I have configured our Exchange 2013 Edge Transport server to utilize several IPBlockListProviders including Spamhaus. While they work great most of the time, there are still some emails which despite being matched by one of the block list providers get through.
Taking for instance an email that was received recently from IP 66.248.197.240 which is most certainly on the Spamhaus SBL as well as a few others (http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a66.248.197.240&run=toolpage) and correctly identified by the Edge server as such:
[PS] C:\Users\Administrator>Test-IPBlockListProvider -Identity "Spamhaus" -IPAddress 66.248.197.240
Provider ProviderResult Matched
-------- -------------- -------
Spamhaus {127.0.0.3} True
I have verified that I'm not using any public DNS forwarders (such as Google's), so it's not an issue of all or nothing being blocked.
What's most confusing is that this configuration works for the majority of messages received which are on an SBL:
[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\get-AntispamTopRBLProviders.ps1
Name Value
---- -----
Spamhaus 4594
SpamCop 48
Interestingly, one thing that seems to have made a significant difference is modifying the priority of the transport agents such that the Connection Filtering Agent is first. This is my current configuration in case it's pertinent:
[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Get-TransportAgent
Identity Enabled Priority
-------- ------- --------
Connection Filtering Agent True 1
Sender Id Agent True 2
Sender Filter Agent True 3
Recipient Filter Agent True 4
Content Filter Agent True 5
Address Rewriting Inbound Agent True 6
Edge Rule Agent True 7
Attachment Filtering Agent True 8
Address Rewriting Outbound Agent True 9
Protocol Analysis Agent True 10
I'm including the full message headers (with my server's identities redacted) of an email from an IP address that is on an SBL below. It's clear that the inclusion of all of the SPAM filtering I have is impacting the time it takes for a message to make it through to the mailbox server (in this case, 8 seconds between submission and delivery), however it doesn't seem to be enough.
X-Ms-Exchange-Organization-Network-Message-Id: 32388ce4-005a-4090-a363-08d2612d1e23
X-Ms-Exchange-Organization-Authas: Anonymous
Pm-Xs: 15766241f_7460962er.x15766241
X-Ms-Exchange-Organization-Avstamp-Enterprise: 1.0
Vr-Yhkrg: 15766241s-15766241e_i7460962
X-Ms-Exchange-Organization-Prd: heliq240.emited.work
X-Ms-Exchange-Organization-Pcl: 2
Return-Path: Remote-Job-Op@heliq240.emited.work
X-Ms-Exchange-Organization-Scl: 1
Mime-Version: 1.0
Ybu-Efa: c3195284488a449ed165c2c50f18376bb-ec3195284488a449ed165c2c50f18376b.u15766241
Okul-Lfp: 15766241y.15766241n_c7460962
X-Ms-Exchange-Organization-Senderidresult: None
X-Ms-Exchange-Organization-Antispam-Report: DV:3.3.14519.472;SID:SenderIDStatus None;OrigIP:66.248.197.240
Message-Id: <c3195284488a449ed165c2c50f18376b.15766241.7460962@heliq240.emited.work>
X-Ms-Exchange-Organization-Authsource: edgeserver.mydomain.com
Content-Type: multipart/alternative; boundary="15766241"
Received-Spf: None (edgeserver.mydomain.com: Remote-Job-Op@heliq240.emited.work does not designate permitted sender hosts)
Received: from mailboxserver.mydomain.com (192.168.1.2) by mailboxserver.mydomain.com (192.168.1.2) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox Transport; Wed, 20 May 2015 10:59:49 -0500
Received: from mailboxserver.mydomain.com (192.168.1.49) by mailboxserver.mydomain.com (192.168.1.49) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 20 May 2015 10:59:43 -0500
Received: from edgeserver.mydomain.com (192.168.1.4) by mailboxserver.mydomain.com (192.168.1.49) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Frontend Transport; Wed, 20 May 2015 10:59:43 -0500
Received: from heliq240.emited.work (66.248.197.240) by edgeserver.mydomain.com (192.168.1.4) with Microsoft SMTP Server id 15.0.847.32; Wed, 20 May 2015 10:59:41 -0500
New telecommuting opportunities available today - 05/20/15
Any suggestions?
Also, this is my first post on any of the Stack Exchange sites. I hope this question is both merited and on the correct site. If not, please do let me know!
Best Answer
I recommend you check your AllowLists as well, as it seems you have a hard hit against a (presumably enabled) BlockList. My hunch is that you must have a rule in the Transport flow that successfully validates the message. Since Connection Filter is highest in the list, I would think the buck stops there.