Service Description for Microsoft Forefront Online Protection for Exchange
Published: March 2011
Summary: Microsoft offers fully hosted email protection and message management services to
enterprises worldwide. Microsoft® Forefront® Online Protection for Exchange runs on a globally
distributed network of data centers through which it provides managed anti-spam, antivirus, and
policy enforcement services to help create a secure, protected, and compliant message stream.
This technical overview provides information about the Forefront Online Protection for Exchange
service, along with the administrative controls and reporting capabilities that are built into the
hosted service system.
Copyright
This document is provided “as-is”. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2011 Microsoft Corporation. All rights reserved.
2
Contents
Introduction ................................................................................................................................ 5
Global Network .......................................................................................................................... 5
Filtering Service ......................................................................................................................... 6
Service Level Agreements (SLAs) .......................................................................................... 7
Antivirus Service ........................................................................................................................ 7
Layered Defenses Against Viruses ......................................................................................... 7
Real-time Threat Response ................................................................................................ 8
Fast Antivirus Signature Deployment .................................................................................. 8
Anti-spam Service ...................................................................................................................... 8
Layered Defenses Against Junk Email ................................................................................... 8
IP Reputation Blocking ........................................................................................................ 9
Connection Analysis ........................................................................................................... 9
Reputation Analysis ............................................................................................................ 9
Junk Email Protection ............................................................................................................. 9
Additional Spam Filtering (ASF) Options ............................................................................. 9
IP-based Authentication .....................................................................................................10
Fingerprinting .....................................................................................................................10
Non-Delivery Receipt (NDR) Backscatter Mitigation ...........................................................10
Rules-based Scoring ..........................................................................................................11
Outbound Spam Filtering .......................................................................................................12
Accuracy and Effectiveness ...................................................................................................12
Accuracy ............................................................................................................................12
Effectiveness .....................................................................................................................13
Junk Mail Management..........................................................................................................13
Spam Quarantine ..................................................................................................................13
Reviewing Spam in Quarantine ..........................................................................................14
Policy Enforcement ...................................................................................................................15
Message Handling .................................................................................................................16
Phishing and Spoofing Prevention .....................................................................................16
Extension Blocking.............................................................................................................17
3
Custom Policy Rules Filters ...............................................................................................17
Directory-Based Edge Blocking Service ....................................................................................17
Message Reject .....................................................................................................................17
Reject Test ............................................................................................................................18
Pass Through ........................................................................................................................18
Passive ..................................................................................................................................18
Virtual and Parent Domains ...................................................................................................18
Group Filtering ...................................................................................................................19
Intelligent Routing ..............................................................................................................19
Inbound Address Rewrite ...................................................................................................19
Directory Synchronization Tool for Directory Services Automation ........................................19
Automatic Spooling ...................................................................................................................21
Service Experience ...................................................................................................................21
Deployment ...............................................................................................................................21
Administration ...........................................................................................................................22
System Requirements ...........................................................................................................23
Enhanced Email Routing Scenarios ..........................................................................................24
FOPE Administration Center Differences ..................................................................................25
Reporting and Analytics ............................................................................................................25
Message Trace .........................................................................................................................27
Audit Trail..................................................................................................................................28
Customer Support .....................................................................................................................29
Assistance at Your Fingertips ................................................................................................29
Announcements and Notifications .........................................................................................29
Customer Support for Exchange Online customers ...............................................................30
Customer Support for Standalone customers ........................................................................30
To Use the Get Help Now Option .......................................................................................30
Accelerate Time to Value with Implementation Project Managers (IPMs) ...........................30
Customer Support for Microsoft Premier Support Subscribers ...............................................31
Conclusion ................................................................................................................................31
4
Introduction
Electronic messaging is mission critical but remains vulnerable to a growing array of threats.
Viruses, worms, denial-of-service attacks, spam, and the need to satisfy a growing set of
regulatory requirements all make effective message management increasingly difficult.
Microsoft Forefront Online Protection for Exchange is a fully hosted service for inbound and
outbound emails that can provide your organization with a frontline defense against spam,
malware, and policy violations. Because it is a hosted solution, it also helps to simplify the
management of your email environment and alleviates the burdens of software and hardware
maintenance.
Forefront Online Protection for Exchange can be used in a stand-alone environment to protect
mail for customers using any SMTP mail transfer agent on their premises. Forefront Online
Protection for Exchange is also the default messaging security solution for Exchange Online
customers. Unless otherwise specified in the document, this document describes the features
of Forefront Online Protection for Exchange for both stand-alone and Exchange Online
customers.
Global Network
Forefront Online Protection for Exchange is powered by a global network of data centers based
on a fault-tolerant and redundant architecture and is load-balanced both site-to-site and within
each data center. These datacenters are physically located worldwide. If a data center suddenly
becomes unavailable, traffic is automatically routed to another data center without any
interruption in service. Thousands of email servers across the network of data centers can
accept email on your organization’s behalf, providing a layer of separation between your servers
and the Internet. Furthermore, Microsoft algorithms analyze and route message traffic between
data centers to ensure the most timely and efficient delivery. Through this highly available
network, Microsoft is able to deliver on its service level agreement of 99.999 percent uptime.
This approach, built on a distributed server and software model, has proven successful in
helping protect corporate networks and email servers from common threats, such as worms,
denial-of-service attacks, directory harvest attacks, dictionary attacks, and other forms of email
abuse.
All messages processed by Forefront Online Protection for Exchange are encrypted using
Transport Layer Security (TLS). To help ensure privacy and message integrity, the service
attempts to send and receive email using TLS but will automatically rollover to Simple Mail
Transfer Protocol (SMTP) if the sending or receiving email server is not configured to use TLS.
Organizations can also configure a secure mail flow with trusted partners using Forefront Online
Protection for Exchange connectors. Using connectors, you can configure forced inbound and
outbound TLS using self-signed or CA validated certificates.
5
Filtering Service
Forefront Online Protection for Exchange offers five services that apply a unique blend of
preventive and protective measures to help stop increasingly complex email–borne threats from
infiltrating your organization, enforce your organization’s email policies, and maintain a reliable
messaging environment:





Antivirus Service: Helps protect your organization from receiving email-borne viruses
and other malicious code by using multiple antivirus engines and heuristic detection to
minimize the window of vulnerability during emerging threats.
Anti-spam Service: Helps ensure that unsolicited email is automatically filtered before it
enters your organization’s messaging systems.
Policy Enforcement Service: Provides the ability to custom create highly flexible policy
rules to regulate email flow for compliance purposes.
Directory–Based Edge Blocking Service: Provides the ability to specify all valid users
on a domain or to configure different filtering settings for groups of users within a
domain.
Automatic Spooling: Helps ensure that no email is lost by instantly and automatically
queuing messages for later delivery if the receiving email server is unavailable.
Figure 2: Integrated email security and filtering solution provided by Forefront Online Protection
for Exchange
These services easily interoperate with one another as a package and require little to no
changes to be effective. Without any configuration, Forefront Online Protection for Exchange
blocks more than 98 percent of unwanted email and 100 percent of known viruses, reducing
message traffic and improving the efficiency of your messaging infrastructure. A virus is
6
considered “known” when a FOPE virus scanning engine can detect the virus and the detection
capability is available throughout the FOPE network. Additionally, you do not have to upload or
maintain safelists to achieve this level of accuracy. The network performance and spam and
virus filtering effectiveness of the Forefront Online Protection for Exchange service are
reinforced by financiall backed service level agreements (SLAs).
Service Level Agreements (SLAs)
Forefront Online Protection for Exchange provides comprehensive SLAs that back network
performance and the effectiveness of spam and virus filtering. The SLAs include:




Policy filtering accuracy
Virus detection and blocking: 100 percent protection against all known email viruses
Spam Effectiveness: Capture of at least 98 percent of all inbound spam messages
False positive commitment of fewer than 1 in 250,000 messages
For Forefront Online Protection for Exchange licensed as a standalone service, ECAL suite,
Forefront Protection Suite, or Exchange Enterprise CAL with Services, the following additional
SLAs apply:


Network uptime: 99.999 percent
Email delivery: average delivery commitment of less than one minute
For more information about how each of these SLAs is defined and calculated, visit Microsoft
Volume Licensing (http://go.microsoft.com/fwlink/?LinkId=138884).
The following sections provide an overview of each of the five services and how they work to
help secure your organization’s corporate messaging network.
Antivirus Service
Viruses, worms, and other forms of malware pose significant risk to your organization and can
spread very quickly. At such a rate, there is almost no time to update desktop and gateway
antivirus systems to ensure that your network and systems are protected. However, Forefront
Online Protection for Exchange offers multi-layered virus protection using multiple engines that
is designed to catch 100% of all known viruses.
For Exchange Online customers antivirus scanning is performed by Forefront Protection 2010
for Exchange Server (FPE) on the Exchange Online servers rather than by Forefront Online
Protection for Exchange. This ensures that all inbound, outbound, and internal messages for
Exchange Online customers are scanned for viruses in a consistent manner. The 100 percent
protection against all known email viruses SLA still applies to Exchange Online customers.
Layered Defenses Against Viruses
Forefront Online Protection for Exchange employs a layered approach to offer protection from
both known and unknown threats for inbound and outbound email. Taking advantage of
7
partnerships with many industry-leading providers of antivirus technologies, Forefront Online
Protection for Exchange uses multiple antivirus engines to help protect against viruses and
other email threats. The antivirus engines include powerful heuristic detection to provide
protection even during the early stages of a virus outbreak. The multi-engine approach has
been shown to provide significantly more protection than using only one antivirus engine.
Real-time Threat Response
During some virus outbreaks, the Forefront Online Protection for Exchange anti-malware team
will have enough information about the virus or other form of malware to write sophisticated
rules that detect the threat even before a signature is available from any of the antivirus engines
used by the service. These rules are published to the global network every 2 hours to provide
your organization with an extra layer of protection against attacks.
Fast Antivirus Signature Deployment
The Forefront Online Protection for Exchange team maintains close relationships with partners
who develop antivirus engines, integrating each engine at the application programming interface
(API) level. As a result, the service receives and integrates virus signatures and patches before
they are publicly released, often working directly with the antivirus partners to develop virus
remedies. The service checks for updated virus signatures for all antivirus engines every 15
minutes and applies them to the global filtering network within minutes.
Anti-spam Service
Left unchecked, spam can overwhelm your organization, destroying email productivity and the
benefits of this vital business communication tool. The sheer volume of spam, coupled with
spammer creativity, leaves businesses with no option but to turn to technology to combat this
ever-present threat.
Forefront Online Protection for Exchange defines an electronic message as spam if all of the
following apply:
1. The recipient’s personal identity and context are irrelevant because the message is
equally applicable to many other potential recipients.
2. The recipient has not verifiably granted deliberate, explicit, and still-revocable permission
for the message to be sent.
3. The transmission and reception of the message appears to give a disproportionate
benefit to the sender.
Layered Defenses Against Junk Email
Forefront Online Protection for Exchange achieves enhanced accuracy with proprietary,
multilayer spam technology that helps ensure that unsolicited email is automatically filtered
before it enters your organization’s messaging systems. There is no work or intervention
needed by your users or IT administrators to incorporate the anti-spam technology. This
technology is applied at the domain level or subdomain level; for example, XYZ.COM,
US.XYZ.COM, and UK.XYZ.COM.
8
IP Reputation Blocking
Forefront Online Protection for Exchange IP reputation blocking serves as the first line of
defense against unwanted email and blocks approximately 90 percent of inbound junk email
through connection analysis and reputation analysis.
Connection Analysis
Each connection to the Forefront Online Protection for Exchange network is monitored closely
and evaluated based on the SMTP commands issued by the connecting server. Nonstandard
connection requests that deviate significantly from Request for Comments (RFC) standards and
spoofed connection attempts are immediately dropped, thereby helping to shield your network
from these invalid connection attempts.
Reputation Analysis
Forefront Online Protection for Exchange reputation-based connection blocking employs a
proprietary list that, based on analysis and historical perspective, contains the addresses of the
most egregious spamming sources on the Internet. Through an ongoing partnership with
Windows Live Hotmail, Forefront Online Protection for Exchange aggregates both consumer
and corporate junk email data to populate a comprehensive reputation database. Forefront
Online Protection for Exchange also utilizes IP reputation information from other companies and
ISPs to provide enhanced protection from suspicious IP addresses and botnet attacks.
Spammers often create malicious websites which they use for phishing and to host malware;
Forefront Online Protection for Exchange leverages a variety of sources to quickly update lists
of known malicious URLs and update its content filters to block spam.
Junk Email Protection
If a message passes the Forefront Online Protection for Exchange edge blocking technologies,
it must then pass five additional layers of anti-spam technology: Additional Spam Filtering (ASF)
options, IP-based authentication, fingerprinting, non-delivery backscatter mitigation, and rulesbased scoring.
Additional Spam Filtering (ASF) Options
Many customers want more control over emails that may contain obscene graphics, affect
privacy, or attempt to trick users into disclosing sensitive information. Using filtering flags, ASF
enables you to quarantine messages that contain various kinds of active or suspicious content.
ASF filtering flags include:








