Cisco Email Security Appliance C160 User Guide

13-23
Cisco AsyncOS 9.1 for Email User Guide
 
Chapter 13      Anti-Spam
  Determining Sender IP Address In Deployments with Incoming Relays
mail from the attacking host. To work around this issue and continue receiving messages from the 
incoming relay, add the relay to a sender group with a mail flow policy that has unlimited messages for 
DHAP. 
Incoming Relays and Trace
Trace returns the Incoming Relay’s SenderBase Reputation Score in its results instead of the reputation 
score for the source IP address. 
Incoming Relays and Email Security Monitor (Reporting) 
When using Incoming Relays: 
• Email Security Monitor reports include data for both the external IP and the MX/MTA. For example, 
  if an external machine (IP 7.8.9.1) sent 5 emails through the internal MX/MTA (IP 10.2.3.4), Mail 
  Flow Summary will show 5 messages coming from IP 7.8.9.1 and 5 more coming from the internal 
  relay MX/MTA (IP 10.2.3.5). 
• The SenderBase Reputation score is not reported correctly in the Email Security Monitor reports. 
  Also, sender groups may not be resolved correctly. 
Incoming Relays and Message Tracking
When using Incoming Relays, the Message Tracking Details page displays the relay’s IP address and the 
relay’s SenderBase Reputation Score for a message instead of the IP address and reputation score of the 
original external sender. 
Incoming Relays and Logging 
In the following log example, the SenderBase Reputation score for the sender is reported initially on 
line 1. Later, once the Incoming Relay is processed, the correct SenderBase Reputation score is reported 
on line 5. 
1   Fri Apr 28 17:07:29 2006 Info: ICID 210158 ACCEPT SG UNKNOWNLIST match nx.domain  SBRS rfc1918
2   Fri Apr 28 17:07:29 2006 Info: Start MID 201434 ICID 210158
3   Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 From: <joe@sender.com>
4   Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 RID 0 To: <mary@example.com>
5   Fri Apr 28 17:07:29 2006 Info: MID 201434 IncomingRelay(senderdotcom): Header Received found, IP 192.192.108.1 being used, SBRS 6.8
6   Fri Apr 28 17:07:29 2006 Info: MID 201434 Message-ID '<7.0.1.0.2.20060428170643.0451be40@sender.com>'
7   Fri Apr 28 17:07:29 2006 Info: MID 201434 Subject 'That report...'
8   Fri Apr 28 17:07:29 2006 Info: MID 201434 ready 2367 bytes from <joe@sender.com>
9   Fri Apr 28 17:07:29 2006 Info: MID 201434 matched all recipients for per-recipient policy DEFAULT in the inbound table
10  Fri Apr 28 17:07:34 2006 Info: ICID 210158 close
11  Fri Apr 28 17:07:35 2006 Info: MID 201434 using engine: CASE spam negative
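
When these logs are fed to a SIEM or triage script, the connection-level SBRS on the ICID line must not be treated as the sender's reputation once an IncomingRelay line exists for the same message. The following Python sketch is an added example, not part of the Cisco guide. It assumes log lines shaped exactly like the sample above, and the function names are hypothetical.

```python
import re

# Lines taken from the log example above (wrapped lines joined, line numbers dropped).
SAMPLE_LOG = """\
Fri Apr 28 17:07:29 2006 Info: ICID 210158 ACCEPT SG UNKNOWNLIST match nx.domain  SBRS rfc1918
Fri Apr 28 17:07:29 2006 Info: Start MID 201434 ICID 210158
Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 From: <joe@sender.com>
Fri Apr 28 17:07:29 2006 Info: MID 201434 IncomingRelay(senderdotcom): Header Received found, IP 192.192.108.1 being used, SBRS 6.8
Fri Apr 28 17:07:34 2006 Info: ICID 210158 close
"""

# Patterns cover only the line shapes shown in the example (assumption).
CONN = re.compile(r"ICID (\d+) ACCEPT SG (\S+) match (\S+)\s+SBRS (\S+)")
START = re.compile(r"Start MID (\d+) ICID (\d+)")
RELAY = re.compile(r"MID (\d+) IncomingRelay\(([^)]+)\): .*?IP (\S+) being used, SBRS (\S+)")

def effective_reputation(log_text):
    """Return {mid: record}; an IncomingRelay line overrides the connection-level SBRS."""
    conns, msgs = {}, {}
    for line in log_text.splitlines():
        if m := CONN.search(line):
            conns[m[1]] = {"sender_group": m[2], "sbrs": m[4]}
        elif m := START.search(line):
            c = conns.get(m[2], {})
            msgs[m[1]] = {"icid": m[2], "relay": None, "ip": None,
                          "connection_sbrs": c.get("sbrs"), "sbrs": c.get("sbrs")}
        elif m := RELAY.search(line):
            rec = msgs.setdefault(m[1], {"icid": None, "connection_sbrs": None})
            rec.update(relay=m[2], ip=m[3], sbrs=m[4])
    return msgs

def relayed_mids(msgs):
    """MIDs whose sender IP and SBRS were taken from a header by an Incoming Relay."""
    return sorted(mid for mid, r in msgs.items() if r["relay"])
```

For MID 201434 the record keeps `rfc1918` as the connection-level value and reports 192.192.108.1 with SBRS 6.8 as the effective sender.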