One of the most frequently asked questions I received in response to my post on 9 ways Exchange 2010 reduces spam is along the lines of “how do I set up IP Blocklist providers?” So I am following up that post with this one, which will not only go over how to set this up in Exchange 2010, but will also provide you with a short list of publicly accessible providers.
Blacklist providers are essentially DNS servers that, when a queried host is on their list, respond with an IP address indicating that the host is a known spammer. They use addresses in the 127.0.0.x range, rather than the actual address of the host. While they all function in essentially the same way when queried by your server, they compile and maintain their lists in very different ways. Please consult each of the providers’ individual websites to make sure you understand what they do and how they do it, and that you are comfortable with this. Also, make sure that you identify your mission critical customers and business partners, so that you can whitelist their systems to be sure there are no unintended issues.
The following list includes several publicly available providers of block lists. Remember, each of these has their own policies regarding how an MTA gets placed on this list, as well as how someone can request removal of their system. Since there is no industry standard regarding this, you are going to want to read their FAQ to make sure you are comfortable with their policies. You are also going to want to make sure you review their licensing agreements.
One common element is that the ‘free’ services are for use on your own systems only when they are not commercial (no resellers or hosting companies), and they also have certain volume limits. If you exceed these you should be using their enterprise-class services. You pay for those, but they are scaled for volume, and offer SLAs. Again, read these over. And finally, remember that these services function by responding to DNS queries from your MTA.
While you may configure your systems to query your ISP or other public DNS servers, you should have your MTA either make its own queries directly, or use DNS servers that can make direct queries. These services are in essence DNS servers that respond with various addresses in the 127.0.0.x range to indicate what type of potential spam system a particular host might be.
The URL for SpamHaus’ comprehensive blacklist service is zen.spamhaus.org. The zen service offers a combination of verified spam sources, systems compromised by malware, and IP ranges that should not be sending email (usually residential subnets). This is the one I currently use.
The URL for SpamCop’s blacklist service is bl.spamcop.net. This list is based on reported sources of spam from users, ISPs, and other sources.
The URL for the Surriel passive spam blacklist service is psbl.surriel.com. Surriel uses a spam trap to compile a list of systems sending spam, and also provides for easy self-service removal, on the premise that accidents can happen, but most spammers will never actually go looking to get themselves delisted.
The URL for the Not Just Another Bogus List (NJABL) service is dnsbl.njabl.org.
How to use them
When you configure these providers, you have the option to use only some of their response messages, so check their individual sites to be certain you understand which listing reasons return which IP addresses. You also need to set whether to reject the email (and what response message to deliver), or to delete or quarantine it instead. Deleting the email does just that… it kills spam but gives a legitimate sender who inadvertently finds himself on a blacklist no information that their mail is going in the bit bucket. Quarantining the mail does mean you have to go through it to manually check or purge, but minimizes the chance that valid email might be lost.
In Exchange 2010, you can configure IP Blocklist filtering using either the EMC or the EMS. If you would like to use the GUI, please consult this TechNet article. I prefer to use the EMS for this, as it is much quicker. In either case, these instructions assume you have administrative rights to Exchange. There are three cmdlets that deal with blocklist providers: Add-IPBlockListProvider, Set-IPBlockListProvider, and Remove-IPBlockListProvider. Here are some examples to get you started. Each should be entered as a single line. They just wrap in this post due to formatting.
The following example adds a new IP Block List provider service called “SpamHaus IP Block List Provider,” and configures it to use bitmask matching for 127.0.0.1 (block messages from IP addresses that are on the block list):
Add-IPBlockListProvider -Name "SpamHaus IP Block List Provider" -LookupDomain "zen.spamhaus.org" -BitMaskMatch 127.0.0.1
The following example configures the same IP Block List provider service to use a custom rejection response:
Set-IPBlockListProvider "SpamHaus IP Block List Provider" -RejectionMessage "Your message was rejected because the IP address of the server sending your message is in the block list of contoso.com IP Block List Provider service. No soup for you."
The following example adds another IP Block List provider service called “SpamCop IP Block List Provider”, and configures it to use explicit response matching for 127.0.0.2 and 127.0.0.5 (the host is a known spam source or is an open relay). The command also adds this new provider as the top preferred provider.
Add-IPBlockListProvider -Name "SpamCop IP Block List Provider" -LookupDomain "bl.spamcop.net" -IPAddressesMatch "127.0.0.2","127.0.0.5" -Priority 1
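To make the mechanism behind these two commands concrete, here is an added Python example (my own illustration, not Exchange code or any provider's code) that builds the reversed-octet DNSBL query name, decodes a 127.0.0.x reply with both bitmask matching (as with -BitMaskMatch) and explicit response matching (as with -IPAddressesMatch), honours provider priority, and skips whitelisted partner networks. The provider table mirrors the two Add-IPBlockListProvider commands above; the DNS answers, the TEST-NET addresses and the whitelist are constructed, and applying the bitmask to the last octet only is my simplifying assumption.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

def dnsbl_query_name(ip: str, lookup_domain: str) -> str:
    """Build the DNSBL lookup name: the IPv4 octets reversed, then the provider's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on bad input
    return ".".join(reversed(octets)) + "." + lookup_domain

def bitmask_match(response: str, mask: str) -> bool:
    """Like -BitMaskMatch: listed if any mask bit is set (assumption: flags live in the last octet)."""
    return (int(response.split(".")[-1]) & int(mask.split(".")[-1])) != 0

def explicit_match(response: str, codes: Iterable[str]) -> bool:
    """Like -IPAddressesMatch: listed only if the reply is exactly one of the configured codes."""
    return response in set(codes)

# Providers mirroring the two Add-IPBlockListProvider commands above (priority 1 is queried first).
PROVIDERS: List[Dict] = [
    {"name": "SpamCop", "lookup_domain": "bl.spamcop.net", "priority": 1,
     "codes": ["127.0.0.2", "127.0.0.5"]},
    {"name": "SpamHaus", "lookup_domain": "zen.spamhaus.org", "priority": 2,
     "bitmask": "127.0.0.1"},
]

# Constructed DNS answers standing in for the real providers (TEST-NET addresses, not real listings).
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.3",    # bits 1 and 2 set -> bitmask hit
    "20.2.0.192.bl.spamcop.net": "127.0.0.2",      # exact configured code -> explicit hit
    "30.2.0.192.bl.spamcop.net": "127.0.0.9",      # code we did not configure -> ignored
    "40.2.0.192.bl.spamcop.net": "127.0.0.5",      # listed by both; SpamCop has priority
    "40.2.0.192.zen.spamhaus.org": "127.0.0.1",
    "5.100.51.198.zen.spamhaus.org": "127.0.0.1",  # listed, but whitelisted below
}

def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)  # None plays the role of NXDOMAIN (not listed)

# Mission-critical partner networks that skip blocklist lookups entirely (constructed).
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]

def check_sender(ip: str, providers=PROVIDERS, resolver=constructed_resolver,
                 whitelist=WHITELIST) -> Optional[str]:
    """Return the name of the first provider (by priority) that lists ip, or None to accept."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in whitelist):
        return None
    for prov in sorted(providers, key=lambda p: p["priority"]):
        reply = resolver(dnsbl_query_name(ip, prov["lookup_domain"]))
        if reply is None:
            continue
        if "bitmask" in prov and bitmask_match(reply, prov["bitmask"]):
            return prov["name"]
        if "codes" in prov and explicit_match(reply, prov["codes"]):
            return prov["name"]
    return None
```

Swapping constructed_resolver for a real lookup (for example socket.gethostbyname on the query name, returning None on failure) turns this into a live check against the providers listed above.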
If you want to remove a provider, you can go into the EMC to delete them, or use the Remove-IPBlockListProvider command in the EMS. As for the custom response messages, of course, the sending admin is going to have to see these messages in his logs, or in a packet trace, but the messages are worth using. I would have never figured out the problem I had with Google if they weren’t using custom messages. Hopefully, this post has given you what you need to get started with IP Blacklists. However, if you have any questions, or comments about the listed or any other providers you use, please leave us a comment.