Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3767
Views
0
Helpful
5
Replies

Accepting email from low SBRS senders.

epark_ironport
Level 1
Level 1

‎12-11-2007 04:00 PM

Hey guys, I wanted to get some feedback regarding an issue I've been having. We are currently using the Ironport C10 and have a filter to reject email from companies with a negative score of -1.5. I have certain companies who we regularly work with who have a score of -2.0, certain times they go as low as -3.0

Under normal circumstances we would block them outright but certain times these companies get very defensive and aggressive charing that our policy is way to aggressive. Our policy has been, to add companies to our whitelist for a set period of time to allow them to fix their issues. If the problem isn't resolve within this alloted time period, we remove them from our white list. There are business managers in our firm who believe that protecting the company is top priority and choose to enforce this policy, whereas certain people believe that in the interest of doing business with our clients we need to assume the risk and accept their emails without bias. What are your thoughts about this?

Should I permanently add companies whom we work with regularly to our whitelist regardless of how low their SBRS is? What are the dangers of doing so?

Labels:
0 Helpful
5 Replies 5

Seth Miller
Level 1
Level 1

‎12-11-2007 07:07 PM

First let me say hat's off to the business managers who believe protecting the company is top priority. Often it's hard to get support from upper management (especially when it impacts business productivity.)

I don't have an answer for you, but I will tell you that we only block -7 and lower. (-2 to -7 we throttle) Even with that score we do occasionally block valid messages. I know of at least two occurrences in the past month (one was a message sent directly to me) So I imaging the actual number is much higher. Both were from home ISP's. The ISP's really should do a better job protecting these shared smtp servers from abuse, but that's another topic...

In my personal opinion, -1.5 is way to low. If you can get away with it great, but it doesn't sound like you are. The other thing to consider is how much overhead/aggravation is it to keep white listing companies with a very low SBRS?

Think about it this way, what is your purpose for using SB? In our case it is to reduce blatant spam so the server doesn't become overburdened. Even with settings conservative as (-7 to -10) we're easily seeing 50% less spam in the junk summaries (compared to our old system). For me that's good enough for now. In the future if the servers begin to become over loaded we may have to ramp up those settings.

Another thing to point out is that there was a mention (I believe on these forms somewhere) that IronPort had noticed spammers purchasing reputable IP's) in order to temporarily defeat SBRS (or other reputation mechanisms). Remember it is possible (though rare) for IP’s with a score of 10 to send viruses and spam. Bottom line is although it's a great tool, it's only the first line of defense. The spam and AV engines are still going to be needed to handle missed items.

I know there are many out there who use settings much higher (-2 etc...) , so i would say whatever you can get away with, go for it. Just remember there may be a trade off for headaches and administrative overhead. [Obviously in the whitelisted addresses you only want to excluded SRBS (and still scan for viruses, content etc...)].

Hope that gives you some ideas (sorry if I got off topic).

Cheers,
Seth

0 Helpful

msg630_ironport
Level 1
Level 1

‎12-11-2007 09:23 PM

Well I'll weigh in as well. We currently throttle -0.4 to -1.9 and block -2 to -10. We have 30,000 mail users and have had very few problems.

We have had 2 C600's in place for over two years and have had a few issues where we needed to whitelist a company. We will whitelist a company but not an ISP. If they are hosted and we can't find a way to just let their stuff in they the burden falls back to them. If you have uppermanagements buy off on this then stick to your guns and don't let it in. Our current clean message percentage is between 1 and 3%. If we were to loosen the belts per se then we would get flooded with calls over everything that we are now letting in. Unfortunately its a catch 22. Your gonna hear about it one way or another.

0 Helpful

oh_ironport
Level 1
Level 1

‎12-12-2007 03:51 PM

Our settings are similar to msg630's. We blacklist from -10 to -2 and throttle to -.6. However I believe that the SBRS settings are site specific and you need to find the correct mix at your site.

We never whitelist anyone with a negative SBRS. Instead try to find the problem (DNS or spamcop, etc) and give them advice on how to raise their score. We do have a limited_whitelist which is between our whitelist and blacklist Sender Groups. For that group we add the IP address and allow them to send us a limited number of messages per hour. That number may have to be modified to fix the sender, but we are not open to a denial of service from them.

Once their SBRS improves, thay are removed from the limited_whitelist. Usually, we have no senders in that group. Hope this helps you and that you find the correct levels.

0 Helpful

seveneyes_ironport
Level 1
Level 1

‎12-12-2007 07:18 PM

Here is a goog example of the type of complain you may receive.

