Saturday, December 6, 2014

Adding and checking RBL and DNSBL in Exchange 2010

To add an RBL and DNSBL to Exchange 2010 using EMC:


Open the EMC, expand Microsoft Exchange On-Premises –> Organization Configuration –> Hub Transport.


Select the Anti-Spam tab.


Right-click IP Block List Providers and select Properties.





Select the Providers tab, and click Add…





Enter the details of the block list provider.  EG:





Some basic providers you can use are:


zen.spamhaus.org
dnsbl.sorbs.net



To do the same thing in Exchange Management Shell:


Add-IPBlockListProvider -Name '%NAME%' -LookupDomain '%LOOKUPDOMAIN%' -Enabled $true -BitmaskMatch $null -IPAddressesMatch @() -AnyMatch $true -Priority '%PRI%' -RejectionResponse ''


Where:
%NAME% is the name you wish to give the DNSBL (Eg: Spamhaus, sorbs, etc);
%LOOKUPDOMAIN% is the domain that is queried (the DNSBL domain) (zen.spamhaus.org, dnsbl.sorbs.net, etc); and
%PRI% is priority, 1, 2, 3, etc


eg:
Add-IPBlockListProvider -Name 'Spamhaus' -LookupDomain 'zen.spamhaus.org' -Enabled $true -BitmaskMatch $null -IPAddressesMatch @() -AnyMatch $true -Priority '1' -RejectionResponse ''
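
Before relying on a provider, it helps to confirm that it actually answers from the Exchange server. The following is an added example, not part of the original post: a hypothetical Test-DnsblListing function that builds the DNSBL query by hand (reversed octets plus the lookup domain) and resolves it through the server's own DNS settings.

```powershell
# Added example (not from the original post). Runs on PowerShell 2.0 and later.
function Test-DnsblListing {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,     # IPv4 address to look up
        [Parameter(Mandatory = $true)][string]$LookupDomain   # DNSBL zone, e.g. zen.spamhaus.org
    )
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "This example handles IPv4 addresses only."
    }
    # A DNSBL query is the IP's octets reversed, prepended to the lookup domain.
    $octets = $ip.GetAddressBytes()
    [Array]::Reverse($octets)
    $queryName = ($octets -join '.') + '.' + $LookupDomain

    $codes = @(); $dnsError = $null
    try {
        $codes = @([System.Net.Dns]::GetHostAddresses($queryName) | ForEach-Object { $_.ToString() })
    }
    catch {
        # "Host not found" / "no data" is the normal not-listed answer; anything else is a DNS problem.
        $base = $_.Exception.GetBaseException()
        $notListed = ($base -is [System.Net.Sockets.SocketException]) -and
            (('HostNotFound', 'NoData') -contains $base.SocketErrorCode.ToString())
        if (-not $notListed) { $dnsError = $base.Message }
    }
    # Spamhaus uses 127.255.255.x for query errors, not listings. With -AnyMatch $true
    # every returned code counts as a match, so these are worth flagging.
    $errorCodes = @($codes | Where-Object { $_ -like '127.255.255.*' })

    New-Object PSObject -Property @{
        Query       = $queryName
        Listed      = ($codes.Count -gt 0 -and $errorCodes.Count -eq 0)
        ReturnCodes = ($codes -join ', ')
        ErrorCodes  = ($errorCodes -join ', ')
        DnsError    = $dnsError
    }
}

# 127.0.0.2 is the conventional always-listed test entry and 127.0.0.1 must never
# be listed (RFC 5782), so a working provider returns Listed = True, then False.
foreach ($zone in 'zen.spamhaus.org', 'dnsbl.sorbs.net') {
    foreach ($testIp in '127.0.0.2', '127.0.0.1') {
        Test-DnsblListing -IPAddress $testIp -LookupDomain $zone |
            Select-Object Query, Listed, ReturnCodes, ErrorCodes, DnsError
    }
}
```

If the 127.0.0.2 test is not listed, or ErrorCodes is populated, fix DNS resolution from the server before enabling the provider.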



To check if the RBL is working, or to check if it is rejecting legitimate emails, you can use the following commands from the Exchange Management Shell (mm/dd/yyyy date format, regardless of regional settings):


Get-AgentLog -StartDate "08/22/2014" | where {$_.Reason -eq "BlockListProvider"}


This will list all emails that were rejected due to a Block List Provider from 22/08/2014 to the present.
Using Get-Member we can see the properties: Action; Agent; Diagnostics; Event; IPAddress; MessageID; P1FromAddress; P2FromAddresses; Reason; ReasonData; Recipients; SessionID; SMTPResponse; and TimeStamp.


This will list all emails that were rejected that came from *example.org:


Get-AgentLog -StartDate "08/22/2014" | where {$_.Reason -eq "BlockListProvider" -and $_.P1FromAddress -like "*example.org"}


This will list all emails that were rejected that were addressed to anonit@example.com:


Get-AgentLog -StartDate "08/22/2014" | where {$_.Reason -eq "BlockListProvider" -and $_.Recipients -like "anonit@example.com"}


Show all originating IP addresses that were blocked by a rule called SpamHaus:


Get-AgentLog -StartDate "08/22/2014" | where {$_.ReasonData -eq "SpamHaus"} | Select-Object IPAddress
