3714 Views | 0 Helpful | 9 Replies

Identifying and removing outgoing messages

I'm forwarding my outgoing messages from my Exchange server through my C150. I have an Intrusion Detection appliance on my network that will drop the connection on any e-mails with a double-dot attachment (e.g. file.doc.doc). The C150 sees the connection as being aborted. Consequently, attempts are made to resend the message over and over again over the next few days. Is the message in a queue on the C150 and being resent from there, or is it being resent each time from my Exchange server? If it is being resent from the C150, how can I identify the message and remove it from the queue? Hope this all made sense.

9 Replies

Andrew Wurster
Level 1

ddockter -

first off, the message is likely held by the ESA for (re)delivery. it is almost certainly not being retransmitted through your internal gateway unless the user is manually resending the message.

in your case, connection errors (and soft bounces) will queue messages up in your destination (or delivery) queues and the system will kick off a hold-down timer before redelivering (unless of course you say 'delivernow').

hard bounces, as well as situations where the above scenario occurs for longer than 3 days (default unless you've specified a custom "bounce profile"), will force the message to be dropped and a bounce message generated, if applicable.

two points i can think of on dealing with this (personally i feel there's nothing wrong with dual extensions :) ):

1 - you can use a content filter on the ESA to match the same signature and drop messages, effectively avoiding this issue. perhaps by attachment name. i can try some regexes and get back to you on this one...

2 - if you don't want to do that, then here's how to dig out a message:
A) use 'tophosts' first to see whose destination the connections are failing for.
B) then use 'grep [regex] mail_logs', 'showmessage', and/or 'showrecipients' to locate the MID of the offending message
C) 'removemessage' or 'deleterecipients' to remove the actual message from the queue.

andrew

Andrew,

Thanks for the reply. What option would I pick with the tophosts command to identify the failing connection? Should I be looking at Soft Bounced Events?

Andrew Wurster
Level 1

a nice braindump for you:

tophosts will show you almost everything you need, organized by destination domain:
1. Active Recipients (number of recipients queued for delivery)
2. Connections Out (number of open TCP connections outbound)
3. Delivered Recipients (number of successfully delivered rcpts)
4. Hard Bounced Recipients (number of hard bounced rcpts)
5. Soft Bounced Events (number of soft bounces)

once you find the MID, you can check for any corresponding DCID information. some quick examples on the most common outcomes:

SUCCESS:
Fri Aug 28 20:08:58 2009 Info: New SMTP DCID 672 interface 10.92.152.33 address 10.92.152.33 port 25
Fri Aug 28 20:08:58 2009 Info: Delivery start DCID 672 MID 458 to RID [0]
Fri Aug 28 20:08:58 2009 Info: Message done DCID 672 MID 458 to RID [0]
Fri Aug 28 20:09:40 2009 Info: DCID 672 close

HARD BOUNCE:
Wed Sep 9 16:23:57 2009 Info: Bounced: DCID 0 MID 550 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up ironport.lab (MX): NXDomain'])

NETWORK ERRORS:
Wed Aug 26 13:19:38 2009 Info: Connection Error: DCID: 645 domain: external.cisco.com IP: 171.71.177.236 port: 25 details: timeout interface: 10.92.152.33 reason: connection timed out
Thu Aug 13 20:58:28 2009 Info: Connection Error: DCID: 586 domain: tickets.ironport.com IP: 204.15.82.141 port: 25 details: [Errno 61] Connection refused interface: 10.92.152.33 reason: network error

as for searching for file extension with a content filter regex, you should be able to get by with 'filename == *.*.*'. please defer to using 'filetype' and 'mimetype' matches, however, since multiple "extensions" are quite common and useful in the real world (see your asyncos log directory for practical examples).

thanks,

andrew
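Step B of the procedure above (grep mail_logs, then showmessage/showrecipients) comes down to correlating DCID and MID across log lines, since a Connection Error line names only the DCID. The script below is an added example, not code from this thread or from Cisco: it parses the sample mail_logs lines quoted above (plus two constructed "Delivery start" lines, MID 601 and 602, assumed so the connection errors can be tied back to a MID), classifies each MID as delivered, hard bounced or still retrying, and lists the retrying MIDs that would be candidates for 'showmessage' and then 'removemessage'. It only understands the line shapes shown in this thread.

```python
import re
from collections import Counter

# Constructed sample of AsyncOS mail_logs lines: the examples quoted in this thread, plus two
# assumed "Delivery start" lines (MID 601, MID 602) so the connection errors can be tied to a MID.
SAMPLE_MAIL_LOGS = """\
Fri Aug 28 20:08:58 2009 Info: New SMTP DCID 672 interface 10.92.152.33 address 10.92.152.33 port 25
Fri Aug 28 20:08:58 2009 Info: Delivery start DCID 672 MID 458 to RID [0]
Fri Aug 28 20:08:58 2009 Info: Message done DCID 672 MID 458 to RID [0]
Fri Aug 28 20:09:40 2009 Info: DCID 672 close
Wed Sep 9 16:23:57 2009 Info: Bounced: DCID 0 MID 550 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up ironport.lab (MX): NXDomain'])
Wed Aug 26 13:19:38 2009 Info: Delivery start DCID 645 MID 601 to RID [0]
Wed Aug 26 13:19:38 2009 Info: Connection Error: DCID: 645 domain: external.cisco.com IP: 171.71.177.236 port: 25 details: timeout interface: 10.92.152.33 reason: connection timed out
Thu Aug 13 20:58:28 2009 Info: Delivery start DCID 586 MID 602 to RID [0]
Thu Aug 13 20:58:28 2009 Info: Connection Error: DCID: 586 domain: tickets.ironport.com IP: 204.15.82.141 port: 25 details: [Errno 61] Connection refused interface: 10.92.152.33 reason: network error
"""

DELIVERY_START = re.compile(r"Delivery start DCID (\d+) MID (\d+)")
MESSAGE_DONE = re.compile(r"Message done DCID (\d+) MID (\d+)")
BOUNCED = re.compile(r"Bounced: DCID (\d+) MID (\d+) to RID \d+ - (.*)")
CONN_ERROR = re.compile(r"Connection Error: DCID: (\d+) domain: (\S+) .*? reason: (.*)")


def parse_mail_logs(text):
    """Return {mid: {"status", "domain", "detail"}} built from mail_logs lines.

    Statuses: "delivered", "hard_bounced", "retrying" (connection error, message still
    queued for redelivery) or "queued" (delivery started, no outcome seen yet).
    """
    by_mid = {}
    dcid_to_mid = {}  # a Connection Error line names only the DCID, so map it back to the MID
    for line in text.splitlines():
        m = DELIVERY_START.search(line)
        if m:
            dcid, mid = m.groups()
            dcid_to_mid[dcid] = mid
            by_mid.setdefault(mid, {"status": "queued", "domain": None, "detail": ""})
            continue
        m = MESSAGE_DONE.search(line)
        if m:
            by_mid.setdefault(m.group(2), {"domain": None, "detail": ""})["status"] = "delivered"
            continue
        m = BOUNCED.search(line)
        if m:
            _dcid, mid, detail = m.groups()
            by_mid[mid] = {"status": "hard_bounced", "domain": None, "detail": detail}
            continue
        m = CONN_ERROR.search(line)
        if m:
            dcid, domain, reason = m.groups()
            mid = dcid_to_mid.get(dcid)
            if mid is not None:
                by_mid[mid].update(status="retrying", domain=domain, detail=reason)
    return by_mid


def stuck_messages(by_mid):
    """MIDs still being retried after connection errors: the candidates for
    'showmessage <MID>' followed by 'removemessage <MID>' (or 'bouncemessage')."""
    return sorted((mid, info["domain"], info["detail"])
                  for mid, info in by_mid.items() if info["status"] == "retrying")


def soft_bounce_events_by_domain(by_mid):
    """Per-domain count of retrying recipients, the same view 'tophosts' gives under
    Soft Bounced Events, so you know which destination to grep mail_logs for."""
    return Counter(info["domain"] for info in by_mid.values() if info["status"] == "retrying")


if __name__ == "__main__":
    parsed = parse_mail_logs(SAMPLE_MAIL_LOGS)
    for mid, info in sorted(parsed.items()):
        print(mid, info["status"], info["domain"] or "", info["detail"])
    print("stuck:", stuck_messages(parsed))
    print("soft bounce events:", dict(soft_bounce_events_by_domain(parsed)))
```

Run it against a real 'grep <domain> mail_logs' export and the retrying list is the set of MIDs to inspect with 'showmessage' before deciding between 'removemessage' (silent) and 'bouncemessage' (sender notified).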

Great info! I was able to find the offending message and delete it. When you use removemessage, does it generate a hard bounce or just go away and the sender is never notified?

Andrew,

Trying to add the content filter, but am getting the error "Illegal regular expression: nothing to repeat". I'm in the Attachment File Info section of the content filter. I've selected filename; selected equals from the dropdown box; entered *.*.* in the field.

Andrew Wurster
Level 1

no bounces generated. if you want to delete a message and generate bounces, use 'bouncemessage'.

the filter's not working because i was testing off-box on a linux system and it's not going to work in the content filter regex syntax. i also mucked up the formatting with an extra char match (sorry). entering this phrase verbatim into your "attachment filename" criteria had much better success against my scripts:

\.\w+\.\w+

resulting "rules" view looks like:
file_check: if (attachment-filename == "\\.\\w+\\.\\w+") { quarantine ("Policy"); }

very important discussion on filetypes before you go implementing anything though:
http://tinyurl.com/kbjlk

give it a shot,

andrew

Works great! Thanks for your most valuable help!

I'm baaack! Just had the content filter trap an attachment with the name 09.16.09.doc. I guess what I would really like to do is mimic what my Intrusion Detection System defines as a double-dot extension. The rule is below. Is something like this possible?

.*\.(\[doc|txt|xl.|gif|jpg|zip|enc|end|ps|pdf|dot|etf|rtf|ex_|ex$|ram|rm|bak|bas|bdf|bga|bhz|lha|lzh|arc|arj|cdx|csv|cal|dat|pcm|wav|mpg|mpeg|avi|wmv|mp3|mpe|anus\])\s*\.\s*(\[386|ADE|ADP|ANI|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|GRP|HLP|HTA|INF|INS|ISP|JOB|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|WMF|WSC|WSF|WSH|WSZ|XL.\])

Andrew Wurster
Level 1

so if it was already written... why did I rewrite it for you?

it looks like it could work as a message filter. I would just paste in the exact syntax you provided as your new filter criteria and retest.

if you run into any problems, make sure to verify it against the python regex syntax.
http://docs.python.org/dev/howto/regex.html

again... IMHO this is not the way to go...

andrew
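The thread has three regex points worth seeing side by side: why '*.*.*' was rejected with "nothing to repeat", why '\.\w+\.\w+' also traps a legitimate name like 09.16.09.doc, and what an extension-list pattern modelled on the IDS rule does instead. The script below is an added example, not code from this thread or from Cisco; it tests the patterns with Python's re module, which is the syntax the last reply points at. IDS_STYLE is a constructed, deliberately shortened reading of the IDS rule (a handful of extensions from each list, anchored to the end of the name, case-insensitive); whether the ESA filter engine honours the '$' anchor and IGNORECASE exactly as Python does is an assumption to verify on the box, not something the thread states.

```python
import re

# The criterion suggested in this thread for the ESA "attachment filename" content filter.
ESA_DOUBLE_DOT = re.compile(r"\.\w+\.\w+")

# Constructed, simplified reading of the IDS rule quoted above (assumption: a short subset of
# each extension list, anchored to the end of the filename, case-insensitive). "do." and "xl."
# mirror the DO. / XL. entries in the IDS rule, which is why file.doc.doc still matches.
FIRST_EXT = r"(doc|txt|xls|pdf|zip|gif|jpg|csv|rtf)"
SECOND_EXT = r"(exe|bat|cmd|com|scr|pif|vbs|js|do.|xl.)"
IDS_STYLE = re.compile(r"\." + FIRST_EXT + r"\s*\.\s*" + SECOND_EXT + r"$", re.IGNORECASE)


def regex_error(pattern):
    """Return the re.error message for a pattern that does not compile, else None.
    Shows why '*.*.*' from earlier in the thread was rejected: a leading '*' has nothing to repeat."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def esa_filter_matches(filename):
    """True if the thread's \\.\\w+\\.\\w+ criterion would fire on this attachment name."""
    return ESA_DOUBLE_DOT.search(filename) is not None


def ids_style_matches(filename):
    """True if the stricter, extension-list based pattern would fire."""
    return IDS_STYLE.search(filename) is not None


def compare(filenames):
    """Map each filename to (esa_match, ids_style_match) so the two can be compared side by side."""
    return {name: (esa_filter_matches(name), ids_style_matches(name)) for name in filenames}


def rules_view(pattern):
    """Render a pattern the way the ESA 'rules' view printed it in the thread: the regex
    inside double quotes, with each backslash doubled."""
    return '"' + pattern.replace("\\", "\\\\") + '"'


# Constructed attachment names: the two from the thread plus a few realistic ones.
SAMPLE_NAMES = ["file.doc.doc", "09.16.09.doc", "invoice.pdf.exe",
                "report.pdf", "archive.tar.gz", "Q3.Budget.xls"]

if __name__ == "__main__":
    print("'*.*.*' ->", regex_error("*.*.*"))
    for name, (esa, ids) in compare(SAMPLE_NAMES).items():
        print(f"{name:18} ESA filter: {str(esa):5} IDS-style: {ids}")
    print("rules view:", rules_view(ESA_DOUBLE_DOT.pattern))
```

The output makes the trade-off concrete: the short pattern fires on every name with two dots (dated filenames, tar.gz archives, "Q3.Budget.xls"), while the extension-list pattern only fires when the last extension is one of the executable or macro-bearing types and the one before it is a document type. Either way, as the thread says, 'filetype' and 'mimetype' conditions are the more reliable handle than the filename.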
