
I have configured our Exchange 2013 Edge Transport server to utilize several IPBlockListProviders including Spamhaus. While they work great most of the time, there are still some emails which despite being matched by one of the block list providers get through.

Taking for instance an email that was received recently from IP 66.248.197.240 which is most certainly on the Spamhaus SBL as well as a few others (http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a66.248.197.240&run=toolpage) and correctly identified by the Edge server as such:

[PS] C:\Users\Administrator>Test-IPBlockListProvider -Identity "Spamhaus" -IPAddress 66.248.197.240

Provider                                ProviderResult                                                          Matched
--------                                --------------                                                          -------
Spamhaus                                {127.0.0.3}                                                                True

I have verified that I'm not using any public DNS forwarders (such as Google's), so it's not an issue of all or nothing being blocked.

What's most confusing is that this configuration works for the majority of messages received which are on an SBL:

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\get-AntispamTopRBLProviders.ps1

Name                                                                                                              Value
----                                                                                                              -----
Spamhaus                                                                                                           4594
SpamCop                                                                                                              48

Interestingly, one thing that seems to have made a significant difference is modifying the priority of the transport agents such that the Connection Filtering Agent is first. This is my current configuration in case it's pertinent:

[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Get-TransportAgent

Identity                                           Enabled         Priority
--------                                           -------         --------
Connection Filtering Agent                         True            1
Sender Id Agent                                    True            2
Sender Filter Agent                                True            3
Recipient Filter Agent                             True            4
Content Filter Agent                               True            5
Address Rewriting Inbound Agent                    True            6
Edge Rule Agent                                    True            7
Attachment Filtering Agent                         True            8
Address Rewriting Outbound Agent                   True            9
Protocol Analysis Agent                            True            10

I'm including the full message headers (with my server's identities redacted) of an email from an IP address that is on an SBL below. It's clear that the inclusion of all of the SPAM filtering I have is impacting the time it takes for a message to make it through to the mailbox server (in this case, 8 seconds between submission and delivery), however it doesn't seem to be enough.

X-Ms-Exchange-Organization-Network-Message-Id: 32388ce4-005a-4090-a363-08d2612d1e23
X-Ms-Exchange-Organization-Authas: Anonymous
Pm-Xs: 15766241f_7460962er.x15766241
X-Ms-Exchange-Organization-Avstamp-Enterprise: 1.0
Vr-Yhkrg: 15766241s-15766241e_i7460962
X-Ms-Exchange-Organization-Prd: heliq240.emited.work
X-Ms-Exchange-Organization-Pcl: 2
Return-Path: Remote-Job-Op@heliq240.emited.work
X-Ms-Exchange-Organization-Scl: 1
Mime-Version: 1.0
Ybu-Efa: c3195284488a449ed165c2c50f18376bb-ec3195284488a449ed165c2c50f18376b.u15766241
Okul-Lfp: 15766241y.15766241n_c7460962
X-Ms-Exchange-Organization-Senderidresult: None
X-Ms-Exchange-Organization-Antispam-Report: DV:3.3.14519.472;SID:SenderIDStatus None;OrigIP:66.248.197.240
Message-Id: <c3195284488a449ed165c2c50f18376b.15766241.7460962@heliq240.emited.work>
X-Ms-Exchange-Organization-Authsource: edgeserver.mydomain.com
Content-Type: multipart/alternative; boundary="15766241"
Received-Spf: None (edgeserver.mydomain.com: Remote-Job-Op@heliq240.emited.work does not designate permitted sender hosts)
Received: from mailboxserver.mydomain.com (192.168.1.2) by mailboxserver.mydomain.com (192.168.1.2) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox Transport; Wed, 20 May 2015 10:59:49 -0500
Received: from mailboxserver.mydomain.com (192.168.1.49) by mailboxserver.mydomain.com (192.168.1.49) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 20 May 2015 10:59:43 -0500
Received: from edgeserver.mydomain.com (192.168.1.4) by mailboxserver.mydomain.com (192.168.1.49) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Frontend Transport; Wed, 20 May 2015 10:59:43 -0500
Received: from heliq240.emited.work (66.248.197.240) by edgeserver.mydomain.com (192.168.1.4) with Microsoft SMTP Server id 15.0.847.32; Wed, 20 May 2015 10:59:41 -0500
New telecommuting opportunities available today - 05/20/15

Any suggestions?

Also, this is my first post on any of the Stack Exchange sites. I hope this question is both merited and on the correct site. If not, please do let me know!

Sean W
  • Are your IPBlockListProviders Enabled? I'm not sure what a Test- would do against a disabled provider. – blaughw May 21 '15 at 14:18
  • @blaughw Yes, they are enabled. Using this site (http://www.crynwr.com/spam/) to test yields expected results for all tests. – Sean W May 21 '15 at 18:21

1 Answer


I recommend you check your AllowLists as well, as it seems you have a hard hit against a (presumably enabled) BlockList. My hunch is that you must have a rule in the Transport flow that successfully validates the message. Since Connection Filter is highest in the list, I would think the buck stops there.

blaughw
  • Good point, I should have said whether I use allow lists. I don't have any allow list providers and the only allowed IPs are from known servers (not, for example, the one listed in the question). – Sean W May 20 '15 at 23:38
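One consolidated set of checks for the points raised in the question (provider enabled and matching, agent order) and in the answer (allow lists, which agent let the message through). This is an added example, not code from either post; it assumes it is run in the Exchange Management Shell on the Edge Transport server, uses the IP address from the question, and picks an arbitrary 24-hour search window for the agent log.

```powershell
# Added diagnostic script (not from the question or answer). Assumed to run in the
# Exchange Management Shell on the Edge Transport server. The IP is the one from the
# question; the 24-hour window below is an assumed search range.
$SuspectIP = "66.248.197.240"

# 1. Connection filtering must be switched on for external mail, and the recipient
#    must not be on the bypass list, or block list lookups are skipped entirely.
Get-IPBlockListProvidersConfig | Format-List Enabled, ExternalMailEnabled, BypassedRecipients
Get-IPBlockListConfig          | Format-List Enabled, ExternalMailEnabled

# 2. Every configured block list provider should be enabled and should match the IP.
foreach ($p in Get-IPBlockListProvider) {
    $r = Test-IPBlockListProvider -Identity $p.Name -IPAddress $SuspectIP
    "{0,-20} Enabled={1,-5} Matched={2}" -f $p.Name, $p.Enabled, $r.Matched
}

# 3. IP Allow list entries and allow list providers are evaluated before the block
#    lists; an allow list hit means the block list result is never consulted.
Get-IPAllowListConfig   | Format-List Enabled, ExternalMailEnabled
Get-IPAllowListEntry    | Format-Table IPRange, ExpirationTime, HasExpired
Get-IPAllowListProvider | Format-Table Name, Enabled, LookupDomain

# 4. Confirm the Connection Filtering Agent is enabled and still first in priority.
Get-TransportAgent | Format-Table Identity, Enabled, Priority

# 5. The agent log records what each agent actually did per session/message.
#    Filtering on the source IP shows whether Connection Filtering rejected the
#    session or another agent accepted it, with the recorded reason.
$since = (Get-Date).AddHours(-24)
Get-AgentLog -StartDate $since -EndDate (Get-Date) |
    Where-Object { "$($_.IPAddress)" -eq $SuspectIP } |
    Select-Object Timestamp, Agent, Event, Action, Reason, ReasonData, MessageId |
    Format-Table -AutoSize
```

If step 5 shows no Connection Filtering Agent entry at all for the IP, the lookup was bypassed (steps 1 and 3 are the usual causes); if it shows an entry with a non-reject action, the Reason and ReasonData columns say why.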