9
Image links to remote sites
Numeric IP in URL
URL redirect to another port
URL to .biz or .info websites
Empty messages
JavaScript or VBScript in HTML
Frame or iFrame tags in HTML
Object tags in HTML







Embed tags in HTML
Form tags in HTML
Web Bugs in HTML
Apply Sensitive word list
Sender Policy Framework (SPF) record hard failure
From address authentication failure
Blocking all non-delivery receipts (NDRs) for non-outbound customers
Forefront Online Protection for Exchange uses a rules-based scoring system to add these and
other email characteristics to an overall score, which is used to determine if a message will be
classified as spam. ASF rules give you the ability to explicitly select various content attributes of
a message that either increase the message’s spam score or mark the message as spam if it
contains specific attributes. Each ASF filter can be engaged in test mode to measure its
effectiveness before going live. For more information, see Rules-based Scoring.
IP-based Authentication
Forefront Online Protection for Exchange authenticates the identity of the sender of each
message. If a message cannot be authenticated and the message is determined to be from a
spoofed sender, it is more likely to be scored as spam. The service uses Sender Policy
Framework (SPF), an industry standard that fights return-path address forgery by using SMTP
Mail From identity in email, making it easier to identify spoofs. SPF lookups help verify that the
entity listed as the sender did indeed send the email. For domains sending outbound email
through the filtering network, you can include “spf.messaging.microsoft.com” in your SPF record
as well as your individual outbound email server IP address.
Fingerprinting
When messages contain known spam characteristics, they are identified and “fingerprinted”;
that is, they are given a unique ID based on their content. The fingerprinting database
aggregates data from all spam blocked by the Forefront Online Protection for Exchange system,
which allows the fingerprinting process to become more intelligent and refined as more emails
are processed. If a message with a particular fingerprint passes through the system again, the
fingerprint is detected and the message is marked as spam. The system continually analyzes
incoming messages to determine new spamming methods (such as base64-encoded spam).
The Forefront Online Protection for Exchange spam analysis team updates the fingerprint layer
as new campaigns are detected.
Non-Delivery Receipt (NDR) Backscatter Mitigation
There are a number of causes for a surge in NDRs that might affect your email environment.
For example, one of the email addresses for a domain may be affected by a spoofing campaign
or be the source address for a directory harvest attack. Any of these issues could result in a
sudden increase in the number of NDRs delivered to end users. NDR backscatter, which refers
to the many messages received when an Email address is forged as the sender on spam, is a
side effect of spamming attacks carried out using a spoofed sender address. The forged SMTP
RFC2821 MAIL FROM: address points to a legitimate sender. In the event of a delivery failure,
10
the receiving MTA will send an NDR to the unsuspecting victim referenced on the spoofed Mail
From: address. NDR backscatter is more than an annoyance, because it can carry a malicious
payload and easily trick an unsuspecting recipient into opening it.
For outbound filtering customers, logic is used to help detect NDRs that are legitimate bounce
messages and these are delivered to the original sender without enabling the NDR Backscatter
option in Additional Spam Filtering options. For outbound customers, intelligent detection of
legitimate NDRs is enabled by default. The filter is implemented based on Bounce Address Tag
Validation (BATV) technology in a simple, flexible, and secure way.
Enabling the NDR Backscatter option in the Additional Spam Filtering Options in Forefront
Online Protection for Exchange will filter all inbound NDR messages regardless of whether the
customer is using outbound filtering, and regardless of whether the NDR is legitimate.
Rules-based Scoring
Forefront Online Protection for Exchange scores messages based on more than 20,000 rules
that embody and define characteristics of spam and legitimate emails. Points are added to the
score if a message contains characteristics of spam; points are subtracted if it contains
characteristics of legitimate emails. When a message’s score reaches a defined threshold, the
message is flagged as spam. Message characteristics that Forefront Online Protection for
Exchange evaluates and scores include:








