Documentation Home > Exchange Anti-Spam Toolkit

Exchange Anti-Spam Toolkit Recipient Filter

The Recipient Filter allows Exchange to perform Recipient Validation and allows specific recipients to be blocked. The primary uses would be to enable Recipient Validation and to block specific recipients from receiving external email messages.

Recipient Validation

When an attempt is made to deliver a message to a non-existent mailbox in Exchange, the default behaviour (when Recipient Validation is disabled) is for Exchange to accept the message during the SMTP session, and later send a non-delivery report (NDR) to the sender. While this can make it more difficult for spammers to guess the names of mailboxes on the server, this approach is not recommended or desirable in most environments because if the sender address has been spoofed by the spammer, the NDR will generate backscatter spam which goes to another user (not the spammer) and can cause the Exchange server to be blocked by other mail servers. Most mail addressed to non-existent mailboxes will in fact be spam with spoofed sender addresses.

When Recipient Validation is enabled, messages addressed to non-existent mailboxes will be rejected during the SMTP session. This is the model used by most mail servers other than Microsoft Exchange. Enabling Recipient Validation eliminates the problem of backscatter spam, as the error code and message are always returned to the actual sending mail server. In most cases, the sending mail server will generate a non-delivery report to the user as a result of the SMTP error code returned by Exchange. The non-delivery report received by the sending user will also be more useful in this instance, because more information is available during the SMTP session, and as the NDR is generated by their own mail server, it will be in a familiar format.

When Recipient Validation is enabled, the Tarpit Interval on external Receive Connectors should be set to a non-zero value to minimize directory harvesting attacks. The Tarpit Interval can be configured using the Set-ReceiveConnector PowerShell cmdlet. By default it is set to 5 seconds.

For more information about Recipient Filtering, see Recipient Filtering Procedures.

We recommend enabling Recipient Validation on all Edge Transport servers. Due to the limitation explained below, we do not recommend enabling Recipient Validation on Mailbox (Hub) servers.

Do Not Enable Recipient Validation on Mailbox (Hub) Servers

Recipient Validation should not be enabled on Mailbox (Hub) servers. It is fine to install the Recipient Filter on Mailbox (Hub) servers but Recipient Validation should not be enabled and the list of Blocked Recipients should not be used.

Enabling the Recipient Filter on Mailbox servers may result in messages being rejected for all recipients when only a single recipient is invalid or blocked.

Blocked Recipients

The Recipient Filter will block messages sent to recipients on this list, if Recipient Blocking is enabled. The primary use for this is to block external senders from sending messages to certain recipients, by enabling setting External Mail Enabled on the Recipient Filter.

Caution Regarding Recipient Blocking of Internal Mail

While the Recipient Filtering Procedures documentation suggests that the Blocked Recipients feature is intended for blocking external messages, if the Recipient Filter is also enabled for internal mail, internal messages to Blocked Recipients will in fact also be blocked. This is confirmed by the documentation for the Set-RecipientFilterConfig PowerShell cmdlet.

Therefore, do not set Internal Mail Enabled if using the Blocked Recipients list.