Exception handling & RBL filter issues

This is my RBL filter:

When I initially configured it, I did not include connecting IP addresses and wondered why the RBL filter wasn't working. I was told it was a best practice to include connecting IP addresses and, once I did, I began getting filter hits.

The RBL filter is doing its job and working as designed but this is the issue I am now facing: Valid email originating from domains with which we communicate on a regular basis (as well as others) is being blocked!

Further investigation shows that a series of emails from a given domain, at a given location, may all be delivered to SMG from different IP addresses originating from diverse geographic locations. Typically there are a half dozen SMTP servers through which the email passes from the time it leaves the sender until it is delivered to the SMG appliance and it is one of the intermediate IP addresses that is on a blacklist.

This situation is becoming much more prevalent and, when a recipient contacts me to say a sender is telling them that we are rejecting their email, guess who has to deal with it?

I expect that exceptions require manual intervention but recurring events need to minimise manual involvement.

There are two things we should do:

  • Notify the sender so s/he can get the issue resolved.
  • Create an RBL exception so recipients can receive their email.

Notify the sender

This is the response a sender receives: Error: 550 5.0.350 Remote server returned an error -> 500 Message denied access due to content filters in effect. It doesn't even provide a clue as to why the email was rejected.

We need to provide header information, of course, and it would be very helpful if we were to include the IP addresses we found to be blacklisted. Current scan policy services cannot test nor have access to filter results. If the notification originates from a service in the Policy Scan Configuration, we must be able to specify conditions. For example, we may want to limit notifications to specific senders or domains or based on the results of specific filters.

It would seem the best we can do is return a copy of the received email to the sender but I definitely don't want to do that for every email the fails an RBL test. We could do it based on an exception whitelist once one was created.

Create an RBL exception 

The assumption is that the sender and recipient have a business relationship and the exception is to deal with a situation over which neither have direct control. In such situations it is not uncommon that there may be several senders and recipients that could be impacted. Ideally we would like to whitelist the sender's domain but I don't know that this can be automated. Specific sender/recipient pairs can be whitelisted from the quarantine but this is not an acceptable solution especially when we know in advance that all sender/recipient combinations will be impacted at some point.

Given the above limitations, how are you dealing with this issue? Have you found an automated solution?

__________
Kevin Boyle, SuperUser

Calgary, Alberta, Canada

  • 0  

    Kevin, I did not test it but this would be my approach ...


    Use "Verified Answers" if your problem/issue has been solved!

  • 0   in reply to   
    We could do it based on an exception whitelist once one was created.

    That's essentially what I meant.

    We could send a copy of the incoming email (or at least the headers) but still couldn't tell them which IP address is blacklisted. :-(

    __________
    Kevin Boyle, SuperUser

    Calgary, Alberta, Canada

  • 0   in reply to   

    Right!


    Use "Verified Answers" if your problem/issue has been solved!

  • 0   in reply to   

    And, of course, this only works if you have a list of "good senders" but if you have this list you can use it as an exception list for the RBL filter (as I'm doing) so their email will come through in any case.

    So we are back to:

    • What do you do with senders who aren't on the good senders list?
    • How can you automate the creation of this list other than via the quarantine?

    __________
    Kevin Boyle, SuperUser

    Calgary, Alberta, Canada

  • 0   in reply to   

    Yes, Kevin,

    but exceptions lists do not reply Wink. Of course they do not have to reply ...

    I think there is no way to automate who is good or bad. White list may help a little bit.

    And senders who are not on the "good senders" list will be blocked; that simple. However I agree we need a chance to overrule the message "Message denied access due to content filters in effect", which does not explain anything.

    I remember there is an exchange idea for this request.


    Use "Verified Answers" if your problem/issue has been solved!

  • 0 in reply to   

    I don't know if this will be helpful but...

    We turned off ***ALL*** connection drop services at the interface and replaced each (RBL, SPF, IPREP) with a filter which Quarantines these messages instead.  Effectively, everything which comes into our SMG box (except viruses) goes somewhere.  Either directly to the recipient or into quarantine. 

    By putting stuff into quarantine (instead of just dropping the connection) at least we (inc users themselves) have the ability to find and release any messages which have been inappropriately "tagged".

  • 0   in reply to 

    Right,  . That's the only way to use exceptions. Connection drop is not capable of exceptions or any additional behavior.


    Use "Verified Answers" if your problem/issue has been solved!

  • 0 in reply to   

    Not to put "too fine a point on this", but its not only the "ability to use exceptions"...

    Its also:

    - So we can use the "Message Tracker" to easily find why ANY (ALL)  message didn't get through (instead of downloading and searching log files)

    - So we NEVER lose a message (and it can always be easily "released")

    - So users are able to "self-service" their own Quarantine.  IOW (from an admin to a user):  "If its not in your quarantine, then it never came into our system (unless it had a virus)"

    Basically, we do not use connection drop at all.  That way every email that ever hit our system can be found in the message tracker.  If a message is dropped for any reason, the message tracker should tell us.  Every email (other than those with a virus) can either be found in a user's mailbox or in their quarantine.  We should NEVER lose a message (unless its infected with something).

  • 0   in reply to 

    Me too. No drops in any of my environments.

    However I use blocking without quarantine too. And I use admin quarantine a lot. One of the reasons is that users will get digests. If the digest is too long nobody will take care of it.


    Use "Verified Answers" if your problem/issue has been solved!

  • 0   in reply to 

    Hi Edward,

    Like you, we do not use connection drop and definitely do not quarantine any email flagged with a virus but quarantining email from blacklisted sites and email containing malicious links does pose a risk, albeit a small one, from zero day vulnerabilities. We believe the risk is acceptable if the email originated from a known sender or a known domain (not gmail Scream and similar domains).

    The goal is to whitelist domains with whom we correspond on a regular basis. Unfortunately whitelisting via the quarantine only whitelists specific sender/recipient pairs.

    __________
    Kevin Boyle, SuperUser

    Calgary, Alberta, Canada