
Which logfiles contain 'Stopped by Reputation Filtering'?

Pat_ironport
Level 1

I would like to know some more details for the values behind the 'Stopped by Reputation Filtering' in the Incoming Mail Summary-Overview.

Which logfiles contain the details for this calculation?
Can I read a KB-Article about that?

3 Replies

kluu_ironport
Level 2

It will be in your "mail_logs".

Generally, it will be due to the connecting IP having a low SBRS score, thus matching the BLACKLIST sendergroup.

You can search for entries in the mail_logs by typing something like this:

grep -i "SG BLACKLIST" mail_logs


For more info, go here:

http://ironport.com/technology/reputation_filters.html




Wed Apr 30 12:54:18 2008 Info: New SMTP ICID 102 interface Management (192.168.10.11) address 10.1.1.209 reverse dns host test.ironport.com verified yes
Wed Apr 30 12:54:18 2008 Info: ICID 102 REJECT SG BLACKLIST match [-10:-2] SBRS -8.0


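The grep above finds the individual reject lines; to get at the numbers behind the report you need to pair each "New SMTP ICID" connection line with its verdict line and count the REJECT / SG BLACKLIST pairs. The following Python script is an added example, not part of the reply above or of the IronPort product. The sample log text is constructed for this example from the lines quoted in the thread (ICID 103 and the address 203.0.113.7 are invented), and the regular expressions assume the mail_logs field layout shown in those lines.

```python
import re
from collections import Counter

# Constructed sample mail_logs text, modelled on the lines quoted in this thread.
# ICID 103 and the address 203.0.113.7 are invented to give a second reject.
SAMPLE_MAIL_LOGS = """\
Wed Apr 30 12:54:18 2008 Info: New SMTP ICID 102 interface Management (192.168.10.11) address 10.1.1.209 reverse dns host test.ironport.com verified yes
Wed Apr 30 12:54:18 2008 Info: ICID 102 REJECT SG BLACKLIST match [-10:-2] SBRS -8.0
Tue Apr 29 10:24:04 2008 Info: New SMTP ICID 1905941 interface Incoming (1.2.3.4) address 111.222.111.123 reverse dns host unknown verified no
Tue Apr 29 10:24:04 2008 Info: ICID 1905941 ACCEPT SG None match 10.74.2.183 SBRS rfc1918
Tue Apr 29 10:24:04 2008 Info: Start MID 2471129 ICID 1905941
Wed Apr 30 12:55:01 2008 Info: New SMTP ICID 103 interface Incoming (1.2.3.4) address 203.0.113.7 reverse dns host unknown verified no
Wed Apr 30 12:55:01 2008 Info: ICID 103 REJECT SG BLACKLIST match [-10:-2] SBRS -4.5
"""

# "New SMTP ICID" records the connection: the listener, our own IP and the connecting IP.
NEW_ICID_RE = re.compile(
    r"New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) "
    r"\((?P<local>[^)]+)\) address (?P<remote>\S+)"
)
# The HAT verdict line: ACCEPT/REJECT, the matched sender group, the match and the SBRS value.
VERDICT_RE = re.compile(
    r"ICID (?P<icid>\d+) (?P<verdict>\S+) SG (?P<sg>\S+) match (?P<match>\S+) SBRS (?P<sbrs>\S+)"
)


def parse_sbrs(token):
    """Numeric SBRS scores become floats; tokens such as 'rfc1918' or 'None' mean no score."""
    try:
        return float(token)
    except ValueError:
        return None


def parse_mail_logs(text):
    """Return one record per ICID, joining the connection line with its verdict line."""
    conns = {}
    for line in text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m:
            conns[m["icid"]] = {
                "icid": m["icid"], "interface": m["iface"], "local_ip": m["local"],
                "remote_ip": m["remote"], "verdict": None, "sendergroup": None, "sbrs": None,
            }
            continue
        m = VERDICT_RE.search(line)
        if m:
            # A verdict without a preceding connection line (log rotated mid-ICID) still counts.
            rec = conns.setdefault(m["icid"], {"icid": m["icid"], "interface": None,
                                               "local_ip": None, "remote_ip": None})
            rec.update(verdict=m["verdict"], sendergroup=m["sg"], sbrs=parse_sbrs(m["sbrs"]))
    return list(conns.values())


def reputation_rejects(conns):
    """Connections refused by the HAT on reputation: REJECT verdict from the BLACKLIST group."""
    return [c for c in conns if c["verdict"] == "REJECT" and c["sendergroup"] == "BLACKLIST"]


def verdict_summary(conns):
    """Number of connections per (verdict, sender group) pair."""
    return Counter((c["verdict"], c["sendergroup"]) for c in conns if c["verdict"])


if __name__ == "__main__":
    conns = parse_mail_logs(SAMPLE_MAIL_LOGS)
    for c in reputation_rejects(conns):
        print(f"ICID {c['icid']}: {c['remote_ip']} rejected, SBRS {c['sbrs']}")
    for key, n in sorted(verdict_summary(conns).items()):
        print(key, n)
```

Run against a real mail_logs file by replacing SAMPLE_MAIL_LOGS with the file contents. Note what the `rfc1918` case shows: when the connecting address is private or is always the same relay, every ICID carries the same remote IP and the SBRS token is not a score, so the per-IP counts say nothing about the real senders; that is the situation the later reply addresses with the Incoming Relay feature.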



Pat_ironport
Level 1

kluu, thank you for your help.

Unfortunately, we have not one single entry with SG BLACKLIST.
(Maybe you know from my other posts that we are behind our ASP's sendmail. We get and send mail to this single sendmail IP and don't have a direct connection to the internet.)

The only (incoming) entries we can find in the logs with SG look like this:

Tue Apr 29 10:24:04 2008 Info: New SMTP ICID 1905941 interface Incoming (1.2.3.4) address 111.222.111.123 reverse dns host unknown verified no
Tue Apr 29 10:24:04 2008 Info: ICID 1905941 ACCEPT SG None match 10.74.2.183 SBRS rfc1918
Tue Apr 29 10:24:04 2008 Info: Start MID 2471129 ICID 1905941
The IP 1.2.3.4 is the internal address of our Ironport and 111.222.111.123 is the IP address of our ASP sendmail.

We know from other questions that the SBRS score doesn't work in this environment/configuration. That's another reason why I would like to know how the values in 'Stopped by Reputation Filtering' in the Incoming Mail Summary-Overview are calculated in this case.

kluu_ironport
Level 2

Pat,

You may want to use the "Network > Incoming Relay" feature to determine the IP addresses in the previous Received header lines of that message.

Here is info on "incoming relay":


You can enable the "incoming relay" feature for both inbound and outbound mail relays.

Inbound
=======
Summary: There may be an incoming SMTP relay that receives Internet email and delivers it to the Ironport appliance. Since the Ironport appliance only sees the relay as the connecting IP, it is unable to determine the "real" IP of the connecting server.

Solution:
1. Enable the incoming relay. (Network -> Incoming Relay)
2. Create a relay and put in the IP of the SMTP Relay. It will generally only be one hop after the SMTP relay.
3. Use "[" as the string to search for.
4. Go to "System Administration -> Log Subscription". Click on Edit Global Settings at the bottom and add the "Received" header as a header to display in the mail_logs.
5. Now you can set up a message filter to look at the new IP address and drop it if the SBRS score is lower than -2 or -4.



Outbound
=======
Summary: You will set the incoming relay in a similar fashion as the Inbound. You will probably not make use of the SBRS score though, since it's internal senders whose IP may be local. The information logged here may be useful to determine an infected machine.
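The Inbound procedure above comes down to one rule: find the Received header that records the relay as the connecting host, step the configured number of hops further down, and take the address inside "[...]" on that line. The Python script below is an added example that reproduces that walk so it can be checked against a message's own headers; it is not code from the reply above or from the IronPort appliance. The Received headers and the relay set are constructed for this example (111.222.111.123 is the relay address from the thread; 203.0.113.7, the hostnames and the ESMTP ids are invented), and the script assumes headers are listed newest hop first, as they appear in a message.

```python
import ipaddress
import re

# Constructed Received headers for one message, newest hop first.
# 111.222.111.123 is the relay IP quoted in this thread; everything else is invented.
SAMPLE_RECEIVED = [
    "from asp-sendmail.example (asp-sendmail.example [111.222.111.123]) "
    "by ironport.example with ESMTP; Tue, 29 Apr 2008 10:24:04 +0200",
    "from mail.sender.example (mail.sender.example [203.0.113.7]) "
    "by asp-sendmail.example (8.13.8/8.13.8) with ESMTP id m3T8O4ab012345; "
    "Tue, 29 Apr 2008 10:24:03 +0200",
    "from localhost (localhost [127.0.0.1]) by mail.sender.example with ESMTP; "
    "Tue, 29 Apr 2008 10:24:02 +0200",
]

# The relay address(es) that would be entered under Network > Incoming Relay (assumed value).
RELAY_IPS = {"111.222.111.123"}

# Step 3 of the procedure: the address to read is the one inside "[...]".
BRACKET_IP_RE = re.compile(r"\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]")

# The three RFC 1918 ranges; an address in them cannot carry a meaningful SBRS score,
# which is what the "SBRS rfc1918" token in the earlier log excerpt reflects.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_ip(header):
    """Return the first bracketed IPv4 address in a Received header, or None if there is none."""
    m = BRACKET_IP_RE.search(header)
    return m["ip"] if m else None


def originating_ip(received_headers, relay_ips, hops=1):
    """Walk the headers newest-first; at the hop recorded for the relay, step `hops` further
    down and return the bracketed address there. None if the relay never appears or the
    message has fewer hops than configured."""
    for i, header in enumerate(received_headers):
        if received_ip(header) in relay_ips:
            j = i + hops
            if j >= len(received_headers):
                return None
            return received_ip(received_headers[j])
    return None


def is_rfc1918(ip):
    """True for a private RFC 1918 address; False for public addresses and unparsable input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


if __name__ == "__main__":
    ip = originating_ip(SAMPLE_RECEIVED, RELAY_IPS)
    print("originating IP:", ip, "(rfc1918)" if ip and is_rfc1918(ip) else "")
```

If the address returned for the configured hop count is itself RFC 1918 (or another relay), the relay sits more than one hop away from the Internet and the hop count needs adjusting; that is the check to make before writing the message filter in step 5, because the SBRS lookup on a private address returns no score and the filter would never fire.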