Mail policy not blocking attachment

Answered Question
Dec 28th, 2011

I'm trialling an Ironport C160, and having problems with the content filter. I have an incoming content filter that is set to drop incoming attachments of type jpeg. However, the ironport just lets the attachment past.

The content filter is applied to the default incomping policy. I also tried setting it up as a separate policy with higher priority to default, but the attchment was still allowed through.

If I check the tracking, it says

MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: user@domain.com

So it seems that it goes through the policy, but doesn't apply the content filter.

Any idea what I'm doing wrong?

I have this problem too.
0 votes
Correct Answer by magiccarpetride about 2 years 3 months ago

I saw that too and hoped that the differences between ours would be significant to you.  Sounds like you got it. 

Glad to help.

Greg

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
graham.carey@mo... Wed, 12/28/2011 - 04:38

Or should I be using Message Filtering, rather than content filtering to quarantine or drop attachments?

magiccarpetride Wed, 12/28/2011 - 07:30

Under Mail Policies | Incoming Content Filter  add a content filter, then add a condition for your desired file type, then add two conditions.  #2 Action is to send you an email (if you wish, that's what I did) informing you of the quarantine, and #1 Action is to quarantine the incoming email.

Then create an Incoming Mail Policy, Call it "JPG Quarantine", and tell it to use the Content Filter you created above.

Caveat:  I'm new to this and the above is most likely worth exactly what you paid for it. But, hth anyway.

graham.carey@mo... Wed, 12/28/2011 - 07:34

Hi Greg, that's exactly how I configured it.

I also tried adding a message filter from the CLI, same problem.

graham.carey@mo... Wed, 12/28/2011 - 07:42
MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: recipient@abc.com
28 Dec 2011 15:36:17 (GMT) Protocol SMTP interface Data1  (IP 192.168.1.17) on  incoming connection (ICID 239) from sender IP 192.168.1.199. Reverse DNS   host None verified no.
28 Dec 2011 15:36:17 (GMT) (ICID 239) RELAY sender group RELAYLIST match 192.168.1. SBRS rfc1918
28 Dec 2011 15:36:17 (GMT) Start message 271 on incoming connection (ICID 239).
28 Dec 2011 15:36:17 (GMT) Message 271 enqueued on incoming connection (ICID 239) from sender@gmail.com.
28 Dec 2011 15:36:17 (GMT) Message 271 on incoming connection (ICID 239) added recipient (recipient@abc.com).
28 Dec 2011 15:36:17 (GMT) Message 271 contains message ID header  '<CAKFcXox=Py78A6q_qRp1DaPOd0yNG7td8QCchLJxZzGo5h_KHg@mail.gmail.com>'.
28 Dec 2011 15:36:17 (GMT) Message 271 original subject on injection: JP
28 Dec 2011 15:36:17 (GMT) Message 271 (7685 bytes) from sender@gmail.com ready.
28 Dec 2011 15:36:17 (GMT) Message 271 matched per-recipient policy DEFAULT for outbound mail policies.
28 Dec 2011 15:36:17 (GMT) Message 271 queued for delivery.
28 Dec 2011 15:36:17 (GMT) SMTP delivery connection (DCID 254) opened from  IronPort interface 192.168.1.17 to IP address 192.168.1.25 on port 25.
28 Dec 2011 15:36:17 (GMT) (DCID 254) Delivery started for message 271 to

