Posted on February 20, 2015 · Posted in Exchange

Configure Spam Protection in Exchange 2013 – RBL Providers

In this article we'll look at how RBL filters work in Exchange 2013 and how to configure them. First, a reminder of what an RBL is. An RBL (Realtime Blackhole List) is a service that maintains a database of IP addresses of mail servers detected as spammers. RBLs are most often queried over DNS, so these services are also called DNSBLs (DNS Block Lists).

When it receives a message from an unknown sender, a mail server can automatically check these lists and block mail from the IP addresses listed in the database. If the sender address matches an entry in one of the RBL lists, the server returns an SMTP error message 550 5.x.x in response to the RCPT TO command, and the sender gets a non-delivery report (NDR).
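The lookup described above, as an added example that is not part of the original article: the sender's IPv4 octets are reversed, the provider's lookup domain is appended, and the A-record answer decides the verdict. The names `dnsbl.example.test` and `192.0.2.25` are placeholders, the function names are hypothetical, and the 127.255.255.x handling reflects Spamhaus's error-code convention.

```powershell
function Get-DnsblQueryName {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$LookupDomain)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "This example handles IPv4 only: $IPAddress"
    }
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)      # DNSBL names carry the octets in reverse order
    ($octets -join '.') + '.' + $LookupDomain.Trim('.')
}

function Get-DnsblVerdict {
    # $Answer: A records returned for the query name; none means NXDOMAIN.
    param([string[]]$Answer)
    if (-not $Answer) { return 'NotListed' }
    # Spamhaus answers 127.255.255.x when it refuses a query (for example one
    # relayed through a public resolver). That is an error, not a listing, and
    # matters when a provider is added with -AnyMatch $true as on this page.
    if ($Answer -like '127.255.255.*') { return 'ProviderError' }
    if ($Answer -like '127.*')         { return 'Listed' }
    'Unexpected'
}

function Test-Dnsbl {
    param([string]$IPAddress, [string]$LookupDomain)
    $name = Get-DnsblQueryName -IPAddress $IPAddress -LookupDomain $LookupDomain
    try {
        $answer = @([System.Net.Dns]::GetHostAddresses($name) |
                    ForEach-Object { $_.IPAddressToString })
    } catch {
        $base = $_.Exception.GetBaseException()
        if ($base -isnot [System.Net.Sockets.SocketException] -or
            $base.SocketErrorCode -notin 'HostNotFound', 'NoData') { throw }
        $answer = @()              # NXDOMAIN: the address is not listed
    }
    [pscustomobject]@{ Query = $name; Answer = $answer; Verdict = Get-DnsblVerdict $answer }
}

# Offline demonstration on constructed values (no DNS traffic is generated):
Get-DnsblQueryName -IPAddress '192.0.2.25' -LookupDomain 'dnsbl.example.test'
Get-DnsblVerdict -Answer '127.0.0.4'
Get-DnsblVerdict -Answer '127.255.255.254'
Get-DnsblVerdict
```

`Test-Dnsbl` performs the live query and is meant to be run from the Exchange server itself, so that it uses the same resolver the transport service uses.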

In Exchange 2013, the Connection Filtering agent is responsible for blocking connections based on lists of IP addresses. The Connection Filtering agent includes:

  • IP Block Lists – a black list of IP addresses from which the mail must not be accepted (blocked senders)
  • IP Allow Lists – a white list of IP addresses (allowed senders)
  • RBL Providers – the list of RBL providers

The first two lists are static and are maintained manually by the Exchange administrator. The RBL providers list contains the third-party RBL resources to be checked when a message is received.

In Exchange 2007/2010, antispam filtering could be enabled using the install-AntispamAgents.ps1 script. Both filtering agents (Connection Filtering and Content Filtering) were installed on the same server with the Hub Transport role. In Exchange 2013, the transport role is divided into two components, Front End Transport and Back End Transport, and antispam filtering is divided into two parts accordingly. The Front End server performs Connection Filtering and the Back End server does the Content Filtering (including the IMF filter – Exchange Intelligent Message Filter and the virus detecting agent – Malware Agent).

In Exchange 2013, if the CAS and Mailbox roles are installed on the same server, Install-AntispamAgents.ps1 installs only the Content Filtering agent. This means that RBL filtering won't be available.

To install the Connection Filtering agent, use the Install-TransportAgent cmdlet:

Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

After the agent is installed, it should be enabled and the Front End Transport service has to be restarted:

Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
Restart-Service MSExchangeFrontEndTransport

To make sure that the Connection Filtering agent is installed and running, do the following:

Get-TransportAgent -TransportService FrontEnd

Next you have to specify the RBL providers to be used.

Note. Currently, the most popular RBL providers are Spamhaus and SpamCop.

Add-IPBlockListProvider -Name -LookupDomain -AnyMatch $true -Enabled $True

To change the text of the NDR (failure message) returned to the sender, execute this command:

Set-IPBlockListProvider -RejectionResponse "Your IP address is listed by Spamhaus Zen. You can delete it on page"

You can add multiple RBL providers at once, once you have studied their specifics and commercial use policies.
You can display the list of RBL providers currently in use as follows:

Get-IPBlockListProvider

You can check if a certain IP address is in the RBL list with the following command:

Test-IPBlockListProvider -Identity -IPAddress x.x.x.x

By default the logs of the Connection Filter agent are saved to
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog

After the initial information is collected (how long depends on the volume of mail traffic; it usually takes up to 2-3 days), the RBL filtering statistics can be displayed using the Get-AntispamTopRBLProviders.ps1 script:

.\get-AntispamTopRBLProviders.ps1 -location "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog"

After you start using RBL filtering, study the logs carefully to check whether there have been false positives.
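One way to triage the agent logs for false positives, as an added example that is not part of the original article. The sample rows are constructed, the function name is hypothetical, and both the column list and the `BlockListProvider` reason value are assumptions about the agent log layout; the function takes the actual column names from the log's own `#Fields:` line.

```powershell
# Constructed sample. The column list is an assumption about the agent log
# layout; Get-RblRejection reads the real one from the '#Fields:' line.
$sample = @'
#Software: Microsoft Exchange Server
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics,NetworkMsgID,TenantID,Directionality
2015-02-18T09:14:02.113Z,08D2195A00000001,192.0.2.10:25,203.0.113.45:50112,203.0.113.45,,promo@bulk.example,,user1@contoso.example,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Rejected, listed by Example RBL",BlockListProvider,Example RBL,,,,Incoming
2015-02-18T09:15:40.871Z,08D2195A00000002,192.0.2.10:25,203.0.113.45:50340,203.0.113.45,,promo@bulk.example,,user2@contoso.example,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Rejected, listed by Example RBL",BlockListProvider,Example RBL,,,,Incoming
2015-02-18T10:02:11.004Z,08D2195A00000003,192.0.2.10:25,198.51.100.20:41877,198.51.100.20,,billing@partner.example,,user1@contoso.example,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,"550 5.7.1 Rejected, listed by Second RBL",BlockListProvider,Second RBL,,,,Incoming
'@

function Get-RblRejection {
    param([Parameter(Mandatory)][string[]]$LogLine)
    # The '#Fields:' comment line names the CSV columns of every data row.
    $header = $LogLine | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw 'No #Fields header found; this is not an agent log.' }
    $columns = ($header -replace '^#Fields:\s*', '').Split(',')
    $LogLine | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $columns |
        Where-Object { $_.Reason -eq 'BlockListProvider' } |   # RBL rejections only
        ForEach-Object {
            [pscustomobject]@{
                Provider     = $_.ReasonData
                SourceIP     = $_.RemoteEndpoint -replace ':\d+$', ''
                SenderDomain = ("$($_.P1FromAddress)" -split '@')[-1].ToLower()
                Recipient    = $_.Recipient
            }
        }
}

$rejections = Get-RblRejection -LogLine ($sample -split "`r?`n")
# One row per provider / sender domain / source IP, busiest first. Sender
# domains you recognise as legitimate correspondents are the ones to review.
$rejections | Group-Object Provider, SenderDomain, SourceIP |
    Sort-Object Count -Descending | Select-Object Count, Name

# Against real logs (folder as given in the article):
# Get-RblRejection -LogLine (Get-Content 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog\*.log')
```

A source address confirmed as a false positive can then be checked against each provider with Test-IPBlockListProvider before deciding whether to add it to the IP Allow List.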

RBL lists are quite effective at protecting against unwanted mail, but in most cases they have to be used in combination with other antispam methods to provide robust antispam protection.

Tip. If you would like to add a domain or email address to the whitelist in Microsoft Exchange 2013 to bypass any spam filtering systems, then follow the guide Manage Whitelist in Exchange Server 2013.
