We are using the IronPort email security appliance C160 in our company. Yesterday a mail with an unknown DNS hostname was delivered to a user. IronPort didn't detect any viruses in it, but on the user side the mail was received, and a notification was also received showing the following:
"IMPORTANT: This email and any files transmitted with or attached to it (this "Email") are confidential and privileged and intended solely for the use of the individual or entity to whom they are addressed. This Email may be read, copied and used only by the intended recipients, and must not be re-transmitted in an amended form without the consent of the sender. Any unauthorized use of the information contained in this Email is strictly prohibited. If this Email is received in error, please notify the sender promptly, delete the material from your computer systems and other records and do not use, copy, or disclose the contents of this Email for the benefit of yourself or any third person. All e-mails to anyone @company.ae are communications to the Company Name and not private or confidential to any named individual. Furthermore this email represents the opinions of the sender and not necessarily those of the Company. Although the Company has taken reasonable precautions to ensure that no viruses are present in this email, the Company accepts no responsibility for any loss or damage arising from the use of this Email or for any errors or omissions in the content of this Email caused by electronic or technical failures."
When we check the message tracking details, the reverse DNS hostname is "none" and unverified, and the SBRS rating is -1.9, which falls under SUSPECTLIST. I want to know why IronPort allowed the mail to pass through when there was no DNS hostname, or what changes should be made to drop such mails.
IronPort can be configured to drop the message if the connecting server's DNS is not verified. By default it's turned off though, since it can drop a lot of legitimate senders too. This setting is under GUI-->Mail Policies-->HAT Overview: click on the sender group name (UNKNOWNLIST in your case), click Edit Settings and enable the "Connecting Host DNS Verification" options. You need to submit and commit the changes.
Since the IronPort virus/anti-spam engine didn't find any threat in the message, it will process it normally.
Customer Support Engineer
I have one more clarification.
How do I enable the reverse DNS option in IronPort?
Even if it is dropped, can we find those messages in the self-service portal? Am I right?
I provided steps to enable reverse DNS in my last response (Mail Policies-->HAT Overview-->Sender Group); please explain if you mean something else. You need to apply a BLOCKED or THROTTLED policy for this sender group if you don't want to accept the emails when the reverse DNS lookup fails.
To troubleshoot message reception, you need to know the IP addresses used for sending mail by the organization sending mail. Usually, contacting the sender organization's mail administrator is the most accurate way to get this info. In the absence of this option, you can use some other resources:
Once you know the IP addresses, you will need to search the mail logs. The grep utility is a good tool for this purpose. If you are running Windows, you can use Find in WordPad or Notepad, or download a grep utility from the Internet. Unix and Mac OS X have grep built in, and it can be run from a shell. The grep command line would look like this (where '184.108.40.206' is the IP address you are searching for):
host> grep -i '184.108.40.206' mail_logs
If the sender's server is successfully connecting to your server, you will see a line similar to the following when you search for their IP(s):
Wed Feb 2 23:43:11 2008 Info: New SMTP ICID 6 interface Management (10.0.0.1) address 18.104.22.168 reverse dns host test.ironport.com verified no
You can then search for all the lines involving the ICID (Incoming Connection ID). The lines you find will tell you if they sent From information, if they sent To information, and the message IDs (MID) linked with the connection. Searching on the MID(s) will show you if the message was accepted by the system, the scan results, and whether delivery was attempted.
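The IP -> ICID -> MID walk described above, written out as a small POSIX shell script. This is an added example and not part of the original post: the "New SMTP ICID ... reverse dns host ... verified" line shape is taken from the sample line shown above, while the ACCEPT, Start MID, From/To, antivirus, queued and "Message done" line shapes are assumptions modelled on typical AsyncOS mail_logs output. All log lines are constructed for the demo and written to a temporary file; the IP addresses are documentation ranges, not real senders.

```shell
#!/bin/sh
# Added example (not from the original post): trace a sender IP through an
# IronPort-style mail_logs file: IP -> ICID -> MID -> scan/delivery lines.
# The log lines below are CONSTRUCTED for this demo. Only the "New SMTP ICID"
# line format comes from the page; the other line shapes are assumptions.

MAIL_LOGS="${MAIL_LOGS:-/tmp/mail_logs_demo}"

write_demo_logs() {
cat > "$MAIL_LOGS" <<'EOF'
Wed Feb 2 23:43:11 2008 Info: New SMTP ICID 6 interface Management (10.0.0.1) address 192.0.2.25 reverse dns host None verified no
Wed Feb 2 23:43:11 2008 Info: ICID 6 ACCEPT SG UNKNOWNLIST match sbrs[-3.0:-1.0] SBRS -1.9
Wed Feb 2 23:43:12 2008 Info: Start MID 101 ICID 6
Wed Feb 2 23:43:12 2008 Info: MID 101 ICID 6 From: <sender@example.net>
Wed Feb 2 23:43:12 2008 Info: MID 101 ICID 6 RID 0 To: <user@company.ae>
Wed Feb 2 23:43:13 2008 Info: MID 101 antivirus negative
Wed Feb 2 23:43:13 2008 Info: MID 101 queued for delivery
Wed Feb 2 23:43:14 2008 Info: ICID 6 close
Wed Feb 2 23:43:20 2008 Info: New SMTP ICID 7 interface Management (10.0.0.1) address 198.51.100.7 reverse dns host mail.example.org verified yes
Wed Feb 2 23:43:21 2008 Info: Start MID 102 ICID 7
Wed Feb 2 23:43:21 2008 Info: MID 102 ICID 7 From: <ok@example.org>
Wed Feb 2 23:43:22 2008 Info: MID 102 queued for delivery
Wed Feb 2 23:43:30 2008 Info: Message done DCID 3 MID 101 to RID [0]
EOF
}

# Step 1: connection IDs (ICIDs) opened by a given sender IP.
# The trailing space after the IP stops 192.0.2.25 from matching 192.0.2.250.
icids_for_ip() {   # $1 = IP address
    grep -F "address $1 " "$MAIL_LOGS" | sed -n 's/.*New SMTP ICID \([0-9]*\) .*/\1/p'
}

# Step 2: message IDs (MIDs) started on a given ICID.
mids_for_icid() {  # $1 = ICID
    grep -E "Start MID [0-9]+ ICID $1\$" "$MAIL_LOGS" | sed -n 's/.*Start MID \([0-9]*\) .*/\1/p'
}

# Reverse-DNS verification result (yes/no) recorded when the ICID was opened.
dns_verified_for_icid() {  # $1 = ICID
    grep -E "New SMTP ICID $1 " "$MAIL_LOGS" | sed -n 's/.*verified \([a-z]*\).*/\1/p'
}

# Step 3: every line for a MID (From/To, scan results, queueing, delivery).
mid_lines() {      # $1 = MID
    grep -E "MID $1( |\$)" "$MAIL_LOGS"
}

# Full trace for one sender IP, printed for the reader.
trace_ip() {       # $1 = IP address
    for icid in $(icids_for_ip "$1"); do
        echo "ICID $icid (reverse DNS verified: $(dns_verified_for_icid "$icid"))"
        for mid in $(mids_for_icid "$icid"); do
            mid_lines "$mid"
        done
    done
}

write_demo_logs
trace_ip 192.0.2.25
```

Running the script prints the single connection from 192.0.2.25 (ICID 6, reverse DNS not verified) followed by every line for MID 101, which is where you read off the From/To, the "antivirus negative" scan result and the "Message done" delivery line. Point MAIL_LOGS at a real exported mail_logs file to use the same functions against appliance output.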