How to Enable Anti-Spam Functionality on a Hub Transport Server

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

In some small organizations, it may make sense to run Microsoft Exchange Server 2007 anti-spam features on Hub Transport servers. For example, some small organizations may not have enough e-mail volume to justify the cost of installing and maintaining a full perimeter network together with an Edge Transport server. This article describes how to enable Microsoft Exchange anti-spam functionality on Hub Transport servers.


It is not a best practice to run anti-spam functionality on the Hub Transport server. We recommend that you run anti-spam features on the Edge Transport server at the perimeter of your organization. Only run anti-spam features on the Hub Transport server if you have not deployed Edge Transport server.

To install and enable the anti-spam features on a Hub Transport server, you must run the Install-AntispamAgents.ps1 script. This script is located in the %system drive%/Program Files/Microsoft/Exchange Server/Scripts folder that is installed when you run Exchange Setup. After you run the script, you must restart the Microsoft Exchange Transport service to finish the installation of the anti-spam features. The Install-AntispamAgents.ps1 script installs and enables the following anti-spam features:

  • Connection filtering

  • Content filtering

  • Sender ID

  • Sender filtering

  • Recipient filtering

  • Sender reputation


Attachment filtering is an antivirus feature that is not enabled or installed. Attachment filtering only runs on the Edge Transport server. However, the file filtering functionality that is provided by Microsoft Forefront Security for Exchange Server includes advanced features that are unavailable in the default Attachment Filter agent that is included with Microsoft Exchange Server 2007 Standard Edition. Forefront Security for Exchange is fully supported on the Hub Transport server role. For more information, see Microsoft Forefront Security for Exchange Server User Guide.

After you run the Install-AntispamAgents script, restart the Microsoft Exchange Transport service, and set the InternalSMTPServers parameter as described later in this topic, you can configure the anti-spam features as you would when they are installed on the Edge Transport server. The Anti-spam tab will appear in the Exchange Management Console. And you can run all anti-spam cmdlets in the Exchange Management Shell.


Most Exchange 2007 documentation does not refer to the anti-spam features in the context of the Hub Transport server. Therefore, as you read documentation about how to configure, manage, and maintain anti-spam features, remember that all functionality that is documented in the context of the Edge Transport server is also available on the Hub Transport server, unless specifically noted otherwise.

Before You Begin

To perform the following procedures, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

The Install-AntispamAgents.ps1 script is copied to the %system drive%/Program Files\Microsoft\Exchange Server\Scripts folder. You must run the script from this location.


To enable anti-spam functionality on a Hub Transport server

  1. Run the following command:

  2. After the script has run, restart the Microsoft Exchange Transport service by running the following command:

    Restart-Service MSExchangeTransport

Setting the InternalSMTPServers Parameter

In some organizations, the Hub Transport server role is installed on computers that don't process Simple Mail Transfer Protocol (SMTP) requests directly on the Internet. In this scenario, the Hub Transport server is behind another front-end SMTP server that processes inbound messages directly from the Internet. The Connection Filter agent must be able to extract the correct originating IP address from the message. To extract and evaluate the originating IP address, the Connection Filter agent must parse the Received headers from the message and compare those headers with the known SMTP server in the perimeter network.

When an RFC-compliant SMTP server receives a message, the server updates the message's Received header with the domain name and IP address of the sender. Therefore, for each SMTP server that is between the originating sender and the Hub Transport server, the SMTP server adds an additional Received header entry.

You must specify all internal SMTP servers on the transport configuration object in the Active Directory directory service forest before you run connection filtering. Specify the internal SMTP servers by using the InternalSMTPServers parameter on the Set-TransportConfig cmdlet. For more information about how to use the Set-TransportConfig cmdlet, see Set-TransportConfig.

When messages are received by the computer that runs connection filtering, the IP address in the Received header that does not match the IP address of an SMTP server in your perimeter network is assumed to be the originating IP address.


For all anti-spam features to work correctly, you must have at least one IP address of an internal SMTP server set on the InternalSMTPServers parameter on the Set-TransportConfig cmdlet. If the Hub Transport server on which you are running the anti-spam features is the only SMTP server in your organization, enter the IP address of that computer.

Using Exchange Hosted Services

Spam filtering is enhanced by or is also available as a service from Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:

  • Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware, including viruses and spam

  • Hosted Archive, which helps them satisfy retention requirements for compliance

  • Hosted Encryption, which helps them encrypt data to preserve confidentiality

  • Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations

These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.

For More Information

For more information about how to manage anti-spam and antivirus features in Exchange 2007, see Managing Anti-Spam and Antivirus Features.