Content filter for handling bounces due to spoofed email

Unanswered Question
Jul 30th, 2008

Hello,

No surprises here, but we are starting to find that large amounts of spam is being sent using our legitimate email addresses which results in our users receiving a large number of bounce messages when the spam isn't delivered.

We are unable (at this point) to implement outbound sending via our C350s so we're looking for alternative solutions.

I found this post:
https://www.ironportnation.com/forums/viewtopic.php?t=163&highlight=ndr

and the second last entry suggests a filter to handle a large proportion of the bounce messages. This is the text from the post:

"The problem with the bounce verification feature, is that your outbound e-mail needs to go over an Ironport device as well. I don't know about you guys, but in my environment, this is not the case.

So basically I can't really use the feature in the near future.

However, I've managed to write a small content filter that is quite effective for bounces that come in, as a reaction on spoofed e-mails:

Prerequisite is that you have an entry in the HAT, with "Connecting host PTR record does not exist in DNS." enabled (say you call it "NoPTR"). Then you add a mail filter, that adds the HAT to the e-mail through an X-header (let's say we take X-HAT-SG).
Conditions:
mail-from == "^$"
header("X-HAT-SG") == "^NoPTR$"
Action:
quarantine or drop"

Has anyone used this or have any other suggestions?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
kluu_ironport Fri, 08/01/2008 - 08:44

The HAT entry looks fine. You'll also need to put in a message filter that will grab the sendergroup and mail flow policy when the message is coming in.

Also, I'd recommend your quarantine it and go over the msgs that get put in there. This way, you can review your catch of the day. Once you feel confident that it's matching what you intended you can drop them.


Insert Policy into Header Filter

Show which mail flow policy accepted the connection:

Policy_Tracker:
if (true)
{
insert-header ('X-HAT-SG", '$Group');
insert-header ('X-HAT-MailFlowPolicy', '$Policy');
}




Prerequisite is that you have an entry in the HAT, with "Connecting host PTR record does not exist in DNS." enabled (say you call it "NoPTR"). Then you add a mail filter, that adds the HAT to the e-mail through an X-header (let's say we take X-HAT-SG).
Conditions:
mail-from == "^$"
header("X-HAT-SG") == "^NoPTR$"
Action:
quarantine or drop"

Has anyone used this or have any other suggestions?
cireland_ironport Fri, 08/01/2008 - 16:07

What are you running for your email server(s) in your environment? Exchange, Lotus Notes, etc? If you need help getting your email to flow outbound your IronPort's let me know.

Some of the benefits of this (besides bounce verification) is the IronPort will take over the queue and free up resouces on your backend mail server. You will also be able to scan all outbound email's for viruses and be able to set various content filters for outbound as well, etc

Like I said, If you need help let me know.

Chris
Sr. Systems Engineer

IronportCJH Tue, 08/05/2008 - 04:56

Thanks kluu and cireland for your replies.

We're working towards using outbound sending through the ironports - but it is a significant project and needs some planning.

The filtering may do the trick in the short term...

Cheers

Actions

This Discussion