Phrases in the body and subject of the message, including URLs
HTTP obfuscation
Malformed headers
Email client type
Formation of headers (i.e., Message-ID, Received, random characters)
Sending email server
Sending email agent
From and SMTP From address
The current rules are modified and new rules are added as needed many times a day, every
day, by the spam team.
Bulk Mail Filtering
Forefront Online Protection for Exchange (FOPE) identifies inbound bulk mail (such as
advertisements and marketing emails) by marking a stamp in the message headers. FOPE
inserts the X-Forefront-Antispam-Report header into each message it scans. If a message is
identified as a bulk mail message, FOPE inserts SRV:BULK into that header.
Users can create a rule in their local email client (such as Microsoft Outlook) that moves
unwanted mail to their Junk Mail Folder based upon this stamp in the message headers. To
learn how to create a rule in Outlook 2007, see Manage messages by using rules.
11
Administrators can create a rule on their mail server (such as Exchange Server 2007 or 2010)
that moves all mail for all their users to the Junk Mail folder based upon this stamp in the
message headers. To learn how to create Exchange transport rules, see How to Create a New
Transport Rule.
Outbound Spam Filtering
All outbound messages that exceed the spam threshold are delivered through a Higher Risk
Delivery Pool, which is a secondary outbound group of servers used to send messages that
may be of low quality. This secondary pool helps protect the rest of your network from sending
messages that are more likely to result in the sending IP address being blocked.
The use of a dedicated Higher Risk Delivery Pool helps ensure that the normal outbound pool is
only sending emails that are known to be of high quality. The possibility of the Higher Risk
Delivery Pool being placed on a third -party block list remains a risk. This is by design. The
secondary server pool helps reduce the probability of the normal outbound server pool being
added to a third-party block list.
In addition, some third-party email filtering agents will throttle mail where the sending domain
has no address record (A record) and no mail exchange record (MX record). Such outbound
mail, regardless of its spam disposition, is routed through the Higher Risk Delivery Pool.
Accuracy and Effectiveness
Ineffective spam filters frustrate users and expose your organization’s computing environment to
infection and possible data loss. Forefront Online Protection for Exchange simultaneously
delivers high accuracy and effectiveness by both identifying spam and keeping it from reaching
mailboxes on your network. As a result, you can help preserve the integrity of your
organization’s email environment and communications, boosting productivity and improving total
cost of ownership your email system.
Accuracy
False positives are legitimate messages that are incorrectly identified as spam. They can be
either legitimate bulk messages such as newsletters, person-to-person business
communication, or personal messages. Through extensive monitoring, Forefront Online
Protection for Exchange has found that its ratio of false positive messages is smaller than
approximately 1 in 250,000 (0.0004 percent).
Both end users and IT administrators can report false positives by submitting messages, with
full Internet headers, to false_positive@messaging.microsoft.com. They can also report email
abuse by submitting messages, with full Internet headers, to abuse@messaging.microsoft.com.
The spam analysis team examines each message and tunes the filters accordingly to prevent
future occurrences. As a result, the service is constantly updating and refining the spam
prevention and protection processes at a global service level. Any submitted items are
evaluated at the network-wide level.
12
The Microsoft Junk Email Reporting Add-in for Microsoft Office Outlook is an optional tool that
lets users easily report junk email to Microsoft for analysis to help reduce the number and
impact of future junk email messages. The tool is compatible with Microsoft Office Outlook
2007 SP2 and higher and Microsoft Office Outlook 2010. For more information information
about the Microsoft Junk Email Reporting Add-in for Microsoft Office Outlook tool see Junk
Email Reporting Add-in for Microsoft Office Outlook (http://technet.microsoft.com/enus/library/ff898338.aspx).
Effectiveness
Without tuning, Forefront Online Protection for Exchange can block 98 percent of spam directed
towards your domain. However, configuring the ASF options and using policy rules (discussed
in more depth in Policy Enforcement) can allow your organization to further customize spam
filtering according to your needs, which may increase effectiveness.
After the service identifies a message as spam, it manages the message in one of five ways,
depending on your domain settings:





Tags the message with an X-header
Tags the message through a subject line modification; e.g. inserting “<SPAM>” in the
subject line
Redirects the message to a SMTP mailbox
Quarantines and stores for review (default option for standalone customers)
Availble in Exchange Online: sends the messages to your Outlook Junk Email folder
(default option for Exchange Online customers)
Junk Mail Management
For Exchange Online customers, Forefront Online Protection for Exchange sends messages
identified as spam to the end users’ Outlook Junk Email folder by default. This option is
enabled by default because it provides an integrated end user experience in Outlook. End
users do not need to go to a separate web page to manage junk mail. From Outlook or Outlook
Web App, end users can also manage their junk mail and safe and block sender lists. This
option is unavailable for standalone customers.
Spam Quarantine
Spam Quarantine is the most widely used option for storing spam because it relieves corporate
Email servers of the need to process and store this type of Email. Additionally, the Spam
Quarantine option lets users avoid sorting through spam messages, a convenience that
ultimately improves employee productivity. You can also use policy settings to quarantine
messages, so that users can later access the messages if needed. Spam Quarantine is the
default option for standalone customers but is not enabled by default for Exchange Online
customers. Exchange Online customers can enable this option in the Administration Center.
Access to the quarantined emails can be enabled for all users or it can be limited to only
administrators.
13
Reviewing Spam in Quarantine
Forefront Online Protection for Exchange provides a web-based interface for end users to view
spam addressed to their email accounts. Through this interface, users can recover (or salvage)
spam they might want to read, as well as report false positives. Messages quarantined by
Forefront Online Protection for Exchange are stored for 15 days and then, unless an action is
taken on them, they are automatically deleted.
Administrators can enable notifications, which are emailed to users when they receive spam
messages. The format of the message can be one of the following:


Text notification: An email in text format that includes a URL and brief instructions
about how to log in to the spam quarantine and view messages.
HTML interface: An email with an HTML interface, as shown in Figure 3, that gives
users a snapshot of the new spam messages delivered to their spam quarantine
mailboxes. The email will display all new spam messages since either their last
notification or since they logged in to their spam quarantine account. Unlike the textbased email, users can directly manage messages from within this HTML notification
email without logging in to their account.
Figure 3: A sample spam quarantine reminder in HTML
14
Figure 4: The spam quarantine web interface
Policy Enforcement
The third service that Forefront Online Protection for Exchange offers is policy enforcement,
which gives your organization the ability to automatically monitor outbound and inbound email,
stop sensitive or inappropriate messages from leaving and entering the corporate network
based on the parameters you stet up, and allows specific senders to bypass spam filtering
completely. You can create and enforce custom policy rules that are triggered by one or more of
the following attributes:







Words and phrases in the subject and body
Message size
Attachment type
Number of recipients
Sender and recipient addresses and domains
IP address or domain name
Header name and value
You can create and edit policy rules in the Administration Center. You can specify the scope of
the rule, the action the rule takes on a message, and the parameters that trigger the rule. You
can also choose whether a rule will expire.
You can specify the parameters that trigger a policy rule using either comma-separated values
mixed with string-wildcard syntax (listed as “Basic Syntax” in the Administration Center and
product documentation) or you can use a subset of characters specified in the Regular
Expression syntax (listed as “RegEx Syntax”). Using RegEx syntax, you can specify more
complex expressions that match patterns of text, numbers, or special characters.
Additionally, you can create plain text or HTML footers to all outbound Email messages
(including reply messages). Examples of common footers include your company’s name,
15
address, and contact information, or a required legal disclaimer. You can apply this feature at
the domain level (Parent Domains or Virtual Domains).
Message Handling
Forefront Online Protection for Exchange offers many options for handling email that is flagged
by a policy rule, including:









