Tales from Tech Support: Part 12 – Honeypot on Edge Servers

Microsoft introduced the Edge and Hub roles in Exchange 2007. The idea was to separate the perimeter (gateway) functions so that filtering is performed before the email reaches the central server. This includes recipient validation, i.e. rejecting all emails sent to non-existent recipients. This is performed by an Exchange transport agent called the “Recipient Filter Agent”.

The Active Directory-based Recipient Validation of ORF is not available on Edge servers, because the Edge server does not have direct access to the AD, so ORF cannot query the valid recipients. This would not be a problem (since Edge will reject emails sent to non-existent recipients anyway), but the Directory Harvest Attack (DHA) Protection test of ORF relies on the recipient validation of ORF, so that test will not be available on Edge (unless you use TXT or SQL-based recipient validation).

Moreover, as the Honeypot test relies on spam emails sent to non-existent email addresses (which you published to lure spammers), that won’t work either, because Edge will reject the spam before ORF can record the delivery attempt to the Honeypot database.

Luckily, we can work around the latter problem by configuring the Transport Agent of ORF to run before the Recipient Filter Agent:

1) Start the Exchange Management Shell
2) Enter the following command:

Get-TransportAgent | Format-List

3) ORF has two agents, the “Vamsoft ORF Routing Agent” and the “Vamsoft ORF Receive Agent”. Set the priority of the latter higher than the priority of the “Recipient Filter Agent” (agents with a Priority value closer to 0 run earlier), so that it runs first.

To change the priority (e.g. to 7), run the following command:

Set-TransportAgent -Identity "Vamsoft ORF Receive Agent" -Priority 7

4) Finally, restart the MSExchangeTransport Service to apply the changes:

Restart-Service MSExchangeTransport

This way, the Honeypot test is performed before the email is rejected by the recipient validation of Edge.
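
The steps above can also be scripted so that the target priority is read from the Recipient Filter Agent's current position instead of being hard-coded. This is an added example, not part of the original post and not Vamsoft's own tooling; it assumes the agent names are exactly as shown above and that it is run in the Exchange Management Shell on the Edge server.

```powershell
# Added example: place the ORF Receive Agent ahead of the Recipient Filter Agent.
# Agent names are taken from the post; adjust them if Get-TransportAgent shows others.
$orfName = 'Vamsoft ORF Receive Agent'
$rfaName = 'Recipient Filter Agent'

$orf = Get-TransportAgent -Identity $orfName -ErrorAction SilentlyContinue
$rfa = Get-TransportAgent -Identity $rfaName -ErrorAction SilentlyContinue

if (-not $orf -or -not $rfa) {
    throw "Could not find '$orfName' and/or '$rfaName'. Check the names with Get-TransportAgent."
}
if (-not $orf.Enabled) {
    Write-Warning "'$orfName' is disabled; reordering alone will not make the Honeypot test run."
}

# Agents with a Priority value closer to 0 process messages first.
if ($orf.Priority -lt $rfa.Priority) {
    Write-Host "'$orfName' (priority $($orf.Priority)) already runs before '$rfaName' (priority $($rfa.Priority))."
}
else {
    # Take over the Recipient Filter Agent's current slot. The order is re-read
    # below to confirm the ORF agent really ended up ahead of it.
    Set-TransportAgent -Identity $orfName -Priority $rfa.Priority

    $orf = Get-TransportAgent -Identity $orfName
    $rfa = Get-TransportAgent -Identity $rfaName
    if ($orf.Priority -lt $rfa.Priority) {
        # The new order only takes effect after the transport service restarts.
        Restart-Service MSExchangeTransport
    }
    else {
        Write-Warning "'$orfName' is still not ahead of '$rfaName'; set the priority manually."
    }
}

# Show the resulting order for review.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize
```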
