{"id":182,"date":"2007-10-12T01:21:41","date_gmt":"2007-10-11T23:21:41","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2008\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/"},"modified":"2007-10-12T01:21:41","modified_gmt":"2007-10-11T23:21:41","slug":"exchange-2007-administration-antispam-and-content-filtering","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/","title":{"rendered":"Exchange 2007 Administration : Antispam and Content Filtering"},"content":{"rendered":"
\n

Enable content filtering on a HUB Transport server <\/h4>\n

If you want to enable the content filter on a HUB transport server, run the ".\/install-AntispamAgents.ps1<\/strong>" script from the %Program Files%\\Exchange Server\\Scripts folder. Next, restart the Microsoft Exchange Transport Service by running Restart-Service MSExchangeTransport<\/strong>. (http:\/\/www.exchangepedia.com\/blog\/2006\/09\/how-to-install-anti-spam-agents-on-hub.html<\/a>) <\/p>\n

Enabling IPBlockListProvider on a HUB that does not directly accept incoming internet emails <\/h4>\n

If the Hub transport is responsible for performing content filtering, and the HUB does not receive incoming internet emails itself (but receives the messages from a relay server), then all incoming connections will appear to be coming from that relay server (and not from the "real" IP address of the sender's mailserver). This means that options such as Real Time block lists (IP Block List Provider in 2007) won't work properly. You can solve this by telling the transport engine on the HUB to treat certain IP addresses as internal and skip those IP addresses in the email header.
Suppose you want to define 192.168.1.3 and the entire 10.1.2.0\/24 IP range as internal, run this script on the HUB transport : set-transportconfig -InternalSMTPServers "192.168.1.3","10.1.2.0\/24"<\/strong> You can read more info about IP Block List providers at http:\/\/technet.microsoft.com\/en-us\/library\/bb124369.aspx<\/a> and http:\/\/exchangepedia.com\/blog\/2006\/12\/exchange-server-2007-how-are-rbls.html<\/a> . Depending on your setup, you may need to add 127.0.0.1 to the list of InternalSMTPServers. Use a sniffer such as wireshark to ensure that everything is set up correctly.
Example : I have installed a POP3 collector on one of my servers. This connector connects to the POP3 mailserver of my ISP and downloads my emails. Next, it uses SMTP to connect to my own internal Exchange server to deliver the messages to my local user. The connection to my Exchange server always originates from a local IP address in my network. And if I skip those local IP addresses, I even have to skip the IP address of my ISP's SMTP servers. So I created a transportconfig that looks like this :
[PS] C:\\>set-transportconfig -InternalSMTPServers "195.130.137.0\/24","195.130.136.0\/24","195.130.132.0\/24","192.168.0.0\/16","127.0.0.1"
[PS] C:\\>Get-TransportConfig
ClearCategories : True
GenerateCopyOfDSNFor : {5.4.8, 5.4.6, 5.4.4, 5.2.4, 5.2.0, 5.1.4}
InternalSMTPServers : {195.130.132.0\/24, 192.168.0.0\/16, 127.0.0.1,
195.130.137.0\/24, 195.130.136.0\/24}
JournalingReportNdrTo : <>
MaxDumpsterSizePerStorageGroup : 18MB
MaxDumpsterTime : 7.00:00:00
MaxReceiveSize : unlimited
MaxRecipientEnvelopeLimit : unlimited
MaxSendSize : unlimited
TLSReceiveDomainSecureList : {}
TLSSendDomainSecureList : {}
VerifySecureSubmitEnabled : False
VoicemailJournalingEnabled : True
Xexch50Enabled : True<\/span>
As you can see, I'm ignoring my local IP addresses and the ISP IP addresses, and localhost. The "IP block List provider" filter will now ignore those IP addresses and (hopefully) only look for the IP address of the server that delivered the email to my ISP's mail server (which is exactly what I want my server to look for). I've sent a test email from my mailserver at work (81.246.74.58) and the wireshark sniffer shows this : <\/p>\n