Reject the message
Allow the message
Quarantine the message for review
Redirect the message to an alternate recipient or mailbox
Deliver the message with BCC
Force the use of TLS to deliver the message
Test individual policy rules
Encrypt the message using Exchange Hosted Encryption (available only for EHE
subscribers)
Decrypt the message using Exchange Hosted Encryption (available only for EHE
subscribers)
After a policy rule is enabled, messages that trigger the rule are handled according to the rule
specifications. If you choose to quarantine messages for review, Forefront Online Protection for
Exchange allows either users or administrators to review and release quarantined items at their
discretion.
The service also includes standard bounce options. If an email is rejected or quarantined for not
complying with content and policy rules, you can configure separate custom bounce messages
for the sender, recipient, and administrator.
The service also allows administrators to create policy rules that allow all inbound email from
specified IP addresses (safelists), even if those IP addresses are listed on the Reputation Block
Lists (RBLs) that are used by the service. Multiple IP addresses can be added to a single policy
rule as long as the IP addresses are separated by commas. IP address ranges or Classless
Inter-Domain Routing (CIDR) formatted IP ranges are also supported for this feature.
Phishing and Spoofing Prevention
Policy filtering may be used to defend corporate networks from email attacks and protect end
users’ confidential information. For example, by detecting potential personal information in
emails exiting the organization, you can provide additional anti-phishing protection. The
following regular expressions can be used as parameters that detect the transmission of
personal financial data or information that may compromise privacy:



16
\d\d\d\d\ \d\d\d\d\ \d\d\d\d \d\d\d\d (MasterCard, Visa)
\d\d\d\d \d\d\d\d\d\d \d\d\d\d\d\d (American Express)
\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d (Any 16-digit number)

