One of the transport agents that is installed on the Exchange 2013 Edge Transport server is the connection filter agent.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
[PS] C:\>Get-TransportAgent Identity Enabled Priority -------- ------- -------- Connection Filtering Agent True 1 Address Rewriting Inbound Agent True 2 Edge Rule Agent True 3 Content Filter Agent True 4 Sender Id Agent True 5 Sender Filter Agent True 6 Recipient Filter Agent True 7 Protocol Analysis Agent True 8 Attachment Filtering Agent True 9 Address Rewriting Outbound Agent True 10 |
The connection filter agent looks at the IP address of a server that is making an SMTP connection to the Edge Transport server and decides whether to block or allow the connection. It makes the decision by looking up the IP address in a block list, allow list, or by querying a block/allow list provider.
When your Exchange organization is receiving spam you can add the IP addresses of the spammers to an IP block list on the Edge Transport server. However this is quite inefficient, as you'll constantly be adding new IP addresses to the list.
A more effective approach is to use one or more IP block list providers, such as Spamhaus (my personal favourite) or SpamCop.
To add Spamhaus to your connection filter agent run the follow Exchange Management Shell command on the Edge Transport server.
|
1 |
[PS] C:\>Add-IPBlockListProvider -Name Spamhaus -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true -RejectionResponse "IP address is listed by Spamhaus" |
Note you can change the rejection message that it sent back to the sender.
|
1 |
[PS] C:\>Set-IPBlockListProvider Spamhaus -RejectionResponse "IP address is listed by Spamhaus Zen." |
You can add multiple providers, just make sure you check their guidance on whether there are issues adding multiple lookup domains from the same provider. Also make sure you check their terms and conditions and comply with any commercial usage policies they have.
|
1 2 3 4 5 6 |
[PS] C:\>Get-IPBlockListProvider Name LookupDomain Priority ---- ------------ -------- Spamhaus zen.spamhaus.org 1 SpamCop bl.spamcop.net 2 |
After the block list provider has been in place for a day or two you can see the results by running the Get-AntispamTopRBLProviders.ps1 script that ships with Exchange.
|
1 2 3 4 5 |
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\get-AntispamTopRBLProviders.ps1 Name Value ---- ----- Spamhaus 12 |
Paul is a Microsoft MVP for Office Apps and Services and a Pluralsight author. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server.
Shouldn’t the lookup domain for SpamCop be “bl.spamcop.net”, not “bl.spamcopy.net”?
Teet Saar.
Great tutorial, thanks! However my default location for the transport logs is on a different disk, so when I run get-AntispamTopRBLProviders, it returns the error:
The location “C:Program FilesMicrosoftExchange ServerV15TransportRolesLogsHubAgentLog” does not exist. Please specify a valid file or directory to look for agent logs using the -Location parameter.
The parameter seems obvious, but what file or directory should I be pointing it to if my transport logs on on volume T: ?
I got the same thing as Barry. I looked at the directory and sure enough it is not there.
This just sounds like a simple case of the script having a hard coded dependency on the default log path. Look in the script code and adjust it if you need to.
Hello
Can I use IPBlockList providers without Exchange Edge Transport role? I Have 1 Server With MBX and CAS roles installed.
From Exchange cmdlet’sTechnet site:
Add-IPAllowListProvider
Applies to: Exchange Server 2013
This cmdlet is available or effective only on Edge Transport servers in on-premises Exchange Server 2013.
Maybe you can enable some antispam feature on MBX role like senderid or senderfilter to prevent some spoof mail.
Hi,
upon running .Get-AntispamTopRBLProviders.ps1 under “C:Program FilesMicrosoftExchange ServerV15scripts” path,, it doesn’t show anything,, neither an error message, Is there something wrong? because we still receive tons of spam from a specific user only
If “the specific user” ‘s IP doesn’t list in the RBL(like spamhaus or spamcop),you will still receive its email.
Maybe you can:
1,block its IP address on the firewall
2, setting “mailflow”->”rules” on ECP to delete or reject specific sender by IP/Domain/Subject etc
3, setting set-senderfilterconfig’s blockeddomain option on the MBX server.
Hello Paul,
Is there any way to configure and use a IP blocklist provider on a mailbox server?
Kind regards,
Ronald Brouwer
How can I make sure either of the anti-spam works?
Great Tutorial.
Thank you sir.
when I run
C:Program FilesMicrosoftExchange ServerV15scripts>.get-AntispamTopRBLProviders.ps1
I get the error
[PS] C:\Windows\system32>C:Program FilesMicrosoftExchange ServerV15scripts>.get-AntispamTopRBLProviders.ps1
At line:1 char:50
+ C:Program FilesMicrosoftExchange ServerV15scripts>.get-AntispamTopRBLProvider …
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks (“&”) to pass it as part of a string.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : AmpersandNotAllowed