
Message Filtering at UM


Presentation Transcript


  1. Message Filtering at UM The good, the bad & the ugly

  2. Overview • History • Message flows & filtering points • Common mail flow errors & diagnostics • Efficient Troubleshooting • Tips & Gotchas • Future

  3. History • Antigen for anti-virus since 1999 • “ORF” for blocking & stats since 2003 • “IMFTune” for Outlook Junk-mail foldering since 2004 • Custom MS Windows IIS rules since 2003 • “Ironport” appliance supersedes ORF as primary blocking tool – Summer, 2008

  4. Inbound Mail Filtering Points

  5. Ironport Inbound Filtering

  6. Sample Ironport Report: Inbound Mail Summary

  7. Incoming Mail Detail: Sorted by Reputation Filtering Blocks

  8. Ironport Message Tracking Tools

  9. Ironport treatment of “Absolute” & “Suspected” Spam

  10. Ironport Internet Header additions: “Suspected” Spam

  11. Ironport Internet Header additions: “Absolutely-positive” Spam

  12. Internet header ‘triggers’ to use when writing custom rules • X-IRONPORT-SCORE: YES • X-IRONPORT-SCORE: SUSPECT • X-SBRS: #Value#

  13. Exchange Inbound Filtering

  14. Antigen for Exchange – ‘Quarantine’ of Viruses, Executables & Chain mail

  15. IMFTune for Exchange – Junk Mail ‘auto-foldering’

  16. ORF for Exchange – Former primary tool, replaced by the Ironports, still used for some functions.

  17. Outbound Mail Filtering Points

  18. Outbound Traffic – Authentication & anti-virus

  19. Outbound Traffic – Authentication

  20. Outbound Traffic – Segregated Data Streams

  21. Ironport – Outbound traffic assignments

  22. Yahoo msg header showing source IP as 209.106.229.47 for mst.edu senders

  23. Yahoo msg header showing source IP as 209.106.229.53 for missouri.edu senders

  24. *Why* we use multiple outbound streams via different IP addresses & host names

  25. Mail flow errors & diagnostics • Mis-foldered mail • Mail not received • Delivery errors

  26. Mail flow errors & diagnostics – Mis-foldered msgs • Spam in the inbox and/or ‘good mail’ in the Junk Mail Folder • Check for the Ironport stamp (X-IRONPORT-SCORE:) within the headers • Check for custom user-created rules • Report if appropriate; be aware of the 0.1 % failure rate of the IMFTune ‘foldering’ engine.
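Added example, not code from the presentation: a Python check that reads the header triggers listed on slide 12 and returns the foldering outcome the slides describe, plus a "missing" result for the slide 26 case where no Ironport stamp is present at all. The sample message, the recipient domains and the SBRS floor of -3.0 are assumptions, not UM's actual policy values.

```python
import email
from email import policy

# Constructed sample message: the header names X-IRONPORT-SCORE and X-SBRS are
# the triggers from slide 12; the values, addresses and hostnames are made up.
SAMPLE_SUSPECT = """\
Received: from mx-placeholder.example.edu by mail.example.edu
X-IRONPORT-SCORE: SUSPECT
X-SBRS: -2.3
From: sender@example.net
To: user@example.edu
Subject: quarterly report

body
"""

def ironport_verdict(raw_message, sbrs_floor=-3.0):
    """Return the foldering decision for one message from its Ironport stamps.

    'junk'    : X-IRONPORT-SCORE: YES  (the "absolutely-positive" spam case)
    'suspect' : X-IRONPORT-SCORE: SUSPECT, or an X-SBRS reputation at or below
                sbrs_floor (the floor is an assumed local threshold)
    'missing' : no Ironport stamp, i.e. the message never crossed the Ironports,
                so custom user-created rules are the next thing to check
    'inbox'   : stamped and clean
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    score = str(msg.get("X-IRONPORT-SCORE") or "").strip().upper()
    sbrs = msg.get("X-SBRS")
    if not score and sbrs is None:
        return "missing"
    if score == "YES":
        return "junk"
    if score == "SUSPECT":
        return "suspect"
    if sbrs is not None:
        try:
            if float(str(sbrs).strip()) <= sbrs_floor:
                return "suspect"
        except ValueError:
            pass  # unparseable reputation value: rely on X-IRONPORT-SCORE alone
    return "inbox"
```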

  27. Mail delivery failure – Missing Mail This email message is to notify you that your membership to 52-discuss was previously "held" and has now been restored to "normal". This means that you were not receiving mail from '52-discuss'. Your subscription was held because your email address was bouncing a large amount of mail which was sent to it. Your membership has now been restored to "normal", and the list server program running '52-discuss' will attempt to send you mail. If your email address continues to bounce mail, your subscription will once again be "held". You may want to contact the people responsible for your electronic mail to determine why your email address has been refusing mail.

  28. Mail delivery failure – Missing Mail • I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below. • For further assistance, please send mail to postmaster. • If you do so, please include this problem report. You can delete your own text from the attached return message. • The mail system • <RECIPIENT@mst.edu>: host mxnip01.um.umsystem.edu[209.106.229.21] refused to talk to me: 421 #4.4.5 Too many connections from your host.

  29. Mail delivery failure – Missing mail • Dramatically fewer ‘false-positive’ blocks with the new Ironports, but more difficult to resolve. • May not be able to track lost mail via the sender’s email address alone; the ‘source IP’ of the sending mail system is the key to resolving issues. • Check the internet header info of any previously successfully received messages. • Have the sender forward any error messages to postmaster@SM.missouri.edu, or to the recipient via an alternative mail system. • Be patient: if the sending system is normally ‘clean’, the Ironports will eventually allow the traffic to flow in.

  30. Mail delivery failure – RBL blocks • The following recipient(s) cannot be reached: • crcurry@webtv.net on 9/30/2008 1:26 PM • There was a SMTP communication problem with the recipient's email server. Please contact your system administrator. • <um-nsmtpout1.um.umsystem.edu #5.5.0 smtp;556 <um-nsmtpout1.um.umsystem.edu[209.106.228.53]>: Client host rejected: Resource unavailable - listed by external RBL http://info.webtv.net/spam/index.html#209.106.228.53>

  31. Mail delivery failure – Connection Dropped – NO *500 series permanent failure errors* • Subject: Delivery Status Notification (Delay) • This is an automatically generated Delivery Status Notification. • THIS IS A WARNING MESSAGE ONLY. • YOU DO NOT NEED TO RESEND YOUR MESSAGE. • Delivery to the following recipients has been delayed. • tdubose84@tampabay.rr.com

  32. Mail delivery failure – no such user • Your message did not reach some or all of the intended recipients. • Subject: test • Sent: 9/26/2008 9:05 AM • The following recipient(s) cannot be reached: • usedu@canachieve.com.cn on 9/26/2008 9:05 AM • There was a SMTP communication problem with the recipient's email server. Please contact your system administrator. • <um-tsmtpout1.um.umsystem.edu #5.5.0 smtp;550 user(usedu@canachieve.com.cn) no exist>

  33. Mail delivery failure – no such user • did not reach the following recipient(s): • bill.schulze@business.utah.edu on Tue, 7 Oct 2008 21:15:37 -0500 • The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator. • < mxtip01-mizzou-out.um.umsystem.edu #5.0.0 smtp; 5.1.0 - Unknown address error 550-'#5.1.0 Address rejected bill.schulze@business.utah.edu' (delivery attempts: 0)>

  34. Mail delivery failure – no such user • Troubleshooting: Google the recipient’s last name <space> & domain and/or “specialty” to find new email addresses… (example search terms: @harvard.edu smith, smith@, swine genetics DNA, mailto:)

  35. Mail delivery failure – recipient content filter blocks • The following recipient(s) could not be reached: • jonesdb@drexel.edu on 10/14/2008 8:11 AM • The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator. • < smtp.mail.drexel.edu #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 during .: Error: Message content rejected (in reply to end of DATA command)>
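As an added example (not part of the slides), a small classifier that applies the triage of slides 28 through 35 to DSN excerpts: delay notices and 4xx replies are transient, a 5.1.x code or "no exist" is a bad address, and RBL or content rejections are blocks imposed by the receiving side. The excerpts are constructed after the quoted bounces; the hostnames are the ones the slides show, recipient addresses are placeholders.

```python
import re

# DSN excerpts constructed after the bounces quoted on slides 28 and 30-35;
# hostnames are those shown on the slides, recipient addresses are placeholders.
SAMPLES = {
    "throttled": "host mxnip01.um.umsystem.edu[209.106.229.21] refused to talk to me: "
                 "421 #4.4.5 Too many connections from your host.",
    "rbl": "<um-nsmtpout1.um.umsystem.edu #5.5.0 smtp;556 <um-nsmtpout1.um.umsystem.edu"
           "[209.106.228.53]>: Client host rejected: Resource unavailable - listed by external RBL>",
    "no_user": "<um-tsmtpout1.um.umsystem.edu #5.5.0 smtp;550 user(someone@example.invalid) no exist>",
    "bad_addr": "< mxtip01-mizzou-out.um.umsystem.edu #5.0.0 smtp; 5.1.0 - Unknown address error "
                "550-'#5.1.0 Address rejected someone@example.invalid' (delivery attempts: 0)>",
    "content": "< smtp.example.invalid #5.0.0 X-Postfix; host 127.0.0.1[127.0.0.1] said: "
               "550 during .: Error: Message content rejected (in reply to end of DATA command)>",
    "delay": "THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. "
             "Delivery to the following recipients has been delayed.",
}

# Lookarounds stop the matchers from reading octets of an IP such as 209.106.229.21
# as a three-digit SMTP reply code or as a dotted enhanced status code.
REPLY_RE = re.compile(r"(?<![\d.])([245])\d\d(?![\d.])")
ENHANCED_RE = re.compile(r"(?<![\d.])([245])\.(\d{1,3})\.(\d{1,3})(?![\d.])")

def classify_bounce(text):
    """Return (kind, next_step) for a DSN excerpt, following the slides' triage:
    delay warnings and 4xx replies are transient, 5.1.x or 'no exist' is a bad
    address, RBL and content rejections are blocks on the receiving side."""
    t = text.lower()
    if "delayed" in t or "warning message only" in t:
        return ("transient", "temporary delay, no resend needed; wait for the retry")
    enhanced = ENHANCED_RE.findall(text)
    reply = REPLY_RE.search(text)
    klass = reply.group(1) if reply else (enhanced[0][0] if enhanced else None)
    if klass == "4":
        return ("transient", "remote host throttled us; note the source IP and retry later")
    if klass != "5":
        return ("unknown", "collect the full error text and the message headers")
    if (any(e[0] == "5" and e[1] == "1" for e in enhanced) or "no exist" in t
            or ("unknown" in t and "address" in t)):
        return ("bad_address", "verify the recipient address before resending")
    if "rbl" in t or "client host rejected" in t:
        return ("rbl_block", "our sending IP is listed; check the RBL named in the bounce")
    if "content rejected" in t:
        return ("content_filter", "recipient-side content filter; try a one-line test message")
    return ("permanent", "read the receiving server's reply text")
```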

  36. Mail delivery failure – recipient content filter blocks • One sentence test msg – to prove mail *can be* delivered • “Divide & Conquer” technique to slip past foreign filters • Cut msg in half – send both halves • If one half fails – divide *it* in half & send again • Repeat as necessary until either the full message is delivered or you can determine the phrase or phrases which has offended the recipient system’s mail filters.

  37. Mail delivery failure – recipient content filter blocks *suspected* Hello, I’ve been experiencing problems with my e-mails not going through to people.  I get e-mails from them, but they do not receive mine.  I talked to some other people in my department who say that their e-mail works fine.  Have any ideas of what might be going on? --------- Advise sender to 'enable delivery & read receipts' with their outbound messages. This will tell them whether the messages are being accepted by the remote mail server. If problems continue, have them try very short, one line, test msgs - to see if they get thru. If short test msgs get thru, but not other messages, then odds are strong that her messages are being filtered by the remote system. Last resort = send a note to the postmaster & abuse accounts at the failing domains and ask that they check to see what happened to her messages...

  38. Internal Mail Delivery Failure – Deleted Exchange Mailbox This is an automatically generated Delivery Status Notification. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. Delivery to the following recipients has been delayed.   IMCEAex-_O=UNIVERSITY+20OF+20MISSOURI_OU=HEALTH+20SCIENCES_CN=RECIPIENTS_CN=5845@missouri.edu

  39. Efficient Troubleshooting • Do short, simple test msgs work? • Have the sender use delivery & read receipts. • Full info: sender, recipient, subject, date & headers, headers, headers… (if available). • Full copy of any error messages. • Abuse & postmaster accounts. • Manual Telnet session test to foreign hosts.

  40. Tips & Gotchas • Rename executable attachments. • Don’t encrypt (password protect) .zips. • Don’t let the ‘thread’ run forever… The longer a message the greater chance it will trip a content filter, start new ‘threads’ when appropriate. • Watch your language… ;) • Don’t auto-forward mail ! <grrr> • Compare with OWA. • Compare with other mail clients, other machines, other Exchange profiles.

  41. Tips & Gotchas • Phishing & Nigerian Scams Don’t assume your folks couldn’t fall for these…

  42. Future • Messaging ‘explosion’ as handhelds take off, etc… • Content size increases as attachments get even larger. • Encryption & authentication becoming ever more important. • More security threats, & ‘better’ scams…
