Sender filtering in Exchange Server

Sender filtering compares a list of blocked senders that's maintained by the Exchange administrator to the value of the MAIL FROM command in SMTP connections to determine what to do with inbound email messages from those blocked senders. Sender filtering in Exchange Server is provided by the Sender Filter agent, and is basically unchanged from Exchange Server 2010.

You can configure the Sender Filter agent block single senders (for example, kim@contoso.com), whole domains (contoso.com), or domains and all subdomains (*.contoso.com). You can control whether the agent inspects messages from internal sources, external sources, or both. You can also configure the action to take on messages from blocked senders:

  • Reject: The Sender Filter agent rejects the SMTP request with a 554 5.1.0 Sender Denied SMTP session error and closes the connection.

  • Stamp status: The Sender Filter agent accepts the message and updates the message to indicate that it came from a blocked sender. The Content Filter agent uses this information when it calculates the spam confidence level (SCL) of the message. For more information about content filtering and the Content Filter agent, see Content filtering.

By default, the Sender Filter agent is enabled on Edge Transport servers, but you can enable it on Mailbox servers. For more information, see Enable antispam functionality on Mailbox servers.

For more information about how to configure the Sender Filter agent, see Sender filtering procedures.

Important

The MAIL FROM: SMTP headers can be spoofed, so you shouldn't rely exclusively on the Sender Filter agent. Instead, you should use both the Sender Filter agent and the Sender ID agent. The Sender ID agent uses the originating IP address of the sending server to verify that the domain in the MAIL FROM: SMTP header matches the domain that's registered. For more information about the Sender ID agent, see Sender ID.

Using the Sender Filter agent to block messages

By default, the Sender Filter agent is configured to only inspect messages from external sources. External sources are defined as unauthenticated sources. You can configure the Sender Filter agent to inspect messages from internal (authenticated) sources. However, as best practice, you typically don't need to apply antispam filters to messages from trusted partners or from inside your organization.

You can also configure the Sender Filter agent to block inbound messages that don't specify a sender and domain in the MAIL FROM SMTP command. This setting helps to prevent NDR attacks on the Exchange server. Most legitimate SMTP messages come from SMTP servers that provide a sender and domain in the MAIL FROM command.

Specify the action for messages from blocked senders

After you've configured the blocked senders and the sources that are monitored by the Sender Filter agent, you need to configure the Sender Filter agent to reject or accept and stamp messages from those senders. We recommend that you reject the messages, because the chance of false positives based on the specific list of blocked senders is much less than other calculated message properties.

There are only two scenarios where a legitimate message might be rejected by the Sender Filter agent:

  • You mistype the blocked sender.

  • The domain in your Blocked Senders list is later re-registered to a legitimate company.