Corelan Cybersecurity Research

Enable content filtering on a HUB Transport server

If you want to enable the content filter on a HUB transport server, run the "./install-AntispamAgents.ps1" script from the %Program Files%\Exchange Server\Scripts folder. Next, restart the Microsoft Exchange Transport Service by running Restart-Service MSExchangeTransport. (http://www.exchangepedia.com/blog/2006/09/how-to-install-anti-spam-agents-on-hub.html)

Enabling IPBlockListProvider on a HUB that does not directly accept incoming internet emails

If the Hub transport is responsible for performing content filtering, and the HUB does not receive incoming internet emails itself (but receives the messages from a relay server), then all incoming connections will appear to be coming from that relay server (and not from the "real" IP address of the sender’s mailserver). This means that options such as Real Time block lists (IP Block List Provider in 2007) won’t work properly. You can solve this by telling the transport engine on the HUB to treat certain IP addresses as internal and skip those IP addresses in the email header.
Suppose you want to define 192.168.1.3 and the entire 10.1.2.0/24 IP range as internal, run this script on the HUB transport : set-transportconfig -InternalSMTPServers "192.168.1.3","10.1.2.0/24" You can read more info about IP Block List providers at http://technet.microsoft.com/en-us/library/bb124369.aspx and http://exchangepedia.com/blog/2006/12/exchange-server-2007-how-are-rbls.html . Depending on your setup, you may need to add 127.0.0.1 to the list of InternalSMTPServers. Use a sniffer such as wireshark to ensure that everything is set up correctly.
Example : I have installed a POP3 collector on one of my servers. This connector connects to the POP3 mailserver of my ISP and downloads my emails. Next, it uses SMTP to connect to my own internal Exchange server to deliver the messages to my local user. The connection to my Exchange server always originates from a local IP address in my network. And if I skip those local IP addresses, I even have to skip the IP address of my ISP’s SMTP servers. So I created a transportconfig that looks like this :
[PS] C:\>set-transportconfig -InternalSMTPServers "195.130.137.0/24","195.130.136.0/24","195.130.132.0/24","192.168.0.0/16","127.0.0.1"
[PS] C:\>Get-TransportConfig
ClearCategories : True
GenerateCopyOfDSNFor : {5.4.8, 5.4.6, 5.4.4, 5.2.4, 5.2.0, 5.1.4}
InternalSMTPServers : {195.130.132.0/24, 192.168.0.0/16, 127.0.0.1,
195.130.137.0/24, 195.130.136.0/24}
JournalingReportNdrTo : <>
MaxDumpsterSizePerStorageGroup : 18MB
MaxDumpsterTime : 7.00:00:00
MaxReceiveSize : unlimited
MaxRecipientEnvelopeLimit : unlimited
MaxSendSize : unlimited
TLSReceiveDomainSecureList : {}
TLSSendDomainSecureList : {}
VerifySecureSubmitEnabled : False
VoicemailJournalingEnabled : True
Xexch50Enabled : True
As you can see, I’m ignoring my local IP addresses and the ISP IP addresses, and localhost. The "IP block List provider" filter will now ignore those IP addresses and (hopefully) only look for the IP address of the server that delivered the email to my ISP’s mail server (which is exactly what I want my server to look for). I’ve sent a test email from my mailserver at work (81.246.74.58) and the wireshark sniffer shows this :

Conclusion : it works fine ! Instead of performing a DNS lookup to my internal IP, or the IP of my ISP, the filter skips those IP addresses and performs the lookup for the real IP address of the mailserver that delivered the message to my ISP.
When I look in the header of the email, this is what I can see :

Text in red = contains the IP addresses that I want to ignore. Text in blue = IP address of mailserver that delivered the email to my ISP. Text in green = internal IP addresses (need to be ignored as well).

You can test IP Block List provider settings using Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress

Additionally, you can send an email to ‘nelson-sbl-test@crynwr.com’ and wait for a reply , or use the "Get-AgentLog" query below to see if the returning message was stopped.
If you want to know if the filter works in real life, you can use the following command to read the logs :

The IP block list providers that I’m using are : sbl-xbl.spamhaus.org, list.dsbl.org, multihop.dsbl.org and blackholes.mail-abuse.org
Note : You can watch IPBlockListProvider statistics through performance monitor, or view the top RBL block list providers by running get-AntispamTopRBLProviders.ps1. You can dig up other anti-spam statistics by using the scripts that can be found in the Exchange Server installation folder, under "scripts" :
get-AntispamSCLHistogram.ps1
get-AntispamTopBlockedSenders.ps1 "P1" or get-AntispamTopBlockedSenders.ps1 "P2"
get-AntispamFilteringReport.ps1 with one of the following parameters : messagesrejected / messagesquarantined / connections / commands / messagesdeleted

