Re: Exchange 2003 Black Lists



Add "URI Stem" and "URI Query" to the list of logged fields. This will give you human-friendly server response too. And please read 823866.

Mike wrote:
Hello Bharat,

I have already followed the steps from the link that you provided. My concern is that I'm wondering how to figure out if the RBL is working. Here is a snippet from my log. I see a "550" on the 3rd entry. Is this how I know RBL is working? These logs are in IIS format.

81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 0, 15, 51, 250, 0, HELO, -, hermin.com,
81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 16, 35, 48, 250, 0, MAIL, -, FROM:<saybatchelor@xxxxxxxxxx>,
81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 437, 36, 0, 550, 0, RCPT, -, TO:<x@xxxxx>,
81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 578, 36, 60, 240, 984, QUIT, -, hermin.com,

Thanks again for your help.
Mike

"Bharat Suneja [MVP]" wrote:

The perfmon counters show your RBLs are working... check your SMTP log for connections terminated after HELO/EHLO with a 550 5.x.x

How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;823866

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:634156B5-78D8-4B08-AC03-2074BFB4B1ED@xxxxxxxxxxxxxxxx
With the counters you listed below, here are my results:

- Connections Rejected by Block List Providers : Average 41
- Block List DNS Queries Issued : Average 13500
- Failed Block List DNS Queries : 280

Does this look like the RBL is working? If these numbers are good, I'm still
not seeing any entries in my SMTP logs. I have tried the W3 format and IIS
format for the logs and neither have any RBL entries.

Thanks,
Mike



"Bharat Suneja [MVP]" wrote:

To ensure RBLs are working you can also check perfmon counters.
Perfmon object: MSExchange Transport Filter Sink
Counters (each have their /sec equivalents):
- Connections Rejected by Block List Providers
- Block List DNS Queries Issued

and also:
- Failed Block List DNS Queries
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D75D897E-9092-489B-9FDA-F9ABE57B70E9@xxxxxxxxxxxxxxxx
Thanks. That makes sense! :)

I've checked out my SMTP logs, but what am I supposed to see in order to
know that the Black lists are working? I've looked through the logs for the
relay codes but didn't find any. Can you or someone post an example?

Thanks,
Mike

"Bharat Suneja [MVP]" wrote:

Check your SMTP logs.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5BFA0F46-9A81-41D2-864D-3C5C132E381E@xxxxxxxxxxxxxxxx
Hello,

I've configured my Exchange server to use blacklists to help reduce the
amount of spam we are receiving. When something is blocked/rejected, does
Exchange store the rejected source in a log file somewhere on the server?
Do I need to enable this?

Thanks,
Mike
--

Text from most Windows dialogs can be copied to clipboard with Ctrl-INS.

Free productivity applications suite - www.openoffice.org
Free Internet calling - www.skype.com
Free SQL database Firebird - full support for transaction control, triggers, stored procedures, partial SQL-99 compliance
http://www.ibphoenix.com/main.nfs?a=ibphoenix&s=1142758270:704186&page=what_is_interbase
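
One way to pull the rejections out of an IIS-format SMTP log like the one quoted above, as an added example that is not part of the original thread. It assumes the fixed IIS log file column order (status code in the 11th field, SMTP command in the 13th); the first four sample lines are the ones Mike posted, the last two are constructed. A 5xx status in the log shows that the server refused the command, but the number alone does not say which filter produced the refusal.

```python
import csv
from collections import defaultdict

# Column order of the fixed IIS log file format (assumption; W3C logs differ).
FIELDS = ["client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_recv", "bytes_sent",
          "status", "win32_status", "command", "target", "params"]

# First four lines are quoted from the thread; the last two are constructed.
SAMPLE = """\
81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 0, 15, 51, 250, 0, HELO, -, hermin.com,
81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 16, 35, 48, 250, 0, MAIL, -, FROM:<saybatchelor@xxxxxxxxxx>,
81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 437, 36, 0, 550, 0, RCPT, -, TO:<x@xxxxx>,
81.172.11.136, hermin.com, 5/1/2006, 13:31:46, SMTPSVC1, Exchange, 10.x.x.x, 578, 36, 60, 240, 984, QUIT, -, hermin.com,
192.0.2.10, mail.example.org, 5/1/2006, 13:32:02, SMTPSVC1, Exchange, 10.x.x.x, 0, 22, 51, 250, 0, EHLO, -, mail.example.org,
192.0.2.10, mail.example.org, 5/1/2006, 13:32:02, SMTPSVC1, Exchange, 10.x.x.x, 15, 40, 48, 250, 0, MAIL, -, FROM:<a@example.org>,
"""

def parse(text):
    """Yield one dict per well-formed log line; skip blank or short rows."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if len(row) < len(FIELDS) or not row[10].isdigit():
            continue
        rec = dict(zip(FIELDS, row))
        rec["status"] = int(rec["status"])
        yield rec

def rejections(text):
    """Map client IP -> [(command, status, params)] for every 5xx reply."""
    hits = defaultdict(list)
    for rec in parse(text):
        if 500 <= rec["status"] <= 599:
            hits[rec["client_ip"]].append(
                (rec["command"], rec["status"], rec["params"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in rejections(SAMPLE).items():
        for command, status, params in events:
            print(f"{ip} rejected at {command} with {status}: {params}")
```

Comparing the number of rejected clients per day against the "Connections Rejected by Block List Providers" counter gives a rough cross-check between the log and perfmon.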