bypass reputation filtering

Unanswered Question
Aug 29th, 2007

Dear All
I am a new user of IronPort and would like to check with you all how I set a few domains to bypass reputation filtering. There are a few clients facing a problem sending mail to us; they were blocked by my reputation filtering. The problem is the sender's mail is hosted by someone else, and the sending IP is dynamic. Please advise.

regards
Anthony

shannon.hagan Fri, 08/31/2007 - 14:45

Create a sendergroup and put it above the group that has the reputation that you wish to override. In that sendergroup, add the domains/ip addresses that you want to have bypass the reputation lookup.

kluu_ironport Fri, 09/07/2007 - 18:33

In addition, I wanted to add to the post how best to detect which hostname/domain/IP address to add to this sendergroup.

Like the previous post mentioned, you'll want to create a new sendergroup and possibly label it "Bypass_SBRS_scoring". Because the mail that you're mentioning is getting blocked, you may want to position this new sendergroup above the "Blacklist" sendergroup. Note that when incoming connections occur, the HAT Overview works top-down. In other words, it will start at the top and move on down until there's a match, or else fall into the default of ALL.

To add a domain or company as a sender in this new sendergroup, you'll need to add either the hostname, IP address, or IP address range. When you add a sender, there is a little question mark that details how you can add the sender. This is what the help says:

Enter the hosts to add. CIDR addresses such as 10.1.1.0/24 are allowed. IP address ranges such as 10.1.1.10-20 are allowed. IP subnets such as 10.2.3. are allowed. Hostnames such as crm.example.com are allowed. Partial hostnames such as .example.com are allowed.



How to locate the hostname or IP address of a sender

- When customers have difficulty obtaining the hostname or IP address of a sender to add to a sendergroup.

- Trying to obtain the SBRS score of a connecting server


How to search in the logs for the IP or hostname of a sender:

You want to find out the IP address or hostname of the sender called "[email protected]".

1. From the command line, type:

ironport> grep -i "test.com" mail_logs

Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from


2. Then search for the "MID 28"

ironport> grep -i "MID 28" mail_logs


Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
Fri Sep 7 10:06:13 2007 Info: MID 28 Subject 'testing 123'
Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from
Fri Sep 7 10:06:13 2007 Info: MID 28 matched all recipients for per-recipient policy DEFAULT in the inbound table
Fri Sep 7 10:06:13 2007 Info: MID 28 interim verdict using engine: CASE spam negative
Fri Sep 7 10:06:13 2007 Info: MID 28 using engine: CASE spam negative
Fri Sep 7 10:06:13 2007 Info: MID 28 interim AV verdict using Sophos CLEAN
Fri Sep 7 10:06:13 2007 Info: MID 28 antivirus negative
Fri Sep 7 10:06:13 2007 Info: MID 28 queued for delivery
Fri Sep 7 10:06:14 2007 Info: Delivery start DCID 477 MID 28 to RID [0]
Fri Sep 7 10:06:14 2007 Info: Message done DCID 477 MID 28 to RID [0]
Fri Sep 7 10:06:14 2007 Info: MID 28 RID [0] Response 'ok: Message 57897990 accepted'
Fri Sep 7 10:06:14 2007 Info: Message finished MID 28 done


3. From the MID output, you grep for the ICID to get the hostname or IP address of the connecting server.

ironport> grep -i "ICID 10" mail_logs

Fri Sep 7 10:05:42 2007 Info: New SMTP ICID 10 interface Management (172.19.0.146) address 10.1.1.209 reverse dns host outgoing232.ispserver.com verified yes
Fri Sep 7 10:05:42 2007 Info: ICID 10 ACCEPT SG SUSPECTLIST match 10.1.1.209 SBRS 1.2
Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
Fri Sep 7 10:06:14 2007 Info: ICID 10 close

4. The information that I have put in BOLD above displays the information that you want.

The IP address is: 10.1.1.209
The hostname of the connecting server is: outgoing232.ispserver.com
The SBRS score of the connecting IP is: 1.2
The sendergroup that was matched was: Suspectlist
172.19.0.146 is the IP of your Ironport appliance.

So, if you wanted to whitelist the sender, [email protected] or test.com, you would add any of these to the Sendergroup:

10.1.1.209
outgoing232.ispserver.com
.ispserver.com

Use ".ispserver.com" when there are multiple outgoing servers and you want to wildcard them.
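As an added worked example (not code from the original thread or from Cisco/IronPort), the three grep steps above and the top-down HAT behaviour described earlier, in Python. It runs over constructed mail_logs lines modelled on the ones quoted in the post (the quoted copies lost the addresses inside angle brackets, so sender@test.com and someone@example.com are placeholders), derives the IP, hostname and ".ispserver.com" wildcard to add to the bypass group, and then shows why the new sendergroup's position matters: placed above SUSPECTLIST it catches this sender, but a sender from the same ISP with a blacklist-range score is still caught by BLACKLIST unless the group sits above that too. The HAT and its SBRS ranges are an assumption constructed so that a 1.2 score lands in SUSPECTLIST, as the quoted log line shows for that appliance; the sender-entry matcher follows the syntaxes listed in the help text the post reproduces.

```python
import ipaddress
import re

# Constructed sample mail_logs lines, modelled on those quoted in the post. The quoted copies
# lost the addresses inside angle brackets; sender@test.com / someone@example.com are placeholders.
MAIL_LOGS = """\
Fri Sep 7 10:05:42 2007 Info: New SMTP ICID 10 interface Management (172.19.0.146) address 10.1.1.209 reverse dns host outgoing232.ispserver.com verified yes
Fri Sep 7 10:05:42 2007 Info: ICID 10 ACCEPT SG SUSPECTLIST match 10.1.1.209 SBRS 1.2
Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From: <sender@test.com>
Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To: <someone@example.com>
Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from <sender@test.com>
Fri Sep 7 10:06:14 2007 Info: ICID 10 close
"""

def find_mids_for_sender(logs, sender_pattern):
    """Step 1 (grep -i "test.com" mail_logs): MIDs whose envelope From: contains the pattern."""
    mids = set()
    for line in logs.splitlines():
        m = re.search(r"MID (\d+) ICID \d+ From: <([^>]*)>", line)
        if m and sender_pattern.lower() in m.group(2).lower():
            mids.add(int(m.group(1)))
    return sorted(mids)

def icid_for_mid(logs, mid):
    """Step 2 (grep "MID 28"): 'Start MID n ICID m' ties the message to its inbound connection."""
    m = re.search(rf"Start MID {mid} ICID (\d+)", logs)
    return int(m.group(1)) if m else None

def connection_details(logs, icid):
    """Step 3 (grep "ICID 10"): connecting IP, reverse-DNS host, SBRS and the sender group hit."""
    d = {}
    for line in logs.splitlines():
        m = re.search(rf"New SMTP ICID {icid}\b interface \S+ \(([\d.]+)\) address ([\d.]+) "
                      rf"reverse dns host (\S+) verified (\w+)", line)
        if m:
            d.update(appliance_ip=m.group(1), ip=m.group(2), host=m.group(3),
                     verified=m.group(4) == "yes")
        m = re.search(rf"ICID {icid}\b (\w+) SG (\S+) match \S+ SBRS (\S+)", line)
        if m:   # the SBRS field reads 'None' when no score is available
            d.update(action=m.group(1), sender_group=m.group(2),
                     sbrs=None if m.group(3) == "None" else float(m.group(3)))
    return d

def bypass_candidates(details):
    """HAT entries to add: exact IP, exact hostname, and the partial hostname wildcarding the
    ISP's outgoing servers. Hostname entries rely on reverse DNS, so only offer them if verified."""
    entries = [details["ip"]]
    if details.get("verified"):
        host = details["host"]
        entries += [host, "." + host.split(".", 1)[1]]
    return entries

def hat_entry_matches(entry, ip, host):
    """One HAT sender entry in each syntax the help text lists."""
    addr = ipaddress.ip_address(ip)
    numeric = entry.replace(".", "").replace("-", "").replace("/", "").isdigit()
    if numeric and "/" in entry:                      # CIDR: 10.1.1.0/24
        return addr in ipaddress.ip_network(entry, strict=False)
    if numeric and "-" in entry:                      # last-octet range: 10.1.1.10-20
        first, last = entry.split("-", 1)
        prefix = first.rsplit(".", 1)[0]
        return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(f"{prefix}.{last}")
    if numeric:                                       # subnet prefix 10.2.3. or exact IP
        return ip.startswith(entry) if entry.endswith(".") else ip == entry
    if entry.startswith("."):                         # partial hostname: .example.com
        return host.lower().endswith(entry.lower())
    return host.lower() == entry.lower()              # exact hostname

def evaluate_hat(hat, ip, host, sbrs):
    """Top-down HAT: the first group whose entries or SBRS range match wins, else ALL."""
    for group, entries, sbrs_range in hat:
        if any(hat_entry_matches(e, ip, host) for e in entries):
            return group
        if sbrs_range and sbrs is not None and sbrs_range[0] <= sbrs <= sbrs_range[1]:
            return group
    return "ALL"

# Constructed HAT with the stock group names. The SBRS ranges are an assumption, chosen so a
# score of 1.2 lands in SUSPECTLIST exactly as the quoted log line shows for that appliance.
HAT = [
    ("WHITELIST", [], (6.0, 10.0)),
    ("BLACKLIST", [], (-10.0, -3.0)),
    ("SUSPECTLIST", [], (-3.0, 2.0)),
    ("UNKNOWNLIST", [], (2.0, 6.0)),
]

def with_bypass_group(hat, entries, above="SUSPECTLIST", name="Bypass_SBRS_scoring"):
    """Return a HAT with the bypass group placed immediately above the named group."""
    idx = [g for g, _, _ in hat].index(above)
    return hat[:idx] + [(name, entries, None)] + hat[idx:]

def analyse(logs, sender_pattern):
    """Run the three grep steps for a sender and report what to add to the bypass group."""
    report = {}
    for mid in find_mids_for_sender(logs, sender_pattern):
        icid = icid_for_mid(logs, mid)
        details = connection_details(logs, icid)
        report[mid] = dict(details, icid=icid, add_to_hat=bypass_candidates(details))
    return report
```

Calling analyse(MAIL_LOGS, "test.com") reproduces the post's findings for MID 28 (ICID 10, 10.1.1.209, outgoing232.ispserver.com, SBRS 1.2, SUSPECTLIST) and lists the three entries to add. Evaluating evaluate_hat against with_bypass_group(HAT, [".ispserver.com"]) shows the sender now lands in Bypass_SBRS_scoring, while the same HAT with the bypass group appended at the bottom still returns SUSPECTLIST; and a connection from the same ISP scoring -5.0 is still taken by BLACKLIST until the group is placed above BLACKLIST as well, which is the ordering point both replies make.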
