New Member

Content filter for handling bounces due to spoofed email

Hello,

No surprises here, but we are starting to find that large amounts of spam are being sent using our legitimate email addresses, which results in our users receiving a large number of bounce messages when the spam isn't delivered.

We are unable (at this point) to implement outbound sending via our C350s so we're looking for alternative solutions.

I found this post:
https://www.ironportnation.com/forums/viewtopic.php?t=163&highlight=ndr

and the second-to-last entry suggests a filter to handle a large proportion of the bounce messages. This is the text from the post:

"The problem with the bounce verification feature, is that your outbound e-mail needs to go over an Ironport device as well. I don't know about you guys, but in my environment, this is not the case.

So basically I can't really use the feature in the near future.

However, I've managed to write a small content filter that is quite effective for bounces that come in, as a reaction on spoofed e-mails:

Prerequisite is that you have an entry in the HAT, with "Connecting host PTR record does not exist in DNS." enabled (say you call it "NoPTR"). Then you add a mail filter, that adds the HAT to the e-mail through an X-header (let's say we take X-HAT-SG).
Conditions:
mail-from == "^$"
header("X-HAT-SG") == "^NoPTR$"
Action:
quarantine or drop"

Has anyone used this or have any other suggestions?

3 REPLIES
New Member

Re: Content filter for handling bounces due to spoofed email

The HAT entry looks fine. You'll also need to put in a message filter that will grab the sendergroup and mail flow policy when the message is coming in.

Also, I'd recommend you quarantine it and go over the msgs that get put in there. This way, you can review your catch of the day. Once you feel confident that it's matching what you intended you can drop them.


Insert Policy into Header Filter

Show which mail flow policy accepted the connection:

Policy_Tracker:
if (true)
{
insert-header ('X-HAT-SG', '$Group');
insert-header ('X-HAT-MailFlowPolicy', '$Policy');
}
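An added example, not code from the thread or from Cisco: a small offline Python simulation of the two stages described above, so the dependency between the Policy_Tracker message filter (which stamps $Group and $Policy into headers) and the content filter from the quoted post (null sender AND X-HAT-SG matching NoPTR) is visible. The sender-group name NoPTR comes from the post; the sample messages, the other group and policy names, and the removal of any pre-existing X-HAT-SG header are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

NOPTR_GROUP = "NoPTR"                 # HAT sender-group name assumed from the post
GROUP_HEADER = "X-HAT-SG"
POLICY_HEADER = "X-HAT-MailFlowPolicy"

def policy_tracker(msg: Message, group: str, policy: str) -> Message:
    """Stage 1, the Policy_Tracker message filter: stamp the sender group and
    mail flow policy that accepted the connection into X-headers ($Group, $Policy).
    Deleting any copies the remote host supplied first is an added precaution,
    so a sender cannot pre-stamp a group of its own choosing."""
    del msg[GROUP_HEADER]
    del msg[POLICY_HEADER]
    msg[GROUP_HEADER] = group
    msg[POLICY_HEADER] = policy
    return msg

def bounce_filter(envelope_from: str, msg: Message, action: str = "quarantine") -> str:
    """Stage 2, the content filter: mail-from == "^$" AND header("X-HAT-SG") == "^NoPTR$".
    The default action is quarantine, matching the advice to review the catch
    before switching to drop."""
    null_sender = re.search(r"^$", envelope_from) is not None
    no_ptr = re.search(rf"^{NOPTR_GROUP}$", msg.get(GROUP_HEADER, "")) is not None
    return action if null_sender and no_ptr else "deliver"

def run_pipeline(envelope_from: str, raw: str, group: str, policy: str) -> str:
    """Run one message through both stages and return the verdict."""
    return bounce_filter(envelope_from, policy_tracker(message_from_string(raw), group, policy))

# Constructed samples: (envelope MAIL FROM, raw message, HAT sender group, mail flow policy)
SAMPLES = {
    "backscatter": ("", "From: MAILER-DAEMON@example.net\nSubject: Undelivered\n\nx", "NoPTR", "ACCEPTED"),
    "real_bounce": ("", "From: MAILER-DAEMON@example.org\nSubject: Undelivered\n\nx", "UNKNOWNLIST", "ACCEPTED"),
    "normal_mail": ("alice@example.com", "From: alice@example.com\nSubject: hi\n\nx", "NoPTR", "THROTTLED"),
    "forged_stamp": ("", "X-HAT-SG: NoPTR\nFrom: MAILER-DAEMON@example.org\n\nx", "RELAYLIST", "RELAYED"),
}

def verdicts() -> dict:
    """Verdict per sample; only the null-sender mail from the NoPTR group is held."""
    return {name: run_pipeline(*args) for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:13s} -> {verdict}")
```

The forged_stamp sample shows why stage 1 should overwrite rather than merely add the header: a remote host that sets X-HAT-SG itself must not be able to influence the stage 2 match.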

New Member

Re: Content filter for handling bounces due to spoofed email

What are you running for your email server(s) in your environment? Exchange, Lotus Notes, etc.? If you need help getting your email to flow outbound through your IronPorts, let me know.

Some of the benefits of this (besides bounce verification) are that the IronPort will take over the queue and free up resources on your backend mail server. You will also be able to scan all outbound emails for viruses and set various content filters for outbound as well, etc.

Like I said, if you need help, let me know.

Chris
Sr. Systems Engineer

New Member

Re: Content filter for handling bounces due to spoofed email

Thanks kluu and cireland for your replies.

We're working towards using outbound sending through the IronPorts, but it is a significant project and needs some planning.

The filtering may do the trick in the short term...

Cheers
