Block list not working as expected.

scole
Level 1

I have a user that added a domain to their blocklist, but mail from it is still coming through.

Is it possible for this to happen when a user has two e-mail addresses attached to their account?

Example

bob@domain.com - main e-mail

bsmith@domain.com - secondary

E-mail sent to bsmith@domain.com is getting through the blocklist.

If this is the case how do you fix it?

Thanks

4 Replies

Hi

Since I cannot see your configuration, I would be doing a bit of guessing here. Ideally you would want to consult the mail logs to find out exactly what happened with the message. Does it show that it did not match the address at all? Typically these are entered as a single address; however, the user may have many individual addresses listed.

First, let's go over the Safelist/Blocklist.

The SL/BL feature evaluates incoming messages on both the envelope "Mail From" and the "From" header, in the following sequence:

  1. Full email address in "From" header
  2. Domain part of email address in "From" header
  3. Full email address in envelope "Mail From"
  4. Domain part of email address in envelope "Mail From"

The message is processed until the first match is met. This can result in a more general match being preferred to a more specific one, as illustrated in the example below:

Example:

The recipient userA@test.com has the following SL/BL entries:

example.com on Blocklist
userB@example.com on Safelist

userB@example.com sends a message to userA@test.com with the following properties:

envelope Mail From = userB@example.com
header From = notreply@example.com

Result: The domain part of the email address in the "From" header (example.com) matches the entry in the Blocklist, and the message is therefore blocked, even though "userB@example.com" is on the Safelist.

How to find SL/BL entries in the mail logs?

If an end user has added a sender's email or sender's domain to their personal safelist/blacklist in the EUQ, the mail_log entries will look like this:

Thu Aug 16 13:41:51 2007 Info: MID 152 ICID 125 From: <lilj@allow.com>
Thu Aug 16 13:41:55 2007 Info: MID 152 ICID 125 RID 0 To: <end_user@ironport.com>
Thu Aug 16 13:42:10 2007 Info: MID 152 Message-ID '<66nnd2$4o@test.run>'
Thu Aug 16 13:42:10 2007 Info: MID 152 Subject '3:43pm'
Thu Aug 16 13:42:10 2007 Info: MID 152 ready 150 bytes from <lilj@allow.com>
Thu Aug 16 13:42:10 2007 Info: MID 152 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Aug 16 13:42:10 2007 Info: MID 152 interim verdict using engine: SLBL spam negative
Thu Aug 16 13:42:10 2007 Info: MID 152 using engine: SLBL spam negative
Thu Aug 16 13:42:10 2007 Info: MID 152 queued for delivery

If there are multiple recipients in the message and one recipient is using the SL/BL feature, then the message will be splintered into new MIDs.

Thu Aug 16 15:55:57 2007 Info: ICID 139 ACCEPT SG None match ALL SBRS None
Thu Aug 16 15:56:02 2007 Info: Start MID 170 ICID 139
Thu Aug 16 15:56:02 2007 Info: MID 170 ICID 139 From: <x@x.com>
Thu Aug 16 15:56:06 2007 Info: MID 170 ICID 139 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:10 2007 Info: MID 170 ICID 139 RID 1 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 Message-ID '<66nnd2$5a@falcon.run>'
Thu Aug 16 15:56:21 2007 Info: MID 170 Subject '5:58pm'
Thu Aug 16 15:56:21 2007 Info: MID 170 ready 151 bytes from <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 171 due to a SL/BL configuration for following recipients: kluu@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 171 ICID 0 From: <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 171 ICID 0 RID 0 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 172 due to a SL/BL configuration for following recipients: lijlij@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 172 ICID 0 From: <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 172 ICID 0 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:21 2007 Info: Message finished MID 170 done
Thu Aug 16 15:56:21 2007 Info: MID 171 interim verdict using engine: SLBL spam negative
Thu Aug 16 15:56:21 2007 Info: MID 171 using engine: SLBL spam negative
Thu Aug 16 15:56:21 2007 Info: MID 171 queued for delivery
Thu Aug 16 15:56:21 2007 Info: New SMTP DCID 134 interface 172.19.0.146 address 10.1.1.39 port 25
Thu Aug 16 15:56:21 2007 Info: Delivery start DCID 134 MID 171 to RID [0]
Thu Aug 16 15:56:22 2007 Info: Message done DCID 134 MID 171 to RID [0]
Thu Aug 16 15:56:22 2007 Info: MID 171 RID [0] Response 'ok: Message 56596446 accepted'

My guess is you will see one address triggering and not the other. I would probably have to see your configuration to understand how the addresses are implemented in the SL/BL.

Christopher C Smith

CSE
Cisco IronPort Customer Support 
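
The four-step, first-match order described in this reply, together with the recipient-alias question from the original post, as an added example that is not part of the reply and not AsyncOS code. The `alias_map` stands in for an LDAP alias consolidation lookup; all addresses and the domain spam.test are constructed.

```python
# Added model of first-match Safelist/Blocklist (SL/BL) evaluation; not
# AsyncOS code. Steps follow the order quoted in the reply; alias_map stands
# in for the LDAP alias consolidation query that maps a secondary address to
# the primary account that owns the list.
from dataclasses import dataclass, field

@dataclass
class UserSLBL:
    safelist: set = field(default_factory=set)   # addresses or domains, lowercase
    blocklist: set = field(default_factory=set)

def _domain(addr):
    return addr.rsplit("@", 1)[-1]

def evaluate(entries, header_from, mail_from):
    """First hit wins: a domain entry at step 2 beats an address entry
    that would only match at step 3 (the surprise in the reply's example)."""
    header_from, mail_from = header_from.lower(), mail_from.lower()
    candidates = [(1, header_from), (2, _domain(header_from)),
                  (3, mail_from), (4, _domain(mail_from))]
    for step, key in candidates:
        if key in entries.safelist:
            return ("safelist", key, step)
        if key in entries.blocklist:
            return ("blocklist", key, step)
    return None

def lookup_entries(recipient, slbl_by_primary, alias_map=None):
    """Find the SL/BL for a recipient; without alias_map a secondary
    address owns no entries, so nothing can match for it."""
    rcpt = recipient.lower()
    primary = (alias_map or {}).get(rcpt, rcpt)
    return slbl_by_primary.get(primary, UserSLBL())

def demo():
    # Reply's example: example.com blocked, userB@example.com safelisted.
    user_a = UserSLBL(safelist={"userb@example.com"}, blocklist={"example.com"})
    general_wins = evaluate(user_a, "notreply@example.com", "userB@example.com")
    # Thread's question: bob owns the list, bsmith is bob's secondary address.
    lists = {"bob@domain.com": UserSLBL(blocklist={"spam.test"})}  # constructed
    aliases = {"bsmith@domain.com": "bob@domain.com"}
    consolidated = lookup_entries("bsmith@domain.com", lists, aliases)
    unconsolidated = lookup_entries("bsmith@domain.com", lists)
    return (general_wins,
            evaluate(consolidated, "ad@spam.test", "ad@spam.test"),
            evaluate(unconsolidated, "ad@spam.test", "ad@spam.test"))
```

The third result is `None`: with no alias mapping, mail to the secondary address is evaluated against an empty list, which is the behaviour the original post reports.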

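The reply shows how SL/BL activity appears in mail_log, including messages splintered into new MIDs. As an added triage helper that is not part of the reply or of Cisco's tooling, the script below groups such lines by MID, links each splinter to its parent, and records the final SLBL verdict; the regexes are assumptions fitted to the quoted format, and `SAMPLE` is constructed from the reply's second log.

```python
# Added triage helper, not Cisco tooling: groups AsyncOS-style mail_log lines
# by MID, links splinter MIDs to their parent, and records the final SLBL
# verdict, so you can see which recipient's list was actually evaluated.
# SAMPLE is constructed from the split example quoted in the reply.
import re

SPLIT_RE = re.compile(r"MID (\d+) was split creating MID (\d+) due to a SL/BL "
                      r"configuration for following recipients: (\S+)")
RCPT_RE = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]+)>")
# Final verdict only; "interim verdict using engine" lines are skipped.
VERDICT_RE = re.compile(r"MID (\d+) using engine: SLBL spam (\w+)")

SAMPLE = """\
Thu Aug 16 15:56:02 2007 Info: MID 170 ICID 139 From: <x@x.com>
Thu Aug 16 15:56:06 2007 Info: MID 170 ICID 139 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:10 2007 Info: MID 170 ICID 139 RID 1 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 171 due to a SL/BL configuration for following recipients: kluu@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 171 ICID 0 RID 0 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 172 due to a SL/BL configuration for following recipients: lijlij@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 172 ICID 0 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 171 interim verdict using engine: SLBL spam negative
Thu Aug 16 15:56:21 2007 Info: MID 171 using engine: SLBL spam negative
""".splitlines()

def slbl_report(lines):
    """Return {mid: {"parent", "split_for", "recipients", "verdict"}}."""
    mids = {}

    def rec(mid):
        return mids.setdefault(mid, {"parent": None, "split_for": None,
                                     "recipients": [], "verdict": None})
    for line in lines:
        if m := SPLIT_RE.search(line):
            child = rec(m.group(2))
            child["parent"], child["split_for"] = m.group(1), m.group(3).lower()
        elif m := RCPT_RE.search(line):
            rec(m.group(1))["recipients"].append(m.group(2).lower())
        elif m := VERDICT_RE.search(line):
            rec(m.group(1))["verdict"] = m.group(2)
    return mids

def splinters_without_verdict(report):
    """Splinter MIDs with no final SLBL verdict in the captured lines:
    these are the MIDs to chase further in the log."""
    return sorted(mid for mid, r in report.items()
                  if r["parent"] and r["verdict"] is None)
```

On a real capture, feed every line for the suspect message so each splinter's verdict line is present, then compare `split_for` against the address the user actually has in their SL/BL.
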
I submitted a ticket for it, but it appears to be the LDAP Spam Quarantine Alias Consolidation Query.

Still not working at the moment but I am looking into it.

Currently I have set up the following query string:

Query String: (|(proxyAddresses={a})(proxyAddresses=smtp:{a}))

Email Attribute: proxyAddresses

Hopefully we will find a proper LDAP Query for Exchange 2010.

Hi,

I just wanted to check whether your issue was addressed through the ticket you opened. Were you able to determine if the query was the problem?

If the query is at issue: are you using LDAP for other functionality, and if so, do the other queries work, for example the accept query?

Did you enable the ldap debug logs?

Christopher C Smith

CSE

Cisco IronPort Customer Support

We have it working using the following.

Server Type: Active Directory

Port: 3268

Base DN:

End User Authentication

Query: (sAMAccountName={u})

Email Attribute: mail,proxyAddresses

Alias Consolidation Query

Query: (|(proxyAddresses={a})(proxyAddresses=smtp:{a}))

Email Attribute: mail,proxyAddresses