Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Greylisting and Honeypot IP Whitelists - Vamsoft ORF

Many years ago I wrote about how I was getting good results with the anti-spam technique greylisting. It is still a technique I use with many clients. 

However with the increasing use of cloud based services, I have found that greylisting can delay legitimate traffic, because the email can be delivered from different IP addresses on each attempt. 
While Vamsoft does have an option to Accept delivery retries from the same 24 subnet, this is not always effective because the large providers have bigger IP address pools. 

Therefore I have started whitelisting the major providers within the Vamsoft product. 

Another feature I use with Vamsoft is their Honeypot function - the same lists for greylisting I am using with this feature as well - as a single bad address will cause a lot of senders to get blocked. 

Getting the Lists of IP Addresses

The first thing to do is get the IP addresses. I am putting in Office365, Google Apps, Mimecast and Amazon SES. If you have senders on other cloud providers then you should add those addresses as well. 

For Office365 and Mimecast, the list of IP addresses is on their web site. 


Google Apps

For Google apps, you need to do an NSLOOKUP to get the current list. 
First query their SPF record:
nslookup -q=TXT _spf.google.com 8.8.8.8

Then query each result, which at the time of writing was this:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

Although at the time of writing, Netbblocks 2 is ipV6, which you may not need. 

Amazon SES: 
Similar to Google, query their DNS records:
nslookup -type=TXT amazonses.com | find "v=spf1"

Entering the Lists in to Vamsoft

Once you have the lists, you are ready to put them in to Vamsoft. The GUI I find is a little cumbersome for this task, and if you have lots of servers will take a long time. Therefore modify the configuration file instead. 

First, check whether you have any IP addresses in the white list - Blacklists --> Greylisting --> IP Exceptions. If you don't, add one, as this will create the relevant part of the configuration file and the format. 

Next, option an elevated command prompt and enter this:

notepad "c:\Program Files (x86)\ORF Fusion\orfent.ini"

Then look for the section 

[GreylistingHostExceptions]

The following the format, add the IP addresses like this:

101=V5"23.103.132.0/22","Office365"

The number at the start has to be unique. I usually start at 101 as it will ensure it doesn't conflict with any existing entries - usually creating it in a separate Notepad file and then copying the result in to the configuration file. 

Save the configuration file and close it. Finally start the Vamsoft Administration tool and check the list has your addresses in it. If it does, save the file, which will sort out the numbering for you correctly. For the Honeypot feature, repeat above, but instead put the same list of IP addresses in to the section headed
[HoneypotIpExceptions]

Check the lists regularly - as the providers will add additional IP addresses and you need to update them. 
Comments are closed