Monthly Archives: December 2014

Interesting regedit.exe tricks

I read an interesting post by Tim Barrett regarding regedit.exe tricks – here.  You can spend hours looking at regedit.exe, but I never paid attention to the favourites menu!  My favourite trick is to use the export-as-text function to determine the last write time of a particular registry key.  EG: To determine when a change was made, right click on the key in question and select Export.

In the Export Registry File window, choose where to save the file and set Save as type to Text Files (*.txt).  Give the file a name and click Save.

Open the saved file in Notepad.  In the example, you can see (on the Last Write Time line) that the registry key was last written on 03/12/2014 at 18:15.

This can help determine when an issue first occurred, or in particular cases … who made the change.
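As an added example (not from the post, and not Tim Barrett's code), here is a small Python parser for the text file regedit writes: it pulls the Key Name and Last Write Time of every key in the export and reports the most recently written one.  The sample export is constructed; the date order on the Last Write Time line follows the exporting machine's locale, so the day-first reading the post uses is a parameter.

```python
import re
from datetime import datetime

# Constructed sample in the layout regedit writes for "Save as type: Text Files";
# the key paths and values are made up for this example.
SAMPLE_EXPORT = """Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleCorp\\Agent
Class Name:        <NO CLASS>
Last Write Time:   03/12/2014 - 6:15 PM
Value 0
  Name:            Version
  Type:            REG_SZ
  Data:            2.1.0

Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleCorp\\Agent\\Settings
Class Name:        <NO CLASS>
Last Write Time:   11/10/2014 - 9:02 AM
"""

KEY_RE = re.compile(r"^Key Name:\s+(.+?)\s*$")
# regedit writes the timestamp in the machine's locale; AM/PM is optional so
# that 24-hour locales ("18:15") parse too.
TIME_RE = re.compile(
    r"^Last Write Time:\s+(\d{1,2})/(\d{1,2})/(\d{4}) - (\d{1,2}):(\d{2})(?:\s*(AM|PM))?\s*$")

def parse_export(text, dayfirst=True):
    """Return [(key_path, datetime)] for every key in a regedit text export.
    dayfirst=True reads 03/12/2014 as 3 December 2014 (as the post does);
    pass False for a month-first (en-US) export."""
    keys, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = TIME_RE.match(line)
        if m and current is not None:
            a, b, year, hour, minute, ampm = m.groups()
            day, month = (int(a), int(b)) if dayfirst else (int(b), int(a))
            hour = int(hour)
            if ampm:  # 12-hour clock -> 24-hour
                hour = hour % 12 + (12 if ampm == "PM" else 0)
            keys.append((current, datetime(int(year), month, day, hour, int(minute))))
            current = None
    return keys

def most_recent(text, dayfirst=True):
    """Key (including subkeys) that changed last: the first place to look."""
    return max(parse_export(text, dayfirst), key=lambda kv: kv[1])
```

Exporting a parent key includes all of its subkeys, so one export plus this parser gives a quick change timeline for a whole branch.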

Adding and checking RBL and DNSBL in Exchange 2010

To add an RBL or DNSBL to Exchange 2010 using the EMC:

Open the EMC and expand Microsoft Exchange On-Premises -> Organization Configuration -> Hub Transport.

Select the Anti-Spam tab.

Right click on IP Block List Providers and select Properties.


Select the Providers tab and click Add…


Enter the details of the block list provider: a display name, the lookup domain that is queried, and how a returned result is matched (any match, a bitmask or specific addresses).

Some basic providers you can use are:

zen.spamhaus.org
dnsbl.sorbs.net

To do the same thing in Exchange Management Shell:

Add-IPBlockListProvider -Name '%NAME%' -LookupDomain '%LOOKUPDOMAIN%' -Enabled $true -BitmaskMatch $null -IPAddressesMatch @() -AnyMatch $true -Priority '%PRI%' -RejectionResponse ''


Where:
%NAME% is the name you wish to give the DNSBL (EG: Spamhaus, sorbs, etc.);
%LOOKUPDOMAIN% is the domain that is queried, i.e. the DNSBL domain (zen.spamhaus.org, dnsbl.sorbs.net, etc.); and
%PRI% is the priority (1, 2, 3, etc.).

EG:
Add-IPBlockListProvider -Name 'Spamhaus' -LookupDomain 'zen.spamhaus.org' -Enabled $true -BitmaskMatch $null -IPAddressesMatch @() -AnyMatch $true -Priority '1' -RejectionResponse ''

To check if the RBL is working, or to check if it is rejecting legitimate emails, you can use the following commands from the Exchange Management Shell (mm/dd/yyyy date format, regardless of regional settings):

Get-AgentLog -StartDate "08/22/2014" | where {$_.Reason -eq "BlockListProvider"}


This will list all emails that were rejected because of a Block List Provider from 22/08/2014 to the current date.
Piping the output to Get-Member shows the available properties: Action; Agent; Diagnostics; Event; IPAddress; MessageID; P1FromAddress; P2FromAddresses; Reason; ReasonData; Recipients; SessionID; SMTPResponse; and TimeStamp.


This will list all rejected emails whose sender address matches *example.org (useful for spotting a legitimate sender caught by a list):

Get-AgentLog -StartDate "08/22/2014" | where {$_.Reason -eq "BlockListProvider" -and $_.P1FromAddress -like "*example.org"}


This will list all rejected emails that were addressed to anonit@example.com:

Get-AgentLog -StartDate "08/22/2014" | where {$_.Reason -eq "BlockListProvider" -and $_.Recipients -like "anonit@example.com"}


Show all originating IP addresses that were blocked by the provider named SpamHaus:

Get-AgentLog -StartDate "08/22/2014" | where {$_.ReasonData -eq "SpamHaus"} | Select-Object IPAddress