06-18-2019 07:20 PM
Hello Email Security Community,
Perhaps this question was asked many times and I did do my best to search through the whole forum.
I followed some advice but am still scratching my head trying to understand what is wrong.
I need to whitelist a specific email address through Ironport email security. Created or rather added an email address to the existing Whitelist that is inserted above the default policy with Anti-Spam set to disabled. I have to admit that emails sent by this sender are marketing emails and their content is about marketing campaigns performed by designated staff. The email is sent, Ironport accepts it because it comes from a sender with 3.0 score. But it puts it to spam quarantine. Why?
Moreover, when I do tracing by providing all the details from the message headers and pasting the body of the email I do see that it matches the whitelisting policy. But the email still ends up in spam quarantine.
Desperately need advice and help!
Eugene
06-18-2019 08:09 PM
If it's a marketing or bulk sender, also make sure that the Graymail detection/actions are appropriate... if one of those is set to quarantine, that would do it.
It might be useful if you posted the message tracking for one of the emails in question, sanitized if need be.
Ken
06-18-2019 09:22 PM
Thank you, Ken, a lot.
I have ALL policies disabled for this Whitelisting policy.
Take a look at the attached screenshot.
But you half opened my eyes.
Here's the extract from Message tracking and for some reason it hits Default policy
MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: it.xxxx@options.bc.ca |
Incoming connection (ICID 1033318) has sender_group: ACCEPTED, sender_ip: 207.254.213.249 and sbrs: 3.5 |
Protocol SMTP interface Main_incoming_interface (IP 172.16.0.200) on incoming connection (ICID 1033318) from sender IP 207.254.213.249. Reverse DNS host drone192.ral.icpbounce.com verified yes. |
(ICID 1033318) ACCEPT sender group ACCEPTED match sbrs[0.0:10.0] SBRS 3.5 sender IP 207.254.213.249 country Canada |
Message 2207265 Sender Domain: icpbounce.com |
Start message 2207265 on incoming connection (ICID 1033318). |
Message 2207265 enqueued on incoming connection (ICID 1033318) from bounces+264572.35563716.533343@icpbounce.com. |
Message 2207265 direction: incoming |
Message 2207265 on incoming connection (ICID 1033318) added recipient (it.xxxx@options.bc.ca). |
Message 2207265 SPF: helo identity postmaster@drone192.ral.icpbounce.com None |
Message 2207265 SPF: mailfrom identity bounces+264572.35563716.533343@icpbounce.com Pass |
Message 2207265 SPF: pra identity childxxxxyyyyzzzz@options.bc.ca None headers Unknown |
Message 2207265 contains message ID header '<0.1.1.1E.1D52643A30575C4.0@drone192.ral.icpbounce.com>'. |
Message 2207265 original subject on injection: testing 222 |
Message 2207265 has 'reply-to' header childxxxyyyzzz@options.bc.ca |
Message 2207265 Domain Reputation: Neutral, Domain Age: 15 years 8 months 23 days, Threat Category: N/A |
Message 2207265 (41799 bytes) from bounces+264572.35563716.533343@icpbounce.com ready. |
Message 2207265 has sender_group: ACCEPTED, sender_ip: 207.254.213.249 and sbrs: 3.5 |
Message 2207265 matched per-recipient policy DEFAULT for inbound mail policies. |
Message 2207265 scanned by Anti-Spam engine: CASE. Interim verdict: marketing |
Message 2207265 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN |
Message 2207265 scanned by Anti-Virus engine. Final verdict: Negative |
Message 2207265 scanned by Anti-Spam engine: GRAYMAIL. Final verdict: marketing_mail |
Message 2207265 scanned by Outbreak Filters. Verdict: Negative |
Message 2207265 queued for delivery. |
Remote procedure call connection (RCID 325869) started for message 2207265 to local Spam Quarantine. |
Message 2207265 quarantined in Spam Quarantine. |
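A small parser for tracking lines like the ones in the post above, added here as an example (not from the thread or from Cisco): it pulls out the envelope sender, the reply-to header, the matched policy and the verdicts for each MID, so you can see which logged sender identity carries the allow-listed address. The sample lines are constructed from the extract above; the function names are assumptions, and the expected policy name is supplied by the caller.

```python
import re

# Constructed sample: same shape as the tracking extract above,
# with the trailing table pipes removed.
SAMPLE = """\
Message 2207265 enqueued on incoming connection (ICID 1033318) from bounces+264572.35563716.533343@icpbounce.com.
Message 2207265 has 'reply-to' header childxxxyyyzzz@options.bc.ca
Message 2207265 matched per-recipient policy DEFAULT for inbound mail policies.
Message 2207265 scanned by Anti-Spam engine: CASE. Interim verdict: marketing
Message 2207265 scanned by Anti-Spam engine: GRAYMAIL. Final verdict: marketing_mail
Message 2207265 quarantined in Spam Quarantine.
"""

PATTERNS = {
    "envelope_sender": re.compile(r"enqueued on incoming connection \(ICID \d+\) from (\S+?)\.?$"),
    "reply_to": re.compile(r"has 'reply-to' header (\S+)"),
    "policy": re.compile(r"matched per-recipient policy (\S+) for inbound"),
    "verdict": re.compile(r"engine: (\w+)\. (?:Interim|Final) verdict: (\S+)"),
    "quarantine": re.compile(r"quarantined in (.+?)\.?$"),
}

def summarize(text):
    """Group tracking lines by MID and keep the fields policy matching depends on."""
    out = {}
    for line in text.splitlines():
        line = line.strip().rstrip("|").strip()   # tolerate pasted table pipes
        m = re.match(r"Message (\d+) (.*)", line)
        if not m:
            continue
        rec = out.setdefault(m.group(1), {"verdicts": {}})
        for key, pat in PATTERNS.items():
            hit = pat.search(m.group(2))
            if hit and key == "verdict":
                rec["verdicts"][hit.group(1)] = hit.group(2)
            elif hit:
                rec[key] = hit.group(1)
    return out

def diagnose(rec, allowed_sender, expected_policy):
    """Report where the allow-listed address appears when the expected policy was missed."""
    if rec.get("policy") == expected_policy:
        return "ok"
    where = [k for k in ("envelope_sender", "reply_to")
             if rec.get(k, "").lower() == allowed_sender.lower()]
    found = ", ".join(where) or "none of the logged identities"
    return "policy %s matched; address found in: %s" % (rec.get("policy"), found)

if __name__ == "__main__":
    for mid, rec in summarize(SAMPLE).items():
        print(mid, rec, diagnose(rec, "childxxxyyyzzz@options.bc.ca", "Whitelisting"))
```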
06-18-2019 09:28 PM
Like I said previously, when I trace this email it shows it as matching Whitelisting policy
Message Delivery (matched on policy Whitelisting)
Outgoing Envelope Sender Tagging for Bounce Verification:
Final Recipients: it.xxxx@options.bc.ca
Final Message:
Authentication-Results: drone192.ral.icpbounce.com; spf=None smtp.pra=; spf=None smtp.mailfrom=childxxxyyyzzz@options.bc.ca; spf=None smtp.helo=postmaster@drone192.ral.icpbounce.com
Received-SPF: None (drone192.ral.icpbounce.com: no sender authenticity information available from domain of ) identity=pra; client-ip=207.254.213.249; receiver=drone192.ral.icpbounce.com; envelope-from="childxxxyyyzzz@options.bc.ca"; x-sender=""; x-conformance=sidf_compatible
Received-SPF: None (drone192.ral.icpbounce.com: no sender authenticity information available from domain of childxxxyyyzzz@options.bc.ca) identity=mailfrom; client-ip=207.254.213.249; receiver=drone192.ral.icpbounce.com; envelope-from="childxxxyyyzzz@options.bc.ca"; x-sender="childxxxyyyzzz@options.bc.ca"; x-conformance=sidf_compatible
Received-SPF: None (drone192.ral.icpbounce.com: no sender authenticity information available from domain of postmaster@drone192.ral.icpbounce.com) identity=helo; client-ip=207.254.213.249; receiver=drone192.ral.icpbounce.com; envelope-from="childxxxyyyzzz@options.bc.ca"; x-sender="postmaster@drone192.ral.icpbounce.com"; x-conformance=sidf_compatible
Received: from drone192.ral.icpbounce.com ([207.254.213.249]) by esa.options.bc.ca with TEST; 18 Jun 2019 21:24:35 -0700
test
06-18-2019 09:34 PM
And the picture below shows that Greylisting is not applied to Whitelisting policy
06-19-2019 04:27 AM
Under Mail Policies/Mail Policy Options, there's a setting for matching the headers your policies apply to.
Envelope sender may be the only one checked in priority P1.
You can create priorities and set an order to them, or turn them all on in P1 (which is how it used to work).
06-19-2019 09:02 AM
Bingo! It did the trick. Thank you, Ken!
No one changed those priorities. I had only two in there, i.e. Envelope sender and Header sender.
Apparently the incoming email was verified against "reply-to" header. Never paid attention to it.
Thanks again, issue solved
Eugene
06-19-2019 09:19 AM - edited 06-19-2019 10:19 AM
Well, I spoke too early. It doesn't work consistently. There are two email addresses that are supposed to receive an email from whitelisted email address. One of them receives it right away, but the email for the second is put into the spam quarantine again. I see that it matches the default policy from message tracking. Weird...
Here's what I mean, there's one message with "testing 666" subject, it is being delivered to two addresses.
The first one receives it right away (to it.tech@), but the one destined to shady.goubran@ gets into the spam quarantine
Checking on details confirms it, the first one matches Whitelisting policy:
MAIL POLICY "Whitelisting" MATCHED THESE RECIPIENTS: it.tech@
The second one matches the default policy:
MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: shady.goubran@
06-19-2019 10:47 AM
06-19-2019 11:21 AM
So which emails does the whitelist policy apply to?
06-19-2019 11:23 AM
So which emails does the Whitelisting policy apply to? Feel free to direct message if you don't want to post it.
06-19-2019 11:37 AM
Here are two messages, I think there's nothing to sanitize in them here in Cisco forums
One of them matches Whitelisting policy, the other one - default.
It was sent as one email earlier today, hence the same subject
06-19-2019 12:48 PM
I can't seem to find in our conversation, did you post what the config is when you click on "Whitelisting" in the policy table?
06-19-2019 02:52 PM
Here it is, Ken, see below
06-19-2019 03:41 PM