
Reverse DNS lookup of FUR in message attributes

I've set up an additional policy rule in our email appliance and I've got it set to match a Source Hostname. I was just curious what DNS server Sophos uses to do the Reverse DNS lookup of the first untrusted relay? I looked in the documentation and couldn't find any information in there. I'm assuming it's the DNS servers under the Network Interface section of the configuration screen, but I was wanting to make sure.


Thanks,

Kenn Murphy



  • Hi Kenn

    This will depend on exactly how the rule was set up and the rule type. Are you wishing to compare against the envelope host name, or DATA information?

    The other question is what exactly you are trying to do. Listing a hostname in your allow/blocklist under hosts would be a better way of letting that MTA connect, and under senders if you wanted to whitelist a particular sender from spam.

    As for DNS, the appliance will use your listed servers; it cannot function without them. It is important to ensure that they respond quickly (less than 200ms) and you should have at least 2 listed. An external one is optional; however, I recommend using your own internal servers.

    If you're bent on making a rule and you wish to check for envelope senders, use a watch list rule and under the senders select Include, and put the hostname in glob format (i.e. **@mydomain.com) or an IP address.

    If you wish to check message headers, use a keyword rule and configure the appropriate header, with a capital, i.e.: header / From / regex / .*@.*\abc.com$

    Keep in mind these examples are not meant to be copy/pasted and should be modified to suit your needs.

  • So, a little background then. We're trying to minimize "Google Docs" spam while still allowing employees to receive legitimate emails from Google about shared documents.

    I've set it up as a Keyword list. The keywords are "Google Doc" and "Google Docs".

    I've got it checking message attributes for the "Source hostname is not: 'google.com'". (If it's not, it will quarantine the email).

    Doing it this way because I'm not sure what hostname the emails would be coming from.

    I'm not sure, but I would think the message attributes look at envelope information.

    I've done a quick test and it appears to work properly.


    Thank you for confirming that the appliance would use our posted DNS servers. We do use our own internal servers.
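As an added illustration (my own code, not from the thread or from Sophos), here is a Python model of Kenn's rule: take the first untrusted relay from the Received chain, reverse-resolve it as the appliance would through its configured DNS servers, and quarantine when the keyword matches but the resulting hostname is not under google.com. The DNS lookups are replaced by constructed PTR/A tables so it runs offline, and the forward-confirmation (FCrDNS) step is an assumption about good practice rather than documented appliance behaviour; the sample headers, networks and names are constructed.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: mail entered from an external relay, passed one internal
# hop, then reached our MX. Names and addresses are hypothetical.
SAMPLE_HEADERS = (
    "Received: from mail-int.example.test (mail-int.example.test [10.0.0.5])\n"
    "\tby mx.example.test with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from relay1.google.com (relay1.google.com [203.0.113.10])\n"
    "\tby mail-int.example.test with ESMTPS; Mon, 1 Jan 2024 09:59:58 +0000\n"
    "Received: from pc (unknown [198.51.100.7])\n"
    "\tby relay1.google.com with ESMTP; Mon, 1 Jan 2024 09:59:50 +0000\n"
)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # our own internal relays
# Constructed stand-in for the appliance's configured DNS servers (PTR and A records).
PTR = {"203.0.113.10": "relay1.google.com", "198.51.100.7": None}
FWD = {"relay1.google.com": {"203.0.113.10"}}

RECEIVED = re.compile(r"^Received:.*?(?=^Received:|\Z)", re.M | re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def first_untrusted_relay(headers: str, trusted=TRUSTED_NETS) -> Optional[str]:
    """Walk Received headers newest-first; return the first relay IP outside our networks."""
    for block in RECEIVED.findall(headers):
        m = IPV4.search(block)
        if m and not any(ipaddress.ip_address(m.group(1)) in n for n in trusted):
            return m.group(1)
    return None

def source_hostname(ip: Optional[str], ptr=PTR, fwd=FWD) -> Optional[str]:
    """Reverse-resolve ip and forward-confirm the answer (FCrDNS); None if either fails.
    Forward confirmation is an assumed good practice, not documented appliance behaviour."""
    name = ptr.get(ip) if ip else None
    return name if name and ip in fwd.get(name, set()) else None

def in_domain(name: Optional[str], domain: str) -> bool:
    return name is not None and (name == domain or name.endswith("." + domain))

def should_quarantine(body: str, headers: str, domain: str = "google.com",
                      keywords=("google doc", "google docs")) -> bool:
    """Kenn's rule: keyword present AND source hostname of the first untrusted relay
    is not under domain (a missing or unconfirmed PTR counts as 'not google.com')."""
    if not any(k in body.lower() for k in keywords):
        return False
    return not in_domain(source_hostname(first_untrusted_relay(headers)), domain)
```

Note that the HELO name in the Received line is never consulted; only the PTR answer for the relay's IP decides, which is why a relay with no reverse record is quarantined even if it claims a google.com name.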