
Friday, July 27, 2007


Connection Filtering, RBLs and SMTP logs

Posted by Bharat Suneja at 6:57 AM
Exchange Server 2003's Connection Filtering feature allows you to block connections from IP addresses explicitly added to the Global Deny List, or drop messages from IP addresses listed on a RBL (Real-Time Blackhole List / Real-Time Block List).

Note: The term "RBL" is commonly used to describe DNS Black Lists (DNSBLs), but it's a trademark of Mail Abuse Prevention System (MAPS), one of the first RBLs. It was acquired by Trend Micro in 2005. Exchange Server 2007 uses the term IP Block List Provider.

When connections from IP addresses listed on the Global Deny List are dropped, you find no trace of them in the SMTP logs [for more details about SMTP logging in Exchange Server 2003, read previous post "Logging SMTP protocol activity"]. This is understandable: the administrator explicitly added those addresses to the deny list, and an SMTP session is never initiated, so there is nothing for the protocol log to record. Logging these is less important (though many would prefer to capture information about connections blocked this way). If in doubt about which hosts are being blocked, look at the Global Deny List itself.

When it comes to DNSBLs, the behavior is different. Connections are not dropped; the message is rejected in response to the RCPT TO: command. Rejecting per recipient rather than per connection is what allows you to still receive mail for addresses on the Exception List. RFC 2821 (section 4.5.1) requires an SMTP server to accept mail addressed to postmaster, so that address belongs on the Exception List; you can also add other generic addresses from your domain (abuse@, for instance) if you don't want email to those addresses blocked.

Here's a demo of the SMTP session. As the session shows, the sending host gets a 550 5.7.1 response to the RCPT TO: command because its IP address is listed on a DNSBL and the recipient is not on the Exception List.

Here's what the SMTP log shows (some irrelevant fields removed):

2007-07-25 19:04:54 172.31.1.10 0 HELO - - 250 0 49 4 0 SMTP - - - -
2007-07-25 19:04:59 172.31.1.10 0 MAIL - +from:foo@mydomain.com 250 0 41 26 50 SMTP - - - -
2007-07-25 19:05:11 172.31.1.10 0 RCPT - +to:jadams@exchangelabs.net 550 0 0 31 5017 SMTP - - - -
2007-07-25 19:05:15 172.31.1.10 0 QUIT - - 240 22943 72 4 0 SMTP - - - -

The SMTP log records the three-digit response code (550) but not the enhanced status code (5.7.1). Even if it did, 5.7.1 ("delivery not authorized") is the code Exchange returns for many different policy rejections, so it would not by itself let you narrow a rejection down to a DNSBL hit.
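As an added example (not code from the original post), here is a PowerShell script that does for the Exchange 2003 SMTP log what the post does by eye: it reads a W3C-format SMTP protocol log, maps the columns from the #Fields: header (so it does not depend on which optional fields the administrator chose to log), and lists RCPT commands answered with 550, grouped by connecting IP. The log lines embedded in it are constructed for this example, and the column set is an assumption, since the post removed fields it considered irrelevant.

```powershell
# Added example, not code from the original post. Reads an Exchange 2003 (IIS)
# W3C SMTP protocol log, maps columns by the #Fields: header, and reports RCPT
# commands that were answered with 550, grouped by connecting IP.
#
# Constructed sample for this example; the column set is an assumption.
$sampleLog = @"
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-07-25 19:04:54
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version
2007-07-25 19:04:54 172.31.1.10 0 HELO - - 250 0 49 4 0 SMTP
2007-07-25 19:04:59 172.31.1.10 0 MAIL - +from:foo@mydomain.com 250 0 41 26 50 SMTP
2007-07-25 19:05:11 172.31.1.10 0 RCPT - +to:jadams@exchangelabs.net 550 0 0 31 5017 SMTP
2007-07-25 19:05:12 172.31.1.10 0 RCPT - +to:postmaster@exchangelabs.net 250 0 0 35 12 SMTP
2007-07-25 19:05:15 172.31.1.10 0 QUIT - - 240 22943 72 4 0 SMTP
2007-07-25 19:06:02 192.0.2.77 0 HELO - - 250 0 49 4 0 SMTP
2007-07-25 19:06:03 192.0.2.77 0 MAIL - +from:bar@example.net 250 0 41 26 10 SMTP
2007-07-25 19:06:04 192.0.2.77 0 RCPT - +to:nobody@exchangelabs.net 550 0 0 33 8 SMTP
2007-07-25 19:06:05 192.0.2.77 0 QUIT - - 240 22943 72 4 0 SMTP
"@

function Get-SmtpRcptRejects {
    param([string[]]$LogLines)
    $index = $null
    foreach ($raw in $LogLines) {
        $line = $raw.Trim()
        if ($line.StartsWith("#Fields:")) {
            # Map field name -> column position from the header line.
            $index = @{}
            $names = $line.Substring("#Fields:".Length).Trim().Split(" ")
            for ($i = 0; $i -lt $names.Length; $i++) { $index[$names[$i]] = $i }
            continue
        }
        # Skip other directives, blank lines, and anything before the first header.
        if ($index -eq $null -or $line.Length -eq 0 -or $line.StartsWith("#")) { continue }
        $cols = $line.Split(" ")
        if ($cols[$index["cs-method"]] -ne "RCPT" -or $cols[$index["sc-status"]] -ne "550") { continue }
        $rec = New-Object PSObject
        $rec | Add-Member -MemberType NoteProperty -Name Timestamp   -Value ($cols[$index["date"]] + " " + $cols[$index["time"]])
        $rec | Add-Member -MemberType NoteProperty -Name ClientIP    -Value $cols[$index["c-ip"]]
        # cs-uri-query carries "+to:<address>" for RCPT; strip the prefix.
        $rec | Add-Member -MemberType NoteProperty -Name Recipient   -Value ($cols[$index["cs-uri-query"]] -replace "^\+to:", "")
        $rec | Add-Member -MemberType NoteProperty -Name TimeTakenMs -Value ([int]$cols[$index["time-taken"]])
        $rec
    }
}

# Run against the embedded sample. On a live server, pass Get-Content of the
# day's log instead (by default under %windir%\System32\LogFiles\SMTPSVC1\).
$rejects = Get-SmtpRcptRejects -LogLines $sampleLog.Split("`n")
$rejects | Format-Table Timestamp, ClientIP, Recipient, TimeTakenMs -AutoSize

# Which connecting hosts are being rejected most often?
$rejects | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object Count, Name
```

Because only the three-digit code is logged, this report cannot separate DNSBL rejections from other 550s (recipient filtering, for example); it gives you the list of hosts to check against the Global Deny List and the DNSBL provider. A rejected RCPT whose time-taken is several seconds longer than the other commands in the same session is consistent with the server having waited on a DNS lookup, but treat that as a hint, not proof.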

Exchange Server 2007's Connection Filtering agent behaves differently: for IP addresses explicitly listed in the IP Block List (the equivalent of the Global Deny List in Exchange Server 2003), the connection itself is not refused; the agent rejects the sender within the SMTP session instead. This change in behavior allows such connections to be logged, and the agent logs [read previous post "Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs"] record in detail why each message was accepted or rejected by the anti-spam agents.

One example of the kind of reporting/troubleshooting capabilities this provides: you can search the agent logs for messages blocked by Connection Filtering agent based on DNSBL lookups:

Get-AgentLog -StartDate "7/27/2007" | where {$_.Reason -eq "BlockListProvider"}

The Get-AgentLog output:

Timestamp : 7/27/2007 6:42:08 AM
SessionId : 08C99DA727C8EF31
IPAddress : 68.45.233.59
MessageId :
P1FromAddress : dbuuxwxjlm@bobach.com
P2FromAddresses : {}
Recipients : {bf5b7b59@mydomain.com}
Agent : Connection Filtering Agent
Event : OnRcptCommand
Action : RejectCommand
SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on a block list
Reason : BlockListProvider
ReasonData : Spamhaus SBL-XBL
Diagnostics :
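Building on the one-liner above, here is an added example (not from the original post) that turns the agent log into a short report: Connection Filtering rejections for the last seven days, counted per block list provider, per connecting IP, and per rejected recipient. The output path for Export-Csv is an assumption; adjust it for your server.

```powershell
# Added example, not code from the original post. Summarizes Connection
# Filtering agent rejections from the agent logs for the last 7 days.
$end   = Get-Date
$start = $end.AddDays(-7)

$hits = Get-AgentLog -StartDate $start -EndDate $end |
    Where-Object { $_.Agent -eq "Connection Filtering Agent" -and $_.Reason -eq "BlockListProvider" }

# Rejections per provider. ReasonData carries the provider Name as configured
# with Add-IPBlockListProvider and shown by Get-IPBlockListProvider.
$hits | Group-Object ReasonData | Sort-Object Count -Descending |
    Select-Object Count, Name

# Most frequently rejected connecting IPs, with the provider(s) that listed each,
# exported for follow-up (path is an assumption).
$hits | Group-Object IPAddress | Sort-Object Count -Descending | Select-Object -First 20 |
    Select-Object @{Name="IPAddress"; Expression={$_.Name}},
                  @{Name="Hits";      Expression={$_.Count}},
                  @{Name="Providers"; Expression={
                      [string]::Join(";", @($_.Group | ForEach-Object { $_.ReasonData } | Sort-Object -Unique)) }} |
    Export-Csv -NoTypeInformation -Path "C:\Temp\blocklist-hits.csv"

# Recipients whose mail was rejected. Review this against the exception list,
# (Get-IPBlockListProvidersConfig).BypassedRecipients: postmaster should not appear here.
$hits | ForEach-Object { $_.Recipients } | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

The last query is the 2007 counterpart of the Exception List check discussed for Exchange 2003: if an address that must always receive mail shows up among the rejected recipients, it is missing from BypassedRecipients.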


1 Comments:

August 13, 2007 2:48 PM
Blogger Justin said...

Perfect. Just what I was looking for.
