June 10, 2004

Using RBLs in Exchange 2003

There is a feature in Exchange 2003 that is "new" (meaning that it wasn't in Exchange prior to this release). Under "Connection Filtering" you can set the server up to check messages against RBL servers and then toss them if they don't pass.

An RBL is a "Realtime Block List" (or "Black List" - those terms are interchangeable and I have yet to see a common trend). A very general description of how they work: an e-mail message comes into your server, and the server then queries an RBL server with the information in that message. The RBL server responds with a good/bad answer, and your mail server can then decide how to act on it (in the case of Exchange 2003, it will not deliver the message to the end user and will return an error message to the sender).
Some RBLs are set up not for known spammers, but for servers that are configured in a way that could be exploited for spam. In the case of these RBLs, you might want to edit the message that gets sent to the person sending the e-mail so that they are aware of their server configuration.
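
As an added example (not part of the original post, and not Exchange's own code): the check behind a connection filter is an ordinary DNS lookup. The code assumes the usual DNSBL convention from RFC 5782, where the connecting server's IPv4 octets are reversed and prepended to the provider's DNS suffix and a 127.0.0.x answer means "listed"; the function names and the canned DNS replies are constructed for illustration.

```python
import ipaddress
import socket

ZONES = ("sbl.spamhaus.org", "bl.spamcop.net")  # the two zones named on this page
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
QUERY_ERRORS = ipaddress.IPv4Network("127.255.255.0/24")

def dnsbl_name(ip, zone):
    """Name to look up: the IPv4 octets reversed, followed by the RBL's DNS suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Turn the A records of an RBL reply into 'listed', 'not listed' or 'error'."""
    if not answers:
        return "not listed"  # NXDOMAIN: the address is not on the list
    codes = [ipaddress.IPv4Address(a) for a in answers]
    if any(c in QUERY_ERRORS for c in codes):
        return "error"       # Spamhaus documents this range as query errors, not listings
    if all(c in LOOPBACK for c in codes):
        return "listed"      # 127.0.0.x return code
    return "error"           # a non-127/8 answer is not an RBL reply (e.g. wildcarded zone)

def system_resolver(name):
    """Live lookup. Any resolver failure is reported as 'no records' here; a
    production check should tell NXDOMAIN apart from a timeout."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check(ip, zones=ZONES, resolve=system_resolver):
    """Query each zone for ip and return {zone: verdict}."""
    return {zone: classify(resolve(dnsbl_name(ip, zone))) for zone in zones}

# Constructed replies so the example runs offline. 127.0.0.2 is the standard
# test entry (RFC 5782); 203.0.113.5 is a documentation address.
FAKE_DNS = {
    "2.0.0.127.sbl.spamhaus.org": ["127.0.0.2"],
    "5.113.0.203.sbl.spamhaus.org": ["127.255.255.254"],
}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.5", "192.0.2.25"):
        print(ip, check(ip, resolve=fake_resolver))
```

An "error" verdict should be logged and the mail accepted rather than treated as a listing, since it reflects a problem with the query and not with the sender.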

In order to set this up, follow these steps:


  1. Go into your Exchange 2003 System Manager.

  2. Go to the Global Settings -> Message Delivery

  3. Right click on Message Delivery and select "Properties" from the drop down menu

  4. Go to the "Connection Filtering" tab.

  5. In here click on the "Add" button.

  6. For "Display Name" you can add whatever you like, but usually the name of the RBL server is what you want to put in there.

  7. For "DNS Suffix of Provider", enter the DNS name of the RBL server; for example, the one for Spamhaus is "sbl.spamhaus.org".

  8. If you want a custom error message, fill out that field with whatever you want it to say (like I said, this is useful when your RBL is not blocking spam, but instead servers that may potentially be spamming due to their incorrect setup).

  9. I personally don't use the "Return Status Code" field, so I can't give you too much info on that one.

  10. Then click OK and that RBL is set up.

  11. As you can see on that main screen, there is also the ability to keep global accept and deny lists of IP addresses, as well as an exception list. This is where you can whitelist or blacklist people if you like (the times I have seen this used are usually when a client calls in complaining that their mail is getting bounced).

  12. After you are done adding your RBLs, click on OK for the main menu and then you will likely get a popup reminding you that you need to activate these rules.

  13. Just like that popup says, you need to activate them. If this is your first time setting up a connection filter, go into the System Manager -> Administrative Groups and then to the server that you want to activate this on.

  14. Once in the section for your server, go to Protocols -> SMTP -> Default SMTP Virtual Server, right click on it and select "Properties" from the menu that comes up.

  15. In there, under the General tab, click on "Advanced"

  16. In there, select the port 25 identity and click on the "Edit" button.

  17. In that screen, check "Apply Connection Filter" and then select OK all the way out until you are back at the System Manager.

The two RBLs that we use are Spamhaus and SpamCop. The DNS suffixes to use in the filter manager are:
Spamhaus: sbl.spamhaus.org
SpamCop: bl.spamcop.net

If you want a wider selection of RBLs on the net, then just do a Google search - but be very careful that you know how the RBL chooses what to add to the blacklist. Depending on where your mail is coming from, choosing the wrong RBL can make a lot of your clients unhappy (spoken from personal experience - fortunately it is very easy to disable and/or delete these rules in Exchange once they are in if there is a problem).

Spamhaus and SpamCop only block known spammer company servers, so you are far less likely to have an angry client coming after you, but more likely to miss spam.
Also, this approach does essentially nothing about blocking "zombied" computers - desktop computers running various versions of Windows that get a virus/trojan/worm/spyware/malware, which then sets up a server on the machine and sends out spam.
Because of this, you will usually want to combine the RBLs with another spam solution, but they do help cut down on the spam coming in to your users.

This page was one I found in a Google search that does a fairly good job of explaining the popular RBLs and how each one selects servers for their list.

Hopefully, for those of you who admin an Exchange 2003 box and are still working your way through it all, this helps speed up your understanding of that built-in tool.
Perhaps combined with the Intelligent Message Filtering it can help you out (in that case, you will also want Outlook 2003 on all of your desktop machines).

Posted by Eric at June 10, 2004 08:11 AM

Comments

Thanks!

Posted by: at September 24, 2004 08:28 PM




