Microsoft Exchange Server 2010 : Configuring Anti-Spam and Message Filtering Options (part 2) - Filtering Connections with IP Block Lists

7/22/2014 4:00:33 AM

Filtering Connections with IP Block Lists

If you find that sender and recipient filtering isn't enough to stem the flow of spam into your organization, you might want to consider subscribing to an IP block list service. Here's how this works:

  • You subscribe to an IP block list service. Although there are free services available, you might have to pay a monthly service fee. In return, the service lets you query its servers for known sources of unsolicited e-mail and known relay servers.

  • The service provides you with domains you can use for validation and a list of status codes to watch for. You configure Exchange to use the specified domains and enter connection filtering rules to match the return codes. Then you configure any exceptions for recipient e-mail addresses or sender IP addresses.

  • Each time an incoming connection is made, Exchange performs a lookup of the source IP address in the block list domain. A "host not found" error is returned to indicate the IP address is not on the block list and that there is no match. If there is a match, the block list service returns a status code that indicates the suspected activity. For example, a status code of 127.0.0.3 might mean that the IP address is from a known source of unsolicited e-mail.

  • If there is a match between the status code returned and the filtering rules you've configured, Exchange returns an error message to the user or server attempting to make the connection. The default error message says that the IP address has been blocked by a connection filter rule, but you can specify a custom error message to return instead.

The sections that follow discuss applying IP block lists, setting provider priority, defining custom error messages to return, and configuring block list exceptions. These are all tasks you'll perform when you work with IP block lists.

Applying IP Block Lists

Before you get started, you need to know the domain of the block list service provider, and you should also consider how you want to handle the status codes the provider returns. Exchange allows you to specify that any return status code is a match, that only a specific code matched to a bit mask is a match, or that any of several status codes that you designate can match.

Table 1 shows a list of typical status codes that might be returned by a provider service. Rather than filter all return codes, in most cases, you'll want to be as specific as possible about the types of status codes that match. This ensures that you don't accidentally filter valid e-mail. For example, based on the list of status codes of the provider, you might decide that you want to filter known sources of unsolicited e-mail and known relay servers but not filter known sources of dial-up user accounts, which might or might not be sources of unsolicited e-mail.

Table 1. Typical Status Codes Returned by Block List Provider Services

| RETURN STATUS CODE | CODE DESCRIPTION | CODE BIT MASK |
|---|---|---|
| 127.0.0.1 | Trusted nonspam (on the "white" list) | 0.0.0.1 |
| 127.0.0.2 | Known source of unsolicited e-mail/spam (on the "black" list) | 0.0.0.2 |
| 127.0.0.3 | Possible spam, like a mix of spam and nonspam (on the "yellow" list) | 0.0.0.3 |
| 127.0.0.4 | Known source of unsolicited e-mail/spam, but not yet blocked (on the "brown" list) | 0.0.0.4 |
| 127.0.0.5 | Not a spam-only source, and not on the "black" list | 0.0.0.5 |
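
The lookup described earlier and the choice between matching any return code and matching designated codes can be modeled offline. This is an added example, not code from the original page or from Exchange: the function names, the sample addresses, and the zone table are constructed for illustration, and the reversed-octet query name is the usual DNS block list convention. It shows why Match Any Return Code would also block an address the provider reports as trusted (127.0.0.1 in Table 1).

```powershell
# Added example; function and variable names are hypothetical, not Exchange cmdlets.
# Constructed sample data standing in for the provider's DNS zone (no network needed).
# A name missing from the table represents the "host not found" answer.
$SampleZone = @{
    '10.113.0.203.proseware.com'  = '127.0.0.2'   # "black" list entry
    '25.100.51.198.proseware.com' = '127.0.0.1'   # "white" list entry
}

function Get-BlockListQueryName {
    param([string]$IPAddress, [string]$LookupDomain)
    # DNS block list convention: reverse the IPv4 octets, then append the lookup domain.
    $octets = $IPAddress.Split('.')
    [array]::Reverse($octets)
    return (($octets -join '.') + '.' + $LookupDomain)
}

function Test-BlockListMatch {
    param(
        [string]$IPAddress,
        [string]$LookupDomain,
        [hashtable]$Zone,
        [switch]$AnyMatch,                 # models Match Any Return Code
        [string[]]$ResponsesToMatch = @()  # models Match Any Of The Following Responses
    )
    $name = Get-BlockListQueryName -IPAddress $IPAddress -LookupDomain $LookupDomain
    if (-not $Zone.ContainsKey($name)) { return $false }  # host not found: not listed
    if ($AnyMatch) { return $true }                       # any answer counts as a match
    return ($ResponsesToMatch -contains $Zone[$name])     # only designated codes match
}

# Compare both rule styles for a listed spam source, a white-listed host, and an unlisted host.
foreach ($ip in '203.0.113.10', '198.51.100.25', '192.0.2.77') {
    New-Object PSObject -Property @{
        IPAddress     = $ip
        QueryName     = (Get-BlockListQueryName $ip 'proseware.com')
        AnyReturnCode = (Test-BlockListMatch $ip 'proseware.com' $SampleZone -AnyMatch)
        SpecificCodes = (Test-BlockListMatch $ip 'proseware.com' $SampleZone -ResponsesToMatch '127.0.0.2')
    }
}
```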

You can filter connections using IP block lists by completing the following steps:

  1. Start the Exchange Management Console. On an Edge Transport server, select Edge Transport, click the server you want to work with and then click the Anti-Spam tab in the details pane. On a Hub Transport server for which you've enabled spam filtering, expand the Organization Configuration node, select Hub Transport, and then click the Anti-Spam tab in the details pane.

  2. Right-click IP Block List Providers, and then select Properties. The IP Block List Providers Properties dialog box appears.

  3. Click the Providers tab. The Block List Providers list box shows the current Block List providers, if any.

  4. Click Add to add a Block List provider. The Add IP Block List Provider dialog box appears, shown in Figure 3.

    Figure 3. Configure the Block List provider.

  5. Type the name of the provider in the Provider Name text box.

  6. In the Lookup Domain text box, type the domain name of the block list provider service, such as proseware.com.

  7. Under Return Status Codes, select Match Any Return Code to match any return code (other than an error) received from the provider service or select one or more of the following options:

    • Match Specific Mask And Responses: Select this option to match a specific mask and return codes from the provider service.

    • Match To The Following Mask: Select this option to match a specific return code from the provider service. For example, if the return code for a known relay server is 127.0.0.4 and you want to match this specific code, you type the mask 0.0.0.4.

    • Match Any Of The Following Responses: Select this option to match specific values in the return status codes. Type a return status code to match, and then click Add. Repeat as necessary for each return code that you want to add.

  8. Click OK to start using IP block lists from the block list provider.

Setting Priority and Enabling Block List Providers

You can configure multiple block list providers. Each provider is listed in priority order, and if Exchange makes a match using a particular provider, the other providers are not checked for possible matches. In addition to being prioritized, providers can also be enabled or disabled. If you disable a provider, it is ignored when looking for possible status code matches.

You can set block list provider priority and enable or disable providers by completing the following steps:

  1. Start the Exchange Management Console. On an Edge Transport server, select Edge Transport, click the server you want to work with and then click the Anti-Spam tab in the details pane. On a Hub Transport server for which you've enabled spam filtering, expand the Organization Configuration node, select Hub Transport, and then click the Anti-Spam tab in the details pane.

  2. Right-click IP Block List Providers, and then select Properties. The IP Block List Providers Properties dialog box appears.

  3. Click the Providers tab. The Block List Providers list box shows the current block list providers in priority order.

  4. To change the priority of a provider, select it and then click the Move Up or Move Down button to change its order in the list.

  5. To disable a provider, select it and then click Disable.

  6. To enable a provider, select it and then click Enable. Click OK to close the Properties dialog box.

Specifying Custom Error Messages to Return

When a match is made between the status code returned and the filtering rules you've configured for block list providers, Exchange returns an error message to the user or server attempting to make the connection. The default error message says that the IP address has been blocked by a connection filter rule. If you want to override the default error message, you can specify a custom error message to return on a per-rule basis. The error message can contain the following substitution values:

  • %0 to insert the connecting IP address

  • %1 to insert the name of the connection filter rule

  • %2 to insert the domain name of the block list provider service

Some examples of custom error messages include the following:

  • The IP address (%0) was blocked and not allowed to connect.

  • %0 was rejected by %2 as a potential source of unsolicited e-mail.

Using the substitution values, you can create a custom error message for each block list provider by following these steps:

  1. Start the Exchange Management Console. On an Edge Transport server, select Edge Transport, click the server you want to work with and then click the Anti-Spam tab in the details pane. On a Hub Transport server for which you've enabled spam filtering, expand the Organization Configuration node, select Hub Transport, and then click the Anti-Spam tab in the details pane.

  2. Right-click IP Block List Providers, and then select Properties. The IP Block List Providers Properties dialog box appears.

  3. On the Providers tab, the Block List Providers list box shows the current Block List providers in priority order. Select the block list provider for which you want to create a custom error message, and then click Edit.

  4. In the Edit IP Block List Provider dialog box, click Error Messages.

  5. In the IP Block List Provider Error Message dialog box, select Custom Error Message, and then type the error message to return. Click OK twice.
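
The three console procedures above (adding a provider, setting priority and state, and defining a custom error message) can also be performed from the Exchange Management Shell on the transport server. This is an added example, not part of the original page: the provider name Proseware, the choice of 127.0.0.2 as the only matching code, and the test address are assumptions for illustration.

```powershell
# Added example: Exchange Management Shell equivalents of the console procedures.
# 'Proseware', the match code, and the test address are illustrative assumptions.

# Applying IP Block Lists: add a provider that matches only a designated return code
# rather than any return code, so codes such as 127.0.0.1 (trusted) are not filtered.
Add-IPBlockListProvider -Name 'Proseware' -LookupDomain 'proseware.com' `
    -AnyMatch $false -IPAddressesMatch 127.0.0.2 -Enabled $true

# Setting priority: move the provider to the top of the list.
Set-IPBlockListProvider -Identity 'Proseware' -Priority 1

# Disabling and re-enabling a provider; a disabled provider is ignored during matching.
Set-IPBlockListProvider -Identity 'Proseware' -Enabled $false
Set-IPBlockListProvider -Identity 'Proseware' -Enabled $true

# Custom error message, using the substitution values listed above.
Set-IPBlockListProvider -Identity 'Proseware' `
    -RejectionResponse '%0 was rejected by %2 as a potential source of unsolicited e-mail.'

# Review the resulting configuration in priority order.
Get-IPBlockListProvider | Sort-Object Priority |
    Format-Table Name, LookupDomain, Priority, Enabled, AnyMatch, IPAddressesMatch -AutoSize

# Check a single address against the provider (performs a live DNS query from this server).
Test-IPBlockListProvider -Identity 'Proseware' -IPAddress 203.0.113.10
```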
