Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

New Member

internal (private) IP's of Exchange servers being blocked by reputation filtering

Hello:

I have my Exchange 2010 Hub Transport servers configured to use a Send Connector to route all externally bound email through an IronPort c350 in a smarthost configuration. In troubleshooting an Exchange availability issue, I had a look at this applicance's Incoming Mail stats. In those stats, I see where every hour, 16,000 "inbound" emails are supposedly being stopped by Reputation Filtering:

Domain Rejected Accepted Total Attempted Stopped by Recipient Throttling Stopped by Reputation Filtering arrow Stopped as Invalid Recipients Spam Detected Virus Detected Stopped by Content Filter Total Threat Marketing Clean
test.com0416.2k016.2k000016.2k00


If I change the view to IP Address, test.com is broken into my 3 Hub Transport server's IP's:

IP Address Hostname DNS Verified SBRS Last Sender Group Total Attempted Stopped by Reputation Filtering arrow Stopped as Invalid Recipients Spam Detected Virus Detected Stopped by Content Filter Total Threat Marketing Clean
10.10.10.51...ht02p.test.comNo--06,4266,42600006,42600
10.10.10.52...ht03p.test.comNo--06,4266,42600006,42600
10.10.10.50...ht01p.test.comNo--04,1584,15800004,15800


If I look into message tracking on my M series and filter by rejected connections, IP address, or any delimiter I can think of, I can't find record of the actual messages that are being stopped.

The Exchange message tracking logs don't reflect any such activity.

I've opened mail_logs on the affected appliance and I don't see anything in there related to these IP's being rejected by reputation filtering.

I've gotten no reports of emails delayed or failing to be delivered.

Insofar as I can tell, this behavior has taken place since I put in the Exchange 2010 Send Connector to the internet.

Do I have a worm run amok on my network, is this a false positive, or can anyone think of anywhere else I could look to find out what this traffic is referring to?

thank you in advance for any assistance.

2 REPLIES
Cisco Employee

internal (private) IP's of Exchange servers being blocked by rep

What most likely is happening is your connection is being throttled because of large volumes of mail. The statistics shows for Reputation Blocking include those connections that are Throttled. You probably want to examine your Mail Flow Policies to make sure that it is 1. a relay policy and 2. that you have allotted enough connections and recipients per message and flow control settings.

New Member

internal (private) IP's of Exchange servers being blocked by rep

I have recently been looking in to something which sounds very similar

Looking at the Incoming Mail report (by IP) I was seeing (IP address and domain info obfuscated):

Sender IP Address

Hostname

DNS Verified

SBRS

Last Sender Group

Total Attempted

Stopped by Reputation Filtering 

Stopped as Invalid Recipients

Spam Detected

Virus Detected

Stopped by Content Filter

Total Threat

Marketing

Clean

10.x.x.x

No Domain Information

No

--

0

22.3k

22.3k

0

0

0

0

22.3k

0

0


But this an outgoing exchange server on a relay policy so

1 - shouldn't be seeing mail blocked

2 - should be generating a lot of clean outbound traffic.

3 - should probably be on the "outgoing senders" report rather than the "incoming mail" report anyway.  Which it is...

Sender IP Address

Hostname

Spam Detected

Virus Detected

Stopped by Content Filter

Total Threat

Clean

Total Messages

10.x.x.x

unknown domain

0

0

158

158

28.7k

28.8k

We'd also had no reports of mail delay or non-delivery, and this was happening on a Saturday, when we wouldn't have been expecting large quantities of mail from this source.

Eventually tracked this down to a period when the DNS servers hosting the records for the domain which sends mail on this IP were not responding - log entries typically like:

Sat Jun 16 12:12:45 2012 Info: ICID 141750117 RELAY SG VOLUME_RELAYSERVERS match 10.x.x.x SBRS rfc1918

Sat Jun 16 12:12:45 2012 Warning: Received an invalid DNS Response: '' to IP looking up

Sat Jun 16 12:12:45 2012 Info: ICID 141750117 Address: <sender@senderdomain> sender rejected, envelope sender domain could not be resolved

Sat Jun 16 12:12:45 2012 Info: ICID 141750117 close

The repeated retrying of the same messages over a period of around 10 hours added up to the 22.3k rejections.

It looks like in this instance the failure is being recorded under "Incoming Mail" instead of "Outgoing Senders" despite the IP being in a relay sender group.

Hope this helps - maybe a few clues for what to look for in your logs if nothing else.

1552
Views
0
Helpful
2
Replies