Troubleshooting Exchange’s Built-In Anti-Spam Technologies: Pt. 5 Sender Filtering

Enabled by default on Exchange 2010 servers running the Edge Transport role, Sender Filtering is another anti-spam agent built into Exchange 2010 that is designed to help reduce the amount of spam reaching your users’ inboxes. Understanding what Sender Filtering can, and cannot, do is a key part of troubleshooting behaviours associated with this agent. Sender filtering acts upon the value supplied in the SMTP MAIL FROM command (the envelope sender). This value should be populated by legitimate email clients and legitimate email servers, but it is often left blank by bulk email programs and other malware. Of course, anyone who has made a TELNET connection to TCP port 25 on a mail server knows that the MAIL FROM value can be easily spoofed, so you want to limit your reliance on this field, and use Sender filtering in conjunction with other anti-spam agents to get the most from your spam blocking efforts.

A very common and default setting is to use Sender filtering to block all incoming messages with a blank MAIL FROM property in the header. This is the most effective use of Sender filtering, and should not block any legitimate email. You might also want to use Sender filtering to block email from specific domains. Be careful with this approach as it is painting with a very large brush. If you block a domain, you block all mail from that domain. You cannot configure exceptions. Some companies like to block email from the free email service domains like outlook.com, Hotmail.com, gmail.com, etc. While I don’t recommend doing this, you certainly can if you wish, but if you use Sender filtering to do so, you cannot later whitelist or make an exception for a specific email address in one of those domains. It’s an all or nothing approach.

Note: if you do need to block entire domains, but then permit exceptions, use a transport rule to do basically the same thing. Create a transport rule to block all email from the specific domain, and configure an exception on that rule for the specific addresses you wish to allow. Again, I don’t recommend this, but if it is what you have to do, this is the best way to do it.
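The transport-rule approach described above, as an added example that is not code from the original post. The domain and the exempted addresses are constructed sample values, and the predicate and action parameter names are the Exchange 2010 ones as the author of this example recalls them; confirm them with Get-Help New-TransportRule on the server you are working on.

```powershell
# Added example (not from the original post): block one sender domain with a
# transport rule while exempting specific envelope senders, which Sender
# filtering's BlockedDomains list cannot do.
$BlockedDomain  = "example.com"                                   # constructed sample value
$AllowedSenders = @("partner@example.com", "billing@example.com") # constructed sample values

# Anchor the patterns so "example.com" does not also match "notexample.com"
# and "example.com.evil.test"; [regex]::Escape protects the dot.
$DomainPattern    = "@" + [regex]::Escape($BlockedDomain) + "$"
$AllowedPatterns  = $AllowedSenders | ForEach-Object { "^" + [regex]::Escape($_) + "$" }

New-TransportRule -Name "Block $BlockedDomain except approved senders" `
    -FromAddressMatchesPatterns $DomainPattern `
    -ExceptIfFromAddressMatchesPatterns $AllowedPatterns `
    -RejectMessageReasonText "Mail from $BlockedDomain is not accepted here" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Comments "Replaces a Sender filtering BlockedDomains entry so that exceptions are possible"

# Confirm what was created before relying on it
Get-TransportRule -Identity "Block $BlockedDomain except approved senders" | Format-List Name, State, FromAddressMatchesPatterns, ExceptIfFromAddressMatchesPatterns
```

Keep in mind that this rule, like Sender filtering itself, is still keyed on a sender address that anyone can spoof; it controls which addresses you accept, not whether the sender is who they claim to be.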

Enabling or disabling Sender filtering

You can use the Exchange Management Shell (EMS) to easily enable or disable Sender filtering. Remember, it is enabled by default. If you want to quickly disable it to see if Sender filtering is blocking a message, you can use the EMS command

Set-SenderFilterConfig -Enabled $false

To re-enable Sender filtering, enter the command

Set-SenderFilterConfig -Enabled $true

Checking Sender Filtering configuration

The easiest way to get a complete view of Sender filtering on your server is to open an EMS and run the following command.

Get-SenderFilterConfig | fl

You can see all the settings in one list using this command.

Configuring the Sender filtering action

Sender filtering can either block a message at the border by responding to the MAIL FROM command with a “554 5.1.1 Sender Denied” message, delete it without sending back a 554, or stamp the message as being from a blocked sender and pass it on for further processing. Here, my advice is simple. If you are going to use Sender filtering, block the messages. It makes no sense to me to decide a sender is blocked, but then send the message on for further analysis. To set this action, you can use the Exchange Management Console and browse to Organization Configuration, Edge Transport, Anti-spam, Sender Filtering, and set the desired Action, but you will need to use the EMS to decide whether to send a 554 or silently delete. Here is the command you can use at the EMS to configure rejecting and either send a 554 (reject) or silently delete (delete).

Set-SenderFilterConfig -Action Reject -RecipientBlockedSenderAction <Reject | Delete>
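A quick way to check that the settings covered so far (enabled, blank senders blocked, reject rather than stamp) are actually in place is to compare the live configuration against a baseline. This is an added example, not code from the original post; the baseline values are constructed to match the advice above, and the property names are those returned by Get-SenderFilterConfig on Exchange 2010.

```powershell
# Added example (not from the original post): report any drift between the
# live Sender Filter configuration and the settings recommended in this post.
# Written to run under the PowerShell 2.0 that ships with the Exchange 2010 EMS.
function Test-SenderFilterBaseline {
    param(
        [string]$Action = "Reject",                       # Reject or StampStatus
        [string]$RecipientBlockedSenderAction = "Reject"  # Reject (send 554) or Delete (silent)
    )
    $cfg = Get-SenderFilterConfig
    # Baseline: constructed from the recommendations in the post, adjust to your policy
    $expected = @{
        Enabled                      = $true
        ExternalMailEnabled          = $true   # filter mail arriving from unauthenticated sources
        BlankSenderBlockingEnabled   = $true   # reject an empty MAIL FROM
        Action                       = $Action
        RecipientBlockedSenderAction = $RecipientBlockedSenderAction
    }
    foreach ($name in $expected.Keys) {
        $actual = $cfg.$name
        # Compare as strings so booleans and enum values are handled the same way
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ("$actual" -eq "$($expected[$name])")
        }
    }
}

# Show every setting, with the ones that need attention at the top
Test-SenderFilterBaseline | Sort-Object Ok | Format-Table Setting, Expected, Actual, Ok -AutoSize
```

Any row with Ok set to False is a setting that someone has changed away from the baseline, which is usually the first thing to rule out when Sender filtering is not behaving as expected.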

Configuring or checking Blocked Senders

You can use the Exchange Management Console, or the Exchange Management Shell, to configure filtered (blocked) senders. You can specify individual addresses, domains, or domains and subdomains. Again, be careful how you use this. Configuring individual sender addresses is very precise, but sender addresses are also easily spoofed. Domains are an all or nothing approach, and domains and subdomains are too. If you need to block all but X, use a transport rule as mentioned above. You can use the EMS commands that follow to add senders, domains, or domains and subdomains to the blocked list.

Set-SenderFilterConfig -BlockedSenders joe@example.com, fred@example.net

Set-SenderFilterConfig -BlockedDomains example.com

Set-SenderFilterConfig -BlockedDomainsAndSubdomains example.com

Each time you enter one of the above commands, you overwrite the existing configuration. To remove an entry, simply re-enter all the entries you want to keep, minus the one you wish to remove (or break down and use the EMC, since the GUI is easier to use!). Since these lists can get cumbersome, you can use the following to read the existing entries and append to the list if you insist on sticking with the command line.

$Configuration = Get-SenderFilterConfig
$Configuration.BlockedSenders += "joe@example.com"
$Configuration.BlockedDomains += "example.net"
Set-SenderFilterConfig -BlockedSenders $Configuration.BlockedSenders -BlockedDomains $Configuration.BlockedDomains
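The two operations that cause most of the trouble described in this section, adding one address without clobbering the rest and removing one address without retyping the whole list, wrapped as reusable functions. This is an added example, not code from the original post; the addresses are constructed sample values.

```powershell
# Added example (not from the original post): add or remove a single blocked
# sender while preserving everything else in the BlockedSenders list.

function Add-BlockedSender {
    param([Parameter(Mandatory = $true)][string[]]$Address)
    # Read the current list; @() guards against an empty list coming back as $null
    $current = @(Get-SenderFilterConfig | Select-Object -ExpandProperty BlockedSenders)
    # Normalise case and de-duplicate so running this twice is harmless
    $merged = @(($current + $Address) | ForEach-Object { $_.ToString().ToLower() } | Sort-Object -Unique)
    Set-SenderFilterConfig -BlockedSenders $merged
    Write-Verbose ("BlockedSenders now has {0} entries" -f $merged.Count)
}

function Remove-BlockedSender {
    param([Parameter(Mandatory = $true)][string]$Address)
    $current = @(Get-SenderFilterConfig | Select-Object -ExpandProperty BlockedSenders)
    # -ne is case-insensitive in PowerShell, which is what we want for addresses
    $kept = @($current | Where-Object { $_.ToString() -ne $Address })
    if ($kept.Count -eq $current.Count) {
        Write-Warning "$Address was not in the blocked senders list; nothing changed"
        return
    }
    # Removing the last entry means clearing the list, which needs $null rather than @()
    if ($kept.Count -eq 0) { $kept = $null }
    Set-SenderFilterConfig -BlockedSenders $kept
}

# Constructed sample usage
Add-BlockedSender    -Address "joe@example.com", "fred@example.net" -Verbose
Remove-BlockedSender -Address "fred@example.net"
Get-SenderFilterConfig | Select-Object -ExpandProperty BlockedSenders
```

The warning in Remove-BlockedSender is deliberate: silently "removing" an address that was never there is exactly the kind of thing that leads to the "why can this sender suddenly send to us again?" question at the end of this article. Exchange 2010 cmdlets also accept the @{Add="..."} and @{Remove="..."} syntax for multivalued properties such as -BlockedSenders, which achieves the same append-or-remove behaviour in a single command.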

Checking logs to see if Sender filtering is blocking an incoming email

You can easily check the logs to see if Sender filtering is blocking an incoming email. Use the EMS to enter this command to quickly parse the agent logs.

Get-AgentLog | Where-Object {$_.SmtpResponse -eq "554 5.1.0 Sender denied"}
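When a single message is not the question but "which senders is this agent rejecting, and how often?" is, a time-bounded summary of the agent log is more useful than a one-line match on the SMTP response. This is an added example, not code from the original post. The -StartDate and -EndDate parameters belong to Get-AgentLog; the log field names used (Agent, P1FromAddress, Recipients, Action, SmtpResponse, Reason) are the agent-log properties as the author of this example recalls them, so confirm them with Get-AgentLog | Get-Member before relying on the output.

```powershell
# Added example (not from the original post): summarise Sender Filter agent
# rejections over a time window and rank the envelope senders involved.
function Get-SenderFilterRejections {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-AgentLog -StartDate $since -EndDate (Get-Date) |
        # Agent name and 554 response as written in the agent log (assumed; verify locally)
        Where-Object { $_.Agent -like "Sender Filter*" -and $_.SmtpResponse -like "554*" } |
        Select-Object Timestamp, IPAddress, P1FromAddress,
                      @{ Name = "Recipients"; Expression = { $_.Recipients -join ";" } },
                      Action, SmtpResponse, Reason
}

# Full detail for the last day; a blank P1FromAddress is a blank-sender rejection
Get-SenderFilterRejections -Hours 24 | Format-Table -AutoSize

# Top rejected envelope senders, handy when asked why a sender is (or is not) getting through
Get-SenderFilterRejections -Hours 24 |
    Group-Object P1FromAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

If a sender you expect to see rejected is missing from this output altogether, check the blocked-sender lists before the logs: an overwritten list produces no rejection entry at all, which is the symptom described in the closing paragraph.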

When troubleshooting Sender filtering, remember that you can block senders, domains, or domains and subdomains, and also blank senders. The domain lists are literal and all inclusive, and you can either respond with a rejection 554, or accept the message and then delete. Adding entries can overwrite existing entries if you are not careful, and that is often where troubleshooting comes up, e.g. why is this blocked sender suddenly able to send email to us again? Because someone overwrote the list instead of appending!

Written by Casper Manes

I currently work as a Senior Messaging Consultant for one of the premier consulting firms in the world, I cut my teeth on Exchange 5.0, and have worked with every version of Microsoft’s awesome email package since then, as well as MHS, Sendmail, and MailEnable systems. I've written dozens of articles on behalf of my past employers, their partners, and others, and I finally decided to embrace blogging and social media, so please follow me on Twitter @caspermanes if you enjoy my posts.

  1. Lance · December 19, 2013

    Nice article, which I put into practice. Kudos and good for you… Sincerely, Lance