Understanding IP Allow List and IP Block List Providers

[This is pre-release documentation and subject to change in future releases. This topic's current status is: Writing Not Started.]

This topic explains how to use the Exchange Management Console or the Exchange Management Shell to configure IP Allow List providers and IP Block List providers for connection filtering.

The Connection Filter agent is an anti-spam agent that is enabled on computers that have the Microsoft Exchange Server 2007 Edge Transport server role installed. IP Block List and IP Allow List provider services can help you reduce spam and enhance overall message processing on your Edge Transport server. You should consider configuring multiple IP Block List provider services and IP Allow List provider services.

Note

IP Block List provider services are sometimes referred to as real-time block list (RBL) services. IP Allow List provider services are sometimes referred to as safe list services.

You can configure the priority rating that determines the order in which the Connection Filter agent queries IP Block List provider services. When the Connection Filter agent receives an IP Block list match, the Connection Filter agent stops querying other IP Block List provider services. For each IP Block List provider service that you configure, you can customize the Simple Mail Transfer Protocol (SMTP) 550 error message that is returned to the sender when the sender IP address is matched to an IP Block List provider service and is subsequently blocked by the Connection Filter agent.

Different IP Block List provider services may return different codes when the IP address of a remote server that sends a message matches an IP address on an IP Block List provider service's IP Block list. Most IP Block List provider services return either the bitmask or the absolute value data type. Within these data types, there may be multiple values that indicate the type of list that the submitted IP address is on.

Important

We recommend that you select reputable IP Block List providers with service level agreements (SLAs) that constrain the listing policies.

If you want to restrict the type of IP Block List matches that your organization blocks, you can configure the Connection Filter agent to act on a specific bitmask or on a specific absolute value. For example, you may block only those IP addresses that come from a direct spam source. By restricting blocks to such an IP Block List match, you do not block IP addresses that your IP Block List provider service defines as open relays. Alternatively, you can set the IP Block List provider configuration to block all IP Block matches that are returned by the IP Block List provider. See your IP Block List provider's documentation about the status codes that they return.

Before You Begin

To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

Also, before you perform these procedures, confirm the following:

Procedure

This section refers specifically to configuring IP Block List provider services. However, the concepts for configuring IP Block List provider services are the same for configuring IP Allow List provider services. Therefore, for the purposes of readability, this section explains configuration of both IP Block List and IP Allow List provider services by referencing IP Block List provider services only.

To use the Exchange Management console to configure IP Block List providers

  1. In the Exchange Management Console, click Edge Transport.

  2. In the work pane, click the Anti-Spam tab, and then select IP Block List Providers.

  3. In the action pane, click Properties, and then click the Providers tab.

  4. Click Add to add a new provider to the IP Block List providers.

  5. Enter the following information:

    • Provider name   In this field, type the name of the IP Block List provider service. This name is for your own use to identify the provider.
    • Lookup domain   In this field, type the domain name that the Connection Filter agent queries for updated IP Block list information.
    • Match to any return code   When you select this option, the Connection Filter agent treats any IP address status code that is returned by the IP Block List provider service as a match.
    • Match to the following mask   When you select this option, the Connection Filter agent acts only on messages that match the return status code of 127.0.0.x, where the integer x is any one of the following values:
      1   The IP address is on an IP Block list.
      2   The Simple Mail Transfer Protocol (SMTP) server is configured to act as an open relay.
      4   The IP address supports a dial-up IP address.
    • Match to any of the following responses   When you select this option, the Connection Filter agent acts only when the IP address status code returned by the IP Block List provider service exactly matches one of the status codes that you list.

  6. Click the Error Messages button to configure a custom error message that you want delivered in the SMTP session to senders whose messages are blocked by the Connection Filter agent when an IP Block List provider service matches the sender's IP address.

  7. Select the Custom error message option, and then type the error message in the text box.

    Note

    We recommend that you specify the IP Block List provider service in the response so that legitimate senders can contact the provider service.

  8. Click OK to close the Error Message dialog box.

  9. Click OK to close the Add IP Block List Provider dialog box.

  10. Click OK to close the dialog box and save your changes, or click Apply to save your changes without closing the dialog box.
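The following Python example is added here and is not Exchange or Microsoft code. It models the three match options from step 5 (any return code, bitmask, exact response) against the 127.0.0.x status codes using the 1, 2 and 4 values listed above, and the priority-ordered, stop-at-first-match querying described earlier in this topic. The provider names, the reversed-octet query naming and the assumption that the leading 127 octet carries no flag bits are constructed for the example.

```python
"""Added example (not Exchange code): how the Connection Filter agent's three
match options evaluate the 127.0.0.x codes an IP Block List provider returns,
and how priority-ordered querying stops at the first match."""
from ipaddress import IPv4Address

# Flag bits from the page's 127.0.0.x table: 1 = listed, 2 = open relay, 4 = dial-up.
BIT_LISTED, BIT_OPEN_RELAY, BIT_DIALUP = 1, 2, 4
FLAG_BITS = 0x00FFFFFF  # assumption: the leading 127 octet carries no flag information


def lookup_name(sender_ip, lookup_domain):
    """Reversed-octet query name sent to the provider's lookup domain
    (assumption: the provider follows the common DNSBL naming convention)."""
    return ".".join(reversed(sender_ip.split("."))) + "." + lookup_domain.strip(".") + "."


def is_match(returned, any_match=False, bitmask=None, absolute=()):
    """True when a provider's answer counts as a block-list match.

    returned  : A record the provider answered with, or None if not listed
    any_match : 'Match to any return code'
    bitmask   : 'Match to the following mask', e.g. '127.0.0.2' = open relays only
    absolute  : 'Match to any of the following responses', exact codes
    """
    if returned is None:
        return False
    if any_match:
        return True
    if bitmask is not None:
        flags = int(IPv4Address(returned)) & FLAG_BITS
        if flags & (int(IPv4Address(bitmask)) & FLAG_BITS):
            return True
    return returned in set(absolute)


def first_blocking_provider(providers, answers):
    """Query providers in priority order; stop at the first match.

    providers: list of dicts with 'name', 'priority' and is_match() keyword options
    answers  : constructed provider responses, keyed by provider name
    """
    for p in sorted(providers, key=lambda prov: prov["priority"]):
        opts = {k: v for k, v in p.items() if k not in ("name", "priority")}
        if is_match(answers.get(p["name"]), **opts):
            return p["name"]
    return None


# Constructed sample: two providers; the first is tuned to open relays only.
PROVIDERS = [
    {"name": "relays.example", "priority": 1, "bitmask": "127.0.0.2"},
    {"name": "spam.example", "priority": 2, "any_match": True},
]
```

With the sample providers, a sender returned as 127.0.0.1 (listed, not an open relay) passes the first provider and is caught by the second, while 127.0.0.2 is stopped at the first provider and the second is never queried.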

To use the Exchange Management Shell to configure IP Block List Providers

  • To add and configure a new IP Block List provider and include a rejection response, run the following command:

    Add-IPBlockListProvider -Name <String> -LookupDomain <SmtpDomain> [-BitmaskMatch <IPAddress>] [-Enabled <$true | $false>] [-IPAddressesMatch <IPAddress>] [-RejectionResponse <AsciiString>]
    

    For example, to configure Example.com as your IP Block List provider, run the following command:

    Add-IPBlockListProvider -Name:Example -LookupDomain:Contoso.com -BitmaskMatch 127.1.0.1 -RejectionResponse "Originating IP address matched to Contoso.com's IP Block List provider service"
    

For detailed syntax and parameter information, see the following topics:

For More Information

For more information about connection filtering and how to add IP addresses to the IP Allow list and IP Block list, see the following topics: