
How can I report on how many undeliverables I pass through

elias.winburne
Level 1

Hello,

I am new to the Ironports. Hope this question is not too simplistic for you guys.

I am trying to build the case for using LDAP recipient lookups on my Ironport. Right now, we have our Exchange Servers do the 550 or 5.1.1 SMTP reply of "The e-mail address you entered couldn't be found." I want to show some empirical data to management related to this. How can I see/track how many undeliverables pass through the Ironports from my Exchange servers? I have not seen a built-in report on this...

Any thoughts on this one?

Thanks,

Elias

Accepted Solutions

Hello Elias,

So you basically want to know how many of the inbound messages passing through your IronPort are bounced by your Exchange server because the user does not exist, right? The easiest way would be to use the delivery status in the GUI:

GUI: Monitor->Delivery Status

Don't be confused that the table states "Outgoing Destination Status"; it just means the destination domain, so you'd look for your (internal) domain all inbound traffic is forwarded to. The "Hard Bounced" column states the number you are looking for. In theory there could be other reasons why a message was rejected by your Exchange server, but that's rather rare. This table can also be generated by a scheduled report. The only drawback is that the numbers shown do not represent a certain time frame; they increase and only get reset if the appliance is rebooted, or the counters are reset via CLI.

Another place to look for rejected messages from your Exchange server is the "Bounce Log", i.e. you could download those logs and run a script that counts and filters all entries including your domain.

Hope that helps,

Andreas



6 Replies

Greetings Elias,

Based on the info you provided it sounds like you're looking for the number of invalid recipients? Correct me if I am wrong here.

You should be able to see invalid recipients listed in the GUI in the monitor overview section or Incoming Mail as a percentage.

This data would be pulled based on the following:

Text-based Mail Logs (mail_logs) show such messages as:

Thu Sep 24 00:17:13 2009 Info: MID 661 ICID 274 From: user@test.tld
Thu Sep 24 00:17:17 2009 Info: MID 661 ICID 274 To: <user@example.com> Rejected by RAT
Thu Sep 24 00:17:25 2009 Info: MID 661 ICID 274 To: <nonexistant@example.com> Rejected by LDAPACCEPT

These messages indicate that an MTA has connected to the Cisco IronPort appliance and attempted to deliver mail to an address that does not exist or was prohibited. There are several reasons why a recipient would be labeled invalid and rejected, but here are two of the most common:

  • <user@example.com> Rejected by RAT
    This denotes that the system did not find the recipient domain's information in the Recipient Access Table (RAT). Please refer to article 781 for addressing this problem with the RAT.
  • <nonexistant@example.com> Rejected by LDAPACCEPT
    This shows the recipient domain may be correct, but that the LDAP lookup to verify this recipient's specific email address returned a negative result. In case you believe the address does exist, please verify that the account is valid and active to satisfy your LDAP accept query conditions.

    Note: To find out more information about locating more details for any email issue, you can start by capturing all the logging or tracking information pertaining to a particular e-mail message or its SMTP connection. Further instruction on how to do that can be found in article 574 - "How can I determine the disposition of a message using the mail logs?"

Christopher C Smith

CSE

Cisco IronPort Customer Support
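
One way to turn the mail_logs lines quoted in the post above into counts, as an added example that is not part of the original post and not Cisco tooling. The sample lines beyond the three quoted, the function name `summarize_rejections` and the per-connection threshold used to flag a possible directory harvest are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the mail_logs format quoted above (not real traffic).
SAMPLE_LOG = """\
Thu Sep 24 00:17:13 2009 Info: MID 661 ICID 274 From: user@test.tld
Thu Sep 24 00:17:17 2009 Info: MID 661 ICID 274 To: <user@example.com> Rejected by RAT
Thu Sep 24 00:17:25 2009 Info: MID 661 ICID 274 To: <nonexistant@example.com> Rejected by LDAPACCEPT
Thu Sep 24 00:18:01 2009 Info: MID 662 ICID 275 From: probe@test.tld
Thu Sep 24 00:18:02 2009 Info: MID 662 ICID 275 To: <aaron@example.com> Rejected by LDAPACCEPT
Thu Sep 24 00:18:02 2009 Info: MID 662 ICID 275 To: <abby@example.com> Rejected by LDAPACCEPT
Thu Sep 24 00:18:03 2009 Info: MID 662 ICID 275 To: <adam@example.com> Rejected by LDAPACCEPT
"""

# Matches only recipient-rejection lines; From: lines and other events are skipped.
REJECT_RE = re.compile(
    r"Info: MID (?P<mid>\d+) ICID (?P<icid>\d+) "
    r"To: <(?P<rcpt>[^>]+)> Rejected by (?P<reason>\w+)"
)


def summarize_rejections(log_text, domain, harvest_threshold=3):
    """Count rejected recipients for one domain, grouped by rejection reason.

    Also returns the ICIDs (inbound connections) that had at least
    `harvest_threshold` distinct recipients rejected by LDAPACCEPT, which is
    the pattern a directory harvest attempt leaves. The threshold is an
    assumed value; tune it to your own traffic.
    """
    suffix = "@" + domain.lower()
    by_reason = Counter()
    ldap_rcpts_per_icid = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or not m["rcpt"].lower().endswith(suffix):
            continue
        by_reason[m["reason"]] += 1
        if m["reason"] == "LDAPACCEPT":
            ldap_rcpts_per_icid[int(m["icid"])].add(m["rcpt"].lower())
    suspects = {icid: len(rcpts) for icid, rcpts in ldap_rcpts_per_icid.items()
                if len(rcpts) >= harvest_threshold}
    return {"by_reason": dict(by_reason),
            "total": sum(by_reason.values()),
            "harvest_suspects": suspects}


if __name__ == "__main__":
    print(summarize_rejections(SAMPLE_LOG, "example.com"))
```
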

Thanks Chris,

I am familiar with the RAT rejection and the LDAP one as well.

My question lies in a little different angle.  I want to know how many Undeliverable messages are sent out my Ironports from my Exchange servers.  For instance, if a directory harvest attack comes my way, how can I determine HOW MANY Undeliverable responses my Exchange servers gave out?  I do not need the Ironports to count them.  If there is a way via Message Tracking that I can see all the Undeliverable responses, that would help me.

Make sense?

wow, brilliant!  I will pull down the Bounce logs and do some grep work on them.

Thanks!

We're a small shop (50k mailboxes) and use LDAP Acceptance Queries and for the past year have stopped 1.3 million e-mails from being accepted. This is 1.3 million e-mails our SMTP gateway didn't have to transfer to our internal e-mail system and 1.3 million e-mails our internal e-mail system didn't have to process and bounce back.

Our IronPort appliances do hit our LDAP directory pretty hard but it is completely tuneable to how many connections, etc.

Long Live the IronPort Nation!

Now if only I could do LDAP Acceptance on an internal listener...    please.....

Hello Jason,

Totally agree. One more reason to consider LDAP accept on the gateway is also to prevent backscatter (lots of bounces generated and delivered to the "original" sender, mostly caused by spam or directory harvest attacks), which some sites now blacklist. With LDAP accept, it's up to the sender to generate the bounce, and not the IronPort gateway any more, also saving a lot of resources and bandwidth.

BTW, regarding your request for LDAP accept on private listeners, maybe this workaround can be a bit of help for you:

http://tinyurl.com/cutsb8 (KB article 1344, How to use LDAP accept query to validate the sender of relayed messages.)

You certainly know it already, but just in case you don't, maybe it gives you some ideas.

Andreas