65.17.198.50 (listserv1.123greetings.info)
65.17.198.60 (listserv2.123greetings.info)

When checked at senderbase there is no indication of any blacklisting but their score is reported as poor. The last time they tried to send email (dec 06) their sbrs was -3.0 (probably still is). These 2 IP addresses do appear on some blacklists when checked, and all the email received (when it was accepted) was tagged as spam by brightmail antispam during November (several thousand messages).

So there are 3 problems here.
1) bad sbrs
2) IPs are on some blacklists
3) brightmail considers their email as spam

My suggestions before I do anything for the sender is to deal with his rbl listings and symantec. The sbrs probably won't improve at all unless this is at least done first.

0 Helpful

kluu_ironport
Level 2
Level 2

‎12-13-2007 01:38 AM

What "msg630" and "oh" said are both great points.

One thing I would add is that there may be situations where you need to let in an ISP traffic with a low SBRS score because there are some email senders coming from that IP that need to be let through (for important business reasons or the sender is a friend of the CEO).

In this case, the email sender/company is guilty by association. The email sender/company outsources their mail delivery to an ISP. The potential problem with this is what if the ISP (ie. comcast.net, verizon.net) has a low SBRS score because spammers also send out of this network.

For example, if the sender, joe@company.com sends mail to ceo@business.com, the sender's mail hits the Ironport appliance and the Ironport sees the connection coming from 183.29.29.1 (outgoing5.comcast.net ). When the SBRS score is looked up on 183.29.29.1, it has a SBRS score of -5.0 for example.

What the Ironport would do is categorize the connection as coming from a "spammy" source and do whatever is appropriate for a connection coming from -5.0. Unfortunately, even if the sender or the company is legitimate, they're coming from a spammy source.

----------

In this case, the workaround for this is to accept this IP or hostname into your network. You're just accepting them in and not whitelisting them. There is a big difference between the two. Whitelisting the IP/hostname usually means you're not going to run anti-spam on their traffic. If you accept the traffic, you let it through, allow particular senders/domains to get through, and then enforce the SBRS score after the fact.


Here is a knowledge base document that shows how to do this. Essentially, what you're doing is let the ISP in the door, letting select email senders/domains through, and then enforcing the SBRS score that you normally block.

If you're not sure about some of these steps, contact Customer Support and they can help.

-------------------------
Steps


For situations where some recipients are not receiving messages from sending MTA's that have low SBRS score, this is a workaround to allow those recipients to receive messages from this low-scoring sending MTA and then allowing the SBRS score to take effect.

Configurations that will be affected:

- HAT Overview, the addition of a new sendergroup
- message filters

Steps:

1. In "Mail Policies -> HAT Overview", add a new sendergroup. You can title it something like "Temporarly_Accept". Then add this as a sender, ".comcast.net". You are adding this hostname, IP address or IP address.
2. Order this new Sendergroup so that it above the "Blacklist sendergroup".
3. Create the following message filter below

4.
temporary_accept:
if ( mail-from == '(?i)joe@company.com' )
{
deliver();
}

5. Then create a message filter that enforces the blacklist sendergroup policy:

6.
enforce_blacklist_sbrs:
if ( reputation < -2 )
{
drop();
}

Warning: The order of the message filters are important, so make sure that filter #4 is above #6.

Here is a summary of what the above HAT Overview sendergroup and message filters do. The new HAT Overview Sendergroup was created (Step #1) so that it can be used to allow messages from a low-scoring SBRS host into the Ironport.

Next, the first message filter (Step #4) is created so that messages from specific email senders can be allowed into the machine.

The last message filter (Step #6) was put in place so that the low SBRS score of the sending MTA could be enforced and dropped if the connecting host has a low SBRS score.



References:


1. How do I add a new message filter to my IronPort Appliance?

http://tinyurl.com/mg8kp



Well I'll weigh in as well. We currently throttle -0.4 to -1.9 and block -2 to -10. We have 30,000 mail users and have had very few problems.

We have had 2 C600's in place for over two years and have had a few issues where we needed to whitelist a company. We will whitelist a company but not an ISP. If they are hosted and we can't find a way to just let their stuff in they the burden falls back to them. If you have uppermanagements buy off on this then stick to your guns and don't let it in. Our current clean message percentage is between 1 and 3%. If we were to loosen the belts per se then we would get flooded with calls over everything that we are now letting in. Unfortunately its a catch 22. Your gonna hear about it one way or another.

0 Helpful
Customers Also Viewed These Support Documents