Protocol Analysis Test

The Protocol Analysis / Sender Reputation agent is an anti-spam agent that is enabled on computers that are running Exchange 2007/2010 that have the Edge Transport server role installed. The Sender Reputation agent can block messages according to many characteristics of the sender. The Sender Reputation agent relies on persisted data about the sender to determine what action, if any, to take on an inbound message.

The Sender Reputation Level (SRL) is a number between 0 and 9 that predicts the probability that a specific sender is a spammer or malicious sender. A value of 0 indicates that the message is not likely to be spam. A value of 9 indicates that a message is likely to be spam. You can configure the threshold for sender blocking by SRL. This SRL block threshold defines the SRL value that must be exceeded for sender reputation to block a sender. If a sender's SRL is equal to or greater than the SRL block threshold, that sender is added to the IP Block list for a period of 0 to 48 hours. The default is 24 hours.

This test monitors the activities of the Sender Reputation agent and reveals how many senders were blocked, and for what reason.

Target of the test : A server configured with the Edge Transport role

Agent deploying the test : An internal agent

Outputs of the test : One set of results for the Edge Transport server being monitored.

Configurable parameters for the test
Test Period : How often the test should be executed.

Host : Indicates the IP address of the Edge Transport server.

Port : The port number of the Edge Transport server. By default, this is 50389.

Measurements made by the test
Each measurement is listed with its description, measurement unit and interpretation.

Senders processed

Description : Indicates the number of senders who were scanned for reputation level during the last measurement period.

Measurement unit : Number

Senders blocked due to a local open proxy

Description : Indicates the number of senders who were blocked because of a local open proxy check during the last measurement period.

Measurement unit : Number

Interpretation : One of the characteristics that sender reputation evaluates is the result of a test for open proxy servers. Frequently, spammers route messages through open proxy servers on the Internet. By routing spam through open proxy servers, spammers can send messages that appear to originate from a different server than their own.

A non-zero value for this measure indicates that one or more senders were blocked because a local open proxy server was detected.

Senders blocked due to a remote open proxy

Description : Indicates the number of senders who were blocked because of a remote open proxy check during the last measurement period.

Measurement unit : Number

Interpretation : One of the characteristics that sender reputation evaluates is the result of a test for open proxy servers. Frequently, spammers route messages through open proxy servers on the Internet. By routing spam through open proxy servers, spammers can send messages that appear to originate from a different server than their own.

A non-zero value for this measure indicates that one or more senders were blocked because a remote open proxy server was detected.

Senders blocked due to local sender reputation level

Description : Indicates the number of senders who were blocked because of a local sender reputation level (SRL) threshold violation during the last measurement period.

Measurement unit : Number

Interpretation : A high value for this measure indicates that many local senders violated the reputation level threshold. If the number is unreasonably high, you might want to review your SRL block threshold configuration. By default, the SRL threshold value is 7. Use caution when you set the SRL threshold. A threshold that is too low may unintentionally block legitimate senders. A threshold that is too high may not block malicious senders or spammers.

Senders blocked due to remote sender reputation level

Description : Indicates the number of senders who were blocked because of a remote sender reputation level (SRL) threshold violation during the last measurement period.

Measurement unit : Number

Interpretation : A high value for this measure indicates that many remote senders violated the reputation level threshold. If the number is unreasonably high, you might want to review your SRL block threshold configuration. By default, the SRL threshold value is 7. Use caution when you set the SRL threshold. A threshold that is too low may unintentionally block legitimate senders. A threshold that is too high may not block malicious senders or spammers.
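
One way to carry out the SRL block threshold review suggested above, as an added example that is not part of the original page or of the monitoring product. Test-SrlConfig is a hypothetical helper name; it reads the SrlBlockThreshold, SenderBlockingPeriod, OpenProxyDetectionEnabled and Enabled properties returned by the Exchange Get-SenderReputationConfig cmdlet, and the sample object is constructed so the block also runs away from an Edge Transport server.

```powershell
# Added example. Test-SrlConfig is a hypothetical helper name, not an Exchange cmdlet.
# The defaults and range below are the ones stated on this page.
$DefaultSrlThreshold   = 7    # default SRL block threshold
$DefaultBlockingPeriod = 24   # default blocking period, in hours
$MaxBlockingPeriod     = 48   # upper end of the 0 to 48 hour range

function Test-SrlConfig {
    param(
        [Parameter(Mandatory = $true)]
        $Config   # Get-SenderReputationConfig output, or an object with the same properties
    )
    $findings = @()

    if (-not $Config.Enabled) {
        $findings += 'Enabled is False: sender reputation is turned off on this server.'
    }
    if (-not $Config.OpenProxyDetectionEnabled) {
        $findings += 'OpenProxyDetectionEnabled is False: senders are not tested for open proxies.'
    }

    # Threshold review: compare against the SRL range and the default.
    $srl = [int]$Config.SrlBlockThreshold
    if ($srl -lt 0 -or $srl -gt 9) {
        $findings += "SrlBlockThreshold $srl is outside the 0 to 9 SRL range."
    } elseif ($srl -lt $DefaultSrlThreshold) {
        $findings += "SrlBlockThreshold $srl is below the default of $DefaultSrlThreshold; legitimate senders may be blocked."
    } elseif ($srl -gt $DefaultSrlThreshold) {
        $findings += "SrlBlockThreshold $srl is above the default of $DefaultSrlThreshold; spammers may not be blocked."
    }

    # Blocking period review: how long a blocked sender stays on the IP Block list.
    $hours = [int]$Config.SenderBlockingPeriod
    if ($hours -lt 0 -or $hours -gt $MaxBlockingPeriod) {
        $findings += "SenderBlockingPeriod $hours is outside the 0 to $MaxBlockingPeriod hour range."
    } elseif ($hours -ne $DefaultBlockingPeriod) {
        $findings += "SenderBlockingPeriod is $hours hours (default is $DefaultBlockingPeriod)."
    }
    $findings
}

# Constructed sample standing in for Get-SenderReputationConfig output.
$sample = New-Object PSObject -Property @{
    Enabled = $true; OpenProxyDetectionEnabled = $false
    SrlBlockThreshold = 4; SenderBlockingPeriod = 24
}
Test-SrlConfig -Config $sample
# On an Edge Transport server, in the Exchange Management Shell:
# Test-SrlConfig -Config (Get-SenderReputationConfig)
```

An empty result means the settings match the defaults described on this page; the findings only flag deviations and do not decide whether a deviation is appropriate for your mail flow.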