Understanding Connection Filtering
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2010-01-22
The Connection Filter agent is an anti-spam agent enabled on computers running Microsoft Exchange Server 2010 that have the Edge Transport server role installed. The Connection Filter agent relies on the IP address of the remote server that's trying to connect, to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a by-product of the underlying TCP/IP connection required for the SMTP session. Because the Connection Filter agent must evaluate the IP address of the remote server that's sending the message to be effective, the Connection Filter agent is typically enabled on the Internet-facing Edge Transport server. However, you may also perform additional configuration to run the Connection Filter agent deeper in the inbound message path.
When you configure anti-spam agents on an Edge Transport server, the agents act on messages cumulatively to reduce the number of unsolicited messages that enter the organization. To reduce redundancy and improve overall system performance and efficiency, you must understand the order in which the agents evaluate inbound messages. Understanding the order in which the filters evaluate inbound messages will help you optimize your configuration of the Edge Transport servers. For more information about how to plan and deploy the anti-spam agents, see Understanding Anti-Spam and Antivirus Functionality.
When you enable the Connection Filter agent, the Connection Filter agent is the first anti-spam agent to run when an inbound message is evaluated.
When an inbound message is submitted to an Edge Transport server on which the Connection Filter agent is enabled, the source IP address of the SMTP connection is checked against IP Allow lists and IP Block lists. If the source IP address is listed on an IP Allow list, the message is sent to the destination without additional processing by other anti-spam agents. If the source IP address is listed on an IP Block list, the SMTP connection is dropped after all RCPT TO headers in the message are processed.
|The timing of when a specific connection is dropped may depend on other anti-spam configurations. For example, you can specify which recipients always receive e-mail messages, even if the source IP address is blocked. Additionally, you may have configured other agents that rely on content from the DATA command to be parsed. The Connection Filter agent always drops blocked connections according to the overall anti-spam configuration.|
If the source IP address isn't listed on any IP Allow list or IP Block list, the message continues to flow through other anti-spam agents if other anti-spam agents are configured.
Looking for management tasks related to anti-spam and antivirus functionality? See Managing Anti-Spam and Antivirus Features.
The Connection Filter agent compares the IP address of the server sending a message to any of the following data stores of IP addresses:
Administrator-defined IP Allow lists and IP Block lists
IP Block List providers
IP Allow List providers
For more information about IP Block List providers, see "IP Block List Providers" later in this topic.
You must configure at least one of these data stores of IP addresses for the Connection Filter agent to be operational. If the data stores of IP addresses don't contain the IP addresses on the IP Allow lists or IP Block lists, or if you don't have any IP Block List providers or IP Allow List providers configured, you should disable the Connection Filter agent.
Administrators of Edge Transport servers maintain administrator-defined lists of IP addresses. You can enter and delete the IP addresses that you want to allow or block by using the Exchange Management Console (EMC) or the Exchange Management Shell. You can add IP addresses individually, by IP address range, or by IP address and subnet mask.
When you add an IP address or IP address range, you must specify the IP address or IP address range as an IP Block list address or an IP Allow list address. Additionally, you can specify an expiration time for each IP Block list entry that you create. When you set the expiration time, the expiration time specifies how long the IP Block list entry is active. When the expiration time duration is reached, the IP Block list entry is disabled.
By using administrator-defined IP Allow lists and IP Block lists, you can configure connection filtering to support the following scenarios:
To exempt IP addresses from the IP Block lists of IP Block List providers
You may have to exempt IP addresses from the IP Block lists of IP Block List providers when legitimate senders are unintentionally put on an IP Block List provider's IP Block list. For example, legitimate senders could be unintentionally put on an IP Block list when an SMTP server was unintentionally configured to act as an open relay. In this scenario, the sender will probably try to correct the misconfiguration and remove the IP address from the IP Block List provider's IP Block list.
For more information about IP Block List providers, see "IP Block List Providers" later in this topic.
To deny access from IP addresses that are a source of unsolicited e-mail messages but aren't found on an IP Block List provider's IP Block lists
Sometimes, you may receive a large quantity of unsolicited messages from a source that wasn't yet identified by a real-time block list service to which you subscribe.
IP Block List provider services can help you reduce the number of unsolicited e-mail messages that enter your organization.
|IP Block List provider services are frequently referred to as real-time block list services or RBL services. The EMC refers to real-time block list services as IP Block List provider services. The terms real-time block list services, RBL services, and IP Block List provider services are equivalent.|
IP Block List provider services compile lists of IP addresses from which spam has originated in the past. Additionally, some IP Block List providers provide lists of IP addresses for which SMTP is configured for open relay. There are also IP Block List provider services that provide lists of IP addresses that support dial-up access. Internet service providers (ISPs) that provide dial-up access services to their clients assign dynamic IP addresses for each dial-up session. Some ISPs block SMTP traffic from dial-up accounts. These ISPs and the attendant dial-up IP ranges aren't typically added to IP Block lists. However, some ISPs allow clients to send SMTP traffic from dial-up accounts. Malicious users take advantage of ISPs that allow SMTP traffic to send spam on dynamically assigned IP addresses. When the IP address is put on an IP Block list, the malicious users start another dial-up session and receive a new IP address. Frequently, a single IP Block List provider can provide a list of IP addresses that covers all these spam threats.
You can configure multiple IP Block List provider configurations by using the EMC or the Shell. Each service requires a separate IP Block List provider configuration in the EMC or the Shell.