\"101207_1547_Exchange2001\"<\/a> <\/p>\n

Conclusion : it works fine ! Instead of performing a DNS lookup to my internal IP, or the IP of my ISP, the filter skips those IP addresses and performs the lookup for the real IP address of the mailserver that delivered the message to my ISP.
When I look in the header of the email, this is what I can see : <\/p>\n

\n\n\n<\/colgroup>\n\n\n
\n

Received: from socrates (192.168.0.1) by apollo.corelan.be (192.168.0.5) with
Microsoft SMTP Server id 8.0.744.0; Sat, 6 Oct 2007 13:28:36 +0200
<\/strong><\/span>MIME-Version: 1.0
Content-Type: multipart\/alternative;
    boundary="=_alternative 003EFF6DC125736C_="
From: Peter.VanEeckhoutte@imperialmeatproducts.com
Subject: test
Date: Sat, 6 Oct 2007 13:28:09 +0200
Return-Path: Peter.VanEeckhoutte@imperialmeatproducts.com
Delivered-To: peter.ve@telenet.be
Received: (qmail 14237 invoked from network); 6 Oct 2007 11:28:17 -0000
Received: from hoboi1bl8.telenet-ops.be ([195.130.137.93]) (envelope-sender
<Peter.VanEeckhoutte@imperialmeatproducts.com>) by okeanos.telenet-ops.be
(qmail-ldap-1.03) with SMTP for <peter.ve@telenet.be>; 6 Oct 2007 11:28:17
-0000
Received: from nocme2bl8.telenet-ops.be (nocme2bl8.telenet-ops.be
[195.130.136.12])    by hoboi1bl8.telenet-ops.be (8.13.1\/8.13.1) with ESMTP id
l96BSD2o008260    for <peter.ve@telenet.be>; Sat, 6 Oct 2007 13:28:14 +0200
Received: from localhost (localhost.localdomain [127.0.0.1])    by
nocme2bl8.telenet-ops.be (Postfix) with SMTP id E820B158018    for
<peter.ve@telenet.be>; Sat, 6 Oct 2007 13:28:13 +0200 (CEST)
Received: from penia.telenet-ops.be (penia.telenet-ops.be [195.130.132.39])    by
nocme2bl8.telenet-ops.be (Postfix) with ESMTP id DF4B7158005    for
<peter.ve@telenet.be>; Sat, 6 Oct 2007 13:28:13 +0200 (CEST)
<\/span>Received: from mailhost.imperialmeatproducts.com
(mailhost.imperialmeatproducts.com [81.246.74.58])    <\/strong><\/span>by penia.telenet-ops.be
(Postfix) with ESMTP id D6BB333E613    for <peter.ve@telenet.be>; Sat, 6 Oct<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n

Text in red = contains the IP addresses that I want to ignore. Text in blue = IP address of mailserver that delivered the email to my ISP. Text in green = internal IP addresses (need to be ignored as well). <\/p>\n

You can test IP Block List provider settings using Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress <ip_address_that_needs_to_be_tested> <\/strong><\/p>\n

\n\n\n\n\n<\/colgroup>\n\n\n\n
\n

[PS] C:\\>Get-IPBlockListProvider | Test-IPBlockListProvider -IPAddress 24.167.247.129 <\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Provider
--------
sbl-xbl.spamhaus.org
list.dsbl.org
multihop.dsbl.org
blackholes.mail-abuse.org<\/span><\/p>\n<\/td>\n

\n

ProviderResult
--------------
{127.0.0.4}
{}
{}
{}<\/span><\/p>\n<\/td>\n

\n

Matched
-------
True
False
False
False<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n

Additionally, you can send an email to 'nelson-sbl-test@crynwr.com' and wait for a reply , or use the "Get-AgentLog" query below to see if the returning message was stopped.
If you want to know if the filter works in real life, you can use the following command to read the logs : <\/p>\n

