Incoming Relays and Remote IP

Unanswered Question
May 13th, 2008
Hi Everyone,


First off, I want to mention what a great community you have here. We've had our appliance for a month now, and all the configuration questions we had so far were easily found in this forum. With that said, I was wondering if someone can assist us with understanding how Content Filters work on an Incoming Relay.

Currently we have 2 filters configured on our IronPort. The first filter is a single condition that will drop messages based on SBRS being <= 4.0. This works fine with us as we are dropping connections when they are received by the ironport, and this filter just basically drops emails where the CASE filter determines that there was no spam found.

Our second filter is the one we are having trouble with. We want our second filter to put emails in the Ironport Spam Quarantine when the SBRS score is between -4.0 and 1.0, and ONLY if the email has been received by the incoming relay. Currently our filter looks like this using the "only when all conditions are met" test case:


Condition:
1) When the remote-ip is our internal relay (we only have one)
2) When the SBRS score is <= -1.0
3) When the SBRS score is > -4.0
Action:
Insert header X-Ironport-Quarantine value Quarantine.

This filter does not appear to be working for us, and I assume it's because when the email is parsed by the incoming relay, the "remote-ip" in our condition testing no longer takes the form of our incoming relay, but the IP address it parsed from the header. Can someone confirm if my assumption is correct, and recommend a possible solution for us?

Thanks!
kluu_ironport Tue, 05/13/2008 - 22:28
I would probably implement this with a message filter which is entered from the command line. The good thing with message filters is that it's:

1. more powerful and allows you to do more advanced IF conditions
2. same actions as the content filters, which are created mostly from the GUI interface.
3. has pretty much the same functionality as the content filters plus more.


Here are the steps that you should need.

1. Replace the IP of "138.88.33.191" with the IP of the incoming relay. If there are multiple ip addresses for the incoming relay then use this:

remote-ip == '(138.88.33.191|138.88.33.192|138.88.33.193)'


2. Use the following message filter.

Remember, replace the IP that I used in the sample below with the real IP of the incoming relay.



Quarantine_suspect_sendergroup_emails:

if ( remote-ip == '138.88.33.191' ) AND ( reputation > -4.1 ) AND ( reputation < -0.9 )
{
insert-header('X-Ironport-Quarantine','1');
}


3. Enter the above message filter into the command line using the KB article below. Once the changes are committed, go to "System Administration > Trace" on the web interface and test it out.

4. Also, the above message filter would replace the content filter so you don't need that anymore.

Also, email pipeline wise, the message filters occur before the workqueue processing. Workqueue is basically anti-spam, anti-virus, content filters.


Let me know if you have any questions or getting different results than expected.



KB articles that may be useful:

1. How do I add a new message filter to my IronPort Appliance?

http://tinyurl.com/mg8kp


Geosoft_ironport Wed, 05/14/2008 - 14:10
Oh wow! I had no idea about this. Thanks for the information kluu. I'll have to do some advanced reading on creating message filters then!

meyd45_ironport Fri, 05/16/2008 - 11:41
Note: remote-ip does not take a regex as Kevin suggested above. It takes things as an IP address or range.

bvanzant_ironport Thu, 05/22/2008 - 14:52
Your assumption is correct: the remote-ip gets rewritten right after the DOT in the SMTP conversation, so even if you're using message filters the remote-ip will never show the IP address of the incoming relay. So, unfortunately, this filter won't work.

Another option is to create a second listener. As I'm imagining it one listener is the one you have today that accepts email from the internet.

The new listener will be on some non-standard port or a different IP. Your relay will be configured to forward all mail to this non-standard port and you can then use the recv-listener var in a message filter to say "if the message was received on my special listener and the SBRS range is correct then quarantine the message."

A bit more roundabout, but it might be the only way to do what you're trying to do?

I do wonder why you want to apply these filters only to mail coming through your incoming relay. Have you come up with a reason not to apply them to all mail?

Bart_ironport Thu, 05/22/2008 - 16:14
Or you can create a different sendergroup in the HAT for the backup MX. Usually a good idea anyway because otherwise your backup MX might be blocked entirely when its SBRS changes.

You can then check the sendergroup in your message filter:


if (sendergroup == "BACKUPMX") AND (reputation <= -3.0) {
drop();
}

It's easier for other admins because they can just add additional backup servers through the GUI - some people are afraid of the CLI ;)
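The three approaches in this thread (matching remote-ip, matching recv-listener, matching a HAT sendergroup) can be compared side by side with a small model of how the appliance treats a message that came in through the incoming relay. The following Python is an added example written for this page; it is not code from the thread or from Cisco, and it only models the behaviour the replies describe: once the connecting host is the configured relay, remote-ip is replaced by the address parsed from the relay's Received: header, so a condition on the relay's own address never matches. The relay address 192.0.2.10, the sender 203.0.113.5, the listener name "RelayListener" and the Received: lines are constructed for the example; "BACKUPMX" and the reputation thresholds are the ones used in the thread.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed values (documentation address ranges), not from the thread.
INCOMING_RELAY = ip_address("192.0.2.10")
RELAY_LISTENER = "RelayListener"      # hypothetical name of a second listener
BACKUP_MX_GROUP = "BACKUPMX"          # sendergroup name used in the thread


@dataclass
class Message:
    connecting_ip: str                 # host that opened the SMTP session
    recv_listener: str                 # listener that accepted it (recv-listener)
    sendergroup: str                   # HAT sendergroup matched at connect time
    reputation: float                  # SBRS score used by the filters
    received_headers: list = field(default_factory=list)  # Received: lines, newest first
    headers: dict = field(default_factory=dict)           # headers inserted by filters


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_ip(header):
    """Pull the bracketed IPv4 literal out of a Received: line, or None."""
    m = RECEIVED_IP.search(header)
    return ip_address(m.group(1)) if m else None


def effective_remote_ip(msg):
    """Model of what bvanzant describes: mail that arrives via the configured
    incoming relay has its remote-ip rewritten to the address parsed from the
    relay's Received: header. If nothing parsable is found, the connecting
    address is kept (assumption made for this example)."""
    if ip_address(msg.connecting_ip) == INCOMING_RELAY:
        for h in msg.received_headers:
            parsed = parse_received_ip(h)
            if parsed is not None and parsed != INCOMING_RELAY:
                return parsed
    return ip_address(msg.connecting_ip)


def in_suspect_range(rep):
    # kluu's range: reputation > -4.1 and < -0.9, i.e. -4.0 .. -1.0 at one decimal
    return -4.1 < rep < -0.9


def filter_by_remote_ip(msg):
    """kluu's filter as posted: matches only when remote-ip equals the relay."""
    if effective_remote_ip(msg) == INCOMING_RELAY and in_suspect_range(msg.reputation):
        msg.headers["X-Ironport-Quarantine"] = "1"
        return True
    return False


def filter_by_listener(msg):
    """bvanzant's alternative: key off the listener instead of remote-ip."""
    if msg.recv_listener == RELAY_LISTENER and in_suspect_range(msg.reputation):
        msg.headers["X-Ironport-Quarantine"] = "1"
        return True
    return False


def filter_by_sendergroup(msg):
    """Bart's alternative: a dedicated HAT sendergroup for the backup MX; True means drop()."""
    return msg.sendergroup == BACKUP_MX_GROUP and msg.reputation <= -3.0


def relayed_message(rep):
    # Constructed sample: a sender at 203.0.113.5 handed the mail to the relay.
    return Message(connecting_ip="192.0.2.10", recv_listener=RELAY_LISTENER,
                   sendergroup=BACKUP_MX_GROUP, reputation=rep,
                   received_headers=["from mail.example.net ([203.0.113.5]) by relay.example.com"])


def direct_message(rep):
    # Constructed sample: the same sender connecting straight to the public listener.
    return Message(connecting_ip="203.0.113.5", recv_listener="IncomingMail",
                   sendergroup="SUSPECTLIST", reputation=rep)


def evaluate(msg):
    """Run all three filters over one message and report what each decided."""
    return {"remote_ip": str(effective_remote_ip(msg)),
            "kluu_remote_ip_filter": filter_by_remote_ip(msg),
            "listener_filter": filter_by_listener(msg),
            "sendergroup_drop": filter_by_sendergroup(msg)}


if __name__ == "__main__":
    for m in (relayed_message(-2.5), relayed_message(-3.5), direct_message(-2.5)):
        print(evaluate(m))
```

Running it shows the point of the thread: for the relayed message the remote-ip filter reports False because remote-ip is already 203.0.113.5 by the time filters run, while the listener-based and sendergroup-based conditions still identify relayed mail. The only case where the remote-ip condition fires is the fallback where no address could be parsed from the relay's headers, which is exactly the case the relay feature is meant to avoid.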
Geosoft_ironport Thu, 05/22/2008 - 21:25
Thank you all for your suggestions, but what bvanzant stated made sense to me. Since we are already rejecting emails with -3.0 reputation, I can just apply it to all emails.

I'm going to keep this post bookmarked just in case I want to create other message filters.
