Connection filtering combats spam by blocking and/or
allowing email messages from specific networks, IP addresses, and IP
ranges. Email that is routed through Receive Connectors is processed by
the Connection Filtering Agent. These messages are received from the
Internet and travel inbound to the Edge Transport server for delivery to
the recipient. The connection filtering agents (IP Block List, IP Allow
List, IP Block List Providers, and IP Allow List Providers) are all
enabled by default and can be configured using the Exchange Management
Console or Exchange Management Shell.
An IP Allow List is a manual list of servers you
trust to send email to your organization, more specifically those for
which email communication cannot be disrupted. An IP Block List works in
reverse, blocking email from specific email servers without further
processing or retaining copies of the message. IP Block and Allow List
Providers make it easier to stop email from known malicious entities or
ensure communication continues for others. This is usually a free
service and allows administrators to easily subscribe to these lists and
benefit from them.
One example of a real-time block list provider is The Spamhaus Project at http://www.spamhaus.org.
Spamhaus maintains the Spamhaus Block List (SBL) and provides it as a
free service for anyone to use. Spamhaus records their block entries in
the SBL domain name system (DNS) zone and that list is updated every 30
minutes and then mirrored to more than 40 servers around the world with
direct hourly feeds to major Internet service providers (ISPs).
Note
Changes described in this section are applied
only to the local system. This is important to know if you have more
than one Edge Transport server in your environment because the change
will need to be made locally on all other Edge Transport servers.
To disable the IP Block List, IP Allow List, IP
Block List Providers, and IP Allow List Providers agents using the
Exchange Management Console, right-click the appropriate agent icon in
the action pane and select Disable.
To disable these same agents using the Exchange Management Shell, run the corresponding Set- cmdlet (Set-IPAllowListConfig, Set-IPAllowListProvider, Set-IPAllowListProvidersConfig, Set-IPBlockListConfig, Set-IPBlockListProvider, or Set-IPBlockListProvidersConfig) with the -Enabled $false parameter. For example:
Set-IPBlockListConfig -Enabled $false
When configuring an IP Block List or IP Allow
List, entities to block must be entered manually by the administrator
because these lists are created and maintained locally on the server.
Unless specified otherwise by the organization, reject email messages
received from addresses on IP Block Lists to avoid further processing,
increased system overhead, and consumed disk space.
Tip
The IP Block List can be used to define IP
addresses that consistently send virus-infected messages or unacceptable
content to the organization, which an IP Block List Provider might not
identify, for any of several reasons.
1. Configuring an IP Allow List Using the Exchange Management Console
Email administrators can configure Allow Lists
on an Edge Transport server to ensure messages from desired source mail
senders or organizations are not filtered and blocked at the Edge
server. Administrators can define single IP addresses, IP addresses and
subnet masks, and/or IP ranges from which to allow email messages.
Note
In some organizations, the Edge Transport
server might sit behind another Simple Mail Transfer Protocol (SMTP)
server that receives email from the Internet. In scenarios like this,
the SMTP address of each upstream email server must be added to the
Transport Configuration object in an Active Directory forest before
connection filtering can be used. The SMTP addresses listed in the
Transport Configuration object in Active Directory are replicated to the
Edge Transport servers via EdgeSync.
To configure an IP Allow List using the Exchange Management Console, do the following:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. Double-click the IP Allow List item in the action pane.
4. In the IP Allow List Properties window, select the Allowed Addresses tab.
5. Click the Add button or the down arrow IP address button to add a Classless Inter-Domain Routing (CIDR) IP address or range (for example, 192.168.1.10 or 192.168.1.10/24).
6. Click OK to add the IP address or address range.
7. The IP addresses or address ranges are shown in the Remote IP Address(es) section of the Allowed Addresses tab in the IP Allow List Properties window.
Note
You must first obtain the IP address or address ranges of the email server or servers that you want included in the IP Allow List.
8. Click Apply to save changes or click OK to save changes and close the window.
Note
Entries in an IP Allow List cannot be scheduled to expire.
Alternatively, an IP address and subnet mask, or
IP address range can be defined for filtering. To define an allowed IP
address and subnet mask, do the following:
1. In the IP Allow List Properties window, select the Allowed Addresses tab.
2. Click the down arrow and select IP and Mask.
3. In the Add Allowed IP Address – IP and Mask window, enter the IP address in the IP Address field (for example, 192.168.1.10).
4. Enter the subnet mask of the IP address in the IP Mask field (for example, 255.255.255.0).
5. Click OK to add the IP address and IP mask.
To define an allowed IP address range, do the following:
1. In the IP Allow List Properties window, select the Allowed Addresses tab.
2. Click the down arrow and select IP Range.
3. In the Add Allowed IP Address – IP Range window, enter the first IP address in the Start Address field (for example, 192.168.1.1).
4. Enter the last IP address in the address range in the End Address field (for example, 192.168.255.255).
5. Click OK to add the IP address range.
Any defined IP addresses, IP addresses and
subnet masks, and/or IP address ranges are shown in the Remote IP
Address(es) section of the Allowed Addresses tab of the IP Allow List
Properties window.
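The same three entry types (single address, address plus subnet mask, and start-end range) can be added from the Exchange Management Shell. The script below is an added example and is not code from the book; it assumes the Exchange cmdlets Add-IPAllowListEntry and Get-IPAllowListEntry are available on the Edge Transport server, and all addresses and comments are constructed sample values. The console's "IP and Mask" form has no direct shell equivalent, so the helper converts an address and dotted-decimal mask into the CIDR form that -IPRange accepts, rejecting non-contiguous masks and clearing host bits so the entry names the network rather than one host in it.

```powershell
# Added example (not from the book): populate the IP Allow List from the
# Exchange Management Shell on an Edge Transport server.
# Assumes Add-IPAllowListEntry / Get-IPAllowListEntry are loaded; every
# address and comment below is a constructed placeholder.

# Convert "IP and Mask" input (as entered in the console) to CIDR for -IPRange.
function ConvertTo-Cidr {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$SubnetMask
    )
    $ipBytes   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()

    # A valid mask is a run of 1 bits followed by a run of 0 bits.
    $bits = ($maskBytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous subnet mask: $SubnetMask" }
    $prefix = ($bits -replace '0', '').Length

    # Clear the host bits so 192.168.1.10/255.255.255.0 becomes 192.168.1.0/24.
    $network = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }
    return "$($network -join '.')/$prefix"
}

# 1. Single trusted host (constructed value).
Add-IPAllowListEntry -IPAddress 192.168.1.10 `
    -Comment 'Constructed example: partner MTA'

# 2. Address plus subnet mask, converted to CIDR (constructed values).
$cidr = ConvertTo-Cidr -IPAddress 192.168.1.10 -SubnetMask 255.255.255.0
Add-IPAllowListEntry -IPRange $cidr `
    -Comment 'Constructed example: partner subnet'

# 3. Explicit start-end range (constructed values).
Add-IPAllowListEntry -IPRange '192.168.1.1-192.168.255.255' `
    -Comment 'Constructed example: branch office ranges'

# Review the result. Every entry here bypasses connection filtering entirely,
# so treat the list like a firewall allow rule: keep it short and commented.
Get-IPAllowListEntry | Format-Table Identity, IPRange, Comment, InsertionTime -AutoSize
```

Because these entries are stored locally (see the note earlier in this section), the script must be run on every Edge Transport server; keeping it in source control gives you the maintenance record the console does not.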
Several list providers are available; the
criteria for being added to or removed from their databases, along with
how often those databases are updated, differ from provider to provider. For example,
Microsoft provides updates twice per week for their Intelligent Message
Filter, which is used with content filtering and the heuristics rules
specific to phishing attempts. To configure an IP Allow List Provider
using the Exchange Management Console, complete the following steps:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. Double-click the IP Allow List Providers item in the action pane.
4. In the IP Allow List Providers Properties window, select the Providers tab.
5. Click the Add button to define an IP Allow List Provider.
6. Enter the name of the provider in the Provider Name field.
7. Enter the IP address or fully qualified domain name (FQDN) in the Lookup Domain field.
8. Check Match to Any Return Code to identify all delivery status notifications (DSN) and respond to them accordingly.
9. Check Match to the Following Mask to specify an IP address or subnet mask and respond accordingly.
10. Check Match to any of the Following Responses to list multiple IP addresses or subnet masks and respond accordingly.
11. Click OK when you are finished; the newly created provider entry will be displayed in the IP Allow List Providers Properties window.
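The three match options in steps 8 to 10 map onto cmdlet parameters in the Exchange Management Shell, which is also where the Spamhaus-style block list provider described earlier in the section is defined. The script below is an added example, not code from the book or from Spamhaus: it assumes the Add-IPAllowListProvider, Add-IPBlockListProvider, Test-IPBlockListProvider and Get-IPBlockListProvider cmdlets; the allow-list provider name and lookup domain are placeholders; sbl.spamhaus.org as the SBL zone, the 127.0.0.2 return code and the rejection text are assumptions to be confirmed against the provider's current documentation before use.

```powershell
# Added example (not from the book): define list providers from the shell.
# Console option -> parameter mapping used below:
#   Match to Any Return Code              -> -AnyMatch $true
#   Match to the Following Mask           -> -BitmaskMatch <address>
#   Match to any of the Following Responses -> -IPAddressesMatch <addresses>

# Allow List Provider (placeholder provider; any positive answer is a match).
Add-IPAllowListProvider -Name 'Partner allow list (placeholder)' `
    -LookupDomain 'allowlist.provider.example' `
    -AnyMatch $true

# Block List Provider for the Spamhaus SBL. Matching only the documented
# SBL return code (assumed here to be 127.0.0.2) avoids rejecting mail on
# codes that mean something else, such as a query error or a different list.
Add-IPBlockListProvider -Name 'Spamhaus SBL' `
    -LookupDomain 'sbl.spamhaus.org' `
    -IPAddressesMatch '127.0.0.2' `
    -RejectionResponse 'Sender IP is listed on the Spamhaus SBL (assumed wording)'

# Verify the lookup path before trusting it. 127.0.0.2 is the conventional
# DNSBL self-test address that providers keep permanently listed (assumption).
Test-IPBlockListProvider -Identity 'Spamhaus SBL' -IPAddress 127.0.0.2

# Review provider order and match settings; Priority decides which provider
# is queried first when several are configured.
Get-IPBlockListProvider |
    Format-Table Name, LookupDomain, Priority, Enabled, AnyMatch, BitmaskMatch, IPAddressesMatch -AutoSize
```

Prefer explicit return codes (-IPAddressesMatch) over -AnyMatch for block list providers: a provider that changes its zone layout or returns an error code would otherwise start rejecting legitimate mail without any configuration change on your side.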
2. Configuring an IP Block List Using the Exchange Management Console
The IP Block List is configured using the same
procedures as the IP Allow List; however, an entry made in the IP Block
List can be scheduled to expire, whereas an entry in the IP Allow List
cannot. By default, new entries are set to never expire.
Note
You must first obtain the IP address or address
ranges of the email server or servers that you want included in the IP
Block List.
To configure an IP Block List using the Exchange Management Console, do the following:
1. Launch the Exchange Management Console.
2. Select Edge Transport in the console tree.
3. Double-click the IP Allow List item in the action pane.
4. In the IP Allow List Properties window, select the Allowed Addresses tab.
5. Click Add to make a new entry.
6. In the Add Blocked IP Address window, select Block Until Date and Time.
7. Specify a date and time to expire the entry, and click OK.
Known spam servers and IP addresses sending
malicious email should be double-checked for compliance before the
expiration date comes due. Consider keeping maintenance logs or check
entries frequently to avoid letting unwanted and previously blocked
email messages (back) into your organization.
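The expiry and maintenance advice above can be scripted from the Exchange Management Shell. The block below is an added example, not code from the book; it assumes the Add-IPBlockListEntry, Get-IPBlockListEntry and Get-IPBlockListConfig cmdlets, and every address, comment and the seven-day review window is a constructed sample value. Block Until Date and Time in the console corresponds to the -ExpirationTime parameter; omitting it creates a never-expiring entry, matching the console default.

```powershell
# Added example (not from the book): expiring block list entries and an
# audit of entries about to lapse. All addresses/comments are constructed.

# Temporary block: revisit in a week rather than leaving it forever.
Add-IPBlockListEntry -IPAddress 203.0.113.25 `
    -ExpirationTime (Get-Date).AddDays(7) `
    -Comment 'Constructed example: repeated malware attachments, ticket <PLACEHOLDER>'

# Permanent block of a range (no -ExpirationTime, so it never expires).
Add-IPBlockListEntry -IPRange '203.0.113.0/24' `
    -Comment 'Constructed example: persistent spam source'

# Audit helper: entries whose expiry falls within the next N days, so they can
# be re-checked and renewed before previously blocked senders get back in.
function Get-ExpiringBlockListEntry {
    param([int]$WithinDays = 7)
    $cutoff = (Get-Date).AddDays($WithinDays)
    Get-IPBlockListEntry |
        Where-Object { $_.ExpirationTime -and $_.ExpirationTime -le $cutoff } |
        Sort-Object ExpirationTime |
        Select-Object Identity, IPRange, ExpirationTime, Comment
}

# Entries are inert if the IP Block List agent itself is disabled locally,
# so the audit says so explicitly instead of silently listing dead rules.
if (-not (Get-IPBlockListConfig).Enabled) {
    Write-Warning 'IP Block List is disabled on this Edge Transport server; entries below have no effect.'
}
Get-ExpiringBlockListEntry -WithinDays 7 | Format-Table -AutoSize
```

Running the audit from a scheduled task on each Edge Transport server (the list is local to each one) and writing its output to a log gives you the maintenance record the section recommends.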