Exchange Server 2007 includes a script that reports on how Realtime Block Lists (RBLs) perform: it provides the number of messages blocked by each provider.
The script, Get-AntispamTopRBLProviders.ps1, can be found in the \Exchange Server\Scripts folder.
To run it, fire up the Exchange shell:
.\get-antispamtoprblproviders.ps1

Name               Value
----               -----
Spamhaus SBL-XBL   6626
SORBS              33
NJABL              2
The script can be constrained to a particular time period by using the optional parameters -startdate and -enddate. If not constrained by time, it looks at all the logs. By default, it returns a list of the top 10 RBL providers. Hopefully you aren't using any more than that, but in case you do, you can get a list of the top X RBL providers by adding the following: -top:X (where X is the number of RBL providers you want returned). This can also be used to get a list of fewer than 10 RBL providers.
If you feel like parsing through the log files, the agent logs are located in the \Exchange Server\TransportRoles\Logs\AgentLog folder. To find out how to easily manage and filter agent logs, read the related post "Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs".
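The per-provider tally described above can be reproduced directly from agent log entries. This is an added example, not the shipped script's code: the function name Get-TopRblProvider is hypothetical, the sample rows are constructed, and it assumes block-list rejections are logged with Reason set to BlockListProvider and the provider name in ReasonData.

```powershell
# Constructed sample rows; the columns are an assumed subset of the agent log fields.
$sampleCsv = @'
Timestamp,Agent,Action,Reason,ReasonData
2007-03-01T08:15:02,Connection Filtering Agent,RejectCommand,BlockListProvider,Spamhaus SBL-XBL
2007-03-01T09:40:11,Connection Filtering Agent,RejectCommand,BlockListProvider,SORBS
2007-03-02T10:05:37,Content Filter Agent,RejectMessage,SclAtOrAboveRejectThreshold,7
2007-03-02T11:22:48,Connection Filtering Agent,RejectCommand,BlockListProvider,Spamhaus SBL-XBL
2007-03-05T07:01:19,Connection Filtering Agent,RejectCommand,BlockListProvider,NJABL
'@

function Get-TopRblProvider {   # hypothetical helper, not an Exchange cmdlet
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [datetime]$StartDate = [datetime]::MinValue,
        [datetime]$EndDate   = [datetime]::MaxValue,
        [int]$Top = 10
    )
    begin { $hits = @{} }
    process {
        # Only block-list rejections count; entries from other agents are skipped.
        if ($Entry.Reason -ne 'BlockListProvider') { return }
        # Works for CSV strings and for DateTime values alike.
        $when = [datetime]$Entry.Timestamp
        if ($when -lt $StartDate -or $when -gt $EndDate) { return }
        # Guard against a blank provider name so the row is still counted.
        $provider = "$($Entry.ReasonData)".Trim()
        if (-not $provider) { $provider = '(unnamed provider)' }
        $hits[$provider] = 1 + [int]$hits[$provider]
    }
    end {
        # Same Name/Value shape as the script's report, highest count first.
        $hits.GetEnumerator() |
            Sort-Object -Property Value -Descending |
            Select-Object -First $Top -Property Name, Value
    }
}

# Offline run over the constructed rows, limited to 1-2 March:
$sampleCsv | ConvertFrom-Csv |
    Get-TopRblProvider -StartDate '2007-03-01' -EndDate '2007-03-03' -Top 5

# On a server with the anti-spam agents installed, the input would instead be:
#   Get-AgentLog -StartDate '2007-03-01' -EndDate '2007-03-03' | Get-TopRblProvider
```

ConvertFrom-Csv requires Windows PowerShell 2.0 or later.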
Other Antispam-related scripts for reporting:
- Get-AntispamFilteringReport.ps1
- Get-AntispamSCLHistogram.ps1
- Get-AntispamTopBlockedSenderDomains.ps1
- Get-AntispamTopBlockedSenderIPs.ps1
- Get-AntispamTopBlockedSenders.ps1
- Get-AntispamTopRecipients.ps1
Anti-spam agents on Hub Transport servers
By default, anti-spam agents are not installed on Exchange Server 2007 servers with the Hub Transport server role - these logically belong on the Edge Transport server. However, if you do not intend to deploy an Edge server, you can install the agents on a Hub Transport server. [Read previous post: "How to install anti-spam agents on Hub Transport server"]
From answers to the comments below:
Perfmon counters vs. reporting from log files
Exchange Server 2003 and 2007 expose RBL statistics through performance counters. However: 1) Performance counters are flushed when services are restarted (in this case the SMTP service / MSExchangeTransport service), so they provide neither historical information nor the rich details that Exchange Server 2007's agent logs provide (for more details on the agent log, read the related post "Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs"). 2) Performance counters provide aggregate information. They are not instantiated per RBL/IP Block List provider, so you can't determine the number of messages blocked by each RBL, amongst other details.
Exchange Server 2003 Performance Counters
As shown in the above screenshot of perfmon in report mode, the performance object is MSExchangeTransport Filter Sink. The following RBL-related counters are available for the object:
- Block List DNS Queries Issued
- Block List DNS Queries Issued/Sec
- Connections Rejected by Block List Providers
- Connections Rejected by Block List Providers/Sec
- Failed Block List DNS Queries
- Failed Block List DNS Queries/Sec
Exchange Server 2007 Performance Counters
The corresponding perfmon object in Exchange Server 2007 is MSExchange Connection Filtering Agent, as shown in the above screenshot. The counters available are limited:
- Connections on IP Block List Providers
- Connections on IP Block List Providers/Sec
- Messages with Originating IP on IP Block List Providers
- Messages with Originating IP on IP Block List Providers/Sec
9 Comments:
Is that an accurate 'performance' counter, or as with other mailservers, is it order dependent?
It's not a performance counter - performance counters can give you statistics about how many messages are blocked by IP Allow List Providers, et al - they can't classify that data further to indicate messages blocked per RBL.
Another drawback of performance counters - these get reset when the service/server is restarted.
get-AntispamTopRBLProviders.ps1 is a script that parses transport agent logs to produce the output - it's data from logs, so one can assume it's accurate.
Unfortunately nothing comes back when I run this command. I simply get the prompt again. I've downloaded the spam updates & installed the spam agents via 'install-antispamagents.ps1'. What am I missing? Thanks.
Check your IP Block List Providers config and perfmon counters - is it working? Also check the transport agent logs - do you see anything?
Are there similar tools for Exchange 2003 or can this be used with 2003?
No, this is an Exchange Server 2007 shell script that parses the agent log - not available in Exchange Server 2003.
Exchange Server 2003 does not log RBL lookups in any kind of log, afaik - which means there's no data to parse. It does expose statistics for RBLs (as an aggregate number, not per RBL) as a perfmon counter, as noted above.
Bharat
Hi,
"It's not a performance counter - performance counters can give you statistics about how many messages are blocked by IP Allow List Providers, et al -"
Where can these performance counters be found for sender reputation, senderId, content filtering on e2k7?
Thanks for your answer.
You wrote: "Exchange Server 2003 ... expose statistics for RBLs ... as a perfmon counter, as noted above."
Are you sure about this? What's the name of the counter? I couldn't find it in my system (Exchange 2003 SP2). Thank you in advance.
Petr
Petr,
The post was updated to answer your questions, but another post listing all anti-spam performance counters is probably in order to cover other filter sinks/agents like SenderID.
Bharat