Exchange, SQL and IIS - P89
Managing the Edge Transport Server • Chapter 7 417
An RBL is an Internet-based service that tracks systems (and then adds those systems’
IP addresses to a public list) that are known to send or suspected of sending out spam.
In addition to specifying IP Block list providers, you can also enter a custom error message that
should be returned to the blocked SMTP server. Last but not least, there’s an Exceptions tab where
you can specify IP addresses to which e-mail messages shouldn’t be blocked, regardless of the
feedback from the RBL.
Sender Filtering
When the Connection Filtering agent has processed the SMTP connection, the next filtering agent
involved is Sender Filtering, which checks the e-mail address of the sender against the list of
e-mail addresses or domains you have specified on the Sender Filtering Properties page
(see Figure 7.35).
The Sender Filtering agent lets you reject individual e-mail addresses, single domains, or whole
blocks of domains (that is, a domain and any subdomains). When the Sender Filtering agent rejects an
e-mail message, a “554 5.1.0 Sender Denied” message is returned to the sending server. The agent
also lets you reject any e-mail messages that don’t contain a sender.
In addition to rejecting the e-mail addresses and/or domains specified on the Blocked Senders list on
the Sender Filtering Properties page, you can choose to stamp messages instead of rejecting them
(done under the Action tab). When you choose this action, the metadata of the message is
updated to indicate that it was sent by a blocked sender, and the stamp is then used when
the Content Filtering agent calculates the spam confidence level (SCL) of the message.
Bear in mind that the Sender Filtering agent overrides the Outlook Safe Senders list (which we
will talk about later in this section), which means that senders on the Blocked Senders list will
be rejected even if they are included on an Outlook Safe Senders list.
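The matching rules described above, as an added Python example (this is illustrative code written for this page, not Exchange code and not from the book): exact addresses, a single domain, and a domain together with all its subdomains, plus the blank-sender option and the reject-versus-stamp action. The list names and the "554 5.1.0 Sender Denied" response follow the text; the addresses in the usage are constructed. The detail worth seeing is the subdomain match: a careless endswith() check would turn a block on "bulk.example" into a block on "notbulk.example" as well.

```python
from typing import Iterable, Optional, Tuple

# The response the page says the Sender Filtering agent returns on reject.
REJECT_RESPONSE = "554 5.1.0 Sender Denied"


def _split_address(mail_from: Optional[str]) -> Tuple[str, str]:
    """Normalise a MAIL FROM value to (local part, domain), lower-cased.
    A blank reverse path (None, "" or "<>") yields ("", "")."""
    if mail_from is None:
        return "", ""
    addr = mail_from.strip().strip("<>").strip().lower()
    if not addr or "@" not in addr:
        return addr, ""
    local, _, domain = addr.rpartition("@")
    return local, domain


class SenderFilter:
    """Model of the Sender Filtering agent's matching rules (added example).

    The three list kinds mirror what the page says can be blocked: individual
    addresses, a single domain, and a domain plus every subdomain under it.
    action is "reject" or "stamp", the two choices on the Action tab.
    """

    def __init__(self,
                 blocked_senders: Iterable[str] = (),
                 blocked_domains: Iterable[str] = (),
                 blocked_domains_and_subdomains: Iterable[str] = (),
                 block_blank_sender: bool = False,
                 action: str = "reject") -> None:
        if action not in ("reject", "stamp"):
            raise ValueError("action must be 'reject' or 'stamp'")
        self.blocked_senders = {s.lower() for s in blocked_senders}
        self.blocked_domains = {d.lower().lstrip("@") for d in blocked_domains}
        self.blocked_trees = {d.lower().lstrip("@") for d in blocked_domains_and_subdomains}
        self.block_blank_sender = block_blank_sender
        self.action = action

    def match(self, mail_from: Optional[str]) -> Optional[str]:
        """Return the reason the sender is blocked, or None if it is not."""
        local, domain = _split_address(mail_from)
        if not local and not domain:
            return "blank sender" if self.block_blank_sender else None
        full = f"{local}@{domain}" if domain else local
        if full in self.blocked_senders:
            return f"address {full} is on the Blocked Senders list"
        if domain in self.blocked_domains:
            return f"domain {domain} is blocked"
        for tree in self.blocked_trees:
            # Exact match or a match on a label boundary. "notbulk.example" must
            # NOT match "bulk.example", which a bare endswith(tree) would allow.
            if domain == tree or domain.endswith("." + tree):
                return f"domain {domain} is under blocked domain {tree}"
        return None

    def evaluate(self, mail_from: Optional[str]) -> Tuple[str, Optional[str]]:
        """Return (verdict, detail): ("accept", None), ("reject", SMTP response),
        or ("stamp", reason) when the Action tab is set to stamp instead of reject."""
        reason = self.match(mail_from)
        if reason is None:
            return "accept", None
        if self.action == "reject":
            return "reject", REJECT_RESPONSE
        return "stamp", reason
```

With action set to "stamp" the agent returns the message untouched to the pipeline and only records the reason, which is what lets the Content Filtering agent fold the result into the SCL later instead of the connection being closed with a 554.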
NOTE
You can read more about what RBLs are as well as how they work at http://en.
wikipedia.org/wiki/DNSBL. In addition, you can find a list of the most popular RBLs
at www.email-policy.com/Spam-black-lists.htm.
Recipient Filtering
When a message has been processed by the Sender Filtering agent and hasn't been rejected, it will be
handed over to the Recipient Filtering agent. (Well, this isn't exactly true; the Connection Filtering
agent will run once more before doing so.) This agent checks the recipient of a given e-mail message
against the Recipient Block list. As you can see in Figure 7.36, you can block recipients based on
their e-mail addresses (that is, the SMTP address in the RCPT TO: field) as well as messages sent to
recipients not listed in the Global Address List (GAL). The Edge Transport server can only check
whether a recipient is in the GAL if you use an EdgeSync subscription; otherwise, recipient data will not
be replicated from Active Directory to ADAM.
Figure 7.35 Blocked Sender List on the Sender Filtering Properties Page
NOTE
Any SMTP addresses entered on the Blocked Recipients list will only be blocked for
senders located on the Internet. Internal users will still be able to send messages to
these recipients.
Figure 7.36 The Blocked Recipients List on the Recipient Filtering Properties Page
If an external sender sends an e-mail message to a recipient that is either listed on the Blocked
Recipients list or not present in the GAL, a "550 5.1.1 User unknown" error is returned to the
sending server during the SMTP session.
It is worth noting that the Recipient Filtering agent works only for domains for which the
Edge Transport server is authoritative. This means that domains for which the Edge Transport
server is configured as a relay server can't take advantage of Recipient Filtering. Diagrams
of the Edge Transport server with the Recipient Filtering agent disabled and enabled are shown in
Figures 7.37 and 7.38, respectively.
SOME INDEPENDENT ADVICE
As mentioned earlier in this chapter, the EdgeSync service replicates recipient data
from Active Directory to ADAM every four hours. With this in mind, be aware that
any new recipient created on a mailbox server on the internal network won't be
able to receive e-mail messages from external senders until the next EdgeSync
synchronization has taken place (or until you force one with Start-EdgeSynchronization).
The Recipient Lookup feature also includes an SMTP Tarpitting feature that helps
combat directory harvest attacks (DHAs). A DHA is a technique spammers use in an
attempt to find valid SMTP addresses within an organization. This is typically done
with the help of a special program that is capable of generating random SMTP
addresses for one or more domains. For each generated SMTP address, the program
also sends out a spam message to that specific address. Because the program will try
to deliver a message to each generated SMTP address, an SMTP session is, of course,
also established to the respective Edge Transport server (or whatever SMTP gateway
is used in the organization). The program can therefore collect a list of valid SMTP
addresses, since the server answers each RCPT TO with either "250 2.1.5 Recipient OK"
or "550 5.1.1 User unknown," depending on whether the SMTP address is valid
or not.
This is where the SMTP Tarpitting feature comes into the picture. This feature
delays the "250 2.1.5 Recipient OK" or "550 5.1.1 User unknown" SMTP
response during an SMTP session. By default, the tarpit interval on
an Edge Transport server is 5 seconds (the value can be changed for each Receive
connector with Set-ReceiveConnector -TarpitInterval), which raises the cost of every
probe and so makes it more difficult for a spammer to harvest valid SMTP addresses
from your domain.
Figure 7.37 The Edge Transport Server with the Recipient Filtering Agent Disabled
[Diagram: a spammer on the Internet performs a directory harvest attack through the firewall against the Edge Transport server in the perimeter network; the Edge Transport server responds as fast as it can.]
Sender ID Filtering
When an e-mail message has been processed by the Recipient Filtering agent and still hasn't been
rejected, it will be handed over to the Sender ID Filtering agent.
Sender ID is an e-mail industry initiative developed by Microsoft and a few other industry
leaders. The purpose of Sender ID is to help counter spoofing (or at least to make it more difficult to
spoof messages), which is the number-one deceptive practice used by spammers. Sender ID works by
verifying that an e-mail message indeed originates from the Internet domain it claims to have been
sent from. This is accomplished by checking the IP address of the server sending the mail against a
published list of servers that the domain owner has authorized to send e-mail for that domain. Note that
Sender ID takes the domain from the Purported Responsible Address (PRA) derived from the message
headers, whereas a plain SPF check uses the domain of the MAIL FROM address.
If you don’t have any experience with Sender ID, it can be a bit diffi cult to understand, so let’s
take a closer look at how it works.
An organization can publish a Sender Policy Framework (SPF) record on the public DNS
server(s) hosting its domain. The published SPF record lists the IP addresses (or the hosts) that
are allowed to send out messages for that domain, and usually ends with a catch-all mechanism
("-all" or "~all") saying what to do with everything else. If a particular organization has
published an SPF record and someone at that organization sends a message to a recipient behind an
Edge Transport server in another organization, the Edge Transport server will examine the SPF record
to see whether the SMTP server that sent the message is listed there (see Figure 7.39).
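To make the check concrete, here is an added Python example (written for this page; not Exchange code and not from the book) that evaluates an SPF record against a sending IP the way the paragraph describes. The DNS data is a constructed in-memory table standing in for TXT lookups, so it runs offline; only the ip4, ip6, include and all mechanisms are implemented, and mechanisms that need live DNS (a, mx, ptr, exists, redirect=) are reported as permerror. The domain names and addresses are made up for the example.

```python
import ipaddress
from typing import Dict

# Constructed stand-in for DNS TXT lookups: domain -> published SPF record.
FAKE_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "noreply.example": "v=spf1 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, txt: Dict[str, str] = FAKE_TXT,
              depth: int = 0) -> str:
    """Evaluate domain's SPF record for sender_ip.

    Returns one of pass, fail, softfail, neutral, none, permerror. Mechanisms are
    tried left to right and the first one that matches decides the result; a
    record with no matching mechanism is neutral (RFC 7208 default)."""
    if depth > 10:
        return "permerror"  # include: loop or excessive nesting
    record = txt.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the referenced record yields pass.
            matched = check_spf(sender_ip, arg, txt, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists and redirect= need live DNS; not supported here.
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def verify_sender(sender_ip: str, sender_address: str,
                  txt: Dict[str, str] = FAKE_TXT) -> str:
    """What the receiving gateway does: take the domain of the sender address
    and ask whether the connecting server is authorized to send for it."""
    domain = sender_address.rpartition("@")[2]
    return check_spf(sender_ip, domain, txt)
```

Two things the example makes visible that the paragraph does not: the verdict is entirely the domain owner's choice (a record ending in ~all can never produce a hard fail, however obvious the forgery), and include: only counts when the referenced record passes, so a softfail from an included record does not propagate. On an Edge Transport server you do not write this logic; what the result leads to is chosen with Set-SenderIdConfig -SpoofedDomainAction (StampStatus, Reject or Delete).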
SOME INDEPENDENT ADVICE
The SMTP Tarpitting feature was originally introduced in Exchange Server 2003.
In Exchange 2003 the administrator had the option of specifying a tarpit value in
which he or she could define the number of seconds to delay a response to the
RCPT TO command during an SMTP session. The problem in Exchange 2003 was that
this value was fixed, which enabled spammers to detect this behavior so they could
work around it. A common practice was to have the spam application establish
a new SMTP session if it detected it was being tarpitted. To solve this problem, the
Edge Transport server uses a random number of seconds, making predictions much
harder. Even if the spam application reconnects, it won't be in better shape; the
Edge Transport server will know it's the same sending server, so it will retain the
tarpit state.
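The directory harvest attack and the effect of tarpitting described in the Recipient Filtering advice above, and the reconnect evasion discussed in this sidebar, as one added Python example (written for this page; not Exchange code and not from the book). It runs a simulated harvest against a toy RCPT TO handler on a simulated clock, first answering instantly (Figure 7.37) and then with the 5-second default plus a random component (Figure 7.38). The recipient directory, the word list, the 50 ms round-trip figure and the way the jitter is drawn are constructed assumptions of the model, not measurements of Exchange.

```python
import random
from typing import Iterable, List, Set, Tuple

# Constructed recipient directory. On a real Edge Transport server this is the
# recipient data EdgeSync replicates from Active Directory to ADAM.
VALID_RECIPIENTS: Set[str] = {"alice@example.com", "bob@example.com", "sales@example.com"}

# Constructed word list of the kind a harvesting tool would iterate.
COMMON_LOCAL_PARTS = ["alice", "bob", "carol", "dave", "sales", "info",
                      "admin", "root", "test", "webmaster"]


def generate_candidates(domain: str, local_parts: Iterable[str]) -> List[str]:
    """What the DHA tool does: turn a word list into RCPT TO targets for one domain."""
    return [f"{lp}@{domain}" for lp in local_parts]


class RcptToHandler:
    """Model of how the Recipient Filtering agent answers RCPT TO.

    tarpit_seconds=0 is Figure 7.37 (the server answers as fast as it can);
    tarpit_seconds=5 is Figure 7.38 (the default 5-second tarpit interval).
    jitter_seconds adds the random component described in the sidebar. Delaying
    every RCPT TO answer, and the shape of the jitter, are assumptions of this
    model (the page says both the 250 and the 550 response are delayed)."""

    def __init__(self, valid: Set[str], tarpit_seconds: float = 0.0,
                 jitter_seconds: float = 0.0, seed: int = 7) -> None:
        self.valid = {v.lower() for v in valid}
        self.tarpit = tarpit_seconds
        self.jitter = jitter_seconds
        self.rng = random.Random(seed)

    def rcpt_to(self, address: str) -> Tuple[str, float]:
        """Return (SMTP response, seconds the client had to wait for it)."""
        ok = address.lower() in self.valid
        response = "250 2.1.5 Recipient OK" if ok else "550 5.1.1 User unknown"
        delay = 0.0
        if self.tarpit > 0:
            delay = self.tarpit + self.rng.uniform(0.0, self.jitter)
        return response, delay


def harvest(handler: RcptToHandler, candidates: Iterable[str],
            reconnect_every: int = 0, rtt: float = 0.05) -> Tuple[List[str], float]:
    """Run a directory harvest attack against handler on a simulated clock.

    reconnect_every > 0 models the Exchange 2003-era evasion from the sidebar:
    the tool drops the session after that many probes and opens a new one.
    Because the delay in this model is attached to each response rather than
    to the session, reconnecting only adds the session setup cost.
    Returns (addresses the attacker learned are valid, simulated seconds spent)."""
    found: List[str] = []
    clock = 0.0
    for i, addr in enumerate(candidates):
        if reconnect_every and i and i % reconnect_every == 0:
            clock += rtt  # new TCP session, banner and EHLO before the next RCPT TO
        response, delay = handler.rcpt_to(addr)
        clock += rtt + delay
        if response.startswith("250"):
            found.append(addr)
    return found, clock


if __name__ == "__main__":
    targets = generate_candidates("example.com", COMMON_LOCAL_PARTS)
    runs = [("no tarpit", RcptToHandler(VALID_RECIPIENTS), 0),
            ("5 s tarpit + jitter", RcptToHandler(VALID_RECIPIENTS, 5.0, 3.0), 0),
            ("5 s tarpit + jitter, reconnect per probe",
             RcptToHandler(VALID_RECIPIENTS, 5.0, 3.0), 1)]
    for label, h, every in runs:
        hits, seconds = harvest(h, targets, reconnect_every=every)
        print(f"{label}: {len(hits)} valid addresses in {seconds:.1f} simulated seconds")
```

The attacker still learns exactly the same three addresses in every run; tarpitting changes only the price. Ten probes cost half a second without it and a little over fifty seconds with the default interval, so a dictionary of 10,000 local parts moves from under ten minutes to roughly fourteen hours per sending host, and reconnecting after each probe only adds the session setup time.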
Figure 7.38 The Edge Transport Server with the Recipient Filtering Agent Enabled
[Diagram: a spammer on the Internet performs a directory harvest attack through the firewall against the Edge Transport server in the perimeter network; the Edge Transport server responds with a delay (default 5 seconds).]