Message Filtering at UM - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Message Filtering at UM' - Patman
Presentation Transcript

Message Filtering at UM

The good, the bad & the ugly


Overview

  • History

  • Message flows & filtering points

  • Common mail flow errors & diagnostics

  • Efficient Troubleshooting

  • Tips & Gotchas

  • Future


History

  • Antigen for anti-virus since 1999

  • “ORF” for blocking & stats since 2003

  • “IMFTune” for Outlook Junk-mail foldering since 2004

  • Custom MS Windows IIS rules since 2003

  • “Ironport” appliance supersedes ORF as primary blocking tool – Summer, 2008




Sample Ironport Report – Inbound Mail Summary


Incoming Mail Detail – Sorted by Reputation Filtering Blocks





Ironport Internet Header additions – “Absolutely-positive” Spam


Internet header ‘triggers’ to use when writing custom rules

  • X-IRONPORT-SCORE: YES

  • X-IRONPORT-SCORE: SUSPECT

  • X-SBRS: #Value#
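The two stamps above, together with the "check for the Ironport stamp within the headers" step in the mis-foldered-mail slide, can be turned into a small triage routine for a message a user has forwarded. This is an added example, not code from the deck or from the Ironport product; the SBRS threshold of -3.0, the verdict names and the sample messages are constructed assumptions.

```python
import email
from email import policy
from typing import Optional

# Assumed threshold (not from the deck): an X-SBRS reputation below this
# is treated as suspect even when no SUSPECT verdict was stamped.
SBRS_SUSPECT_BELOW = -3.0


def parse_sbrs(value: Optional[str]) -> Optional[float]:
    """X-SBRS carries a numeric SenderBase reputation score, or 'None'."""
    if value is None:
        return None
    try:
        return float(value.strip())
    except ValueError:
        return None  # 'None' or unparsable: no reputation available


def classify(raw_message: str) -> str:
    """Return 'unscanned', 'junk', 'suspect' or 'clean' from the Ironport stamps."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    verdict = (msg.get("X-IRONPORT-SCORE") or "").strip().upper()
    sbrs_header = msg.get("X-SBRS")
    if not verdict and sbrs_header is None:
        # No Ironport stamp at all: the message never crossed the Ironport,
        # so look for a custom rule or another delivery path before blaming it.
        return "unscanned"
    if verdict == "YES":
        return "junk"        # the deck's 'absolutely-positive' spam
    if verdict == "SUSPECT":
        return "suspect"
    sbrs = parse_sbrs(sbrs_header)
    if sbrs is not None and sbrs < SBRS_SUSPECT_BELOW:
        return "suspect"
    return "clean"


# Constructed sample messages (not taken from the deck).
JUNK = "X-IRONPORT-SCORE: YES\nX-SBRS: -7.5\nSubject: hi\n\nbody\n"
SUSPECT = "X-IRONPORT-SCORE: SUSPECT\nX-SBRS: 1.2\nSubject: hi\n\nbody\n"
LOW_REP = "X-SBRS: -4.2\nSubject: hi\n\nbody\n"
NO_REP = "X-SBRS: None\nSubject: hi\n\nbody\n"
UNSCANNED = "Subject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("JUNK", JUNK), ("SUSPECT", SUSPECT), ("LOW_REP", LOW_REP),
                      ("NO_REP", NO_REP), ("UNSCANNED", UNSCANNED)]:
        print(name, "->", classify(raw))
```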





ORF for Exchange – Former primary tool, replaced by the Ironports, still used for some functions.


Outbound Mail Filtering Points


Outbound Traffic – Authentication & anti-virus


Outbound Traffic – Authentication


Outbound Traffic – Segregated Data Streams


Ironport – Outbound traffic assignments





Mail flow errors & diagnostics

  • Mis-foldered mail

  • Mail not received

  • Delivery errors


Mail flow errors & diagnostics

Mis-foldered msgs: Spam in the inbox and/or ‘good mail’ in the Junk Mail Folder

Check for the Ironport stamp within the headers

X-IRONPORT-SCORE:

Check for custom user-created rules.

Report if appropriate; be aware of the 0.1 % failure rate of the IMFTune ‘foldering’ engine.


Mail delivery failure – Missing Mail

This email message is to notify you that your membership to 52-discuss was previously "held" and has now been restored to "normal". This means that you were not receiving mail from '52-discuss'. Your subscription was held because your email address was bouncing a large amount of mail which was sent to it. Your membership has now been restored to "normal", and the listserver program running '52-discuss' will attempt to send you mail. If your email address continues to bounce mail, your subscription will once again be "held". You may want to contact the people responsible for your electronic mail to determine why your email address has been refusing mail.


Mail delivery failure – Missing Mail

  • I’m sorry to have to inform you that your message could not be delivered to one or more recipients.  It’s attached below.

  • For further assistance, please send mail to postmaster.

  • If you do so, please include this problem report.  You can delete your own text from the attached return message.

  • The mail system

  • <[email protected]>: host mxnip01.um.umsystem.edu[209.106.229.21] refused to talk to me: 421 #4.4.5 Too many connections from your host.


Mail delivery failure – Missing mail

Dramatically fewer ‘false-positive’ blocks with the new Ironports

But more difficult to resolve.

May not be able to track lost mail via sender’s email address alone.

‘Source IP’ of the sending mail system is the key to resolving issues.

Check the internet header info of any previously successfully received messages.

Have sender forward any error messages to [email protected] , or to recipient via alternative mail system.

Be patient: if the sending system is normally ‘clean’, the Ironports will eventually allow the traffic to flow in.


Mail delivery failure – RBL blocks

  • The following recipient(s) cannot be reached:

  • [email protected] on 9/30/2008 1:26 PM

  • There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.

  • <um-nsmtpout1.um.umsystem.edu #5.5.0 smtp;556 <um-nsmtpout1.um.umsystem.edu[209.106.228.53]>: Client host rejected: Resource unavailable - listed by external RBL http://info.webtv.net/spam/index.html#209.106.228.53>


Mail delivery failure – Connection Dropped – NO *500 series permanent failure errors*

  • Subject: Delivery Status Notification (Delay)

  • This is an automatically generated Delivery Status Notification.

  • THIS IS A WARNING MESSAGE ONLY.

  • YOU DO NOT NEED TO RESEND YOUR MESSAGE.

  • Delivery to the following recipients has been delayed.

  • [email protected]


Mail delivery failure – no such user

  • Your message did not reach some or all of the intended recipients.

  • Subject: test

  • Sent: 9/26/2008 9:05 AM

  • The following recipient(s) cannot be reached:

  • [email protected] on 9/26/2008 9:05 AM

  • There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.

  • <um-tsmtpout1.um.umsystem.edu #5.5.0 smtp;550 user([email protected]) no exist>


Mail delivery failure – no such user

  • did not reach the following recipient(s):

  • [email protected] on Tue, 7 Oct 2008 21:15:37 -0500

  • The e-mail system was unable to deliver the message, but did not

  • report a specific reason. Check the address and try again. If it still

  • fails, contact your system administrator.

  • < mxtip01-mizzou-out.um.umsystem.edu #5.0.0 smtp; 5.1.0 - Unknown

  • address error 550-'#5.1.0 Address rejected

  • [email protected]' (delivery attempts: 0)>


Mail delivery failure – no such user

Troubleshooting:

Google the recipient’s last name <space> & domain and/or “specialty” to find new email addresses…

@harvard.edu smith

smith@ swine genetics DNA mailto:


Mail delivery failure – recipient content filter blocks

  • The following recipient(s) could not be reached:

  • [email protected] on 10/14/2008 8:11 AM

  • The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.

  • < smtp.mail.drexel.edu #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 during .: Error: Message content rejected (in reply to end of DATA command)>


Mail delivery failure – recipient content filter blocks

  • One sentence test msg – to prove mail *can be* delivered

  • “Divide & Conquer” technique to slip past foreign filters

    • Cut msg in half – send both halves

    • If one half fails – divide *it* in half & send again

    • Repeat as necessary until either the full message is delivered or you can determine the phrase or phrases that have offended the recipient system’s mail filters.


Mail delivery failure – recipient content filter blocks *suspected*

Hello, I’ve been experiencing problems with my e-mails not going through to people.  I get e-mails from them, but they do not receive mine.  I talked to some other people in my department who say that their e-mail works fine.  Have any ideas of what might be going on?

---------

Advise sender to 'enable delivery & read receipts' with their outbound messages.

This will tell them whether the messages are being accepted by the remote mail server.

If problems continue, have them try very short, one line, test msgs - to see if they get thru.

If short test msgs get thru, but not other messages, then odds are strong that her messages are being filtered by the remote system.

Last resort = send a note to the postmaster & abuse accounts at the failing domains and ask that they check to see what happened to her messages...


Internal Mail Delivery Failure – Deleted Exchange Mailbox

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

  IMCEAex-_O=UNIVERSITY+20OF+20MISSOURI_OU=HEALTH+20SCIENCES_CN=REC[email protected]


Efficient Troubleshooting

  • Do short, simple test msgs work ?

  • Have the sender use delivery & read receipts.

  • Full info, sender, recipient, subject, date & headers, headers, headers… (if available).

  • Full copy of any error messages.

  • Abuse & postmaster accounts.

  • Manual Telnet session test to foreign hosts.
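The bounce messages quoted in the delivery-failure slides above differ mainly in their SMTP reply code (4xx transient, the "warning only, do not resend" case, versus 5xx permanent) and in the host and IP that answered, which the deck calls the key to tracking lost mail. The helper below pulls those fields out of a pasted error message so the "full copy of any error messages" step can be triaged consistently. It is an added example, not code from the deck; the reason keywords are assumptions drawn from the quoted bounces, and the sample fragments are quoted from the slides.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SMTP reply code (421, 550, ...) that is not a fragment of an IP address.
CODE_RE = re.compile(r"(?<![\d.])([245]\d\d)(?![\d.])")
# Enhanced status code such as 4.4.5 or 5.1.0.
ESC_RE = re.compile(r"(?<![\d.])([245]\.\d{1,3}\.\d{1,3})(?![\d.])")
# "hostname[ip]" as Postfix-style bounces print the peer that answered.
HOST_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)

# Ordered reason patterns (first match wins); keywords assumed from the deck's bounces.
REASONS = [
    ("rbl", r"\brbl\b|blacklist|blocklist"),      # sending host is listed: reputation issue
    ("content", r"content rejected"),              # remote content filter: divide & conquer
    ("no_such_user", r"no exist|address rejected|user unknown|unknown address"),
    ("throttled", r"too many connections"),        # transient: the sender's MTA will retry
    ("delay", r"delay"),                           # warning only, nothing needs resending
]

@dataclass
class Triage:
    code: Optional[str]
    enhanced: Optional[str]
    host: Optional[str]
    ip: Optional[str]
    kind: str    # temporary (4xx or delay warning), permanent (5xx) or unknown
    reason: str  # one of the REASONS names, or 'other'

def triage_ndr(text: str) -> Triage:
    code = m.group(1) if (m := CODE_RE.search(text)) else None
    enhanced = m.group(1) if (m := ESC_RE.search(text)) else None
    hm = HOST_RE.search(text)
    host, ip = (hm.group(1), hm.group(2)) if hm else (None, None)
    low = text.lower()
    if code is None:
        kind = "temporary" if "delay" in low else "unknown"
    else:
        kind = "temporary" if code.startswith("4") else "permanent"
    reason = next((name for name, pat in REASONS if re.search(pat, low)), "other")
    return Triage(code, enhanced, host, ip, kind, reason)

# Bounce fragments quoted from the deck's slides.
THROTTLED = ("host mxnip01.um.umsystem.edu[209.106.229.21] refused to talk to me: "
             "421 #4.4.5 Too many connections from your host.")
RBL = ("<um-nsmtpout1.um.umsystem.edu #5.5.0 smtp;556 <um-nsmtpout1.um.umsystem.edu"
       "[209.106.228.53]>: Client host rejected: Resource unavailable - listed by "
       "external RBL http://info.webtv.net/spam/index.html#209.106.228.53>")
DELAY = "Delivery Status Notification (Delay): Delivery to the following recipients has been delayed."
```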


Tips & Gotchas

  • Rename executable attachments.

  • Don’t encrypt (password protect) .zips.

  • Don’t let the ‘thread’ run forever… The longer a message the greater chance it will trip a content filter, start new ‘threads’ when appropriate.

  • Watch your language… ;)

  • Don’t auto-forward mail ! <grrr>

  • Compare with OWA.

  • Compare with other mail clients, other machines, other Exchange profiles.


Tips & Gotchas

  • Phishing & Nigerian Scams

    Don’t assume your folks couldn’t fall for these…


Future

Messaging ‘explosion’ as handhelds take off, etc…

Content size increases as attachments get even larger.

Encryption & authentication becoming ever more important.

More security threats, & “better” scams…

