Documentation Home > Exchange Anti-Spam Toolkit
Connection Filter
The Connection Filter filters messages based on the source IP address. It supports DNS-based IP Block List and Allow List Providers (also known as IP-based DNSBLs), as well as custom lists of allowed and blocked IP addresses or ranges of IP addresses.
If the source IP address of a message matches an entry on the IP Block List or an IP Block List Provider, Exchange will terminate the SMTP connection with an error code and message, effectively rejecting all messages from that IP address.
If the source IP address of a message matches the IP Allow List or an IP Allow List Provider (IP-based DNS Whitelist or DNSWL), the message will bypass all other anti-spam filters.
In an Exchange environment with Edge Transport servers, the Connection Filtering Agent should be installed on Edge Transport servers only (not on Mailbox or Hub servers).
In Exchange 2013 and above, the Connection Filtering Agent is only installed on Edge Transport servers, not Mailbox (Hub) servers, when using the provided Install-AntispamAgents.ps1 script. In Exchange 2010 it was supported on Hub Transport servers and we have found that it works well on Mailbox (Hub) servers in Exchange 2013, 2016 and 2019, as long as the list of Internal SMTP Servers (in Organization Config) is configured correctly.
In an Exchange environment without Edge Transport servers, we recommend installing the Connection Filtering Agent on Mailbox (Hub) servers. For instructions on installing it on Mailbox (Hub) servers, see Installing the Connection Filtering Agent.
For more information, see Connection filtering on Edge Transport servers in Exchange Server .
We recommend using the Connection Filter in all Exchange environments unless a separate anti-spam service or solution is already in use. IP-based DNS Block Lists (DNSBLs), such as Spamhaus, are some of the most effective tools for filtering spam. While Spamhaus is almost universally used and accepted, we recommend taking the time to understand the listing policies of other IP-based DNSBL services before enabling them in your environment.
IP Allow List & IP Block List
The IP Allow List and IP Block List allow you to define sender IP addresses or ranges of sender IP addresses which will be allowed or blocked.
IP Range
The IP Range value can be either:
- A single IP address, e.g. 192.168.0.1
- A range of IP addresses, e.g. 192.168.0.1-192.168.0.254
- A range of IP addresses in CIDR format, e.g. 192.168.0.1/24
Rejection Responses
In the case of a manually-entered IP block list entry, the Static Entry Rejection Response will be returned with an error code in the SMTP session before it is terminated. The Comment value attached to specific IP Block List entries is not used in any rejection responses.
The Machine Entry Rejection Response will be used in the case of an IP block list entry created by the Sender Reputation filter.
IP Allow List Providers & IP Block List Providers
IP Allow List Providers and IP Block List Providers allow the source IP address of incoming messages to be queried against IP-based DNS Block List (DNSBL) or IP-based DNS White List (DNSWL) services. Multiple IP Allow List and IP Block List providers can be defined.
If the source IP address is listed by any of the IP Allow List Providers, all other anti-spam filtering will be bypassed for the message. If the response from any IP Block List Provider indicates that the source IP address is listed, the SMTP session will be terminated with the specified error response, and other providers will not be checked.
Understanding IP Allow & Block List Providers
It is useful to understand the process by which Exchange (or another mail server) queries an IP Allow or Block List Provider.
In this example, the source IP address of the message is 192.168.0.1 and the provider being queried is zen.spamhaus.org.
- The provider is queried by performing a special DNS query.
- Exchange will perform a DNS lookup for the address 1.0.168.192.zen.spamhaus.org (note that the IP address octets have been reversed).
The response to the DNS query from the IP Allow or Block List Provider determines the action to be taken:
- If a DNS entry is not found (no response), then the IP address is not considered to be listed by that provider and message processing will continue (by moving onto the next IP Allow or Block List Provider, if necessary).
- If a DNS entry is found, a response code will be returned in the format of an IP address or multiple IP addresses.
- The responses are not normally valid IP addresses. They are usually special loopback IP addresses (such as 127.0.0.2) which correlate to specific response codes. The response codes are different for each provider and need to be checked by referring to the documentation or usage guidelines for that provider. We have provided the details for commonly-used providers below.
- The presence of a response does not necessarily mean that the IP address is listed. The response code needs to be interpreted to determine whether the IP address is actually listed.
- If the response code returned matches one of the values defined as IP Addresses Match for that provider (or if Any Match is enabled), then Exchange will consider the IP address to be listed by that provider.
- If the response code does not match one of the values defined as IP Addresses Match for that provider and Any Match is disabled, message processing will continue (by moving onto the next IP Allow or Block List Provider, if necessary).
You can use the Windows command nslookup to manually query a specific IP Allow or Block List Provider. Many providers have special codes which can be queried to allow you to test your configuration.
