Hello: I have my Exchange 2010 Hub Transport servers configured to use a Send Connector to route all externally bound email through an IronPort c350 in a smarthost configuration. In troubleshooting an Exchange availability issue, I had a look at this applicance's Incoming Mail stats. In those stats, I see where every hour, 16,000 "inbound" emails are supposedly being stopped by Reputation Filtering: Domain Rejected Accepted Total Attempted Stopped by Recipient Throttling Stopped by Reputation Filtering Stopped as Invalid Recipients Spam Detected Virus Detected Stopped by Content Filter Total Threat Marketing Clean test.com 0 4 16.2k 0 16.2k 0 0 0 0 16.2k 0 0 If I change the view to IP Address, test.com is broken into my 3 Hub Transport server's IP's: IP Address Hostname DNS Verified SBRS Last Sender Group Total Attempted Stopped by Reputation Filtering Stopped as Invalid Recipients Spam Detected Virus Detected Stopped by Content Filter Total Threat Marketing Clean 10.10.10.51 ...ht02p.test.com No -- 0 6,426 6,426 0 0 0 0 6,426 0 0 10.10.10.52 ...ht03p.test.com No -- 0 6,426 6,426 0 0 0 0 6,426 0 0 10.10.10.50 ...ht01p.test.com No -- 0 4,158 4,158 0 0 0 0 4,158 0 0 If I look into message tracking on my M series and filter by rejected connections, IP address, or any delimiter I can think of, I can't find record of the actual messages that are being stopped. The Exchange message tracking logs don't reflect any such activity. I've opened mail_logs on the affected appliance and I don't see anything in there related to these IP's being rejected by reputation filtering. I've gotten no reports of emails delayed or failing to be delivered. Insofar as I can tell, this behavior has taken place since I put in the Exchange 2010 Send Connector to the internet. Do I have a worm run amok on my network, is this a false positive, or can anyone think of anywhere else I could look to find out what this traffic is referring to? thank you in advance for any assistance.
... View more