Connection filtering
When an email message reaches Forefront Protection 2010 for Exchange Server, the connection-filtering layer is the first layer to process the message. Connection filtering typically occurs at the network perimeter, on the Exchange Edge Transport server role. This layer filters the majority of spam coming into your organization.
Checks that occur at this level are based on the source IP address of the incoming message. The reputation of the connecting IP address is evaluated by means of lists from partners and third-party providers. Details are provided in subsequent sections.
IP allow list and IP block list
Each incoming message is checked against the IP block list. A message is rejected as spam if the message’s source IP address is found in the list, unless you set up a specific exception. An IP block list can be especially effective at stopping a spam attack from a single IP address.
In contrast to the IP block list, entering an IP address in the IP allow list allows all mail from that IP address to bypass protection layers and be delivered to its intended recipient.
For more details on setting up an IP block list or an IP allow list, see Using connection filtering.
DNS block list (DNSBL)
The DNS block list includes up-to-date block list information aggregated from several third-party block lists, such as Spamhaus, Forefront Online Protection for Exchange, and others (these are subject to change). The DNS block list is maintained by Microsoft, and no configuration is required. If the sender’s IP address is on the list, mail from that IP address is rejected, unless that sender has been specifically designated as safe.
If the connecting IP address has been listed on one of the vendor’s block lists, the returned query will contain the list where it appears and the proper instructions for how to implement corrective action. For example, if a message is blocked for an IP address because it appears, for example, on the Forefront Online Protection for Exchange block list, the Forefront Protection 2010 for Exchange Server DNSBL agent issues the following response: 550 5.7.1. Mail Submission Rejected by {blocklist_provider_name}. Mail From IP Banned. To request removal from the list please forward this message to delist.forefront@messaging.microsoft.com. If the IP address is added to the block list mistakenly or maliciously, forwarding the message to the specified alias allows the sender to request removal from the block list.
For more information on DNS block lists and connection filtering, see Using connection filtering.