Keeping tabs on Antispam filters: A few handy scripts in Exchange Server 2007

by Bharat Suneja

One of the more useful improvements in Exchange Server 2007 is the abundance of logging for different features and components (read previous post “Exchange Server 2007: How many logs hath thee?“). In particular, the antispam agent logs fill an important gap in monitoring, reporting and troubleshooting message flow as it relates to antispam agents (read previous post “Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs“). As a messaging/Exchange administrator, you want to be able to pinpoint what the antispam agents have been up to, and determine whether particular messages, sending hosts, domains or email addresses have been blocked by any of the antispam agents. The antispam agent logs and the Get-AgentLog command allow you to do this quickly and efficiently.

In addition to the Get-AgentLog command, Exchange Server 2007 also ships with a number of canned scripts that help you keep tabs on what the agents are doing. These scripts are found in the \Exchange Server\Scripts directory, where \Exchange Server is the path of the Exchange Server 2007 installation. Note that no documentation or support is available for these scripts – they are meant to be examples you can use to write your own scripts. Let’s take a peek in the directory and see what we find.

Commandline parameters used by antispam scripts

Most of the following scripts take the same (optional) parameters.

  • top n: Where n is the number of results to display. If not specified, the script defaults to (top) 10.
  • StartDate: Start date/time
  • EndDate: End date/time
  • Location: path of agent log files. If no path is specified, the script works against the default agent log file location.

1. Get-AntispamFilteringReport.ps1: Takes one of the following values as a mandatory parameter and displays statistics for each agent:
   • connections
   • commands
   • messagesrejected
   • messagesdeleted
   • messagesquarantined
2. Get-AntispamSCLHistogram.ps1: Provides a breakdown of the number of messages stamped with each SCL value.
3. Get-AntispamTopBlockedSenderDomains.ps1: Lists the top ten sender domains from which mail was blocked.
4. Get-AntispamTopBlockedSenderIPs.ps1: Lists the top ten IP addresses blocked by antispam agents, and the number of messages blocked from each.
5. Get-AntispamTopBlockedSenders.ps1: Lists the top ten blocked senders (SMTP email addresses) and the number of messages blocked from each. The script can report on P1 addresses (the envelope sender given in the SMTP MAIL FROM command) or P2 addresses (from headers in the message body, such as From). Specify the option as a commandline argument (optional parameters -top n, -StartDate, and -EndDate used in this example):

   .\Get-AntispamTopBlockedSenders.ps1 P1 -top 20 -StartDate "12/1/2007" -EndDate "12/10/2007"

   Replace the P1 in the above command with P2 to report on P2 senders.

6. Get-AntispamTopRBLProviders.ps1: Lists the top ten RBLs (aka “IP Block List Providers”) and the messages blocked by each (read previous post: “Exchange Server 2007: How are RBLs performing?“).
7. Get-AntispamTopRecipients.ps1: Lists the top ten recipient addresses that receive spam. The addresses may or may not exist in your organization – the reporting is based on actions taken by antispam agents on incoming messages. Recipient Filtering with Recipient Validation (dropping messages for recipients that do not exist in AD/GAL) is a great way to drop a large number of messages.

The following scripts are not used for reporting:

8. Reset-AntispamUpdates.ps1: Uninstalls any antispam updates and reinstalls the original “out-of-box” antispam data.
9. Install-AntispamAgents.ps1: By default, antispam agents are not installed on the Hub Transport server role (read previous post: “HOW TO: Install anti-spam agents on Hub Transport server“). This script installs them if you need to.
10. Uninstall-AntispamAgents.ps1: Uninstalls antispam agents.
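To show how a report like Get-AntispamTopBlockedSenderIPs.ps1 is put together, here is an added example (written for this page, not one of the scripts shipped with Exchange) that builds a top-blocked-sender-IPs report on Get-AgentLog and accepts the same optional parameters listed above. It assumes the Exchange 2007 Management Shell and the agent log entry properties Timestamp, Action and IPAddress; the date range is applied in the pipeline rather than passed to Get-AgentLog, which keeps the script to a single code path.

```powershell
# Added example: top blocked sender IPs from the antispam agent log, using the same
# optional parameters as the canned Get-Antispam*.ps1 scripts (-top, -StartDate, -EndDate, -Location).
param(
    [int]$Top = 10,                                # canned scripts also default to (top) 10
    [DateTime]$StartDate = [DateTime]::MinValue,   # earliest log timestamp to include
    [DateTime]$EndDate   = [DateTime]::MaxValue,   # latest log timestamp to include
    [string]$Location    = ''                      # alternate agent log directory, if any
)

# Read the agent log from the default location unless a directory was given.
if ($Location) { $entries = Get-AgentLog -Location $Location }
else           { $entries = Get-AgentLog }

# An entry counts as "blocked" when the agent did anything other than accept the message
# (reject, delete, quarantine, disconnect...). Entries with no connecting IP cannot be
# attributed to a sending host, so they are skipped.
$blocked = $entries | Where-Object {
    $_.Timestamp -ge $StartDate -and $_.Timestamp -le $EndDate -and
    $_.Action -ne 'AcceptMessage' -and $_.IPAddress -ne $null
}

# Report columns: the IP, how many log entries it produced, and when it was first/last seen.
# @(...) around the sorted group guards the [0] index when a group holds a single entry.
$columns = @(
    @{ Name = 'IPAddress'; Expression = { $_.Name } },
    'Count',
    @{ Name = 'FirstSeen'; Expression = { @($_.Group | Sort-Object Timestamp)[0].Timestamp } },
    @{ Name = 'LastSeen';  Expression = { @($_.Group | Sort-Object Timestamp -Descending)[0].Timestamp } }
)

# Count entries per sending IP and keep the busiest $Top.
$blocked |
    Group-Object IPAddress |
    Sort-Object Count -Descending |
    Select-Object -First $Top -Property $columns |
    Format-Table -AutoSize
```

Save it as, for instance, Get-TopBlockedIPs.ps1 and run it as .\Get-TopBlockedIPs.ps1 -Top 20 -StartDate "12/1/2007" -EndDate "12/10/2007" from the Exchange Management Shell.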


    Anonymous April 27, 2009 at 8:53 pm

    Stupid Question… Does the Get-AntispamTopBlockedSenderIPs.ps1 script represent a single agent that is working? or several agents?

    If so is it the “Sender Reputation Functionality” that is populating the list?

    Thanks,

    Robert


    Bharat Suneja April 27, 2009 at 9:47 pm

    @Anonymous April 27: Not a stupid question at all! :)

    The query used in the script is similar to:
    Get-AgentLog | Where {$_.Action -ne "AcceptMessage" -and $_.IPAddress -ne $() }

    You can group the result on the reason or the agent. For example:
    Get-AgentLog | Where {$_.Action -ne "AcceptMessage" -and $_.IPAddress -ne $() } | Group-Object Reason | ft count,name -AutoSize

    Get-AgentLog | Where {$_.Action -ne "AcceptMessage" -and $_.IPAddress -ne $() } | Group-Object Agent | ft count,name -AutoSize

    The reason group should show you reasons such as BlockListProvider, RecipientDoesNotExist, SclAtOrABoveRejectThreshold, SclAtOrAboveDeleteThreshold, SclAtOrAboveQuarantineThreshold, Fail_NotPermitted, SubdomainMatch, and so on.

    For agents, you will see all the agents that acted on a message that was not accepted, such as Connection Filtering Agent, Recipient Filter Agent, Sender Id Agent, Content Filter Agent, and so on.

    To get a list of IP addresses on the IP Block List (this is per-transport server, not global):
    Get-IPBlockListEntry | where {$_.IsMachineGenerated -eq $true}

    You can then search the agent log for the IP addresses returned. For example:
    Get-IPBlockListEntry | Where {$_.IsMachineGenerated -eq $true} | ForEach {$IP = $_.IPRange; Write-Host "IP: " $IP; Get-AgentLog -StartDate "4/27/2009" | where {$_.IPAddress -like $IP}}


    Bharat Suneja April 27, 2009 at 9:50 pm

    Forgot to mention, the following snippet will only list entries in the IP Block List that are added by the Sender Reputation Agent (returned by using IsMachineGenerated -eq $true)

    >> To get a list of IP addresses on the IP Block List (this is per-transport server, not global):
    >> Get-IPBlockListEntry | where {$_.IsMachineGenerated -eq $true}

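The cross-reference described in the comments above (searching the agent log for the IP addresses that the Sender Reputation Agent added to the IP Block List), as an added example that is not part of the post or its comments. It assumes the Exchange 2007 Management Shell on a transport server with agent logging enabled, the IPBlockListEntry properties IPRange, IsMachineGenerated and ExpirationTime, and uses a constructed 24-hour cut-off for the log search; the helper Join-Distinct is hypothetical.

```powershell
# Added example: for each machine-generated IP Block List entry, report how many non-accept
# agent log entries the listed IP produced, and which agents and reasons were involved.
$Since = (Get-Date).AddDays(-1)   # constructed cut-off for the log search (last 24 hours)

# Read the log once rather than once per block-list entry, keeping only non-accept actions
# that carry a connecting IP.
$blocked = @(Get-AgentLog -StartDate $Since | Where-Object {
    $_.Action -ne 'AcceptMessage' -and $_.IPAddress -ne $null
})

# Hypothetical helper: distinct values of one property as a comma-separated string.
function Join-Distinct($items, $property) {
    $values = @($items | ForEach-Object { $_.$property } | Sort-Object -Unique)
    return [string]::Join(', ', [string[]]$values)
}

Get-IPBlockListEntry | Where-Object { $_.IsMachineGenerated -eq $true } | ForEach-Object {
    $entry = $_
    # Sender Reputation lists single addresses, so the IPRange renders as one IP. A manually
    # added CIDR block or range would not match with -eq (assumption about the string form).
    $ip   = $entry.IPRange.ToString()
    $hits = @($blocked | Where-Object { $_.IPAddress.ToString() -eq $ip })

    $row = New-Object PSObject
    $row | Add-Member NoteProperty IPAddress $ip
    $row | Add-Member NoteProperty Expires   $entry.ExpirationTime
    $row | Add-Member NoteProperty Entries   $hits.Count
    $row | Add-Member NoteProperty Agents    (Join-Distinct $hits 'Agent')
    $row | Add-Member NoteProperty Reasons   (Join-Distinct $hits 'Reason')
    $row
} | Sort-Object Entries -Descending | Format-Table -AutoSize
```

An IP with zero Entries was listed before the cut-off or by activity the agents logged as accepted; widen $Since or drop the -StartDate filter to see its history.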
