Using IP Block List Providers and the Connection Filter agent in Exchange 2007



11/06/13

Written by Paul Cunningham on December 12, 2008

Exchange Server 2007 includes integrated anti-spam features that run on Edge Transport servers and can optionally be enabled on Hub Transport servers. In this blog post I will discuss the Connection Filter agent and how IP block list providers can be used to protect Exchange servers from spam.


What is the Connection Filter agent?

The Connection Filter agent is a Transport server feature that performs filtering actions based on the IP address of the remote server that is making a connection to the Exchange server. The Connection Filter agent checks whether the remote IP address is on an IP Allow list, an IP Block list, or on neither and takes action based on the result. When the Connection Filter agent is enabled it is the first anti-spam agent that assesses any incoming SMTP communication.


This preserves system resources on the Transport server by avoiding the need to accept the entirety of the email message data and perform more thorough content scanning of the message for spam. The Transport server simply assumes that an email coming from an IP address on an IP Block list is almost certainly going to be spam and terminates the SMTP session before the DATA command is issued.


What is an IP Allow/Block list?

An IP Allow/Block list can be made up of an administrator-defined list of IP addresses or it can come from a third party provider.


Administrator-defined lists typically are used when an Exchange administrator needs to explicitly allow or block a specific IP address, and are assessed first before any third party IP Allow/Block lists. For example, if a customer’s network has been blacklisted for some reason you can override that by adding their IP address to your IP Allow list. Similarly, if you are receiving spam from an IP address that has not yet been blacklisted you can add the IP address to your IP Block list.

Third party list providers such as SORBS and SpamHAUS provide a service that you can use to look up an IP address and determine whether it is on one of the IP Allow or IP Block lists. These providers maintain lists of IP addresses of known and suspect spam sources based on actual spam reports, proactive open relay scans, and other likely sources such as ISP customer IP ranges.

Using IP Allow/Block list providers with Exchange Server 2007

Exchange Server 2007 can be configured to query one or more of these lists when the Connection Filter agent is assessing an SMTP connection. In fact it is recommended to configure more than one provider to improve coverage and to ensure that if one list provider is not responding to queries, another provider is checked.

Using IP Block list providers has some disadvantages. The IP address of a legitimate email server may be inadvertently added to an IP Block list even though it is not sending spam. From time to time the Exchange administrator may need to explicitly allow one of these IP addresses so that email communication is not disrupted, or contact a list provider to get their own IP address removed from an IP Block list.


Another disadvantage is that each new SMTP connection requires a query sent to the list provider. If the response is delayed for any reason it can slow down email traffic at the Transport server. To reduce the impact of this the Exchange server will cache the results of a query for a short period of time so that an IP can continue to be blocked on subsequent attempts without another query being sent to the list provider. IP Block lists are far more commonly used than IP Allow lists, but IP Allow lists are useful to prevent highly trusted IP addresses from being blocked.
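The provider query described above follows the DNSBL convention documented in RFC 5782: the connecting IPv4 address is reversed, prefixed to the provider's lookup domain, and resolved as an A record. The PowerShell below is an added illustration of that lookup and of the ordered fallback between providers; it is not Exchange's own code or code from the original article, and the function names, the bl-a.example and bl-b.example providers and the stub resolver data are constructed for the example.

```powershell
# Build the DNS name a block list provider is asked about, e.g.
# 192.0.2.10 against bl.example -> 10.2.0.192.bl.example
function Get-DnsblQueryName {
    param([string]$IPAddress, [string]$LookupDomain)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "This example handles IPv4 addresses only."
    }
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)
    ($octets -join '.') + '.' + $LookupDomain
}

# Query providers in the order given and stop at the first listing.
# $Resolver is injectable so the logic can be exercised without network access.
function Test-DnsblListing {
    param(
        [string]$IPAddress,
        [string[]]$LookupDomains,
        [scriptblock]$Resolver = { param($name) [System.Net.Dns]::GetHostAddresses($name) }
    )
    foreach ($zone in $LookupDomains) {
        $name = Get-DnsblQueryName -IPAddress $IPAddress -LookupDomain $zone
        try {
            $codes = @(& $Resolver $name | ForEach-Object { $_.ToString() })
            if ($codes.Count -gt 0) {
                # Any A record (conventionally in 127.0.0.0/8) means "listed".
                return New-Object PSObject -Property @{ Listed = $true; Provider = $zone; Codes = $codes }
            }
        }
        catch {
            $ex = $_.Exception.GetBaseException()
            $notFound = ($ex -is [System.Net.Sockets.SocketException]) -and
                ($ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::HostNotFound)
            # NXDOMAIN means "not listed here"; anything else is a provider failure.
            if (-not $notFound) { Write-Warning "$zone did not answer: $($ex.Message)" }
        }
    }
    New-Object PSObject -Property @{ Listed = $false; Provider = $null; Codes = @() }
}

# Constructed stub data: bl-a.example fails to answer, bl-b.example lists 192.0.2.10.
$stub = {
    param($name)
    if ($name -like '*.bl-a.example') { throw "query timed out" }
    if ($name -eq '10.2.0.192.bl-b.example') { [System.Net.IPAddress]::Parse('127.0.0.2') }
}
Test-DnsblListing -IPAddress '192.0.2.10' -LookupDomains 'bl-a.example', 'bl-b.example' -Resolver $stub
```

Omitting `-Resolver` sends real DNS queries, which is a quick way to see how long each provider takes to answer from the Transport server's own resolver.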

How to configure an IP Block list with Exchange Server 2007

The Exchange anti-spam components are installed by default on Edge Transport servers but must be manually installed on Hub Transport servers by the administrator using the “Install-AntispamAgents.ps1” script that is included with Exchange Server 2007.


The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console. Open the properties of IP Block List Providers and select the Providers tab.

Click Add to configure a new provider. Here we are configuring SpamHAUS as the IP Block list provider. Note that you should review the SpamHAUS usage guidelines to verify that your organisation qualifies for free use of this service.

You can configure as many IP Block list providers as you wish and they will be queried in the order that they are listed. You can also configure exceptions for email addresses within your organisation that you do not want to be filtered. For example you may choose not to filter email to your postmaster@ email address so that an organisation that is being blocked by your email servers can still report the problem to your Exchange administrator.

Using IP Block list providers with internal Exchange servers

IP address filtering is most commonly applied at the internet-facing Exchange servers, but in some cases your Exchange servers may have another email server that receives internet email first. The Exchange server must parse the email message headers to determine which IP address is the original source of the email message when performing IP Block list provider queries. To ensure that the Exchange server can do this you must specify the IP addresses of any email servers within your organisation that would receive internet email before it reaches the Exchange servers. This is configured in the Global Settings for your Exchange organisation.

Open the properties of the Transport Settings and select the Message Delivery tab. Select Add and enter the IP address or IP range of the email servers.
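The console steps for configuring IP Block list providers and internal email servers have Exchange Management Shell equivalents. The commands below are an added example, not taken from the original article; the provider name, rejection text, contoso.com recipient, script path and the 192.0.2.x / 198.51.100.x addresses are placeholders to replace with your own values.

```powershell
# Hub Transport servers only: install the anti-spam agents, then restart transport.
# Path shown is the default install location; adjust if Exchange is installed elsewhere.
Set-Location 'C:\Program Files\Microsoft\Exchange Server\Scripts'
.\Install-AntispamAgents.ps1
Restart-Service MSExchangeTransport

# Add an IP Block list provider (Providers tab > Add).
Add-IPBlockListProvider -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' `
    -AnyMatch $true `
    -RejectionResponse 'Connecting IP address is listed by an IP Block list provider.'

# Providers are queried in Priority order; check it after adding a second provider.
Get-IPBlockListProvider | Sort-Object Priority | Format-Table Name, LookupDomain, Priority, Enabled

# Exception: mail to postmaster bypasses provider checks so blocked senders can report problems.
Set-IPBlockListProvidersConfig -BypassedRecipients 'postmaster@contoso.com'

# Administrator-defined entries, assessed before any provider is queried.
Add-IPAllowListEntry -IPAddress 192.0.2.25      # trusted sender that a provider has listed
Add-IPBlockListEntry -IPAddress 198.51.100.7    # spam source not yet listed by a provider

# Mail servers that receive internet email before Exchange (Transport Settings > Message Delivery).
# This replaces the existing list, so include every internal SMTP server.
Set-TransportConfig -InternalSMTPServers 192.0.2.10, 192.0.2.11

# Verify the provider answers: 127.0.0.2 is the conventional DNSBL test address.
Test-IPBlockListProvider -Identity 'Spamhaus ZEN' -IPAddress 127.0.0.2
```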

Is the Exchange Connection Filter agent enough protection?

The Exchange Connection Filter agent does an acceptable job of blocking spam based on the sender’s IP address but it is by no means a complete anti-spam solution. Connection filtering is best used in combination with other forms of spam protection such as content filtering. An effective way to improve Exchange anti-spam protection is to combine inbuilt features of Exchange such as the Connection Filter agent with comprehensive third party email security products that include a greater degree of configurability and more advanced features such as detailed reporting.

Connection Filtering saves time and resources

A correctly configured Connection Filter agent saves the Exchange administrator a lot of time by avoiding the need to manually maintain a large list of blocked and allowed IP addresses. The Connection Filter agent also reduces server load by rejecting likely spam before it has been transmitted to the Exchange server and without requiring resource-intensive content scanning of the email message. It is recommended that you always configure the Connection Filter agent on your internet-facing Exchange Transport servers, and consider enhancing your anti-spam protection with third party email security products.


Mario October 26, 2010

Hello Paul,

We’re looking to implement spam blocking for quite a while now and have been looking into using Spamhaus as RBL provider. What is unclear to me is how to check where we currently are with the number of SMTP connections and the DNSBL queries. Is there a way I can check this from our Exchange 2007 platform?

Thanks, Mario

Ed Fisher October 26, 2010

Hi Mario,

There are a couple of ways you can determine how many SMTP connections your server is currently working with. The queue viewer is a graphical tool in the Exchange Management Console. Go to the toolbox, and you will see the queue viewer. Since you are probably more interested in the raw number of sessions (as opposed to the other side) you can also use Perfmon to view this. Look for the counters for “MSExchangeTransport SmtpReceive” and “MSExchangeTransport SmtpSend.”

If you want to see how many DNS queries your server is running at any point in time, you can only use Perfmon counters if the DNS server service is installed on the machine. You probably don’t have that service installed on your Exchange server, and your DNS server is probably already processing a ton of queries for other clients, so I would take a network trace on UDP 53 and just gather statistics that way. If your server processes both inbound and outbound mail, you will need to do some guesstimating to eliminate the DNS queries generated from sending mail, but I already mentioned that counter above.

Just remember that your Exchange server’s resolver cache will hold on to records resolved for the duration of the TTL, so round down to nearest random number unless you clear your resolver cache frequently during the monitoring, or reduce the maximum TTL for caching to 1.

· Start Registry Editor (Regedit.exe).
· Locate the MaxCacheEntryTtlLimit value under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
· On the Edit menu, click Modify. Type 1, and then click OK.
· Quit Registry Editor.

I don’t recommend doing that, and since most systems I have dealt with send multiple emails to the same destination domain, I usually just guesstimate it based on 10% of the outbound.

Since enabling DNS RBL is going to surge your DNS queries, you can probably just look at the number of inbound messages and figure that this will equal the number of new DNS queries generated. It’s more art than science here, so that is ‘good enough’ for me.

Hope this helps, Ed

Scott December 8, 2010

Thank you for posting this article. I was fairly confident where to add my blocklist provider but I was not entirely sure until I came across this article. Thank you again.

Bob Herman May 29, 2013

Hi Paul: I already have zen.spamhaus.org configured as an IP Block List Provider in my Exchange server. But how do I configure Exchange to use the dbl.spamhaus.org that expects domains, not IPs? If I enter dbl.spamhaus.org as an IP Block List Provider, will Exchange properly send the domain, not the IP, for the query? Thank you!


Copyright © 2012 AllSpammedUp.com

www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/
