Exchange 2007 Anti Spam Migration Tool

How to use the Anti Spam Migration Tool to migrate anti-spam settings from Exchange 2003 to Exchange 2007.
Rui Silva photo

Introduction

Exchange Server 2003 introduced some native anti-spam capabilities that helped Systems Administrators to reduce unwanted commercial email (UCE), viruses and malware in general. These features included:

  • Real-Time Block List Service Provider Support
  • Global Deny and Accept Lists
  • Sender Filtering
  • Inbound Recipient Filtering
  • Improved Ability to Restrict Submissions to and Relaying on an SMTP Virtual Server
  • Integration with Outlook 2003 and Outlook Web Access Block and Safe Lists
  • Exchange Intelligent Message Filter (SP2)

Although these configuration settings are stored in Active Directory, they aren’t directly migrated to Exchange Server 2007 if you decide to implement this new version. But worry not, the Anti Spam Migration Tool can deal with this fairly huge amount of information. It reads these settings from Active Directory and converts them to the equivalent Windows PowerShell script, consisting of Exchange 2007 tasks, which can then be run on the Edge Transport or Hub Transport roles of Exchange Server 2007.

Read the following table for a list of the migration settings the tool supports.

Connection Filtering
  • Global Accept and Deny List Configuration - The tool converts accept and deny list entries to corresponding Exchange 2007 IPAllowListEntry and IPBlockListEntry tasks respectively. For each accept or deny list entry, there is an Add-IPAllowListEntry or Add-IPBlockListEntry task written to the output script.
  • Block List Service Configuration - The tool converts each block list service to corresponding Exchange 2007 Add-IPBlockListProvider task
  • Exception list to block list service rules – This is converted to BypassedRecipients parameter on the IPBlockListProvidersConfig object using Set-IPBlockListProvidersConfig task

Recipient Filtering
  • Filter recipients who are not in the directory - This is converted to RecipientValidationEnabled parameter on RecipientFilterConfig object using Set-RecipientFilterConfig task
  • Block messages that are sent to recipients – This is converted to BlockListEnabled and BlockedRecipients parameter on RecipientFilterConfig object using Set-RecipientFilterConfig task

Sender Filtering
  • Filter messages with blank sender - This is converted to BlankSenderBlockingEnabled parameter on SenderFilterConfig object
  • Drop connection if address matches filter - This is not converted as it is not supported in Exchange Server 2007
  • Archive filtered messages - This is not converted as it is not supported in Exchange Server 2007
  • Accept messages without notifying sender of filtering - This is not converted as it is not supported in Exchange Server 2007
  • Block messages from senders - This is converted to BlockedSenders, BlockedDomains, BlockedDomainsAndSubdomains and Action parameters on SenderFilterConfig object using Set-SenderFitlerConfig task.

Sender ID Filtering
  • Sender ID validation failure action - This is converted to SpoofedDomainAction parameter on SenderIdConfig object using Set-SenderIDConfig task

Intelligent Message Filtering
  • Gateway Blocking Configuration - This is converted to one of the three SCL thresholds and one of the three SCL enabled parameters on ContentFilterConfig object using Set-ContentFilterConfig task. For example, if the SCL threshold is set to 6 and the action is set to Delete, then the corresponding task is
    Set-ContentFilterConfig -SCLDeleteThreshold:6 -SCLDeleteEnabled:$true -SCLQuarantineEnabled:$false -SCLRejectEnabled:$false
  • Custom Weight Entries - In Exchange Server 2003, these entries are specified in an XML file MSExchange.UceContentFilter.xml which resides where the Intelligent Message Filter DAT file resides. In order to migrate these entries, the tool can be invoked with a switch that allows you to specify the location of this file. It then reads these entries and converts each of them to Add-ContentFilterPhrase task. 

General settings
  • Perimeter IP List and Internal IP Range Configuration - This is converted to InternalSMTPServers parameter on the TransportConfig object using Set-TransportConfig task
Table 1

Installation

Before installing the tool, ensure that you meet all the requirements:

  • Supported Operating Systems: Windows Server 2000, Windows Server 2003;
  • Microsoft .NET Framework 1.1 or higher;
  • The account under which this tool is run needs to have read rights to AD configuration container and read access to MSExchange.UCEContentFilter.xml.