For example, the command nslookup 2.0.0.127.zen.spamhaus.org will respond with the return codes 127.0.0.2, 127.0.0.10 and 127.0.0.4:
Non-authoritative answer:
Name: 2.0.0.127.zen.spamhaus.org
Addresses: 127.0.0.10
127.0.0.2
127.0.0.4
DNS Configuration May Be Required
DNS configuration may be required for correct operation of some IP Allow List Providers or IP Block List Providers. Many DNSBL or DNSWL services do not allow queries from ISP or public DNS servers. If your network forwards all external DNS queries to an ISP or public DNS server, additional configuration will be required (see below).
You can use use the nslookup command as explained above to test that your DNS configuration is compatible with each IP Allow or Block List Provider.
See DNS Configuration for DNS-based Block Lists Providers & Allow List Providers for details.
Accurate Configuration of DNSBL Return Codes Required
Accurate configuration of the the IP Addresses Match setting (return codes) for each IP Block List Provider (IP-based DNSBL), according to their documentation, is required. Usage of the Any Match setting is very strongly discouraged as there is a high risk of false positives and even causing all mail to be rejected if one of these statuses is returned.
Some response codes indicate that the query was invalid, or it was rejected due to originating from a public or ISP DNS server, or that the threshold of queries has been exceeded, not that the IP address is actually listed. If Any Match is enabled and such a response is received, all messages will be rejected.
Some providers also return different codes to indicate different severities of listings to allow you to adjust the threshold at which messages will be rejected.
We have provided sample configuration for many popular IP Block List Provider (IP-based DNSBL) services to assist you in achieving an optimal configuration.
Adding IP Allow or Block List Providers
The Name, Lookup Domain and either Any Match or IP Addresses Match are mandatory for every IP Allow or Block List Provider.
Each return code which should be considered as a listing needs to be added to the IP Addresses Match list.
The Rejection Response will be returned in the SMTP session, together with an SMTP error code, when an IP address is listed by an IP Block List Provider. {0} can be used as a placeholder for the IP address in the rejection response message.
Providers with the lowest-numbered priority will be queried first. To minimize DNS traffic, we recommend using the lowest-numbered priorities for the largest providers (such as Spamhaus).
We do not recommend using Bitmask Match as it is inadequately documented.
IP Allow List Provider Configuration Examples
The following example configurations are provided to assist with configuration of IP Allow List Providers. These are provided for your reference only and we encourage you to refer to each provider's documentation to ensure that the IP Addresses Match setting is configured accurately and appropriately for your environment.
IP Allow List Provider Name | Lookup Domain | IP Addresses Match | |||
---|---|---|---|---|---|
DNSWL Refer to the DNSWL documentation to understand the return codes provided by this service. |
list.dnswl.org |
|
|
|
|
UCE Protect | ips.whitelisted.org | 127.0.0.2 |
IP Block List Provider Configuration Examples
The following example configurations are provided to assist with configuration of IP Block List Providers. These are provided for your reference only and we encourage you to refer to each provider's documentation to ensure that the IP Addresses Match setting is configured accurately and appropriately for your environment.
IP Allow List Provider Name | Lookup Domain | IP Addresses Match |
---|---|---|
Spamhaus ZEN | zen.spamhaus.org |
|
SpamCop | bl.spamcop.net | 127.0.0.2 |
Barracuda | b.barracudacentral.org | 127.0.0.2 |
Return Path Sender Score | bl.score.senderscore.com |
127.0.0.2 |
Truncate | truncate.gbudb.net | 127.0.0.2 |
MailSpike | bl.mailspike.net |
|
Fabel Spamsources | spamsources.fabel.dk | 127.0.0.2 |
SORBS Open Relay | smtp.dnsbl.sorbs.net | 127.0.0.5 |
SORBS Dynamic IP Addresses | dul.dnsbl.sorbs.net | 127.0.0.10 |
SORBS Viruses | virus.dnsbl.sorbs.net | 127.0.0.15 |
SORBS Escalations | escalations.dnsbl.sorbs.net | 127.0.0.6 |
UCE Protect Level 1 | dnsbl-1.uceprotect.net | 127.0.0.2 |
UCE Protect Level 2 | dnsbl-2.uceprotect.net | 127.0.0.2 |
UCE Protect Level 3 | dnsbl-3.uceprotect.net | 127.0.0.2 |
SPFBL | dnsbl.spfbl.net | 127.0.0.2 |
Understand Listing Policies Before Enabling IP Block List Providers
It is important to research and understand the listing policies of individual IP Block List Providers before enabling them in your environment. We do not advise simply adding all of the above IP Block List Providers into your configuration.
Adding IP Block List Providers without understanding their listing policies is likely to result in a large number of false positives and legitimate mail being rejected.
Some providers are region-focused or are intended more as a scoring mechanism, not for outright rejection of messages. Note that Exchange does not currently support using IP Block List Providers as a scoring mechanism, only for outright rejection.
Spamhaus and SpamCop are the only IP Block List Providers we recommend enabling if you do not wish to research individual providers and their listing policies. These two providers are very widely used and accepted.
IP Block List Providers Allowed Recipients
Messages sent to recipient (internal) email addresses which have been added to this list will bypass filtering by all IP Block List Providers.