
Wednesday, December 13, 2006

 

Exchange Server 2007: How are RBLs performing?

Posted by Bharat Suneja at 12:41 PM
Exchange Server 2007 includes a script that reports on how Realtime Block Lists (RBLs) perform - it provides the number of messages blocked.

The script, Get-AntispamTopRBLProviders.ps1, can be found in the \Exchange Server\Scripts folder.

To run it, fire up Exchange Shell:

.\get-antispamtoprblproviders.ps1

Name                 Value
----                 -----
Spamhaus SBL-XBL     6626
SORBS                33
NJABL                2

The script can be constrained to a particular time period with the optional parameters -startdate and -enddate. If not constrained by time, it looks at all the logs. By default, it returns the top 10 RBL providers. Hopefully you aren't using more than that, but if you are, you can get the top X RBL providers by adding -top:X (where X is the number of RBL providers you want returned). The same parameter can also be used to return fewer than 10 RBL providers.

If you feel like parsing through the log files, the agent logs are located in the \Exchange Server\TransportRoles\Logs\AgentLog folder. To find out how to easily manage and filter agent logs, read the related post "Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs".
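The per-provider tally that a log-based report like this produces, shown as an added example (it is not the code of Get-AntispamTopRBLProviders.ps1): it filters agent-log-style records, applies an optional date window and a top-N limit, and counts rejections per provider. The column names (Timestamp, Reason, ReasonData), the BlockListProvider reason value and the function name Get-TopRblProviders are assumptions, and the records are constructed sample data so the block runs without Exchange installed.

```powershell
# Added example: the per-provider tally a log-based RBL report produces.
# Assumptions: the column names and the 'BlockListProvider' reason value.
# The rows are constructed sample data, not real agent log entries.
$sampleCsv = @'
Timestamp,RemoteEndpoint,Agent,Reason,ReasonData
2006-12-11T09:14:02,192.0.2.10,Connection Filtering Agent,BlockListProvider,Spamhaus SBL-XBL
2006-12-11T09:20:45,192.0.2.44,Connection Filtering Agent,BlockListProvider,Spamhaus SBL-XBL
2006-12-12T13:02:10,198.51.100.7,Connection Filtering Agent,BlockListProvider,SORBS
2006-12-12T13:05:31,203.0.113.9,Content Filter Agent,SclAtOrAboveRejectThreshold,7
2006-12-12T16:30:12,192.0.2.61,Connection Filtering Agent,BlockListProvider,Spamhaus SBL-XBL
2006-12-13T08:41:19,192.0.2.10,Connection Filtering Agent,BlockListProvider,Spamhaus SBL-XBL
2006-12-13T08:47:50,192.0.2.77,Connection Filtering Agent,BlockListProvider,Spamhaus SBL-XBL
2006-12-13T08:59:03,198.51.100.23,Connection Filtering Agent,BlockListProvider,SORBS
2006-12-13T10:12:57,203.0.113.80,Connection Filtering Agent,BlockListProvider,NJABL
'@

# Hypothetical helper: keeps only rejections attributed to an IP Block List
# provider, applies the optional time window, then counts per provider name.
function Get-TopRblProviders {
    param(
        [object[]] $Records,
        [datetime] $StartDate = [datetime]::MinValue,
        [datetime] $EndDate   = [datetime]::MaxValue,
        [int]      $Top       = 10
    )
    $Records |
        Where-Object { $_.Reason -eq 'BlockListProvider' } |
        Where-Object {
            $ts = [datetime]$_.Timestamp
            ($ts -ge $StartDate) -and ($ts -le $EndDate)
        } |
        Group-Object -Property ReasonData |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Name, @{ Name = 'Value'; Expression = { $_.Count } }
}

$records = $sampleCsv | ConvertFrom-Csv

# All records, default top 10.
Get-TopRblProviders -Records $records

# Only records from 12 December onward, limited to the top 2 providers.
Get-TopRblProviders -Records $records -StartDate '2006-12-12' -Top 2
```

The Content Filter Agent row is dropped by the first filter, which is why a per-provider report needs the log records rather than an aggregate counter.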

Other Antispam-related scripts for reporting:
Get-AntispamFilteringReport.ps1
Get-AntispamSCLHistogram.ps1
Get-AntispamTopBlockedSenderDomains.ps1
Get-AntispamTopBlockedSenderIPs.ps1
Get-AntispamTopBlockedSenders.ps1
Get-AntispamTopRecipients.ps1

Anti-spam agents on Hub Transport servers

By default, anti-spam agents are not installed on Exchange Server 2007 servers with the Hub Transport server role - these logically belong on the Edge Transport server. However, if you do not intend to deploy an Edge server, you can install the agents on a Hub Transport server. [Read previous post: "How to install anti-spam agents on Hub Transport server"]

Update 6/15/2007
From answers to the comments below:

Perfmon counters vs. reporting from log files

Exchange Server 2003 and 2007 expose RBL statistics through performance counters. However:

1) Performance counters are flushed when services are restarted (in this case, the SMTP service / MSExchangeTransport service). As such, they provide neither historical information nor the rich details that Exchange Server 2007's agent logs provide (for more details on the agent log, read the related post "Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs").
2) Performance counters provide aggregate information. They are not instantiated per RBL/IP Block List provider, so you can't determine the number of messages blocked by each RBL, among other details.

Exchange Server 2003 Performance Counters


Figure 1: RBL-related Performance Monitor counters in Exchange Server 2003

As shown in the above screenshot of perfmon in report mode, the performance object is MSExchangeTransport Filter Sink. The following RBL-related counters are available for the object:
- Block List DNS Queries Issued
- Block List DNS Queries Issued/Sec
- Connections Rejected by Block List Providers
- Connections Rejected by Block List Providers/Sec
- Failed Block List DNS Queries
- Failed Block List DNS Queries/Sec

Exchange Server 2007 Performance Counters


Figure 2: RBL-related Performance Monitor counters in Exchange Server 2007

The corresponding perfmon object in Exchange Server 2007 is MSExchange Connection Filtering Agent, as shown in the above screenshot. The counters available are limited:
- Connections on IP Block List Providers
- Connections on IP Block List Providers/Sec
- Messages with Originating IP on IP Block List Providers
- Messages with Originating IP on IP Block List Providers/Sec


9 Comments:

December 29, 2006 4:49 AM
Anonymous Anonymous said...

Is that an accurate 'performance' counter, or as with other mailservers, is it order dependent?

 
December 29, 2006 9:21 AM
Blogger Bharat said...

It's not a performance counter - performance counters can give you statistics about how many messages are blocked by IP Allow List Providers, et al - they can't classify that data further to indicate messages blocked per RBL.

Another drawback of performance counters - these get reset when the service/server is restarted.

get-AntispamTopRBLProviders.ps1 is a script that parses transport agent logs to produce the output - it's data from logs, so one can assume it's accurate.

 
January 18, 2007 10:15 AM
Blogger Derek said...

Unfortunately nothing comes back when I run this command. I simply get the prompt again. I've downloaded the spam updates & installed the spam agents via 'install-antispamagents.ps1'. What am I missing? Thanks.

 
January 18, 2007 10:30 AM
Blogger Bharat said...

Check your IP Block List Providers config and perfmon counters - is it working? Also check the transport agent logs - do you see anything?

 
March 21, 2007 8:10 AM
Anonymous Anonymous said...

Are there similar tools for Exchange 2003 or can this be used with 2003?

 
March 21, 2007 8:49 AM
Blogger Bharat said...

No, this is an Exchange Server 2007 shell script that parses the agent log - not available in Exchange Server 2003.

Exchange Server 2003 does not log RBL lookups in any kind of log, afaik - which means there's no data to parse. It does expose statistics for RBLs (as an aggregate number, not per RBL) as a perfmon counter, as noted above.

Bharat

 
May 29, 2007 7:17 AM
Anonymous Anonymous said...

Hi,

"It's not a performance counter - performance counters can give you statistics about how many messages are blocked by IP Allow List Providers, et al -"

Where can these performance counters be found for sender reputation, senderId, content filtering on e2k7 ?

Thanks for your answer.

 
June 15, 2007 7:04 AM
Anonymous Petr said...

You wrote: "Exchange Server 2003 ... expose statistics for RBLs ... as a perfmon counter, as noted above."
Are you sure about this? What's the name of the counter? I couldn't find it in my system (Exchange 2003 SP2). Thank you in advance.
Petr

 
June 15, 2007 11:53 AM
Blogger Bharat Suneja said...

Petr,

The post was updated to answer your questions, but another post listing all anti-spam performance counters is probably in order to cover other filter sinks/agents like SenderID.

Bharat

 
