Recipient Filtering

Recipient Filtering

Recipient Filtering

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 Topic Last Modified: 2006-08-21

The Recipient Filter agent is an anti-spam agent that is enabled on computers that have the Microsoft Exchange Server 2007 Edge Transport server role installed. The Recipient Filter agent relies on the RCPT TO Simple Mail Transfer Protocol (SMTP) header to determine what action, if any, to take on an inbound message.

When you configure anti-spam agents on an Edge Transport server, the agents act on messages cumulatively to reduce the number of unsolicited messages that enter the organization. For more information about how to plan and deploy the anti-spam agents, see Anti-Spam and Antivirus Functionality.

The Recipient Filter agent blocks messages according to the characteristics of the intended recipient in the organization. The Recipient Filter agent can help you prevent the acceptance of messages in the following scenarios:

Nonexistent recipients You can prevent delivery to recipients that are not in the organization's address book. For example, you may want to stop delivery to frequently misused account names, such as administrator@contoso.com or support@contoso.com.
Restricted distribution lists You can prevent delivery of Internet mail to distribution lists that should be used only by internal users.
Mailboxes that should never receive messages from the Internet You can prevent delivery of Internet mail to a specific mailbox or alias that is typically used inside the organization, such as Helpdesk.

The Recipient Filter agent acts on recipients that are stored in one or both of the following data sources:

Recipient Block list An administrator-defined list of recipients for which inbound messages from the Internet should never be accepted.
Recipient Lookup Verification that the recipient is in the organization. Recipient Lookup requires access to Active Directory directory service information that is provided by EdgeSync to Active Directory Application Mode (ADAM).

For more information about Recipient Block lists and Recipient Lookup functionality, see "Recipient Data Sources" later in this topic.

When you enable the Recipient Filter agent, one of the following actions is taken on inbound messages according to the characteristics of the recipients. These recipients are indicated by the RCPT TO header.

If the inbound message contains a recipient that is on the Recipient Block list, the Edge Transport server sends a "550 5.1.1 User unknown" SMTP session error to the sending server.
If the inbound message contains a recipient that does not match any recipients in Recipient Lookup, the Edge Transport server sends a "550 5.1.1 User unknown" SMTP session error to the sending server.
If the recipient is not on the Recipient Block list and the recipient is in Recipient Lookup, the Edge Transport server sends a "250 2.1.5 Recipient OK" SMTP response to the sending server, and the next anti-spam agent in the chain processes the message.

Recipient Data Sources

As mentioned earlier, the Recipient Filter agent references two data sources when it compares recipients on inbound messages: the Recipient Block list and Recipient Lookup.

Recipient Block List

The Recipient Block list is a list that is maintained by the Edge Transport server administrators. The Recipient Block list data is stored in the Edge Transport server instance of ADAM. You must enter blocked recipients on each Edge Transport server computer.

You can enter the recipients that you want the Recipient Filter agent to block in the Exchange Management Console on the Blocked Recipients tab of the Recipient Filtering Properties page. You use the Set-RecipientFilterConfig command in the Exchange Management Shell to enter recipients. For more information about how to configure the Recipient Filter agent, see Configuring Recipient Filtering.

Recipient Lookup

One benefit of the Recipient Filter agent is the ability to verify that the recipients on an inbound message are in your organization before Exchange 2007 transmits the message into your organization. The ability to verify recipients in your organization relies on a recipient data source that is available to the Edge Transport server. Because the Edge Transport server is not an Active Directory domain-joined computer and could be segregated from the organization by a firewall, you must configure a Recipient Lookup data source for the Edge Transport server to use.

The Edge Transport server role uses ADAM for configuration and data storage. For more information, see Using an Edge Subscription to Populate ADAM with Active Directory Data.

Tarpitting Functionality

Recipient Lookup functionality enables the sending server to determine whether an e-mail address is valid or invalid. As mentioned earlier, when the recipient of an inbound message is a known recipient, the Edge Transport server sends back a "250 2.1.5 Recipient OK" SMTP response to the sending server. This functionality provides an ideal environment for a directory harvest attack.

A directory harvest attack is an attempt to collect valid e-mail addresses from a particular organization so that the e-mail addresses can be added to a spam database. Because all spam income relies on trying to make people open e-mail messages, addresses that are known to be active are a commodity that malicious users, or spammers, pay for. Because the SMTP protocol provides feedback for known senders and unknown senders, a spammer can write an automated program that uses common names or dictionary terms to construct e-mail addresses to a specific domain. The program collects all e-mail addresses that return a "250 2.1.5 Recipient OK" SMTP response and discards all e-mail addresses that return a "550 5.1.1 User unknown" SMTP session error. The spammer can then sell the valid e-mail addresses or use them as recipients for unsolicited messages.

To combat directory harvest attacks, Exchange 2007 includes tarpitting functionality. Tarpitting is the practice of artificially delaying server responses for specific SMTP communication patterns that indicate high volumes of spam or other unwelcome messages. The intent of tarpitting is to slow down the communication process for such e-mail traffic so that the cost of sending spam increases for the person or organization that is sending the spam. Tarpitting makes directory harvest attacks too costly to automate efficiently.

If tarpitting is not configured, Exchange Server immediately returns a "550 5.1.1 User unknown" SMTP session error to the sender when a recipient is not located in Recipient Lookup. Alternatively, if tarpitting is configured, SMTP waits a specified number of seconds before it returns the "550 5.1.1 User unknown" error. This pause in the SMTP session makes automating a directory harvest attack more difficult and less cost-effective for the spammer. By default, tarpitting is configured for 5 seconds on Receive connectors.

To configure the time before SMTP returns the "550 5.1.1 User unknown" error, use the Exchange Management Console or the Exchange Management Shell to set the TarpitInterval value on the Receive connector. For more information about how to administer and configure Receive connectors, see Receive Connectors.

Multiple Namespaces

Some organizations accept e-mail messages for multiple domains. For example, one organization may accept messages for both the Contoso.com and the Woodgrovebank.com domains. Sometimes organizations are authoritative for all the domains for which they accept messages. In the context of SMTP, the organization is authoritative for a domain if the organization hosts and manages the mailboxes for that domain. This relationship extends to the Edge Transport server. An Edge Transport server may accept messages for multiple domains, but it may not be authoritative for all the domains. For example, an Edge Transport server can be configured to be authoritative for all recipients in the Contoso.com domain, but the Edge Transport server still accepts and forwards messages for the Woodgrovebank.com domain.

When you enable the Recipient Filter agent, the Recipient Filter agent performs recipient lookups only for the domains that are specified as authoritative in the Transport Server configuration. If an Edge Transport server accepts and forwards messages on behalf of another domain, but the Edge Transport server is not configured as authoritative, the Recipient Filter agent does not perform a recipient lookup. However, if a non-authoritative recipient is specified in the Recipient Block list, the recipient will still be blocked.

For More Information

For more information, see the following topics: