Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-10-06

The Connection Filter agent is an anti-spam agent that is enabled on computers that have the Microsoft Exchange Server 2007 Edge Transport server role installed. The Connection Filter agent relies on the IP address of the remote server that is trying to connect to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a by-product of the underlying TCP/IP connection that is required for the Simple Mail Transfer Protocol (SMTP) session. Because the Connection Filter agent must evaluate the IP address of the remote server that is sending the message to be effective, the Connection Filter agent is typically enabled on the Internet-facing Edge Transport server. However, you may also perform additional configuration to run the Connection Filter agent deeper in the inbound message path.

When you configure anti-spam agents on an Edge Transport server, the agents act on messages cumulatively to reduce the number of unsolicited messages that enter the organization. To reduce redundancy and improve overall system performance and efficiency, you must understand the order in which the agents evaluate inbound messages. Understanding this order will help you optimize your configuration of the Edge Transport servers. For more information about how to plan and deploy the anti-spam agents, see Anti-Spam and Antivirus Functionality.

When you enable the Connection Filter agent, it is the first anti-spam agent to run when an inbound message is evaluated.

When an inbound message is submitted to an Edge Transport server on which the Connection Filter agent is enabled, the source IP address of the SMTP connection is checked against IP Allow lists and IP Block lists. If the source IP address is listed on an IP Allow list, the message is sent to the destination without additional processing by other anti-spam agents. If the source IP address is listed on an IP Block list, the SMTP connection is dropped after all RCPT TO commands in the message are processed.

Note:
The timing of when a given connection is dropped may depend on other anti-spam configurations. For example, you can specify which recipients always receive e-mail messages, even if the source IP address is blocked. Additionally, you may have configured other agents that rely on content from the DATA command to be parsed. The Connection Filter agent always drops blocked connections according to the overall anti-spam configuration.

If the source IP address is not listed on any IP Allow list or IP Block list, the message continues to flow through other anti-spam agents if other anti-spam agents are configured.

For detailed information about how to configure the Connection Filter agent, see Configuring Connection Filtering.

IP Allow Lists and IP Block Lists

The Connection Filter agent compares the IP address of the server that is sending a message to any of the following data stores of IP addresses:

  • Administrator-defined IP Allow lists and IP Block lists

  • IP Block List providers

  • IP Allow List providers

For more information about IP Block List providers, see "IP Block List Providers" later in this topic.

You must configure at least one of these data stores of IP addresses for the Connection Filter agent to be operational. If the administrator-defined IP Allow lists and IP Block lists do not contain any IP addresses, or if you do not have any IP Block List providers or IP Allow List providers configured, you should disable the Connection Filter agent.

Administrator-Defined IP Allow Lists and IP Block Lists

Administrators of Edge Transport servers maintain administrator-defined lists of IP addresses. You can enter and delete the IP addresses that you want to allow or block by using the Exchange Management Console or the Exchange Management Shell. You can add IP addresses individually, by IP address range, or by IP address and subnet mask.

When you add an IP address or IP address range, you must specify the IP address or IP address range as an IP Block address or an IP Allow address. Additionally, you can specify an expiration time for each IP Block List entry that you create. The expiration time specifies how long the IP Block List entry is active. When the expiration time is reached, the IP Block List entry is disabled.

By using administrator-defined IP Allow lists and IP Block lists, you can configure connection filtering to support the following scenarios:

  • To exempt IP addresses from the IP Block lists of IP Block List providers: You may have to exempt IP addresses from the IP Block lists of IP Block List providers when legitimate senders are unintentionally put on an IP Block List provider's IP Block list. For example, legitimate senders could be unintentionally put on an IP Block list when an SMTP server was unintentionally configured to act as an open relay. In this scenario, the sender will probably try to correct the misconfiguration and remove their IP address from the IP Block List provider's IP Block list.

    For more information about IP Block List providers, see "IP Block List Providers" later in this topic.

  • To deny access from IP addresses that are a source of unsolicited e-mail messages but are not found on an IP Block List provider's IP Block lists: Sometimes, you may receive a large quantity of unsolicited messages from a source that was not yet identified by a real-time block list (RBL) service to which you subscribe.

IP Block List Providers

IP Block List provider services can help you reduce the number of unsolicited e-mail messages that enter your organization.

Note:
IP Block List provider services are frequently referred to as real-time block list (RBL) services. The Exchange Management Console refers to RBL services as IP Block List provider services. The terms "RBL services" and "IP Block List provider services" are equivalent.

IP Block List provider services compile lists of IP addresses from which spam has originated in the past. Additionally, some IP Block List providers provide lists of IP addresses for which SMTP is configured for open relay. There are also IP Block List provider services that provide lists of IP addresses that support dial-up access. Internet service providers (ISPs) that provide dial-up access services to their clients assign dynamic IP addresses for each dial-up session. Some ISPs block SMTP traffic from dial-up accounts. These ISPs and the attendant dial-up IP ranges are not typically added to IP Block lists. However, some ISPs allow clients to send SMTP traffic from dial-up accounts. Malicious users take advantage of ISPs that allow SMTP traffic to send spam from dynamically assigned IP addresses. When the IP address is put on an IP Block list, the malicious users start another dial-up session and receive a new IP address. Frequently, a single IP Block List provider can provide a list of IP addresses that covers all these spam threats.

You can configure multiple IP Block List provider configurations by using the Exchange Management Console or the Exchange Management Shell. Each service requires a separate IP Block List provider configuration in the Exchange Management Console or the Exchange Management Shell.

When you configure the Connection Filter agent to use an IP Block List provider, the Connection Filter agent queries the IP Block List provider service to determine whether a match exists with the connecting IP addresses before the message is accepted into the organization.

Before the Connection Filter agent contacts the IP Block List provider to verify an IP address, the IP address is first compared to the administrator-defined IP Allow list and IP Block list. If the IP address does not exist on either the administrator-defined IP Allow list or IP Block list, the Connection Filter agent queries the IP Block List provider services according to the priority rating that is assigned to each provider. If the IP address appears on the IP Block list of an IP Block List provider, the Edge Transport server waits for and parses the RCPT TO command, responds to the sending system with an SMTP 550 error, and closes the connection. If the IP address does not appear on the IP Block lists of any of the IP Block List providers, the next agent in the anti-spam chain processes the connection. For more information about the order in which the default anti-spam and antivirus agents filter inbound messages from the Internet, see Anti-Spam and Antivirus Functionality.
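
The evaluation order described above, written as a small Python model. This is an added example, not Exchange code and not part of the original topic. The provider names, sample addresses, and verdict labels are constructed, the rule that the lowest priority number is queried first is an assumption, and provider lookups are replaced by in-memory sets so that the model runs offline.

```python
import ipaddress
from datetime import datetime

def matches(ip, spec):
    """True if ip is covered by spec: a single address, a 'first-last'
    range, or an address with a prefix length or subnet mask."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return first <= ip <= last
    return ip in ipaddress.ip_network(spec, strict=False)

def evaluate(source_ip, allow, block, providers, now):
    """Return (verdict, reason) for one inbound connection.
    allow: list of specs; block: list of (spec, expires or None);
    providers: list of (priority, name, lookup) with lookup(ip) -> bool."""
    # 1. Administrator-defined IP Allow list: skip the other anti-spam agents.
    for spec in allow:
        if matches(source_ip, spec):
            return ("bypass-antispam", f"admin allow {spec}")
    # 2. Administrator-defined IP Block list: expired entries are disabled.
    for spec, expires in block:
        if (expires is None or now < expires) and matches(source_ip, spec):
            return ("reject-550-after-rcpt", f"admin block {spec}")
    # 3. IP Block List providers, in priority order (assumed: lowest first).
    for _priority, name, lookup in sorted(providers, key=lambda p: p[0]):
        if lookup(source_ip):
            return ("reject-550-after-rcpt", f"provider {name}")
    # 4. Not listed anywhere: hand the connection to the next agent.
    return ("next-agent", "not listed")

# Constructed sample data: documentation address ranges, hypothetical providers.
NOW = datetime(2009, 10, 6, 12, 0)
ALLOW = ["198.51.100.25"]
BLOCK = [("203.0.113.0/255.255.255.0", None),
         ("192.0.2.10-192.0.2.20", datetime(2009, 10, 1))]  # already expired
LISTED = {"rbl-a.example": {"192.0.2.15"},
          "rbl-b.example": {"192.0.2.15", "198.51.100.25"}}
PROVIDERS = [(2, "rbl-b.example", lambda ip: ip in LISTED["rbl-b.example"]),
             (1, "rbl-a.example", lambda ip: ip in LISTED["rbl-a.example"])]

if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.77", "192.0.2.15", "192.0.2.99"):
        print(ip, evaluate(ip, ALLOW, BLOCK, PROVIDERS, NOW))
```

The first sample address is listed by a provider but is never rejected, because the administrator-defined IP Allow entry is checked before any provider is queried.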

When you use the Connection Filter agent, it is a best practice to use one or more IP Block List providers to manage access into your organization. The use of an administrator-defined block list to maintain your own IP Block list is very time-consuming and may be impossible from a human resource perspective in most organizations. Therefore, the use of an external IP Block List provider service, whose sole purpose is to maintain IP Block lists, is highly recommended.

However, there may be some disadvantages to using an IP Block List provider. Because the Connection Filter agent must query an external entity for each unknown IP address, outages or delays at the IP Block List provider service can cause delays in the processing of messages on the Edge Transport server. In extreme cases, such outages or delays could cause a mail-flow bottleneck on the Edge Transport server.

The other disadvantage of using an external IP Block List provider service is that legitimate senders are sometimes added to the IP Block lists of IP Block List providers by mistake. Legitimate senders can be added to the IP Block lists that are maintained by IP Block List providers as the result of an SMTP misconfiguration. A case where the SMTP server was unintentionally configured to act as an open relay is an example of such a misconfiguration.

IP Allow List Providers

You can also manage inbound messages by using IP Allow List provider services that provide IP Allow lists. IP Allow lists are sometimes referred to as IP safe lists or "white" lists elsewhere in the software industry. IP Allow List providers maintain lists of IP addresses that are definitively known not to be associated with any spam activity. When an IP Allow List provider returns an IP Allow match, which indicates that the sender's IP address is more likely to be a reputable or "safe" sender, the Connection Filter agent relays the message to the next agent in the anti-spam chain.

For information about how to configure IP Allow List providers, see Configuring Connection Filtering.

For More Information

For more information about how to configure connection filtering by using the Exchange Management Console, see the following topics:

For more information about how to configure connection filtering by using the Exchange Management Shell, see Connection Filter Agent Cmdlets.