Troubleshooting Exchange’s Built-In Anti-Spam Technologies: Pt. 4 Recipient Filtering
Written by Casper Manes on August 20, 2012
Microsoft Exchange 2010’s Recipient Filtering agent is one of the anti-spam agents designed to help reduce the spam reaching users’ mailboxes. Recipient filtering works by examining the SMTP header of incoming messages and looking at the RCPT TO property in the header. The Recipient Filtering agent will block messages sent to:
- Nonexistent recipients
- Restricted Distribution Lists
- Internal-only mailboxes
When an Edge Transport server receives an email message from the Internet, the Recipient Filtering agent consults two potential sources of recipient information to determine if a message should be blocked. The recipient block list is a list of recipients created by the administrator that should not receive any messages from the Internet. The Recipient Filtering agent can also query Active Directory information (information copied by the EdgeSync service to AD LDS on the Edge Transport server) to determine whether or not a recipient exists.
Note: Recipient Filtering runs on Edge Transport servers, but it is also available on Hub Transport servers when you enable anti-spam agents on a Hub Transport server using the Install-AntispamAgents.ps1 script included with Exchange.
When an Edge Transport server receives a message that Recipient Filtering indicates should not be accepted, it will respond with a 550 5.1.1 User Unknown message. This message is the same whether the recipient is on the recipient block list, is restricted, or simply does not exist. This helps reduce the amount of information external users can obtain when attempting to perform directory harvest attacks.
Exchange 2010 Edge Transport servers can also tarpit connections that attempt to use multiple RCPT TO requests to probe for valid recipients. You can use the Set-ReceiveConnector command to configure tarpitting and the tarpit interval.
Remember that when an email is rejected by Recipient Filtering, the response will be the same as when a user does not exist, 550 5.1.1. When you need to troubleshoot recipient filtering rejecting email that should not be rejected, the first step is to determine whether or not a recipient email address is valid. Use Active Directory Users and Computers or the Exchange Management Console to search for a user or group object that has the email address in question. Check the primary email address, or the proxyAddresses attribute to confirm that an SMTP address exists.
If a user or distribution list has the target email address, but mail to that address is still being rejected, next verify that the object is not on the Recipient Filtering Block List. You can use the Exchange Management Console to check, or parse the list in the Exchange Management Shell. In the EMC, browse to Edge Transport, Anti-spam, and view the properties of the Recipient Filtering agent. The Blocked Recipients tab will show the list of any users configured to block email from the outside.
If Recipient Filtering is not blocking messages for non-existent recipients (and is instead routing email to a catch-all mailbox), it may not be enabled. Remember that you can either perform Recipient Filtering for non-existent users or have a catch-all mailbox, but not both. To check the status, use the Exchange Management Shell command
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled
and if you need to enable it, use the EMS command
Set-RecipientFilterConfig -RecipientValidationEnabled $true
If email is being delivered to a user who should not receive email from the outside, consider the following.
- Email to distribution lists that a recipient belongs to will be delivered to the recipient. Recipient filtering does not take D/L memberships into account.
- Recipient filtering block lists have a maximum of 800 entries. If you have more than that, new additions to that list will fail.
- If a user has a primary SMTP address and one or more alias (smtp) addresses listed in the proxyAddresses attribute, and a message is sent to an alias that is not on the Block List, it will be delivered to the user’s mailbox.
- If a user is an alternate recipient, or there is a forwarding rule from another mailbox, again, messages from the outside will be delivered to the recipient even if they are on the Blocked Recipient list.
Troubleshooting Recipient Filtering means working out either why messages aren’t being delivered to someone who should receive them, or why messages are being delivered to someone who shouldn’t. With aliases, D/L memberships, and forwarding, there are many ways a message can be delivered. If you don’t want messages delivered, ensuring that all of the user’s SMTP addresses are on the Block List is the best way to make sure no outside mail gets in.
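One way to check that last point for a single user, as an added PowerShell example that is not from the original article: it compares a user's proxyAddresses values against the block list, reports the SMTP addresses that are still unblocked, and tests the result against the 800-entry limit. The function name Get-BlockListGap and the sample addresses are hypothetical and constructed for illustration.

```powershell
# Added example: hypothetical helper, constructed sample data.
$MaxBlockListEntries = 800   # block list limit stated in the article

function Get-BlockListGap {
    param(
        [string[]]$ProxyAddresses,     # values of the user's proxyAddresses attribute
        [string[]]$BlockedRecipients   # current Recipient Filtering block list
    )

    # Keep only SMTP entries. "SMTP:" marks the primary address, "smtp:" an alias;
    # -match is case-insensitive, so both are kept and X500 or other types are dropped.
    $smtp = @($ProxyAddresses |
        Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { $_.Substring(5).Trim().ToLower() } |
        Sort-Object -Unique)

    # Normalise the block list the same way so the comparison ignores case.
    $blocked = @($BlockedRecipients |
        Where-Object { $_ } |
        ForEach-Object { "$_".Trim().ToLower() })

    # Every address missing from the list is still a delivery path from outside.
    $missing = @($smtp | Where-Object { $blocked -notcontains $_ })

    New-Object PSObject -Property @{
        Missing      = $missing
        FullyBlocked = ($missing.Count -eq 0)
        # Additions fail once the list is full, so report whether the fix fits.
        FitsInList   = (($blocked.Count + $missing.Count) -le $MaxBlockListEntries)
    }
}

# Constructed sample: one primary address, two aliases and a non-SMTP entry.
$proxy = 'SMTP:j.doe@example.com',
         'smtp:jdoe@example.com',
         'smtp:john.doe@example.com',
         'X500:/o=Example/ou=First/cn=jdoe'

# Constructed block list holding only the primary address (in different case).
$blocked = 'J.Doe@example.com', 'legal-hold@example.com'

$gap = Get-BlockListGap -ProxyAddresses $proxy -BlockedRecipients $blocked
$gap | Format-List Missing, FullyBlocked, FitsInList
```

On a server running the anti-spam agents, the BlockedRecipients property returned by Get-RecipientFilterConfig can supply the second argument. The check does not cover D/L membership or forwarding, which bypass the Block List as described above.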