ESA: Whitelist email address with bad senderbase.org reputation

amhammond
Level 1

We use a Cisco ESA for our US offices.  senderbase.org blacklisted hosts are Stopped by Reputation Filtering.

Our UK affiliate uses prince.clook.net as an SMTP provider host.

From time to time, another company using prince.clook.net SMTP will send enough spam that prince.clook.net will be blacklisted with senderbase.org.  Then, all email from our UK affiliate is dropped without notice.

I created an Incoming Mail Policy which has

Sender

user@corp.co.uk

@prince.clook.net

@corp.co.uk

where

Anti-Spam = Disabled

Anti-Virus = (use default)

Advanced Malware Protection = (use default)

Graymail = (use default)

Content Filters = (use default)

Outbreak Filters = (use default)

How do I disable senderbase reputation filtering for prince.clook.net? I would prefer to just "whitelist" this one user, but the risk of getting spam to our corporate office from prince.clook.net seems low compared to the risk of losing email from our UK affiliate.

Thanks for any pointers,

Anne

8 Replies

Libin Varghese
Cisco Employee

Hi Anne,

As the senderbase scores are for the originating server IP at the connection level, it does not allow us to bypass it for a particular domain.

A workaround would be to add a separate sender group for the sending server prince.clook.net with no SBRS range defined and use filters to quarantine emails with a low reputation or emails not from a particular domain.

This mitigates the risks of emails getting dropped and allows you to review emails in the quarantine to further add exceptions.

Thanks

Libin Varghese

Thanks Libin.

If I create a Sender Group prince_clook_net from the GUI, there is not a Policy "Quarantine" dropdown.

Is the software outdated, or do I need to do this from the CLI?

I have created simple filters before, but not sure how to create a filter using this Sender Group.

Anne

Hi Anne,

The sendergroup would be associated with the "Accepted" mail flow policy in the GUI.

Once this is done we can create message filters from the command line of the device using command filters -> new

You could also add a new policy quarantine with the name prince_clook_net from the GUI Monitor -> Policy, Virus and Outbreak Quarantine

SBRScheck: if (sendergroup == "prince_clook_net") AND (reputation < -3.0)
{
    quarantine("prince_clook_net");
}
.

Attaching screenshot for steps to add the filter.

Libin

Thanks Libin,

I have implemented this and waiting for UK office to test.

For the test, I will probably remove the reputation check.

Anne

This is not working yet.

I have a Mail Policy Sender Group (see attached).

For the test, I just wanted to quarantine anything being sent through prince.clook.net.

The filter is:

[]> detail

Enter the filter name, number, or range:
[]> 7

Num Active Valid Name
  7   Y      Y   QUARClook
QUARClook: if sendergroup == "prince_clook_net" {
               quarantine("prince_clook_net");
           }

The message source indicates the IP is correct:

Received: from prince.clook.net ([46.29.93.6])
  by ironport.corp.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 03 Nov 2016 11:06:31 -0600

Can we view the log for this email?

TIA,

Hi Anne,

You can certainly pull up the message tracking logs for the test emails.

This would be available under Monitor -> Message Tracking

Search based on the IP, sender or recipient address for the time period.

Also from the attachment I can see that the sendergroup currently is at order 6.

One possible reason for this not to work correctly would be because the IP is matching another sendergroup higher up in the order based on its reputation score.

You can always use the feature under System Administration -> Trace to mimic the email flow with the sender IP, envelope sender and envelope recipient information.

Thanks

Libin

Thanks Libin.

Under System Administration -> Trace I found that the Sender Group #2 (WHITELIST with Mail Flow Policy TRUSTED) was accepting the prince_clook_net email, instead of quarantining it.

I moved the Sender Group prince_clook_net to #2 (before WHITELIST); and now it is being quarantined.

I added the quarantine using the ironport cli:

quarantineconfig "add" prince_clook_net 14d delete

The email was being quarantined in a generic quarantine before.

Thanks again Libin. System Administration -> Trace is very useful.

Anne
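The ordering problem Anne hit above, modelled as an added example that is not code from this thread or from Cisco: sender groups in the Host Access Table are walked top to bottom and the first match wins, so a dedicated group placed below WHITELIST never sees the connection. Group contents, SBRS ranges, the RELAYLIST host and the partner host are assumptions; the relay host and IP are the ones quoted in the thread.

```python
from typing import Callable, List, Optional, Tuple

# Constructed model of ESA sender-group (HAT) evaluation, not Cisco code. Group
# contents and SBRS ranges are assumptions; host and IP are from the thread.
Matcher = Callable[[str, str, Optional[float]], bool]
Group = Tuple[str, str, Matcher]  # (sender group name, mail flow policy, rule)

def host_in(*hosts: str) -> Matcher:
    """Match the connecting host name (the ESA also takes IPs/CIDRs)."""
    return lambda host, ip, sbrs: host in hosts

def sbrs_between(lo: float, hi: float) -> Matcher:
    """Match when the SenderBase reputation score lies in [lo, hi]."""
    return lambda host, ip, sbrs: sbrs is not None and lo <= sbrs <= hi

def classify(hat: List[Group], host: str, ip: str, sbrs: Optional[float]):
    """Walk the HAT top to bottom; the first matching group wins."""
    for name, policy, rule in hat:
        if rule(host, ip, sbrs):
            return name, policy
    return "ALL", "ACCEPTED"  # implicit catch-all at the bottom of a HAT

def sbrs_check(sendergroup: str, sbrs: Optional[float], threshold=-3.0) -> str:
    """Same decision as the thread's SBRScheck message filter."""
    if sendergroup == "prince_clook_net" and sbrs is not None and sbrs < threshold:
        return "quarantine:prince_clook_net"
    return "deliver"

def route(hat: List[Group], host: str, ip: str, sbrs: Optional[float]):
    """Connection-level verdict first, then the message filter."""
    group, policy = classify(hat, host, ip, sbrs)
    if policy == "BLOCKED":
        return group, policy, "rejected at connection"
    return group, policy, sbrs_check(group, sbrs)

RELAY = ("RELAYLIST", "RELAYED", host_in("smtp.corp.com"))
BLACK = ("BLACKLIST", "BLOCKED", sbrs_between(-10.0, -3.0))
CLOOK = ("prince_clook_net", "ACCEPTED", host_in("prince.clook.net"))
# Before the dedicated group existed: a bad SBRS day drops the affiliate's mail.
BEFORE_HAT = [RELAY, ("WHITELIST", "TRUSTED", host_in("mx.partner.example")), BLACK]
# First attempt (assumption: WHITELIST also listed the relay), new group last.
FIRST_HAT = [RELAY, ("WHITELIST", "TRUSTED", host_in("prince.clook.net")), BLACK, CLOOK]
# The fix: the dedicated group moved to #2, ahead of WHITELIST.
FIXED_HAT = [RELAY, CLOOK, ("WHITELIST", "TRUSTED", host_in("prince.clook.net")), BLACK]

if __name__ == "__main__":
    for label, hat in (("before", BEFORE_HAT), ("first", FIRST_HAT), ("fixed", FIXED_HAT)):
        print(label, route(hat, "prince.clook.net", "46.29.93.6", -5.0))
```

The same walk is what System Administration -> Trace performs on the real appliance, which is why it showed WHITELIST accepting the connection.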

Glad to hear that helped.

Thank you for the update!

Libin