Solved

Exchange Anti-Spam RBL

Posted on 2011-03-14
4
2,512 Views
Last Modified: 2012-05-11
The setup is a Windows Server 2008 R2 with Exchange 2010 installed.

Anti-Spam has been enabled and now gives the option to add Real Time Blacklist providers.

However, once the RBL is added, emails that should be blocked are still coming through.

As shown below is the location where the RBL has been added:

[Screenshot]
Does anyone have any tips on how to get this working and/or test this current setup?

Thanks.
Question by:patrickfreer
4 Comments
 
LVL 7

Expert Comment

by:viveksahu
ID: 35126811
Hi,

Here is the article you need:
http://technet.microsoft.com/en-us/library/bb123943.aspx

When you configure connection filtering, you must follow these steps:

1. Enable connection filtering components.
2. Add IP addresses to the IP Allow lists and IP Block lists.
3. Configure IP Allow List providers and IP Block List providers.
4. Configure connection filtering for Edge Transport servers that are not the first Simple Mail Transfer Protocol (SMTP) entry point.
5. Test IP Block and IP Allow functionality.

Important:  
Configuration changes that you make to connection filtering by using the Exchange Management Console or the Exchange Management Shell are made only to the local computer that has the Edge Transport server role installed. If you have multiple instances of the Edge Transport server role running in your organization, you must apply connection filtering configuration changes to each computer.  

Enabling Connection Filtering Components
By default, connection filtering is enabled on the Edge Transport server for inbound messages that come from the Internet but are not authenticated. These messages are handled as external messages. You can disable the filter in individual computer configurations by using the Exchange Management Console or the Exchange Management Shell.

When connection filtering is enabled on a computer, the Connection Filter agent filters all messages that come through all Receive connectors on that computer. As noted earlier in this topic, only messages that come from external sources are filtered. External sources are defined as non-authenticated sources. These are considered anonymous Internet sources.

For more information about how to configure Receive connectors and how message source categories are determined, see Receive Connectors.

As a best practice, you should not filter messages from trusted partners or from inside your organization. When you run anti-spam filters, there is always a chance that the filters will detect false positives. To reduce the chance of mishandling legitimate e-mail messages, you should enable anti-spam agents to run only on messages from potentially untrusted and unknown sources. You can enable and disable connection filtering on messages from any source by using the Exchange Management Shell.

For more information about how to enable connection filtering, see How to Enable Connection Filtering.

Adding IP Addresses to the Block and Allow Lists
As explained in Connection Filtering, IP Block lists and IP Allow lists are administrator-defined lists that specify IP addresses and IP address ranges that are acted on by connection filtering. If an originating IP address matches an IP address or IP address range on the IP Block list, the Connection Filter agent processes all RCPT TO: headers in the message and then denies the message after the MAIL FROM command. When an originating IP address matches an IP address or IP address range on the IP Allow list, the Connection Filter agent sends the message to the destination without additional processing by other anti-spam agents. For more information about how the anti-spam agents work together and the order in which they are applied, see Anti-Spam and Antivirus Functionality.

Note:  
The use of Internet Protocol Version 6 (IPv6) addresses and IP address ranges is supported only when Microsoft Exchange Server 2007 Service Pack 1 (SP1) is deployed on a computer that is running Windows Server 2008, both IPv6 and Internet Protocol Version 4 (IPv4) are enabled on that computer, and the network supports both IP address versions. If Exchange 2007 SP1 is deployed in this configuration, all server roles can send data to and receive data from devices, servers, and clients that use IPv6 addresses. A default installation of Windows Server 2008 enables support for IPv4 and IPv6. If Exchange 2007 SP1 is installed on Windows Server 2003, IPv6 addresses are not supported. For more information about Exchange 2007 SP1 support for IPv6 addresses, see IPv6 Support in Exchange 2007 SP1.  

For more information about how to add IP addresses to the IP Block list and IP Allow list, see How to Add IP Addresses to the IP Allow List and IP Block List.

Configuring IP Block List Providers and IP Allow List Providers
IP Block list and IP Allow list provider services can help you reduce spam and increase overall message processing on your Edge Transport server. You should consider configuring multiple IP Block List provider services and IP Allow List provider services.

Note:  
Multiple IP Block List provider services are sometimes referred to as real-time block list (RBL) services. IP Allow List provider services are sometimes referred to as safe list services.  

For each IP Block List provider service that you configure, you can customize the SMTP 550 error that is returned to the sender when the sender IP address is matched to an IP Block List provider service and is subsequently blocked by the Connection Filter agent. It is a best practice to customize the SMTP 550 error to identify the IP Block List provider service that identifies the sender as a blocked IP address. This best practice enables legitimate senders to contact the IP Block List provider service so that they can be removed from the IP Block List provider service's IP Block list.

Different IP Block List provider services may return different codes when the IP address of a remote server that is sending a message matches an IP address on an IP Block List provider service's IP Block list. Most IP Block List provider services return one of the following data types: bitmask or absolute value. Within these data types, there may be multiple values that indicate the type of list that the submitted IP address is on.

Bitmask Example
This section shows an example of the status codes returned by most Block List providers. See the documentation from the specific provider on the status codes that the provider returns.

For bitmask data types, the IP Block List provider service returns a status code of 127.0.0.x, where the integer x is any one of the values that are listed in the following table.

Values and status codes for bitmask data types

Value   Status Code
1       The IP address is on an IP Block list.
2       The SMTP server is configured to act as an open relay.
4       The IP address supports a dial-up IP address.

For absolute value types, the IP Block List provider service returns explicit responses based on the cause of the block of the IP address. The following table shows some examples of absolute values and the explicit responses.

Values and status codes for absolute value data types

Value       Explicit Response
127.0.0.2   The IP address is a direct spam source.
127.0.0.4   The IP address is a bulk mailer.
127.0.0.5   The remote server that is sending the message is known to support multistage open relays.

For more information about how to configure IP Allow List providers and IP Block List providers, see How to Configure IP Allow List and IP Block List Providers.

Configuring Connection Filtering for Edge Transport Servers That Are Not the First SMTP Entry Point
In some organizations, the Edge Transport server role is installed on computers that do not process SMTP requests directly on the Internet. In this scenario, the Edge Transport server is behind another front-end SMTP server that processes inbound messages directly from the Internet. In this scenario, the Connection Filter agent must be able to extract the correct originating IP address from the message. To extract and evaluate the originating IP address, the Connection Filter agent must parse the Received headers from the message and compare those headers to the known SMTP server in the perimeter network.

When an RFC-compliant SMTP server receives a message, the server updates the message's Received header with the domain name and IP address of the sender. Therefore, for each SMTP server that is between the originating sender and the Edge Transport server, the SMTP server adds an additional Received header entry.

When you configure your perimeter network to support Microsoft Exchange Server 2007, you must specify all the IP addresses for the SMTP servers in your perimeter network. The IP address data is replicated to Edge Transport servers by EdgeSync. When messages are received by the computer that runs the Connection Filter agent, the IP address in the Received header that does not match an SMTP server IP address in your perimeter network is assumed to be the originating IP address.

You must specify all internal SMTP servers on the transport configuration object in the Active Directory forest before you run connection filtering. Specify the internal SMTP servers by using the InternalSMTPServers parameter on the Set-TransportConfig cmdlet.

Testing IP Block List and IP Allow List Functionality
After you configure an IP Block List provider service or IP Allow List provider service, you can test to make sure that connection filtering is configured correctly for the particular service. Most IP Block List provider services or IP Allow List provider services provide test IP addresses that you can use to test their services. When you run a test against an IP Block List provider service or an IP Allow List provider service, the Connection Filter agent issues a Domain Name System (DNS) query that is based on the real-time block list (RBL) IP address that should respond with a specific response. For more information about RBL services, see Connection Filtering. For more information about how to test IP addresses against an IP Block List provider service or an IP Allow List provider service, see Test-IPAllowListProvider and Test-IPBlockListProvider.
 
LVL 1

Author Comment

by:patrickfreer
ID: 35126846
This exchange server is not running the Edge Transport service. Just the Hub Transport service with anti-spam enabled.

Is it possible to still set up RBLs on a normal Hub Transport Server?
 
LVL 7

Expert Comment

by:viveksahu
ID: 35136225
Yes, it is very much possible.
 
LVL 7

Accepted Solution

by:
bitMASTERS earned 500 total points
ID: 35136429
You can test to see if the blocking is working by sending an email (any email) to: nelson-sbl-test@crynwr.com (you must send the email from the mail server which you wish to test). The Crynwr system robot will answer you to tell you if your server is correctly blocking IPs or not.

If they aren't, then you may want to restart your Exchange services and/or the server. Also, you may want to use these scripts to test effectiveness: http://www.allspammedup.com/2009/01/anti-spam-reporting-for-exchange-server-2007/ (will work for Exchange 2010 as well).
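The TechNet steps quoted above (enable the agent, register a provider, tell Exchange which internal SMTP hops to skip, then test with Test-IPBlockListProvider) can all be done from the Exchange Management Shell on a Hub Transport server, which is the scenario the asker describes. The following is an added example written for this page; it is not code from the question, the answers, or Microsoft's documentation. The provider name "Example RBL", the lookup zone "rbl.example.net", the gateway address 10.0.0.5, and the 127.0.0.x return codes used for matching are placeholders chosen to mirror the bitmask/absolute-value tables above; substitute the zone and return codes your provider documents.

```powershell
# Added example (not from the thread): configure and verify an IP Block List
# provider on an Exchange 2010 Hub Transport server. Run in the Exchange
# Management Shell as an account with Organization Management rights.

# 1. Hub Transport servers do not install the anti-spam agents by default.
#    This script ships with Exchange under the install path; the transport
#    service must be restarted afterwards for the agents to load.
& "$env:ExchangeInstallPath\Scripts\install-AntispamAgents.ps1"
Restart-Service MSExchangeTransport

# 2. Confirm the Connection Filtering agent is present and enabled.
Get-TransportAgent | Where-Object { $_.Identity -eq 'Connection Filtering Agent' }

# 3. Turn on IP Block List providers for unauthenticated (external) mail only,
#    matching the TechNet advice not to filter internal or partner traffic.
Set-IPBlockListProvidersConfig -Enabled $true -ExternalMailEnabled $true -InternalMailEnabled $false

# 4. Register the provider. Pick the match style that fits the provider's
#    response type from the tables above:
#      -IPAddressesMatch  for absolute-value providers (explicit 127.0.0.x answers)
#      -BitmaskMatch      for bitmask providers (bits in the last octet)
#      -AnyMatch $true    to block on any answer at all
#    The rejection text is returned in the SMTP 550 so a falsely listed sender
#    knows which list to contact for delisting. Values below are placeholders.
Add-IPBlockListProvider -Name 'Example RBL' `
    -LookupDomain 'rbl.example.net' `
    -IPAddressesMatch '127.0.0.2','127.0.0.4' `
    -RejectionResponse 'Connection rejected: sending IP is listed by Example RBL (rbl.example.net). Contact the list operator for delisting.'

# 5. If another SMTP gateway sits in front of this server, list its address so
#    the agent skips that hop in the Received headers and evaluates the true
#    originating IP. @{Add=...} appends rather than replacing the existing list.
#    10.0.0.5 is a placeholder for the gateway's address.
Set-TransportConfig -InternalSMTPServers @{Add='10.0.0.5'}

# 6. Test the provider with a known-listed address. Most RBLs document a test
#    address; 127.0.0.2 is the conventional one. The returned object reports
#    whether the lookup matched.
Test-IPBlockListProvider -Identity 'Example RBL' -IPAddress 127.0.0.2

# 7. Review what the agent actually did to recent connections. Rejections
#    attributed to the Connection Filtering Agent confirm blocking is live.
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq 'Connection Filtering Agent' } |
    Select-Object Timestamp, IPAddress, Action, Reason, ReasonData
```

Two checks worth keeping in mind when the test in step 6 matches but real spam still arrives: confirm the Receive connector that accepts Internet mail is not granting the sending hosts an authenticated or "externally secured" permission (connection filtering only applies to anonymous sources), and, if a front-end relay exists, make sure its address is in InternalSMTPServers, because otherwise every message appears to originate from the relay rather than from the listed host.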
