
Using Custom X-headers to Streamline Troubleshooting.

Collecting the information required to track or identify problem messages can be time consuming. Utilizing Ironport’s “Incoming Content Filters” and “Message Filter Action Variables” to add RFC2822 X-headers to inbound messages can help streamline this process. For example, if you wanted an X-header to display the SenderBase Reputation Score of a message, at the time the message was originally received, you could do the following:

Using the Ironport GUI, Mail Policies tab > Incoming Content Filters:

- Click “Add Filter…"
- Enter Name “X-SBRS_Header”
- Enter Description “Adds SenderBase Reputation score of the sender. If there is no reputation score, it is replaced with "None".”
- Select Order. I found that if it is first, it places the X-header immediately after the “Received” headers. It can be placed wherever it fits best in your environment.
- Skip Condition – it will apply to all messages.
- Select “Add Header” from Actions section
- Enter Header Name: X-SBRS
- Enter Value: $Reputation
- Click “Add Action”
- Click Submit
- Then Commit your changes
- Enable the Content Filter for the “Incoming Mail Policies” - Default Policy (or appropriate policy for your environment)

If an end-user is reporting spam missed by your anti-spam filters, you can quickly view the reputation score at the time it was received. Often we have found that spam received earlier in the day has a dropped SBRS score and is now being blacklisted. This is also helpful when fine tuning your SBRS scale for your Sender Groups (Blacklist/Suspectlist) for your environment.

Some other “Message Filter Action Variables” that can be added to an X-header are:

Internal Message ID ($MID): Replaced by the Message ID, or "MID" used internally to identify the message. Not to be confused with the RFC822 "Message-Id" value (use $Header to retrieve that). Note: if you have multiple appliances, these numbers are duplicated between appliances.

Envelope Recipients ($EnvelopeRecipients): Adds all Envelope Recipients (Envelope To, <RCPT TO>) of the message. Helpful if recipients have multiple alias Internet addresses and sender displays only List/Group name or when spammers leave the RFC 2822 “To: header” blank.

Envelope Sender ($EnvelopeFrom): Adds the Envelope Sender (Envelope From, <MAIL FROM>) of the message. Helpful if the display from is spoofed.

For more information check out the Advanced Configuration Guide under Policy Enforcement > Message Filters > Message Filter Action Variables.


jbuk_ironport
Level 1

Good tip Jeff - cheers. It's a shame though that there is no way of finding out the Spam score in the X-IronPort-Anti-Spam-Result. Now that would really help in tweaking the system :(

yeah, great tip

If you use Message Filters, you can have some performance gain 'cause the message isn't split yet.

Usually, I use this one:


AddHeaderSBRS:
if recv-inj == 'IncomingMail' {
    insert-header ('X-SBRS', '$REPUTATION');
    insert-header ('X-SenderGroup', '$GROUP');
    insert-header ('X-MailFlowPolicy', '$POLICY');
}
.
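The headers discussed in this thread can be read back out of a reported message during triage. The following is an added example, not code from any poster or from IronPort: X-SBRS and X-SenderGroup are the names used above, while X-Envelope-From and X-Envelope-Rcpt are hypothetical header names assumed to be filled from $EnvelopeFrom and $EnvelopeRecipients, with recipients assumed to be comma-separated.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample of a reported message after the filters above have run.
# X-Envelope-From / X-Envelope-Rcpt are hypothetical names (see lead-in).
SAMPLE = """\
Received: from mail.example.net by esa.example.com; Mon, 1 Jan 2024 09:00:00 +0000
X-SBRS: -2.1
X-SenderGroup: SUSPECTLIST
X-Envelope-From: bounce@bulk.example.net
X-Envelope-Rcpt: alice@example.com, sales@example.com
From: "Example Bank" <support@bank.example.org>
To:
Subject: Account notice

body
"""

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Summarise the appliance-added X-headers of one reported message."""
    msg = message_from_string(raw)
    try:
        sbrs = float(msg.get("X-SBRS", "").strip())
    except ValueError:  # header absent, or "None" when the sender had no score
        sbrs = None
    env_from = parseaddr(msg.get("X-Envelope-From", ""))[1]
    hdr_from = parseaddr(msg.get("From", ""))[1]
    rcpts = [a for _, a in getaddresses([msg.get("X-Envelope-Rcpt", "")]) if a]
    return {
        "sbrs": sbrs,
        "sender_group": msg.get("X-SenderGroup"),
        "envelope_from": env_from,
        "recipients": rcpts,
        # Display From and MAIL FROM in different domains: worth a look,
        # though legitimate bulk senders also do this.
        "from_mismatch": bool(env_from and hdr_from)
        and _domain(env_from) != _domain(hdr_from),
        # Blank To: header; the envelope list is then the only record
        # of who actually received the message.
        "to_blank": not (msg.get("To") or "").strip(),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```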
