Using IP Block List Providers and the Connection Filter agent in Exchange 2007

Written by Paul Cunningham on December 12, 2008

Exchange Server 2007 includes integrated anti-spam features that run on Edge Transport servers and can optionally be enabled on Hub Transport servers.  In this blog post I will discuss the Connection Filter agent and how IP block list providers can be used to protect Exchange servers from spam.

Connection Filtering

What is the Connection Filter agent?

The Connection Filter agent is a Transport server feature that performs filtering actions based on the IP address of the remote server that is making a connection to the Exchange server.  The Connection Filter agent checks whether the remote IP address is on an IP Allow list, an IP Block list, or on neither and takes action based on the result.

When the Connection Filter agent is enabled it is the first anti-spam agent that assesses any incoming SMTP communication.

Connection Filtering Agent

This preserves system resources on the Transport server by avoiding the need to accept the entirety of the email message data and perform more thorough content scanning of the message for spam.  The Transport server simply assumes that an email coming from an IP address on an IP Block list is almost certainly going to be spam and terminates the SMTP session before the DATA command is issued.

What is an IP Allow/Block list?

An IP Allow/Block list can be made up of an administrator-defined list of IP addresses or it can come from a third party provider.

Administrator-defined lists typically are used when an Exchange administrator needs to explicitly allow or block a specific IP address, and are assessed first before any third party IP Allow/Block lists.  For example, if a customer’s network has been blacklisted for some reason you can override that by adding their IP address to your IP Allow list.  Similarly if you are receiving spam from an IP address that has not yet been blacklisted you can add the IP address to your IP Block list.

Third party list providers such as SORBS and SpamHAUS provide a service that you can use to look up an IP address and determine whether it is on one of the IP Allow or IP Block lists.  These providers maintain lists of IP addresses of known and suspect spam sources based on actual spam reports, proactive open relay scans, and other likely sources such as ISP customer IP ranges.

Using IP Allow/Block list providers with Exchange Server 2007

Exchange Server 2007 can be configured to query one or more of these lists when the Connection Filter agent is assessing an SMTP connection.  In fact it is recommended to configure more than one provider, both to improve coverage and to ensure that another provider is still checked if one list provider is not responding to queries.

Using IP Block list providers has some disadvantages.  The IP address of a legitimate email server may be inadvertently added to an IP Block list even though it is not sending spam.  From time to time the Exchange administrator may need to explicitly allow one of these IP addresses so that email communication is not disrupted, or contact a list provider to get their own IP address removed from an IP Block list.

Another disadvantage is that each new SMTP connection requires a query sent to the list provider.  If the response is delayed for any reason it can slow down email traffic at the Transport server.  To reduce the impact of this the Exchange server will cache the results of a query for a short period of time so that an IP can continue to be blocked on subsequent attempts without another query being sent to the list provider.

IP Block lists are far more commonly used than IP Allow lists, but IP Allow lists are useful to prevent highly trusted IP addresses from being blocked.

How to configure an IP Block list with Exchange Server 2007

The Exchange anti-spam components are installed by default on Edge Transport servers but must be manually installed on Hub Transport servers by the administrator using the "install-antiSpamAgents.ps1" script that is included with Exchange Server 2007.

Install anti-spam agents script

The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console.  Open the properties of IP Block List Providers and select the Providers tab.

IP Block List Providers

Click Add to configure a new provider.  Here we are configuring SpamHAUS as the IP Block list provider.  Note that you should review the SpamHAUS usage guidelines to verify that your organisation qualifies for free use of this service.

IP Block List Provider Properties

Add IP Block List Provider

You can configure as many IP Block list providers as you wish and they will be queried in the order that they are listed.  You can also configure exceptions for email addresses within your organisation that you do not want to be filtered.  For example you may choose not to filter email to your postmaster@ email address so that an organisation that is being blocked by your email servers can still report the problem to your Exchange administrator.

Using IP Block list providers with internal Exchange servers

IP address filtering is most commonly applied at the internet-facing Exchange servers, but in some cases your Exchange servers may have another email server that receives internet email first.  The Exchange server must parse the email message headers to determine which IP address is the original source of the email message when performing IP Block list provider queries.

To ensure that the Exchange server can do this you must specify the IP addresses of any email servers within your organisation that would receive internet email before it reaches the Exchange servers.  This is configured in the Global Settings for your Exchange organisation.

Open the properties of the Transport Settings and select the Message Delivery tab.  Select Add and enter the IP address or IP range of the email servers.

Transport Settings Properties
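The console steps above (adding block list providers, exempting the postmaster address, and declaring internal email servers) can also be done from the Exchange Management Shell. The following is an added example, not code from the original post: the provider names, the example.com address and the relay address 10.0.0.5 are assumed, and Test-IPBlockListProvider is assumed to be available at your service pack level.

```powershell
# Added example: Exchange Management Shell equivalent of the console steps in
# this post. Provider names, the example.com address and the relay IP are
# assumed values for illustration.

# 1. Add Spamhaus ZEN as the first IP Block list provider. AnyMatch treats any
#    answer from the lookup zone as a listing. If the provider documents its
#    return codes, -IPAddressesMatch (instead of -AnyMatch) limits a "hit" to
#    those codes so an unexpected answer cannot block all inbound mail.
Add-IPBlockListProvider -Name "Spamhaus ZEN" `
    -LookupDomain "zen.spamhaus.org" `
    -AnyMatch $true -Enabled $true -Priority 1 `
    -RejectionResponse "Connection rejected: your IP address is listed by zen.spamhaus.org"

# 2. A second provider gives coverage when the first is unreachable; providers
#    are queried in Priority order, so this one is consulted after ZEN.
Add-IPBlockListProvider -Name "SORBS" `
    -LookupDomain "dnsbl.sorbs.net" `
    -AnyMatch $true -Enabled $true -Priority 2

# 3. Exempt the postmaster mailbox so that a blocked sender can still report
#    the problem (the "exceptions" setting on the providers dialog).
Set-IPBlockListProvidersConfig -BypassedRecipients "postmaster@example.com"

# 4. Declare any internal relay that receives internet mail before Exchange.
#    The agent then skips that hop in the Received: headers and looks up the
#    real originating IP (Transport Settings > Message Delivery in the console).
Set-TransportConfig -InternalSMTPServers "10.0.0.5"   # assumed relay address

# 5. Verify the configuration and the lookup path. 127.0.0.2 is the
#    conventional "always listed" test address published by DNSBL operators,
#    so a listing here shows the provider is resolving and the agent is using
#    it. Repeat with a trusted partner's public IP to confirm it is NOT listed
#    before relying on the provider, rather than discovering it from bounces.
Get-IPBlockListProvidersConfig | Format-List Enabled, BypassedRecipients
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Priority, Enabled, AnyMatch
Test-IPBlockListProvider -Identity "Spamhaus ZEN" -IPAddress 127.0.0.2
```

Set-IPBlockListProvidersConfig -BypassedRecipients and Set-TransportConfig -InternalSMTPServers replace the existing value rather than appending to it, so include any addresses already configured.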

Is the Exchange Connection Filter agent enough protection?

The Exchange Connection Filter agent does an acceptable job of blocking spam based on the sender’s IP address but it is by no means a complete anti-spam solution.  Connection filtering is best used in combination with other forms of spam protection such as content filtering.  An effective way to improve Exchange anti-spam protection is to combine inbuilt features of Exchange such as the Connection Filter agent with comprehensive third party email security products that include a greater degree of configurability and more advanced features such as detailed reporting.

Connection Filtering saves time and resources

A correctly configured Connection Filter agent saves the Exchange administrator a lot of time by avoiding the need to manually maintain a large list of blocked and allowed IP addresses.  The Connection Filter agent also reduces server load by rejecting likely spam before it has been transmitted to the Exchange server and without requiring resource-intensive content scanning of the email message.  It is recommended that you always configure the Connection Filter agent on your internet-facing Exchange Transport servers, and consider enhancing your anti-spam protection with third party email security products.

Comments

Mario October 26, 2010

Hello Paul,

We’ve been looking to implement spam blocking for quite a while now and have been looking into using Spamhaus as RBL provider.
What is unclear to me is how to check where we currently are with the number of SMTP connections and the DNSBL queries. Is there a way I can check this from our Exchange 2007 platform?

Thanks,
Mario

Ed Fisher October 26, 2010

Hi Mario,

There are a couple of ways you can determine how many SMTP connections your server is currently working with. The queue viewer is a graphical tool in the Exchange Management Console. Go to the toolbox, and you will see the queue viewer. Since you are probably more interested in the raw number of sessions (as opposed to the other side) you can also use Perfmon to view this. Look for the counters for “MSExchangeTransport SmtpReceive” and “MSExchangeTransport SmtpSend.”

If you want to see how many DNS queries your server is running at any point in time, you can only use Perfmon counters if the DNS server service is installed on the machine. You probably don’t have that service installed on your Exchange server, and your DNS server is probably already processing a ton of queries for other clients, so I would take a network trace on UDP 53 and just gather statistics that way. If your server processes both inbound and outbound mail, you will need to do some guesstimating to eliminate the DNS queries generated from sending mail, but I already mentioned that counter above. Just remember that your Exchange server’s resolver cache will hold on to records resolved for the duration of the TTL, so round down to the nearest random number unless you clear your resolver cache frequently during the monitoring, or reduce the maximum TTL for caching to 1.

· Start Registry Editor (Regedit.exe).
· Locate the MaxCacheEntryTtlLimit value under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
· On the Edit menu, click Modify. Type 1, and then click OK.
· Quit Registry Editor.

I don’t recommend doing that, and since most systems I have dealt with send multiple emails to the same destination domain, I usually just guesstimate it based on 10% of the outbound. Since enabling DNS RBL is going to surge your DNS queries, you can probably just look at the number of inbound messages and figure that this will equal the number of new DNS queries generated.
It’s more art than science here, so that is ‘good enough’ for me.

Hope this helps,
Ed

Scott December 8, 2010

Thank you for posting this article. I was fairly confident where to add my blocklist provider but I was not entirely sure until I came across this article. Thank you again.

Bob Herman May 29, 2013

Hi Paul:

I already have zen.spamhaus.org configured as an IP Block List Provider in my Exchange server. But how do I configure Exchange to use the dbl.spamhaus.org that expects domains, not IPs? If I enter dbl.spamhaus.org as an IP Block List Provider, will Exchange properly send the domain, not the IP, for the query?

Thank you!

Dean Collins July 10, 2013

hmmm, zen.spamhaus.org is no longer resolving… oops, yes I set it up last night and didn’t bother to check so bounced all my emails for 7 hours.