recipient@abc.com

.
28 Dec 2011 15:36:17 (GMT) (DCID 254) Delivery details: Message 271 sent to recipient@abc.com
28 Dec 2011 15:36:17 (GMT) Message 271 to recipient@abc.com received remote SMTP  response '2.6.0  <CAKFcXox=Py78A6q_qRp1DaPOd0yNG7td8QCchLJxZzGo5h_KHg@mail.gmail.com>  Queued mail for delivery'.
magiccarpetride Wed, 12/28/2011 - 08:29
MAIL POLICY "Greg Test" MATCHED THESE RECIPIENTS: g_hopp@abc.org
28 Dec 2011 11:18:16 (GMT -05:00) Protocol SMTP interface Inbound Mail (IP 10.27.27.10) on incoming connection (ICID 1849114) from sender IP 74.125.82.53. Reverse DNS host mail-ww0-f53.google.com verified yes.
28 Dec 2011 11:18:16 (GMT -05:00) (ICID 1849114) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.4
28 Dec 2011 11:18:16 (GMT -05:00) Start message 178731 on incoming connection (ICID 1849114).
28 Dec 2011 11:18:16 (GMT -05:00) Message 178731 enqueued on incoming connection (ICID 1849114) from senderisme@gmail.com.
28 Dec 2011 11:18:16 (GMT -05:00) Message 178731 on incoming connection (ICID 1849114) added recipient (g_hopp@abc.org).
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 contains message ID header '<CAC2-sMEro0jn8R0uYGa8kPhDNYmvu2R9feNiJqB2qwCZU0No4g@mail.gmail.com>'.
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 original subject on injection: Test PDF Attachments
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 (138562 bytes) from senderisme@gmail.com ready.
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 matched per-recipient policy Greg Test for inbound mail policies.
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 scanned by Anti-Spam engine: CASE. Final verdict: Negative
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 scanned by Anti-Virus engine. Final verdict: Negative
28 Dec 2011 11:18:18 (GMT -05:00) Message 178731 quarantined to Policy. Content filter PDFQuarantine.
graham.carey@mo... Wed, 12/28/2011 - 08:57

Thanks Greg, your time is appreciated. I compared your logs to mine, and could see that I had a relay allowed from 192.168.1.x.

The ironport seems to bypass the policy when the relay is allowed.

I removed it completely, and the attachment was blocked as expected:

MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: recipient@abc.com
28 Dec 2011 16:52:12 (GMT) Protocol SMTP interface Data1  (IP 192.168.1.17) on  incoming connection (ICID 249) from sender IP 192.168.1.199. Reverse DNS   host None verified no.
28 Dec 2011 16:52:12 (GMT) (ICID 249) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS rfc1918
28 Dec 2011 16:52:12 (GMT) Start message 281 on incoming connection (ICID 249).
28 Dec 2011 16:52:12 (GMT) Message 281 enqueued on incoming connection (ICID 249) from sender@gmail.com.
28 Dec 2011 16:52:12 (GMT) Message 281 on incoming connection (ICID 249) added recipient (recipient@abc.com).
28 Dec 2011 16:52:12 (GMT) Message 281 contains message ID header  '<CAKFcXoyJuHN5C9AoX51v0RxTnP=Gar65W1gjdEv+UfL-GjUdWg@mail.gmail.com>'.
28 Dec 2011 16:52:12 (GMT) Message 281 original subject on injection: t
28 Dec 2011 16:52:12 (GMT) Message 281 (63617 bytes) from sender@gmail.com ready.
28 Dec 2011 16:52:12 (GMT) Message 281 matched per-recipient policy DEFAULT for inbound mail policies.
28 Dec 2011 16:52:13 (GMT) Message 281 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
28 Dec 2011 16:52:13 (GMT) Message 281 scanned by Anti-Spam engine: CASE. Final verdict: Negative
28 Dec 2011 16:52:13 (GMT) Message 281 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
28 Dec 2011 16:52:13 (GMT) Message 281 scanned by Anti-Virus engine. Final verdict: Negative
28 Dec 2011 16:52:13 (GMT) Message 281 quarantined to FilterDebug. Content filter Doc.
Correct Answer
magiccarpetride Wed, 12/28/2011 - 09:17

I saw that too and hoped that the differences between ours would be significant to you.  Sounds like you got it. 

Glad to help.

Greg

tomak Wed, 12/28/2011 - 20:41

Dear Graham,

Please note that emails received from RELAYLIST sender group, sender group with RELAYED mail flow policy or mail flow policy with 'Relay' connection behavior, or connection with SMTP AUTH are all considered as outgoing emails. You need to add a new outgoing content filter if you want to block any JPG file attachment sending out from your company.

Please note that there are two content filters (attachment filename and attachment filetype). For attachment filetype, it is based on binary fingerprint of the attachment and can catch renamed file extension (e.g. JPEG file renamed with file extension .DOC).

Cheers,

Tommy

Actions

Login or Register to take actions

This Discussion

Posted December 28, 2011 at 3:37 AM
Stats:
Replies:9 Avg. Rating:5
Views:2797 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard