How do I extract the SBRS score of a sender from the mail logs?

nhantd001 · ‎06-06-2016

Dear all,

I have been asked to audit an IronPort C370 to determine the IP and hostname of all systems sending email through the device. How do I extract the SBRS score of a sender from the mail logs?

Please help me. Thank you very much!

Raed Boshmaf · ‎06-06-2016

Hi, From the mail_logs the SBRS score will be listed in the line with the ICID, Sender Group and mail flow policy

Example Snippet from our local labs:

==========================================================================

Fri Jun 3 10:25:34 2016 Info: New SMTP ICID 4345 interface Management (10.48.78.15) address 10.48.78.35 reverse dns host ironport.local verified yes
Fri Jun 3 10:25:34 2016 Info: ICID 4345 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Fri Jun 3 10:25:34 2016 Info: Start MID 6330 ICID 4345
Fri Jun 3 10:25:34 2016 Info: MID 6330 ICID 4345 From: <raed@munich.local>
Fri Jun 3 10:25:34 2016 Info: MID 6330 ICID 4345 RID 0 To: <raed@amman.local>
Fri Jun 3 10:25:34 2016 Info: MID 6330 Message-ID '<579860dc677ca757a915616d64771c83@munich.local>'
Fri Jun 3 10:25:34 2016 Info: MID 6330 Subject 'Final Test - SR 639108941'
Fri Jun 3 10:25:34 2016 Info: MID 6330 ready 25877 bytes from <raed@munich.local>
Fri Jun 3 10:25:34 2016 Info: MID 6330 matched all recipients for per-recipient policy Raed_Test_Policy in the inbound table

==========================================================================

Since it is a privet IP SBRS rfc1918 is thrown, with public IPs you will not see this, but the point you want is sbrs[none]

Regards

Raed