Administrators of Edge Transport servers maintain administrator-defined lists of IP addresses. You can enter and delete the IP addresses that you want to allow or block by using the Exchange Management Console or the Exchange Management Shell. You can add IP addresses individually, by IP address range, or by IP address and subnet mask.

When you add an IP address or IP address range, you must specify the IP address or IP address range as an IP Block address or an IP Allow address. Additionally, you can specify an expiration time for each IP Block List entry that you create. When you set the expiration time, the expiration time specifies how long the IP Block List entry is active. When the expiration time duration is reached, the IP Block List entry is disabled.

By using administrator-defined IP Allow lists and IP Block lists, you can configure connection filtering to support the following scenarios:

• To exempt IP addresses from the IP Block lists of IP Block List providers   You may have to exempt IP addresses from the IP Block lists of IP Block List providers when legitimate senders are unintentionally put on an IP Block List provider's IP Block list. For example, legitimate senders could be unintentionally put on an IP Block list when an SMTP server was unintentionally configured to act as an open relay. In this scenario, the sender will probably try to correct the misconfiguration and remove their IP address from the IP Block List provider's IP Block list.
  
  For more information about IP Block List providers, see "IP Block List Providers" later in this topic.
  
  
• To deny access from IP addresses that are a source of unsolicited e-mail messages but are not found on an IP Block List provider's IP Block lists   Sometimes, you may receive a large quantity of unsolicited messages from a source that was not yet identified by a real-time block list (RBL) service to which you subscribe.
  
  

IP Block List provider services can help you reduce the number of unsolicited e-mail messages that enter your organization.

Note:
IP Block List provider services are frequently referred to as real-time block list (RBL) services. The Exchange Management Console refers to RBL services as IP Block List provider services. The terms "RBL services" and "IP Block List provider services" are equivalent.

IP Block List provider services compile lists of IP addresses from which spam has originated in the past. Additionally, some IP Block List providers provide lists of IP addresses for which SMTP is configured for open relay. There are also IP Block List provider services that provide lists of IP addresses that support dial-up access. Internet service providers (ISP) that provide dial-up access services to their clients assign dynamic IP addresses for each dial-up session. Some ISPs block SMTP traffic from dial-up accounts. These ISPs and the attendant dial-up IP ranges are not typically added to IP Block lists. However, some ISPs allow clients to send SMTP traffic from dial-up accounts. Malicious users take advantage of ISPs that allow SMTP traffic to send spam on dynamically assigned IP addresses. When the IP address is put on an IP Block list, the malicious users start another dial-up session and receive a new IP address. Frequently, a single IP Block List provider can provide a list of IP addresses that covers all these spam threats.

You can configure multiple IP Block List provider configurations by using the Exchange Management Console or the Exchange Management Shell. Each service requires a separate IP Block List provider configuration in the Exchange Management Console or the Exchange Management Shell.

When you configure the Connection Filter agent to use an IP Block List provider, the Connection Filter agent queries the IP Block List provider service to determine whether a match exists with the connecting IP addresses before the message is accepted into the organization.

Before the Connection Filter agent contacts the IP Block List provider to verify an IP address, the IP address is first compared to the administrator-defined IP Allow list and IP Block list. If the IP address does not exist on either the administrator-defined IP Allow list or IP Block list, the Connection Filter agent queries the IP Block List provider services according to the priority rating that is assigned to each provider. If the IP address appears on the IP Block list of an IP Block List provider, the Edge Transport server waits for and parses the RCPT TO header, responds to the sending system with an SMTP 550 error, and closes the connection. If the IP address does not appear on the IP Block lists of any one of the IP Block List providers, the next agent in the anti-spam chain processes the connection. For more information about the order in which the default anti-spam and antivirus agents filter inbound messages from the Internet, see Anti-Spam and Antivirus Functionality.

When you use the Connection Filter agent, it is a best practice to use one or more IP Block List providers to manage access into your organization. The use of an administrator-defined block list to maintain your own IP Block list is very time-consuming and may be impossible from a human resource perspective in most organizations. Therefore, the use of an external IP Block List provider service, whose sole purpose is to maintain IP Block lists, is highly recommended.

However, there may be some disadvantages to using an IP Block List provider. Because the Connection Filter agent must query an external entity for each unknown IP address, outages or delays at the IP Block List provider service can cause delays in the processing of messages on the Edge Transport server. In extreme cases, such outages or delays could cause a mail-flow bottleneck on the Edge Transport server.

The other disadvantage of using an external IP Block List provider service is that legitimate senders are sometimes added to the IP Block lists of IP Block List providers by mistake. Legitimate senders can be added to the IP Block lists that are maintained by IP Block List provider as the result of an SMTP misconfiguration, where the SMTP server was unintentionally configured to act as an open relay is an example of such a misconfiguration.

You can also manage inbound messages by using IP Allow List provider services that provide IP Allow lists. IP Allow lists are sometimes referred to as IP safe lists or "white" lists elsewhere in the software industry. IP Allow List providers maintain lists of IP addresses that are definitively known not to be associated with any spam activity. When an IP Allow List provider returns an IP Allow match, which indicates that the sender's IP address is more likely to be a reputable or "safe" sender, the Connection Filter agent relays the message to the next agent in the anti-spam chain.

For information about how to configure IP Allow List providers, see Configuring Connection Filtering.