Troubleshooting Exchange’s Built-In Anti-Spam Technologies: Pt. 2 The IP Block List

Written by Casper Manes on August 6, 2012

In our last post on AllSpammedUp, we looked at troubleshooting Exchange 2010’s IP Allow List, a part of the anti-spam technologies built into Exchange 2010. In today’s post, let’s look at the IP Block List. The IP Block List lets you maintain a list of IP addresses (single hosts, start-to-end ranges, or CIDR blocks) from which you want your Edge Transport server to refuse mail. These could be known spammers, source addresses that have been hammering your gateway with junk or directory harvest attacks, or other systems you simply don’t want to worry about, like residential ranges.

The IP Block List is where admins manually add network addresses they want to block. It works alongside IP Block List Providers, who maintain much broader lists of known spammers; we’ll look at those in a future post. In this post we’re looking only at the lists we maintain on our own. One thing to keep in mind while troubleshooting: the IP Allow List takes precedence, so an address that appears on both lists is still accepted.

Exchange Management Shell

You can manage the IP Block List through the Exchange Management Console or the Exchange Management Shell. The cmdlets below run against the Connection Filtering agent, which is present on an Edge Transport server by default and on a Hub Transport server only after the anti-spam agents have been installed. Let’s look at the commands admins use to manage IP Block List entries.

Add-IPBlockListEntry

Use the Add-IPBlockListEntry cmdlet to add an IP address or IP address range to the IP Block list configuration information for the Connection Filter agent on a computer that has the Hub Transport server role or Edge Transport server role installed.

Add-IPBlockListEntry -IPRange <IPRange> [-Comment <String>] [-Confirm [<SwitchParameter>]] [-ExpirationTime <DateTime>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they’re not included in the permissions assigned to you.

Remove-IPBlockListEntry

Use the Remove-IPBlockListEntry cmdlet to remove an IP address from the configuration information for the Connection Filter agent on the computer on which the cmdlet is run.

Remove-IPBlockListEntry -Identity <IPListEntryIdentity> [-Confirm [<SwitchParameter>]] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]

You must specify the Identity parameter for an IP Block list entry when using the Remove-IPBlockListEntry command. The Identity parameter is an integer value automatically assigned when the IP Block list entry is first created. To remove a specific IP address or IP address range from the IP Block list, you can use the output of the Get-IPBlockListEntry command.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they’re not included in the permissions assigned to you.

Get-IPBlockListEntry

Use the Get-IPBlockListEntry cmdlet to obtain information about the IP address configuration for the Connection Filter agent for the computer on which the command is run.

Get-IPBlockListEntry [-Identity <IPListEntryIdentity>] [-ResultSize <Unlimited>] [-Server <ServerIdParameter>]

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they’re not included in the permissions assigned to you.
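The three cmdlets above used together, as an added example that is not part of the original post. It is meant to be run in the Exchange Management Shell on a server with the Connection Filtering agent; the addresses, comments and expiration period are constructed for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# All addresses below come from the documentation ranges (RFC 5737) and are constructed.

# -IPRange accepts a single host, a CIDR block, or a dotted start-end range.
# -Comment records why the entry exists; -ExpirationTime lets a temporary block
# (say, a host doing directory harvesting) drop off the list automatically.
Add-IPBlockListEntry -IPRange 203.0.113.25 -Comment "Directory harvest attempts, ticket 4711" -ExpirationTime (Get-Date).AddDays(14)
Add-IPBlockListEntry -IPRange 198.51.100.0/24 -Comment "Spam source, owner confirmed with whois"
Add-IPBlockListEntry -IPRange 192.0.2.10-192.0.2.20 -Comment "Residential range"

# Review what is on the list. Identity is the integer you need for Remove-IPBlockListEntry.
Get-IPBlockListEntry | Format-Table Identity, IPRange, Comment, ExpirationTime -AutoSize

# Remove an entry by its range instead of guessing the Identity number by hand.
$entry = Get-IPBlockListEntry | Where-Object { "$($_.IPRange)" -eq "198.51.100.0/24" }
if ($entry) {
    Remove-IPBlockListEntry -Identity $entry.Identity -Confirm:$false
}
```

If the block list is long, pipe Get-IPBlockListEntry through Where-Object on the Comment property as well; a consistent comment convention (ticket number, reason, who added it) is what makes the list auditable later.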

DNS Troubleshooting

Usually troubleshooting the IP Block List comes down to either typos in the entries or ranges that were added but shouldn’t really be blocked. Use the above commands to list the entries in your block list, then use the following two tools to look up the ranges and confirm whether or not they belong there.

Whois

The whois command queries Whois servers for either domain names or IP ranges. To use whois to determine who owns a particular IP address, enter the command like this.

whois -H 155.16.54.210 [enter]

You can download a Windows port of whois from this website http://members.shaw.ca/nicholas.fong/dig/ .

Dig

Dig can be used to query DNS servers for MX records and TXT records (such as SPF records), among other things. It is in the same download as whois above. To query for a company’s SPF record, enter the command like this.

dig @8.8.8.8 -t TXT allspammedup.com [enter]

To query for the MX records, try this.

dig @8.8.8.8 -t MX allspammedup.com [enter]

From there, resolve the MX hosts to addresses and compare them with your block list entries; that shows you whether a range you have blocked actually belongs to a sender you would prefer to permit.

Troubleshooting IP Blocklists is usually a matter of making sure you don’t inadvertently block sources you want to allow. Knowing the ranges of your business partners, and checking a range twice before blocking it, are the best ways to avoid accidentally blocking a critical business partner.
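The cross-check described above as an added example, not code from the original post: given the addresses a partner’s MX hosts resolve to (found with dig, as shown earlier) and the ranges on the block list, it reports which entries would catch them. The partner host names, addresses and block list entries are constructed; the functions are hypothetical helpers written for this post. IPv4 only, and it avoids PowerShell 3.0 operators so it runs in the Exchange 2010 shell.

```powershell
# Added example (not from the original post). Checks whether addresses you want to keep
# reachable fall inside any IP Block List entry. Range syntax matches -IPRange:
# a single host, CIDR (a.b.c.d/nn) or dotted start-end (a.b.c.d-w.x.y.z). IPv4 only.

function ConvertTo-UInt32 ([string]$Address) {
    # IPv4 address -> unsigned 32-bit integer, so ranges can be compared numerically.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInRange ([string]$Address, [string]$Range) {
    $ip = ConvertTo-UInt32 $Address
    if ($Range -match '^(?<net>[\d.]+)/(?<bits>\d+)$') {
        # Build the netmask without -shl (not available in PowerShell 2.0).
        $hostBits = 32 - [int]$Matches['bits']
        $mask = [uint32]([uint64]0xFFFFFFFF - ([uint64][math]::Pow(2, $hostBits) - 1))
        return ((ConvertTo-UInt32 $Matches['net']) -band $mask) -eq ($ip -band $mask)
    }
    if ($Range -match '^(?<start>[\d.]+)-(?<end>[\d.]+)$') {
        return ($ip -ge (ConvertTo-UInt32 $Matches['start'])) -and ($ip -le (ConvertTo-UInt32 $Matches['end']))
    }
    return $ip -eq (ConvertTo-UInt32 $Range)
}

# Constructed sample data. In production, feed the live list instead:
#   $blockList = Get-IPBlockListEntry | ForEach-Object { "$($_.IPRange)" }
$partnerMX = @{ 'mail1.partner.example' = '198.51.100.17'
                'mail2.partner.example' = '203.0.113.200' }
$blockList = @('198.51.100.0/24', '192.0.2.10-192.0.2.20', '203.0.113.25')

foreach ($mxHost in $partnerMX.Keys) {
    foreach ($range in $blockList) {
        if (Test-IPInRange $partnerMX[$mxHost] $range) {
            Write-Warning "$mxHost ($($partnerMX[$mxHost])) is covered by block list entry $range"
        }
    }
}
```

With the sample data, mail1.partner.example is flagged because 198.51.100.17 sits inside 198.51.100.0/24, while mail2.partner.example is not flagged because 203.0.113.200 is not the single blocked host 203.0.113.25. Run the same check with a candidate range in $blockList before you add it, which is the “check a range twice” step in practice.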