\d\d\d\-\d\d-d\d\d\d (Social Security Numbers)
Spam and anti-phishing can be prevented by blocking inbound messages that appear to have
been sent from your own domain. You can create a policy rule to reject messages from
yourdomain.com sent to yourdomain.com to block this type of sender forgery.
Important: Create this rule only if you are certain that no legitimate email from your domain is
sent from the Internet to your email server.
Extension Blocking
The policy filter can be used to block or allow different attachment types.
At a minimum, the following extensions should be blocked: EXE, PIF, SCR, and VBS.
For increased protection, we recommend blocking some or all of the following extensions: ade,
adp, ani, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda,
mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, and
wsh.
Custom Policy Rules Filters
By using the Filters repository, you can add and manage large lists of values for multiple policy
rules. These lists of values are called Dictionaries and they can contain IP addresses, domains,
Email addresses, keywords, and file names and extensions that you want to quickly use in
various policy rules. Utilizing these lists can be faster than manually entering hundreds of
keywords or Email addresses in the policy rule editor.
These dictionary files can be imported to the Administration Center in .txt or .csv format. They
can then be associated with a policy rule.
Directory-Based Edge Blocking Service
The fourth service in Forefront Online Protection for Exchange is Directory-Based Edge
Blocking, which is a multifunctional service that improves message handling and routing for
inbound message traffic. Directory-Based Edge Blocking is enabled by default for Exchange
Online customers. For standalone customers the Forefront Online Protection for Exchange
Filtering service normally processes all of the messages that are sent to any SMTP address
within your domain. However, when you enable Directory-Based Edge Blocking and create a list
of legitmate users, the service can block all Email, even messages that appear to be legitimate,
but is sent to Email addresses that are not in your user list.
Directory-Based Edge Blocking can be set to message reject, reject test, pass through, and
passive.
Message Reject
The Message Reject feature rejects all email, including spam and legitimate email, at the
network perimeter for any recipients not on the domain’s user list. Therefore, if a message is
17
received for a recipient that is included on the user list, the message is processed according to
the domain’s settings. If however, a message is received for a recipient who is not included on
the user list, then Forefront Online Protection for Exchange responds with a 554 error message,
which reads as follows:
smtp;554 <badaddress@contoso.com>: Recipient address rejected: Access
denied).
Reject Test
The Reject Test feature validates the accuracy of a user list and is meant to be used for short
periods of time. All email for recipients not on a domain’s user list is redirected to a specific
email address after filtering. Therefore, if a message is received for a recipient on the user list,
the message is processed according to the domain’s settings. If however, a message is
received for someone not on the user list, that message is processed according to the domain’s
settings and delivered to the final email address listed for the domain.
Pass Through
The Pass Through feature makes it possible to define a subset of users who are “opted in” for
service evaluation purposes, while all others by default are “opted out” of all filtering services,
even if all users share the same domain. Therefore, if a message is received for someone
whose name is included on the user list (that is, the end user is “opted in”), the message is
processed according to the domain’s settings. If, however, a message is received for someone
not on the user list (that is, the end user is “opted out”), the message bypasses spam, virus, and
policy filters and is delivered to your organization’s email server directly.
Note: The messages for users who are not present in the Pass Through list do not bypass the
IP Reputation Blocks on the network edge
Passive
Passive mode on a domain allows you to configure Virtual Domains for that domain without
needing to provide a user list for the Parent Domain.
Virtual and Parent Domains
Virtual Domains can be configured in order to provide group filtering, intelligent routing, or
inbound address rewrite. A Virtual Domain is formatted like a subdomain, and can have its own
filtering settings and configurations; however it is not an actual DNS mail domain. Virtual
Domains allow you to apply different configuration settings to users who belong to the same
domain.
The domain to which the Virtual Domain belongs is called its Parent Domain. For example, for a
Parent Domain called contoso.com, you can create a Virtual Domain called
marketing.contoso.com. After creating a Virtual Domain, you can upload a subset of users who
belong to the Parent Domain and then associate them to the Virtual Domain in order to
customize service settings for that group of users. Users who have been assigned to the Virtual
Domain will adhere to the domain settings that are set for the Virtual Domain.
18
Edge blocking options are not available for Virtual Domains. Email for a particular Virtual
Domain is processed for all email addresses that are included in an upload list for that Virtual
Domain, as specified by the settings in the Administration Center. If email is received for an
address that is not listed in the upload list for the given Virtual Domain, it is processed according
to the edge blocking settings for the Parent Domain.
Group Filtering
The Group Filtering feature provides the ability for different groups of users to have their own
set of filtering rules, even if all users share the same domain. For example, your Human
Resources department can have different filtering rules than the IT department. Each user
included in the user list upload is associated with a group name. You can then create a Virtual
Domain and configure it for each group name in the user list.
Intelligent Routing
The Intelligent Routing feature sends SMTP addresses to specific delivery locations based on
group name and association, even if users all share the same domain. For example, the UK
office can receive all mail for UK users at a specific location, one that is different than the
destination for mail sent to U.S. users. As with Group Filtering, each user is associated with a
group, and each group is associated with a Virtual Domain. Each Virtual Domain is then
configured to redirect email to specific servers within the organization.
Inbound Address Rewrite
The Inbound Address Rewrite feature rewrites the recipient addresses for specific users and
delivers messages for those recipients based on the Virtual Domain IP Address Settings. For
example, the HR department at Contoso needs to receive email at hr.contoso.com, even though
the delivery location may be the same as the main contoso.com domain. As in Group Filtering,
each user is associated with a Virtual Domain. Each Virtual Domain is then configured to deliver
email to specific servers within the organization.
Directory Synchronization Tool for Directory Services Automation
The different Microsoft email hosting products use different Directory Synchronization methods.
The following describes the different synchronization methods for each product:
Microsoft Office 365 Beta for enterprises: Use the Office 365 Directory Synchronization Tool.
For more information about the Office 365 Directoy Synchronization Tool see Install the
Microsoft Online Services Directory Synchronization tool (http://onlinehelp.microsoft.com/enus/office365-enterprises/ff652545.aspx).
Live@edu: Use the Outlook Live Directory Synchronization Tool. For more information about
the Outlook Live Directory Synchronization Tool see Implement Outlook Live Directory Sync
(http://help.outlook.com/en-us/140/dd575560.aspx).
Business Productivity Online Suite – Standard and Dedicated: Use the Exchange Online
Directory Synchronization Tool. For more information about the Exchange Online Directory
Synchronization Tool see About Directory Synchronization
19
(http://www.microsoft.com/online/help/en-us/helphowto/56866ae2-a4f9-4c53-8c4c47855951f7b7.htm).
Stand-alone: Use the FOPE Directory Synchronization Tool. For more information about the
FOPE Directory Synchronization, see below.
The FOPE Directory Synchronization Tool is an optional, lightweight application installed in your
on-premises environment with access to your Microsoft Exchange Server. It simplifies the
process of adding users to the service by collecting all valid email addresses from your
organization’s Active Directory and Microsoft Exchange Server messaging environment and
sharing them with Forefront Online Protection for Exchange.
The tool also collects and shares safe senders as defined by end users. Using this feature helps
to even further reduce the possibility of false positives and ensure minimal impact to legitimate
email communication.
Figure 6 shows the components of the directory synchronization process and how it
interoperates with Forefront Online Protection for Exchange.
Figure 6: Flow and component details of the FOPE Directory Synchronization Tool
The synchronization service reads the configuration file (in XML) at the interval specified,
retrieves all SMTP addresses from Active Directory Domain Services (AD DS) for the specified
domains, and sends the list to Forefront Online Protection for Exchange through Secure
Sockets Layers (SSL). Transfer of the address list is contingent upon successful authentication,
which uses the same administrative credentials used to log into the Administration Center. A
web service running on the hosted network accepts the list and feeds the data to the Directory
Services infrastructure, which distributes the list to the service’s data center network every 15
minutes.
20
Automatic Spooling
If your email server becomes unavailable for any reason, Forefront Online Protection for
Exchange helps ensure that no email is lost or bounced. Forefront Online Protection for
Exchange servers spool and queue email for up to five days. After your email server is restored,
all queued email is automatically forwarded in a “flow-controlled” fashion. In cases of extended
downtime, email can be rerouted to another server or made available through a web-based
interface.
The system can be set up to provide deferral threshold notifications in the event that email
cannot be delivered. For each domain in your company, you can set up multiple SMTP
addresses to receive email notifications of delivery delays for email destined for your domain.
Each entry can have its own individual threshold settings. These SMTP addresses must be for
domains outside of the domain being configured.
Figure 7:
Service Experience
Forefront Online Protection for Exchange is simple to deploy, easy to configure, and backed by
experienced support organizations. The service, by default, is highly accurate and requires little
tuning or optimization to enhance protection from spam and viruses. If you want to customize
the filtering settings, you will find that the web-based administration console accommodates
most filtering preferences. Around-the-clock technical support staff are available to assist in
answering questions and helping with configuration settings.
Also, implementation project managers (IPMs) are available for qualifying Forefront Online
Protection for Exchange standalone accounts for the first 90 days to answer complex questions.
Deployment
Forefront Online Protection for Exchange is easy to deploy. You do not have to change your
organization’s existing email infrastructure, or install and maintain any new hardware or
software. Standalone customers can typically begin using hosted filtering services within 7 to 10
days from initial sign-up with a simple configuration change to DNS. Exchange Online
customers are automatically provisioned with Forefront Online Protection for Exchange with
their Exchange Online subscription. There is no hardware to provision; no software to buy,
install, or configure; and no expensive training required for IT staff or end users.
21
Forefront Online Protection for Exchange requires only one MX record, which resolves to the
service’s network, allowing the IP address of the corporate email server to remain hidden from
DNS lookups. Your organization becomes invisible to spammers, because the DNS lookup
points are located on the service’s network instead of your organization’s network. Therefore,
you only accept inbound SMTP traffic from Forefront Online Protection for Exchange, which can
help close a remaining vulnerability in your network firewall.
In most scenarios, standalone customers can deploy Forefront Online Protection for Exchange
in three steps:
1. After activation, add and configure your email domains using the Administration Center.
2. Make a simple change to your MX record without the use of additional hardware and
software. Your original MX record (such as mail.customer.com) is replaced with a pointer
to the Forefront Online Protection for Exchange network. Over the following 24 hours,
this change is propagated throughout the Internet and mail begins to flow through the
Forefront Online Protection for Exchange network to your organization’s email servers.
3. 72 hours after the MX record change, your organization’s firewall is configured to accept
inbound SMTP connections only from the Forefront Online Protection for Exchange data
centers’ IP addresses. If the customer is using outbound services, its servers are
configured to send all outgoing mail to the Forefront Online Protection for Exchange
network.
After your firewall rules have been restricted to only allow inbound SMTP connections from the
IP addresses used by the Hosted Filtering service, we recommend that the SMTP server be
configured to accept the highest number of concurrent inbound connections from the service
that you feel comfortable with.
If the server is sending outbound email through the Hosted Filtering service, we also
recommend that you configure the server to send no more than 50 messages per connection
and to use fewer than 50 concurrent connections. Under normal circumstances, these settings
will help ensure that the server has smooth and continuous data transfer to the service.
Administration
The Administration Center is a web-based console for defining and managing the settings and
configuration for customer domains for Forefront Online Protection for Exchange. Typically, no
configuration or oversight of the service is required; however, if you wish to customize the FOPE
service, you may do so in the Administration Center. Authorized users can access the
Administration Center at https://admin.messaging.microsoft.com where they must enter their
user name and password. Authorized Exchange Online users can access the Administration
Center from the Mail Control tab of the Exchange Control Panel using single sign-on.
During the implementation of Forefront Online Protection for Exchange, qualified customers are
introduced to a comprehensive tutorial by an implementation project manager designed to
familiarize administrators with the Administration Center console and tools. After the
22
walkthrough, you can access the Administration Center any time to define and edit a variety of
rules and settings.
Figure 8 shows the Information tab, which displays service announcements, network alerts,
virus alerts and important information, such as new services, system upgrades, virus outbreaks,
and patches. Additionally, the tab displays filtering reports at both the organization and network
level.
Figure 8: The Administration Center home page dashboard
Additionally, the Advanced tab offers a consolidated view of all the companies managed by an
administrator. This feature allows you to manage the filtering service of multiple organizations
using a single set of credentials. This feature is available for resellers, administrators of
organizations with a cross-premise scenario, and the delegated administrator of an organization
with a delegated administrator set up.
System Requirements
To use the FOPE Administration Center, you must use one of the following Internet browseres:




