×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Ironport Bounce Verification

Unanswered Question
Sep 24th, 2013
User Badges:

Hello, working with a client that is getting a ton of NDR's from spammers using their domain, typical case. Setup SPF records, verified email was definitely not coming from systems in their domain.


The Ironport was previously configured by someone else, so not sure as to why some things are configured as they. I do not have continuous access to this system to get logs, configuration, etc to post. My questions are pretty generic though, so hope somone can assist.


1, Bounce Verication was set to reject, however there was not a key configured to use for this. Am I correct in thinking that since there is no key/tag configured, Ironport has nothing to consider upon receiving these, so just allows all?


Since it is enabled, with the setting to reject, shouldn't all NDR's be rejected, or because there is nothing to validate a tag, it defaults to allow all?


2. What is the best way to actually see that in fact the outgoing messages are adding the tag in the return path? When I look at emails on a client, such as Outlook and look at the headers for messages from the ironport, this information does not show.


Is it stripped by the mail server as the message traverses, so the end client will not even see this information?

Or is this info correct and the Ironport isn't even adding the prvs?

How best can I verify this is in fact working as it should?


Thank you for any input!


To clarify, I did configure the tagging key and applied to the config. It was not configured prior to, pertaining to question 2. Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
viahmed Wed, 09/25/2013 - 13:11
User Badges:
  • Cisco Employee,

Hello Mike, please check the answers in-line below.


1, Bounce Verication was set to reject, however there was not a key...

Bounce  Verification settings apply only if bounce verification address tagging  is in use. Hope this explains your rest of the queries.


2. What is the best way to actually see that in fact the outgoing messages......


There are two kinds of logs that can be found relating  to Bounce Verification. The first shows when an address is rewritten to  the Bounce Verification Format. The rewritten address is not logged in  the text mail logs but may be found in message tracking. The second log  type is created during rejections.These  log entries can be found by  parsing your logs with the CLI grep  command.  The command below, ran on  example.com Cisco IronPort, will  return all the log entries that have  do with Bounce Verification  rejection events.


example.com> grep "rejected by Bounce Verification" mail_logs
Mon Aug 31 13:28:43 2009 Info: MID 1094 ICID 502 invalid bounce, rcpt address <[email protected]> rejected by Bounce Verification.

Further parsing for ICID 502 (Injection Connection ID) of the session will show the details of the connecting host.


example.com> grep "ICID 502" mail_logs

Mon   Aug 31 13:28:30 2009 Info: New SMTP ICID 502 interface Management   (10.161.1.10) address 192.168.10.10 reverse dns host unknown verified no
Mon Aug 31 13:28:30 2009 Info: ICID 502 ACCEPT SG Unknown match 192.168.10.10 SBRS None
Mon Aug 31 13:28:38 2009 Info: Start MID 1094 ICID 502
Mon Aug 31 13:28:38 2009 Info: MID 1094 ICID 502 From: <>
Mon Aug 31 13:28:43 2009 Info: MID 1094 ICID 502 invalid bounce, rcpt address <[email protected]> rejected by Bounce Verification.
Mon Aug 31 13:28:47 2009 Info: ICID 502 close

The message shows that the sender was blank, but was addressed to [email protected].  The Cisco IronPort rejected the email because it should have been addressed to [email protected].


Hope that helps!

-Viquar

m.moniz Wed, 09/25/2013 - 14:36
User Badges:

Thank you for your reply Viahmed, it does help. So if I understand correctly, if they had BV enabled, but did not have a key configured, it would not actually be enabled correct? That is how it was when I got involved. I then added a key, as that is how I presume it would have to be to even work.


Nothing else needs to be done, like on separate mail polices to enable this by deafult right? Unless I want to add some exemption destinations, etc?


For the logging, I have not looked at how their logging is setup, is the defualt logging to include this, as it does with all messages? Or does something specific need to be added for this logging?


Thanks again, much appreciated.


Mike

Actions

This Discussion