Channel: Exchange Server Development forum

Exchange 2013 Realtime Block List is Kind of Working


Hi Everyone.

I've been setting up an RBL in Exchange 2013 using zen.spamhaus.org. The IPBlockListProviders require that the connection filtering agent be enabled. By default, when running the installantispamagents.ps1, this script will not install that connection filtering agent because it only installs on an "edge" server, and since Exchange 2013 did away with the "edge" role, it did not get installed. I had to modify the script so it installed that connection filtering agent with all the other anti-spam agents. (We are a one-Exchange-server shop, so the CAS and Mailbox roles are on one box.)

I'm having a very weird response. The RBL list works and when I get a test email sent to me using the service at 'nelson-sbl-test@crynwr.com', I can see the Reject message getting sent back out in the agent logs and the SMTP logs. This is the message I see in the logs. Notice that the originating IP and the RBL triggering IP are the same: 192.203.178.107.

2012-12-14T01:59:04.970Z,08CFA71A75A19B4B,10.10.3.50:2525,192.203.178.107:55186,192.203.178.107
,,<>,,t***********e@*****.org,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,550
5.7.1 zen.spamhaus.org has blocked your IP address (192.203.178.107) using the list
'zen.spamhaus.org'. Please see http://www.spamhaus.org/query/bl?ip=192.203.178.107 for further
information. This organization has no control over this RBL (Realtime Blo,BlockListProvider,
zen.spamhaus.org,,,,Undefined


This is a correct message and that IP address matches the Test RBL IP address spamhaus has blacklisted to check RBL filters. The IP address is added dynamically to the message with a variable in the reject message settings and should list the IP address of the SMTP server that triggered the RBL hit.

The VERY strange thing is when I trigger the RBL with the test message, Exchange rejects all incoming mail for my account from any source for several minutes and rejects with that same message. I send a test message from my Google account and I can clearly see in the agent log that the SMTP connection is coming from a Google IP, but it still rejects and issues the message that was sent in response to my test using 'nelson-sbl-test@crynwr.com'.

This is the reject message sent to my Google account after I sent myself an email following the RBL test message. Notice that the originating IP is a Google IP and does not match the IP the reject message claims the message came from. The log shows the originating IP as 74.125.82.179 (a Google IP) but I'm rejecting the message because 192.203.178.107 is blocked??? The message didn't come from that IP.

2012-12-14T02:00:06.318Z,08CFA71A75A19B4B,10.10.3.50:2525,74.125.82.179:50654,74.125.82.179,,
t***t@******.net,,t*******te@******.org,1,Connection Filtering Agent,OnRcptCommand,
RejectCommand,550 5.7.1 zen.spamhaus.org has blocked your IP address (192.203.178.107) using
the list 'zen.spamhaus.org'. Please see http://www.spamhaus.org/query/bl?ip=192.203.178.107
for further information. This organization has no control over this RBL
(Realtime Blo,BlockListProvider,zen.spamhaus.org,,,,Undefined

After a couple minutes, it clears up and I can get mail again. I just cannot for the life of me figure out why all messages are rejected for several minutes after I have an RBL hit and the reject message is always referencing the SMTP transaction that originally triggered the hit. Which, in this case, is blocking my Gmail message thinking it's coming from the crynwr.com test even when the SMTP logs show a completely different SMTP originating IP and connection.

Here is my IPBlockListProvider:


RunspaceId        : 068b87d2-9c34-4ce9-ab05-eedef928cb27
RejectionResponse : {1} has blocked your IP address ({0}) using the list '{2}'. Please see 
                    http://www.spamhaus.org/query/bl?ip={0} for further information. This organization has no control 
                    over this RBL (Realtime Block List).
LookupDomain      : zen.spamhaus.org
Enabled           : True
AnyMatch          : True
BitmaskMatch      : 
IPAddressesMatch  : {}
Priority          : 1
AdminDisplayName  : 
ExchangeVersion   : 0.1 (8.0.535.0)
Name              : zen.spamhaus.org
DistinguishedName : CN=zen.spamhaus.org,CN=IPBlockListProviderConfig,CN=Message Hygiene,CN=Transport 
                    Settings,CN=Bel******ch,CN=Microsoft 
                    Exchange,CN=Services,CN=Configuration,DC=b******rk,DC=net
Identity          : zen.spamhaus.org
Guid              : 0c9b5eec-b19a-4ab5-9c6a-cb1666cf68d6
ObjectCategory    : beltwaypark.net/Configuration/Schema/ms-Exch-Message-Hygiene-IP-Block-List-Provider
ObjectClass       : {top, msExchMessageHygieneIPBlockListProvider}
WhenChanged       : 12/12/2012 10:02:36 PM
WhenCreated       : 12/12/2012 10:02:36 PM
WhenChangedUTC    : 12/13/2012 4:02:36 AM
WhenCreatedUTC    : 12/13/2012 4:02:36 AM
OrganizationId    : 
OriginatingServer : Lucas.*****.net
IsValid           : True
ObjectState       : Unchanged
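
A way to find every rejection affected by the mismatch described in the post, as an added example that is not part of the original post: it scans agent-log records for block-list rejections whose response text names a different IP than the connection's remote endpoint, and builds the DNSBL name to re-query for the address that actually connected. The column positions follow the two log lines quoted above; the field labels, the sample records, the session id and the mailboxes are assumptions constructed for the example.

```python
import csv
import io
import re

# Column positions as they appear in the agent-log lines quoted in the post;
# the names are labels assumed for this example.
TIME, SESSION, REMOTE, ACTION, RESPONSE, REASON, ZONE = 0, 1, 3, 12, 13, 14, 15
BLOCKED_RE = re.compile(r"blocked your IP address \(([0-9A-Fa-f.:]+)\)")

# Constructed sample modelled on the post's two entries (RFC 5737 addresses,
# made-up session id and mailboxes).
RESP = ("550 5.7.1 zen.spamhaus.org has blocked your IP address (192.0.2.107) "
        "using the list 'zen.spamhaus.org'.")
TAIL = ",BlockListProvider,zen.spamhaus.org,,,,Undefined\n"
SAMPLE_LOG = (
    "#Fields: constructed header line (skipped by the parser)\n"
    "2012-12-14T01:59:04Z,AAAA01,10.10.3.50:2525,192.0.2.107:55186,192.0.2.107,,<>,,"
    "u@example.org,1,Connection Filtering Agent,OnRcptCommand,RejectCommand," + RESP + TAIL +
    "2012-12-14T02:00:06Z,AAAA01,10.10.3.50:2525,198.51.100.179:50654,198.51.100.179,,"
    "s@example.net,,u@example.org,1,Connection Filtering Agent,OnRcptCommand,RejectCommand," + RESP + TAIL
)

def remote_ip(endpoint):
    """Strip the port from an 'ip:port' endpoint (brackets removed for IPv6)."""
    return endpoint.rsplit(":", 1)[0].strip("[]")

def dnsbl_name(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def find_mismatches(log_text):
    """Block-list rejections whose response names a different IP than the
    one the SMTP connection actually came from."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row or row[0].startswith("#") or len(row) <= ZONE:
            continue
        if row[ACTION] != "RejectCommand" or row[REASON] != "BlockListProvider":
            continue
        named = BLOCKED_RE.search(row[RESPONSE])
        actual = remote_ip(row[REMOTE])
        if named and named.group(1) != actual:
            hits.append({"time": row[TIME], "session": row[SESSION],
                         "connected_from": actual, "response_names": named.group(1),
                         "recheck": dnsbl_name(actual, row[ZONE])})
    return hits

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print(hit)
```

Resolving the `recheck` name with a DNS lookup shows whether the block list really lists the address that connected; the `session` value shows whether the mismatched rejections share a session id with the original hit, as the two log lines in the post do.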



