A couple of years ago, Connection Filtering IP Accept List in Exchange SP2 documented a problem concerning the Exchange 2003 IP Accept List. Recently at the Exchange forums I came across similar problem reports concerning Exchange 2007. Thus it was time for me to research this problem again.
Content Filtering, the IP Allow List and Internal IP List
The issue discussed here concerns three elements within Exchange 2007:
Content Filter - The Exchange 2007 Content Filter is the content-based anti-spam filter that was formerly named Intelligent Message Filter (IMF).
IP Allow List - This list provides a means for whitelisting emails based on the sending host IP. When receiving an email, Exchange 2007 identifies the IP of the host from which this email is originating. If the IP matches the Allow List, this email is flagged so as to bypass Content Filtering.
Internal IP List - If Exchange does not directly receive incoming emails, retrieving the IP address requires digging through the email headers. In this case Exchange must consider a number of IPs and pick the correct one. This requires determining which IPs belong to the organization and which IPs belong to foreign hosts. This is possible with the help of the Internal IP List. Here the Administrator is expected to specify the IPs of any SMTP servers that are handling emails before these reach Exchange.
Content Filter Processing Emails despite the IP Allow List
The Content Filter normally won't process emails originating from hosts on the IP Allow List. It assigns an SCL of -1 and lets the email through.
However, this is not the case when the IP is present on both the Allow List and the Internal IP List. On processing emails against the Allow List, Exchange looks for an IP that is not identified by the Internal IP List. Thus, on receiving an email originating from a host whose IP is present on both lists, the filter fails to recognize it as whitelisted. Consequently the email is scanned for spam as usual.
This may cause problems in case of applications running on the local network and submitting emails to Exchange. Some typical examples include fax servers, reporting and monitoring tools. Being internally generated, filtering these emails is unnecessary. Indeed filtering only introduces the risk of false detection.
Reproducing the Problem
Instead of discussing further, the easiest approach is that of reproducing the problem. To begin with I set up an Exchange 2007 server and on the same machine configured Outlook Express to submit emails to it.
TIP: It is worth noting that, contrary to what some may think, Exchange does not automatically whitelist an email just because it originates from its own server.
We first submit an email with a classic spam phrase, "Original Replica Watches", in the subject and body. For the moment the IP Allow List is disabled and no Internal IPs are configured. The Content Filter is enabled but for simplicity none of Quarantine, Reject or Delete is enabled.
On checking the email headers we confirm that the Content Filter assigned this an SCL of 8.
Next we put our IP under the Allow List. We do this from the Exchange Management Console under:
Server Configuration | Hub Transport | Anti-Spam | IP Allow List
In our case the IP Allow list is disabled. Thus we also have to enable this from:
Organization Configuration | Hub Transport | Anti-Spam | IP Allow List
With this setup we are ready to resubmit our test spam through Outlook Express. This is now assigned an SCL of -1.
Finally we add the same IP to the Internal IP List at:
Organization Configuration | Hub Transport | Global Settings | Transport Settings
We submit another test email confirming that the Content Filter processes this and assigns an SCL of 8.
Note how the X-MS-Exchange-Organization-Antispam-Report header says "unavailable" for the IP, exposing the difficulty encountered in this setup.
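The test runs above can be modelled offline to audit a configuration before changing it. The following Python sketch is an added example, not code from Exchange or from the original article. It assumes the two lists have been exported as plain IP or CIDR strings and that hops are ordered from the host nearest Exchange outwards; the addresses and function names are constructed for illustration.

```python
import ipaddress

def parse(entries):
    """Turn single IPs and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def shadowed_allow_entries(allow_list, internal_list):
    """Allow List entries that overlap the Internal IP List and so may never match."""
    internal = parse(internal_list)
    return [a for a in allow_list
            if any(ipaddress.ip_network(a, strict=False).overlaps(n) for n in internal)]

def originating_ip(hops, internal_list):
    """Simplified model of the selection described in the article: return the
    first hop that is not on the Internal IP List. None corresponds to the
    "unavailable" shown in the Antispam-Report header."""
    internal = parse(internal_list)
    for hop in hops:
        addr = ipaddress.ip_address(hop)
        if not any(addr in n for n in internal):
            return hop
    return None

def bypasses_content_filter(hops, allow_list, internal_list):
    """True when the selected originating IP is on the Allow List (SCL -1)."""
    ip = originating_ip(hops, internal_list)
    if ip is None:
        return False  # no usable IP, so the Content Filter scans the email
    return any(ipaddress.ip_address(ip) in n for n in parse(allow_list))

if __name__ == "__main__":
    # Constructed sample: a fax server at 192.168.1.50 submitting directly.
    allow = ["192.168.1.50"]
    hops = ["192.168.1.50"]
    for internal in ([], ["192.168.1.0/24"], ["192.168.1.10"]):
        print("internal:", internal,
              "| shadowed:", shadowed_allow_entries(allow, internal),
              "| bypass:", bypasses_content_filter(hops, allow, internal))
```

Any entry reported as shadowed is a candidate for the behaviour reproduced above, including the case where an entire local subnet has been entered on the Internal IP List.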
Solutions
Of course the simplest solution is that of removing the IP from the Internal IP list. From what I have seen in Exchange 2003, too often Administrators enter the entire local subnet here. This is not necessary. Only the IPs of SMTP hosts that are involved in routing internet emails to Exchange are required.
Alternative solutions involve avoiding (rather than solving) the problem. For example an application could submit emails over an authenticated connection. In this case, by default, the Content Filter won't process these emails regardless of the Allow and Internal IP lists.
Here I presented a couple of solutions. Feel welcome to post any others under Comments.
References
Connection Filtering IP Accept List in Exchange SP2
The Exchange 2007 Content Filter Agent