Connection filtering combats spam by blocking and/or
allowing email messages from specific networks, IP addresses, and IP
ranges. Email that is routed through Receive Connectors is processed by
the Connection Filtering Agent. These messages are received from the
Internet and travel inbound to the Edge Transport server for delivery to
the recipient. The connection filtering agents (IP Block List, IP Allow
List, IP Block List Providers, and IP Allow List Providers) are all
enabled by default and can be configured using the Exchange Management
Console or Exchange Management Shell.
An IP Allow List is a
manual list of servers you trust to send email to your organization,
more specifically those for which email communication cannot be
disrupted. An IP Block List works in reverse, blocking email from
specific email servers without further processing or retaining copies of
the message. IP Block and Allow List Providers make it easier to stop
email from known malicious entities or ensure that communication
continues for others. This is usually a free service and allows
administrators to easily subscribe to these lists and benefit from them.
One example of a real-time block list provider is The Spamhaus Project at www.spamhaus.org.
Spamhaus maintains the Spamhaus Block List (SBL) and provides it as a
free service for anyone to use. Spamhaus records their block entries in
the SBL domain name system (DNS) zone, and that list is updated at
regular intervals and then mirrored to servers around the world with
direct hourly feeds to major Internet service providers (ISPs).
Note
If the message matches an
entry from the IP Allow List, the message is assigned a Spam Confidence
Level (SCL) rating of 0 regardless of any matches from the IP Block
List.
Note
Changes
described in this section are applied only to the local system. This is
important to know if you have more than one Edge Transport server in
your environment because the change will need to be made locally on all
other Edge Transport servers.
To disable the IP Block
List, IP Allow List, IP Block List Providers, and IP Allow List
Providers agents using the Exchange Management Console, right-click the
appropriate agent icon in the action pane and select Disable.
To disable these same agents using the Exchange Management Shell, run the corresponding Set- cmdlet (Set-IPAllowListConfig, Set-IPAllowListProvider, Set-IPAllowListProvidersConfig, Set-IPBlockListConfig, Set-IPBlockListProvider, or Set-IPBlockListProvidersConfig) with the -Enabled $false parameter. For example:
Set-IPBlockListConfig -Enabled $false
When configuring an IP
Block List or IP Allow List, entities to block must be entered manually
by the administrator because these lists are created and maintained
locally on the server. Unless specified otherwise by the organization,
reject email messages received from addresses on IP Block Lists to avoid
further processing, increased system overhead, and consumed disk space.
Tip
The IP Block List is
administered by and applies only to the organization the Edge server is
routing mail for. The IP Block List can be used to define IP addresses
that consistently send messages carrying a malicious payload or
unacceptable content to the organization, whereas an IP Block List
Provider might not identify these messages, which can occur for several
reasons.
Configuring an IP Allow List Using the Exchange Management Console
Email
administrators can configure Allow Lists on an Edge Transport server to
ensure messages from desired source mail senders or organizations are
not filtered and blocked at the Edge server. Administrators can define
single IP addresses, IP addresses and subnet masks, and/or IP ranges
from which to allow email messages.
Tip
In addition to IP v4, Exchange Server 2010’s Edge Transport role supports filtering using IP v6 addresses and ranges.
Note
In some
organizations, the Edge Transport server might sit behind another Simple
Mail Transfer Protocol (SMTP) server that receives email from the
Internet. In scenarios like this, the SMTP address of each upstream
email server must be added to the Transport Configuration object in an
Active Directory forest before connection filtering can be used. The
SMTP addresses listed in the Transport Configuration object in Active
Directory are replicated to the Edge Transport servers via EdgeSync.
To configure an IP Allow List using the Exchange Management Console, do the following:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. Double-click the IP Allow List item in the action pane.
4. In the IP Allow List Properties window, select the Allowed Addresses tab.
5. Click the Add button or the down arrow and choose the IP address option to add a Classless Inter-Domain Routing (CIDR) IP v4 or v6 address or range (for example, 192.168.1.10, 192.168.1.10/24, or 2001:DB8:0:C000::/54).
6. Click OK to add the IP address or address range.
7. The IP addresses or address ranges are shown in the IP Address(es) section of the Allowed Addresses tab in the IP Allow List Properties window.
Note
You must first obtain the IP address or address ranges of the email server or servers that you want included in the IP Allow List.
8. Click Apply to save changes or click OK to save changes and close the window.
Note
Entries in an IP Allow List cannot be scheduled to expire.
Alternatively, an IP
address and subnet mask, or IP address range can be defined for
filtering. To define an allowed IP address and subnet mask, do the
following:
1. In the IP Allow List Properties window, select the Allowed Addresses tab.
2. Click the down arrow and select IP and Mask.
3. In the Add Allowed IP Address – IP and Mask window, enter the IP address in the IP Address field (for example, 192.168.1.10).
4. Enter the subnet mask of the IP address in the IP Mask field (for example, 255.255.255.0).
5. Click OK to add the IP address and IP mask.
To define an allowed IP address range, do the following:
1. In the IP Allow List Properties window, select the Allowed Addresses tab.
2. Click the down arrow and select IP Range.
3. In the Add Allowed IP Address – IP Range window, enter the first IP address in the Start Address field (for example, 192.168.1.1).
4. Enter the last IP address in the address range in the End Address field (for example, 192.168.255.255).
5. Click OK to add the IP address range.
Any defined IP
addresses, IP addresses and subnet masks, and/or IP address ranges are
shown in the IP Address(es) section of the Allowed Addresses tab of the
IP Allow List Properties window.
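The same three entry forms (single address, address and mask, and start-end range) can also be added from the Exchange Management Shell on the Edge Transport server. This is an added example, not part of the original text; it reuses the sample addresses from the procedures above, and the comment strings are constructed.

```powershell
# Added example: populate the local IP Allow List from the Exchange Management Shell.
# Run this on the Edge Transport server itself: the list is local to that server
# and is not replicated to other Edge servers.

# 1) A single trusted mail server (sample address from the procedure above).
Add-IPAllowListEntry -IPAddress 192.168.1.10 -Comment "Partner MTA (sample entry)"

# 2) An address and subnet mask, written in CIDR form: mask 255.255.255.0 is /24.
Add-IPAllowListEntry -IPRange 192.168.1.0/24 -Comment "Partner relay subnet (sample entry)"

# 3) An explicit start-end range, equivalent to the IP Range form.
Add-IPAllowListEntry -IPRange 192.168.1.1-192.168.255.255 -Comment "Upstream relay range (sample entry)"

# 4) IPv6 prefixes are accepted too (the /54 prefix from the example above).
Add-IPAllowListEntry -IPRange 2001:DB8:0:C000::/54 -Comment "IPv6 partner prefix (sample entry)"

# Allow List entries cannot be scheduled to expire, so no -ExpirationTime is given.
# Review what the agent will honour, and confirm the IP Allow List agent is enabled,
# since a match here forces SCL 0 regardless of any IP Block List match.
Get-IPAllowListEntry | Format-Table Identity, IPRange, Comment -AutoSize
Get-IPAllowListConfig | Format-List Enabled
```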
Several list providers are available; the criteria for being added to or removed from their databases, and how often those databases are updated, differ from provider to provider. For example, Microsoft provides updates twice per week for its Intelligent Message Filter, which is used with content filtering and the heuristics rules specific to phishing attempts. To configure an IP Allow List Provider using the Exchange Management Console, complete the following steps:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. Double-click the IP Allow List Providers item in the action pane.
4. In the IP Allow List Providers Properties window, select the Providers tab.
5. Click the Add button to define an IP Allow List Provider.
6. Enter the name of the provider in the Provider Name field.
7. Enter the IP address or fully qualified domain name (FQDN) in the Lookup Domain field.
8. Select Match Any Return Code to identify all delivery status notifications (DSN) and respond to them accordingly.
9. Select Match Specific Mask and Responses to specify an IP address or subnet mask and respond accordingly, or to list multiple IP addresses or subnet masks and respond accordingly.
10. Click OK when you are finished; the newly created provider entry will be displayed in the IP Allow List Providers Properties window.
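The provider settings above (Match Any Return Code versus a specific response) map directly onto the -AnyMatch and -IPAddressesMatch parameters of the provider cmdlets. The following is an added example, not from the original text: the Spamhaus SBL zone name and its 127.0.0.2 listing code are that provider's published values, while the allow-list provider name, its lookup domain and the postmaster address are placeholders.

```powershell
# Added example: register list providers from the Exchange Management Shell and
# verify them before relying on them. Placeholders are marked as such.

# Block List Provider for the Spamhaus SBL (the page's example provider).
# Only the SBL listing code 127.0.0.2 counts as a match; an unexpected return
# code from the zone will then not cause mail to be rejected.
Add-IPBlockListProvider -Name "Spamhaus SBL" -LookupDomain sbl.spamhaus.org `
    -IPAddressesMatch 127.0.0.2 -Priority 1 `
    -RejectionResponse "Message rejected: the sending IP address is listed on the Spamhaus SBL"

# Allow List Provider using Match Any Return Code: any answer from the zone is a match.
# Name and lookup domain are placeholders, not a real service.
Add-IPAllowListProvider -Name "Accreditation service (placeholder)" `
    -LookupDomain allowlist.example.net -AnyMatch $true

# Make sure the postmaster mailbox keeps receiving mail even from listed senders
# (placeholder address).
Set-IPBlockListProvidersConfig -BypassedRecipients postmaster@example.com

# Confirm the providers are registered, enabled, and in the intended priority order.
Get-IPBlockListProvider | Format-Table Name, LookupDomain, AnyMatch, IPAddressesMatch, Priority, Enabled -AutoSize
Get-IPAllowListProvider | Format-Table Name, LookupDomain, AnyMatch, Priority, Enabled -AutoSize

# Probe a provider with a known address to check that DNS lookups from this Edge
# server work and that the match rule behaves as expected (192.0.2.25 is a
# documentation address and is not expected to be listed).
Test-IPBlockListProvider -Identity "Spamhaus SBL" -IPAddress 192.0.2.25
```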
Configuring an IP Block List Using the Exchange Management Console
The IP Block List is
configured using the same procedures as the IP Allow List; however, an
entry made in the IP Block List can be scheduled to expire, whereas an
entry in the IP Allow List cannot. By default, new entries are set to
never expire.
Note
You
must first obtain the IP address or address ranges of the email server
or servers that you want included in the IP Block List.
To configure an IP Block List using the Exchange Management Console, do the following:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. Double-click the IP Block List item in the action pane.
4. In the IP Block List Properties window, select the Blocked Addresses tab.
5. Click Add to make a new entry.
6. In the Add Blocked IP Address window, enter the CIDR information for the blocked addresses and select Block Until Date and Time.
7. Specify a date and time to expire the entry, and click OK.
Known spam servers
and IP addresses sending malicious email should be double-checked for
compliance before the expiration date comes due. Consider keeping
maintenance logs or check entries frequently to avoid letting unwanted
and previously blocked email messages (back) into your organization.
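Expiring entries and the review pass recommended above can be scripted from the Exchange Management Shell. This is an added example, not part of the original text; the blocked addresses, the expiry windows and the ticket reference are constructed sample values.

```powershell
# Added example: time-limited IP Block List entries plus a review of entries that
# are about to lapse, so that a block is re-checked before it silently expires.

# Record who added the entry and when in the Comment field; this doubles as the
# maintenance log the text recommends keeping.
$addedBy = "$env:USERNAME on $(Get-Date -Format 'yyyy-MM-dd')"

# Block a single host for 30 days (sample address and ticket reference).
Add-IPBlockListEntry -IPAddress 203.0.113.45 -ExpirationTime (Get-Date).AddDays(30) `
    -Comment "Malicious attachments, ticket TICKET-PLACEHOLDER, added by $addedBy"

# Block a whole range for 7 days (sample range).
Add-IPBlockListEntry -IPRange 198.51.100.0/24 -ExpirationTime (Get-Date).AddDays(7) `
    -Comment "Spam burst from hosting range, added by $addedBy"

# Review pass: list manually added entries that expire within the next 3 days.
# Entries set to never expire fall outside the cutoff, and entries the server
# generated itself are skipped because they manage their own lifetime.
$cutoff = (Get-Date).AddDays(3)
Get-IPBlockListEntry |
    Where-Object { -not $_.IsMachineGenerated -and $_.ExpirationTime -le $cutoff } |
    Sort-Object ExpirationTime |
    Format-Table Identity, IPRange, ExpirationTime, Comment -AutoSize

# To keep a reviewed block in force, re-add it with a new expiry after removing
# the old entry (use the Identity value shown in the list above).
# Remove-IPBlockListEntry -Identity <Identity>
# Add-IPBlockListEntry -IPAddress 203.0.113.45 -ExpirationTime (Get-Date).AddDays(30) -Comment "Renewed after review"
```

Run the review pass on every Edge Transport server, because the IP Block List is local to each one.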