07-14-2021 02:56 AM
Hello all,
In our company we have some senders which hase some SPAM filters enabled on their mailboxes which means that our ESA Ironport as sender addresses sees something like this: prvs=6829960914=name.surname@domain.com
We don't want to whitelist all domain, but just this one user mail address to go throught our filters.
Examples for Incoming mail policies shows only (e.g. user@example.com, user@, @example.com, @.example.com)
I have tried like *name.surname@domain.com but seems not working like that.
So does anyone have solution for this?
Thanks.
07-15-2021 02:40 PM - edited 07-21-2021 11:03 PM
Hi,
Can you please be more specific? Those addresses are modified by ESA using a feature called bounce verification:
If the sending domain also uses ESA, that's why you see those email with the prvs=6829960914 tag.
It's not exactly wise to skip spam based on a specific email address, although it's doable.
Usually, you skip spam engine before reaching Incoming Mail Policy, in HAT, by adding the sender domain or IP in a specific Sender Group that has attached a Mail Flow Policy that does not have SPAM engine enabled.
Still, going back to your scenario, have you tested your policy for let's say email sender prvs=6829960914=name.surname@domain.com with only name.surname@domain.com in the Incoming Mail Policy?
I'm asking you this, because:
I expect 'prvs' email to be in Envelope Sender field but not in From header, so I guess it would work.
BR,
Octavian
BR,
Octavian
07-16-2021 01:25 AM
Hello,
I will try to whitelist like this prvs=6829960914=name.surname@domain.com with only name.surname@domain.com but I think I already tried it some time ago and it was still quarantined. Will let You know once get another mails from this affected sender.
07-21-2021 10:29 PM
Hello Kajinssa,
To add - the prvs tagging is done by bounce verification - so as the email leaves your environment (assuming it's enabled) your environment will tag it - once the recipient replies; your device will strip (or should) strip the prvs tagging as it receives assuming it's a tagging your side did.
Now if the issue is this tag is done by another Cisco secure email customer and you're receiving it like this - you cannot strip the tagging as it's not your own tagging.
So to allow this email through and not get hit by quarantine - I would like to ask:
- Which quarantine is it matching? Is it anti-spam that flags it? or is it a content filter?
If it's anti-spam the only means that i can recommend is using a message filter which allows you to add the variables; incoming mail policies will match specific full usernames or domains only which as you shared is not ideal.
That means if you're on-prem just use the CLI and create a message filter to allow this email to skip anti-spam.
If you're on CES - you will need to either:
1) Get CLI access to your CES allocation and create the filter
2) Engage Cisco TAC to assist you in getting access/configuring the message filter with your consent.
A message filter could be:
Bypass_spam_user:
if mail-from =="username@domain.com"
{
skip-spamcheck();
}
.
Where the username is a contains rule and it should skip as long as this string is consistent.
If you use equals to then you need to have the prvs-tagging.
Thanks i hope this helps.
Regards,
Mathew
07-22-2021 12:01 AM
Hello Mathew,
Thanks for Your input. Yes, this PRVS tag is done by other CISCO ESA and we are receiving email like this. And it is maching our Incoming mail policies - so Content filter.
It could be easily resolved, if there will be possibilty to use * to catch all string which are after this char.
Thanks.
07-30-2021 04:46 AM
Hello @Octavian Szolga ,
So I tried to whitelist just name.surname@domain.com but ESA ignore it, if sender address have this prvs tag at the begginning.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide