Solved: Receive control command to get list of IP's that are beeing throttled.

Frederik De Muyter · ‎10-03-2019

Hi,

Is there a command or report i can get to see for what IP's the ironport is doing flow control.

Kind regards,

Frederik.

Mathew Huynh · ‎10-03-2019

Hey Frederik,

Emails being throttled by the ESA are all grouped together with a similar log line; so we will not be able to distinguish if it's the Senderbase Flow control coming in, or just your other mail flow policies rate limit.
However you can grep : Rejected by Receiving Control in the mail_logs to track this.
Then you will need to cross reference the IP addresses sent in, sendergroup and from there you'll be able to get a clearer indication if it was blocked due to mail flow policy limits, or senderbase flow control coming through and stopping it.

To know if it's senderbase flow control - essentially if an IP gets stopped due to your rate limit and the sender changes their IP to one in the same IP group and sends emails, it will also be stopped under Rejected by Receiving Control reason, and this would be senderbase flow control grouping the IPs over found through network ID/owner.

---

* 'Use SenderBase for Flow Control' on: The ESA will group connections together based on the network ID of the IPs in SenderBase
* 'Use SenderBase for Flow Control' off and 'Group by Similarity of IP Addresses' on: The ESA will group connections based on the number of significant bits configured in this setting. To make things always host specific (no grouping) set the significant bits to 32.
* 'Use SenderBase for Flow Control' off and 'Group by Similarity of IP Addresses' off: The ESA will group connections based on the sender entries in the sender groups. For example, if the sender group has 10.250.42.0/24 listed as a sender, then all connections from that CIDR range will be grouped together. If instead, they have individual IPs (Ex: 10.250.42.38) with no CIDR ranges, they will not be grouped because each IP had a separate sender entry.
---

Regards,
Mathew

View solution in original post

Mathew Huynh · ‎10-03-2019

Hey Frederik,

Emails being throttled by the ESA are all grouped together with a similar log line; so we will not be able to distinguish if it's the Senderbase Flow control coming in, or just your other mail flow policies rate limit.
However you can grep : Rejected by Receiving Control in the mail_logs to track this.
Then you will need to cross reference the IP addresses sent in, sendergroup and from there you'll be able to get a clearer indication if it was blocked due to mail flow policy limits, or senderbase flow control coming through and stopping it.

To know if it's senderbase flow control - essentially if an IP gets stopped due to your rate limit and the sender changes their IP to one in the same IP group and sends emails, it will also be stopped under Rejected by Receiving Control reason, and this would be senderbase flow control grouping the IPs over found through network ID/owner.

---

* 'Use SenderBase for Flow Control' on: The ESA will group connections together based on the network ID of the IPs in SenderBase
* 'Use SenderBase for Flow Control' off and 'Group by Similarity of IP Addresses' on: The ESA will group connections based on the number of significant bits configured in this setting. To make things always host specific (no grouping) set the significant bits to 32.
* 'Use SenderBase for Flow Control' off and 'Group by Similarity of IP Addresses' off: The ESA will group connections based on the sender entries in the sender groups. For example, if the sender group has 10.250.42.0/24 listed as a sender, then all connections from that CIDR range will be grouped together. If instead, they have individual IPs (Ex: 10.250.42.38) with no CIDR ranges, they will not be grouped because each IP had a separate sender entry.
---

Regards,
Mathew