Cisco Email Security Appliance C650 User Guide
13-22
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 13 Anti-Spam
Determining Sender IP Address In Deployments with Incoming Relays
Incoming Relays, HAT, SBRS, and Sender Groups
HAT policy groups do not currently use information from Incoming Relays. However, because the Incoming Relays feature does supply the SenderBase Reputation score, you can simulate HAT policy group functionality via message filters and the $reputation variable.
Incoming Relays and Directory Harvest Attack Prevention
If a remote host attempts a directory harvest attack by sending messages to the MX or MTA serving as
an incoming relay on your network, the appliance drops the connection from the incoming relay if the
relay is assigned to a sender group with a mail flow policy with Directory Harvest Attack Prevention
(DHAP) enabled. This prevents all messages from the relay, including legitimate messages, from
reaching the Email Security appliance. The appliance does not have the opportunity to recognize the
remote host as the attacker and the MX or MTA that’s acting as the incoming relay continues to receive
mail from the attacking host. To work around this issue and continue receiving messages from the
incoming relay, add the relay to a sender group with a mail flow policy that has unlimited messages for
DHAP.
Incoming Relays and Trace
Trace returns the Incoming Relay’s SenderBase Reputation Score in its results instead of the reputation score for the source IP address.
Incoming Relays and Email Security Monitor (Reporting)
When using Incoming Relays:
• Email Security Monitor reports include data for both the external IP and the MX/MTA. For example, if an external machine (IP 7.8.9.1) sent 5 emails through the internal MX/MTA (IP 10.2.3.4), Mail Flow Summary will show 5 messages coming from IP 7.8.9.1 and 5 more coming from the internal relay MX/MTA (IP 10.2.3.5).
• The SenderBase Reputation score is not reported correctly in the Email Security Monitor reports. Also, sender groups may not be resolved correctly.
Incoming Relays and Message Tracking
When using Incoming Relays, the Message Tracking Details page displays the relay’s IP address and the relay’s SenderBase Reputation Score for a message instead of the IP address and reputation score of the original external sender.
Incoming Relays and Logging
In the following log example, the SenderBase Reputation score for the sender is reported initially on line 1. Later, once the Incoming Relay is processed, the correct SenderBase Reputation score is reported on line 5.
1 Fri Apr 28 17:07:29 2006 Info: ICID 210158 ACCEPT SG UNKNOWNLIST match nx.domain SBRS rfc1918
2 Fri Apr 28 17:07:29 2006 Info: Start MID 201434 ICID 210158
3 Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 From: <joe@sender.com>
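As an added example (not code from the Cisco guide), the following Python parses mail-log lines in the style above and, for each MID, prefers the IP and SBRS re-reported by the Incoming Relay entry over the connection-level score from the ICID ACCEPT line, so that a reputation check is never made against the relay's own 'rfc1918' marker. The sample log is constructed: lines 1 to 3 mirror the guide's example, while the RID line and the IncomingRelay line (whose exact wording is assumed, not taken from this page) stand in for lines 4 and 5.

```python
import re
from typing import Dict, Optional

# Constructed sample in the AsyncOS mail-log style. Lines 1-3 mirror the
# guide's example; lines 4-5 are assumed (the IncomingRelay wording is not
# taken from this page) and show the later, corrected IP and SBRS.
SAMPLE_LOG = """\
Fri Apr 28 17:07:29 2006 Info: ICID 210158 ACCEPT SG UNKNOWNLIST match nx.domain SBRS rfc1918
Fri Apr 28 17:07:29 2006 Info: Start MID 201434 ICID 210158
Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 From: <joe@sender.com>
Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 RID 0 To: <mary@example.com>
Fri Apr 28 17:07:29 2006 Info: MID 201434 IncomingRelay(relay1): Header Received found, IP 7.8.9.1 being used, SBRS -6.3
"""

ICID_RE = re.compile(r"ICID (\d+) ACCEPT .*? SBRS (\S+)")
START_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
RELAY_RE = re.compile(
    r"MID (\d+) IncomingRelay\(([^)]*)\):.*?IP (\S+) being used, SBRS (\S+)")


def effective_sbrs(log_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Per MID, the IP and SBRS that reputation decisions should be based on.

    The ICID ACCEPT line carries the score of the host that connected, i.e. the
    relay ('rfc1918' here, a private address). If an IncomingRelay line appears
    later for the MID, its IP and SBRS replace the connection-level values;
    otherwise the connection-level score is all the appliance had.
    """
    icid_sbrs: Dict[str, str] = {}
    result: Dict[str, Dict[str, Optional[str]]] = {}
    for line in log_text.splitlines():
        if m := ICID_RE.search(line):
            icid_sbrs[m.group(1)] = m.group(2)
        elif m := START_RE.search(line):
            mid, icid = m.groups()
            result[mid] = {"ip": None, "sbrs": icid_sbrs.get(icid), "source": "icid"}
        elif m := RELAY_RE.search(line):
            mid, relay, ip, sbrs = m.groups()
            entry = result.setdefault(mid, {"ip": None, "sbrs": None, "source": "icid"})
            entry.update({"ip": ip, "sbrs": sbrs, "source": "relay:" + relay})
    return result


def sbrs_below(sbrs: Optional[str], threshold: float) -> bool:
    """True only for a numeric score below threshold; markers such as
    'rfc1918' or a missing score never trigger a reputation-based action."""
    try:
        return float(sbrs) < threshold
    except (TypeError, ValueError):
        return False
```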