Connection Filtering, RBLs and SMTP logs in Exchange 2007/2010

by Bharat Suneja on July 27, 2007

Exchange Server 2003’s Connection Filtering feature allows you to block connections from IP addresses explicitly added to the Global Deny List, or drop messages from IP addresses listed on a RBL (Real-Time Blackhole List / Real-Time Block List).

Note: The term “RBL” is commonly used to describe DNS Black Lists (DNSBLs), but it’s a trademark of Mail Abuse Prevention System (MAPS), one of the first RBLs. It was acquired by Trend Micro in 2005. Exchange Server 2007 uses the term IP Block List Provider.

When connections from IP addresses listed on the Global Deny List are dropped, you don’t find any trace of those dropped connections in the SMTP logs [for more details about SMTP logging in Exchange Server 2003, read the previous post “Logging SMTP protocol activity”]. This is understandable — the IP addresses are explicitly added to the deny list by an administrator, and an SMTP session is never initiated. It’s not as important to log these (though many would prefer to capture information about connections so blocked). If in doubt about which hosts are getting blocked, all one needs to do is look at this list.

When it comes to DNSBLs, the behavior is different. Connections are not dropped; instead, messages are rejected at the RCPT TO command. This allows you to receive mail for addresses on the Exception List. RFC 2821 requires that senders be able to contact the postmaster of a domain. You can also add some of the generic addresses from your domain to the Exception List if you don’t want email to these addresses blocked.

Here’s a demo of the SMTP session. As seen in the session, the sending host gets a 550 5.7.1 error code because the IP address is listed on a DNSBL, and the recipient (in the RCPT TO command) is not listed on the Exception List.

Here’s what the SMTP log shows (some irrelevant fields removed):

2007-07-25 19:04:54 172.31.1.10 0 HELO - - 250 0 49 4 0 SMTP - - - -
2007-07-25 19:04:59 172.31.1.10 0 MAIL - +from:[email protected] 250 0 41 26 50 SMTP - - - -
2007-07-25 19:05:11 172.31.1.10 0 RCPT - +to:[email protected] 550 0 0 31 5017 SMTP - - - -
2007-07-25 19:05:15 172.31.1.10 0 QUIT - - 240 22943 72 4 0 SMTP - - - -

The SMTP log records the response code 550, but not the enhanced status code 5.7.1. Having said that, even the enhanced status code doesn’t by itself allow you to narrow the rejection down to a DNSBL listing.

Connection Filtering in Exchange 2007/2010

Exchange Server 2007’s Connection Filtering agent behaves differently – connections from IP addresses explicitly listed in the IP Block List (the equivalent of the Global Deny List in Exchange Server 2003) are not dropped at the connection level. This change in behavior allows such connections to be logged. Anti-spam agent logs provide detailed information about why a message was accepted or rejected by the anti-spam agents. See Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs for more information about agent logs.

This change in behavior, together with agent logging and the Exchange Management Shell, gives you reporting and troubleshooting capabilities such as searching the agent logs for messages blocked by the Connection Filtering agent as a result of DNSBL lookups. This example searches the agent logs for messages blocked on 7/27/2007 with the reason BlockListProvider:

Get-AgentLog -StartDate "7/27/2007" | where {$_.Reason -eq "BlockListProvider"}

The Get-AgentLog output:

Timestamp : 7/27/2007 6:42:08 AM
SessionId : 08C99DA727C8EF31
IPAddress : 68.45.233.59
MessageId :
P1FromAddress : [email protected]
P2FromAddresses : {}
Recipients : {[email protected]}
Agent : Connection Filtering Agent
Event : OnRcptCommand
Action : RejectCommand
SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on block list
Reason : BlockListProvider
ReasonData : Spamhaus SBL-XBL
Diagnostics :
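As an added example (not part of the original post), the following Exchange Management Shell script builds on the one-liner above: it summarizes BlockListProvider rejections over a date range per source IP and per listing provider, and lists the configured IP Block List Providers so the ReasonData value can be matched to a lookup domain. The seven-day window and the export path are assumptions.

```powershell
# Added example, not code from the original post. Run in the Exchange
# Management Shell on a transport server with the anti-spam agents installed.
# Assumed window: the last seven days. Adjust as needed.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Read the agent logs and keep only Connection Filtering agent entries whose
# Reason is BlockListProvider, i.e. rejections caused by a DNSBL lookup rather
# than by an address on the locally maintained IP Block List.
$hits = Get-AgentLog -StartDate $start -EndDate $end |
    Where-Object {
        $_.Agent  -eq 'Connection Filtering Agent' -and
        $_.Reason -eq 'BlockListProvider'
    }

# One row per (source IP, provider that listed it): number of rejected RCPT
# commands and first/last time the IP was seen. Calculated properties are
# used instead of [PSCustomObject] so the script also runs on older shells.
$summary = $hits |
    Group-Object -Property IPAddress, ReasonData |
    Select-Object `
        @{Name='IPAddress';  Expression={ $_.Group[0].IPAddress }},
        @{Name='Provider';   Expression={ $_.Group[0].ReasonData }},
        @{Name='Rejections'; Expression={ $_.Count }},
        @{Name='FirstSeen';  Expression={ ($_.Group | Sort-Object Timestamp | Select-Object -First 1).Timestamp }},
        @{Name='LastSeen';   Expression={ ($_.Group | Sort-Object Timestamp | Select-Object -Last 1).Timestamp }} |
    Sort-Object Rejections -Descending

$summary | Format-Table -AutoSize

# Show which providers are configured and enabled, so a ReasonData value such
# as "Spamhaus SBL-XBL" can be tied to the DNS zone that was actually queried.
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled, Priority -AutoSize

# Export the summary for a ticket or for checking the IPs against the
# provider's own lookup page. Assumed path; change as needed.
$summary | Export-Csv -Path 'C:\Temp\dnsbl-rejections.csv' -NoTypeInformation
```

A large number of rejections from a single IP that belongs to a partner or upstream relay is the usual sign that a legitimate host has been listed and needs to be delisted or added to the IP Allow List.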


Justin August 13, 2007 at 2:48 pm

Perfect. Just what I was looking for.


Dan April 11, 2012 at 10:44 am

Thanks, this helped out greatly today! The getagent command provided allowed me to trace an IP our ISP uses for a sendmail host that made it onto some lists.
