Connection Filters Test

The Connection Filter agent is an anti-spam agent that is enabled on computers that have the Microsoft Exchange Server 2007/2010 Edge Transport server role installed. The Connection Filter agent relies on the IP address of the remote server that is trying to connect to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a by-product of the underlying TCP/IP connection that is required for the Simple Mail Transfer Protocol (SMTP) session.

When you enable the Connection Filter agent, the Connection Filter agent is the first anti-spam agent to run when an inbound message is evaluated. When an inbound message is submitted to an Edge Transport server on which the Connection Filter agent is enabled, the source IP address of the SMTP connection is checked against any of the following data stores of IP addresses:

  • Administrator-defined IP Allow lists and IP Block lists
  • IP Block List providers
  • IP Allow List providers

You must configure at least one of these data stores of IP addresses for the Connection Filter agent to be operational.

The source IP address is first compared to the administrator-defined IP Allow list and IP Block list. If the IP address does not exist on either the administrator-defined IP Allow list or IP Block list, the Connection Filter agent queries the IP Block List provider services according to the priority rating that is assigned to each provider. If the IP address appears on the IP Block list of an IP Block List provider, the Edge Transport server waits for and parses the RCPT TO header, responds to the sending system with an SMTP 550 error, and closes the connection. If the IP address does not appear on the IP Block lists of any of the IP Block List providers, the next agent in the anti-spam chain processes the connection.
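The evaluation order described above, as an added Python model written for this page (it is not Exchange code): administrator-defined lists first, then providers by priority, with one counter per measure this test reports, incremented once per lookup. The data is constructed, the providers are hypothetical sets standing in for a live lookup service, and the placement of IP Allow List providers ahead of IP Block List providers is an assumption, since a match there sends the connection straight to the next agent.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data (not real lists): administrator-defined entries and
# hypothetical providers, each stood in for by a fixed set instead of a live lookup.
ADMIN_ALLOW = frozenset({"198.51.100.10"})
ADMIN_BLOCK = frozenset({"203.0.113.7"})


@dataclass(frozen=True)
class Provider:
    name: str
    priority: int          # lower value is queried first
    listed: frozenset      # addresses the hypothetical provider would report as listed


BLOCK_PROVIDERS = [
    Provider("rbl-b.example", priority=2, listed=frozenset({"192.0.2.77"})),
    Provider("rbl-a.example", priority=1, listed=frozenset({"192.0.2.55"})),
]
ALLOW_PROVIDERS = [Provider("safelist.example", priority=1, listed=frozenset({"192.0.2.200"}))]


@dataclass
class ConnectionFilter:
    # One counter per measurement the test reports; incremented per lookup.
    counters: Counter = field(default_factory=Counter)

    def evaluate(self, source_ip: str) -> str:
        """Decide what happens to one inbound SMTP connection from source_ip."""
        self.counters["allow_list"] += 1
        if source_ip in ADMIN_ALLOW:
            return "next agent: admin IP Allow list"
        self.counters["block_list"] += 1
        if source_ip in ADMIN_BLOCK:
            return "550 after RCPT TO: admin IP Block list"
        # Assumption: allow list providers are consulted before block list providers,
        # since a match hands the connection straight to the next anti-spam agent.
        for provider in ALLOW_PROVIDERS:
            self.counters["allow_list_providers"] += 1
            if source_ip in provider.listed:
                return f"next agent: {provider.name}"
        # Block list providers are queried in priority order and the scan stops at the
        # first hit, so a listed sender costs one lookup and an unlisted one costs one per provider.
        for provider in sorted(BLOCK_PROVIDERS, key=lambda p: p.priority):
            self.counters["block_list_providers"] += 1
            if source_ip in provider.listed:
                return f"550 after RCPT TO: {provider.name}"
        return "next agent: no match"
```

Feeding a day's worth of connection source addresses through evaluate() and reading counters shows why an unlisted sender drives the "Connections to IP block list providers" measure up by one per configured provider.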

This test monitors the Connection Filter agent's activities to reveal the number of connection requests and inbound messages that are in the various stages of filtering.

Target of the test : A server configured with the Edge Transport role

Agent deploying the test : An internal agent

Outputs of the test : One set of results for the Edge Transport server being monitored.

Configurable parameters for the test

Test Period: How often should the test be executed.

Host: Indicates the IP address of the Edge Transport server.

Port: The port number of the Edge Transport server. By default, this is 50389.

Measurements made by the test

Measurement: Connections to IP block list providers

Description: Indicates the number of connections to the IP Block List providers during the last measurement period.

Unit: Number

Interpretation:

IP Block List provider services compile lists of IP addresses from which spam has originated in the past. Additionally, some IP Block List providers provide lists of IP addresses for which SMTP is configured for open relay. There are also IP Block List provider services that provide lists of IP addresses that support dial-up access.

You can configure multiple IP Block List provider configurations by using the Exchange Management Console or the Exchange Management Shell.

When you configure the Connection Filter agent to use an IP Block List provider, the Connection Filter agent queries the IP Block List provider service to determine whether a match exists with the connecting IP addresses before the message is accepted into the organization. The value of this measure indicates the number of connections that the filtering agent has established with the IP Block List provider service to perform such queries.

When you use the Connection Filter agent, it is a best practice to use one or more IP Block List providers to manage access into your organization. However, there may be some disadvantages to using an IP Block List provider. Because the Connection Filter agent must query an external entity for each unknown IP address, outages or delays at the IP Block List provider service can cause delays in the processing of messages on the Edge Transport server. In extreme cases, such outages or delays could cause a mail-flow bottleneck on the Edge Transport server.

The other disadvantage of using an external IP Block List provider service is that legitimate senders are sometimes added to the IP Block lists of IP Block List providers by mistake. Legitimate senders can be added to the IP Block lists maintained by an IP Block List provider as the result of an SMTP misconfiguration, for example when an SMTP server was unintentionally configured to act as an open relay.

Measurement: Connections to IP allow list providers

Description: Indicates the number of connections to the IP Allow List providers during the last measurement period.

Unit: Number

Interpretation:

IP Allow lists are sometimes referred to as IP safe lists or "white" lists elsewhere in the software industry. IP Allow List providers maintain lists of IP addresses that are definitively known not to be associated with any spam activity. When an IP Allow List provider returns an IP Allow match, which indicates that the sender's IP address is more likely to be a reputable or "safe" sender, the Connection Filter agent relays the message to the next agent in the anti-spam chain.

The value of this measure indicates the number of connections the filtering agent has established with an IP Allow List provider to check whether the source IP address exists on that provider's list.

Measurement: Connections to IP block list

Description: Indicates the number of connections to the administrator-defined IP Block list during the last measurement period.

Unit: Number

Interpretation:

By using administrator-defined IP Allow lists and IP Block lists, you can configure connection filtering to support the following scenarios:

  • To exempt IP addresses from the IP Block lists of IP Block List providers: You may have to exempt IP addresses from the IP Block lists of IP Block List providers when legitimate senders are unintentionally put on an IP Block List provider's IP Block list. For example, legitimate senders could be unintentionally put on an IP Block list when an SMTP server was unintentionally configured to act as an open relay. In this scenario, the sender will probably try to correct the misconfiguration and remove their IP address from the IP Block List provider's IP Block list.
    For more information about IP Block List providers, see the interpretation of the Connections to IP block list providers measure above.
  • To deny access from IP addresses that are a source of unsolicited e-mail messages but are not found on an IP Block List provider's IP Block lists: Sometimes, you may receive a large quantity of unsolicited messages from a source that has not yet been identified by a real-time block list (RBL) service to which you subscribe.

Measurement: Connections to IP allow list

Description: Indicates the number of connections to the administrator-defined IP Allow list during the last measurement period.

Unit: Number