How to configure and test RBLs in Exchange 2013 EMS?

Hello Experts,

I have an Exchange server with AntiSpam tools installed. I also configured Spamhaus as RBL provider:
[PS] C:\Windows\system32>Get-IPBlockListProvider spamhaus|fl

RunspaceId        : c643d126-7eef-4c63-9f0c-ac95345affc5
RejectionResponse :
LookupDomain      : zen.spamhaus.org
Enabled           : True
AnyMatch          : True
BitmaskMatch      :
IPAddressesMatch  : {}
Priority          : 3
AdminDisplayName  :
ExchangeVersion   : 0.1 (8.0.535.0)
Name              : Spamhaus
...


When I test it, I get no result, though at the moment of writing this IP is listed in zen.spamhaus.org:
[PS] C:\Windows\system32>Test-IPBlockListProvider -IPAddress 186.128.36.149 -Identity spamhaus

RunspaceId     : c643d126-7eef-4c63-9f0c-ac95345affc5
Provider       : Spamhaus
ProviderResult : {}
Matched        : False


Since I just got mail from this IP, I figure the test is correct and RBLs are not working.
How can I get them to work?

Thanks!

PS: My Content filter config:
[PS] C:\Windows\system32>Get-ContentFilterConfig|fl


RunspaceId                            : c643d126-7eef-4c63-9f0c-ac95345affc5
Name                                  : ContentFilterConfig
RejectionResponse                     : Message rejected as spam by Content Filtering.
OutlookEmailPostmarkValidationEnabled : True
BypassedRecipients                    : {}
QuarantineMailbox                     :
SCLRejectThreshold                    : 7
SCLRejectEnabled                      : True
SCLDeleteThreshold                    : 9
SCLDeleteEnabled                      : False
SCLQuarantineThreshold                : 9
SCLQuarantineEnabled                  : False
BypassedSenders                       : {}
BypassedSenderDomains                 : {}
Enabled                               : True
ExternalMailEnabled                   : True
InternalMailEnabled                   : False
AdminDisplayName                      :

Daniel Helgenberger Asked:
arnold Commented:
The following are dnsbl test sites.


Mxtoolbox.com has an RBL test tool
RBL-check.com
Dnsbl.info


Run nslookup 186.128.36.149.zen.spamhaus.org to see if it is or is not listed.
Test 127.0.0.2.zen.spamhaus.org to see how it works.
Then try test-ipblocklistprovider -ipaddress 127.0.0.2 -identity spamhaus to confirm the same result, i.e. that it is listed.
0
Daniel Helgenberger (Author) Commented:
Strange; I ran the exact command today and there you go, a match:
[PS] C:\Windows\system32>nslookup 127.0.0.2.zen.spamhaus.org

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    127.0.0.2.zen.spamhaus.org
Address:  127.0.0.11

[PS] C:\Windows\system32>Test-IPBlockListProvider -IPAddress 186.128.36.14 -Identity spamhaus
Creating a new session for implicit remoting of "Test-IPBlockListProvider" command...

RunspaceId     : 7e599ce9-3c5f-415a-a92d-aae8fc7e327a
Provider       : Spamhaus
ProviderResult : {127.0.0.11}
Matched        : True



I think this may be spamhaus in the end?:

[PS] C:\Windows\system32>Get-IPBlockListProvider|Test-IPBlockListProvider -ip 127.0.0.2

RunspaceId     : 9fb0b5c1-7cb0-4ea6-9102-bef6709a5cb1
Provider       : Spamhaus
ProviderResult : {}
Matched        : False

RunspaceId     : 9fb0b5c1-7cb0-4ea6-9102-bef6709a5cb1
Provider       : UCE protect lvl 2
ProviderResult : {127.0.0.2}
Matched        : True

RunspaceId     : 9fb0b5c1-7cb0-4ea6-9102-bef6709a5cb1
Provider       : Sorbs
ProviderResult : {127.0.0.10, 127.0.0.5, 127.0.0.7, 127.0.0.2, 127.0.0.3, 127.0.0.9, 127.0.0.14, 127.0.0.4, 127.0.0.6,
                 127.0.0.8}
Matched        : True

RunspaceId     : 9fb0b5c1-7cb0-4ea6-9102-bef6709a5cb1
Provider       : UCE Protect backscatter
ProviderResult : {127.0.0.2}
Matched        : True

RunspaceId     : 9fb0b5c1-7cb0-4ea6-9102-bef6709a5cb1
Provider       : UCE protect lvl 1 konservativ
ProviderResult : {127.0.0.2}
Matched        : True

RunspaceId     : 9fb0b5c1-7cb0-4ea6-9102-bef6709a5cb1
Provider       : UCE protect lvl 3 superkrass
ProviderResult : {127.0.0.2}
Matched        : True

RunspaceId     : 9fb0b5c1-7cb0-4ea6-9102-bef6709a5cb1
Provider       : junkemailfilter.com
ProviderResult : {127.0.0.2, 127.0.0.1, 127.0.0.3, 127.0.0.4, 127.0.0.5, 127.0.1.1, 127.0.1.2, 127.0.1.3, 127.0.2.3}
Matched        : True


0
arnold Commented:
The IP was listed on one of the referenced URLs while not listed on the others.

The issue might deal with one having a negative cached DNS response that lasts for some time, while the other deals with a cached positive response.
The issue could also exist because of propagation issues within the DNS servers serving zen.spamhaus.org.

nslookup -q=NS zen.spamhaus.org

Then, if you want, you can identify the source of the error:
nslookup -q=NS IP zen.spamhaus.org nameserver_from the earlier query.


Here you are looking for differing responses.
I.e. 3 servers say listed, and one says not listed, or the other way around.
0
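The two checks arnold describes (a direct DNSBL lookup, then the same lookup against each name server of the zone) as an added PowerShell example that is not part of the original thread. The function names are hypothetical, and it assumes Resolve-DnsName is available (DnsClient module, Windows Server 2012 or later); the reversed-octet query name and the treatment of 127.255.255.x as Spamhaus error codes are standard DNSBL behaviour, not something stated in the thread.

```powershell
# Added example; function names are hypothetical, not Exchange cmdlets.
# Requires Resolve-DnsName (DnsClient module, Windows Server 2012 or later).
function ConvertTo-DnsblName {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$Zone)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "IPv4 only: $IPAddress" }
    # DNSBL zones are keyed by the address with its octets reversed.
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)
    '{0}.{1}' -f ($octets -join '.'), $Zone
}

function Compare-DnsblAnswer {
    param([Parameter(Mandatory)][string]$IPAddress,
          [string]$Zone = 'zen.spamhaus.org')
    $name = ConvertTo-DnsblName -IPAddress $IPAddress -Zone $Zone
    # Name servers for the zone, as returned by the resolver this host uses.
    $servers = Resolve-DnsName -Name $Zone -Type NS -DnsOnly |
        Where-Object { $_.Type -eq 'NS' } |
        Select-Object -ExpandProperty NameHost
    # $null stands for the default resolver, i.e. the path Exchange takes.
    foreach ($server in @($null) + @($servers)) {
        $query = @{ Name = $name; Type = 'A'; DnsOnly = $true
                    ErrorAction = 'SilentlyContinue'; ErrorVariable = 'dnsErr' }
        if ($server) { $query.Server = $server }
        $codes = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' } |
                   Select-Object -ExpandProperty IPAddress)
        # Spamhaus documents 127.255.255.x as query errors, not listings.
        $listing = @($codes | Where-Object { $_ -notlike '127.255.255.*' })
        # Keep the DNS error text so a timeout is not mistaken for "not listed".
        if ($codes.Count) { $detail = $codes -join ', ' }
        elseif ($dnsErr) { $detail = $dnsErr[0].Exception.Message }
        else { $detail = 'no A record returned' }
        [pscustomobject]@{
            Server = if ($server) { $server } else { '(default resolver)' }
            Query  = $name
            Listed = $listing.Count -gt 0
            Detail = $detail
        }
    }
}

# 127.0.0.2 is the DNSBL test entry; then the address from the question.
Compare-DnsblAnswer -IPAddress 127.0.0.2 | Format-Table -AutoSize
Compare-DnsblAnswer -IPAddress 186.128.36.149 | Format-Table -AutoSize
```

A row where the default resolver disagrees with the zone's own name servers points at the local resolver or its cache; disagreement among the name servers themselves points at the provider side.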
Daniel Helgenberger (Author) Commented:
Arnold, thanks a lot.
Turns out to be Spamhaus; I lowered the priority of this Block List Provider in Exchange.
0