IPBlockListEntry on Exchange 2013 not working

  • Question

  • Hi

    I have had some problems with spam this fall and have been trying to use the Add-IPBlockListEntry PowerShell script to add IP-ranges from which I don't want to receive any mails.

    This morning I added this: Add-IPBlockListEntry -IPAddress 91.92.195.0

    To be sure, I restarted the Frontend Transport service and the Transport Service.

    One hour later I get a mail with the following header:

    Received: from OptimusMail.ad.midrange.se (192.168.10.2) by
    OptimusMail.ad.midrange.se (192.168.10.2) with Microsoft SMTP Server (TLS) id
    15.0.847.32 via Mailbox Transport; Thu, 22 Dec 2016 09:50:48 +0100
    Received: from OptimusMail.ad.midrange.se (192.168.10.2) by
    OptimusMail.ad.midrange.se (192.168.10.2) with Microsoft SMTP Server (TLS) id
    15.0.847.32; Thu, 22 Dec 2016 09:50:48 +0100
    Received: from ladhewala.com (91.92.195.138) by OptimusMail.ad.midrange.se
    (192.168.10.2) with Microsoft SMTP Server id 15.0.847.32 via Frontend
    Transport; Thu, 22 Dec 2016 09:50:47 +0100
    From: " Alma Bates" <alessandri@ladhewala.com>
    Date: Thu, 22 Dec 2016 03:45:00 -0500
    MIME-Version: 1.0
    Subject: How BettyWhite overcame Alzhemiers

    What is wrong with Exchange? Why does this mail slip through?


    Best Regards Peter Karlström Midrange AB, Sweden


    Thursday, December 22, 2016 9:04 AM

All replies

  • Hi Peter,

    You've added only a single IP address to the block list, '91.92.195.0', but from your description you want to block the whole subnet.
    You should use the following command:

    Add-IpBlockListEntry -IPRange 91.92.195.0/24

     
    • Edited by BearEater Thursday, December 22, 2016 9:25 AM
    • Marked as answer by Peter Karlström Thursday, December 22, 2016 9:57 AM
    • Unmarked as answer by Peter Karlström Thursday, December 22, 2016 2:58 PM
    Thursday, December 22, 2016 9:25 AM
    I was really glad to discover this mistake on my side.
    I sat down and deleted all old IP-rules and added new ones in the IPRange-form.
    All this was done 2 hours ago.

    Just now this mail arrived:

    Received: from OptimusMail.ad.midrange.se (192.168.10.2) by
     OptimusMail.ad.midrange.se (192.168.10.2) with Microsoft SMTP Server (TLS) id
     15.0.847.32 via Mailbox Transport; Thu, 22 Dec 2016 15:57:06 +0100
    Received: from OptimusMail.ad.midrange.se (192.168.10.2) by
     OptimusMail.ad.midrange.se (192.168.10.2) with Microsoft SMTP Server (TLS) id
     15.0.847.32; Thu, 22 Dec 2016 15:56:30 +0100
    Received: from locopter.com (91.92.195.144) by OptimusMail.ad.midrange.se
     (192.168.10.2) with Microsoft SMTP Server id 15.0.847.32 via Frontend
     Transport; Thu, 22 Dec 2016 15:56:11 +0100
    From: Jane <penmanship@locopter.com>
    Date: Thu, 22 Dec 2016 09:46:51 -0500
    MIME-Version: 1.0
    Subject: Get your Stiffy Back

    These are my rules for this IP, which were set 2 hours ago:
    Identity   IPRange                      ExpirationTime                 HasExpired               IsMachineGenerated
    --------   -------                      --------------                 ----------               ------------------
    20         91.92.195.0/24               9999-12-31 23:59:59            False                    False


    Still something fishy with my Exchange filter-configuration?


    Best Regards Peter Karlström Midrange AB, Sweden


    Thursday, December 22, 2016 3:03 PM
  • What is your mail flow setup?
    As I can see, the mail from the remote server was delivered to server 192.168.10.2.
    Seems like server 192.168.10.2 is a CAS+MBX Exchange 2013 server. Is it correct?
    Thursday, December 22, 2016 3:27 PM
  • Hi

    Yes, this is a one box setup of Exchange 2013.


    Best Regards Peter Karlström Midrange AB, Sweden

    Thursday, December 22, 2016 3:29 PM
  • OK, then Add-IPBlockListEntry is not applicable, because it works only on Edge servers.
    You should consider installing an Edge server in your DMZ network or using another antispam solution (best practice).

    You can also enable antispam agents on your mailbox servers:
    enable anti-spam functionality on Mailbox servers

    but this will enable only the following 4 agents:

    Content Filter agent
    Sender ID agent
    Sender Filter agent
    Protocol Analysis agent for sender reputation

    There will not be a connection filtering agent, but you will be able to restrict message delivery from domains\senders (not IP addresses) (Set-SenderFilterConfig).




    • Edited by BearEater Thursday, December 22, 2016 3:44 PM
    • Marked as answer by Peter Karlström Thursday, December 22, 2016 4:09 PM
    Thursday, December 22, 2016 3:43 PM
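
The two findings in this thread (a single-address entry versus an `-IPRange` entry, and a block list that nothing enforces on a one-box server) can be checked together. The script below is an added example, not code from any poster: it pulls the connecting IP from the "via Frontend Transport" hop of a header, tests it against block-list entries, and reports whether a connection filtering agent is present to act on them. The function names are hypothetical, the sample data is constructed from the header and output quoted above, the agent identity strings are assumed to match what `Get-TransportAgent` displays, and only IPv4 single-address and CIDR entries are handled.

```powershell
# Added example. Sample data below is constructed from the posts in this thread.
function ConvertTo-IpNumber ([string]$Ip) {
    [long]$n = 0                                   # IPv4 only
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    $n
}

function Test-IpInEntry ([string]$Ip, [string]$Entry) {
    $addr, $prefix = $Entry -split '/'
    if ($null -eq $prefix) { $prefix = 32 }        # -IPAddress form: one host only
    $size = [long]1 -shl (32 - [int]$prefix)       # number of addresses covered
    $low  = ConvertTo-IpNumber $addr
    $low  = $low - ($low % $size)                  # align to the network boundary
    $n    = ConvertTo-IpNumber $Ip
    ($n -ge $low) -and ($n -lt ($low + $size))
}

function Get-FrontendSourceIp ([string]$Headers) {
    # Unfold continuation lines, then find the hop received via Frontend Transport
    $unfolded = $Headers -replace '\r?\n[ \t]+', ' '
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^Received: from \S+ \((\d{1,3}(?:\.\d{1,3}){3})\).*via Frontend Transport') {
            return $Matches[1]
        }
    }
}

$header = @'
Received: from OptimusMail.ad.midrange.se (192.168.10.2) by
 OptimusMail.ad.midrange.se (192.168.10.2) with Microsoft SMTP Server (TLS) id
 15.0.847.32; Thu, 22 Dec 2016 15:56:30 +0100
Received: from locopter.com (91.92.195.144) by OptimusMail.ad.midrange.se
 (192.168.10.2) with Microsoft SMTP Server id 15.0.847.32 via Frontend
 Transport; Thu, 22 Dec 2016 15:56:11 +0100
'@
$entries = '91.92.195.0', '91.92.195.0/24'         # first try, second try
$agents  = 'Content Filter Agent', 'Sender Id Agent',
           'Sender Filter Agent', 'Protocol Analysis Agent'
# On a live server, fill these from Get-IPBlockListEntry (IPRange column) and
# from the enabled agents listed by Get-TransportAgent instead.

$src      = Get-FrontendSourceIp $header
$enforced = $agents -contains 'Connection Filtering Agent'
foreach ($e in $entries) {
    [pscustomobject]@{ SourceIp = $src; Entry = $e
                       Covers   = (Test-IpInEntry $src $e); Enforced = $enforced }
}
```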