Using quarantine mailbox

In case you want to quarantine spam emails (as opposed to blocking/rejecting spam emails), this document will provide more info on Spam Quarantine : http://technet.microsoft.com/en-us/library/aa997692.aspx and http://technet.microsoft.com/en-us/library/bb124897.aspx . If you have set up your quarantine mailbox and you want to be able to properly recover messages from the quarantine, have a look at http://technet.microsoft.com/en-us/library/aa998920.aspx

See SCL rating in Outlook 2007

You can use the procedure that was written by Microsoft to expose the SCL rating field in Outlook 2003 and apply it to Outlook 2007. You may need to click "OK" at the warning to overwrite a similar form in the library, but if definitely works. The procedure can be found at http://msexchangeteam.com/archive/2004/05/26/142607.aspx or http://www.petri.co.il/display_scl_level_in_outlook_2003.htm Additionally, you can expose original senders and recipients using a procedure explained in http://exchangepedia.com/blog/2007/05/how-to-expose-original-senders-and_11.html

How to set up scheduled safe-list aggregation

http://technet.microsoft.com/en-us/library/aa998280.aspx
First, set up initial safe-list aggregation by running the Update-SafeList command for each mailbox on the server. If you want to run this on a scheduled basis, create a batch file with the following contents :
"C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe" -psconsolefile "d:\Exchange Server\bin\exshell.psc1" -command "& {get-mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::UserMailbox } | update-safelist -verbose}"
(Make sure to verify the paths in the script – both the path to powershell.exe and the path to the console file). Next, use the scheduled tasks panel to schedule the script.
Warning : Pay attention to selecting the correct time for running this script. Since the command updates 2 attributes in AD, you may generate a lot of replication data after running this command.

Note : Since outlook users have the option to add users to the safe senders/safe recipients, the safe-list aggregation technique may result in unwanted behavior. If users add their own email address to the safe recipients, then all policies will be bypassed, leaving
Also, make sure to disable "Automatically add people I e-mail to the Safe Senders List", because it will create a huge list of email addresses without really verifying that they are using a trusted mailserver… In fact, you disable all policies, including policies that look at the IP address of the sender’s server, simply by trusting a user… and that does not make any sense at all to me. So if you start seeing a lot of messages in the Get-AgentLog output that should have been blocked,then you know that you have to look at the Junk E-Mail options from that specific user… Odds are that the user has added himself as a safe recipient….

If you are seeing a lot of allowed messages in the agent log that state "not available: policy is disabled", then emails for that users are not being checked. One of the reasons for this behavior could be the fact that you’re using a POP3 collector, and set up the collector to use an authenticated smtp connection to your Exchange server (port 587). In general, if you use partner permissions (authenticated client connections) on the receive connector on your Exchange Server, then anti-spam will be bypassed for those connections. Also, make sure you have only one connector that accepts incoming mails for certain IP addresses, or anti-spam will be confused. See http://busbar.maktoobblog.com/?post=331077 for more info. You can pull up the list of messages that have bypassed the filters by running Get-AgentLog -start "27/10/2007 00:00:00" | where {$_.ReasonData -eq "not available: policy is disabled."} | FT Timestamp,IPAddress,P1FromAddress,Recipients

Logging & Troubleshooting

Show anti-spamcontent filter log : get-AgentLog. If you want to see which messages were blocked, use Get-AgentLog | where {$_.Action -ne "AcceptMessage"}. The logs are saved for 30days or until they’ve become 250Mb in size (whichever comes first). If you have copied log files to another location (to prevent them from being deleted) and you want to read those log files, use get-AgentLog drive:\path\to\file More commands can be found at http://exchangepedia.com/blog/2007/04/managing-and-filtering-anti-spam-agent.html

Tracking messages : get-messagetrackinglog -Start "start date and time" -End "end date and time". Example : get-messagetrackinglog -Start "5/10/2007 23:58:00" -End "6/10/2007 0:08:00"

If you have enabled Sender Reputation filtering (which uses IP Block Lists to stop spammers) or if you are using IP Block Lists, you can get the list of blocked IP addresses using Get-IPBlockListEntry

Make sure to enable Antispam updates on your Exchange server. You can use the Enable-AntispamUpdates cmdlet to activate automatic updates. (See http://technet.microsoft.com/en-us/library/aa998006.aspx for more info) :
Enable-AntispamUpdates -IPReputationUpdatesEnabled $true -MicrosoftUpdate RequestScheduled –SpamSignatureUpdatesEnabled $true -UpdateMode Automatic

You can find more information about Anti-Spam and Anti-Virus filtering in Exchange on

http://technet.microsoft.com/en-us/library/42cd5fe3-15f9-44eb-8dc2-c30a247a6686.aspx