Message Filtering at UM - University of Missouri


Message Filtering at UM

The good, the bad & the ugly

Overview

• History
• Message flows & filtering points
• Common mail flow errors & diagnostics
• Efficient Troubleshooting
• Tips & Gotchas
• Future

History

• Antigen for anti-virus since 1999
• “ORF” for blocking & stats since 2003
• “IMFTune” for Outlook Junk-mail foldering since 2004
• Custom MS Windows IIS rules since 2003
• “Ironport” appliance supersedes ORF as primary blocking tool – Summer, 2008

Inbound Mail Filtering Points

Ironport Inbound Filtering

Sample Ironport Report

Inbound Mail Summary

Incoming Mail Detail

Sorted by Reputation Filtering Blocks

Ironport Message Tracking Tools

Ironport treatment of “Absolute” & “Suspected” Spam

Ironport Internet Header additions “Suspected” Spam

Ironport Internet Header additions “Absolutely-positive” Spam

Internet header ‘triggers’ to use when writing custom rules
• X-IRONPORT-SCORE: YES
• X-IRONPORT-SCORE: SUSPECT
• X-SBRS: #Value#

Exchange Inbound Filtering

Antigen for Exchange – ‘Quarantine’ of viruses, executables & chain mail

IMFTune for Exchange – Junk Mail ‘auto-foldering’

ORF for Exchange – Former primary tool, replaced by the Ironports, still used for some functions.

Outbound Mail Filtering Points

Outbound Traffic – Authentication & anti-virus

Outbound Traffic – Authentication

Outbound Traffic – Segregated Data Streams

Ironport – Outbound traffic assignments

Yahoo msg header showing source IP as 209.106.229.47 for mst.edu senders

Yahoo msg header showing source IP as 209.106.229.53 for missouri.edu senders

*Why* we use multiple outbound streams via different IP addresses & host names

Mail flow errors & diagnostics

• Mis-foldered mail
• Mail not received
• Delivery errors

Mail flow errors & diagnostics

Mis-foldered msgs: spam in the Inbox and/or ‘good mail’ in the Junk Mail folder.

• Check for the Ironport stamp within the headers (X-IRONPORT-SCORE:).
• Check for custom user-created rules.
• Report if appropriate, but be aware of the 0.1 % failure rate of the IMFTune ‘foldering’ engine.
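The header ‘triggers’ listed under the Ironport section and the mis-foldering check above can be scripted. The following is an added example, not code from the presentation or from UM; it assumes only the three stamps the slides name (X-IRONPORT-SCORE: YES, X-IRONPORT-SCORE: SUSPECT and X-SBRS: value) and uses two constructed sample messages. Given a raw message and the folder the user actually found it in, it says whether the foldering matches the Ironport verdict or whether custom rules / the IMFTune engine need a look.

```python
"""Triage a message against the Ironport header stamps.

Added example, not code from the original presentation. It assumes only the
three header 'triggers' the slides name: X-IRONPORT-SCORE: YES (absolute spam),
X-IRONPORT-SCORE: SUSPECT (suspected spam) and X-SBRS: <value> (sender
reputation score). The two sample messages below are constructed for the demo.
"""
from email import message_from_string
from email.policy import default

# Constructed sample: a suspected-spam message stamped by the Ironport.
SAMPLE_SUSPECT = """\
Received: from mail.example.test ([192.0.2.10]) by mxnip01.um.umsystem.edu
X-IRONPORT-SCORE: SUSPECT
X-SBRS: -1.3
From: [email protected]
To: [email protected]
Subject: Special offer

Hello
"""

# Constructed sample: ordinary mail from a well-reputed sender, no spam stamp.
SAMPLE_CLEAN = """\
Received: from mail.example.test ([192.0.2.11]) by mxnip01.um.umsystem.edu
X-SBRS: 3.5
From: [email protected]
To: [email protected]
Subject: Meeting notes

Hello
"""


def ironport_verdict(raw_message):
    """Return (score, sbrs): score is 'YES', 'SUSPECT' or None; sbrs a float or None."""
    msg = message_from_string(raw_message, policy=default)
    score = msg.get("X-IRONPORT-SCORE")
    score = str(score).strip().upper() if score is not None else None
    sbrs = msg.get("X-SBRS")
    try:
        sbrs = float(str(sbrs)) if sbrs is not None else None
    except ValueError:  # non-numeric placeholder on unscored senders
        sbrs = None
    return score, sbrs


def diagnose_foldering(raw_message, folder):
    """Compare where a message landed ('inbox' or 'junk') with the Ironport stamp.

    Returns (status, explanation); status is 'as_designed', 'spam_in_inbox' or
    'good_mail_in_junk'.
    """
    score, sbrs = ironport_verdict(raw_message)
    stamped = score in ("YES", "SUSPECT")
    if folder == "junk" and stamped:
        return "as_designed", "Ironport stamped %s (SBRS %s); junk foldering is correct" % (score, sbrs)
    if folder == "inbox" and not stamped:
        return "as_designed", "no Ironport spam stamp (SBRS %s); Inbox is correct" % sbrs
    if folder == "inbox" and stamped:
        return ("spam_in_inbox",
                "Ironport stamped %s but it was not foldered: check custom user rules, "
                "then allow for the IMFTune foldering engine's ~0.1%% miss rate" % score)
    return ("good_mail_in_junk",
            "no Ironport stamp but the message is in Junk: check custom user rules first")


if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        for folder in ("inbox", "junk"):
            print(name, folder, diagnose_foldering(raw, folder))
```

Point it at the full internet headers pulled from Outlook (Message Options) or OWA; the stamp is only meaningful on mail that actually passed through the Ironports, so a message that arrived by some other path will show no score at all.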

Mail delivery failure – Missing Mail

This email message is to notify you that your membership to 52-discuss was previously "held" and has now been restored to "normal".

This means that you were not receiving mail from '52-discuss'.

Your subscription was held because your email address was bouncing a large amount of mail which was sent to it.

Your membership has now been restored to "normal", and the list server program running '52-discuss' will attempt to send you mail. If your email address continues to bounce mail, your subscription will once again be "held".

You may want to contact the people responsible for your electronic mail to determine why your email address has been refusing mail.

Mail delivery failure – Missing Mail

I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached return message.

The mail system @mst.edu>: host mxnip01.um.umsystem.edu[209.106.229.21] refused to talk to me: 421 # 4.4.5 Too many connections from your host.

Mail delivery failure – Missing mail

Dramatically fewer ‘false-positive’ blocks with the new Ironports, but more difficult to resolve.

May not be able to track lost mail via sender’s email address alone.

‘Source IP’ of the sending mail system is the key to resolving issues.

Check the internet header info of any previously successfully received messages.

Have sender forward any error messages to [email protected], or to the recipient via an alternative mail system.

Be patient; if the sending system is normally ‘clean’, the Ironports will eventually allow the traffic to flow in.

Mail delivery failure – RBL blocks

The following recipient(s) cannot be reached:

[email protected] on 9/30/2008 1:26 PM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.

: Client host rejected: Resource unavailable - listed by external RBL http://info.webtv.net/spam/index.html#209.106.228.53 >

Mail delivery failure – Connection Dropped – NO *500 series permanent failure errors*

Subject: Delivery Status Notification (Delay)

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

[email protected]

Mail delivery failure – no such user

Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 9/26/2008 9:05 AM

The following recipient(s) cannot be reached:

[email protected] on 9/26/2008 9:05 AM
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.

Mail delivery failure – no such user

did not reach the following recipient(s):

[email protected] on Tue, 7 Oct 2008 21:15:37 -0500

The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.

< mxtip01-mizzou-out.um.umsystem.edu #5.0.0 smtp; 5.1.0 - Unknown address error 550-'#5.1.0 Address rejected [email protected]' (delivery attempts: 0)>

Mail delivery failure – no such user

Troubleshooting: Google the recipient’s last name & domain and/or “specialty” to find new email addresses, e.g. with search terms such as:

@harvard.edu smith smith@ swine genetics DNA mailto:

Mail delivery failure – recipient content filter blocks

The following recipient(s) could not be reached:

[email protected] on 10/14/2008 8:11 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.

< smtp.mail.drexel.edu #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 during .: Error: Message content rejected (in reply to end of DATA command)>

Mail delivery failure – recipient content filter blocks

• One sentence test msg – to prove mail *can be* delivered
• “Divide & Conquer” technique to slip past foreign filters
  – Cut msg in half – send both halves
  – If one half fails – divide *it* in half & send again
  – Repeat as necessary until either the full message is delivered or you can determine the phrase or phrases which have offended the recipient system’s mail filters.
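The “Divide & Conquer” procedure is a bisection, and it can be scripted so the halving and bookkeeping are not done by hand. The block below is an added example, not from the presentation; the remote filter is a constructed keyword list so it runs offline, and the message body is constructed too. To use it for real, swap constructed_filter() for a function that mails the given paragraphs and returns False when a ‘550 Message content rejected’ bounce comes back. It also skips the slide’s redundant re-send of a half already known to fail, which matters when every probe is a real test message.

```python
"""'Divide & Conquer' against a remote content filter, scripted.

Added example, not from the original presentation. The slide's procedure is
done by hand with real test messages and bounces; here the same bisection is
run against a constructed keyword filter so it works offline.
"""

# Constructed stand-in for the foreign system's content filter.
BLOCKED_PHRASES = ("free pharmacy", "wire transfer")


def constructed_filter(paragraphs):
    """True if the remote side would accept a message made of these paragraphs."""
    text = "\n\n".join(paragraphs).lower()
    return not any(phrase in text for phrase in BLOCKED_PHRASES)


def find_offending_chunks(paragraphs, accepted, known_rejected=False):
    """Bisect until the smallest rejected chunk(s) are found.

    Returns a list of chunks (each a list of paragraphs). A chunk longer than
    one paragraph means its halves pass individually and only fail together
    (a phrase spanning the split, or a size limit), so it cannot be narrowed.
    known_rejected skips re-sending a half that was already seen to bounce.
    """
    if not known_rejected and accepted(paragraphs):
        return []
    if len(paragraphs) == 1:
        return [paragraphs]
    mid = len(paragraphs) // 2
    left, right = paragraphs[:mid], paragraphs[mid:]
    left_ok, right_ok = accepted(left), accepted(right)
    if left_ok and right_ok:
        return [paragraphs]
    chunks = []
    if not left_ok:
        chunks.extend(find_offending_chunks(left, accepted, known_rejected=True))
    if not right_ok:
        chunks.extend(find_offending_chunks(right, accepted, known_rejected=True))
    return chunks


def bisect_message(body, accepted):
    """Split a body into paragraphs; return (offending text chunks, test messages sent)."""
    paragraphs = [p.strip() for p in body.split("\n\n") if p.strip()]
    sends = {"count": 0}

    def counted(parts):
        sends["count"] += 1  # every probe is one test message to the remote site
        return accepted(parts)

    chunks = find_offending_chunks(paragraphs, counted)
    return ["\n\n".join(c) for c in chunks], sends["count"]


# Constructed six-paragraph message; only the fifth paragraph trips the filter.
SAMPLE_BODY = """\
Dear colleague,

Thanks for sending the revised draft of the grant proposal.

I have attached my comments on the methods section.

The budget figures look fine to me.

One of the references points at a free pharmacy advertisement, please fix it.

Best regards,
Pat
"""

if __name__ == "__main__":
    offending, sent = bisect_message(SAMPLE_BODY, constructed_filter)
    print("test messages sent:", sent)
    for chunk in offending:
        print("rejected chunk:", repr(chunk))
```

On the constructed body the search isolates the single offending paragraph in seven test messages instead of sending the full message repeatedly; a real filter may also reject on total size or on a phrase that straddles a split, which is why a multi-paragraph chunk is reported as a unit rather than narrowed further.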

Mail delivery failure – recipient content filter blocks *suspected*

Hello, I’ve been experiencing problems with my e-mails not going through to people. I get e-mails from them, but they do not receive mine. I talked to some other people in my department who say that their e-mail works fine. Have any ideas of what might be going on?

--------

Advise sender to ‘enable delivery & read receipts’ with their outbound messages.

This will tell them whether the messages are being accepted by the remote mail server.

If problems continue, have them try very short, one-line test msgs, to see if they get through.

If short test msgs get through but other messages do not, the odds are strong that the sender’s messages are being filtered by the remote system.

Last resort = send a note to the postmaster & abuse accounts at the failing domains and ask that they check to see what happened to the sender’s messages…

Internal Mail Delivery Failure – Deleted Exchange Mailbox

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

IMCEAex _O=UNIVERSITY+20OF+20MISSOURI_OU=HEALTH+20SCIENCE [email protected]

Efficient Troubleshooting

• Do short, simple test msgs work ?

• Have the sender use delivery & read receipts.

• Full info, sender, recipient, subject, date & headers, headers, headers… (if available).

• Full copy of any error messages.

• Abuse & postmaster accounts.

• Manual Telnet session test to foreign hosts.

Tips & Gotchas

• Rename executable attachments.

• Don’t encrypt (password protect) .zips.

• Don’t let the ‘thread’ run forever… The longer a message the greater chance it will trip a content filter, start new ‘threads’ when appropriate.

• Watch your language… ;)
• Don’t auto-forward mail !
• Compare with OWA.

• Compare with other mail clients, other machines, other Exchange profiles.

Tips & Gotchas

• Phishing & Nigerian Scams Don’t assume your folks couldn’t fall for these…

Future

Messaging ‘explosion’ as handhelds take off, etc… Content size increases as attachments get even larger.

Encryption & authentication becoming ever more important.

More security threats, & “better’ scams…