Exchange connection filter using a Real Time Block list, and IMFPerfmon.msc

Here are some things I do. I may miss a step so you may have to
confirm things. After you added connection filter provider you need to
make sure you have checked that stuff in the default virtual server.

Global Settings/Message Delivery right click Properties.
Sender Filtering: Check Filter messages with a blank sender and Drop
connection if address filter matches filter.
Connection Filtering: Add your favorite RBL services. I happen to use zen.spamhaus.org Please visit www.spamhaus.org to review terms and conditions to see if you are eligible to use their services.
Intelligent Messaging Filtering: I set it at 7 and Reject. You want
reject so if there was a valid message the sender receives notice that
your server rejected the message.
Recipient Filtering: Filter recipients who are not in the Directory.

Apply and go to Servers/Servername/Protocols/Default SMTP Virtual
Server right click Properties.
Advanced.
Edit
I check everything but Sender ID Filter.

Make sure you are on Exchange SP2 and you add the registry dword
HKLM\Software\Microsoft\Exchange\ ContentFilterState set to 1. That
key lets Microsoft Updates get IMF definitions.

I open up perfmon.msc from the Run box.
On the icon bar I click on the notebook icon to get the report view.
Click on the + sign next to it to add some counters.
In the Performance Object drop down box look for
MSExchange Transport Filter Sink. Choose all counters and Add.
Back to Performance Object and choose MSExchange Intelligent Message
Filter. Choose all counters and Add. I really do not care for the per
second counters so you can choose select counters from list if you
like.

Now you have a permon that is showing how much stuff is going in to
your Exchange server that the IMF considers spam. It shows you how
many connections are being rejected by the RBL. It shows you how many
connections are being dropped because the recipient is not in your
Active Directory. I do a little math and come up with some interesting
numbers.

Click on File and save as. I save it as imfperfmon.msc. I right click
on the desktop and make a new shortcut. Type imfperfmon.msc in the
next two boxes. Now you have a shortcut on your desktop anytime you
want to see how the RBL and IMF are doing.

Back to your question. If you have the imfperfmon working you can see
a little about what is coming in. Last night I had an account getting
slammed with some mailer daemon nonsense. I need to visit to see what
is really going on.

Mail may still be stuck in the queue as your server is trying to send
out Non Delivery Reports to bogus addresses. If you have done the
clicks I mentioned and others hopefully the junk will be blocked.
Those NDRs will die off after a few days. The default setting in
Exchange is to try to deliver for 2 days and then give up. There is a
trick to flush all the messages out but it may be just as easy to let
them die out on their own. As long as you do the clicks I did you
should eventually be ok.

Another rant is that I do in Exchange System Manager. Properties of
the Default SMTP Virtual Server/ Access/Relay. I have the button only
in the list. Below that list I do not have the checkbox clicked for
All computers that successfully authenticate. There is no computer
that I want to relay against my server. I want everyone to be using
Outlook or Outlook Web Access to deal with email. That is just another
way for people to cause trouble. Of course after a misadventure I get
to suggest now is the time to have passwords 8 characters long and
having more than 2 things from the keyboard. Since there are at least
6 easy things on the keyboard it should be not hard to create and easy
to remember complex password.
http://www.microsoft.com/protect/you…rd/create.mspx


2 thoughts on “Exchange connection filter using a Real Time Block list, and IMFPerfmon.msc

  1. Your information was very helpful and it has helped with some issues. I appreciate your detail on navigation. Thanks for sharing your knowledge with us.

  2. Exchange 2011 Real-time Block Lists
    A real-time block list (RBL) is a method of stopping spammers from being able to send out large quantities of distasteful spam. A real-time block list is managed and maintained by an organization (company, non-profit, or volunteers) who track spam activity and create a list of known violators. Violations can include SMTP configurations to being caught sending spam. Once you are on their list, you can typically request removal. Some site will publish email addresses and all messages received to that email address is spam.
    When a computer connects to your Exchange server, Exchange will query the specified real-time block list. If the address is on that list, Exchange will generate an error and refuse the message. The server that was trying to send the spam is then responsible to generate a non-delivery report and send it the sender. This will eventually lock up the sending server until their open relay is detected and resolved.
    For a list of real-time block lists, please refer to the Wikipedia article:
    http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
    Setup
    The process is the same for Exchange 2008 and Exchange 2010.
    To setup a RBL, open Exchange Management Console – the GUI, and under Organization Configuration select Hub Transport. Select the Anti-Spam tab and right click IP Block List Providers selecting Properties. You can add lists and set them up here.

Leave a Reply

Your email address will not be published. Required fields are marked *