Windows Internet Explorer 7, Internet Explorer 8, or Internet Explorer 9
Mozilla Firefox 3.5+
Apple Safari 5+
Google Chrome 8.0.552+
The Administration Center may be viewed in the following languages:
23

















Simplified Chinese
Traditional Chinese
Danish
Dutch
English
Finnish
French
German
Italian
Japanese
Korean
Norweigan
Portuguese
Portuguese (Brazil)
Russian
Spanish
Swedish
Enhanced Email Routing Scenarios
The connectors feature in Forefront Online Protection for Exchange provides enhanced
functionality and flexibility to help you route messages in new ways depending on your
organization’s requirements. There are six different mail flow scenarios you can implement with
FOPE Connectors:





24
Outbound Smart Host Scenario – All or part of your outbound mail is routed through
an on-premises server that applies additional processing before delivering mail to its
final destination.
Forced TLS Scenario – Organizations can set up a secure mail flow channel with
connectors that require mail communications be secured with transport layer security
(TLS) or use a self-signed or CA-validated certificate.
Inbound Safe Listing Scenario – Add a partner organization’s IP addresses to a safe
list and mail from those specified IP addresses can be configured to skip FOPE’s spam
and policy filters.
Shared Address Space with On-Premises Relay Scenario – Email is hosted partially
in the cloud with Exchange Online and partially on-premises while mail flow is controlled
on-premise; MX record points to on-premises.
Shared Address Space with FOPE Relay Scenario – Email is hosted partially in the
cloud with Exchange Online and partially on-premises while mail flow is controlled onpremises; MX record points to FOPE.

Internal Mail Flow Scenario – Email is hosted partially in the cloud with Exchange
Online and partially on-premises and internal mail sent between cloud and on-premises
mailboxes skips FOPE filtering.
An organization may choose to implement multiple mail flow scenarios, depending on their
needs. Connectors are created and managed in the Administration Center.
FOPE Administration Center Differences
When accessing the Forefront Online Protection for Exchange Administration Center, certain
features and settings are different between a FOPE standalone domain and an Exchange
Online hosted domain. The following list describes those differences:
In the Company tab, if you have a hosted domain rather than a standalone domain, you can
view but you cannot change the value of the Outbound Mail Server IP Addresses setting.
In the Domains tab if you have a hosted domain rather than a standalone domain:




You cannot add, validate, enable, or delete domains. As a result, the Add Domains
option is not viewable in the Tasks pane, and the Disable button is not viewable from
Disabled Domains in the Views pane. This should be done in the Mail Control tab of
the Exchange Control Panel.
You can view but you cannot change the value of the Mail Delivery Settings (Mail
Server Addresses and Outbound Mail Server IP Addresses settings). This should be
done in the Exchange Control Panel.
The Catch-all domains, Outbound filtering, Spam filtering, and Virus filtering
settings are not configurable in the Domain Settings pane.
When transferring domain settings via the Transfer Domains dialog box, the IP
addresses and Virus filtering notifications options cannot be transferred because the
IP addresses point to Exchange Online and virus filtering notifications are sent by FPE
rather than by FOPE.
Reporting and Analytics
The Administration Center provides access to a set of comprehensive reports that provide
detailed statistics about your organization’s email traffic. Reporting on an email occurs near real
time after the email enters the Forefront Online Protection for Exchange network, usually within
15 minutes. Reports can be generated by domain or by organization (including all domains) and
provide information such as the percentage of inbound email flagged as spam, top users,
messages encrypted, viruses blocked, and overall email volumes. Figures 9 and 10 show some
sample reports that are available. Measured on a regular basis, these reports are a valuable
tool for gaining insight and control of any customer email system.
25
Figure 9: My Reports tab
Figure 10: Sample email traffic report
Forefront Online Protection for Exchange reports include:

26
Email Traffic Report: Returns the number and volume of messages for each traffic type
that you select. The available traffic types are:
o Inbound delivery: Legitimate messages that are delivered to your
organization or domain. Reports that include this traffic type do not include
messages that are allowed by policy filter rules.
o Spam: Inbound messages that are filtered as spam. This traffic type also
includes the requests that are sent to the email abuse and false-positive
submission email aliases, and, if applicable, any salvaged messages that are
requested from the Spam Quarantine or Spam Notification email messages.
o



