Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Using Custom X-headers to Streamline Troubleshooting.

Collecting the information required to track or identify problem messages can be time consuming. Utilizing Ironport’s “Incoming Content Filters” and “Message Filter Action Variables” to add RFC2822 X-headers to inbound messages and can help streamline this process. For example, if you wanted an X-header to display the Senderbase Reputation Score of a message, at the time the message was originally received, you could do the following:

Using the Ironport GUI, Mail Policies tab > Incoming Content Filters:

- Click “Add Filter…"
- Enter Name “X-SBRS_Header”
- Enter Description “Adds SenderBase Reputation score of the sender. If there is no reputation score, it is replaced with "None".”
- Select Order. I found that if it is first, it places the x- header immediately after the “Received” headers. It can be placed where ever it fits best in your environment.
- Skip Condition – it will apply to all messages.
- Select “Add Header” from Actions section
- Enter Header Name: X-SBRS
- Enter Value: $Reputation
- Click “Add Action”
- Click Submit
- Then Commit your changes
- Enable the Content Filter for the “Incoming Mail Policies” -Default Policy (or appropriate policy for your environment)

:idea: If an end-user is reporting Spam missed by your anti-spam filters, you can quickly view the reputation score at the time it was received. Often we have found that spam received earlier in the day has dropped SRBS score and is now being blacklisted. This is also helpful when fine tuning your SBRS scale for your Sender Groups (Blacklist/Suspectlist) for your environment.

Some other “Message Filter Action Variables” that can be added to an X-header are:

Internal Message ID ($MID): Replaced by the Message ID, or "MID" used internally to identify the message. Not to be confused with the RFC822 "Message-Id" value (use $Header to retrieve that). Note: if you have multiple appliances, these numbers are duplicated between appliances.

Envelope Recipients ($EnvelopeRecipients): Adds all Envelope Recipients (Envelope To, <RCPT TO>) of the message. Helpful if recipients have multiple alias Internet addresses and sender displays only List/Group name or when spammers leave the RFC 2822 “To: header” blank.

Envelope Sender ($EnvelopeFrom): Adds the Envelope Sender (Envelope From, <MAIL FROM>) of the message. Helpful if the display from is spoofed.

:?: For more information check out the Advanced Configuration Guide under Policy Enforcement---> Message Filters---> Message Filter Action Variables.

New Member

Re: Using Custom X-headers to Streamline Troubleshooting.

Good tip Jeff - cheers. It's a shame though that there is no way of finding out the Spam score in the X-IronPort-Anti-Spam-Result. Now that would really help in tweaking the system :(

Re: Using Custom X-headers to Streamline Troubleshooting.

yeah, great tip

If you use Message Filters, you can have some performance gain 'cause message isn't splitted yet.

usually, i use this one

if recv-inj == 'IncomingMail' {
insert-header ('X-SBRS', '$REPUTATION');
insert-header ('X-SenderGroup', '$GROUP');
insert-header ('X-MailFlowPolicy', '$POLICY');