Exchange 2003 SP2 Promises Better Security, Alternative to SMS

by Alex Woodie

Organizations running Exchange Server 2003 can expect better protection against spam and phishing attacks, improvements to mobile e-mail, and advanced mailbox features with the next release of the e-mail and collaboration server, Exchange Server 2003 Service Pack 2 (SP2), which is due out later this year. Microsoft provided a peak at these features by posting a downloadable community technology preview (CTP) release of SP2 on its Web site last week.

Exchange Server 2003 SP2 should help administrators in their on-going battle against spam by incorporating an updated version of Microsoft's Intelligent Message Filter. This filter utilizes the "SmartScreen" technology, which was developed by Microsoft Research and tested on hundreds of thousands of MSN Hotmail accounts, to identify and block spam at the gateway or at the mailbox store. The updated version of the filter enables Exchange Server 2003 SP2 to better identify spam, reduce false positives, and identify suspected phishing attacks, Microsoft says. The Intelligent Message Filter was added with the first service pack last year (see Microsoft Takes on Spam with Exchange Server 2003 SP1").

Users will also be better equipped to thwart e-mail phishing and spoofing schemes through new support for the Sender ID e-mail authentication protocol in Exchange Server 2003. Sender ID works by verifying the IP address of the e-mail sender against the purported owner of the sending domain, Microsoft says. The result of the Sender ID check is used as input to the Exchange Intelligent Message Filter, which can then either block the message or let it go through.

While spam levels have dropped, phishing levels have risen, according to IBM's monthly "Global Business Security Index" for August. Based on the IBM index, the ratio of spam to legitimate e-mail decreased from 83 percent in January to 67 percent in June 2005. However, IBM has seen a resurgence of targeted phishing attacks for money laundering and identity fraud purposes.

The new wave of phishing attacks is "believed to be largely driven by criminal gangs that have become more astute in the creation and delivery of such attacks," IBM said in its report, a summary of which is available here. The most common targets of these attacks were the government, financial services, manufacturing, and healthcare industries, Big Blue says.

Exchange Server 2003 SP2 also brings non-security-related enhancements, including new ways to send e-mails and collaborate with mobile Outlook users. With this release, Microsoft introduces its new "Direct Push" technology as a way to send e-mail, calendar, contact, and task notifications from Exchange Server to mobile devices.

Direct Push relies on HTTP, will work over 802.11 Wi-Fi networks, and provides an alternative to the Short Message Service (SMS) protocol available on GSM cell phone networks, according to the Redmond, Washington, software behemoth. The technology will work with the mobile devices from manufacturers that have licensed the Exchange ActiveSync protocol, Microsoft says, including Palm, Motorola, Nokia, and Symbian).

Other areas Microsoft has worked on with Exchange Server 2003 SP2 include data compression, adding new Outlook properties such as task synchronization, new security and password policy settings, optional support for certificate-based authentication, support for Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption with mobile devices, and increasing the storage limit for Exchange Server 2003 Standard Edition with SP2 to 75GB.

However, not all of the new features in SP2 will be available right away. Some of the security features will only work with Outlook 2003 SP2, which is not expected to be released until later this year, or possibly until early 2006.

Microsoft is also reminding people that Exchange Server 2003 SP2 is just a CTP and should not be used in full production. For more information on the release and links to download the CTP, go to www.microsoft.com/exchange/downloads/2003/sp2/overview.mspx.