Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-03-19
IP Block List is part of the connection filtering feature in Exchange. When the IP Block List feature is enabled on a computer, the Connection Filter agent analyzes all messages that come through all Receive connectors on that computer and blocks all incoming messages from addresses specified in the IP Block list.
This topic explains how to use the EMC or the Shell to manage the IP Block list.
Note: Connection filtering is part of the suite of anti-spam features in Exchange. The anti-spam features are only available on Edge Transport servers by default. You can enable anti-spam features on a Hub Transport server even though it isn't recommended. To learn more about enabling anti-spam features on a Hub Transport server, see Enable Anti-Spam Functionality on a Hub Transport Server. The procedures listed in this topic are for configuring anti-spam functionality on an Edge Transport server, but the process is identical on Hub Transport servers.
What Do You Want to Do?
Use the EMC to manage the IP Block list
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.
- In the console tree, click Edge Transport.
- In the result pane, click the Edge server you want to configure, and then select the Anti-spam tab in the work pane.
- Right-click IP Block List, and then select Properties.
- The General tab displays the following information about the IP Block List feature.
  - Status: Shows whether the IP Block List feature is enabled or disabled.
  - Modified: Shows the date and time when IP Block List properties were last modified.
  - Description: Provides a brief description of the IP Block List feature.
- Use the Blocked Addresses tab to manage a list of specific IP addresses for which e-mail messages are always blocked by the Connection Filter agent. If an originating IP address matches an IP address or IP address range on the IP Block list, the Connection Filter agent disconnects the SMTP session after all RCPT TO: headers in the message are processed.
  - Add - IP Address: To enter an IP address without a subnet mask, or to specify the subnet mask by using Classless Interdomain Routing (CIDR) notation, click Add or the drop-down arrow located next to Add and select IP Address. In the Add Blocked IP Address - CIDR dialog, enter the IP address directly or specify a subnet using the CIDR notation. For example, if you enter 192.168.1.1, only that host will be added to the IP Block list, but if you specify 192.168.1.0/24, the entire class C subnet of 192.168.1.0 will be added to the IP Block list.
  - Add - IP and Mask: To enter an IP address or subnet together with a subnet mask in dotted decimal notation, click the drop-down arrow located next to Add and select IP and Mask. In the Add Blocked IP Address - IP and Mask dialog, specify the IP address and the subnet mask.
  - Add - IP Range: To specify an IP address range by using the first IP address and the last IP address in the range, click the drop-down arrow located next to Add and select IP Range. In the Add Blocked IP Address - IP Range dialog, specify the start and end addresses of the IP range.

    Regardless of the method you choose to add an IP address, the dialog also gives you the option to specify an expiration date. By default, the Never let this address expire option is selected and messages from this address are blocked permanently. However, if you want to specify an expiration date, select Block until date and time and specify a date. Messages from this IP address will no longer be blocked after the date you specified.
  - Remove: To remove an existing entry from the IP Block list, select the entry, and then click .
Use the Shell to manage the IP Block list
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.
You use the Add-IPBlockListEntry and Remove-IPBlockListEntry cmdlets to manage the addresses in the IP Block list. You can specify individual IP addresses, IP subnets using the CIDR notation, or IP ranges.
The following example adds the IP address 192.168.0.100 to the IP Block list.
```powershell
Add-IPBlockListEntry -IPAddress 192.168.0.100
```
The following example adds the IP subnet 192.168.1.1/24 to the IP Block list.
```powershell
Add-IPBlockListEntry -IPRange 192.168.1.1/24
```
The following example adds the IP range 10.0.0.100-10.0.0.255 to the IP Block list.
```powershell
Add-IPBlockListEntry -IPRange 10.0.0.100-10.0.0.255
```
As you add entries to the IP Block list, Exchange automatically assigns IDs to the entries. To remove an address from the IP Block list using the Shell, you must specify this ID. However, an easier way to remove an address is to pipeline the output of the Get-IPBlockListEntry cmdlet to the Remove-IPBlockListEntry cmdlet. For example, if you want to remove the IP address 192.168.0.100 from your IP Block list, run the following command:
```powershell
Get-IPBlockListEntry -IPAddress 192.168.0.100 | Remove-IPBlockListEntry
```
If you want to remove a range, specify an IP address that is within that range for the IPAddress parameter of the Get-IPBlockListEntry cmdlet. The following example shows how you can remove the subnet 192.168.1.1/24:
```powershell
Get-IPBlockListEntry -IPAddress 192.168.1.1 | Remove-IPBlockListEntry
```
When using the Shell to add an address to the IP Block list, you can also specify an expiration date and time. After the specified date and time, messages received from the specified address will no longer be blocked. The following example adds the IP address 10.0.10.25 to the IP Block list and configures it to expire on January 1, 2010 at 10:00 AM.
```powershell
Add-IPBlockListEntry -IPAddress 10.0.10.25 -ExpirationTime "1/1/2010 10:00"
```
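The following script is an added example, not part of the original topic. It combines the add, lookup, and expiration steps above into a time-boxed bulk block: each candidate is validated, skipped if an existing entry already covers it, and added with an expiry. The candidate list, the seven-day window, and the comment text are assumptions; the Comment and WhatIf parameters and the HasExpired and IsMachineGenerated properties are not shown elsewhere in this topic.

```powershell
# Added example. Run in the Exchange Management Shell on the Edge Transport server.
# $candidates is constructed sample data; 10.0.0.300 is deliberately invalid.
$candidates = @('192.168.0.100', '192.168.1.0/24', '10.0.0.300', '10.0.10.25')
$expires    = (Get-Date).AddDays(7)                      # assumed policy: blocks lapse after 7 days
$comment    = 'Temporary block, review before expiry'    # hypothetical comment text

foreach ($item in $candidates) {
    # Split "address/prefix"; a bare address leaves $prefixText as $null.
    $addrText, $prefixText = $item -split '/', 2

    # TryParse accepts shorthand such as "10.1", so also require the
    # canonical dotted form to round-trip unchanged (IPv4 input assumed).
    $parsed = $null
    $ok = [System.Net.IPAddress]::TryParse($addrText, [ref]$parsed)
    if ((-not $ok) -or ($parsed.ToString() -ne $addrText)) {
        Write-Warning "Skipping '$item': not a valid IPv4 address"
        continue
    }

    if ($null -ne $prefixText) {
        $prefix = 0
        $ok = [int]::TryParse($prefixText, [ref]$prefix)
        if ((-not $ok) -or ($prefix -lt 0) -or ($prefix -gt 32)) {
            Write-Warning "Skipping '$item': CIDR prefix must be 0-32"
            continue
        }
    }

    # Returns any entry (single address or range) that contains this address.
    $existing = Get-IPBlockListEntry -IPAddress $addrText
    if ($existing) {
        Write-Host "Skipping '$item': already covered by an existing entry"
        continue
    }

    # -WhatIf only previews the change; remove it to commit the entry.
    if ($null -ne $prefixText) {
        Add-IPBlockListEntry -IPRange $item -ExpirationTime $expires -Comment $comment -WhatIf
    } else {
        Add-IPBlockListEntry -IPAddress $item -ExpirationTime $expires -Comment $comment -WhatIf
    }
}

# Review manually added entries, soonest expiry first.
Get-IPBlockListEntry | Where-Object { -not $_.IsMachineGenerated } |
    Sort-Object ExpirationTime |
    Format-Table Identity, IPRange, ExpirationTime, HasExpired -AutoSize
```

For a CIDR candidate the coverage check only tests the address part of the entry, so an existing entry that overlaps a different part of the subnet is not detected.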
For detailed syntax and configuration information, see the following topics: