Troubleshooting Exchange’s Built-In Anti-Spam Technologies: Pt. 4 Recipient Filtering

Written by Casper Manes on August 20, 2012

Microsoft Exchange 2010’s Recipient Filtering agent is one of the built-in anti-spam agents designed to reduce the spam that reaches users’ mailboxes. It works by examining the SMTP envelope of an incoming message, specifically the addresses presented in the RCPT TO command (not the message headers, which arrive later and are not consulted by this agent). The Recipient Filtering agent will block messages sent to:

  • Nonexistent recipients
  • Restricted Distribution Lists
  • Internal-only mailboxes

When an Edge Transport server receives an email message from the Internet, the Recipient Filtering agent consults two sources of recipient information to decide whether a message should be blocked. The first is the recipient block list, a list of addresses maintained by the administrator that should never receive messages from the Internet. The second is recipient validation: the agent can query the copy of Active Directory recipient information that the EdgeSync service replicates to AD LDS on the Edge Transport server to determine whether a recipient exists at all.

Note: Recipient Filtering runs on Edge Transport servers by default, but it is also available on Hub Transport servers once you enable the anti-spam agents there with the Install-AntispamAgents.ps1 script included with Exchange (in the Scripts folder of the installation directory); the Microsoft Exchange Transport service must be restarted afterwards for the agents to load.

When an Edge Transport server receives a message that Recipient Filtering indicates should not be accepted, it responds with 550 5.1.1 User unknown during the SMTP session. The response is the same whether the recipient is on the recipient block list, is restricted, or simply does not exist, so an external sender cannot tell the three cases apart. This limits the information that can be gathered by a directory harvest attack, in which a sender tries many RCPT TO addresses and uses differences in the responses to learn which ones are real.

Exchange 2010 Edge Transport servers can also tarpit connections that issue multiple RCPT TO commands to probe for valid recipients: the server delays its response to each rejected recipient, which makes a harvest run far slower than the attacker would like. You can use the Set-ReceiveConnector cmdlet with the TarpitInterval parameter to configure the delay; the default is five seconds, and a value of 00:00:00 disables tarpitting on that connector.
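As an added example, not code from the original article: the following Exchange Management Shell snippet reports the tarpit interval on every Receive connector of a transport server and previews restoring the default delay on any connector where it has been set to zero. It assumes you run it in the EMS on the Edge or Hub Transport server in question; the -WhatIf switch is there so the change is previewed rather than applied.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell on the
# Edge or Hub Transport server whose Receive connectors you want to inspect.

function Get-TarpitReport {
    param([string]$Server = $env:COMPUTERNAME)

    Get-ReceiveConnector -Server $Server | ForEach-Object {
        # EnhancedTimeSpan renders as hh:mm:ss, so compare the string form
        $interval = "$($_.TarpitInterval)"
        New-Object PSObject -Property @{
            Identity       = $_.Identity
            Bindings       = ($_.Bindings -join ', ')
            RemoteIPRanges = ($_.RemoteIPRanges -join ', ')
            TarpitInterval = $interval
            # 00:00:00 switches tarpitting off: a harvester gets instant answers to every RCPT TO
            TarpitDisabled = ($interval -eq '00:00:00')
        }
    }
}

# Current state of every connector on this server
Get-TarpitReport | Format-Table Identity, Bindings, TarpitInterval, TarpitDisabled -AutoSize

# Preview restoring the Exchange 2010 default of five seconds on any connector where it is off.
# Drop -WhatIf to apply. Internet-facing connectors are the ones that matter for directory
# harvesting, but a zeroed interval on an internal connector is worth knowing about too.
Get-TarpitReport | Where-Object { $_.TarpitDisabled } | ForEach-Object {
    Set-ReceiveConnector -Identity $_.Identity -TarpitInterval '00:00:05' -WhatIf
}
```

The report keeps the connector Identity (Server\Name) rather than just the name, so the Set-ReceiveConnector call is unambiguous on a server that has several connectors.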

Remember that when Recipient Filtering rejects a message, the response is the same 550 5.1.1 that a sender receives for a nonexistent user. When you need to troubleshoot Recipient Filtering rejecting email that should be accepted, the first step is to confirm that the recipient address is actually valid. Use Active Directory Users and Computers or the Exchange Management Console to search for a user or group object that carries the address in question, checking both the primary email address and the proxyAddresses attribute. Note that proxyAddresses entries are prefixed with the address type (SMTP: for the primary address, smtp: for aliases), so search on the address portion rather than the whole value.

If a user or distribution list does carry the target address but mail to it is still rejected, next verify that the address is not on the Recipient Filtering block list. You can check in the Exchange Management Console, or read the list from the Exchange Management Shell. In the EMC, browse to Edge Transport, Anti-spam, and open the properties of the Recipient Filtering agent; the Blocked Recipients tab lists every address configured to block email from the outside.

If Recipient Filtering is not blocking messages for nonexistent recipients (for example, because they are being routed to a catch-all mailbox), recipient validation may not be enabled. Remember that you can either reject mail for nonexistent users with recipient validation, or accept everything into a catch-all mailbox, but not both. Check the status from the Exchange Management Shell with

Get-RecipientFilterConfig | Format-List Enabled,RecipientValidationEnabled

and, if validation is off, enable it with

Set-RecipientFilterConfig -RecipientValidationEnabled $true
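The three checks above (does a recipient carry the address, is the address on the block list, and is recipient validation switched on) can be run together from the Exchange Management Shell. This is an added example, not the article’s own code. It assumes the anti-spam agents are running on a Hub Transport server, where Get-Recipient and Get-RecipientFilterConfig are both available; on an Edge Transport server only the latter works, and the directory the agent consults is the AD LDS copy that EdgeSync populates, so a newly created address is not known there until EdgeSync has run. The address jdoe@contoso.com is a placeholder.

```powershell
# Added example, not from the original article. Assumes a Hub Transport server with the
# anti-spam agents enabled, so both recipient lookup and agent configuration are reachable.

function Test-RecipientFilterAddress {
    param([Parameter(Mandatory=$true)][string]$Address)

    $config = Get-RecipientFilterConfig

    # Check 1: does any mail-enabled object carry this address? The server-side filter matches
    # the address portion of every proxyAddresses entry regardless of the SMTP:/smtp: prefix case.
    $recipient = Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -eq 'smtp:$Address'"

    # Check 2: is the address on the Recipient Filtering block list? Compare case-insensitively;
    # the list is stored as SmtpAddress values while senders use whatever case they like.
    $onBlockList = [bool]($config.BlockedRecipients | Where-Object { "$_" -ieq $Address })

    # Check 3: agent state. RecipientValidationEnabled is what rejects unknown addresses;
    # BlockListEnabled is what makes the BlockedRecipients list take effect at all.
    $verdict =
        if (-not $config.Enabled) {
            'Recipient Filtering agent is disabled; the 550 5.1.1 is coming from somewhere else'
        } elseif ($onBlockList -and $config.BlockListEnabled) {
            'Rejected by the block list: remove the address with Set-RecipientFilterConfig -BlockedRecipients @{Remove=...}'
        } elseif (-not $recipient -and $config.RecipientValidationEnabled) {
            'Rejected by recipient validation: no recipient carries this address (on Edge, confirm EdgeSync has run)'
        } elseif (-not $recipient) {
            'No recipient carries this address and validation is off: the message is accepted and later NDRed, or lands in a catch-all'
        } else {
            'Recipient Filtering should accept this address; look at the other anti-spam agents or transport rules'
        }

    New-Object PSObject -Property @{
        Address                    = $Address
        Recipient                  = (@($recipient) | ForEach-Object { "$($_.Name) [$($_.RecipientType)]" }) -join '; '
        AgentEnabled               = $config.Enabled
        RecipientValidationEnabled = $config.RecipientValidationEnabled
        BlockListEnabled           = $config.BlockListEnabled
        OnBlockList                = $onBlockList
        BlockListEntries           = @($config.BlockedRecipients).Count   # the list holds at most 800
        Verdict                    = $verdict
    }
}

# Usage (placeholder address):
Test-RecipientFilterAddress -Address 'jdoe@contoso.com' | Format-List
```

The Verdict string is ordered the way the agent evaluates: an agent that is disabled explains nothing, a block list hit takes precedence over validation, and only then does the existence of the recipient matter.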

If email is being delivered to a user who should not receive email from the outside, consider the following.

  1. Recipient Filtering does not take distribution list membership into account. Mail sent to a distribution list that the user belongs to is delivered to the user, even if the user’s own address is on the block list.
  2. The recipient block list holds a maximum of 800 entries. Once it is full, attempts to add further addresses fail.
  3. If a user has a primary SMTP address and one or more alias (smtp) addresses in the proxyAddresses attribute, and a message is sent to an alias that is not on the block list, it is delivered to the user’s mailbox. Blocking only the primary address is not enough.
  4. If the user is configured as the alternate recipient of another mailbox, or another mailbox has a forwarding rule pointing at the user, messages from the outside are again delivered to the user even though the user’s address is on the block list, because the address that appeared in RCPT TO was the other mailbox’s.

Troubleshooting Recipient Filtering therefore comes down to one of two questions: why messages are not being delivered to someone who should receive them, or why messages are being delivered to someone who should not. With aliases, distribution list membership, and forwarding there are many paths a message can take. If you do not want a user to receive outside mail, putting every one of that user’s SMTP addresses on the block list is the most reliable way to keep it out; distribution list and forwarding paths still have to be reviewed separately, because the block list never sees them.
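Putting items 1 to 4 together: the following added example (not the article’s own code) enumerates, for one mailbox, every path by which outside mail could still arrive, and then adds any SMTP address that is missing from the block list, refusing to exceed the 800-entry limit. It assumes a Hub Transport server with the anti-spam agents enabled, joined to the domain so the user’s memberOf attribute can be read through ADSI; the mailbox jdoe is a placeholder. Distribution list and forwarding paths are reported rather than closed, since the block list cannot address them, and Inbox rules that forward mail (visible with Get-InboxRule) are outside what this script inspects.

```powershell
# Added example, not from the original article. Assumes a domain-joined Hub Transport server
# with the anti-spam agents enabled; 'jdoe' below is a placeholder mailbox.

function Get-OutsideMailPaths {
    param([Parameter(Mandatory=$true)][string]$Identity)

    $mbx     = Get-Mailbox -Identity $Identity
    $config  = Get-RecipientFilterConfig
    $blocked = @($config.BlockedRecipients | ForEach-Object { "$_".ToLowerInvariant() })

    # Every SMTP address on the object: "SMTP:" is the primary, "smtp:" entries are aliases.
    # An alias that is not on the list is an open door, whatever is done about the primary.
    $smtp    = @($mbx.EmailAddresses |
        Where-Object { $_.PrefixString -ieq 'smtp' } |
        ForEach-Object { $_.AddressString.ToLowerInvariant() })
    $missing = @($smtp | Where-Object { $blocked -notcontains $_ })

    # Other mailboxes whose ForwardingAddress (the "alternate recipient" in ADUC) points here.
    # Mail to them passes Recipient Filtering under *their* address and is forwarded afterwards.
    $forwardedFrom = @(Get-Mailbox -ResultSize Unlimited `
        -Filter "ForwardingAddress -eq '$($mbx.DistinguishedName)'" |
        ForEach-Object { $_.PrimarySmtpAddress.ToString() })

    # Distribution lists the user belongs to, read from the AD memberOf attribute through ADSI
    # (assumption: this runs on a domain-joined server with read access to the user object).
    $groups = @(([ADSI]"LDAP://$($mbx.DistinguishedName)").memberOf | ForEach-Object { "$_" })

    New-Object PSObject -Property @{
        Mailbox          = $mbx.PrimarySmtpAddress.ToString()
        SmtpAddresses    = $smtp
        NotOnBlockList   = $missing
        ForwardedFrom    = $forwardedFrom
        MemberOfGroups   = $groups
        BlockListEntries = $blocked.Count
    }
}

function Add-AddressesToBlockList {
    param([Parameter(Mandatory=$true)][string]$Identity)

    $paths = Get-OutsideMailPaths -Identity $Identity
    if ($paths.NotOnBlockList.Count -eq 0) { return $paths }

    # The list holds at most 800 entries and additions past that fail, so check before writing.
    if ($paths.BlockListEntries + $paths.NotOnBlockList.Count -gt 800) {
        throw "Adding $($paths.NotOnBlockList.Count) addresses would exceed the 800-entry block list limit"
    }
    Set-RecipientFilterConfig -BlockedRecipients @{ Add = $paths.NotOnBlockList }

    # Re-read so the caller sees the list as the agent now has it
    Get-OutsideMailPaths -Identity $Identity
}

# Usage (placeholder mailbox): see which paths remain open, then close the address-level ones
Get-OutsideMailPaths -Identity 'jdoe' | Format-List
Add-AddressesToBlockList -Identity 'jdoe' | Format-List
```

After the second call, NotOnBlockList should be empty; anything left in ForwardedFrom or MemberOfGroups is a path that item 1 or item 4 above describes and that the block list cannot close on its own.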

Comments

Bernard Frommer August 28, 2012

Thank you, thank you, thank you for this tutorial! I was having a hard time for the past couple of days troubleshooting my MS Exchange 2010. I was supposed to receive e-mails from my client abroad, but for some reason, his e-mails get filtered out. He was calling me incessantly, and if it weren’t for this tutorial, I could have been out of work now. Yes, this is pretty complex, and it’s such a time-consuming process to un-filter an e-mail address. But it’s a small price to pay compared to being bombarded by loads of e-mails you don’t even want to have in the first place.

Samantha Chavez August 31, 2012

Hmm.. this is more complicated than I thought it would be. I’m not too geeky, so I don’t think I’ll be able to understand this one. But I do appreciate this since this can be helpful to a friend of mine who’s managing Microsoft Exchange. As for me, I love Gmail’s security feature. It’s easy to use and yes it also filters out hardly read emails from the same source, saving you a lot of time and effort. Maybe Microsoft can learn a thing or two about simplicity from Google. I heard Microsoft is the biggest spammer in the world. Ouch!