Inbound virus: Inbound virus-infected mail and file attachments that are
scanned, as well as viruses that are blocked and cleaned. This report will not
show virus data for Exchange Online customers since antivirus scanning is
performed by Forefront Protection 2010 for Exchange Server on the
Exchange Online servers.
o Inbound policy filter: Inbound messages that are filtered by the policy filter.
(The report breaks down these messages into each different filter type.)
o Outbound delivery: All messages that are sent from this organization or
domain. This traffic type includes successfully sent outbound messages and
outbound messages that are blocked due to a policy filter.
o Outbound virus: Outbound virus-infected mail and file attachments that are
scanned, as well as viruses that are blocked and cleaned. This report will not
show virus data for Exchange Online customers since antivirus scanning is
performed by Forefront Protection 2010 for Exchange Server on the
Exchange Online servers.
o Outbound policy filtering: Outbound messages that are filtered by policy
filter. (The report breaks down these messages based on each different filter
type.)
Top Viruses Report: Returns a list of the top 10 viruses that have been caught by the
virus filters for your domain or set of domains. This report will not show virus data for
Exchange Online customers since antivirus scanning is performed by Forefront
Protection 2010 for Exchange Server on the Exchange Online servers.
Deferral Report: Returns a list of messages that have been deferred by the service. It
includes the message and the reason for deferral.
Top Users: Returns a list of the top 10 users of the service. Note that this report only
displays users that belong to domains that have directory-based edge blocking enabled.
This helps decrease the number of invalid user accounts from being recorded in this
report.
Message Trace
You can use the Message Trace tool to retrieve the status of an email processed by Forefront
Online Protection for Exchange in real-time. With basic information, such as the date, sender,
and recipient, you can retrieve filtering information for emails processed within the last 30 days.
The sender email address and recipient address information is required; at least one of them
must contain a full email address such as recipient@contoso.com and the other field can
contain a full email address or only a domain name such as @woodgrovebank.com. Optionally,
administrators can search using the message ID. The results will tell you when the message
was received by Forefront Online Protection for Exchange; whether it was scanned, blocked,
encrypted or deleted; or whether it was delivered successfully within the last month.
27
Figure 11: The Message Trace search input panel
Figure 12: Message Trace search results
Exchange Online subscribers should use the Exchange Control Panel rather than the FOPE
Administration Center to track messages sent to recipients within your organization.
Audit Trail
Using an audit trail such as the one shown in Figure 13, you can track important events that
have occurred in Forefront Online Protection for Exchange. User-related and service-related
events can be sorted by email address, company, domain, activity, or date and time. This allows
administrators to review changes that were made to settings as far back as January 2009, as
well as users who have accessed the Administration Center.
28
Figure 13: Audit trail events
Customer Support
The Forefront Online Protection for Exchange service offers comprehensive support, including
detailed online resources, around-the-clock call centers, and for qualifying accounts,
implementation project managers (IPMs).
Microsoft Online Services live technical support staff members are ready to deliver solutions
quickly and clearly and can be reached with ease. They are available by phone or web form 24
hours a day, 7 days a week.
Assistance at Your Fingertips
Forefront Online Protection for Exchange also provides online support tools, including frequently
asked questions (FAQs), step-by-step guides, and comprehensive tutorials that cover all
aspects of the service. These documents are available in various languages to ensure that IT
staff in your organization thoroughly understands the service.
Announcements and Notifications
As an enterprise-class service, Forefront Online Protection for Exchange helps ensure
proactive, detailed, and regular communications so you are well informed. Announcements,
alerts, and other notifications such as configuration updates are posted to the Information page
of the Administration Center and communicated through RSS feeds that you can subscribe to.
29
Customer Support for Exchange Online customers
Customer support for Exchange Online customers is handled through the Office 365 support
desk. For more information about Office 365 support see Get support for Office 365
(http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff637617.aspx).
Customer Support for Standalone customers
A Get Help Now link to the Microsoft Support request website now appears in the
Administration Center on both the Resources page and the shortcut menu below qualified users’
log on names. This link points to the Microsoft Support home page. Here, authorized users can
complete and submit support requests and track the progress of existing requests. Support
requests are typically responded to in less than 24 hours.
To Use the Get Help Now Option
1. Log on to the Forefront Online Protection for Exchange Administration Center home
page.
2. From the shortcut menu under your user name, click Get Help Now.
3. You can also go to the Resources page and click the Technical Support Web Portal
link.
4. Select the appropriate service subscription,for example, Exchange Hosted Archive.
5. Select the appropriate support topic and sub-topics, if necessary, and click Next.
6. Describe the details of your request, or the problem you’re experiencing, in the Describe
the Problem form.
7. After you have completed the required fields, click Submit.
Notes:




A confirmation page will appear with a confirmation number and the details of your
request, along with an option to print the request or save a copy of the submitted
request. You will also receive an email confirmation of your submitted request.
You may view the details of your submitted request by selecting the View Incidents link,
which points you to a page listing all the submitted incidents.
You will receive an email response within 24 hours of the time you submitted the
request.
The technical support team stays in close contact with you and provides regular updates
about issues until all your questions have been resolved. Microsoft Online Services
technical support will issue a support incident number if follow-up calls to technical
support are required. You can use translation services to receive phone support for the
following languages: French, German, Japanese, Korean, Mandarin and Spanish.
Accelerate Time to Value with Implementation Project Managers (IPMs)
Implementation Project Managers (IPMs) are product specialists who are available to answer
deployment, security, and configuration questions and generally ensure that you benefit from
the best service experience and successful implementation. IPMs are available for qualifying
Forefront Online Protection for Exchange standalone accounts for the first 90 days after service
30
purchase in order. IPMs work closely with you to manage the initial deployment of the service to
your organization and to generally represent your needs when coordinating with other Microsoft
resources. They provide an additional layer of strategic and critical planning, and can facilitate
one-on-one training for your IT staff.
Customer Support for Microsoft Premier Support Subscribers
Premier Support for Microsoft Online Services extends the Premier Support framework beyond
on-premises products to online services, providing you with a unified support experience across
all products and services. This service helps ensure that customers can resolve issues quickly
and simplifies the task of managing support for different components of an IT infrastructure.
If you are a Forefront Online Protection for Exchange customer and also have a Microsoft
Premier Support contract, you can also get support through the normal Microsoft Premier
Support channels. This allows you to receive access to all processes and resources available to
Premier Support customers, such as a Premier Technical Account Manager (TAM) and case
submission.
Conclusion
Forefront Online Protection for Exchange consists of layered technologies to actively help
protect inbound and outbound email from spam, viruses, phishing scams, and email policy
violations. Forefront Online Protection for Exchange is easy to deploy; it requires no hardware
or software to install, manage, and maintain, and help customers to satisfy company policy and
regulatory compliance requirements for email.
For more information:





31
Microsoft Forefront Online Protection for Exchange at http://www.microsoft.com/fope
Microsoft Exchange Server at http://www.microsoft.com/exchange
FOPE Privacy Statement at http://go.microsoft.com/fwlink/?LinkID=138500
FOPE SLA at http://go.microsoft.com/fwlink/?LinkId=138884
FOPE Acceptable Use Policy at http://go.microsoft.com/fwlink/?LinkId=79398