This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Rejecting hosts sending Invalid HELO or missing RDNS

Is anyone know how Sophos Email Appliance v4.1.1.0 can filter RDNS to quarantine or reject if require when the record is wrong.

I cannot find any option in Email Appliance that can filter RDNS, like SPF or DKIM.

I also try from HEADER Attribute [Policy --> Addition Policy --> Message Attribute]  but no luck, because I find that the appliance is already check for rdns as you can see below but I don't know how to used it.

X-SEA-Spam: Gauge=XIIIII, Probability=15%, Report='
 PRIORITY_NO_NAME 0.716, SORTED_RECIPS 0.5, MULTIPLE_RCPTS 0.1, SUBJ_1WORD 0.1, HTML_00_01 0.05, 
HTML_00_10 0.05, MIME_TEXT_ONLY_MP_MIXED 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_6000_6999 0,
BODY_SIZE_7000_LESS 0, ECARD_KNOWN_DOMAINS 0, NO_REAL_NAME 0, RDNS_SERVFAIL 0, SPF_NONE 0, SUSPICIOUS_RECIPS 0,
__ANY_URI 0, __CP_URI_IN_BODY 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_MIXED 0,
__DQ_S_IP_100K 0, __DQ_S_IP_10K 0, __DQ_S_IP_MC_10_P 0, __FROM_DOMAIN_IN_ANY_TO1 0, __FROM_DOMAIN_IN_RCPT 0,
__HAS_FROM 0, __HAS_MSGID 0, __HAS_X_PRIORITY 0, __HTTPS_URI 0, __MIME_TEXT_ONLY 0, __MIME_TEXT_P 0,
__MIME_TEXT_P1 0, __MIME_TEXT_P2 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_TO_X5 0, __MULTIPLE_URI_TEXT 0,
__NO_HTML_TAG_RAW 0, __SANE_MSGID 0, __STOCK_PHRASE_24 0, __SXL_FUR_ERROR_SERVFAIL , __SXL_SIG_ERROR_SERVFAIL ,
__SXL_URI_ERROR_SERVFAIL , __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_IN_BODY 0, __URI_NO_MAILTO 0, __URI_NS , __URI_WITH_PATH 0'

 Is anyone know how to reject if rdns is wrong. It would filter a lot of spam in my case just like Sophos SG / Email Protection.


Thanks a lot,

ANN



This thread was automatically locked due to age.
  • Hi Ann,

     

    Here are a few things you can do to help with RDNS and general mail rejection.

     

    #1

    The appliance will not arbitrarily drop mail from an RDNS check on its own.  Instead the results will affect the total spam score.  You can however configure postfix to drop mail from domains that are non-existent / do not have any DNS  under configuration / policy / smtp options / Perimeter Protection tab.  Just ensure its checked and post fis will drop these connections.

     

    In order to create DKIM and SPF rules you will need to create the policy under the threat protection menu.

    I recommend the following rules.

    #2

    SPF Rule

    rule config: choose fail. You could select Fail & Soft Fail however that will give you more hits.
    select users : skip
    main action : tag subject and continue

    in the box enter something like : [SPF Fail] %%SUBJECT%%

    Name it and save it.

    (I do not recommend quarantine as there are many reasons email can fail spf such as misconfigured mail servers, so arbitrary quarantining them all is generally disruptive)

     

    #3

    DKIM rule.

    Exactly the same, except just use "fail"
    (there are many cases where people will not host keys correctly or add a banner after the email has been hashed so setting it to quarantine may be disruptive)

    Once those rules are done you can educate your users to be vigilant of anything tagged with a SPF or DKIM failure. Or just quarantine it depending on what works best for you.


    #4

    Another thing you can do is add your domain to the blacklisted senders list, (allow block list, blocked hosts, senders) this check is done on external to internal mail only and is an effective way of enforcing anti-spoof as you would never relay mail from your own domain with an external ip.

     

    #5

    The filtering options are important as well, ensure that the following options are checked off

    Enable connection-level blocking of mail from known bad senders (Recommended)

    Enable proactive IP connection control for blocking suspicious hosts

    and the action is:
    Action for policy-level blocked messages DISCARD

     

    You do not want to ever receive mail from anyone that is pushed out in this update.  In addition you do not want to quarantine these messages because in order for the appliance to do so it must accept the message for processing, so there is a chance they would be delivered or released.  The other issue is you will fill your quarantine space very quickly.