IronPort accepts mail but doesn't deliver, unless the attachment is of a certain size

willem.hexspoor

I'm running my own mail server. Unfortunately I'm experiencing delivery problems whenever I try to send mail to organizations that use IronPort. My logs indicate that the messages are sent and accepted, but they are never delivered to the mailbox of the recipient. The funny thing is that if I add a >1MB attachment, the message is delivered. Only short messages are dropped.

In my opinion my messages are falsely identified as positive when being checked for spam. I've already sent a message to ham@access.ironport.com but they are not processed, probably because I don't own any Cisco products.

SenderBase says the email and web reputation of my IP address is neutral. The web reputation of my domain name is neutral, the email reputation is not mentioned.

I'm not experiencing any problems when sending to GMail, Hotmail or AOL addresses; the headers of messages sent to them indicate my SPF, DKIM, DMARC and PTR are set up fine.

The admins of the receiving organisations, which are the company I work for and a hospital, are not very responsive if I ask them for help. I'm trying to figure out what is going wrong, any help will be appreciated.

Accepted Solutions


Willem,

Here's the following reason for the FP:

In this instance, the FP can be mainly attributed to the .online domain. This domain is highly prevalent in spam, so messages being sent from .online are at higher risk of FPs.

Almost never in our systems is an FP caused by one thing. Our spam detection combines many signals, including both weak spam indicators and ham indicators. Prevalence of the former combined with an absence or under-representation of the latter can lead to a conviction.

For this case, we have tuned detection content to avoid FPs on the submission domain in our systems.

Thank You!

Libin Varghese


21 Replies

Libin Varghese
Cisco Employee

Hi Willem,

It would be difficult to say for certain what the issue could be without looking at the tracking details from the ESA the email passed through.

The emails could be getting blocked by any one of the features on the ESA such as anti-spam, graymail, outbreak filters, content/message filters etc.

We would need the receiving domain to give us some information on what they are blocking in order to share a fix or workaround for that.

As a side note, the emails can be stopped by any other network devices in the receiving network including firewalls, IPS, exchange, or any other third party spam checks they use etc.

- Libin

Hi Libin,

Is there any other way to determine why email sent from my server is being dropped, because the admins of the receiving domains are not responding to my request for details on why this is happening.

If i use my Gmail account to send a message with the same content, it is being delivered to the respective domains.

Is there a possibility for me to send a test message to Cisco, so they can analyze what might be wrong in the message?

I'm just trying to improve my mail server, but that is hard if the receiving party does not explain why messages are dropped.

Best regards,

Willem

Hi Willem,

The only global rules that I can think of are anti-spam rules, SenderBase scoring and URL filtering; however, these too can be customized at the recipient side.

You did mention submitting emails to ham@access.ironport.com, could you confirm which email address those submissions were made from? I do not see any submission from willem.hexspoor@gmailcom this month.

Also if there are any URLs in the email I can look at their web reputation score at the moment.

With the SPF and other DNS records already confirmed by you I cannot think of anything else we could check based on the limited information available.

- Libin

Hi Libin,

Thank you for your quick response. I can confirm that I've submitted emails to ham@access.ironport.com from my gmail address. I've even sent more than one, on the 19th, 22nd and just a couple of minutes ago to be exact. I assume the missing dot between gmail and com is a typo.

I also just sent a message to ham@access.ironport.com from the server that has the delivery issues. The sending address is willem@hexspoor.online

None of these messages contained URLs.

Thanks for your effort,

Willem

Hi Willem,

I see a couple of emails submitted from willem@hexspoor.online on Dec 16 and Dec 23 and both were classified as ham (not spam) so I do not think the emails are being blocked by the anti-spam engine.

Apologies for the typo, there are 3 email submissions from willem.hexspoor@gmail.com, Dec 19, 22 and 23 all of which were also ham.

However, these submissions do not have any of the Ironport headers which means they would be missing the actual scoring at the time.

At this point we are dependent on the recipient domain to tell us what they are blocking based on.

- Libin

Hi Libin,

Thanks for your analysis. I'm going to try again to get some more information from the recipient domain.

Best regards,

Willem

Hi Libin,

I've received message details from the Content Security Management Appliance from one of the admins of a recipient domain. It turns out my messages are being dropped by CASE:

06 Jan 2017 16:55:25 (GMT) Message 62972262 scanned by Anti-Spam engine: CASE. Interim verdict: Positive
06 Jan 2017 16:55:25 (GMT) Message 62972262 scanned by Anti-Spam engine: CASE. Final verdict: Positive
06 Jan 2017 16:55:25 (GMT) Message 62972262 aborted: Dropped by CASE

Which party am I supposed to contact to figure out why my messages are being dropped by CASE?

Regards,

Willem
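An added example, not part of the thread: a small Python parser for message tracking lines in the format quoted above, so an admin can run it over an exported tracking log and see which of a sender's messages ended in "Dropped by CASE" (no sample recoverable) versus being delivered or quarantined. The first three sample lines reproduce the post's entries; the other lines are constructed for illustration and their event wording is assumed, not copied from an ESA.

```python
import re
from typing import Dict, List

# Constructed sample. Lines 1-3 are the thread's entries; the rest are invented
# to show a message that was delivered and one that was quarantined (wording assumed).
SAMPLE_TRACKING = """\
06 Jan 2017 16:55:25 (GMT) Message 62972262 scanned by Anti-Spam engine: CASE. Interim verdict: Positive
06 Jan 2017 16:55:25 (GMT) Message 62972262 scanned by Anti-Spam engine: CASE. Final verdict: Positive
06 Jan 2017 16:55:25 (GMT) Message 62972262 aborted: Dropped by CASE
06 Jan 2017 17:02:11 (GMT) Message 62972401 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
06 Jan 2017 17:02:11 (GMT) Message 62972401 scanned by Anti-Spam engine: CASE. Final verdict: Negative
06 Jan 2017 17:02:12 (GMT) Message 62972401 queued for delivery
06 Jan 2017 17:10:40 (GMT) Message 62972555 scanned by Anti-Spam engine: CASE. Final verdict: Suspect
06 Jan 2017 17:10:40 (GMT) Message 62972555 quarantined to Policy quarantine
"""

# Timestamp, message ID and the free-text event that follows them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \(GMT\)) Message (?P<mid>\d+) (?P<event>.+)$"
)
# "scanned by Anti-Spam engine: CASE. Final verdict: Positive"
VERDICT_RE = re.compile(
    r"scanned by Anti-Spam engine: (?P<engine>[\w-]+)\. (?P<stage>Interim|Final) verdict: (?P<verdict>\w+)"
)
# "aborted: Dropped by CASE"
ABORT_RE = re.compile(r"aborted: (?P<reason>.+)")


def parse_tracking(text: str) -> Dict[str, dict]:
    """Group tracking lines by message ID and record the anti-spam verdicts
    (per stage) and any abort reason for each message."""
    msgs: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a tracking line; ignore
        rec = msgs.setdefault(m["mid"], {"verdicts": {}, "aborted": None, "events": []})
        event = m["event"]
        rec["events"].append(event)
        v = VERDICT_RE.match(event)
        if v:
            rec["verdicts"][v["stage"].lower()] = (v["engine"], v["verdict"])
        a = ABORT_RE.match(event)
        if a:
            rec["aborted"] = a["reason"]
    return msgs


def dropped_by_antispam(msgs: Dict[str, dict]) -> List[str]:
    """Message IDs whose final anti-spam verdict was Positive and which were then
    aborted, i.e. dropped outright. For these no quarantined sample exists, which
    is why the rules team cannot be given a copy with its scoring headers."""
    return sorted(
        mid
        for mid, rec in msgs.items()
        if rec["verdicts"].get("final", (None, None))[1] == "Positive"
        and rec["aborted"] is not None
        and rec["aborted"].startswith("Dropped by")
    )


if __name__ == "__main__":
    parsed = parse_tracking(SAMPLE_TRACKING)
    for mid, rec in parsed.items():
        print(mid, rec["verdicts"].get("final"), rec["aborted"] or "not aborted")
    print("dropped:", dropped_by_antispam(parsed))
```

Feed it the tracking export for one sender to see at a glance whether any message survived long enough to be quarantined; only those can be submitted with headers intact.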

Hi Willem,

The recipient domain would need to quarantine these emails so that we can get email samples with the Ironport headers intact.

At this point the emails are getting dropped which does not allow us to get an email sample from them. The recipient domain would either have to modify the action on positive spam from drop to quarantine to get an email sample or disable anti-spam check altogether for your sending domain.

The email samples with the Ironport headers would help identify which rules need to be updated in order to prevent this from happening.

Thanks!

Libin Varghese

Hi Libin,

I've contacted several admins with a request to quarantine one of my messages. Unfortunately not one was able to help me. But I've received message tracking details of the admin at my work. I'd rather not share it on this Forum, but is there a way to send it to you by mail?

It indicates that mail from my server is being 'dropped by CASE'. Correct me if I'm wrong, but to my understanding the CASE Anti-Spam engine is operated and maintained by Cisco.

I really think Cisco incorrectly marks my mail server as a spam server. I'm unable to send mail to companies that use Ironport, because they rely on this marking by Cisco.

Today I've also sent a message from willem@hexspoor.online to ham@access.ironport.com. Can you check if that is still being treated as ham? If it is considered spam, then we might be able to use the header of this message?

Please help me get this issue solved or tell me how to proceed.

Best regards,

Willem Hexspoor

Hi Willem,

I see the email sample submitted is currently being marked as ham. It would be difficult to update rules accurately without the email sample with its X-Ironport headers intact.

It is recommended the receiving domain with the ESA open a TAC case to correct the rules if they feel emails are being incorrectly marked as spam.

Dropped by CASE means the email at that point was marked as positive spam and, as per the device configuration, the email was dropped.

Again, whether an email is spam or not would need to be reported by the receiving domain. And if these are business emails I would think they would go through the process of working with TAC to get this corrected.

- Libin Varghese

Hi Libin,

The problem is that the receiving domains are not interested in solving my problem. I'm having this issue with an insurance company, a hospital and my work. I'm running a private mail server and these domains don't care if they receive my message or not. It's like David and Goliath.

Would it be an option if you sent a message from your mail address at work to me at willem@hexspoor.online? I could reply and my response would probably also be scanned by the CASE anti-spam engine. The result could be used for further analysis.

Best regards,

Willem Hexspoor

Hi Libin,

I've found a friendly mail admin who was willing to help me. He has sent me the headers of one of my messages that was marked as spam and consequently quarantined by his IronPort. I've attached them to this post. Please tell me how to proceed.

Best regards,

Willem Hexspoor

The internal team that creates and maintains the anti-spam rules require the email samples in a .msg/.eml format with the headers intact.

Email sample and headers separately cannot be processed by that automated tool.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117822-qanda-esa-00.html

Once you have the email sample in the mentioned format please open a TAC case to get the sample analyzed.

- Libin V
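An added example, not code from Cisco or from anyone in this thread: packaging a quarantined sample so that the X-IronPort headers, which carry the scoring Libin refers to, survive the trip. The raw message below is constructed (hostnames, the 192.0.2.10 address, the Message-ID and the header values are placeholders); the X-IronPort-Anti-Spam-Filtered and X-IronPort-Anti-Spam-Result header names are the ones an ESA stamps on a scanned message. Wrapping the original unmodified as a message/rfc822 attachment is the standard way to forward a message with its headers intact (what mail clients call "forward as attachment" and what saving as .eml gives you); whether that matches the exact procedure in the linked Cisco document should be checked against it.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, Optional

# Constructed sample of a message as it would sit in an ESA quarantine.
# All values are placeholders; only the header names are meaningful.
RAW_QUARANTINED = b"""\
Received: from mail.hexspoor.online (mail.hexspoor.online [192.0.2.10])
\tby esa.example.net with ESMTP; 06 Jan 2017 16:55:25 +0000
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AAAAAAAAAA
From: willem@hexspoor.online
To: admin@example.net
Subject: test
Message-ID: <constructed-1@hexspoor.online>
Date: Fri, 06 Jan 2017 17:55:00 +0100
Content-Type: text/plain; charset=us-ascii

Short test message.
"""

# Constructed sample of what a plain copy-paste or inline forward looks like:
# the ESA headers are gone, so the rules team gets no scoring to work from.
RAW_NO_SCORING = b"""\
From: willem@hexspoor.online
To: admin@example.net
Subject: test

Short test message.
"""

HEADER_PREFIX = "x-ironport-"


def parse_raw(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


def ironport_headers(raw: bytes) -> Dict[str, str]:
    """All X-IronPort-* headers present on the sample (empty if it was not
    captured from the appliance/quarantine)."""
    msg = parse_raw(raw)
    return {k: str(v) for k, v in msg.items() if k.lower().startswith(HEADER_PREFIX)}


def build_submission(raw: bytes, sender: str,
                     recipient: str = "ham@access.ironport.com") -> EmailMessage:
    """Build the submission mail: a short cover note with the original attached
    unchanged as message/rfc822. Refuses samples without X-IronPort headers,
    since those cannot be matched to the scoring applied at the time."""
    if not ironport_headers(raw):
        raise ValueError("sample has no X-IronPort-* headers; use the quarantined copy, not a forward")
    original = parse_raw(raw)
    sub = EmailMessage(policy=policy.default)
    sub["From"] = sender
    sub["To"] = recipient
    sub["Subject"] = "False positive sample: " + str(original["Subject"] or "")
    sub.set_content("Original message attached unmodified as message/rfc822.")
    sub.add_attachment(original)  # EmailMessage payload -> message/rfc822 part
    return sub


def save_eml(msg: EmailMessage, path: str) -> None:
    """Write the submission to disk as .eml (what a TAC case would be given)."""
    with open(path, "wb") as f:
        f.write(msg.as_bytes())


def attached_original(sub: EmailMessage) -> Optional[EmailMessage]:
    """Round-trip check: pull the embedded original back out of a submission."""
    for part in sub.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


if __name__ == "__main__":
    submission = build_submission(RAW_QUARANTINED, "willem@hexspoor.online")
    inner = attached_original(parse_raw(submission.as_bytes()))
    print({k: v for k, v in inner.items() if k.lower().startswith(HEADER_PREFIX)})
```

Before sending, serialize and re-parse the submission as the script does and confirm the X-IronPort headers are still on the embedded message; if a mail client was used to forward, inspect the result the same way, because an inline forward silently drops them.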

Hi Libin,

I've sent a quarantined email sample according to the link above. Unfortunately it's been more than 2 hours without a confirmation.

I'm not able to open a TAC case, can you get the attachment of this message into the automated tool? I just renamed the extension from eml to txt in order to be able to upload it here.

Regards,

Willem