Installing the tool is as easy as:

  1. Download Exchange 2007 Anti Spam Migration Tool
  2. Run Exchange2007AntiSpamMigration.msi, it will extract the tool and documentation to the target folder (by default C:\Program Files\Exchange2007AntiSpamMigration\)

The tool doesn’t add any icons to your start menu, so you’ll have to run it from the command line. The usage is as follows:

Exchange2007AntiSpamMigration [/f:<full path to custom words file>] [/o:<outputfile name>] [/?]

 /f:      Optional full path to MSExchange.UCEContentFilter.xml file. If not specified, custom words or phrases are not migrated.

 /o:      Optional output file name. If not specified, output is written to MigratedSettings.ps1 in current directory.

 /?       Displays usage.

Exporting Anti-Spam Settings

In order to test and run the tool, I had to populate the anti-spam settings of my Exchange 2003 environment, so I just added some values that could be migrated later. The next pictures illustrate the settings of the Exchange 2003 environment.


Figure 1: Perimeter IP List


Figure 2: Sender Filtering


Figure 3: Connection Filtering


Figure 4: Recipient Filtering


Figure 5: Intelligent Message Filtering


Figure 6: Sender ID Filtering

After filling the Exchange 2003 anti-spam settings with some random values, I just run the tool. The result is a PowerShell script as you can see in Figure 8.


Figure 7: Running the tool


Figure 8: Output file

In my test environment I only had one single Exchange Server 2007, with 3 roles: Client Access, Mailbox and Hub Transport.

Because Hub Transport servers only need to perform anti-spam functions when there is no Edge Transport server to perform this function, this is a feature that is not enabled by default (Figure 9). Adding this functionality to your Hub Transport servers is a pretty simple process. Just launch the Exchange Management Shell and in the Scripts folder that was created (C:\Program Files\Microsoft\Exchange Server\Scripts\install-AntispamAgents.ps1)), you will find a PowerShell script to install the Anti-spam agents.

Once you complete these steps, you will see the Anti-spam tab enabled in the Exchange Management Console (Figure 11).


Figure 9: Hub Transport without Anti-spam tab


Figure 10: Install Anti-spam Agents


Figure 11: Hub transport with Anti-spam tab

So, now that we have a Hub Transport server with anti spam agents enabled, we just have to run the output script from the Anti Spam Migration Tool (Figure 12). As you can see in the following figures, all the settings have been successfully imported.


Figure 12: Running the tool to import settings


Figure 13: Recipient Filtering


Figure 14: IP Block List Providers


Figure 15: Sender Filtering


Figure 16: Recipient Filtering

Conclusion

Exchange Server 2007 offers some advanced anti-spam features. If you’re transitioning from Exchange 2003 to the current version, you’ll find this tool of extreme value.

The output script in PowerShell will take into account most of the previous settings and it makes the migration a pretty straightforward process. As a curiosity, I can tell you that the Exchange organizations in the example I gave you weren’t even in the same forest, so one can assume that the tool will work for the most complex scenarios.

Related Links

A tool to migrate anti-spam settings from Exchange 2003 to Exchange 2007

Exchange 2007 Anti Spam Migration Tool

Approaches to Fighting Spam in an Exchange Server Environment

About Rui Silva

Rui Silva photo Rui Silva is a Senior Consultant, working mainly with Microsoft Technologies at Unisys Portugal. He is MCDBA / MCSA / MCSE:Messaging / MCSE:Security certified and has been recognized as a Microsoft MVP for Exchange Server, due to his contributions to several technical forums. Rui spends some of his (little) free time updating the Exchange dedicated blogs http://blogs.msexchange.org/silva, http://msmvps.com/ehlo (in English) and http://ehlo.blogspot.com (in Portuguese). But because he has a passion for writing, he authors some technical articles, as seen at this site, and he has a permanent work-in-progress project for a Portuguese Exchange Server book.

Click here for Rui Silva's section.

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on MSExchange.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the MSExchange.org Monthly Newsletter, written by Exchange MVP Henrik Walther, containing news, the hottest tips, Exchange links of the month and much more. Subscribe today and don't miss a thing!



Receive all the latest articles by email!

Receive Real-Time & Monthly MSExchange.org article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become an MSExchange.org member!

Discuss your Exchange Server issues with thousands of other Exchange experts. Click here to join!

Solution Center

Readers' Choice

Which is your preferred Exchange Server Migration solution?