Problem with RBLs in Exchange 2007
*Note we are using Exchange 2k7* As a small business right now we are just using the RBL lists to manage our spam filters. We currently filter through with Barracuda and "dnsbl-1.uceprotect.net". If we get a false positive, every Microsoft site I have read suggests to add that address to the white list via command line. I add both the domain and the address to the list using the "Set-ContentFilterConfig -BypassedSenders" command; however, some of the emails are still getting blocked even after we have white listed them. Am I missing a command?
Here is what the log is saying about the email. Please note both the domain and the address have been added to the bypassed senders list
"
P1FromAddress : Senderwhocantgetthrough
P2FromAddresses : {}
Recipients : {Recieving@address.com}
Agent : Connection Filtering Agent
Event : OnRcptCommand
Action : RejectCommand
SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on
a block list
Reason : BlockListProvider
ReasonData : uceprotect.net
Diagnostics : "
August 24th, 2011 11:59pm
On Wed, 24 Aug 2011 20:59:37 +0000, Noah_NSL wrote:
>
>
>*Note we are using Exchange 2k7* As a small business right now we are just using the RBL lists to manage our spam filters. We currently filter through with Barracuda and "dnsbl-1.uceprotect.net". If we get a false positive, every Microsoft site I have read suggests to add that address to the white list via command line. I add both the domain and the address to the list using the "Set-ContentFilterConfig -BypassedSenders" command; however, some of the emails are still getting blocked even after we have white listed them. Am I missing a command?
>
>
>
>Here is what the log is saying about the email. Please note both the domain and the address have been added to the bypassed senders list
>
>
>
>"
>P1FromAddress : Senderwhocantgetthrough
>P2FromAddresses : {}
>Recipients : {Recieving@address.com}
>Agent : Connection Filtering Agent
>Event : OnRcptCommand
>Action : RejectCommand
>SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on a block list
>Reason : BlockListProvider
>ReasonData : uceprotect.net
>Diagnostics : "
If you run "Get-ContentFilterConfig | fl BypassedSenders,BypassedSenderDomains"
do you see those addresses you've white listed?
Can you post an example of how you add a new address to either one
of the BypassedSenders or BypassedSenderDomains properties? Without
seeing how you go about this, I'm guessing that you're simply
replacing the existing set of addresses with the new one you give in
the Set-ContentFilterConfig.
---
Rich Matheisen
MCSE+I, Exchange MVP
August 25th, 2011 4:38am
No problem.
When I add a user I use the following:
"Set-ContentFilterConfig -BypassedSenders Newuser@contoso.com,olduser@contoso.com,olduser1@contoso.com"
I know that adding a new person to the list via command line will erase any names that were already there unless you add them in the new command as well.
When I run the "Get-ContentFilterConfig" I DO see the names and domains I wanted to white list.... However, if I later that day run the following to see what was blocked:
Get-AgentLog -StartDate "8/24/2011" -EndDate "8/24/2011" | where {$_.Reason -eq "BlockListProvider"} > c:\report.txt
I see some of the white listed addresses blocked.
August 25th, 2011 3:25pm
On Thu, 25 Aug 2011 12:25:27 +0000, Noah_NSL wrote:
>
>
>No problem.
>
>
>
>When I add a user I use the following
>
>
>
>"Set-ContentFilterConfig -BypassedSenders Newuser@contoso.com,olduser@contoso.com,olduser1@contoso.com"
>
>
>
>I know that adding a new person to the list via command line will erase any names that were already there unless you add them in the new command as well.
>
>When I run the "get-contentfilterconfig" I DO see the names and domains I wanted to white list.... However if I later that day run the
>
>Get-AgentLog -StartDate "8/24/2011" -EndDate "8/24/2011" | where {$_.Reason -eq "BlockListProvider"} > c:\report.txt
>
>
>
>To see what was blocked. I see some of the white listed addresses blocked.
You understand that CONTENT filtering deals with the contents of the
message, and that CONNECTION filtering deals with whether or not a
connection will be allowed or denied, right?
A DNSBL just looks at the IP address of the sender, but it does so (on
Exchange 2007) at the RCPT TO commands so certain recipients (not
senders) can be excluded by adding them to an exclusion list.
I don't think there's a way to exclude a sender's e-mail address or
domain from connection filtering. You'll have to manage that by
whitelisting the IP address of the sending organization on each of the
edge or hub transport servers.
---
Rich Matheisen
MCSE+I, Exchange MVP
August 26th, 2011 6:05am
Could you clarify something.... are you using the Barracuda RBL? Or is all of your inbound mail coming in through a Barracuda appliance?
Jim McBee - Blog - http://mostlyexchange.blogspot.com
August 26th, 2011 7:24am
We are using the barracuda RBL not a barracuda appliance.
I think I understand. Let me sum up and ask some questions to make sure I'm all clear. Correct me if I am going wrong anywhere.
- Incoming mail is checked by the connection filter for its IP... Exchange pulls that info from the RBL we have set up.
- It then goes to the content filter where, even though I have it set up on a whitelist (via the "Set-ContentFilterConfig -BypassedSenders" command), if it's bad it's already been blocked, so the whitelist is useless (for my purposes at least).
- There is no way to white-list by address or domain on the connection filter. (We can't just add IP addresses because they are from ISPs, and that starts to make the whole RBL useless if you open every one of their email IP addresses.)
Two quick questions:
1. Is there a way using Exchange to set up connection filtering to allow certain addresses through? Via edge server or TMG?
2. Is this a feature MS is looking into? It seems like a fairly basic feature that could help a lot of people out.
August 26th, 2011 6:46pm
Hi Noah_NSL,
For 1, please refer to below information:
http://technet.microsoft.com/en-us/library/bb123801(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb123554(EXCHG.80).aspx
You could add the IP address to the whitelist using Add-IPAllowListEntry.
If I misunderstand your issue, please feel free to let me know.
Regards!
Gavin
August 31st, 2011 8:49am
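The connection-filter workflow discussed up to this point, as an added Exchange Management Shell example that is not part of any poster's message: it finds the connecting IPs behind the BlockListProvider rejections, tests them against the configured providers, then adds a time-limited IP Allow list entry or a recipient exemption. The sender, recipient and IP values are placeholders (assumptions), and an allow entry exempts all mail from that IP, which is the trade-off raised earlier in the thread.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Hub/Edge Transport server that runs the Connection Filtering agent.
# All addresses and the IP below are placeholders.
$sender = 'sender@example.com'       # P1FromAddress seen in the agent log
$start  = Get-Date '8/24/2011'
$end    = $start.AddDays(1)          # search through the following midnight

# 1. Find the connecting IPs behind the DNSBL rejections for this sender.
#    BypassedSenders is never consulted here: the reject happens at RCPT TO.
$rejects = Get-AgentLog -StartDate $start -EndDate $end | Where-Object {
    $_.Agent -eq 'Connection Filtering Agent' -and
    $_.Reason -eq 'BlockListProvider' -and
    $_.P1FromAddress -eq $sender
}
$rejects | Group-Object IPAddress | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Query every configured provider for each IP to see which list matched.
$ips = $rejects | ForEach-Object { $_.IPAddress.ToString() } | Sort-Object -Unique
foreach ($ip in $ips) {
    foreach ($provider in (Get-IPBlockListProvider)) {
        Test-IPBlockListProvider -Identity $provider.Name -IPAddress $ip
    }
}

# 3. After reviewing the output, allow a single IP with an expiry so the
#    exemption is revisited instead of living forever. This exempts every
#    sender behind that IP, so keep the entry as narrow as possible.
Add-IPAllowListEntry -IPAddress 192.0.2.25 `
    -ExpirationTime (Get-Date).AddDays(30) `
    -Comment 'False positive on uceprotect.net for sender@example.com'
Get-IPAllowListEntry

# 4. Alternative: exempt one internal recipient from the block list providers.
#    The parameter replaces the whole list, so read the current values first.
$current = @((Get-IPBlockListProvidersConfig).BypassedRecipients |
    ForEach-Object { $_.ToString() })
Set-IPBlockListProvidersConfig `
    -BypassedRecipients ($current + 'postmaster@contoso.com')
```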
After quite a bit of searching I landed here and have the exact same issue with Exchange 2010.
A message comes in and is rejected by the transport Anti-spam IP Block List Providers BEFORE any whitelisting is checked.
In this case, random valid email messages that come through domains hosted by GoDaddy will be rejected from the RBL lookup although they have been added either by domain or specific email address to the bypass lists on Exchange 2010.
I realize the order Exch is taking to process these messages, but this has got to be reviewed by MS and a better solution put into place.
The first few lines of the receive SMTP log show the sender's address along with the IP address of the server before the rejection takes place. Why would it be so difficult to have Exchange process that email against the bypass list before rejecting the message?
This could simply be an option in the Org Config -> Hub Transport -> IP Block List Providers (checkbox -> process bypass list before applying RBL response). This way it is an option for an organization to choose to accept mail from specific accounts even if they are coming in from a hosting provider with questionable customers.
If that is a problem, how about an additional attribute in the bypass command in EMS to compare between the bypass list address and the listed RDNS response matching a specified domain? For example:
If bypass address / domain on list = myclient.com AND RDNS response domain was secureserver.net (GoDaddy example), then process mail and skip RBL.
This would cut way down on the chance someone could spoof the sender address to skip past your RBL. They would have to be trying to spam you with a spoofed address AND originate the message from within the correct email system's IP addresses to match the reverse lookup.
Thoughts? Microsoft Guys?
April 13th, 2012 7:28pm
Hi Eleska,
Sure, your understanding is right. And your idea is also very good. As far as I know, different agents are involved at different steps during the whole mail flow.
So, in my opinion, there would not be an easy way to switch it smoothly.
I would also expand the idea to others. Thanks for your idea!
Regards!
Gavin
TechNet Community Support
April 15th, 2012 11:19pm