Using IP Block List Providers and the Connection Filter agent in Exchange 2007
Written by Paul Cunningham on December 12, 2008
Exchange Server 2007 includes integrated anti-spam features that run on Edge Transport servers and can optionally be enabled on Hub Transport servers. In this blog post I will discuss the Connection Filter agent and how IP block list providers can be used to protect Exchange servers from spam.
What is the Connection Filter agent?
The Connection Filter agent is a Transport server feature that performs filtering actions based on the IP address of the remote server that is making a connection to the Exchange server. The Connection Filter agent checks whether the remote IP address is on an IP Allow list, an IP Block list, or on neither and takes action based on the result.
When the Connection Filter agent is enabled it is the first anti-spam agent that assesses any incoming SMTP communication.
This preserves system resources on the Transport server by avoiding the need to accept the entirety of the email message data and perform more thorough content scanning of the message for spam. The Transport server simply assumes that an email coming from an IP address on an IP Block list is almost certainly going to be spam and terminates the SMTP session before the DATA command is issued.
What is an IP Allow/Block list?
An IP Allow/Block list can be made up of an administrator-defined list of IP addresses or it can come from a third party provider.
Administrator-defined lists typically are used when an Exchange administrator needs to explicitly allow or block a specific IP address, and are assessed first before any third party IP Allow/Block lists. For example, if a customer’s network has been blacklisted for some reason you can override that by adding their IP address to your IP Allow list. Similarly if you are receiving spam from an IP address that has not yet been blacklisted you can add the IP address to your IP Block list.
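The administrator-defined lists described above are managed from the Exchange Management Shell. The following is an added example, not code from the original post: it allows a blacklisted customer server, blocks a spam source with an expiry so the entry does not linger, and reviews the result. All IP addresses are constructed documentation-range values and the comments are placeholders.

```powershell
# Added example (not from the original post): managing the administrator-defined
# IP Allow and IP Block lists from the Exchange Management Shell.
# All IP addresses below are constructed documentation-range values, not real hosts.

# Confirm the Connection Filter agent's IP Block list is enabled for internet mail
Get-IPBlockListConfig | Format-List Enabled, ExternalMailEnabled, InternalMailEnabled

# A customer's mail server that a provider has blacklisted: allow it explicitly.
# Allow list entries are evaluated before any provider is queried.
Add-IPAllowListEntry -IPAddress 192.0.2.25 -Comment "Customer MX listed by a provider - explicitly allowed"

# A spam source not yet on any provider list: block it for a limited time so the
# entry expires and is reviewed rather than staying forever.
Add-IPBlockListEntry -IPAddress 198.51.100.77 -ExpirationTime (Get-Date).AddDays(7) -Comment "Spam source, review after a week"

# Whole ranges can be blocked as well
Add-IPBlockListEntry -IPRange 203.0.113.0/24 -Comment "Repeated spam from this range"

# Review what is currently configured
Get-IPAllowListEntry | Format-Table Identity, IPRange, ExpirationTime, Comment
Get-IPBlockListEntry | Format-Table Identity, IPRange, ExpirationTime, Comment

# Remove an entry by its numeric Identity once it is no longer needed
# Remove-IPBlockListEntry -Identity 1
```

Giving manual block entries an expiration time is a deliberate choice: an entry added in a hurry for a single spam run is otherwise easy to forget, and the third party providers will usually have listed the source themselves before the week is out.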
Third party list providers such as SORBS and SpamHAUS provide a service that you can use to look up an IP address and determine whether it is on one of the IP Allow or IP Block lists. These providers maintain lists of IP addresses of known and suspect spam sources based on actual spam reports, proactive open relay scans, and other likely sources such as ISP customer IP ranges.
Using IP Allow/Block list providers with Exchange Server 2007
Exchange Server 2007 can be configured to query one or more of these lists when the Connection Filter agent is assessing an SMTP connection. In fact it is recommended to configure more than one provider to improve coverage and ensure that if a list provider is not responding to queries that another provider is checked.
Using IP Block list providers has some disadvantages. The IP address of a legitimate email server may be inadvertently added to an IP Block list even though it is not sending spam. From time to time the Exchange administrator may need to explicitly allow one of these IP addresses so that email communication is not disrupted, or contact a list provider to get their own IP address removed from an IP Block list.
Another disadvantage is that each new SMTP connection requires a query sent to the list provider. If the response is delayed for any reason it can slow down email traffic at the Transport server. To reduce the impact of this the Exchange server will cache the results of a query for a short period of time so that an IP can continue to be blocked on subsequent attempts without another query being sent to the list provider.
IP Block lists are far more commonly used than IP Allow lists, but IP Allow lists are useful to prevent highly trusted IP addresses from being blocked.
How to configure an IP Block list with Exchange Server 2007
The Exchange anti-spam components are installed by default on Edge Transport servers but must be manually installed on Hub Transport servers by the administrator using the "install-antiSpamAgents.ps1" script that is included with Exchange Server 2007.
The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console. Open the properties of IP Block List Providers and select the Providers tab.
Click Add to configure a new provider. Here we are configuring SpamHAUS as the IP Block list provider. Note that you should review the SpamHAUS usage guidelines to verify that your organisation qualifies for free use of this service.
You can configure as many IP Block list providers as you wish and they will be queried in the order that they are listed. You can also configure exceptions for email addresses within your organisation that you do not want to be filtered. For example you may choose not to filter email to your postmaster@ email address so that an organisation that is being blocked by your email servers can still report the problem to your Exchange administrator.
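The same steps (install the agents on a Hub Transport server, add providers in priority order, exempt the postmaster address) can be scripted in the Exchange Management Shell. This is an added example and not code from the original post. It assumes the default Exchange 2007 installation path for the script, uses the lookup domains the two providers named above publish for their lists, and uses contoso.com addresses as placeholders for your own domain.

```powershell
# Added example (not from the original post): installing the anti-spam agents on a
# Hub Transport server and configuring IP Block list providers from the Exchange
# Management Shell. The script path assumes the default Exchange 2007 install
# location; adjust it for your server. The contoso.com addresses are placeholders.

# 1. Hub Transport only: install the anti-spam agents, then restart the transport
#    service so the agents are loaded (Edge Transport servers already have them).
& "C:\Program Files\Microsoft\Exchange Server\Scripts\install-antiSpamAgents.ps1"
Restart-Service MSExchangeTransport

# 2. Add providers. Priority controls query order; the lowest number is checked first.
#    LookupDomain is the DNS zone the provider publishes for lookups. AnyMatch blocks
#    on any listing. RejectionResponse is the text the remote server sees in the SMTP
#    550 reply, so name the list that caused the block to help its admin investigate.
Add-IPBlockListProvider -Name "SpamHAUS" -LookupDomain "zen.spamhaus.org" -AnyMatch $true -Enabled $true -Priority 1 -RejectionResponse "Your IP address is listed by zen.spamhaus.org"
Add-IPBlockListProvider -Name "SORBS" -LookupDomain "dnsbl.sorbs.net" -AnyMatch $true -Enabled $true -Priority 2 -RejectionResponse "Your IP address is listed by dnsbl.sorbs.net"

# 3. Exempt recipients that must always be reachable, such as postmaster, so a
#    blocked organisation can still report the problem to you.
Set-IPBlockListProvidersConfig -BypassedRecipients "postmaster@contoso.com", "abuse@contoso.com"

# 4. Verify the configuration and that the provider actually answers queries.
#    127.0.0.2 is the conventional test address that DNS-based lists report as listed.
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Priority, Enabled, AnyMatch
Test-IPBlockListProvider -Identity "SpamHAUS" -IPAddress 127.0.0.2
Get-IPBlockListProvidersConfig | Format-List BypassedRecipients
```

Running Test-IPBlockListProvider after adding each provider is worth the few seconds: a mistyped lookup domain or a DNS problem on the Transport server silently turns the provider into a no-op, and without the check you would only notice from the spam that gets through.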
Using IP Block list providers with internal Exchange servers
IP address filtering is most commonly applied at the internet-facing Exchange servers, but in some cases your Exchange servers may have another email server that receives internet email first. The Exchange server must parse the email message headers to determine which IP address is the original source of the email message when performing IP Block list provider queries.
To ensure that the Exchange server can do this you must specify the IP addresses of any email servers within your organisation that would receive internet email before it reaches the Exchange servers. This is configured in the Global Settings for your Exchange organisation.
Open the properties of the Transport Settings and select the Message Delivery tab. Select Add and enter the IP address or IP range of the email servers.
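The same Global Settings change can be made from the Exchange Management Shell. The example below is added here and is not code from the original post; the 10.0.0.x addresses are constructed placeholders for the internal servers that receive internet email ahead of Exchange. It reads the existing list first because the parameter replaces the whole list rather than appending to it.

```powershell
# Added example (not from the original post): registering the internal mail servers
# that receive internet email before Exchange, so the Connection Filter agent skips
# them when reading the Received headers and queries the original source IP instead.
# The addresses are constructed placeholders.

# Set-TransportConfig -InternalSMTPServers replaces the whole list, so read the
# current value and append to it rather than overwriting what is already there.
$config = Get-TransportConfig
$newServers = @("10.0.0.5", "10.0.0.6")   # or ranges such as "10.0.1.0/24"

# Convert existing entries to strings so duplicates are recognised before setting
$servers = @($config.InternalSMTPServers | ForEach-Object { $_.ToString() }) + $newServers | Select-Object -Unique
Set-TransportConfig -InternalSMTPServers $servers

# Confirm the result
(Get-TransportConfig).InternalSMTPServers
```

If a server that sits in front of Exchange is missing from this list, the provider query is made against that server's own address rather than the internet sender's, so every message it relays is either wrongly accepted or, if the server's address is ever listed, wrongly rejected.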
Is the Exchange Connection Filter agent enough protection?
The Exchange Connection Filter agent does an acceptable job of blocking spam based on the sender’s IP address but it is by no means a complete anti-spam solution. Connection filtering is best used in combination with other forms of spam protection such as content filtering. An effective way to improve Exchange anti-spam protection is to combine inbuilt features of Exchange such as the Connection Filter agent with comprehensive third party email security products that include a greater degree of configurability and more advanced features such as detailed reporting.
Connection Filtering saves time and resources
A correctly configured Connection Filter agent saves the Exchange administrator a lot of time by avoiding the need to manually maintain a large list of blocked and allowed IP addresses. The Connection Filter agent also reduces server load by rejecting likely spam before it has been transmitted to the Exchange server and without requiring resource-intensive content scanning of the email message. It is recommended that you always configure the Connection Filter agent on your internet-facing Exchange Transport servers, and consider enhancing your anti-spam protection with third party email security products.