Exchange Server 2003 Real-Time Block Lists
Topic Last Modified: 2006-01-11
In an earlier Exchange Insider article, Introduction to Exchange Server 2003 ESM Features - Part 2, there was mention of the real-time block list (RBL) feature. This article expands on the information, explaining what RBL is and why you might use it. Much of this information is adapted and taken from the Microsoft Exchange Server 2003 Getting Started Guide as well as from information in the references in the For More Information section.
Real-time block list (RBL) was introduced as a feature of Microsoft® Exchange Server 2003 and is a tool to stop the influx of unsolicited commercial e-mail (UCE) from arriving in user inboxes. Real-time block lists are provided by external sources that keep track of known UCE (also known as spam) sources and often include dial-up user accounts. Dial-up users should not be relaying Simple Mail Transfer Protocol (SMTP) traffic off your server. Often deployed on the edge or first hop of the incoming stream of SMTP traffic, RBL can be effective in stopping known UCE sources from sending UCE to your domain and therefore your users.
Consider the following frequently asked questions (FAQs).
RBL is one tool to combat UCE. When used with other tools such as content filtering, RBL can stop UCE from arriving in user inboxes. However, this protection comes at a price: RBL intentionally causes mail loss by refusing to accept any mail from a reported UCE source.
How do these lists determine that a domain is a source of UCE or an open relay? The answer depends on many factors. Some lists actively scan hosts by net block to find open relays. Mail Abuse Prevention System LLC (MAPS), a California-based company, among others, is known for this kind of proactive probing. They also accept the word of Internet users who report a domain as a UCE source or open relay. Some lists do both; others rely only on user input such as subscriber reports, or only on scanning. This means that accuracy often depends on the judgment of the people who maintain the lists, which can lead to problems.
Because mail is denied based on hosts reported by users on the Internet, somebody who is unhappy with you or your domain can report you as a UCE source or open relay and have you block-listed. This can disrupt mail flow between your company and legitimate business recipients. You need to use this feature carefully.
Each list provider has its own process to remove someone from the list, but it is not always as quick to be removed from a list as it is to be added. One example of how a server got on a block list is illustrated in Microsoft Knowledge Base article 304897, "SMTP relay behavior in Windows 2000, Windows XP, and Exchange Server."
With RBL having the problems listed above, why should you use it? Because it is so effective at combating UCE. RBL is one of the most effective vehicles for stopping the spread of UCE, and that makes it worth the risk for many to deploy it. At its foundation, RBL is a way for Internet users to report known UCE sources and to keep a running database of those sources.
Exchange Server 2003 supports connection filtering based on real-time block lists. This feature allows you to check an incoming Internet Protocol (IP) address against an RBL provider list for categories you want to filter. If a match is found on the RBL provider list, SMTP issues a 550 5.x.x error in response to the RCPT TO command, and a customized error response is issued to the sender. You can use several connection filters, and prioritize the order in which each filter is applied.
When you create a connection filter, you establish a rule that SMTP uses to perform a Domain Name System (DNS) lookup to a list provided by a third-party RBL service. The connection filter matches each incoming IP address against the block listed resources provided by the third party. The RBL provider issues one of two responses:
Host not found: This indicates that the IP address is not present on its block list.
127.0.0.x: This is a response status code, which indicates that a match for the IP address was found in the list of offenders. The x varies depending on your provider.
If the incoming IP address is found on the list, SMTP returns a 5.x.x error in response to the RCPT TO command, the SMTP command the connecting server issues to identify the intended message recipient.
You can customize the response returned to the sender. Additionally, because real-time block list providers usually contain different categories of offenders, you can specify what types of matches you want to reject. Most real-time block list providers screen for three types of offenders:
Sources of unsolicited commercial e-mail: These lists are generated by scanning unsolicited commercial e-mail messages and adding the source address to the list.
Known open relay servers: These lists are calculated by identifying open relay SMTP servers on the Internet. The most common reason for an open relay server is incorrect configuration by the system administrator.
Dial-up user lists: These lists are built from source lists from Internet service providers (ISPs) of IP addresses with dial-up access, or from inspection of addresses that indicate a probable dial-up connection.
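The following is an added example, not code from this article or from Exchange Server, that shows the DNS lookup a connection filter performs: the connecting IPv4 address is reversed octet by octet, the provider's DNS suffix is appended, and the answer is either "host not found" (not listed) or a 127.0.0.x status code. The provider zone rbl.example.net, the listed addresses, and the resolver functions are constructed for the example; the category bits 1, 2 and 4 follow the codes this article lists for its example provider, and a real provider may assign the last octet differently.

```python
import ipaddress
import socket

# Constructed stand-in for a provider's DNS zone (not a real RBL); keys are
# the reversed-octet query names, values the 127.0.0.x answers it would return.
FAKE_RBL_ZONE = {
    "10.2.0.192.rbl.example.net": "127.0.0.2",    # listed as an open relay
    "25.113.0.203.rbl.example.net": "127.0.0.5",  # blocklist (1) + dial-up (4)
}

# Category bits as used by the example provider in this article; other
# providers assign different meanings to the last octet.
CATEGORY_BITS = {1: "Blocklist", 2: "Known Open Relay", 4: "DialUp IP Address"}


def rbl_query_name(ip, provider_suffix):
    """Build the name the filter looks up: the connecting IPv4 address with
    its octets reversed, followed by the provider's DNS suffix."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{provider_suffix}"


def resolve_offline(name, zone=FAKE_RBL_ZONE):
    """Stand-in resolver: returns the A record, or None for 'host not found'."""
    return zone.get(name)


def resolve_live(name):
    """Real lookup through the system resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret_response(answer):
    """Map a provider answer to (listed, categories).

    Anything other than 127.0.0.x is treated as 'not listed': if a list's
    domain lapses and a wildcard starts answering with public addresses,
    failing open avoids rejecting all inbound mail.
    """
    if answer is None:
        return False, []
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        return False, []
    x = int(octets[3])
    categories = [name for bit, name in CATEGORY_BITS.items() if x & bit]
    return True, categories


def check_connection(ip, provider_suffix, resolver=resolve_offline):
    """Full connection-filter lookup for one connecting address."""
    return interpret_response(resolver(rbl_query_name(ip, provider_suffix)))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.25", "198.51.100.7"):
        print(ip, check_connection(ip, "rbl.example.net"))
```

Passing `resolver=resolve_live` performs the same lookup against a real provider suffix through the system resolver; the offline table is there so the decision logic can be exercised without network access.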
Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
Expand the Global Settings container, right-click the Message Delivery object, and then click Properties.
Select the Connection Filtering tab.
To create a connection filter rule, click Add.
In Display Name, type a name for the connection filter.
In DNS Suffix of provider, enter the DNS suffix of the provider, for example, contoso.com.
In Custom Error Message to Return, if desired, type a custom error message to return to the sender. Leave this field blank to use the following default error message:
<IP address> has been blocked by <Connection Filter Rule Name>
A custom message can be generated using the following variables:
%0 – connecting IP address
%1 – rule name of the Connection Filter
%2 – the RBL provider
For example, if you want your custom message to read:
The IP address <IP address> has been blocked by the following RBL provider
<RBL provider name>
You would enter the following in the custom error message:
The IP address %0 was rejected by RBL provider %2.
Note: Exchange will replace %0 with the connecting IP address and %2 with the RBL provider.
To configure which return status codes received from the RBL provider you want to match in this connection filter, click Return Status Code.
Select one of the following options:
Click Match Filter Rule to Any Return Code. This connection filter rule is matched to any return status code received from the provider service. This sets the default value that matches the connection filter to any return status.
127.0.0.1 – Blocklist
127.0.0.2 – Known Open Relay
127.0.0.4 – DialUp IP Address
Click Match Connection Filter to the Following Mask. This connection filter rule is matched to return status codes received from the provider by using a mask to interpret them. Enter the mask you want to filter against according to the masks used by your providers.
0000 | 0001 – Blocklist
0000 | 0010 – Open Relay
0000 | 0011 – Open relay or Blocklist
0000 | 0100 – Dialup host
0000 | 0101 – Dialup or Blocklist
0000 | 0110 – Dialup or Openrelay
0000 | 0111 – Dialup, Openrelay, or Blocklist
Click Match Filter Rule to Any of the Following Responses. This connection filter rule is matched to returned status codes received from the provider by using the specific values of the return status codes.
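The following is an added example, not code from this article or from Exchange Server, that models the three return-status matching options above together with the %0, %1 and %2 substitution described for the custom error message. It takes the provider answer as input (None standing for "host not found"), accepts masks written the way this article lists them ("0000 | 0101"), and keeps the article's default message text. The function names, the rule name "Contoso RBL" and the provider suffix rbl.example.net are constructed for the example.

```python
import re
from enum import Enum

# The article's default text: "<IP address> has been blocked by <Connection Filter Rule Name>"
DEFAULT_MESSAGE = "%0 has been blocked by %1"


class MatchMode(Enum):
    ANY_RETURN_CODE = "Match Filter Rule to Any Return Code"
    MASK = "Match Connection Filter to the Following Mask"
    SPECIFIC_RESPONSES = "Match Filter Rule to Any of the Following Responses"


def parse_mask(text):
    """Parse a mask written as in the article, e.g. '0000 | 0101' -> 5."""
    bits = text.replace("|", "").replace(" ", "")
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError(f"bad mask {text!r}")
    return int(bits, 2)


def last_octet(answer):
    """The x in a 127.0.0.x status code; anything else is not a status code."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"not an RBL status code: {answer!r}")
    return int(octets[3])


def response_matches(answer, mode, mask=0, responses=()):
    """Decide whether a provider answer (None = host not found) triggers the rule."""
    if answer is None:
        return False  # not listed: nothing to match, mail is accepted
    if mode is MatchMode.ANY_RETURN_CODE:
        return True
    if mode is MatchMode.MASK:
        # A bit set in both the answer and the mask means one of the selected
        # categories applies, e.g. mask 0101 matches 127.0.0.1, .4 and .5.
        return (last_octet(answer) & mask) != 0
    if mode is MatchMode.SPECIFIC_RESPONSES:
        return answer in responses
    raise ValueError(mode)


def format_rejection(template, ip, rule_name, provider):
    """Expand %0 (IP), %1 (rule name), %2 (provider) in a single pass so a
    substituted value containing '%' is never expanded again."""
    subs = {"0": ip, "1": rule_name, "2": provider}
    text = template or DEFAULT_MESSAGE  # blank field -> default message
    return re.sub(r"%([012])", lambda m: subs[m.group(1)], text)


def smtp_reply(template, ip, rule_name, provider):
    """Text returned in response to RCPT TO; the 5.x.x enhanced status code
    Exchange adds is not specified in the article and is left out here."""
    return "550 " + format_rejection(template, ip, rule_name, provider)


if __name__ == "__main__":
    mask = parse_mask("0000 | 0101")  # Dialup or Blocklist
    for answer in ("127.0.0.1", "127.0.0.2", "127.0.0.4", None):
        print(answer, response_matches(answer, MatchMode.MASK, mask=mask))
    print(smtp_reply("The IP address %0 was rejected by RBL provider %2.",
                     "192.0.2.10", "Contoso RBL", "rbl.example.net"))
```

The mask mode is the one most often misconfigured: because the test is a bitwise AND, entering "0000 | 0111" matches every category the provider reports, so a rule meant to block only open relays must use "0000 | 0010" (or list 127.0.0.2 explicitly under the specific-responses option).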
After you create the connection filter, you must apply it to the SMTP virtual servers that you want to use the filter. Use the following procedure to apply a connection filter to an SMTP virtual server.
Apply a connection filter to an SMTP virtual server
In Exchange System Manager, expand the Servers container, expand <server name>, expand Protocols, and then expand the SMTP container.
Right-click the SMTP virtual server on which you want to apply the filter, and then click Properties.
On the General tab, click the Advanced button.
From the Advanced dialog box, select the IP address for which you want to apply the filter, and then click Edit.
In the Identification dialog box, select the Apply Connection Filter check box to apply the filter that you previously set.
If you have multiple virtual servers, repeat step 3 through step 6 for each virtual server on which you want to apply the filter.
For more information, see the following Exchange Server resource and Microsoft Knowledge Base articles: