Recipient filtering on Edge Transport servers in Exchange Server

Recipient filtering is an antispam feature in Exchange Server that relies on the recipient addresses given in the SMTP RCPT TO command to determine what action, if any, to take on an inbound message. Recipient filtering is performed by the Recipient Filter agent, and is basically unchanged from Exchange Server 2010.

The Recipient Filter agent blocks messages according to the characteristics of the intended recipient in the organization. The Recipient Filter agent can help you prevent the acceptance of messages in the following scenarios:

  • Nonexistent recipients: You can prevent delivery to recipients that aren't in the organization's address book. For example, you may want to stop delivery to frequently misused account names, such as administrator@contoso.com or support@contoso.com.

  • Restricted distribution groups: You can prevent delivery of Internet mail to distribution groups that should be used only by internal users.

  • Mailboxes that should never receive messages from the Internet: You can prevent delivery of Internet mail to a specific mailbox or alias that's typically used inside the organization, such as Helpdesk.

The Recipient Filter agent acts on recipients from one or both of the following data sources:

  • Recipient Block list: An administrator-defined list of recipients who should never receive messages from the Internet.

  • Recipient Lookup: Queries Active Directory to verify that the recipient exists in the organization. On an Edge Transport server, Recipient Lookup requires access to Active Directory information that's provided by EdgeSync to the local instance of Active Directory Lightweight Directory Services (AD LDS). For more information, see Edge Subscriptions.

When you enable the Recipient Filter agent, one of the following actions is taken on inbound messages according to the characteristics of the recipients. These recipients are the addresses that the sending server supplies in the SMTP RCPT TO command.

  • If the inbound message contains a recipient that is on the Recipient Block list, the Exchange server sends a 550 5.1.1 User unknown SMTP session error to the sending server.

  • If the inbound message contains a recipient that doesn't match any recipients in Recipient Lookup, the Exchange server sends a 550 5.1.1 User unknown SMTP session error to the sending server.

  • If the recipient isn't on the Recipient Block list and the recipient is found in Recipient Lookup, the Exchange server sends a 250 2.1.5 Recipient OK SMTP response to the sending server, and the next antispam agent in the chain processes the message.

Note

Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is rejected. The Recipient Filter agent is enabled when you install the antispam agents on a Mailbox server, but it isn't configured to block any recipients. For more information, see Enable antispam functionality on Mailbox servers.

Configuring recipient lookup

One of the most effective ways to reduce spam is to validate recipients before accepting inbound messages from the Internet. You enable both the blocking of messages sent to recipients who don't exist in the Exchange organization and the blocking of specific recipients by using the Set-RecipientFilterConfig cmdlet in the Exchange Management Shell.
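
The following sequence shows one way to turn on both data sources with Set-RecipientFilterConfig and confirm the result. It is an added example, not part of the original article; the blocked addresses are constructed sample values.

```powershell
# Run in the Exchange Management Shell on the Edge Transport server.

# Record the current state before changing anything.
Get-RecipientFilterConfig |
    Format-List Enabled, ExternalMailEnabled, RecipientValidationEnabled,
                BlockListEnabled, BlockedRecipients

# Recipient Lookup: reject RCPT TO addresses that aren't found in the
# recipient data that EdgeSync replicated to AD LDS.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# Recipient Block list: turn it on, then append internal-only recipients.
# @{Add=...} appends to the existing list instead of replacing it.
# Both addresses below are constructed sample values.
Set-RecipientFilterConfig -BlockListEnabled $true
Set-RecipientFilterConfig -BlockedRecipients @{
    Add = 'helpdesk@contoso.com', 'allstaff@contoso.com'
}

# Neither setting has any effect unless recipient filtering itself is
# enabled and applied to mail from external (unauthenticated) sources.
Set-RecipientFilterConfig -Enabled $true -ExternalMailEnabled $true

# Verify the configuration and that the transport agent is enabled.
Get-RecipientFilterConfig |
    Format-List Enabled, ExternalMailEnabled, RecipientValidationEnabled,
                BlockListEnabled, BlockedRecipients
Get-TransportAgent -Identity 'Recipient Filter Agent' |
    Format-List Identity, Enabled, Priority
```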

Tarpitting functionality

Recipient Lookup functionality enables the sending server to determine whether an email address is valid or invalid. As mentioned earlier, when the recipient of an inbound message is a known recipient, the Exchange server sends back a 250 2.1.5 Recipient OK SMTP response to the sending server. This functionality provides an ideal environment for a directory harvest attack, where a spammer uses an automated program to collect email addresses that return a 250 2.1.5 Recipient OK SMTP response.

To combat directory harvest attacks, Exchange includes tarpitting functionality. Tarpitting is the practice of artificially delaying server responses for specific SMTP communication patterns that indicate high volumes of mail, so that the cost of sending spam increases for the spammer.

If tarpitting isn't configured, the Exchange server immediately returns a 550 5.1.1 User unknown SMTP session error to the sender when a recipient isn't located in Recipient Lookup. Alternatively, if tarpitting is configured, the Exchange server waits a specified number of seconds before it returns the 550 5.1.1 User unknown error. This pause in the SMTP session makes automating a directory harvest attack more difficult and less cost-effective for the spammer. By default, tarpitting is configured for 5 seconds on Receive connectors.
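
A directory harvest attempt leaves a recognizable pattern in the SMTP Receive protocol log: one remote address collecting many 550 5.1.1 responses and few 250 2.1.5 responses. The following detection sketch is an added example, not part of the original article; it assumes protocol logging is enabled on the Receive connector, and the function name, thresholds and log lines are constructed for illustration.

```powershell
# Constructed sample of SMTP Receive protocol log lines (not real traffic).
$sampleLog = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-01-10T09:00:01Z,EDGE01\Inbound,08DC01,3,192.0.2.10:25,203.0.113.50:41000,<,RCPT TO:<admin@contoso.com>,
2024-01-10T09:00:06Z,EDGE01\Inbound,08DC01,4,192.0.2.10:25,203.0.113.50:41000,>,550 5.1.1 User unknown,
2024-01-10T09:00:11Z,EDGE01\Inbound,08DC01,6,192.0.2.10:25,203.0.113.50:41000,>,550 5.1.1 User unknown,
2024-01-10T09:00:12Z,EDGE01\Inbound,08DC01,8,192.0.2.10:25,203.0.113.50:41000,>,250 2.1.5 Recipient OK,
2024-01-10T09:00:17Z,EDGE01\Inbound,08DC02,4,192.0.2.10:25,203.0.113.50:41022,>,550 5.1.1 User unknown,
2024-01-10T09:00:22Z,EDGE01\Inbound,08DC02,6,192.0.2.10:25,203.0.113.50:41022,>,550 5.1.1 User unknown,
2024-01-10T09:01:00Z,EDGE01\Inbound,08DC03,4,192.0.2.10:25,198.51.100.20:52000,>,250 2.1.5 Recipient OK,
2024-01-10T09:01:01Z,EDGE01\Inbound,08DC03,6,192.0.2.10:25,198.51.100.20:52000,>,550 5.1.1 User unknown,
'@ -split "`r?`n"

function Get-HarvestSuspect {
    param(
        [string[]]$LogLine,
        [int]$MinRejects = 3,            # assumed threshold, tune per site
        [double]$MinRejectRatio = 0.8    # assumed threshold, tune per site
    )
    $fields = 'date-time', 'connector-id', 'session-id', 'sequence-number',
              'local-endpoint', 'remote-endpoint', 'event', 'data', 'context'

    $LogLine |
        Where-Object { $_ -and $_ -notmatch '^#' } |      # skip header lines
        ConvertFrom-Csv -Header $fields |
        # '>' marks a response sent by the server; keep RCPT TO outcomes only.
        Where-Object { $_.event -eq '>' -and
                       $_.data -match '^(250 2\.1\.5|550 5\.1\.1)' } |
        # Group by remote IP with the source port stripped, across sessions.
        Group-Object { $_.'remote-endpoint' -replace ':\d+$', '' } |
        ForEach-Object {
            $rejects = @($_.Group |
                Where-Object { $_.data -like '550 5.1.1*' }).Count
            [pscustomobject]@{
                RemoteIP    = $_.Name
                Responses   = $_.Count
                Rejected    = $rejects
                RejectRatio = [math]::Round($rejects / $_.Count, 2)
            }
        } |
        Where-Object { $_.Rejected -ge $MinRejects -and
                       $_.RejectRatio -ge $MinRejectRatio }
}

Get-HarvestSuspect -LogLine $sampleLog | Format-Table -AutoSize
```

Against real logs, pass the file contents with Get-Content in place of the sample lines and widen the time window to catch slow, tarpit-throttled probing.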

To configure the delay before SMTP returns the 550 5.1.1 User unknown error, you set the tarpitting interval using the TarpitInterval parameter on the Set-ReceiveConnector cmdlet. For more information, see Message throttling on Receive connectors.
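
The following check lists the tarpit interval on every Receive connector, flags any that fall below the 5-second default described above, and resets one of them. It is an added example, not part of the original article; the connector identity is a placeholder.

```powershell
# Run in the Exchange Management Shell.
$default = [timespan]'00:00:05'   # default tarpit interval stated above

# Audit: a value of 00:00:00 means tarpitting is disabled on that connector.
Get-ReceiveConnector |
    Select-Object Identity, TarpitInterval,
        @{ Name       = 'TarpitDisabled'
           Expression = { [timespan]"$($_.TarpitInterval)" -eq [timespan]::Zero } },
        @{ Name       = 'BelowDefault'
           Expression = { [timespan]"$($_.TarpitInterval)" -lt $default } } |
    Sort-Object BelowDefault -Descending |
    Format-Table -AutoSize

# Remediate: restore the 5-second delay on a specific connector.
# Replace the placeholder with a connector identity from the audit output.
Set-ReceiveConnector -Identity '<ServerName>\<ConnectorName>' -TarpitInterval 00:00:05

# Confirm the change.
Get-ReceiveConnector -Identity '<ServerName>\<ConnectorName>' |
    Format-List Identity, TarpitInterval
```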

Multiple namespaces

The Recipient Filter agent performs recipient lookups only for authoritative domains. If your organization accepts and forwards messages on behalf of another domain that's configured as an internal relay or external relay domain, the Recipient Filter agent doesn't perform a recipient lookup on recipients in those domains. However, if the recipient is specified in the Recipient Block list, the recipient will still be blocked by the Recipient Filter agent.

Note that you can also configure accepted domains locally on an Edge Transport server. If the domain is configured as internal relay or external relay domain, the Recipient Filter agent on the Edge Transport server also doesn't perform a recipient lookup on recipients in those domains.
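
To see which namespaces are actually covered by Recipient Lookup, list the accepted domains by type next to the Recipient Block list entries that fall in each domain. This audit is an added example, not part of the original article; the output column names are chosen here for illustration.

```powershell
# Run in the Exchange Management Shell on the Edge Transport server.
$config  = Get-RecipientFilterConfig
$blocked = @($config.BlockedRecipients | ForEach-Object { "$_" })

Get-AcceptedDomain | ForEach-Object {
    # DomainName can be a wildcard such as *.contoso.com; -like handles both.
    $domain = "$($_.DomainName)"
    $type   = "$($_.DomainType)"

    [pscustomobject]@{
        Domain           = $domain
        DomainType       = $type
        # Lookup applies only to authoritative domains, and only when
        # recipient validation is switched on.
        RecipientLookup  = ($type -eq 'Authoritative') -and
                           $config.RecipientValidationEnabled
        # Block list entries are enforced regardless of domain type.
        BlockListEntries = @($blocked |
            Where-Object { $_ -like "*@$domain" }).Count
    }
} | Sort-Object DomainType, Domain | Format-Table -AutoSize
```

Relay domains that show RecipientLookup as False accept any recipient address at the Edge Transport server, so invalid recipients in those domains are only rejected by the downstream system.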