Stop Spam With Exchange 2003
How to defend your users against unwanted e-mail using the Realtime Blackhole List.
by Scott Schnoll
Posted February 23, 2004
About This Article
This article is adapted from the forthcoming book Microsoft Exchange Server 2003 Distilled by Scott Schnoll. Copyright © 2004 by Addison-Wesley. Reproduced by permission. All rights reserved.
The best way to prevent spam from being delivered is a defense-in-depth approach, which includes the new filtering mechanisms in Exchange 2003 as well as third-party software and its filtering/blocking mechanisms. The multiple scanning and filtering layers often include firewalls, dedicated SMTP gateways for scanning, and other perimeter defenses, plus filtering at the Exchange server level itself. We start with connection filtering, move on to recipient filtering, and conclude with sender filtering. All three are new Exchange 2003 filtering mechanisms.
As its name implies, connection filtering blocks connections from one or more computers. Previous versions of Exchange included mechanisms for blocking connections based on IP addresses, but there were some downsides, including the fact that you had to enter the information on each individual virtual server running on each separate physical server. In Exchange 2003, you still need to enable filtering on each IP address used by all of your SMTP servers, but you only need to do this once; with the new Connection Filtering feature, the IP deny list is global. Connection Filtering enables you to deny SMTP connectivity based on the IP address of the server attempting to deliver a message to your server. You can manually block a single IP address or a group of them. Connection Filtering also enables you to use third-party blocking services or your own internal blocking service. But this feature is not as clear-cut as it sounds. Before implementing this feature, you should have a solid understanding of how it works and what its limits are.
Note that Connection Filtering rules apply only to anonymous connections and not to authenticated users and computers (such as other Exchange servers in your organization).
First, you'll see the acronym RBL used often. RBL stands for Realtime Blackhole List, and it's a registered service mark of Mail Abuse Prevention System (MAPS), LLC. These are the folks who started the first block list project, which is now a service they provide. You may also hear and see people, especially other block list providers, use the acronym RBL for realtime block list, relay block list, relay blackhole list, or some other similar variation, in part to avoid stepping on the intellectual property rights of MAPS. Nonetheless, they are all basically the same thing: databases that contain addresses of systems that should be prevented from making connections to your SMTP server.
When a foreign SMTP server connects to an Exchange 2003 SMTP virtual server, the IP address of the foreign SMTP server is forwarded in the form of a DNS query to a block list service provider's DNS server to check for the presence of a special resource record. If the resource record is found, the provider returns a status code, which is a special IP address that translates to a specific meaning, as shown in Table 1. If the foreign SMTP server's IP address is not on the list, the provider returns "host not found."
You can use multiple service providers and configure the order in which they are queried. This provides a kind of fault tolerance in the event that one of them is offline or otherwise unreachable. The service providers are queried one at a time in the order you configured. Because the query process ends as soon as something other than "host not found" is received by a provider, no unnecessary traffic is sent.
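The lookup and the ordered provider query described above, as an added example that is not code from the article or from Exchange itself. It assumes the usual DNSBL convention of reversing the connecting server's IPv4 octets and appending the provider's zone; the provider names, zones, status-code meanings and the offline resolver data are all constructed for illustration (real providers publish their own meaning for each 127.0.0.x answer).

```python
import ipaddress

# Constructed sample block list providers, queried in the configured order.
# Names, zones and status-code meanings are assumptions for illustration.
PROVIDERS = [
    {
        "name": "example-bl-one",           # hypothetical provider
        "zone": "bl-one.example.invalid",   # hypothetical DNS suffix
        "codes": {"127.0.0.2": "open relay", "127.0.0.3": "dial-up/dynamic address"},
    },
    {
        "name": "example-bl-two",
        "zone": "bl-two.example.invalid",
        "codes": {"127.0.0.2": "known spam source"},
    },
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name a block list lookup asks for.

    The connecting server's IPv4 address is written with its octets reversed
    and the provider's zone appended, e.g. 192.0.2.10 -> 10.2.0.192.<zone>.
    """
    addr = ipaddress.IPv4Address(ip)  # raises AddressValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_connection(ip, providers, resolve):
    """Query providers in order and stop at the first answer that is not "host not found".

    `resolve(name)` returns the A-record answer as a string, or None for
    "host not found". Returns (provider name, status code, meaning) when the
    address is listed, or None when every provider reports host not found.
    """
    for provider in providers:
        answer = resolve(dnsbl_query_name(ip, provider["zone"]))
        if answer is None:
            continue  # host not found: try the next provider
        meaning = provider["codes"].get(answer, "listed (unrecognised status code)")
        return provider["name"], answer, meaning
    return None


# Constructed offline resolver standing in for the real DNS lookup.
CONSTRUCTED_ZONE_DATA = {
    "10.2.0.192.bl-one.example.invalid": "127.0.0.2",
    "20.2.0.192.bl-two.example.invalid": "127.0.0.2",
}


def fake_resolve(name):
    """Return the constructed A record for `name`, or None (host not found)."""
    return CONSTRUCTED_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_connection(ip, PROVIDERS, fake_resolve))
```

Because the loop returns on the first non-"host not found" answer, an address listed by the first provider never generates a query to the second one, which is the traffic-saving behaviour the article describes; an address listed only by the second provider costs one query per provider, and an unlisted address is queried against every provider before the connection is accepted.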
Configuring Connection Filtering
After you have subscribed to one or more block list service providers, you can configure Connection Filtering rules. These rules are used to check block lists for IP addresses that should not be allowed to transmit SMTP messages to your Exchange server. To configure Connection Filtering rules, follow these steps:
1. Launch ESM.
2. Select Global Settings in the Scope pane.
3. In the Results pane, right-click on Message Delivery and select Properties.
4. Select the Connection Filtering tab.
5. Click the Add button. The Connection Filtering Rule dialog will appear.
6. In the "Display Name" field, enter the name you want for this rule. Because this name is used for display purposes in the Block List Service Configuration area of the Connection Filtering tab, you should use a display name that is meaningful, such as the name of the service (however, before you do this, see the note that appears after this list of steps).