5. IP Block and Allow Lists
The IP Block List and IP Allow List features allow
you to specify individual IP addresses, subnets, or entire ranges of IP
addresses from which you will not accept or will always accept mail,
respectively. Block lists are configured on a per–Hub Transport or
per–Edge Transport basis. Figure 6 shows the interface for the IP Block List, but the interface for the IP Allow List is identical.
In the foreground of Figure 6,
you can see the interface for adding a single IP address. A nice
feature of this interface is that you can specify that you always want
to block an IP address, subnet, or address range or that you want to
automatically unblock the address after a date and time.
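The following is an added example, not from the book, showing how the same block and allow list entries described above are created and reviewed from the Exchange Management Shell on an Edge Transport server. The IP addresses are constructed documentation ranges and the comments are hypothetical; the cmdlets (Add-IPBlockListEntry, Add-IPAllowListEntry, Get-IPBlockListEntry) are the Exchange 2010 anti-spam cmdlets, and the audit at the end assumes that permanent entries report an ExpirationTime of [DateTime]::MaxValue.

```powershell
# Added example (not from the book): populate and review the IP Block List and
# IP Allow List from the Exchange Management Shell on an Edge Transport server.
# The addresses below are constructed documentation ranges, not real senders.

# Block a single address permanently.
Add-IPBlockListEntry -IPAddress 192.0.2.10 -Comment "Repeated dictionary attacks"

# Block a whole subnet, but only for 24 hours; Exchange drops the entry on its
# own once ExpirationTime passes, which matches the "unblock after a date and
# time" option in the GUI.
Add-IPBlockListEntry -IPRange 198.51.100.0/24 `
    -ExpirationTime (Get-Date).AddHours(24) `
    -Comment "Temporary block, review tomorrow"

# Block an explicit start-end range.
Add-IPBlockListEntry -IPRange 203.0.113.50-203.0.113.60 -Comment "Bot net segment"

# Always accept mail from a partner's relay regardless of the other checks.
Add-IPAllowListEntry -IPAddress 203.0.113.200 -Comment "Partner MTA"

# Audit: separate permanent blocks from time-limited ones so that old manual
# entries get reviewed.  Assumption: permanent entries carry an ExpirationTime
# of [DateTime]::MaxValue; time-limited ones carry the real expiry.
$entries   = @(Get-IPBlockListEntry)
$permanent = @($entries | Where-Object { $_.ExpirationTime -eq [DateTime]::MaxValue })
$temporary = @($entries | Where-Object { $_.ExpirationTime -ne [DateTime]::MaxValue })

"Permanent block entries: $($permanent.Count)"
$permanent | Format-Table IPRange, Comment -AutoSize

"Time-limited block entries: $($temporary.Count)"
$temporary | Sort-Object ExpirationTime |
    Format-Table IPRange, ExpirationTime, Comment -AutoSize
```

Run this in the Exchange Management Shell on the Edge Transport server whose lists you want to manage; on a Hub Transport server the cmdlets are only available once the anti-spam agents have been installed. The -ExpirationTime form is the one to prefer for reactive blocks, because entries that are never revisited tend to outlive the problem they were added for.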
6. Recipient Filtering
When recipient filtering is enabled, the Edge
Transport is configured to reject mail intended for any SMTP address
that is not found in the Active Directory or to reject mail intended
for specific SMTP addresses. This reduces the number of garbage
messages that your Exchange server would otherwise accept and then have
to issue a nondelivery report for. Figure 7 shows the Blocked Recipients list for the Recipient Filtering object.
We recommend that you select the Block Messages Sent
To Recipients Not Listed In The Directory check box. This will help
reduce the burden placed on your system by zombie networks of spammers.
However, by recommending that you enable this check box, we are
assuming that you have EdgeSync enabled and that all valid SMTP
addresses are replicated to the Edge Transport server's local AD LDS
database.
If you are performing recipient filtering, newly
created mailboxes may have their mail rejected by the Edge Transport
server until the replication runs again. You can force the
synchronization after new mailboxes are created by running the Start-EdgeSynchronization
cmdlet. Or just make sure that the users do not give anyone their email
address for at least four hours after the account is created.
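As an added example that is not from the book, the shell equivalent of the settings just described: enable recipient validation against the local AD LDS directory, add a short blocked-recipients list, and then force an EdgeSync run so that newly created mailboxes are not rejected until the next scheduled replication. The SMTP addresses are hypothetical and use the book's somorita.com domain; Set-RecipientFilterConfig, Get-RecipientFilterConfig, Start-EdgeSynchronization and Test-EdgeSynchronization are the Exchange 2010 cmdlets, and the -VerifyRecipient check at the end is assumed to be available on your Hub Transport server.

```powershell
# Added example (not from the book).  Part 1 runs on the Edge Transport server;
# part 2 runs on a Hub Transport server that has an Edge Subscription.

# --- Part 1: Edge Transport -------------------------------------------------
# Reject mail for any address that is not in AD LDS (replicated by EdgeSync),
# and also reject a few addresses that do exist but must never receive
# Internet mail.  BlockListEnabled is what makes the BlockedRecipients list
# take effect; RecipientValidationEnabled is the "not listed in the directory"
# check box from Figure 7.
Set-RecipientFilterConfig -Enabled $true `
    -RecipientValidationEnabled $true `
    -BlockListEnabled $true `
    -BlockedRecipients "noreply@somorita.com","allstaff@somorita.com"

# Confirm what is now in force before relying on it.
Get-RecipientFilterConfig |
    Format-List Enabled, RecipientValidationEnabled, BlockListEnabled, BlockedRecipients

# --- Part 2: Hub Transport --------------------------------------------------
# After creating mailboxes, push the directory changes to the Edge server
# instead of waiting for the scheduled replication interval.
Start-EdgeSynchronization

# Verify that a newly created address (hypothetical) is now visible on the
# Edge server, i.e. that recipient validation will accept it.
Test-EdgeSynchronization -VerifyRecipient newhire@somorita.com
```

The order matters: turning on recipient validation before EdgeSync has replicated the recipient list to AD LDS would reject mail for every valid address, not just the invalid ones, so confirm the Test-EdgeSynchronization result on a known-good mailbox first.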
7. Tarpitting
The Hub Transport and Edge Transport in Exchange
Server 2010 implement a feature called a tarpit. The tarpit feature
tells the SMTP server to wait a specified number of seconds (five
seconds by default) before responding to a request to send a message to
an invalid recipient. For example, if the recipient Luke@somorita.com
is an invalid recipient in your organization, but someone's mail server
sends a message to that address, your server will wait five seconds and
then respond with this error:
550 5.1.1 User unknown
Now, you may wonder why this feature is even worth
mentioning. Spammers often hijack people's home (or work) computers
with agents that send mail on their behalf. These "bots" can offer the
spammer an almost unlimited supply of SMTP clients, all sending email.
They can locate your domain and then go through a dictionary of common
names and try to send mail to each one; for example, sending to alicia@somorita.com, then amelia@somorita.com, then anthony@somorita.com,
and so on. An Exchange server without a tarpit could send back dozens
of 550 error messages each second. This makes dictionary spamming more
practical.
Another evil part of the dictionary spamming attack
is that the spammer can note which addresses were valid and use them in
the future. This is called directory harvesting.
A five-second tarpit slows the spammer down by a
factor of maybe even 500 (depending on your server's speed and your
Internet connection speed) by rejecting all the invalid delivery
attempts. Most spammers' software programs can't handle the rejects,
and they disconnect after some period of time.
You can view your receive connector's tarpit interval by using the Get-ReceiveConnector
cmdlet and change it with the Set-ReceiveConnector cmdlet. For example, if you want to change the HNLEX05 Default receive
connector's tarpit interval to 30 seconds, you would type this command:
Set-ReceiveConnector "HNLEX05 Default" -TarpitInterval 00:00:30
We recommend that you do not set this value
to more than about 30 seconds on any of your Hub Transport or Edge
Transport servers.
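The following added example, which is not from the book, turns the recommendation above into a check: it reads the tarpit interval of every receive connector in the organization, flags connectors where the tarpit is disabled (0 seconds, which is what makes dictionary attacks cheap) or set above the 30-second ceiling, and shows how to bring the latter back to 30 seconds. Get-ReceiveConnector and Set-ReceiveConnector -TarpitInterval are the cmdlets from the text; the script assumes that the TarpitInterval property can be cast to [TimeSpan], which holds for the EnhancedTimeSpan type Exchange 2010 uses.

```powershell
# Added example (not from the book): audit tarpit intervals on all receive
# connectors and correct the ones that exceed the recommended ceiling.
# Assumption: TarpitInterval (an EnhancedTimeSpan) casts cleanly to [TimeSpan].

$maxSeconds = 30

$report = foreach ($c in Get-ReceiveConnector) {
    $secs = ([TimeSpan]($c.TarpitInterval)).TotalSeconds

    # 0 seconds means the tarpit is off and invalid-recipient rejects go back
    # immediately; above the ceiling and legitimate senders may time out.
    if ($secs -eq 0) { $state = "DISABLED" } elseif ($secs -gt $maxSeconds) { $state = "TOO HIGH" } else { $state = "ok" }

    New-Object PSObject -Property @{
        Connector     = $c.Identity
        TarpitSeconds = $secs
        State         = $state
    }
}

$report | Sort-Object State, Connector |
    Format-Table Connector, TarpitSeconds, State -AutoSize

# Bring any connector above the ceiling back to 30 seconds.  -WhatIf prints
# the change without applying it; remove -WhatIf to commit.
$report | Where-Object { $_.State -eq "TOO HIGH" } | ForEach-Object {
    Set-ReceiveConnector -Identity $_.Connector -TarpitInterval 00:00:30 -WhatIf
}
```

Connectors reported as DISABLED deserve a look as well, but not an automatic fix: an internal or partner connector that only ever talks to trusted hosts may have had its tarpit set to zero on purpose, whereas an Internet-facing connector with no tarpit is exactly the configuration that makes directory harvesting practical.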