\n\n\n<\/colgroup>\n\n\n
\n

[<\/strong><\/span>PS] C:\\>Get-AgentLog | where {$_.Reason -eq "BlockListProvider"} <\/p>\n

<\/strong><\/span>Timestamp : 6\/10\/2007 14:08:01
SessionId : 08C9D621EC2F88DC
IPAddress : 189.18.66.103
MessageId :
P1FromAddress : angelita_mcDanielyb@webtv.com
P2FromAddresses : {angelita_mcDanielyb@webtv.com}
Recipients : {peter.ve@corelan.be}
Agent : Connection Filtering Agent
Event : OnEndOfHeaders
Action : RejectMessage
SmtpResponse : 550 5.7.1 Your server is listed as an open relay at sbl-xbl.spamhaus.org
Reason : BlockListProvider
ReasonData : sbl-xbl.spamhaus.org <\/p>\n

Timestamp : 6\/10\/2007 22:28:02
SessionId : 08C9D621EC2F8BB2
IPAddress : 24.167.247.129
MessageId :
P1FromAddress : JustineTalbot@femenino.com
P2FromAddresses : {JustineTalbot@femenino.com}
Recipients : {peter.ve@corelan.be}
Agent : Connection Filtering Agent
Event : OnEndOfHeaders
Action : RejectMessage
SmtpResponse : 550 5.7.1 Your server is listed as an open relay at sbl-xbl.spamhaus.org
Reason : BlockListProvider
ReasonData : sbl-xbl.spamhaus.org<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n

The IP block list providers that I'm using are : sbl-xbl.spamhaus.org, list.dsbl.org, multihop.dsbl.org and blackholes.mail-abuse.org
Note : You can watch IPBlockListProvider statistics through performance monitor, or view the top RBL block list providers by running get-AntispamTopRBLProviders.ps1<\/strong>. You can dig up other anti-spam statistics by using the scripts that can be found in the Exchange Server installation folder, under "scripts" :
get-AntispamSCLHistogram.ps1
get-AntispamTopBlockedSenders.ps1 "P1"<\/strong> or get-AntispamTopBlockedSenders.ps1 "P2"
get-AntispamFilteringReport.ps1<\/strong> with one of the following parameters : messagesrejected \/ messagesquarantined \/ connections \/ commands \/ messagesdeleted <\/p>\n

Using quarantine mailbox <\/h4>\n

In case you want to quarantine spam emails (as opposed to blocking\/rejecting spam emails), this document will provide more info on Spam Quarantine : http:\/\/technet.microsoft.com\/en-us\/library\/aa997692.aspx<\/a> and http:\/\/technet.microsoft.com\/en-us\/library\/bb124897.aspx<\/a> . If you have set up your quarantine mailbox and you want to be able to properly recover messages from the quarantine, have a look at http:\/\/technet.microsoft.com\/en-us\/library\/aa998920.aspx<\/a> <\/p>\n

See SCL rating in Outlook 2007 <\/h4>\n

You can use the procedure that was written by Microsoft to expose the SCL rating field in Outlook 2003 and apply it to Outlook 2007. You may need to click "OK" at the warning to overwrite a similar form in the library, but if definitely works. The procedure can be found at http:\/\/msexchangeteam.com\/archive\/2004\/05\/26\/142607.aspx<\/a> or http:\/\/www.petri.co.il\/display_scl_level_in_outlook_2003.htm<\/a> Additionally, you can expose original senders and recipients using a procedure explained in http:\/\/exchangepedia.com\/blog\/2007\/05\/how-to-expose-original-senders-and_11.html<\/a> <\/p>\n

