
ESA: how to limit messages per hour from host (or from envelope sender if that is not possible).

Hi to all,

 

Is there a rate limit that allows limiting the maximum number of recipients per hour from host and from envelope sender, and a way to limit the number of messages instead of the number of recipients?

We want to avoid a faulty application sending a huge amount of messages and collapsing our mail infrastructure. Is there another means to avoid it?

It would be something similar to the following, but with Max. Messages instead of Max. Recipients:

 

Max. Recipients per Hour

The maximum number of recipients per hour this listener will receive from a remote host. The number of recipients per sender IP address is tracked globally. Each listener tracks its own rate limiting threshold; however, because all listeners validate against a single counter, it is more likely that the rate limit will be exceeded if the same IP address (sender) is connecting to multiple listeners.

Thank you and looking forward to your replies.

 

Cheers

2 Replies

ppreenja
Cisco Employee
Hi valentin.stefan@global.ntt,

For your requirement, you can make use of the Header repeat option in a message filter to detect high volume emails from a particular sender and take action on it.

The Header Repeats rule evaluates to true if at a given point in time, a specified number of messages:

- With same subject are detected in the last one hour.
- From same envelope sender are detected in the last one hour.

The syntax of this rule is header-repeats (<target>, <threshold> [, <direction>]), where:

<target> is subject or mail-from. AsyncOS counts the repetition of values of the target.
<threshold> is the number of messages with identical values for a given target, received in the last one hour, beyond which the rule evaluates to true.
<direction> is incoming, outgoing, or both. If direction is not specified in this rule, incoming or outgoing messages are counted for rule evaluation.

For example:

In the following example, at any given point in time, if the filter detects X or more incoming messages with the identical subjects in the last one hour, the subsequent messages with the identical subjects are sent to Policy quarantine.

f1 : if header-repeats('subject', X, 'incoming') { quarantine('Policy');}

In the following example, at any given point in time, if the filter detects X or more outgoing messages from the same envelope sender in the last one hour, the subsequent messages from the same envelope sender are dropped and discarded.

f2 : if header-repeats('mail-from', X, 'outgoing') {drop();}

Please refer to the link below for more details:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html#con_1258707

I hope it helps!

Cheers,
Pratham

Hello Pratham,

 

First, let me thank you for the reply.

I think this header-repeats rule will not resolve the problem because there may be different applications using the same envelope sender.

Is there a possibility to have a similar rule but using the remote host (remote IP Address), instead of the envelope sender?

Thanks.

 

Vale
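
Added example, not part of the thread and not AsyncOS code: a small Python model of the one-hour counting described in the first reply, run over constructed traffic in which two applications share one envelope sender, to show what each choice of counter would flag. The class and function names, the addresses and the threshold of 20 are assumptions made for illustration, and the rule semantics follow the reply's wording (X or more already seen in the last hour, subsequent messages match).

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds, "the last one hour"

class HourlyCounter:
    """Sliding one-hour counter over any message attribute (illustrative model)."""

    def __init__(self, key, threshold, weight=lambda m: 1):
        self.key, self.threshold, self.weight = key, threshold, weight
        self.seen = defaultdict(deque)  # key value -> (timestamp, weight) pairs

    def exceeded(self, msg):
        """True when `threshold` or more units were already counted for this
        message's key value in the preceding hour; msg is then recorded."""
        q = self.seen[self.key(msg)]
        while q and q[0][0] <= msg["ts"] - WINDOW:
            q.popleft()  # older than one hour
        hit = sum(w for _, w in q) >= self.threshold
        q.append((msg["ts"], self.weight(msg)))
        return hit

def constructed_traffic():
    """Constructed sample: two applications share one envelope sender."""
    def m(ts, ip, sender, rcpts):
        return {"ts": ts, "ip": ip, "mail_from": sender, "rcpts": rcpts}
    healthy = [m(600 * i, "192.0.2.10", "app@example.com", 1) for i in range(6)]
    faulty = [m(5 + 30 * i, "192.0.2.20", "app@example.com", 1) for i in range(60)]
    bulk = [m(100 + 1200 * i, "192.0.2.30", "news@example.com", 50) for i in range(3)]
    return sorted(healthy + faulty + bulk, key=lambda x: x["ts"])

def flagged_hosts(counter, traffic):
    """Remote hosts that had at least one message over the limit."""
    return {msg["ip"] for msg in traffic if counter.exceeded(msg)}

def compare(threshold=20):
    traffic = constructed_traffic()
    return {
        "messages per envelope sender": flagged_hosts(
            HourlyCounter(lambda m: m["mail_from"], threshold), traffic),
        "messages per remote host": flagged_hosts(
            HourlyCounter(lambda m: m["ip"], threshold), traffic),
        "recipients per remote host": flagged_hosts(
            HourlyCounter(lambda m: m["ip"], threshold, lambda m: m["rcpts"]), traffic),
    }

if __name__ == "__main__":
    for policy, hosts in compare().items():
        print(f"{policy}: {sorted(hosts)}")
```

In this model, counting by envelope sender also catches the healthy host that shares the sender address, counting messages by remote host isolates the faulty one, and counting recipients by remote host additionally catches a low-volume host that sends to many recipients per message.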