Message Filtering at UM - PowerPoint PPT Presentation

Slides: 43
Provided by: installa
Title: Message Filtering at UM


1
Message Filtering at UM
  • The good, the bad & the ugly

2
Overview
  • History
  • Message flows & filtering points
  • Common mail flow errors & diagnostics
  • Efficient Troubleshooting
  • Tips & Gotchas
  • Future

3
History
  • Antigen for anti-virus since 1999
  • ORF for blocking & stats since 2003
  • IMFTune for Outlook Junk-mail foldering since 2004
  • Custom MS Windows IIS rules since 2003
  • Ironport appliance supersedes ORF as primary blocking tool: Summer, 2008

4
Inbound Mail Filtering Points

5
Ironport Inbound Filtering

6
Sample Ironport Report: Inbound Mail Summary

7
Incoming Mail Detail: Sorted by Reputation Filtering Blocks

8
Ironport Message Tracking Tools

9
Ironport treatment of Absolute & Suspected Spam

10
Ironport Internet Header additions: Suspected Spam

11
Ironport Internet Header additions: Absolutely-positive Spam

12
Internet header triggers to use when writing custom rules
  • X-IRONPORT-SCORE: YES
  • X-IRONPORT-SCORE: SUSPECT
  • X-SBRS: Value

13
Exchange Inbound Filtering

14
Antigen for Exchange: Quarantine of Viri, Executables & Chain mail

15
IMFTune for Exchange: Junk Mail auto-foldering

16
ORF for Exchange: Former primary tool, replaced by the Ironports, still used for some functions.

17
Outbound Mail Filtering Points

18
Outbound Traffic: Authentication & anti-virus

19
Outbound Traffic: Authentication

20
Outbound Traffic: Segregated Data Streams

21
Ironport Outbound traffic assignments

22
Yahoo msg header showing source IP as 209.106.229.47 for mst.edu senders

23
Yahoo msg header showing source IP as 209.106.229.53 for missouri.edu senders

24
Why we use multiple outbound streams via different IP addresses & host names

25
Mail flow errors & diagnostics
  • Mis-foldered mail
  • Mail not received
  • Delivery errors

26
Mail flow errors & diagnostics
  • Mis-foldered msgs: Spam in the inbox and/or good
    mail in the Junk Mail Folder
  • Check for the Ironport stamp within the headers
  • X-IRONPORT-SCORE
  • Check for custom user-created rules.
  • Report if appropriate, be aware of the 0.1
    failure rate of the IMFTune foldering engine.

27
Mail delivery failure: Missing Mail
  • This email message is to notify you that your
    membership to 52-discuss was previously "held"
    and has now been restored to "normal". This
    means that you were not receiving mail from
    '52-discuss'. Your subscription was held because
    your email address was bouncing a large amount of
    mail which was sent to it. Your membership has
    now been restored to "normal", and the
    listserver program running '52-discuss' will
    attempt to send you mail. If your email address
    continues to bounce mail, your subscription
    will once again be "held". You may want to
    contact the people responsible for your
    electronic mail to determine why your email
    address has been refusing mail.

28
Mail delivery failure: Missing Mail
  • I'm sorry to have to inform you that your message
    could not be delivered to one or more recipients.
    It's attached below.
  • For further assistance, please send mail to
    postmaster.
  • If you do so, please include this problem report.
    You can delete your own text from the attached
    return message.
  • The mail system
  • <RECIPIENT_at_mst.edu> host mxnip01.um.umsystem.edu
    209.106.229.21 refused to talk to me 421 4.4.5
    Too many connections from your host.

29
Mail delivery failure: Missing mail
  • Dramatically fewer false-positive blocks with
    the new Ironports
  • But more difficult to resolve.
  • May not be able to track lost mail via sender's
    email address alone.
  • Source IP of the sending mail system is the key
    to resolving issues.
  • Check the internet header info of any previously
    successfully received messages.
  • Have sender forward any error messages to
    postmaster_at_SM.missouri.edu, or to recipient via
    alternative mail system.
  • Be patient, if the sending system is normally
    clean, the Ironports will eventually allow the
    traffic to flow in.
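
The header checks from slides 12, 26 and 29, as an added example that is not part of the original presentation: it reads the Ironport stamps and pulls the sending system's IP from the Received chain. The header names are the ones on the slides; the sample message, the "Name: value" layout, the host names and the INTERNAL range are assumptions.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumption: address ranges of our own mail hops (placeholder value).
INTERNAL = [ip_network("10.0.0.0/8")]
IP_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample. Header names come from the slides; the values, hosts
# and the "Name: value" layout are assumptions.
SAMPLE = """\
Received: from gateway.example.edu ([10.0.0.5]) by exch01.example.edu;
 Tue, 7 Oct 2008 09:15:40 -0500
Received: from mail.sender.example ([192.0.2.25]) by gateway.example.edu;
 Tue, 7 Oct 2008 09:15:37 -0500
X-IRONPORT-SCORE: SUSPECT
X-SBRS: -2.1
From: someone@sender.example
Subject: quarterly report

body text
"""

def source_ip(msg):
    """First non-internal IP, reading Received headers newest hop first."""
    for hop in msg.get_all("Received", []):
        for text in IP_RE.findall(hop):
            try:
                ip = ip_address(text)
            except ValueError:          # not a valid address, e.g. 999.1.1.1
                continue
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def triage(raw):
    """Collect the fields a mis-foldered or missing-mail report needs."""
    msg = message_from_string(raw)
    score = (msg.get("X-IRONPORT-SCORE") or "").strip().upper() or None
    try:
        sbrs = float(msg.get("X-SBRS", ""))
    except ValueError:                  # header absent or not numeric
        sbrs = None
    if score in ("YES", "SUSPECT"):
        note = "gateway stamped the message as spam; Junk Mail foldering is expected"
    else:
        note = "no spam stamp; if it was foldered as junk, check user-created rules"
    return {"score": score, "sbrs": sbrs, "source_ip": source_ip(msg), "note": note}
```

Only the hop written by your own gateway is trustworthy; Received lines below it are supplied by the sender and can be forged.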

30
Mail delivery failure: RBL blocks
  • The following recipient(s) cannot be reached:
  • crcurry_at_webtv.net on 9/30/2008 1:26 PM
  • There was a SMTP communication
    problem with the recipient's email server.
    Please contact your system administrator.
  • <um-nsmtpout1.um.umsystem.edu 5.5.0
    smtp556 <um-nsmtpout1.um.umsystem.edu209.106.228.53>
    Client host rejected Resource unavailable
    - listed by external RBL
    http://info.webtv.net/spam/index.html209.106.228.53>

31
Mail delivery failure: Connection Dropped, NO 500 series permanent failure errors
  • Subject: Delivery Status Notification (Delay)
  • This is an automatically generated Delivery
    Status Notification.
  • THIS IS A WARNING MESSAGE ONLY.
  • YOU DO NOT NEED TO RESEND YOUR MESSAGE.
  • Delivery to the following recipients has
    been delayed.
  • tdubose84_at_tampabay.rr.com

32
Mail delivery failure: no such user
  • Your message did not reach some or all of the
    intended recipients.
  • Subject: test
  • Sent: 9/26/2008 9:05 AM
  • The following recipient(s) cannot be reached:
  • usedu_at_canachieve.com.cn on 9/26/2008 9:05 AM
  • There was a SMTP communication
    problem with the recipient's email server.
    Please contact your system administrator.
  • <um-tsmtpout1.um.umsystem.edu 5.5.0
    smtp550 user(usedu_at_canachieve.com.cn) no exist>

33
Mail delivery failure: no such user
  • did not reach the following recipient(s):
  • bill.schulze_at_business.utah.edu on Tue, 7 Oct 2008
    21:15:37 -0500
  • The e-mail system was unable to deliver the
    message, but did not report a specific reason.
    Check the address and try again. If it still
    fails, contact your system administrator.
  • <mxtip01-mizzou-out.um.umsystem.edu 5.0.0
    smtp 5.1.0 - Unknown address error 550-'5.1.0
    Address rejected bill.schulze_at_business.utah.edu'
    (delivery attempts 0)>

34
Mail delivery failure: no such user
  • Troubleshooting
  • Google the recipient's last name <space> domain
    and/or specialty to find new email addresses
  • _at_harvard.edu smith
  • smith_at_ swine genetics DNA mailto

35
Mail delivery failure: recipient content filter blocks
  • The following recipient(s) could not be reached:
  • jonesdb_at_drexel.edu on 10/14/2008 8:11 AM
  • The e-mail system was unable to deliver the
    message, but did not report a specific reason.
    Check the address and try again. If it still
    fails, contact your system administrator.
  • <smtp.mail.drexel.edu 5.0.0 X-Postfix host
    127.0.0.1127.0.0.1 said 550 during .
    Error Message content rejected (in reply to end
    of DATA command)>

36
Mail delivery failure: recipient content filter blocks
  • One sentence test msg to prove mail can be
    delivered
  • Divide & Conquer technique to slip past foreign
    filters
  • Cut msg in half & send both halves
  • If one half fails, divide it in half & send
    again
  • Repeat as necessary until either the full message
    is delivered or you can determine the phrase or
    phrases which have offended the recipient system's
    mail filters.

37
Mail delivery failure: recipient content filter blocks suspected
  • Hello, I've been experiencing problems with my
    e-mails not going through to people.  I get
    e-mails from them, but they do not receive mine.
    I talked to some other people in my department
    who say that their e-mail works fine.  Have any
    ideas of what might be going on?
  • ---------
  • Advise sender to 'enable delivery & read
    receipts' with their outbound messages.
  • This will tell them whether the messages are
    being accepted by the remote mail server.
  • If problems continue, have them try very short,
    one line, test msgs - to see if they get thru.
  • If short test msgs get thru, but not other
    messages, then odds are strong that her messages
    are being filtered by the remote system.
  • Last resort: send a note to the postmaster &
    abuse accounts at the failing domains and ask
    that they check to see what happened to her
    messages...

38
Internal Mail Delivery Failure: Deleted Exchange Mailbox
  • This is an automatically generated Delivery
    Status Notification.
  • THIS IS A WARNING MESSAGE ONLY.
  • YOU DO NOT NEED TO RESEND YOUR MESSAGE.
  • Delivery to the following recipients has been
    delayed.
  • IMCEAex-_OUNIVERSITY20OF20MISSOURI_OUHEALTH20SCIENCES_CNRECIPIENTS_CN5845_at_missouri.edu

39
Efficient Troubleshooting
  • Do short, simple test msgs work?
  • Have the sender use delivery & read receipts.
  • Full info: sender, recipient, subject, date &
    headers, headers, headers (if available).
  • Full copy of any error messages.
  • Abuse & postmaster accounts.
  • Manual Telnet session test to foreign hosts.
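
A first-pass sorter for the error text in the bounce samples on the earlier slides, as an added example that is not part of the original presentation: it pulls the SMTP reply code and enhanced status code out of a diagnostic line, separates transient (4xx) from permanent (5xx) failures, and attaches a likely cause. The sample lines are adapted from the slides as they appear in this transcript with recipient addresses removed; the cause labels and keyword list are assumptions.

```python
import re

# SMTP reply code (RFC 5321) and enhanced status code (RFC 3463); the
# look-arounds keep octets of IP addresses from matching.
REPLY = re.compile(r"(?<![\d.])[245]\d\d(?![\d.])")
ENHANCED = re.compile(r"(?<![\d.])[245]\.\d{1,3}\.\d{1,3}(?![\d.])")

# Keyword hints, checked in order; wording follows the samples on the slides.
CAUSES = [
    (r"too many connections", "rate limit at the receiving host"),
    (r"\brbl\b", "sending IP is on a blocklist"),
    (r"content rejected", "recipient content filter"),
    (r"no exist|address rejected", "no such user"),
    (r"delayed", "delay notice, sending server is still retrying"),
]

# Diagnostic lines adapted from the slides (recipient addresses removed).
SAMPLES = [
    "host mxnip01.um.umsystem.edu 209.106.229.21 refused to talk to me 421 4.4.5 Too many connections from your host.",
    "5.5.0 smtp556 209.106.228.53 Client host rejected Resource unavailable - listed by external RBL",
    "5.5.0 smtp550 user no exist",
    "5.0.0 smtp 5.1.0 - Unknown address error 550-'5.1.0 Address rejected",
    "5.0.0 X-Postfix host 127.0.0.1 said 550 Error Message content rejected (in reply to end of DATA command)",
    "Delivery to the following recipients has been delayed.",
]

def classify(text):
    """Return reply code, enhanced codes, failure kind and a likely cause."""
    reply = REPLY.search(text)
    enhanced = list(dict.fromkeys(ENHANCED.findall(text)))   # de-duplicate, keep order
    lead = reply.group(0)[0] if reply else (enhanced[0][0] if enhanced else None)
    kind = {"2": "success", "4": "transient", "5": "permanent"}.get(lead, "unknown")
    cause = next((label for pat, label in CAUSES
                  if re.search(pat, text, re.I)), "unclassified")
    if kind == "unknown" and cause.startswith("delay"):
        kind = "transient"              # a delay warning carries no 5xx code
    return {"code": reply.group(0) if reply else None,
            "enhanced": enhanced, "kind": kind, "cause": cause}
```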

40
Tips & Gotchas
  • Rename executable attachments.
  • Don't encrypt (password protect) .zips.
  • Don't let the thread run forever: The longer a
    message the greater chance it will trip a content
    filter, start new threads when appropriate.
  • Watch your language :)
  • Don't auto-forward mail! <grrr>
  • Compare with OWA.
  • Compare with other mail clients, other machines,
    other Exchange profiles.

41
Tips & Gotchas
  • Phishing & Nigerian Scams
  • Don't assume your folks couldn't fall for these

42
Future
  • Messaging explosion as handhelds take off, etc.
  • Content size increases as attachments get even
    larger.
  • Encryption & authentication becoming ever more
    important.
  • More security threats, better scams