allowed a mail whose reverse DNS hostname is unverified

Omar Fatah
Level 1

Hi,

We are using an IronPort email security appliance C160 in our company. Yesterday a mail with an unknown DNS hostname was delivered to the user. IronPort didn't detect any viruses in it, but on the user side the mail was received and also a notification was received showing the following:

“IMPORTANT: This email and any files transmitted with or attached to it (this “Email”) are confidential and privileged and intended solely for the use of the individual or entity to whom they are addressed. This Email may be read, copied and used only by the intended recipients, and must not be re-transmitted in an amended form without the consent of the sender. Any unauthorized use of the information contained in this Email is strictly prohibited. If this Email is received in error, please notify the sender promptly, delete the material from your computer systems and other records and do not use, copy, or disclose the contents of this Email for the benefit of yourself or any third person. All e-mails to anyone @company.ae are communications to the Company Name and not private or confidential to any named individual. Furthermore this email represents the opinions of the sender and not necessarily those of the Company. Although the Company has taken reasonable precautions to ensure that no viruses are present in this email, the Company accepts no responsibility for any loss or damage arising from the use of this Email or for any errors or omissions in the content of this Email caused by electronic or technical failures.”
When we check the message tracking details, the reverse DNS hostname is none and unverified, and the SBRS rating is -1.9, which is under SUSPECTLIST. I want to know why the IronPort allowed the mail to pass through when there was no DNS hostname, or whether any changes should be made to drop such mails.

3 Replies

viahmed
Cisco Employee

Hi Omar,

IronPort can be configured to drop the message if the connecting server's DNS is not verified. By default it's turned off, though, since it can drop a lot of legitimate senders too. This setting is under GUI-->Mail Policies-->HAT Overview; click on the sender group name (UNKNOWNLIST in your case) and enable the option "Connecting Host DNS Verification" by clicking Edit Settings. You need to submit and commit the changes.

Since the IronPort virus/anti-spam engine didn't find any threat in the message, it will process it normally.

Cheers,

Viquar Ahmed

Customer Support Engineer

Hi

Thanks Viquar.

I have one more clarification.

How to enable the Reverse DNS option in ironport?

Even if it is dropped, can we find those messages in the self-service portal? Am I right?

Regards

Omar Fatah

I provided steps to enable reverse DNS in my last response (Mail Policies-->HAT Overview-->Sender Group); please explain if you mean something else. You need to apply a Blocked or Throttled policy for this sender group if you don't want to accept the emails when the reverse DNS lookup fails.

To troubleshoot message reception, you need to know the IP addresses used for sending mail by the organization sending mail. Usually, contacting the sender organization's mail administrator is the most accurate way to get this info. In the absence of this option, you can use some other resources:

  • SenderBase - If you enter a domain in the search box at http://www.senderbase.org, you will receive a list of known sending IPs for that domain.
  • Mail Logs - If you have successfully received mail from the domain in the past, you can look in the mail logs for one of those successful deliveries.
  • DNS - You can look up the MX records for the domain. Most smaller organizations use the same inbound and outbound servers. For larger or more segmented organizations, this option will not likely reveal the needed information.

Once you know the IP addresses, you will need to search the mail logs. The grep utility is a good tool for this purpose. If you are running Windows, you can use Find in WordPad or Notepad or download a grep utility from the Internet. Unix and Mac OS X have grep built in, and it can be accessed from a shell. The grep command line would look like this (where '1.2.3.4' is the IP address you are searching for):

host> grep -i '1.2.3.4' mail_logs

If the sender's server is successfully connecting to your server, you will see a line similar to the following when you search for their IP(s):

Wed Feb  2 23:43:11 2008 Info: New SMTP ICID 6 interface Management (10.0.0.1) address 1.2.3.4 reverse dns host test.ironport.com verified no

You can then search for all the lines involving the ICID (Incoming Connection ID). The lines you find will tell you if they sent From information, if they sent To information, and the message IDs (MID) linked with the connection. Searching on the MID(s) will show you if the message was accepted by the system, the scan results, and whether delivery was attempted.

Cheers,

Viquar
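The IP -> ICID -> MID trace described in the reply above, carried out in Python rather than with repeated grep calls. This is an added example, not code from the original thread or from Cisco. The mail_logs sample it parses is constructed: the "New SMTP ICID" line follows the one quoted above, while the layout of the ACCEPT / Start MID / From / To lines is assumed from the AsyncOS log format, and every address, hostname, ICID and MID is made up.

```python
import re

# Constructed sample of AsyncOS mail_logs lines, modelled on the "New SMTP ICID"
# line in the post. Addresses, hostnames, ICIDs and MIDs are made up; the layout
# of the ACCEPT / Start MID / From / To lines is assumed from the AsyncOS format.
SAMPLE_MAIL_LOGS = """\
Wed Feb  2 23:43:11 2008 Info: New SMTP ICID 6 interface Management (10.0.0.1) address 1.2.3.4 reverse dns host test.ironport.com verified no
Wed Feb  2 23:43:11 2008 Info: ICID 6 ACCEPT SG UNKNOWNLIST match sbrs[-3.0:-1.0] SBRS -1.9
Wed Feb  2 23:43:12 2008 Info: Start MID 10 ICID 6
Wed Feb  2 23:43:12 2008 Info: MID 10 ICID 6 From: <sender@example.org>
Wed Feb  2 23:43:12 2008 Info: MID 10 ICID 6 RID 0 To: <user@company.ae>
Wed Feb  2 23:43:13 2008 Info: MID 10 antivirus negative
Wed Feb  2 23:43:13 2008 Info: MID 10 queued for delivery
Wed Feb  2 23:43:14 2008 Info: ICID 6 close
Wed Feb  2 23:50:02 2008 Info: New SMTP ICID 7 interface Management (10.0.0.1) address 5.6.7.8 reverse dns host mail.partner.example verified yes
Wed Feb  2 23:50:02 2008 Info: ICID 7 ACCEPT SG WHITELIST match sbrs[6.0:10.0] SBRS 7.5
Wed Feb  2 23:50:03 2008 Info: Start MID 11 ICID 7
Wed Feb  2 23:50:03 2008 Info: MID 11 ICID 7 From: <hr@partner.example>
Wed Feb  2 23:50:03 2008 Info: MID 11 ICID 7 RID 0 To: <omar@company.ae>
Wed Feb  2 23:50:04 2008 Info: ICID 7 close
"""

# One regex per line type we care about; every other line is ignored.
NEW_ICID_RE = re.compile(
    r"New SMTP ICID (?P<icid>\d+) .*?address (?P<ip>\S+) "
    r"reverse dns host (?P<host>\S+) verified (?P<verified>yes|no)")
SENDER_GROUP_RE = re.compile(
    r"ICID (?P<icid>\d+) (?P<verdict>ACCEPT|REJECT|RELAY|TCPREFUSE) SG (?P<sg>\S+)")
START_MID_RE = re.compile(r"Start MID (?P<mid>\d+) ICID (?P<icid>\d+)")
FROM_RE = re.compile(r"MID (?P<mid>\d+) ICID \d+ From: <(?P<addr>[^>]*)>")
TO_RE = re.compile(r"MID (?P<mid>\d+) ICID \d+ RID \d+ To: <(?P<addr>[^>]*)>")


def parse_mail_logs(text):
    """Return {icid: connection}; each connection records the peer IP, the reverse
    DNS result, the HAT verdict and sender group, and the MIDs carried over it."""
    conns = {}
    mid_owner = {}  # mid -> icid, so From/To lines can be attached to their connection
    for line in text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m:
            conns[int(m["icid"])] = {
                "ip": m["ip"], "host": m["host"], "verified": m["verified"] == "yes",
                "verdict": None, "sender_group": None, "mids": {}}
            continue
        m = SENDER_GROUP_RE.search(line)
        if m and int(m["icid"]) in conns:
            conns[int(m["icid"])].update(verdict=m["verdict"], sender_group=m["sg"])
            continue
        m = START_MID_RE.search(line)
        if m and int(m["icid"]) in conns:
            mid, icid = int(m["mid"]), int(m["icid"])
            mid_owner[mid] = icid
            conns[icid]["mids"][mid] = {"from": None, "to": []}
            continue
        m = FROM_RE.search(line)
        if m and int(m["mid"]) in mid_owner:
            conns[mid_owner[int(m["mid"])]]["mids"][int(m["mid"])]["from"] = m["addr"]
            continue
        m = TO_RE.search(line)
        if m and int(m["mid"]) in mid_owner:
            conns[mid_owner[int(m["mid"])]]["mids"][int(m["mid"])]["to"].append(m["addr"])
    return conns


def connections_from(conns, ip):
    """ICIDs opened by a given sending IP (the grep step in the reply)."""
    return sorted(icid for icid, c in conns.items() if c["ip"] == ip)


def messages_from(conns, ip):
    """MIDs carried over those connections (the ICID -> MID step)."""
    return sorted(mid for icid in connections_from(conns, ip) for mid in conns[icid]["mids"])


def unverified_connections(conns):
    """ICIDs whose reverse DNS did not verify, the case the question is about."""
    return sorted(icid for icid, c in conns.items() if not c["verified"])


if __name__ == "__main__":
    conns = parse_mail_logs(SAMPLE_MAIL_LOGS)
    for icid in unverified_connections(conns):
        c = conns[icid]
        print(f"ICID {icid}: {c['ip']} rDNS={c['host']} verified=no "
              f"verdict={c['verdict']} SG={c['sender_group']}")
        for mid, msg in c["mids"].items():
            print(f"  MID {mid}: From {msg['from']} To {msg['to']}")
```

Against a real appliance export you would call parse_mail_logs(open("mail_logs").read()) instead of the constructed sample. The report for ICID 6 shows what the thread concludes: the connection's reverse DNS did not verify, but because the HAT matched UNKNOWNLIST with an ACCEPT verdict and DNS verification was not enabled for that sender group, the message (MID 10) went on to scanning and delivery.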