Message/Content filters & SLBL

Hi There,

I couldn't find an answer to this question in the Knowledge base, so hopefully someone here can help me out.

Is there a way to get a message filter or content filter to know what the recipient user has done to a message in their Safelist/Block list?

Here is the message filter I have currently:


QuarantineSuspectSBRSEmails: if (reputation > -3.0) AND (reputation <= -1.0) {
insert-header("X-IronPort-Quarantine", "Quarantine");
}


I'm planning to move this message filter into content filters as I just realized I'm adding unneeded load by processing the message BEFORE checking it for spam, and where I would only need this filter to be checked on the inbound only.

But still, I cannot seem to find a way to make content filters check the end user's SLBL list to take action on the message. Does anyone have a suggestion on what I can do?


kluu_ironport
Level 2

The safelist/blacklist (SLBL) is applied after message filters and before the anti-spam scanning by a per-recipient policy. If a sender address is part of an end user's safelist, anti-spam scanning is skipped, and if the sender address is listed in the blocklist, the message may be quarantined or dropped depending on administrator settings.

So, when the message comes in, the recipient has either seen this sender or has never seen this sender before. If they've never seen this sender, then it proceeds like normal.

If the recipient has seen it before and has decided to mark it a certain way, the recipient either categorizes it in their Safelist (i.e. whitelist) or categorizes it in their Blocklist (i.e. blacklist by dropping or quarantining).

Can you give an example of what the content filter would do if it received one of these types of messages? Are you trying to use a combination of the inbound content filter and the user's safelist/blacklist to predict what the end user would do with connections coming in with an SBRS score between -3 and -1?





Are you trying to use a combination of the inbound content filter and the user's safelist/blacklist to predict what the end user would do with connections coming in with an SBRS score between -3 and -1?


This is ultimately what I want to achieve! I want to move this particular message filter to the content filter so I can take action on it. But I don't know where in the content filter I can set a rule to see if it matches a user's safelist.

Right now, this rule just quarantines all emails that are less than -1.0; all emails that are -3.0 in SBRS will get dropped. But I don't want to quarantine the email if the sender is in the recipient's safelist.

I guess the real question is: how do I write a content filter that will test for the score of -1.0 on SBRS, but be mindful of the user's Safelist settings so that the X-AntiSpam-Quarantine won't be inserted?

kluu_ironport
Level 2

Because the recipient has added that sender to their Safelist, it will automatically not be evaluated by the anti-spam engine for that recipient only. So, irrelevant of the SBRS score of the connection (i.e. if the connection had a -2.1 upon entry), if the recipient has added that sender to their safelist, then that message won't get evaluated by the anti-spam engine.


Wed Jul 9 10:03:51 2008 Info: MID 517 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Jul 9 10:03:51 2008 Info: MID 517 interim verdict using engine: SLBL spam negative
Wed Jul 9 10:03:51 2008 Info: MID 517 using engine: SLBL spam negative
Wed Jul 9 10:03:51 2008 Info: MID 517 interim AV verdict using Sophos CLEAN

The SBRS score of the connection and the spamminess of the message are not always in agreement. For example, even if the connection came in with a low SBRS score (i.e. from an ISP provider that doesn't regulate the traffic in their network), the content of the message may be legitimate and good content.

Also, here's a good KB article that shows how to see those entries in the mail_logs.

If enabling the safelist/blocklist, what does that event look like in the mail logs?

http://tinyurl.com/2mmd7b
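
An added example, not part of the original post: a small Python parser that picks the final SLBL verdict lines of the kind quoted above out of mail_logs and reports which messages skipped anti-spam scanning because of a safelist/blocklist match. The MID 517 policy and verdict lines are the ones from the thread; the From/To lines, the MID 518 lines and all addresses are constructed, and their line format is an assumption.

```python
import re
from collections import defaultdict

# The four MID 517 policy/verdict lines are the excerpt quoted in the thread.
# The From/To lines, MID 518 and all addresses are constructed for this example.
SAMPLE_LOG = """\
Wed Jul 9 10:03:50 2008 Info: MID 517 ICID 84 From: <sender@example.com>
Wed Jul 9 10:03:50 2008 Info: MID 517 ICID 84 RID 0 To: <alice@example.org>
Wed Jul 9 10:03:51 2008 Info: MID 517 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Jul 9 10:03:51 2008 Info: MID 517 interim verdict using engine: SLBL spam negative
Wed Jul 9 10:03:51 2008 Info: MID 517 using engine: SLBL spam negative
Wed Jul 9 10:03:51 2008 Info: MID 517 interim AV verdict using Sophos CLEAN
Wed Jul 9 10:04:02 2008 Info: MID 518 ICID 85 From: <other@example.net>
Wed Jul 9 10:04:02 2008 Info: MID 518 ICID 85 RID 0 To: <bob@example.org>
Wed Jul 9 10:04:03 2008 Info: MID 518 using engine: CASE spam negative
"""

MID_RE = re.compile(r"Info: MID (\d+) (.*)$")
FROM_RE = re.compile(r"ICID \d+ From: <([^>]*)>")
TO_RE = re.compile(r"ICID \d+ RID \d+ To: <([^>]*)>")
# Used with match(), so "interim verdict using engine: ..." does not count.
ENGINE_RE = re.compile(r"using engine: (\S+) (.+)")


def slbl_hits(lines):
    """Return one record per MID whose final anti-spam verdict came from SLBL."""
    msgs = defaultdict(lambda: {"from": None, "to": [], "engine": None, "verdict": None})
    for line in lines:
        m = MID_RE.search(line.rstrip())
        if not m:
            continue
        mid, rest = int(m.group(1)), m.group(2)
        if (f := FROM_RE.match(rest)):
            msgs[mid]["from"] = f.group(1)
        elif (t := TO_RE.match(rest)):
            msgs[mid]["to"].append(t.group(1))
        elif (e := ENGINE_RE.match(rest)):
            msgs[mid]["engine"], msgs[mid]["verdict"] = e.group(1), e.group(2)
    return [
        {"mid": mid, "from": rec["from"], "to": rec["to"], "verdict": rec["verdict"]}
        for mid, rec in sorted(msgs.items())
        if rec["engine"] == "SLBL"
    ]


if __name__ == "__main__":
    for hit in slbl_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```
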

While I agree with you that if a user has the sender in their safelist it will skip the anti-spam check, it will not, however, skip the anti-virus check nor the content filters check.

Since I have a content filter that is defined as follows:

Condition: SBRS less than or equal to -1.0
Action: Insert header "X-Action-Quarantine", "Quarantine"

How do I ensure that this action does not fire if the recipient has the sender in its safelist, but yet still take this action for the splintered messages for all other recipients?

Or, is there a better way of getting a message with an SBRS lower than -1.0 to go into the user quarantine without having to put this rule into content filters?

kluu_ironport
Level 2

The safelist/blocklist only affects the anti-spam. A message from a sender that is in a recipient's safelist/blocklist will still go through the antispam & content filter. So, though the msg is free from the anti-spam, it is still susceptible to AV and Content filters. So, in your question below, the content filter cannot take into consideration the recipient's preference of the safelist/blocklist.

But, here is a workaround that may get you what you want.

When a msg is compared against a user's SL/BL, the result is added to a header that you can make use of in your content filters.

After a msg has been evaluated against a recipient's safelist/blocklist and there is a match, one of these will get added to the headers:

X-SLBL-Result: BLOCK-LISTED
X-SLBL-Result: SAFE-LISTED

So, what you need to do is put in a new content filter that is ordered above the SBRS-Quarantine filter that you have.

The new content filter

if header("X-SLBL-Result") == "SAFE-LISTED"

then deliver()


If it sees that, it will deliver right away and not get to the SBRS-Quarantine filter.

