Reduce Spam with Exchange 2007 Server Safe List Aggregation

As you probably know, Exchange server 2007 is designed to take a layered approach to message hygiene. Typically, when an SMTP message arrives, it passes through an edge transport server. The edge transport server typically checks the message for viruses, and make sure that the message isn’t spam.  Once these checks have been performed, the message is allowed to continue on to the mailbox server that hosts the recipient’s mailbox.  Depending on the way that Exchange Server is configured, the mailbox server may perform some additional screening of its own.

The recipient may also perform some screening of their own. Usually, server level screening is designed to get rid of viruses and remove the most obvious spam. Ultimately though, it is up to the end user to configure Outlook for the level of spam removal that the user wants.

One of the antispam features that the user can take advantage of is the safe senders list.  Although the safe senders list resides at the mailbox server level, it is something that the end user configures completely independently of settings implemented by the administrator or by other users.

Although the safe senders list is a nice feature, it can be a bit problematic in environments that take a multilevel approach to spam filtering. Think about it for a moment. The safe senders list allows users to create a list of senders that they consider to be safe. This allows the users to receive messages from those senders regardless of message content. The problem is though, that the edge transport server does some initial spam filtering before the safe senders list is ever processed.

Safe List Aggregation

To get around this problem, Microsoft created something called safe list aggregation. The basic idea behind safe list aggregation is that the edge transport server is made aware of each user’s safe sender list. Unfortunately, there isn’t a check box that you can select in order to enable safe list aggregation. It’s something that you will have to implement manually.

Before I show you how to implement safe list aggregation, there are two things that you need to know about it. First, the edge transport server does not distinguish between one user’s safe sender list and another’s. In a way this is OK though. After all, if a user trusts a particular user not to send them spam, then the user can probably trusts the sender not to spam anyone else in the organization either. Assuming that the user themselves is trustworthy, then a sender who is considered safe by a user should be considered to be safe by the entire organization.

The other thing that you need to know about safe list aggregation is that it can be very resource intensive. Fortunately, safe list aggregation is only resource intensive during updates. It is entirely up to you as to if or when you want to perform these updates. Updates do not occur automatically unless you configure them to do so.

With these things in mind, let’s take a look at how to implement safe list aggregation. Safe list aggregation is performed from the Exchange Management Shell, on a user by user basis. The command for performing safe list aggregation against a mailbox looks something like this:

​Update-Safelist –Identity username –DomainController –Type both

Obviously, running this type the command against every single mailbox is impractical. This is especially true when you consider that the aggregate safe list is not automatically kept up-to-date. Fortunately, there is an easy way to tell Exchange Server to perform safe list aggregation against every mailbox on the mailbox server. To do so, use this command:

​Get-Mailbox | Update-SafeList –Type SafeSenders

As you can see, the command’s syntax is very simple. It uses the Get-Mailbox command to gather names of the mailboxes in your organization. It then applies the Update-SafeList –Type SafeSenders list to the various mailbox names.

The problem is that you must run this command every time that you want to update the safe senders list. Fortunately, this is something that you can automate. To do so, just create a text file containing this command, and save the file using a file name with the .VBS extension.  For demonstration purposes, let’s call the file safe.VBS.

Once you’ve created a VBS file, you can use the AT command to schedule the .VBS file to run a specific times. For example, if you wanted your script to run at 11:00 p.m. every night, you could use the command below:

​at 23:00 /every:M,T,W,Th,F,S,Su cmd /c “C:'safe.vbs”


Although user’s safe lists usually get the job done, they are not completely reliable unless the edge transport server is made aware of them. In this article, I’ve shown you how to use safe list aggregation in order to propagate each user’s safe sender list to the edge transport server.

For more Exchange 2007 articles…

For more Exchange 2007 articles, please see the Petri Exchange 2007 Knowledgebase master index.