Intelligent Message Filter, Content Filter, can do more...

WinDeveloper IMF Tune
WinDeveloper IMF Tune
  • Home
  • Anti-Spam
  • Exchange 2007 IP Allow List Inherits Old Problems

Exchange 2007 IP Allow List Inherits Old Problems

Alexander Zammit

Alexander Zammit Photo

Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.

Cast your Vote
Poor Excellent

The Exchange 2007 IP Allow List is supposed to whitelist emails allowing them to bypass the anti-spam Content Filter. However just like in Exchange 2003 this is not always the case.

A couple of years ago, Connection Filtering IP Accept List in Exchange SP2 documented a problem concerning the Exchange 2003 IP Accept List. Recently at the Exchange forums I came across similar problem reports concerning Exchange 2007. Thus it was time for me to research this problem again.

Content Filtering, the IP Allow List and Internal IP List

The issue discussed here concerns three elements within Exchange 2007:

Content Filter - The Exchange 2007 Content Filter is the content based anti-spam filter that was formerly named Intelligent Message Filter (IMF).

IP Allow List - This list provides a means for whitelisting emails based on the sending host IP. When receiving an email, Exchange 2007 identifies the IP of the host from which this email is originating. If the IP matches the Allow list, this email is flaged so as to bypass Content Filtering.

Internal IP List - If Exchange does not directly receive incoming emails, retrieving the IP address requires digging through the email headers. In this case Exchange must consider a number of IPs and pick the correct one. This requires determining which IPs belong to the organization and which IPs belong to foreign hosts. This is possible with the help of the Internal IP List. Here the Administrator is expected to specify the IPs of any SMTP servers that are handling emails before these reach Exchange.

Content Filter Processing Emails despite the IP Allow List

The Content Filter normally won't process emails originating from hosts on the IP Allow List. It assigns an SCL of -1 and lets the email through.

However this is not the case when the IP is present on both the Allow List and the Internal IP List. On processing emails against the Allow List, Exchange looks for an IP that is not identified by the Internal IP list. Thus on receiving an email originating from a host whose IP is present on both lists the filter fails to recognize it as whitelisted. Consequently this is scanned for spam as usual.

This may cause problems in case of applications running on the local network and submitting emails to Exchange. Some typical examples include fax servers, reporting and monitoring tools. Being internally generated, filtering these emails is unnecessary. Indeed filtering only introduces the risk of false detection.

Reproducing the Problem

Instead of discussing further, the easiest approach is that of reproducing the problem. To begin with I setup an Exchange 2007 server and on the same machine configure Outlook Express to submit emails to it.

TIP: It is worth nothing that contrary to what some may think Exchange does not automatically whitelist an email just because it originates from its own server.

  1. We first submit an email with a classic spam phrase in the subject and body "Original Replica Watches". For the moment the IP Allow list is disabled and no Internal IPs are configured. The Content Filter is enabled but for simplicity none of Quarantine, Reject or Delete is enabled.

    On checking the email headers we confirm that the Content Filter assigned this an SCL of 8.

    Original Spam Email

  2. Next we put our IP under the Allow List. We do this from the Exchange Management Console under:
    Server Configuration | Hub Transport | Anti-Spam | IP Allow List

    Configuring IP Allow List

    Add IP

    In our case the IP Allow list is disabled. Thus we also have to enable this from:
    Organization Configuration | Hub Transport | Anti-Spam | IP Allow List

    Enable IP Allow List

    With this setup we are ready to resubmit our test spam through Outlook Express. This is now assigned an SCL of -1.

    Filtering Bypassed

  3. Finally we add the same IP to the Internal IP List at:
    Organization Configuration | Hub Transport | Global Settings | Transport Settings

    Transport Settings

    Internal IP List

    We submit another test email confirming that the Content Filter processes this and assigns an SCL of 8.

    Allow List Ignored

    Note how the X-MS-Exchange-Organization-Antispam-Report header says "unavailable" for the IP, exposing the difficulty encountered in this setup.

Solutions

Of course the simplest solution is that of removing the IP from the Internal IP list. From what I have seen in Exchange 2003, too often Administrators enter the entire local subnet here. This is not necessary. Only the IPs of SMTP hosts that are involved in routing internet emails to Exchange are required.

Alternative solutions involve avoiding (rather than solving) the problem. For example an application could submit emails over an authenticated connection. In this case, by default, the Content Filter won't process these emails regardless of the Allow and Internal IP lists.

Here I presented a couple of solutions. Feel welcome to post any others under Comments.

References

Connection Filtering IP Accept List in Exchange SP2

The Exchange 2007 Content Filter Agent

User Comments - Page 1 of 1

BinaryAgent.com 24 Oct 2010 08:13
Thanks Microsoft. I spent over an hour troubleshooting this morning. ExchangeInbox.com to the rescue. :)
Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation