are three levels that messages are filtered on:

  • Level 0 – This means the email is considered valid and is sent on without an X-Header
  • Level 6 – This means that Forefront identified the email as spam during the scan, and assigned it a score of 6 as a result. FOPE then stamps the email with the header ‘X-Header: X-FOSE-spam’ that tells your local copy of Outlook or OWA that this email is spam, and to filter it to the Junk E-Mail folder as a result.
  • Level 9 – This is considered dangerous email, indicating that it likely contains a virus or is spam of a particularly harmful nature, like a phishing email. These messages are deleted by Forefront and are neither quarantined nor sent to your email (this actually applies to all messages with a spam score of 7 or higher).

In order for mail to end up in your junk filter your Outlook client must have junk filtering enabled. No additional configuration is required on the users’ side.
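Rule-based scoring and the three Spam Confidence Level outcomes described above, combined in one added Python sketch that is not FOPE's code. The rules, their weights, the raw-score cut-offs, the header value and the sample messages are all constructed assumptions; only the levels 0, 6 and 9, the deletion of anything scoring 7 or higher, and the X-FOSE-spam header name come from the text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

# Hypothetical rules (name, weight, test); positive = spam trait, negative = legitimate trait.
RULES = [
    ("urgent_subject", 4, lambda m, b: bool(re.search(r"urgent|verify your account", m["Subject"] or "", re.I))),
    ("raw_ip_link", 5, lambda m, b: bool(re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", b))),
    ("reply_to_mismatch", 3, lambda m, b: bool(m["Reply-To"]) and domain(m["Reply-To"]) != domain(m["From"])),
    ("reply_in_thread", -3, lambda m, b: bool(m["In-Reply-To"])),
]

def score(msg):
    body = "" if msg.is_multipart() else msg.get_payload()
    return sum(weight for _, weight, test in RULES if test(msg, body))

def to_scl(raw):
    # Assumed cut-offs on the raw score; the page only names the resulting levels.
    return 9 if raw >= 10 else 6 if raw >= 5 else 0

def process(raw_text):
    msg = message_from_string(raw_text)
    scl = to_scl(score(msg))
    if scl >= 7:
        return "deleted", scl, None            # neither quarantined nor delivered
    if scl == 6:
        msg["X-FOSE-spam"] = "constructed example value"
        return "junk", scl, msg                # client junk filter acts on the header
    return "inbox", scl, msg                   # no X-header stamped

def make(headers, body):
    return "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n\n" + body

# Constructed sample messages
LEGIT = make({"From": "alice@example.com", "Subject": "Re: urgent budget fix",
              "In-Reply-To": "<1@example.com>"}, "See attached.")
SPAM = make({"From": "promo@example.net", "Reply-To": "sales@example.org",
             "Subject": "Urgent offer"}, "Buy now.")
PHISH = make({"From": "support@example.com", "Reply-To": "help@example.org",
              "Subject": "Verify your account"}, "Log in at http://192.0.2.10/login")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPAM", SPAM), ("PHISH", PHISH)):
        print(name, process(raw)[:2])
```

The LEGIT sample trips the "urgent" rule but stays in the inbox because the in-thread reply trait pulls its score back down, which is the lowering effect the Rule Based Scoring bullet describes.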

Now, not all the features are available for O365 customers, especially in the Small Business or ‘P’ plan. Below is a matrix of what features are, and more importantly, are not available depending on the version of Office 365 you purchase.

| Product | FOPE Administration Center Access | FOPE Admin Center Login Method | Use FOPE Admin Center to Configure Domains and Change IP Addresses | Virus Scanning, Edge Blocking, Anti-Spam, Message Hygiene | Use FOPE Connectors to Set Up Smart Hosts, Safe Lists, Shared Address Space, Force TLS | Directory Synchronization Method |
|---|---|---|---|---|---|---|
| FOPE Standalone | Yes | FOPE credentials | Yes | Yes | Yes for certain scenarios | FOPE Directory Sync Tool |
| Microsoft Office 365 for professionals and small businesses | No | Not available | No | Yes | | |
| Microsoft Office 365 for enterprises | Yes | Single Sign on via FOPE link on Mail Control tab of Exchange Control Panel | No | Yes | Yes for all scenarios | Office 365 Directory Synchronization Tool |
