Exception Table

Alibek Ismailov
Level 1

Hi, I added a sender verification exception (email address) to the exception table (behaviour - "allow") and turned it on in the mail flow policy, but when this sender sends me a letter, his letter falls into quarantine. What's the problem? Did I do something wrong? Thanks.

P.S. I did the same with behaviour - "Reject" and it works.

srussell
Level 1

I would recommend checking your incoming mail policies; this message could be getting quarantined as possible spam.  What does the message tracking for these messages show?

Message tracking was turned off. I released the message. Incoming policy: default policy.

Did you review the online help and see if that would aid in the setup & configuration of the exception?

https://<<ESA HOSTNAME OR IP ADDRESS>>/help/esa_help/index.html?hat10.html#wp1130558

With message tracking turned on - are there any changes or clearly identified processing occurring?

-Robert

Message Tracking shows this:

Protocol SMTP interface Management (IP 192.168.1.42) on incoming connection (ICID 2246926) from sender IP 95.108.130.82. Reverse DNS host forward14.mail.yandex.net verified yes.

(ICID 2246926) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.6

(ICID 2246926) Sender < sender@post.kz> allowed. Envelope sender matched domain exception

Start message 789741 on incoming connection (ICID 2246926).

Message 789741 enqueued on incoming connection (ICID 2246926) from sender@post.kz.

Message 789741 on incoming connection (ICID 2246926) added recipient (recipient@mail.kz).

Message 789741 contains message ID header '<7634671405065107@web20j.yandex.ru>'.

Message 789741 original subject on injection: Theme.

Message 789741 (105698 bytes) from sender@post.kz ready.

Message 789741 matched per-recipient policy DEFAULT for inbound mail policies.

Message 789741 was split creating new message 789742 due to a safelist/blocklist configuration for recipient(s): recipient@mail.kz.

Message 789742 enqueued on incoming connection (ICID 0) from sender@post.kz..

Message 789742 on incoming connection (ICID 0) added recipient (recipient@mail.kz).

Message 789742 scanned by Anti-Spam engine: SLBL. Interim verdict: Negative

Message 789742 scanned by Anti-Spam engine SLBL. Interim verdict: definitely negative.

Message 789742 scanned by Anti-Spam engine: SLBL. Final verdict: Negative

Message 789742 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN

Message 789742 scanned by Anti-Virus engine. Final verdict: Negative

Message 789742 scanned by Outbreak Filters. Verdict: Negative

Message 789742 queued for delivery.

Message 789743 scanned by engine CASE using cached verdict.

Message 789743 scanned by Anti-Spam engine: CASE. Interim verdict: Suspect

Message 789743 scanned by Anti-Spam engine: CASE. Final verdict: Suspect

SMTP delivery connection (DCID 274638) opened from Cisco IronPort interface 192.168.1.42 to IP address 192.168.1.33 on port 25.

(DCID 274638) Delivery started for message 789742 to recipient@mail.kz

Message 789743 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN

Message 789743 scanned by Anti-Virus engine. Final verdict: Negative

Message 789743 scanned by Outbreak Filters. Verdict: Negative

Message 789743 queued for delivery.

Remote procedure call connection (RCID 37) started for message 789743 to local Spam Quarantine.

(DCID 274638) Delivery details: Message 789742 sent to recipient@mail.kz

Message 789742 to recipient@mail.kz received remote SMTP response '2.0.0 Ok: queued as 8589260681'.

Message 789743 quarantined in Spam Quarantine.

Does the end-user have that email address listed in their SLBL?

Message 789741 was split creating new message 789742 due to a safelist/blocklist configuration for recipient(s): recipient@mail.kz.

You can view the SLBL by going to System Administration -> Configuration File...

Download that locally, open and view for the user to confirm.

-Robert
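
The tracking output posted above can be read mechanically to see which copy of the message met which anti-spam verdict and where it ended up. This is an added example, not part of any post in the thread; the regular expressions are written against the log lines quoted here and are an assumption about their general shape, not a Cisco-documented format.

```python
import re
from collections import defaultdict

# Subset of the Message Tracking lines posted in this thread, copied verbatim.
TRACKING = """\
(ICID 2246926) Sender < sender@post.kz> allowed. Envelope sender matched domain exception
Message 789741 matched per-recipient policy DEFAULT for inbound mail policies.
Message 789741 was split creating new message 789742 due to a safelist/blocklist configuration for recipient(s): recipient@mail.kz.
Message 789742 scanned by Anti-Spam engine: SLBL. Final verdict: Negative
Message 789742 queued for delivery.
Message 789743 scanned by Anti-Spam engine: CASE. Final verdict: Suspect
Message 789743 queued for delivery.
Message 789742 to recipient@mail.kz received remote SMTP response '2.0.0 Ok: queued as 8589260681'.
Message 789743 quarantined in Spam Quarantine.
"""

# Patterns are assumptions derived from the lines above (hypothetical names).
SV_ALLOWED = re.compile(r"Sender <\s*(\S+?)\s*> allowed\. Envelope sender matched")
SPLIT = re.compile(r"Message (\d+) was split creating new message (\d+) due to (.+?) for recipient")
VERDICT = re.compile(r"Message (\d+) scanned by Anti-Spam engine:? (\w+)\. Final verdict: (\w+)")
QUARANTINED = re.compile(r"Message (\d+) quarantined in (.+?)\.")
DELIVERED = re.compile(r"Message (\d+) to (\S+) received remote SMTP response '2\.")

def trace(log):
    """Return (senders passed by the exception table, per-MID summary dict)."""
    allowed, mids = [], defaultdict(dict)
    for line in log.splitlines():
        if m := SV_ALLOWED.search(line):
            allowed.append(m.group(1))          # sender verification stage
        elif m := SPLIT.search(line):
            mids[m.group(2)].update(parent=m.group(1), split_reason=m.group(3))
        elif m := VERDICT.search(line):
            mids[m.group(1)].update(engine=m.group(2), spam_verdict=m.group(3))
        elif m := QUARANTINED.search(line):
            mids[m.group(1)]["outcome"] = "quarantined: " + m.group(2)
        elif m := DELIVERED.search(line):
            mids[m.group(1)]["outcome"] = "delivered to " + m.group(2)
    return allowed, dict(mids)

if __name__ == "__main__":
    allowed, mids = trace(TRACKING)
    print("sender verification exception matched:", allowed)
    for mid, info in sorted(mids.items()):
        print(mid, info)
```

On the posted log this separates the three stages: the exception table match at connection time, the SLBL-scanned copy that was delivered, and the CASE-scanned copy that was quarantined.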

<Does the end-user have that email address listed in their SLBL?>

Yes, the user has that email address in the SLBL, but if he removes it, the message would go to quarantine, despite that email address being prescribed in the exception table.

In my logs that I posted above:

Message 789743 scanned by Anti-Spam engine: CASE. Interim verdict: Suspect

I lowered the Spam Thresholds of Suspect Spam to a score of 25.

<You can view the SLBL by going to System Administration -> Configuration File...

Download that locally, open and view for the user to confirm.>

How can I do that? Must I restore and import the SLBL database?

I would not recommend lowering/altering the scoring thresholds.  If this is a valid email or email sender that is constantly being flagged as spam, but yet is a valid sender, then submit examples to ham@access.ironport.com, so that they can be re-scored and corrected.

Further information for submitting samples for review

In order to review the SLBL...

From the web interface, choose System Administration > Configuration File > End-User Safelist/Blocklist Database (Spam Quarantine).  You can generate backup files from this location. If you have several C-Series devices in a cluster, you must upload the backup to each opposing unit.

From the CLI, use slblconfig to import and export the SLBL configuration:

> slblconfig

End-User Safelist/Blocklist: Enabled

Choose the operation you want to perform:
- IMPORT - Replace all entries in the End-User Safelist/Blocklist.
- EXPORT - Export all entries from the End-User Safelist/Blocklist.
[]> export

End-User Safelist/Blocklist export has been initiated...
Please wait while this operation executes.

End-User Safelist/Blocklist successfully exported to slbl-782BCB64XXYY-1234567-20140717T020032.csv (200B).

You will then need to access the appliance via FTP in order to retrieve and retain the newly created exported SLBL:

$ ftp user@myesa.local
Connected to myesa.local.
220 myesa.local.rtp Cisco IronPort FTP server (V8.5.6) ready
331 Password required.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> bin
200 Type set to Binary.
ftp> cd configuration
250 CWD command successful.
ftp> ls
227 Entering Passive Mode (172,16,1,1,XX,YYY)
150 Opening ASCII mode data connection for file list
drwxrwx--- 2 root config 512 Oct 14 2013 iccm
-rw-rw---- 1 admin config 1117 Oct 14 2013 profanity.txt
-rw-rw---- 1 admin config 90 Oct 14 2013 proprietary_content.txt
-rw-rw---- 1 admin config 2119 Oct 14 2013 sexual_content.txt
-rw-rw---- 1 admin config 28025 Oct 14 2013 ASYNCOS-MAIL-MIB.txt
-rw-rw---- 1 admin config 1292 Oct 14 2013 IRONPORT-SMI.txt
-r--r--r-- 1 root wheel 436237 Jul 9 16:51 config.dtd
drwxrwx--- 2 root config 512 May 28 20:23 logos
-rw-rw---- 1 root config 1538 May 30 17:25 HAT_TEST
-rw-r----- 1 admin config 18098688 Jul 9 16:59 warning.msg
-r--r--r-- 1 root wheel 436710 Jul 9 16:51 cluster_config.dtd
-rw-rw---- 1 nobody config 200 Jul 16 22:00 slbl-782BCB64XXYY-1234567-20140717T020032.csv
#
226 Transfer Complete
ftp> get slbl-782BCB64XXYY-1234567-20140717T020032.csv
local: slbl-782BCB64XXYY-1234567-20140717T020032.csv remote: slbl-782BCB64XXYY-1234567-20140717T020032.csv
227 Entering Passive Mode (172,16,1,1,XX,YYY)
150 Opening Binary mode data connection for file 'slbl-782BCB64XXYY-1234567-20140717T020032.csv'
#
226 Transfer Complete
200 bytes received in 00:00 (8.63 KiB/s)
ftp> exit
221 Goodbye.

Your file is now transferred locally.  You can open and view the SLBL entries as needed.

OK, thanks