How to set up scheduled safe-list aggregation <\/h4>\n

http:\/\/technet.microsoft.com\/en-us\/library\/aa998280.aspx<\/a>
First, set up initial safe-list aggregation by running the Update-SafeList command for each mailbox on the server. If you want to run this on a scheduled basis, create a batch file with the following contents :
"C:\\WINDOWS\\system32\\windowspowershell\\v1.0\\powershell.exe" -psconsolefile "d:\\Exchange Server\\bin\\exshell.psc1" -command "& {get-mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::UserMailbox } | update-safelist -verbose}"
<\/strong>(Make sure to verify the paths in the script – both the path to powershell.exe and the path to the console file). Next, use the scheduled tasks panel to schedule the script.
Warning : Pay attention to selecting the correct time for running this script. Since the command updates 2 attributes in AD, you may generate a lot of replication data after running this command. <\/p>\n

Note : Since outlook users have the option to add users to the safe senders\/safe recipients, the safe-list aggregation technique may result in unwanted behavior. If users add their own email address to the safe recipients, then all policies will be bypassed, leaving
Also, make sure to disable "Automatically add people I e-mail to the Safe Senders List", because it will create a huge list of email addresses without really verifying that they are using a trusted mailserver… In fact, you disable all policies, including policies that look at the IP address of the sender's server, simply by trusting a user… and that does not make any sense at all to me. So if you start seeing a lot of messages in the Get-AgentLog output that should have been blocked,then you know that you have to look at the Junk E-Mail options from that specific user… Odds are that the user has added himself as a safe recipient…. <\/p>\n

If you are seeing a lot of allowed messages in the agent log that state "not available: policy is disabled", then emails for that users are not being checked. One of the reasons for this behavior could be the fact that you're using a POP3 collector, and set up the collector to use an authenticated smtp connection to your Exchange server (port 587). In general, if you use partner permissions (authenticated client connections) on the receive connector on your Exchange Server, then anti-spam will be bypassed for those connections. Also, make sure you have only one connector that accepts incoming mails for certain IP addresses, or anti-spam will be confused. See http:\/\/busbar.maktoobblog.com\/?post=331077 for more info. You can pull up the list of messages that have bypassed the filters by running Get-AgentLog -start "27\/10\/2007 00:00:00" | where {$_.ReasonData -eq "not available: policy is disabled."} | FT Timestamp,IPAddress,P1FromAddress,Recipients<\/strong> <\/p>\n

Logging & Troubleshooting <\/h4>\n

Show anti-spamcontent filter log : get-AgentLog<\/strong>. <\/strong>If you want to see which messages were blocked, use Get-AgentLog | where {$_.Action -ne "AcceptMessage"}. <\/strong>The logs are saved for 30days or until they've become 250Mb in size (whichever comes first). If you have copied log files to another location (to prevent them from being deleted) and you want to read those log files, use get-AgentLog drive:\\path\\to\\file<\/strong> More commands can be found at http:\/\/exchangepedia.com\/blog\/2007\/04\/managing-and-filtering-anti-spam-agent.html<\/a> <\/p>\n

Tracking messages : get-messagetrackinglog -Start "start date and time" -End "end date and time". Example : get-messagetrackinglog -Start "5\/10\/2007 23:58:00" -End "6\/10\/2007 0:08:00"<\/strong> <\/p>\n

If you have enabled Sender Reputation filtering (which uses IP Block Lists to stop spammers) or if you are using IP Block Lists, you can get the list of blocked IP addresses using Get-IPBlockListEntry <\/strong><\/p>\n

Make sure to enable Antispam updates on your Exchange server. You can use the Enable-AntispamUpdates cmdlet to activate automatic updates. (See <\/a>http:\/\/technet.microsoft.com\/en-us\/library\/aa998006.aspx for more info) :
Enable-AntispamUpdates -IPReputationUpdatesEnabled $true -MicrosoftUpdate RequestScheduled –SpamSignatureUpdatesEnabled $true -UpdateMode Automatic <\/strong><\/strong><\/p>\n

