cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1223
Views
5
Helpful
15
Replies
Highlighted
Beginner

Whitelisting

Hi,

I have a vendor that is sending us a good amount of email. I usually use HAT to apply diff. throttling policy however in the case of this vendor when I look at logs they are sending from a lot of diff IPs and DSN hostnames (looks like they are using outlook.com prob for email filtering). Their Envelope sender domain doesn't match their DNS hostname. 

 

What would be the best way for me to whitelist them

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

The HAT table won't accept domains, you need to add by the sending mail host (or partial if they have a lot of various hostnames).

There on the associated Sendergroup you created; alter the rate limiting settings to fit your requirements.
Create the address list to allow the -bypass- of these limits for these whitelist sender.

Essentially everyone in this sendergroup match from .outlook.com mail servers will have your rate limit applied per sender except the select few in the list.

Regards,
Matthew

View solution in original post

15 REPLIES 15
Highlighted
Engager

HAT/Flow Policy is all about "can this up talk to me and how much flow will I allow"

Mail policy is about what to do with the mail once you've accepted it. You'll need to create a new Incoming Mail Policy for their domain(envelope sender), and turn off the scannes you need to. (Bulk/antispam/greymail?)
Highlighted

So if I have "rejected by receiving control" wouldn't that not make it to incoming mail policies to get processed?

Highlighted

Hey Toolshed,

 

Rejected by receiving controls would mean they won't make it to the mail policies - correct.

The limits are being applied at the HAT overview already at this stage.

 

As you shared this sender comes from a variety of IPs/DNS hostname and you cannot add them to your whitelisting at the HAT level; it would require the mail policy level if their domain name remains constant to whitelist them.

 

With regards to allowing them to meet the incoming mail policy level - you would either need to generate and track the list of IPs they use and create a separate sendergroup for them; or risk changing your overall rate limits to be more accommodating.

 

(if there is a common part of their hostname that is unique to them, then you can always add the hostname wildcard for sendergroup matching. For example .domain.com if the senders are always from n.domain.com where the n can be anything.)

 

Regards,

matthew 

Highlighted

Matthew,

Issue is that its coming from outlook.com or amazon.com as their rDNS. I don't mind changing # of messages allowed per hour I just don't also want to open it up to the spam coming from outlook.com 

I just need to allow based on their send envelope address

 

Highlighted

Look at the headers of the email in question.
What is the envelope sender address?
What is the from address?
Highlighted

They are diff.

envelope sender is our vendors domain. user@vendor.com it's also from address in outlook.

However its not what ESA sees as where emails are coming from. It sees it coming from outlook.com

 

Highlighted

Hey Toolshed,

The rate limiting functionality will apply by what the sender is on the message tracking rather than what's noticeable on outlook.

Regards,
Matthew
Highlighted

Hey toolshed,

There's the option to rate limit by envelope sender if that fits the bill - it's found inside your mail flow policy settings.

But as Ken shared- you can extract the envelope sender by the tracking and header From from the headers.

When envelope sender rate limiting; it's also a global limiting so it'll apply for each individual envelope sender (you can create a list to allow specific senders to bypass rate limiting for those 'trusted' senders).

Regards,
Matthew
Highlighted

so my steps would be

1. to create another sender group in HAT and add *.outlook.com there.

2. Create a policy that will be assigned to that senders group that has low mps

3. create addresses book 

4. select that addreeses book in policy under envelope sender options that says ignore

 

I already tracked header. That's what I do in almost all the cases. Typically vendors and other sender host their own email servers so I look at headers and add that and/or IPs to our policies. Usually its 2 or 3 IPs so not a huge deal. Issue i'm running into is when they use office 365 or some other service and I don't want to use policy with high mps for outlook.com, because I a lot of cases we get phishing emails from there as well

Highlighted

The HAT table won't accept domains, you need to add by the sending mail host (or partial if they have a lot of various hostnames).

There on the associated Sendergroup you created; alter the rate limiting settings to fit your requirements.
Create the address list to allow the -bypass- of these limits for these whitelist sender.

Essentially everyone in this sendergroup match from .outlook.com mail servers will have your rate limit applied per sender except the select few in the list.

Regards,
Matthew

View solution in original post

Highlighted

just to clarify by senders you mean outlook.com what I see in the first line of the message in the logs and not user@vendor.com which is envelope domain.

 

So essentially I still have to track all IPs and/or host of rDNS and just add it to senders group as I see new ones appearing.?

 

in rDNS I see variousinfo.outlook.com so adding *.outlook.com wont be enough?

Highlighted
Engager

Let' get back to the beginning...  are these emails you want to whitelist from someone using the free email service? Aka Mail is from JohnDoe@outlook.com?

 

 

Or is mail from a someone using Office365? Aka mail is from JohnDoe@company.com, IPs resolve back to *.outlook.com

 

Either way, don't bother with the HAT (that "Whitelist"name is poorly chosen).

Create an Incoming MaIL Policy.  For the first option you'l have to enter each xxx@outlook.com address as from addreset that the policy applies to.  

 

For the second option, you can just use @company.com for the from addresses.

Highlighted

Ken,

Its the second option.

in outlook and in ESA envelope sender its from user@vendor.com we get reports that emails are being delayed. When I look at logs on ESA its because they are hitting message allowed limit per hour (rejected by receiving control). Typically I would assign their ip or rDNS from the logs to higher mps policy, but in this case they are using office 365 so technically everything is coming from  xxxxxxx.outlook.com.

 

I did add @vendor.com to incoming mail policy and I see it on the log that it matches however if they send a ton of email per hour they are still getting "rejected by receiving control" on the logs

 

The only way I was able to work around that if I add IPs to HAT that uses higher mph policy, however I don't want to do that with outlook.com IPs

Highlighted

OK.

So, the reality of the situation that O365 and hotmail/outlook.com/live.com and whatever other free email MS has purchased is sharing the same infrastructure. So if you're limiting mail from the *.outlook.com mailers you're going to throttle legitimate traffic.

I would pull the trottle off and then attack the spam issue from the junk senders differently...with content and outbreak filters.


Content for Community-Ad