Intermittent issue with receiving email
If this isn't the right forum for this issue please advise.
Exchange 2007 on SBS 2008
Using RBLs in my Hub Transport Antispam configuration: Spamcop, DNSBLSorbs and Zen Spamhaus. I have thought of trying to implement IP Allow List, but I am unfamiliar with using this and unsure of which IP address to add to the list. I'm assuming that I should ping (in this example) mail.msn.com and use that IP, but I'm not sure. I tried that ping and then compared it to the MX lookup results from MXToolBox and got something totally different, so I'm confused.
Windows 7 Pro clients with Outlook 2010
A user submitted a support request after learning that he didn't receive an email that included him in the To field along with a list of other recipients. He discovered the problem because he did get an email reply (Reply All) from one of the other recipients.
The original email was from an msn.com email account. I asked the original sender to forward the NDR to me and it was useless: "Delivery to the following recipients failed." Additionally, my user has successfully received emails from the same sender both prior to and since the blocked instance. There are other senders who have reported receiving NDRs when emailing individuals in this organization, but the NDRs are almost always unspecific about the reason (as above). Is there a way to get a more complete error message from Hotmail?
I thought that I had narrowed down the problem by sending test emails with multiple recipients in the 'To:' field (which were rejected) and then with one recipient in the 'To:' field and the rest in the 'CC:' field (delivered). However, after testing this scenario several times, I found that my results were inconsistent. Most of the test emails with multiple 'To:'s got through.
So, I'm starting to go through the steps of running the BPA tool and trying to eliminate all of the warnings and such (though some of this stuff is over my head), but if anyone can help me with a solid troubleshooting methodology that will save me some time (instead of floundering in my ignorance) I would be most appreciative.
BTW - this server and Exchange organization is a Swing Migration from SBS 2003 and Exchange 2003...in case that sheds any more light on the problem for anyone.
TIA
Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.centralcoastcomputing.com
June 20th, 2011 5:55pm
On Mon, 20 Jun 2011 21:48:46 +0000, Wayniack wrote:
>
>
>If this isn't the right forum for this issue please advise.
>
>Exchange 2007 on SBS 2008
>
>Using RBLs in my Hub Transport Antispam configuration: Spamcop, DNSBLSorbs and Zen Spamhaus. I have thought of trying to implement IP Allow List, but I am unfamiliar with using this and unsure of which IP address to add to the list. I'm assuming that I should ping (in this example) mail.msn.com and use that IP, but I'm not sure. I tried that ping and then compared it to the MX lookup results from MXToolBox and got something totally different, so I'm confused.
>
>Windows 7 Pro clients with Outlook 2010
>
>A user submitted a support request after learning that he didn't receive an email that included him in the To field along with a list of other recipients. He discovered the problem because he did get an email reply (Reply All) from one of the other recipients. The original email was from an msn.com email account. I asked the original sender to forward the NDR to me and it was useless: "Delivery to the following recipients failed." Additionally, my user has successfully received emails from the same sender both prior to and since the blocked instance. There are other senders who have reported receiving NDRs when emailing individuals in this organization, but the NDRs are almost always unspecific about the reason (as above). Is there a way to get a more complete error message from Hotmail?
>
>I thought that I had narrowed down the problem by sending test emails with multiple recipients in the 'To:' field (which were rejected) and then with one recipient in the 'To:' field and the rest in the 'CC:' field (delivered). However, after testing this scenario several times, I found that my results were inconsistent. Most of the test emails with multiple 'To:'s got through.
>
>So, I'm starting to go through the steps of running the BPA tool and trying to eliminate all of the warnings and such (though some of this stuff is over my head), but if anyone can help me with a solid troubleshooting methodology that will save me some time (instead of floundering in my ignorance) I would be most appreciative.
Start with the SMTP receive protocol logs. Do you see anything of the
message (actually, you'll just see the sender's IP address, the
HELO\EHLO, MAIL FROM, RCPT TO, and DATA commands)? Were all commands
sent a 2XX status (the DATA should get a 3xx)?
If you see a "success" status code on all the commands then you should
see evidence of the message in the message tracking logs.
If you see 4xx or 5xx status codes then the command was rejected.
Depending on which command was rejected some, or none, of the
recipients should have received the message -- unless it was dropped
by an anti-spam or anti-virus software after it was received.
---
Rich Matheisen
MCSE+I, Exchange MVP
June 20th, 2011 10:05pm
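The check described above (look for a 4xx or 5xx reply in the receive protocol log and note which command drew it), written out as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the Exchange 2007 RECV*.LOG column layout named in the file's own `#Fields` header, PowerShell 2.0 or later for `ConvertFrom-Csv`, and a constructed sample session (documentation IP addresses, not real hosts). The function name `Get-RejectedSmtpSessions` is an assumption of this example.

```powershell
# Added example, not code from the thread. Summarises which SMTP sessions a
# Receive Connector answered with a 4xx/5xx status, and which client command
# drew the reply, so RBL rejections stand out without reading every log line.
# Assumes PowerShell 2.0 or later (ConvertFrom-Csv) and the Exchange 2007
# protocol log layout whose #Fields header names the columns listed here.

$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

function Get-RejectedSmtpSessions {
    param([string[]]$Lines)

    # Drop the '#' header lines, then parse the CSV body with the known columns.
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv -Header $fields

    # One session-id per SMTP conversation; walk it in sequence order.
    $rows | Group-Object -Property 'session-id' | ForEach-Object {
        $session     = $_.Group | Sort-Object { [int]$_.'sequence-number' }
        $lastCommand = $null
        foreach ($row in $session) {
            if ($row.event -eq '<') {
                $lastCommand = $row.data                      # command received from the client
            } elseif ($row.event -eq '>' -and $row.data -match '^[45]\d\d\s') {
                # Reply sent by the server: temporary (4xx) or permanent (5xx) error.
                New-Object PSObject -Property @{
                    Time     = $row.'date-time'
                    RemoteIP = ($row.'remote-endpoint' -split ':')[0]
                    Command  = $lastCommand
                    Response = $row.data
                }
            }
        }
    }
}

# Constructed sample log (not a real capture); the RCPT TO is refused by the
# connection filter, so the message never reaches the message tracking logs.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-06-21T19:10:01.100Z,SBS\Default SBS,08CDC1F2A9B3E4F5,0,192.0.2.10:25,203.0.113.5:41234,+,,
2011-06-21T19:10:01.110Z,SBS\Default SBS,08CDC1F2A9B3E4F5,1,192.0.2.10:25,203.0.113.5:41234,<,EHLO mail.example.net,
2011-06-21T19:10:01.120Z,SBS\Default SBS,08CDC1F2A9B3E4F5,2,192.0.2.10:25,203.0.113.5:41234,>,250 sbs.example.com Hello [203.0.113.5],
2011-06-21T19:10:01.130Z,SBS\Default SBS,08CDC1F2A9B3E4F5,3,192.0.2.10:25,203.0.113.5:41234,<,MAIL FROM:<someone@example.net>,
2011-06-21T19:10:01.140Z,SBS\Default SBS,08CDC1F2A9B3E4F5,4,192.0.2.10:25,203.0.113.5:41234,>,250 2.1.0 Sender OK,
2011-06-21T19:10:01.150Z,SBS\Default SBS,08CDC1F2A9B3E4F5,5,192.0.2.10:25,203.0.113.5:41234,<,RCPT TO:<user@example.com>,
2011-06-21T19:10:01.160Z,SBS\Default SBS,08CDC1F2A9B3E4F5,6,192.0.2.10:25,203.0.113.5:41234,>,"550 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using dnsbl.sorbs.net; (constructed)",
2011-06-21T19:10:01.170Z,SBS\Default SBS,08CDC1F2A9B3E4F5,7,192.0.2.10:25,203.0.113.5:41234,-,,
'@ -split "`r?`n"

Get-RejectedSmtpSessions -Lines $sample | Format-Table Time, RemoteIP, Command, Response -AutoSize

# On the server, point it at the directory reported by
#   Get-TransportServer <name> | fl *ProtocolLogPath
# Get-ChildItem "$logDir\RECV*.LOG" | ForEach-Object { Get-RejectedSmtpSessions -Lines (Get-Content $_.FullName) }
```

Reading the result the way the post describes: a 5xx on RCPT TO means that recipient was refused at the door and nothing was accepted for them, which is exactly the case a message-tracking search will never show; a 5xx only after DATA means the whole message was refused for every recipient in that session.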
Hi Rich,
Thanks for your response. Well, first of all, I discovered that the SMTP logs weren't enabled, so I think I took care of that by following the steps outlined here: http://exchangepedia.com/2007/05/exchange-server-2007-logging-smtp-protocol-activity.html. I'm really a rookie at this stuff, so I apologize in advance if I require more detail about the 'how to' than you would prefer. For example I was looking into how to even view the logs and I installed the Log Parser 2.2, but it's going to take me a full day to learn how to use it. In the meantime, since I enabled the logging, I still don't see any logs in the default location for the log files...do I need to restart a service or the server itself before it takes effect?
Thanks!
Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.centralcoastcomputing.com
June 21st, 2011 3:13pm
On Tue, 21 Jun 2011 19:05:40 +0000, Wayniack wrote:
>Thanks for your response. Well, first of all, I discovered that the SMTP logs weren't enabled, so I think I took care of that by following the steps outlined here: http://exchangepedia.com/2007/05/exchange-server-2007-logging-smtp-protocol-activity.html.
That's good. You should see that "Verbose" on the Receive Connector in
the EMC, too.
>I'm really a rookie at this stuff, so I apologize in advance if I require more detail about the 'how to' than you would prefer. For example I was looking into how to even view the logs and I installed the Log Parser 2.2, but it's going to take me a full day to learn how to use it.
You can use notepad.exe. They're just text files. :-)
>In the meantime, since I enabled the logging, I still don't see any logs in the default location for the log files...do I need to restart a service or the server itself before it takes effect?
No need to restart the transport service.
This will tell you where the protocol log files are:
get-transportserver <name> | fl *protocollogpath
---
Rich Matheisen
MCSE+I, Exchange MVP
June 21st, 2011 11:03pm
Hi Wayne,
Any update for your issue?
Regards!
Gavin
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 22nd, 2011 5:20am
OK...So I've got 3 RBLs configured, as I've mentioned, and it appears that some legitimate mail servers are getting blocked in addition to lots of real spam. Some of the blocked servers are actually Microsoft Hotmail servers (as well as Yahoo servers) which I checked using MXToolBox and confirmed that they actually are showing up on some of the spam reporting sites. I've got information about how to report those issues to MS, but in the meantime I need to make sure that I understand the correct way to use whitelists. I've found some information that seems good, but if anyone knows of a killer article that I can use, I'd be grateful. Is there a way to whitelist an email address instead of a server, because it seems like POP mail goes through a different IP each time...so that could get ridiculous trying to whitelist every Microsoft or Yahoo mail server that gets blocked!
At this point I'm going through the logs by searching for 'black list' and trying to determine which instances are actually false positives and then once I confirm with my recipients that I have a list of good IPs to whitelist, going into the receive connectors and whitelisting them. Seems pretty labor intensive, so is there a better way to accomplish my goal?
Thanks!
Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.centralcoastcomputing.com
July 7th, 2011 3:58pm
On Mon, 20 Jun 2011 21:48:46 +0000, Wayniack wrote:
>
>
>If this isn't the right forum for this issue please advise.
>
>Exchange 2007 on SBS 2008
>
>Using RBLs in my Hub Transport Antispam configuration: Spamcop, DNSBLSorbs and Zen Spamhaus. I have thought of trying to implement IP Allow List, but I am unfamiliar with using this and unsure of which IP address to add to the list. I'm assuming that I should ping (in this example) mail.msn.com and use that IP, but I'm not sure. I tried that ping and then compared it to the MX lookup results from MXToolBox and got something totally different, so I'm confused.
So which of the many DNS zones in SORBS are you using? I can't say that
I've ever been a fan of DNSBLs, and SORBS is one that I've
particularly disliked (I see they've changed their policy of charging
$50 to get off the list). If you're not happy with the policy of the
DNSBL then stop using it. You have zero (as in nil, nada, zip, zilch)
control over what goes into those lists, but you do have control over
which of them you use.
The IP address that was blocked should be in the agent log file. See
the get-agentlog cmdlet. The SMTP Receive log files should also have
the details of the SMTP conversation.
---
Rich Matheisen
MCSE+I, Exchange MVP
July 7th, 2011 10:32pm
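The agent log review suggested above, worked out as an added PowerShell example (not code from the thread or from Microsoft). It summarises Connection Filtering agent rejections per client IP so the false positives can be confirmed with the intended recipients before anything goes on the IP Allow List, which is the manual process described a couple of posts up. It assumes the record fields that `Get-AgentLog` returns on Exchange 2007 (`Timestamp`, `Agent`, `Action`, `IPAddress`, `Reason`, `ReasonData`, `P1FromAddress`), that `ReasonData` carries the name of the provider that listed the IP, and PowerShell 2.0 or later; the function name `Get-BlockListRejections` and the sample records are this example's own.

```powershell
# Added example, not code from the thread. Summarises what the Connection
# Filtering agent rejected, grouped by client IP, so false positives can be
# reviewed before anything is added to the IP Allow List. Assumes the
# Exchange 2007 Get-AgentLog record fields used below and PowerShell 2.0+.

function Get-BlockListRejections {
    param(
        [object[]]$Entries,          # records from Get-AgentLog (or shaped like them)
        [string]$SenderLike = '*'    # e.g. '*@hotmail.com' to narrow the report
    )
    $Entries |
        Where-Object {
            $_.Agent -eq 'Connection Filtering Agent' -and
            $_.Action -eq 'RejectCommand' -and
            "$($_.P1FromAddress)" -like $SenderLike
        } |
        Group-Object -Property IPAddress | ForEach-Object {
            $hits = $_.Group | Sort-Object Timestamp
            New-Object PSObject -Property @{
                IPAddress = $_.Name
                Hits      = $_.Count
                FirstSeen = $hits[0].Timestamp
                LastSeen  = $hits[-1].Timestamp
                # Assumption: ReasonData names the block list provider that matched.
                Providers = ($hits | ForEach-Object { "$($_.ReasonData)" } | Sort-Object -Unique) -join ', '
                Senders   = ($hits | ForEach-Object { "$($_.P1FromAddress)" } | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Hits -Descending
}

# Constructed sample records shaped like Get-AgentLog output; documentation
# IP ranges and example.net addresses, not real hosts or senders.
$sample = @(
    @{Timestamp=[DateTime]'2011-07-05 09:12'; Agent='Connection Filtering Agent'; Action='RejectCommand';
      IPAddress='203.0.113.5';  Reason='BlockListProvider'; ReasonData='dnsbl.sorbs.net';  P1FromAddress='friend@hotmail.com'},
    @{Timestamp=[DateTime]'2011-07-06 14:30'; Agent='Connection Filtering Agent'; Action='RejectCommand';
      IPAddress='203.0.113.5';  Reason='BlockListProvider'; ReasonData='zen.spamhaus.org'; P1FromAddress='other@hotmail.com'},
    @{Timestamp=[DateTime]'2011-07-06 15:02'; Agent='Connection Filtering Agent'; Action='RejectCommand';
      IPAddress='198.51.100.9'; Reason='BlockListProvider'; ReasonData='bl.spamcop.net';   P1FromAddress='noreply@example.net'},
    @{Timestamp=[DateTime]'2011-07-06 15:05'; Agent='Content Filter Agent';       Action='RejectMessage';
      IPAddress='198.51.100.9'; Reason='SclAtOrAboveRejectThreshold'; ReasonData='8';  P1FromAddress='noreply@example.net'}
) | ForEach-Object { New-Object PSObject -Property $_ }

# The content-filter record is ignored; only connection-filter rejects are reported.
Get-BlockListRejections -Entries $sample -SenderLike '*@hotmail.com' |
    Format-Table IPAddress, Hits, FirstSeen, LastSeen, Providers, Senders -AutoSize

# On the server, feed the real agent log (last 7 days). Allow-list only IPs the
# recipients have confirmed, with an expiry so the entry gets revisited:
#   Get-BlockListRejections -Entries (Get-AgentLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date))
#   Add-IPAllowListEntry -IPAddress 203.0.113.5 -ExpirationTime (Get-Date).AddDays(30) -Comment 'Confirmed false positive'
```

Grouping by IP rather than by sender is deliberate: as the reply above says, a DNSBL only ever sees the connecting address, so the IP is the thing to check against the provider's listing and, if it is a false positive, the thing to allow. The `Providers` column shows which of the three configured lists produced the hit, which is also what you need when deciding whether a particular list is worth keeping.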
Hi Rich,
I'm using dnsbl.sorbs.net. I'm pretty OK with the job that my 3 RBLs are doing, though I'm open to suggestions for improvement. Most spam is getting caught and only a few legit senders are getting blocked.
One thing is troubling me though about adding sender email addresses to the whitelist using:
Set-ContentFilterConfig -BypassedSenders foo@somedomain.com
It appears that if I use that command to enter a second email address, it overwrites the first. I'm assuming that's the case because when I issue the Get-ContentFilterConfig command it only shows me the last email address that I added. I invoked the help for that commandlet, but I don't see any 'append' switch. I'm assuming that I just have to create and save a text file with all of the addresses that I want to add and then when I need to add more addresses edit the list and run the entire list through again. Seems like a lame design if I'm understanding it correctly.
Anyway, once I get confirmation on the above, I think this issue can be marked as 'Answered'. The 'intermittent' aspect of this issue is that these webmail providers use many different mail servers and some show up on blacklists and some don't...so it's 'luck of the draw' so to speak.
TIA
Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.centralcoastcomputing.com
July 12th, 2011 2:10pm
On Tue, 12 Jul 2011 18:01:21 +0000, Wayniack wrote:
>I'm using dnsbl.sorbs.net. I'm pretty OK with the job that my 3 RBLs are doing, though I'm open to suggestions for improvement. Most spam is getting caught and only a few legit senders are getting blocked.
That's a pretty big list.
It's important to understand that a DNSBL doesn't "catch" spam, it
just uses IP addresses. Put an IP address in a DNSBL and all email is
refused regardless of its content.
>One thing is troubling me though about adding sender email addresses to the whitelist using:
>
>Set-ContentFilterConfig -BypassedSenders foo@somedomain.com
>
>It appears that if I use that command to enter a second email address, it overwrites the first. I'm assuming that's the case because when I issue the Get-ContentFilterConfig command it only shows me the last email address that I added. I invoked the help for that commandlet, but I don't see any 'append' switch. I'm assuming that I just have to create and save a text file with all of the addresses that I want to add and then when I need to add more addresses edit the list and run the entire list through again. Seems like a lame design if I'm understanding it correctly.
$x = get-contentfilterconfig
$x.bypassedsenders += "foo@somedomain.com"
$x | set-contentfilterconfig
>Anyway, once I get confirmation on the above, I think this issue can be marked as 'Answered'. The 'intermittent' aspect of this issue is that these webmail providers use many different mail servers and some show up on blacklists and some don't...so it's 'luck of the draw' so to speak.
---
Rich Matheisen
MCSE+I, Exchange MVP
July 12th, 2011 10:54pm
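The `+=` pattern in the reply above, carried through to the text-file workflow the question describes, as an added PowerShell example (not code from the thread or from Microsoft). It appends every address from a file that is not already on the bypass list, skips blanks, comments and malformed entries, and only calls `Set-ContentFilterConfig` when something actually changed, so the file can be edited and re-run without clobbering or duplicating what is already there. It assumes the Exchange 2007 `Get-ContentFilterConfig`/`Set-ContentFilterConfig` cmdlets and PowerShell 2.0 or later; the function name `Add-BypassedSenders` and the file path are this example's own.

```powershell
# Added example, not code from the thread. Appends sender addresses from a
# text file (one per line, '#' comments allowed) to the content filter's
# BypassedSenders list without overwriting existing entries or adding
# duplicates. Assumes Exchange 2007 Get-/Set-ContentFilterConfig and PS 2.0+.

function Add-BypassedSenders {
    param([string[]]$Addresses)

    $config   = Get-ContentFilterConfig
    # Compare case-insensitively; addresses on the list may be stored as objects.
    $existing = @($config.BypassedSenders | ForEach-Object { "$_".ToLower() })
    $added    = @()

    foreach ($addr in $Addresses) {
        $addr = "$addr".Trim().ToLower()
        if (-not $addr -or $addr.StartsWith('#')) { continue }        # blank line or comment
        if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "Skipping malformed address: $addr"
            continue
        }
        if ($existing -contains $addr) { continue }                   # already bypassed
        $config.BypassedSenders += $addr                              # same += as the reply above
        $existing += $addr
        $added    += $addr
    }

    if ($added.Count -gt 0) {
        $config | Set-ContentFilterConfig                             # one write for the whole batch
        Write-Host ("Added {0} sender(s): {1}" -f $added.Count, ($added -join ', '))
    } else {
        Write-Host 'Nothing to add; bypass list already up to date.'
    }
}

# Hypothetical path; keep the master list in source control or a backed-up share.
Add-BypassedSenders -Addresses (Get-Content 'C:\ExchangeAdmin\bypassed-senders.txt')

# Verify the full list survived the update:
(Get-ContentFilterConfig).BypassedSenders
```

One caveat worth keeping in mind alongside this list: it bypasses the Content Filter agent only. A connection the Connection Filtering agent refuses because of an RBL hit is turned away before any content filtering happens, which is the point made earlier in the thread about DNSBLs acting purely on IP addresses, so a Hotmail or Yahoo server that is listed still needs the IP Allow List (or a different choice of block lists), not a bypassed sender entry.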