Using Custom X-headers to Streamline Troubleshooting.
Collecting the information required to track or identify problem messages can be time-consuming. Using Ironport’s “Incoming Content Filters” and “Message Filter Action Variables” to add RFC 2822 X-headers to inbound messages can help streamline this process. For example, if you wanted an X-header to display the SenderBase Reputation Score of a message as it was when the message was originally received, you could do the following:
Using the Ironport GUI, Mail Policies tab > Incoming Content Filters:
- Click “Add Filter…”
- Enter Name “X-SBRS_Header”
- Enter Description “Adds SenderBase Reputation score of the sender. If there is no reputation score, it is replaced with "None".”
- Select Order. I found that if it is first, it places the X-header immediately after the “Received” headers. It can be placed wherever it fits best in your environment.
- Skip Condition – it will apply to all messages.
- Select “Add Header” from Actions section
- Enter Header Name: X-SBRS
- Enter Value: $Reputation
- Click “Add Action”
- Click Submit
- Then Commit your changes
- Enable the Content Filter for the “Incoming Mail Policies” - Default Policy (or appropriate policy for your environment)
If an end-user is reporting Spam missed by your anti-spam filters, you can quickly view the reputation score at the time it was received. Often we have found that spam received earlier in the day has dropped in SBRS score and is now being blacklisted. This is also helpful when fine-tuning your SBRS scale for your Sender Groups (Blacklist/Suspectlist) for your environment.
Some other “Message Filter Action Variables” that can be added to an X-header are:
Internal Message ID ($MID): Replaced by the Message ID, or "MID" used internally to identify the message. Not to be confused with the RFC822 "Message-Id" value (use $Header to retrieve that). Note: if you have multiple appliances, these numbers are duplicated between appliances.
Envelope Recipients ($EnvelopeRecipients): Adds all Envelope Recipients (Envelope To, <RCPT TO>) of the message. Helpful if recipients have multiple alias Internet addresses and sender displays only List/Group name or when spammers leave the RFC 2822 “To: header” blank.
Envelope Sender ($EnvelopeFrom): Adds the Envelope Sender (Envelope From, <MAIL FROM>) of the message. Helpful if the display from is spoofed.
For more information check out the Advanced Configuration Guide under Policy Enforcement > Message Filters > Message Filter Action Variables.
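Once these headers are stamped on inbound mail, a reported message can be triaged straight from its source. The following Python helper is an added example, not part of the original post: X-SBRS is the header created above, while the header names X-Envelope-From and X-Envelope-Rcpt, the comma-separated recipient format, and the -1.0 threshold are assumptions to adapt to your own filters.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample of a user-reported message (not real traffic).
# X-Envelope-From / X-Envelope-Rcpt are assumed names for headers
# stamped with $EnvelopeFrom and $EnvelopeRecipients.
SAMPLE = """\
Received: from mail.example.net (192.0.2.10) by esa1.example.com
X-SBRS: -1.2
X-Envelope-From: bounce@bulk.example.net
X-Envelope-Rcpt: alice@example.com, sales@example.com
From: "Example Bank" <support@bank.example>
To: undisclosed-recipients:;
Subject: Account notice

body
"""

def parse_sbrs(value):
    """Return the score as a float; None if absent, "None", or unparsable."""
    if value is None or value.strip().lower() == "none":
        return None
    try:
        return float(value.strip())
    except ValueError:
        return None

def triage(raw, suspect_below=-1.0):
    """Summarise what the appliance recorded when the message arrived."""
    msg = message_from_string(raw)
    sbrs = parse_sbrs(msg.get("X-SBRS"))
    env_from = parseaddr(msg.get("X-Envelope-From", ""))[1].lower()
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = [addr.lower() for _, addr in
             getaddresses([msg.get("X-Envelope-Rcpt", "")]) if addr]
    env_dom = env_from.rpartition("@")[2]
    hdr_dom = hdr_from.rpartition("@")[2]
    return {
        "sbrs_at_receipt": sbrs,
        # suspect_below is a hypothetical cut-off, not an appliance default.
        "low_reputation": sbrs is not None and sbrs < suspect_below,
        "envelope_from": env_from,
        "header_from": hdr_from,
        # Display From domain differs from the MAIL FROM domain.
        "from_domain_mismatch": bool(env_dom and hdr_dom and env_dom != hdr_dom),
        "envelope_recipients": rcpts,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A domain mismatch is a prompt for review rather than proof of spoofing, since legitimate bulk senders often use a separate bounce domain.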