In this article we’ll talk about how RBL filters work and how to configure them in Exchange 2013. First, a reminder of what RBL is. RBL (Realtime Blackhole List) is a service that maintains a database of IP addresses of mail servers identified as spam sources. RBLs are most often queried over DNS, so these services are also called DNSBL (DNS Block Lists).
When receiving a message from an unknown sender, a mail server can automatically check these lists and block mail from the IP addresses listed in the database. If the sender's address matches an entry in one of the RBL lists, the server returns an SMTP error 550 5.x.x in response to the RCPT TO command, and the sender gets a non-delivery report (NDR).
In Exchange 2013, the Connection Filtering agent is responsible for blocking connections based on lists of IP addresses. The Connection Filtering agent includes:
- IP Block Lists – a black list of IP addresses from which the mail must not be accepted (blocked senders)
- IP Allow Lists – a white list of IP addresses (allowed senders)
- RBL Providers – the list of RBL providers
The first two lists are static and are maintained manually by the Exchange administrator. The list of RBL providers contains the third-party RBL services to be queried when a message is received.
In Exchange 2007/2010, antispam filtering could be enabled using the install-AntispamAgents.ps1 script. Both filtering agents (Connection Filtering and Content Filtering) were installed on the same server with the Hub Transport role. In Exchange 2013, the transport role is divided into two components, Front End Transport and Back End Transport, and the antispam filtering feature is likewise divided into two parts. The Front End server performs Connection Filtering and the Back End server performs Content Filtering (including the IMF filter – Exchange Intelligent Message Filter and the virus detection agent – Malware Agent).
In Exchange 2013, if the CAS and Mailbox roles are installed on the same server, Install-AntispamAgents.ps1 installs only the Content Filtering agent. This means that RBL filtering won’t be available.
To install the Connection Filtering agent, use the Install-TransportAgent cmdlet:
Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"
After the agent is installed, it should be enabled and the Front End Transport service has to be restarted:
Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
To make sure that the Connection Filtering agent is installed and running, do the following:
Get-TransportAgent -TransportService FrontEnd
Next you have to specify the RBL providers to be used.
Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $True
To change the text of the NDR (failure message) returned to the sender, execute this command:
Set-IPBlockListProvider zen.spamhaus.org -RejectionResponse "Your IP address is listed by Spamhaus Zen. You can delete it on page http://www.spamhaus.org/lookup/"
You can add multiple RBL providers at once, after reviewing their specifics and commercial use policies.
You can display the list of currently used RBL providers as follows:
You can check if a certain IP address is in the RBL list with the following command:
Test-IPBlockListProvider -Identity zen.spamhaus.org -IPAddress x.x.x.x
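The DNS lookup behind an RBL check can be reproduced by hand, which helps when investigating a suspected false positive. The following PowerShell is an added example, not code from the original article; the function names are hypothetical, and treating 127.255.255.x answers as provider error codes rather than listings is an assumption based on Spamhaus's published return-code convention.

```powershell
# Added example (not from the article): the DNS lookup behind an RBL check, done by hand.
# Requires the DnsClient module (Windows Server 2012 / Windows 8 or later) for live lookups.
function Get-DnsblQueryName {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$LookupDomain)
    if ($IPAddress -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { throw "IPv4 dotted quad expected: $IPAddress" }
    $octets = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [array]::Reverse($octets)   # octets are reversed: 192.0.2.25 is queried as 25.2.0.192.<domain>
    ($octets -join '.') + '.' + $LookupDomain.TrimEnd('.')
}

function Get-DnsblVerdict {
    param([string[]]$Answers)   # A records returned for the query name
    if (-not $Answers) { return 'NotListed' }   # NXDOMAIN or no A record
    # Assumption: 127.255.255.x is the provider's error range (Spamhaus convention), not a listing.
    if ($Answers | Where-Object { $_ -like '127.255.255.*' }) { return 'ProviderError' }
    if ($Answers | Where-Object { $_ -like '127.*' }) { return 'Listed' }
    'Unexpected'                # e.g. a resolver that rewrites NXDOMAIN to its own address
}

function Test-DnsblListing {
    param([Parameter(Mandatory)][string]$IPAddress,
          [string]$LookupDomain = 'zen.spamhaus.org')
    $name = Get-DnsblQueryName -IPAddress $IPAddress -LookupDomain $LookupDomain
    $answers = @()
    try {
        $answers = @(Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $verdict = Get-DnsblVerdict -Answers $answers
    } catch {
        # NXDOMAIN means "not on the list"; any other failure is a lookup problem, not a verdict.
        $verdict = if ($_.FullyQualifiedErrorId -like 'DNS_ERROR_RCODE_NAME_ERROR*') { 'NotListed' }
                   else { 'LookupFailed' }
    }
    [pscustomobject]@{ Query = $name; Answers = $answers -join ','; Verdict = $verdict }
}

# Constructed sample values (not real lookups), classified offline:
Get-DnsblQueryName -IPAddress '192.0.2.25' -LookupDomain 'zen.spamhaus.org'
Get-DnsblVerdict -Answers @()
Get-DnsblVerdict -Answers '127.0.0.2'
Get-DnsblVerdict -Answers '127.255.255.254'

# Live check (needs DNS); 127.0.0.2 is the standard DNSBL test entry (RFC 5782):
# Test-DnsblListing -IPAddress '127.0.0.2'
```

With -AnyMatch $true every answer from the provider, including an error code, counts as a match, so a ProviderError verdict points to a problem with the DNS resolver the server uses rather than to a spam source.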
By default, the logs of the Connection Filtering agent are saved to:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog
After the initial information is collected (this depends on the volume of mail traffic and usually takes up to 2-3 days), the RBL filtering statistics can be displayed using the Get-AntispamTopRBLProviders.ps1 script:
.\get-AntispamTopRBLProviders.ps1 -location "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog"
After you start using RBL filtering, study the logs carefully to check for false positives.
RBL lists are quite effective at protecting against unwanted mail, but in most cases they have to be used in combination with other antispam methods to provide robust antispam protection.