*Note we are using Exchange 2k7* As a small business right now we are just using the RBL lists to manage our spam filters. We currently filter through with barracuda and "dnsbl-1.uceprotect.net". If we get a false positive , every Microsoft site I have read suggests to add that address to the white list via command line. I add both the domain and the address to the list using the "Set-ContentFilterConfig -BypassedSenders" command however, some of the emails are still getting block even after we have white listed them. Am I missing a command? Here is what the log is saying about the email. Please note both the domain and the address have been added to the bypassed senders list " P1FromAddress : Senderwhocantgetthrough P2FromAddresses : {} Recipients : {Recieving@address.com} Agent : Connection Filtering Agent Event : OnRcptCommand Action : RejectCommand SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on a block list Reason : BlockListProvider ReasonData : uceprotect.net Diagnostics : "

On Wed, 24 Aug 2011 20:59:37 +0000, Noah_NSL wrote: > > >*Note we are using Exchange 2k7* As a small business right now we are just using the RBL lists to manage our spam filters. We currently filter through with barracuda and "dnsbl-1.uceprotect.net". If we get a false positive , every Microsoft site I have read suggests to add that address to the white list via command line. I add both the domain and the address to the list using the "Set-ContentFilterConfig -BypassedSenders" command however, some of the emails are still getting block even after we have white listed them. Am I missing a command? > > > >Here is what the log is saying about the email. Please note both the domain and the address have been added to the bypassed senders list > > > >" P1FromAddress : Senderwhocantgetthrough P2FromAddresses : {} Recipients : {Recieving@address.com} Agent : Connection Filtering Agent Event : OnRcptCommand Action : RejectCommand SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on a block list Reason : BlockListProvider ReasonData : uceprotect.net Diagnostics : " If you run "Get-ContentFilterConfig | fl BypassedSenders,BypassedSenderDomains" do you see those addresses you've white listed? Can you post an example of how you add a new a address to either one of the BypassedSenders or BypassedSenderDomains properties? Without seeing how you go about this, I'm guessing that you're simply replacing the existing set of addresses with the new one you give in the Set-ContentFilterConfig. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

No problem. When I add a user i use the following "Set-ContentFilterConfig -BypassedSenders Newuser@contoso.com,olduser@contoso.com,olduser1@contoso.com" I know that adding a new person to the list via command line will erase any names that were already there unless you add them in the new command as well. When I run the "get-contentfilterconfig" I DO see the names and domains I wanted to white list.... However if I later that day run the "Get-AgentLog -StartDate “8/24/2011" -EndDate “8/24/2011" | where {$_.Reason -eq “BlockListProvider”} > c:\"report.txt"" To see what was blocked. I see some of the white listed addresses blocked.

On Thu, 25 Aug 2011 12:25:27 +0000, Noah_NSL wrote: > > >No problem. > > > >When I add a user i use the following > > > >"Set-ContentFilterConfig -BypassedSenders Newuser@contoso.com,olduser@contoso.com,olduser1@contoso.com" > > > >I know that adding a new person to the list via command line will erase any names that were already there unless you add them in the new command as well. > >When I run the "get-contentfilterconfig" I DO see the names and domains I wanted to white list.... However if I later that day run the > >"Get-AgentLog -StartDate ?8/24/2011" -EndDate ?8/24/2011" | where {$_.Reason -eq ?BlockListProvider?} > c:\"report.txt"" > > > >To see what was blocked. I see some of the white listed addresses blocked. You understand that CONTENT filtering deals with the contents of the message, and that CONNECTION filtering deals with whether or not a connections will be allowed or denied, right? A DNSBL just looks at the IP address of the sender, but it does so (on Exchange 2007) at the RCPT TO commands so certain recipients (not senders) can be excluded by adding them to an exclusion list. I don't think there's a way to excude a sender's e-mail address or domain from connection filtering. You'll have to manage that by whitelisting the IP address of the sending organization on each of the edge or hub transport servers. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Could you clarify something.... are you using the Barrcuda RBL? Or is all of your inbound mail coming in through a Barracuda appliance? Jim McBee - Blog - http://mostlyexchange.blogspot.com

We are using the barracuda RBL not a barracuda appliance. I think I understand let me sum up and ask some questions to make sure im all clear. Correct me if I am going wrong anywhere. -incoming mail is checked by the connection filter for its IP... exchange pulls that info from the RBL we have set up - It then goes to the content filter where, even though I have it set up on a whitelist, (via the "Set-ContentFilterConfig BypassedSenders ) if its bad its already been blocked so the whitelist is useless (for my purposes atleast) . - There is no way to white-list by address or domain on the connection filter. (we cant just add IP addresses cause they are from ISPs and that starts to make the whole RBL useless if you open every one of their email IP address) Two quick questions 1. Is there a way using exchange to set up connection filtering to allow certain addresses through? Via edge server or TMG? 2. Is this a feature MS is looking into? It seems like a fairly basic feature that could help alot of people out.

Hi Noah_NSL, For 1, please refer to below information: http://technet.microsoft.com/en-us/library/bb123801(EXCHG.80).aspx http://technet.microsoft.com/en-us/library/bb123554(EXCHG.80).aspx You could add the ip address in to whitelist using add-ipallowlistentry. If I misunderstand your issue, please fell free let me know. Regards! Gavin

After quite a bit of searching I landed here and have the exact same issue with Exchange 2010. A message comes in and is rejected by the transport Anti-spam IP Block List Providers BEFORE any whitelisting is checked. In this case, random valid email messages that come through domains hosted by GoDaddy will be rejected from the RBL lookup although they have been added either by domain or specific email address to the bypass lists on Exchange 2010. I realize the order Exch is taking to process these messages, but this has got to be reviewed by MS and a better solution put into place. The first few lines of the receive SMTP log show the senders address along with the IP address of the server before the rejection takes place. Why would it be so difficult to have Exchange process that email against the bypass list before rejecting the message? This could simply be an option in the Org Config ->Hub Transport->IP Block List Providers (checkbox->process bypasslist before apply RBL response). This way it is an option for an organization to choose to accept mail from specific accounts even if they are coming in from a hosting provider with questionable customers. If that is a problem, how about an additional attribute in the bypass command in EMS to compare between the bypasslist address and the listed RDNS response matching a specified domain ? For example: If bypass address / domain on list = myclient.com AND RDNS response domain was secureserver.net (GoDaddy example), then process mail and skip RBL. This would cut way down on the chance someone could spoof the sender address to skip past your RBL. They would have to be trying to spam you with a spoofed address AND originate the message from within the correct email system's IP addresses to match the reverse lookup. Thoughts? Microsoft Guys?

Hi Eleska, Sure, your understanding is right. And your idea also be very good, per my know, the different agent would be involved in different step during the whole mail flow. So, in my opinion, would not be a easy way to switch it smoothly. I would also expand the idea to others, thanks for your idea! Regards! Gavin TechNet Community Support