from:http://woshub.com/configure-spam-protection-in-exchange-2013-rbl-providers/


This article covers how RBL filters work in Exchange 2013 and how to configure them. First, a reminder of what an RBL is. An RBL (Realtime Blackhole List) is a service that maintains a database of IP addresses of mail servers detected as spammers. RBLs are most often queried over DNS, so these services are also called DNSBLs (DNS Block Lists).

When it receives a message from an unknown sender, a mail server can automatically check these lists and block mail from the IP addresses listed in the database. If the sender's address matches an entry in one of the RBL lists, the server returns an SMTP error message 550 5.x.x in response to the RCPT TO command, and the sender gets a non-delivery report (NDR).
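The DNS lookup behind an RBL check, sketched in PowerShell. This is an added example, not code from the original article; the function names ConvertTo-DnsblQueryName and Test-DnsblListing are hypothetical, and only IPv4 is handled.

```powershell
function ConvertTo-DnsblQueryName {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [Parameter(Mandatory)] [string] $LookupDomain
    )
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "This example handles IPv4 only: $IPAddress"
    }
    # The octets are reversed and prepended to the list's zone:
    # 192.0.2.10 checked against zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)
    '{0}.{1}' -f ($octets -join '.'), $LookupDomain
}

function Test-DnsblListing {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [Parameter(Mandatory)] [string] $LookupDomain
    )
    $name = ConvertTo-DnsblQueryName -IPAddress $IPAddress -LookupDomain $LookupDomain
    try {
        # Any A record returned means the address is listed; the value (127.0.0.x)
        # is the provider's return code saying which sub-list matched
        $codes = @([System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString })
        [pscustomobject]@{ Query = $name; Listed = $true; ReturnCodes = $codes }
    }
    catch {
        $err = $_.Exception.GetBaseException()
        $notFound = $err -is [System.Net.Sockets.SocketException] -and
                    $err.SocketErrorCode -in 'HostNotFound', 'NoData'
        # Only "no such name" means "not listed"; timeouts and other failures are rethrown
        if (-not $notFound) { throw }
        [pscustomobject]@{ Query = $name; Listed = $false; ReturnCodes = @() }
    }
}

# Offline part: the name that would be queried for a documentation-range address
ConvertTo-DnsblQueryName -IPAddress 192.0.2.10 -LookupDomain zen.spamhaus.org
# Live check (needs DNS): DNSBLs conventionally list 127.0.0.2 as a test entry (RFC 5782)
# Test-DnsblListing -IPAddress 127.0.0.2 -LookupDomain zen.spamhaus.org
```

A resolver failure is deliberately not reported as "not listed", so an unreachable provider is not mistaken for a clean result.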

In Exchange 2013, the Connection Filtering agent is responsible for blocking the connections based on the lists of IP addresses. The Connection Filtering agent includes:

  • IP Block Lists – a black list of IP addresses from which the mail must not be accepted (blocked senders)

  • IP Allow Lists – a white list of IP addresses (allowed senders)

  • RBL Providers – the list of RBL providers

The first two lists are static and maintained by the Exchange administrator manually. The list of RBL providers contains the list of third-party RBL resources to be checked when receiving a message.

In Exchange 2007/2010, antispam filtering could be enabled using the install-AntispamAgents.ps1 script. Both filtering agents (Connection Filtering and Content Filtering) were installed on the same server with the Hub Transport role. In Exchange 2013, the transport role is divided into two components, Front End Transport and Back End Transport, and antispam filtering is likewise divided into two parts. The Front End server performs Connection Filtering and the Back End server does the Content Filtering (including the IMF filter, Exchange Intelligent Message Filter, and the virus detection agent, Malware Agent).

In Exchange 2013, if CAS and Mailbox roles are installed on the same server, Install-AntispamAgents.ps1 installs only the Content Filtering agent. It means that RBL filtering won’t be available.

To install the Connection Filtering agent, use the Install-TransportAgent cmdlet:

Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

After the agent is installed, it should be enabled and the Front End Transport service has to be restarted:

Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
Restart-Service MSExchangeFrontEndTransport

To make sure that the Connection Filtering agent is installed and running, run the following command:

Get-TransportAgent -TransportService FrontEnd

Next you have to specify the RBL providers to be used.

Note. Currently, the most popular RBL providers are Spamhaus and SpamCop.

Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $True

To change the text of the NDR (failure message) returned to the sender, run this command:

Set-IPBlockListProvider zen.spamhaus.org -RejectionResponse "Your IP address is listed by Spamhaus Zen. You can delete it on page http://www.spamhaus.org/lookup/"

You can add multiple RBL providers at once, after studying their specifics and commercial use policies.
You can display the list of RBL providers currently in use as follows:

Get-IPBlockListProvider

You can check if a certain IP address is in the RBL list with the following command:

Test-IPBlockListProvider -Identity zen.spamhaus.org -IPAddress x.x.x.x

By default, the logs of the Connection Filtering agent are saved to:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog

After the initial information is collected (this depends on the volume of mail traffic and usually takes up to 2-3 days), the RBL filtering statistics can be displayed using the Get-AntispamTopRBLProviders.ps1 script:

.\get-AntispamTopRBLProviders.ps1 -location "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog"

After you start using RBL filtering, you have to study the logs carefully to check whether there have been false positives.

RBL lists are quite effective at protecting against unwanted mail, but in most cases they have to be used in combination with other antispam methods to provide robust antispam protection.
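One way to review RBL rejections for false positives, as an added example that is not part of the original article. The function names, the -KnownDomain parameter and the sample log are hypothetical and constructed; the column names are read from the log's own #Fields line, and the Reason value BlockListProvider is assumed to mark RBL rejections.

```powershell
# Constructed sample: the column subset, addresses, times and names are made up for
# this example; a real agent log names its columns in its own '#Fields:' line.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: Agent Log
#Fields: Timestamp,RemoteEndpoint,P1FromAddress,Recipient,Agent,Action,Reason,ReasonData
2015-03-02T08:14:11Z,192.0.2.10:51234,promo@bulk.example,user1@corp.example,Connection Filtering Agent,RejectCommand,BlockListProvider,zen.spamhaus.org
2015-03-02T08:15:40Z,192.0.2.10:51300,offers@bulk.example,user2@corp.example,Connection Filtering Agent,RejectCommand,BlockListProvider,zen.spamhaus.org
2015-03-02T09:02:05Z,198.51.100.7:40112,billing@partner.example,ap@corp.example,Connection Filtering Agent,RejectCommand,BlockListProvider,zen.spamhaus.org
2015-03-02T09:30:00Z,203.0.113.5:33001,news@shop.example,user1@corp.example,Connection Filtering Agent,RejectCommand,LocalBlockList,
'@ -split '\r?\n'

function ConvertFrom-AgentLogText {
    param([Parameter(Mandatory)] [string[]] $Line)
    # Column names come from the '#Fields:' comment line, not from a hard-coded list
    $fields = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fields) { throw "No '#Fields:' header line found" }
    $header = ($fields -replace '^#Fields:\s*', '') -split ','
    $Line | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $header
}

function Get-RblRejectionReview {
    param(
        [Parameter(Mandatory)] [object[]] $Entry,
        [string[]] $KnownDomain = @()   # hypothetical: domains you expect legitimate mail from
    )
    $Entry | Where-Object { $_.Reason -eq 'BlockListProvider' } |
        Group-Object { $_.RemoteEndpoint -replace ':\d+$', '' }, ReasonData |
        ForEach-Object {
            $senders = @($_.Group | ForEach-Object { $_.P1FromAddress } | Sort-Object -Unique)
            $domains = @($senders | ForEach-Object { ($_ -split '@')[-1] })
            [pscustomobject]@{
                SenderIP = $_.Group[0].RemoteEndpoint -replace ':\d+$', ''
                Provider = $_.Group[0].ReasonData
                Rejected = $_.Count
                Senders  = $senders -join '; '
                # Flag rejections whose envelope sender belongs to a domain you know
                PossibleFalsePositive = [bool]($domains | Where-Object { $KnownDomain -contains $_ })
            }
        } | Sort-Object Rejected -Descending
}

$entries = ConvertFrom-AgentLogText -Line $sampleLog
Get-RblRejectionReview -Entry $entries -KnownDomain 'partner.example' | Format-Table -AutoSize
```

The envelope sender (P1FromAddress) can be forged, so treat a flagged row as a prompt to confirm the sending IP with the partner before adding it to the IP Allow List.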



=======================================================================

from:http://tweaks.com/windows/40003/cut-down-on-spam-with-ip-block-list-providers-rbl/

Cut down on spam with IP Block List Providers (RBL)

Posted in Windows Server by Steve Sinchak

One easy way to make a huge dent in the amount of spam your Exchange organization receives is to configure the IP Block List Providers anti-spam agent.  This component checks senders against known databases of spammers, infected computers and open relays.  Also known as real-time block lists (RBL), they are provided by a number of non-profit and for profit companies.  From my experience I like using the free block lists provided by: 

  • SpamHaus - zen.spamhaus.org

  • SpamCop - bl.spamcop.net

  • Surriel - psbl.surriel.com

  • SORBS - dnsbl.sorbs.net

Adding the IP Block List provider to Exchange is very simple: just open up the Exchange Management Shell and run the command below:

Add-IPBlockListProvider -Name SpamHaus -LookupDomain zen.spamhaus.org -AnyMatch $True -Enabled $True -RejectionResponse "Your IP is on the spamhaus.org block list"

For other block list providers just modify the Name, LookupDomain and RejectionResponse.

After you add an IP block list provider you can run Get-IPBlockListProvider to list all installed providers. If you want to delete a provider, run Remove-IPBlockListProvider -Identity <name> and hit Enter.

Some IP Block List providers have test addresses that allow you to see if your block list is working.  For SpamHaus Zen just send an e-mail to nelson-sbl-test@crynwr.com and you will get the results back via e-mail in a few minutes.