Exchange 2013 - RBL not working

All replies

  • I'm not quite sure, but now Test-IPBlockListProvider goes through after we have restarted the Exchange 2013 Edge server...

    bostjanc

    Thursday, December 31, 2015 2:04 PM
  • Ok update.

    TestIpBLockListProvider gives this output:

    but user still got this mail into his INBOX.

    whyyyyyy? :(


    bostjanc

    Thursday, December 31, 2015 2:18 PM
  • Hi,

    Please run the following command to check the settings for your IPBlockListProvider:
    Get-IPBlockListProvider | fl
    Also make sure the connection Filtering Agent is enabled in Transport Agent:
    Get-TransportAgent

    Additionally, please confirm if these senders are defined as safe senders by any of your clients. For incoming messages, please check the message header and confirm if there is any antispam-related value, for example:
    X-MS-Exchange-Organization-AuthAs
    X-MS-Exchange-Organization-Antispam-Report
    X-MS-Exchange-Organization-SCL

    If there are any related event logs on the Exchange server, collect some for further troubleshooting.

    Regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Winnie Liang
    TechNet Community Support

    Friday, January 1, 2016 6:11 AM
    Moderator
  • Hi,

    Please can you confirm that the IP was blacklisted and the DNS servers were reconfigured before the email was sent to the CIO. 

    Also - please check the header values sent through by Winnie.

    You can also go through the instructions here to test that your Zen Spamhaus RBL is working: http://markgossa.blogspot.com/2015/11/exchange-2013-2016-zen-spamhaus-rbl-not-working.html.

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010, MCTS SQL 2012, MCTS SharePoint 2007, VCP4, VCP5, CCNA

    Blog: http://markgossa.blogspot.com

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Saturday, January 2, 2016 11:55 PM
  • Hi guys, here's an example:

    CEO got mail which is, as you can see in the printscreen, already on SpamHaus ZEN.

    Get-IpBlockListProvider | fl OUTPUT:

    RejectionResponse :
    LookupDomain      : zen.spamhaus.org
    Enabled           : True
    AnyMatch          : True
    BitmaskMatch      :
    IPAddressesMatch  : {}
    Priority          : 1
    AdminDisplayName  :
    ExchangeVersion   : 0.1 (8.0.535.0)
    Name              : zen.spamhaus.org
    DistinguishedName : CN=zen.spamhaus.org,CN=IPBlockListProviderConfig,CN=Message Hygiene,CN=Transport Settings,CN=First
                        Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={C3EBF016-AA86-4BAB-AC17-56AD07F
                        C9C32}
    Identity          : zen.spamhaus.org
    Guid              : db988082-5396-4ad6-9292-c82561dc4b04
    ObjectCategory    : CN=ms-Exch-Message-Hygiene-IP-Block-List-Provider,CN=Schema,CN=Configuration,CN={C3EBF016-AA86-4BAB
                        -AC17-56AD07FC9C32}
    ObjectClass       : {top, msExchMessageHygieneIPBlockListProvider}
    WhenChanged       : 30.12.2015 9:08:14
    WhenCreated       : 30.12.2015 9:08:14
    WhenChangedUTC    : 30.12.2015 17:08:14
    WhenCreatedUTC    : 30.12.2015 17:08:14
    OrganizationId    :
    Id                : zen.spamhaus.org
    OriginatingServer : localhost
    IsValid           : True
    ObjectState       : Unchanged

    RejectionResponse :
    LookupDomain      : b.barracudacentral.org
    Enabled           : True
    AnyMatch          : True
    BitmaskMatch      :
    IPAddressesMatch  : {}
    Priority          : 2
    AdminDisplayName  :
    ExchangeVersion   : 0.1 (8.0.535.0)
    Name              : b.barracudacentral.org
    DistinguishedName : CN=b.barracudacentral.org,CN=IPBlockListProviderConfig,CN=Message Hygiene,CN=Transport Settings,CN=
                        First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={C3EBF016-AA86-4BAB-AC17-5
                        6AD07FC9C32}
    Identity          : b.barracudacentral.org
    Guid              : 481eee30-0855-4d29-84de-e9b08854259e
    ObjectCategory    : CN=ms-Exch-Message-Hygiene-IP-Block-List-Provider,CN=Schema,CN=Configuration,CN={C3EBF016-AA86-4BAB
                        -AC17-56AD07FC9C32}
    ObjectClass       : {top, msExchMessageHygieneIPBlockListProvider}
    WhenChanged       : 30.12.2015 9:08:21
    WhenCreated       : 30.12.2015 9:08:21
    WhenChangedUTC    : 30.12.2015 17:08:21
    WhenCreatedUTC    : 30.12.2015 17:08:21
    OrganizationId    :
    Id                : b.barracudacentral.org
    OriginatingServer : localhost
    IsValid           : True
    ObjectState       : Unchanged

    RejectionResponse :
    LookupDomain      : bl.spamcop.net
    Enabled           : True
    AnyMatch          : True
    BitmaskMatch      :
    IPAddressesMatch  : {127.0.0.5, 127.0.0.2}
    Priority          : 3
    AdminDisplayName  :
    ExchangeVersion   : 0.1 (8.0.535.0)
    Name              : SpamCop IPBlockListProvider
    DistinguishedName : CN=SpamCop IPBlockListProvider,CN=IPBlockListProviderConfig,CN=Message Hygiene,CN=Transport Setting
                        s,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={C3EBF016-AA86-4BAB-A
                        C17-56AD07FC9C32}
    Identity          : SpamCop IPBlockListProvider
    Guid              : 5c215543-a802-4d2b-89ff-b8e356ebc91d
    ObjectCategory    : CN=ms-Exch-Message-Hygiene-IP-Block-List-Provider,CN=Schema,CN=Configuration,CN={C3EBF016-AA86-4BAB
                        -AC17-56AD07FC9C32}
    ObjectClass       : {top, msExchMessageHygieneIPBlockListProvider}
    WhenChanged       : 30.12.2015 9:08:28
    WhenCreated       : 30.12.2015 9:08:28
    WhenChangedUTC    : 30.12.2015 17:08:28
    WhenCreatedUTC    : 30.12.2015 17:08:28
    OrganizationId    :
    Id                : SpamCop IPBlockListProvider
    OriginatingServer : localhost
    IsValid           : True
    ObjectState       : Unchanged

    Test-IpBlockListProvider RESULT ran on EXCHANGE 2013 EDGE:


    bostjanc

    Friday, January 8, 2016 4:18 PM
  • Damn it, I think I got the solution.

    Forgot to check on both internal DNS which are on the EDGE NIC.

    After solving DNS (not using forwards public DNS, but ISP provider's), Test-IPBlockListProvider goes through OK.


    bostjanc

    Friday, January 8, 2016 4:49 PM
  • Hi,

    This is correct - lookups from some DNS providers, namely Google, are blocked by SpamHaus, which means you will need to use your ISP DNS servers as per the article I sent through earlier.

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa


    Monday, January 11, 2016 12:36 AM
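
The DNS problem identified above can be checked per resolver. The following is an added example, not part of the original thread: it sends the same DNSBL query to every DNS server configured on the Edge server's NICs and shows which ones return a usable answer. The function names are hypothetical; `127.0.0.2` is the conventional always-listed DNSBL test address (RFC 5782), and treating `127.255.255.x` answers as resolver-rejection codes follows Spamhaus's published return codes.

```powershell
# Added example: compare DNSBL answers from each DNS server the Edge server uses.
# Assumes Windows Server 2012 or later (DnsClient module: Resolve-DnsName).

function ConvertTo-DnsblName {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$Zone)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw 'IPv4 only in this example' }
    # DNSBL queries use the octets in reverse order: 1.2.3.4 -> 4.3.2.1.<zone>
    $bytes = $ip.GetAddressBytes()
    [array]::Reverse($bytes)
    '{0}.{1}' -f ($bytes -join '.'), $Zone
}

function Test-DnsblPerResolver {
    param(
        [string]$IPAddress = '127.0.0.2',          # always-listed test entry
        [string]$Zone      = 'zen.spamhaus.org',   # LookupDomain from the provider
        [string[]]$DnsServer = ((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
                                Sort-Object -Unique)
    )
    $query = ConvertTo-DnsblName -IPAddress $IPAddress -Zone $Zone
    foreach ($server in $DnsServer) {
        $codes = @()
        try {
            # -DnsOnly skips LLMNR/NetBIOS so only the named resolver answers
            $codes = @(Resolve-DnsName -Name $query -Type A -Server $server `
                           -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' } |
                       ForEach-Object { $_.IPAddress })
        } catch {
            # NXDOMAIN, timeout or refusal all surface here as "no answer"
        }
        $status = if ($codes -like '127.255.255.*') { 'ResolverRejected' }
                  elseif ($codes.Count -gt 0)       { 'Listed' }
                  else                              { 'NoAnswer' }
        [pscustomobject]@{
            Server      = $server
            Query       = $query
            ReturnCodes = $codes -join ', '
            Status      = $status
        }
    }
}

# With the default test address every resolver should report 'Listed';
# any other status means the agent's lookups through that server cannot match.
Test-DnsblPerResolver | Format-Table -AutoSize
```

Pass `-IPAddress` with the connecting IP from a delivered message to repeat the check for a real sender, and run it against every DNS server the transport service can fall back to, not only the first one.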
  • Damn.

    Now I am confused/amused. :(

    Spam (listed on zen.spamhaus.org) still was delivered even if testipblocklistprovider was true on exchange server.


    bostjanc

    Monday, January 11, 2016 3:58 PM
  • And another thing.

    Sending an empty message to 'nelson-sbl-test@crynwr.com' does not give any replies :(


    bostjanc

    Monday, January 11, 2016 4:34 PM
  • Hi,

    You can check the time and date the IP was blacklisted. You may have received an email from an IP before it was blacklisted and so this is why you received it. 

    As for email to nelson-sbl-test@crynwr.com, you should receive an email to the same IP that your email went out to them on. For example, if you use telnet to send the email then they will try to send the email to the IP you sent it from. Make sure you're sending from the IP you would like to test incoming email on.

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa


    Monday, January 11, 2016 9:53 PM
  • Mark, I was trying to find a way to check the time and date when the IP was blacklisted, but cannot find that.

    I am using this: http://mxtoolbox.com/blacklists.aspx

    Do you perhaps know how to check that?

    With best regards.


    bostjanc

    Tuesday, January 12, 2016 6:56 AM
  • How can I check the time an IP was put on the blacklist?

    I have looked that also on zen.spamhaus.org but didn't find it :(


    bostjanc

    Wednesday, January 13, 2016 9:26 AM
  • Hi,

    Not all RBLs provide this information. I couldn't find it for you using SpamHaus. Maybe check the other RBLs?

    I understand that you want to ensure that your IP blacklist anti-spam agent is working. Try sending an email to nelson-sbl-test@crynwr.com from your Exchange mailbox and see your results. This should email you back your results after it tries to send you an email from a blacklisted IP.

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa


    Wednesday, January 13, 2016 8:41 PM
  • Hi,

    Did you ever resolve this?  I am seeing the same issue.

    I am using Exchange 2013 CU13.  I have installed the "Connection Filtering Agent" on a mailbox server and enabled it (on the FrontEnd service).  I've added "zen.spamhaus.org" to my IPBlockListProvider configuration.  I have it set to AnyMatch = TRUE and I have nothing set on the BitmaskMatch.

    I know that the agent itself works occasionally as it produces "AgentLog" files in the AgentLog directory.  It occasionally does reject a message.  This proves to me that the configuration is all correct.  However, it is only blocking about 10-20 emails per day.  There are 500+ spam messages coming through each day that it does NOT block, even though every one of these IPs is already on the Spamhaus RBL.

    I am not using Google DNS forwarders.

    I can logon to the mail server and execute a "Test-IPBlockListProvider" command against the IP address of the spam that I just received and this immediately shows that the address IS ALREADY ON THE RBL (and therefore, the message should have been blocked).

    In a nutshell, the agent only works intermittently.

    Why would it do this?

    Cheers,
    David

    Wednesday, July 13, 2016 1:26 AM
  • At the end we have made a conclusion that MS Exchange Edge is basically piece of *** if you need to configure it on your own. A big difference between forefront for ex2010 between edge2013 being manually configured.

    I know that if you put your mx record for MS online inspection it will work, but basically we did not want that.

    So we have thrown the exchange edge role into the garbage and implemented EFA.

    See for yourself it's very handy, and they have hyperv and vmware appliance images.

    It's FREE, and it made SPAM difference between edge and this solution like night and day.

    https://efa-project.org/

    With best regards


    bostjanc

    Wednesday, July 13, 2016 7:53 AM