You can find more information about Anti-Spam and Anti-Virus filtering in Exchange on <\/p>\n

http:\/\/technet.microsoft.com\/en-us\/library\/42cd5fe3-15f9-44eb-8dc2-c30a247a6686.aspx<\/a> <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Enable content filtering on a HUB Transport server If you want to enable the content filter on a HUB transport server, run the ".\/install-AntispamAgents.ps1" script from the %Program Files%\\Exchange Server\\Scripts folder. Next, restart the Microsoft Exchange Transport Service by running Restart-Service MSExchangeTransport. (http:\/\/www.exchangepedia.com\/blog\/2006\/09\/how-to-install-anti-spam-agents-on-hub.html) Enabling IPBlockListProvider on a HUB that does not directly accept incoming internet … Continue reading \"Exchange 2007 Administration : Antispam and Content Filtering\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[349],"tags":[1300,509],"class_list":["post-182","post","type-post","status-publish","format-standard","hentry","category-exchange","tag-powershell","tag-exchange"],"yoast_head":"\nExchange 2007 Administration : Antispam and Content Filtering - Corelan | Exploit Development & Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exchange 2007 Administration : Antispam and Content Filtering - Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Enable content filtering on a HUB Transport server If you want to enable the content filter on a HUB transport server, run the ".\/install-AntispamAgents.ps1" script from the %Program Files%Exchange ServerScripts folder. Next, restart the Microsoft Exchange Transport Service by running Restart-Service MSExchangeTransport. (http:\/\/www.exchangepedia.com\/blog\/2006\/09\/how-to-install-anti-spam-agents-on-hub.html) Enabling IPBlockListProvider on a HUB that does not directly accept incoming internet … Continue reading "Exchange 2007 Administration : Antispam and Content Filtering"\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2007-10-11T23:21:41+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Exchange 2007 Administration : Antispam and Content Filtering\",\"datePublished\":\"2007-10-11T23:21:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/\"},\"wordCount\":1915,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"powershell\",\"MS Exchange\"],\"articleSection\":[\"MS Exchange\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/\",\"name\":\"Exchange 2007 Administration : Antispam and Content Filtering - Corelan | Exploit Development & Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2007-10-11T23:21:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2007\\\/10\\\/12\\\/exchange-2007-administration-antispam-and-content-filtering\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Exchange 2007 Administration : Antispam and Content Filtering\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Exchange 2007 Administration : Antispam and Content Filtering - Corelan | Exploit Development & Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/","og_locale":"en_US","og_type":"article","og_title":"Exchange 2007 Administration : Antispam and Content Filtering - Corelan | Exploit Development & Vulnerability Research","og_description":"Enable content filtering on a HUB Transport server If you want to enable the content filter on a HUB transport server, run the ".\/install-AntispamAgents.ps1" script from the %Program Files%Exchange ServerScripts folder. Next, restart the Microsoft Exchange Transport Service by running Restart-Service MSExchangeTransport. (http:\/\/www.exchangepedia.com\/blog\/2006\/09\/how-to-install-anti-spam-agents-on-hub.html) Enabling IPBlockListProvider on a HUB that does not directly accept incoming internet … Continue reading \"Exchange 2007 Administration : Antispam and Content Filtering\"","og_url":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/","og_site_name":"Corelan | Exploit Development & Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2007-10-11T23:21:41+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Exchange 2007 Administration : Antispam and Content Filtering","datePublished":"2007-10-11T23:21:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/"},"wordCount":1915,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["powershell","MS Exchange"],"articleSection":["MS Exchange"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/","url":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/","name":"Exchange 2007 Administration : Antispam and Content Filtering - Corelan | Exploit Development & Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2007-10-11T23:21:41+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2007\/10\/12\/exchange-2007-administration-antispam-and-content-filtering\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Exchange 2007 Administration : Antispam and Content Filtering"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":8544,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=182"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/182\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}