When you configure the Connection Filter agent to use an IP Block List provider, the Connection Filter agent queries the IP Block List provider service to determine whether a match exists with the connecting IP addresses before the message is accepted into the organization.
Before the Connection Filter agent contacts the IP Block List provider to verify an IP address, the IP address is first compared to the administrator-defined IP Allow list and IP Block list. If the IP address doesn't exist on either the administrator-defined IP Allow list or IP Block list, the Connection Filter agent queries the IP Block List provider services according to the priority rating assigned to each provider. If the IP address appears on the IP Block list of an IP Block List provider, the Edge Transport server waits for and parses the RCPT TO header, responds to the sending system with an SMTP 550 error, and closes the connection. If the IP address doesn't appear on the IP Block lists of any one of the IP Block List providers, the next agent in the anti-spam chain processes the connection. For more information about the order in which the default anti-spam and antivirus agents filter inbound messages from the Internet, see Understanding Anti-Spam and Antivirus Functionality.
When you use the Connection Filter agent, it's a best practice to use one or more IP Block List providers to manage access into your organization. The use of an administrator-defined block list to maintain your own IP Block list is time-consuming and may be impossible from a human resource perspective in most organizations. Therefore, we recommend the use of an external IP Block List provider service, whose sole purpose is to maintain IP Block lists.
However, there may be some disadvantages to using an IP Block List provider. Because the Connection Filter agent must query an external entity for each unknown IP address, outages or delays at the IP Block List provider service can cause delays in the processing of messages on the Edge Transport server. In extreme cases, such outages or delays could cause a mail-flow bottleneck on the Edge Transport server.
The other disadvantage of using an external IP Block List provider service is that legitimate senders are sometimes added to the IP Block lists of IP Block List providers by mistake. For example, legitimate senders can be added to the IP Block lists maintained by IP Block List providers as the result of an SMTP misconfiguration, where the SMTP server was unintentionally configured to act as an open relay.
For each IP Block List provider service that you configure, you can customize the SMTP 550 error returned to the sender when the sender IP address is matched to an IP Block List provider service and is subsequently blocked by the Connection Filter agent. It's a best practice to customize the SMTP 550 error to identify the IP Block List provider service that identifies the sender as a blocked IP address. This best practice enables legitimate senders to contact the IP Block List provider service so that they can be removed from the IP Block List provider service's IP Block list.
Different IP Block List provider services may return different codes when the IP address of a remote server sending a message matches an IP address on an IP Block List provider service's IP Block list. Most IP Block List provider services return one of the following data types: bitmask or absolute value. Within these data types, there may be multiple values that indicate the type of list that the submitted IP address is on.
This section shows an example of the status codes returned by most Block List providers. For details about the status codes that the provider returns, see the documentation from the specific provider.
For bitmask data types, the IP Block List provider service returns a status code of 127.0.0.x, where the integer x is any one of the values listed in the following table.
Values and status codes for bitmask data types
The IP address is on an IP Block list.
The SMTP server is configured to act as an open relay.
The IP address supports a dial-up IP address.
For absolute value types, the IP Block List provider service returns explicit responses based on the cause of the block of the IP address. The following table shows some examples of absolute values and the explicit responses.
Values and status codes for absolute value data types
The IP address is a direct spam source.
The IP address is a bulk mailer.
The remote server sending the message is known to support multistage open relays.
You can also manage inbound messages by using IP Allow List provider services that provide IP Allow lists. IP Allow lists are sometimes referred to as IP safe lists or white lists elsewhere in the software industry. IP Allow List providers maintain lists of IP addresses that are definitively known not to be associated with any spam activity. When an IP Allow List provider returns an IP Allow match, which indicates that the sender's IP address is more likely to be a reputable or safe sender, the Connection Filter agent relays the message to the next agent in the anti-spam chain.
In some organizations, the Edge Transport server role is installed on computers that don't process SMTP requests directly on the Internet. In this scenario, the Edge Transport server is behind another front-end SMTP server that processes inbound messages directly from the Internet. In this scenario, the Connection Filter agent must be able to extract the correct originating IP address from the message. To extract and evaluate the originating IP address, the Connection Filter agent must parse the Received headers from the message and compare those headers to the known SMTP server in the perimeter network.
When an RFC-compliant SMTP server receives a message, the server updates the message's Received header with the domain name and IP address of the sender. Therefore, for each SMTP server between the originating sender and the Edge Transport server, the SMTP server adds an additional Received header entry.
When you configure your perimeter network to support Exchange 2010, you must specify all the IP addresses for the SMTP servers in your perimeter network. The IP address data is replicated to Edge Transport servers by EdgeSync. When messages are received by the computer that runs the Connection Filter agent, the IP address in the Received header that doesn't match an SMTP server IP address in your perimeter network is assumed to be the originating IP address.
You must specify all internal SMTP servers on the transport configuration object in the Active Directory forest before you run connection filtering. Specify the internal SMTP servers by using the InternalSMTPServers parameter on the Set-TransportConfig cmdlet.
After you configure an IP Block List provider service or IP Allow List provider service, you can test to make sure that connection filtering is configured correctly for the particular service. Most IP Block List provider services or IP Allow List provider services provide test IP addresses that you can use to test their services. When you run a test against an IP Block List provider service or an IP Allow List provider service, the Connection Filter agent issues a Domain Name System (DNS) query based on the real-time block list IP address that should respond with a specific response. For more information about how to test IP addresses against an IP Block List provider service or an IP Allow List provider service, see Test-IPAllowListProvider and Test-IPBlockListProvider.