Exchange Server - Monitor RBL activity

Asked By Pedro M. Leite

25-Jul-07 12:19 PM

Good Afternoon

setup is SBS 2k3 with exchange 2k3 sp2 running

i have a couple ( seven actually ) rbl for connection filtering and i wonder
if any legitimate email is being rejected.
my question is, how can i see what messages have been rejected by rbl
connection filtering.

Thank You In Advance

Pedro Leite From Portugal

25-Jul-07 12:27 PM

RBLs are part of Connection Filtering. Messages from IP addresses listed on
RBLs are blocked on RCPT TO: command - the DATA is never received. SMTP log
will reveal those details (IP Address, From, To).
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------

25-Jul-07 12:57 PM

hi, thank you for the reply.

so, if I query the logs for messages with ehlo from <IP> with <mail from>
but without <rcpt to> and without <data>, i should get those.

thank you
Pedro Leite
-------------------------------------------------------------
on
log

25-Jul-07 01:01 PM

hi once again

i am using sql log and creted the sql table with the script that comes with
sbs
what are all the columns and data type i need to configure on
sqlserver.database.table to make full logs ??

thank you
Pedro Leite
------------------------------------
on
log

25-Jul-07 07:07 PM

You can almost guarantee that some legitimate mail will be rejected.

25-Jul-07 07:07 PM

This may help:
Logging SMTP protocol activity
http://exchangepedia.com/blog/2006/09/logging-smtp-protocol-activity.html

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
------------------------------

25-Jul-07 07:17 PM

No, you will in fact see a RCPT TO, and the SMTP 550 in response to that, as
shown below:

cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes
cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2007-07-25 19:04:54 172.31.1.10 - SMTPSVC1 LETTER 172.31.0.168 0 HELO - -
250 0 49 4 0 SMTP - - - -
2007-07-25 19:04:59 172.31.1.10 - SMTPSVC1 LETTER 172.31.0.168 0 MAIL -
+from:foo@mydomain.com 250 0 41 26 50 SMTP - - - -
2007-07-25 19:05:11 172.31.1.10 - SMTPSVC1 LETTER 172.31.0.168 0 RCPT -
+to:jadams@exchangelabs.net 550 0 0 31 5017 SMTP - - - -
2007-07-25 19:05:15 172.31.1.10 - SMTPSVC1 LETTER 172.31.0.168 0 QUIT - -
240 22943 72 4 0 SMTP - - - -

Look at the fourth entry - it does show the 550 response, but SMTP logs do
not record enhanced SMTP response codes like 550 5.7.1 in the above case.
Therefore, it's hard to tell if the message was dropped because of RBLs.

Unfortunately, even if you bump up Diagnostics Logging to max, it will log
stuff like relaying attempts, but not messages dropped because sending host
is listed in a DNSBL.

Note, IIS includes a template for SQL which can help you create the SQL
table for log files.

If it's of any help - Exchange Server 2007 has better logging capabilities,
including the agent log:
Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs
http://exchangepedia.com/blog/2007/04/managing-and-filtering-anti-spam-agent.html


--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
------------------------------

25-Jul-07 10:44 PM

Nada... not even with Diagnostics Logging on MsExchangeTransport bumped up
to max... as far as I can tell. :)

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
------------------------------

26-Jul-07 08:58 AM

hi

i did that, maxed all logging but found also nothing.
thank you for your kind help.

@others, thank you all too.

Best regards

Pedro Leite
--------------------------------------------