Identifying and removing outgoing messages

Unanswered Question
Sep 15th, 2009

I'm forwarding my outgoing messages from my Exchange server through my C150. I have an Intrusion Detection appliance on my network that will drop the connection on any e-mails with a double-dot attachment (e.g. file.doc.doc). The C150 sees the connection as being aborted. Consequently, attempts are made to resend the message over and over again over the next few days. Is the message in a queue on the C150 and being resent from there, or is it being resent each time from my Exchange server? If it is being resent from the C150, how can I identify the message and remove it from the queue? Hope this all made sense.

Andrew Wurster Tue, 09/15/2009 - 16:36

ddockter -

first off, the message is likely held by the ESA for (re)delivery. it is almost certainly not being retransmitted through your internal gateway unless the user is manually resending the message.

in your case, connection errors (and soft bounces) will queue messages up in your destination (or delivery) queues and the system will kick off a hold down timer before redelivering (unless of course you say 'delivernow').

hard bounces, as well as situations where the above scenario occurs for longer than 3 days (default unless you've specified a custom "bounce profile"), will force the message to be dropped and a bounce message generated, if applicable.

two points i can think of on dealing with this (personally i feel there's nothing wrong with dual extensions :) ):

1 - you can use a content filter on the ESA to match the same signature and drop messages, effectively avoiding this issue. perhaps by attachment name. i can try some regexes and get back to you on this one...

2 - if you don't want to do that, then here's how to dig out a message:
A) use 'tophosts' first to see whose destination the connections are failing for.
B) then use 'grep [regex] mail_logs', 'showmessage', and/or 'showrecipients' to locate the MID of the offending message
C) 'removemessage' or 'deleterecipients' to remove the actual message from the queue.


ddockter_ironport Tue, 09/15/2009 - 16:50


Thanks for the reply. What option would I pick with the tophosts command to identify the failing connection? Should I be looking at Soft Bounced Events?

Andrew Wurster Tue, 09/15/2009 - 17:28

a nice braindump for you:

tophosts will show you almost everything you need, organized by destination domain:
1. Active Recipients (number of recipients queued for delivery)
2. Connections Out (number of open TCP connections outbound)
3. Delivered Recipients (number of successfully delivered rcpts)
4. Hard Bounced Recipients (number of hard bounced rcpts)
5. Soft Bounced Events (number of soft bounces)

once you find the MID, you can check for any corresponding DCID information. some quick examples on the most common outcomes:

Fri Aug 28 20:08:58 2009 Info: New SMTP DCID 672 interface address port 25
Fri Aug 28 20:08:58 2009 Info: Delivery start DCID 672 MID 458 to RID [0]
Fri Aug 28 20:08:58 2009 Info: Message done DCID 672 MID 458 to RID [0]
Fri Aug 28 20:09:40 2009 Info: DCID 672 close

Wed Sep 9 16:23:57 2009 Info: Bounced: DCID 0 MID 550 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up ironport.lab (MX): NXDomain'])

Wed Aug 26 13:19:38 2009 Info: Connection Error: DCID: 645 domain: IP: port: 25 details: timeout interface: reason: connection timed out
Thu Aug 13 20:58:28 2009 Info: Connection Error: DCID: 586 domain: IP: port: 25 details: [Errno 61] Connection refused interface: reason: network error

as for searching for file extension with a content filter regex, you should be able to get by with 'filename == *.*.*'. please defer to using 'filetype' and 'mimetype' matches, however, since multiple "extensions" are quite common and useful in the real world (see your asyncos log directory for practical examples).
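To make the "grep mail_logs, then check the DCID" step above concrete, here is an added Python example (not code from the thread or from AsyncOS) that parses the mail_logs line formats quoted in the post and correlates MIDs with the DCIDs they were delivered on. It reports which MIDs were delivered, which were bounced, which DCIDs hit connection errors, and which MIDs had a "Delivery start" on a DCID that later errored without a "Message done", which is the pattern to look for when a downstream device cuts the connection. The sample log block is constructed for this example: the first lines are copied from the post (with the blank domain/IP fields as shown there), and the lines for DCID 645 / MID 601 are invented to show a message left on an errored connection, with placeholder domain and IP values.

```python
import re
from collections import defaultdict

# Constructed sample: lines 1-4 and the bounce/error lines for DCID 586 follow the
# thread's quoted mail_logs excerpts; DCID 645 / MID 601 lines are invented for this
# example, with placeholder domain/IP values (example.net, 192.0.2.80, 10.0.0.5).
SAMPLE_MAIL_LOGS = """\
Fri Aug 28 20:08:58 2009 Info: New SMTP DCID 672 interface address port 25
Fri Aug 28 20:08:58 2009 Info: Delivery start DCID 672 MID 458 to RID [0]
Fri Aug 28 20:08:58 2009 Info: Message done DCID 672 MID 458 to RID [0]
Fri Aug 28 20:09:40 2009 Info: DCID 672 close
Wed Sep 9 16:23:57 2009 Info: Bounced: DCID 0 MID 550 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up ironport.lab (MX): NXDomain'])
Wed Aug 26 13:19:38 2009 Info: Delivery start DCID 645 MID 601 to RID [0]
Wed Aug 26 13:19:38 2009 Info: Connection Error: DCID: 645 domain: example.net IP: 192.0.2.80 port: 25 details: timeout interface: 10.0.0.5 reason: connection timed out
Thu Aug 13 20:58:28 2009 Info: Connection Error: DCID: 586 domain: IP: port: 25 details: [Errno 61] Connection refused interface: reason: network error
"""

# One regex per event type seen in the excerpts. The connection-error pattern tolerates
# blank domain/IP/interface fields, as they appear in the quoted lines.
DELIVERY_START = re.compile(r"Delivery start DCID (\d+) MID (\d+) to RID \[(\d+)\]")
MESSAGE_DONE = re.compile(r"Message done DCID (\d+) MID (\d+) to RID \[(\d+)\]")
BOUNCED = re.compile(r"Bounced: DCID (\d+) MID (\d+) to RID (\d+) - (.*)")
CONN_ERROR = re.compile(
    r"Connection Error: DCID: (\d+) domain: ?(\S*?) ?IP: ?(\S*?) ?port: (\d+)"
    r" details: (.*?) interface: ?(\S*?) ?reason: (.*)"
)


def parse_mail_logs(text):
    """Turn raw mail_logs text into a list of event dicts (unknown lines are skipped)."""
    events = []
    for line in text.splitlines():
        if m := DELIVERY_START.search(line):
            events.append({"type": "start", "dcid": int(m[1]), "mid": int(m[2]), "rid": int(m[3])})
        elif m := MESSAGE_DONE.search(line):
            events.append({"type": "done", "dcid": int(m[1]), "mid": int(m[2]), "rid": int(m[3])})
        elif m := BOUNCED.search(line):
            events.append({"type": "bounced", "dcid": int(m[1]), "mid": int(m[2]),
                           "rid": int(m[3]), "response": m[4]})
        elif m := CONN_ERROR.search(line):
            events.append({"type": "conn_error", "dcid": int(m[1]), "domain": m[2],
                           "ip": m[3], "port": int(m[4]), "details": m[5],
                           "interface": m[6], "reason": m[7]})
    return events


def summarize(events):
    """Correlate MIDs and DCIDs and flag MIDs left on a connection that errored."""
    delivered, bounced, conn_errors = set(), {}, {}
    started = defaultdict(set)  # dcid -> MIDs that began delivery on that DCID
    for e in events:
        if e["type"] == "done":
            delivered.add(e["mid"])
        elif e["type"] == "bounced":
            bounced[e["mid"]] = e["response"]
        elif e["type"] == "conn_error":
            conn_errors[e["dcid"]] = e
        elif e["type"] == "start":
            started[e["dcid"]].add(e["mid"])
    # A MID that started on an errored DCID and never reached "Message done" is the
    # candidate to inspect with showmessage / removemessage.
    stuck = sorted(mid for dcid in conn_errors
                   for mid in started.get(dcid, ()) if mid not in delivered)
    return {"delivered": delivered, "bounced": bounced,
            "conn_errors": conn_errors, "stuck": stuck}


if __name__ == "__main__":
    summary = summarize(parse_mail_logs(SAMPLE_MAIL_LOGS))
    print("delivered MIDs:", sorted(summary["delivered"]))
    print("bounced MIDs:", sorted(summary["bounced"]))
    for dcid, err in sorted(summary["conn_errors"].items()):
        print(f"DCID {dcid} domain={err['domain'] or '?'} reason={err['reason']}")
    print("MIDs stuck on errored connections:", summary["stuck"])
```

On the appliance the equivalent is `grep "Connection Error" mail_logs` for the domain that tophosts flags, then `grep "MID <n>" mail_logs` to confirm the MID before `removemessage`.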



ddockter_ironport Tue, 09/15/2009 - 18:01

Great info! I was able to find the offending message and delete it. When you use removemessage, does it generate a hard bounce or just go away and the sender is never notified?

ddockter_ironport Tue, 09/15/2009 - 19:44


Trying to add the content filter, but am getting the error "Illegal regular expression: nothing to repeat". I'm in the Attachment File Info section of the content filter. I've selected filename; selected equals from the dropdown box; entered *.*.* in the field.

Andrew Wurster Wed, 09/16/2009 - 05:15

no bounces generated. if you want to delete a message and generate bounces, use 'bouncemessage'.

the filter's not working because i was testing offbox on a linux system and it's not going to work in the content filter regex syntax. i also mucked up the formatting with an extra char match (sorry). entering this phrase verbatim into your "attachment filename" criteria had much better success against my scripts:


resulting "rules" view looks like:
file_check: if (attachment-filename == "\\.\\w+\\.\\w+") { quarantine ("Policy"); }

very important discussion on filetypes before you go implementing anything though:

give it a shot,


ddockter_ironport Wed, 09/16/2009 - 22:45

I'm baaack! Just had the content filter trap an attachment with a name 09.16.09.doc. Guess what I would really like to do is mimic what my Intrusion Detection System defines as a double-dot extension. The rule is below. Is something like this possible?


Andrew Wurster Thu, 09/17/2009 - 23:11

so if it was already written... why did I rewrite it for you?

it looks like it could work as a message filter. I would just paste in the exact syntax you provided as your new filter criteria and retest.

if you run into any problems, make sure to verify it against the python regex syntax.

again... IMHO this is not the way to go...
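Since the thread says the filter regex follows Python regex syntax, here is an added Python example (not code from the thread or from the ESA) that reproduces the two problems discussed above: the "nothing to repeat" error from entering *.*.* as a regex, and the false positive on a date-style name like 09.16.09.doc with the rule shown in the rules view (where the backslashes appear doubled because the pattern sits inside a quoted string). It also tries a tighter pattern, which is my own assumption and not the IDS rule the thread refers to: it requires the last two dot-separated segments to start with a letter and be at most five characters long, so a dotted date no longer matches, but a legitimate name like backup.tar.gz still does, which is the point of the advice to prefer filetype/mimetype matching.

```python
import re

# Pattern from the thread's rules view, written as a Python raw string.
THREAD_PATTERN = r"\.\w+\.\w+"

# Assumed tighter variant (not from the thread): both trailing extensions must begin
# with a letter and be 1-5 characters, anchored to the end of the filename.
TIGHTER_PATTERN = r"\.[A-Za-z][A-Za-z0-9]{0,4}\.[A-Za-z][A-Za-z0-9]{0,4}$"


def compile_filter(pattern):
    """Return (compiled_regex, None) or (None, error_text) for a candidate filter regex."""
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, str(exc)


def matches_double_dot(filename, pattern):
    """True when the attachment filename would be caught by the given filter regex."""
    regex, err = compile_filter(pattern)
    if regex is None:
        raise ValueError(f"invalid filter regex {pattern!r}: {err}")
    return regex.search(filename) is not None


def evaluate(filenames, pattern):
    """Map each filename to whether the pattern flags it, for a quick side-by-side review."""
    return {name: matches_double_dot(name, pattern) for name in filenames}


if __name__ == "__main__":
    # The glob-style entry from the thread is not a valid regex at all.
    _, err = compile_filter("*.*.*")
    print("*.*.* ->", err)

    # Constructed filenames: the case the filter is meant to catch, the false positive
    # reported in the thread, a legitimate double extension, and a plain single extension.
    samples = ["file.doc.doc", "09.16.09.doc", "backup.tar.gz", "report.doc"]
    for label, pattern in (("thread", THREAD_PATTERN), ("tighter", TIGHTER_PATTERN)):
        print(label, evaluate(samples, pattern))
```

Even the tighter pattern flags backup.tar.gz, so a filename regex alone cannot separate a hostile double extension from a common one; that is the reason the thread steers toward the filetype and mimetype conditions instead.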


