This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Whitelisting Email Address Not Working

We have an email that comes everyday with a designated from address of say test@testdomain.com. We've attempted to whitelist it to not end up in a user's quarantine but it still does. The email is being sent from a mail service provider thats actually from address is always unique (ie: 827m1887311901@server9.constanctcontact.com ) usually from a variety of shared IP addresses. Any suggestion on how we could whitelist this type of email for this user? I wouldn't want to get all their IP's because they probably send a fair amount of trash our way but imply adding in the original test@testdomain.com email as a whitelist doesn't work. Thanks!

This thread was automatically locked due to age.

Parents

0 BAlfson over 3 years ago

Hi Michael and welcome to the UTM Community!

Are these emails from Constant Contact or???

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Chiasson over 3 years ago in reply to BAlfson

No it technically looks like its being sent by an Amazon SES service. Below are two examples of the actual sending service.

54.240.48.182 - 01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com

54.240.11.127 - 01000179eb25cdf6-406b4846-0261-4c69-a327-f91d664758fd-000000@amazonses.com
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Michael Chiasson

Are you on 7.705-7, Michael?

Please insert a picture of the Edit of how you're trying to whitelist. Also, copy here the lines from the SMTP log relevant to an email being incorrectly quarantined.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 3 years ago in reply to Michael Chiasson

Are you on 7.705-7, Michael?

Please insert a picture of the Edit of how you're trying to whitelist. Also, copy here the lines from the SMTP log relevant to an email being incorrectly quarantined.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Michael Chiasson over 3 years ago in reply to BAlfson

That is the address the end user sees as it is sent from.

We are on UTM firmware 9.705-7
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Chiasson over 3 years ago in reply to Michael Chiasson
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Michael Chiasson

I meant the text lines in the SMTP proxy log found at 'Logging & Reporting >> View Log Files', Michael.

Ahhhh, the address in the From field is not necessarily the same as the Sender.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Chiasson over 3 years ago in reply to BAlfson

When querying that log for that Amazon SES IP on that day here is the record it produces:

2021:06:10-06:38:54 sophos exim-in[6387]: 2021-06-10 06:38:54 SMTP connection from [54.240.11.16]:58517 (TCP/IP connection count = 1)
2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 H=a11-16.smtp-out.amazonses.com [54.240.11.16]:58517 Warning: mikedomain.gov profile excludes SANDBOX scan
2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 [54.240.11.16] F=<01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com> R=<mikec@mikedomain.gov> Verifying recipient address with callout
2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 1lrI5O-0000F6-2e Greylisting: 54.240.11.16 is a known retry host
2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 1lrI5O-0000F6-2e <= 01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com H=a11-16.smtp-out.amazonses.com [54.240.11.16]:58517 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-SHA256:128 CV=no S=3098 DKIM=amazonses.com id=01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@email.amazonses.com
2021:06:10-06:39:00 sophos smtpd[956]: SCANNER[956]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="54.240.11.16" from="01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com" to="mikec@mikedomain.gov" subject="Notification from the Massachusetts Department of Unemployment Assistance (DUA)" queueid="1lrI5U-0000FQ-GQ" size="1245" reason="as" extra=""
2021:06:10-06:39:19 sophos exim-in[936]: 2021-06-10 06:39:19 SMTP connection from a11-16.smtp-out.amazonses.com [54.240.11.16]:58517 closed by QUIT
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Michael Chiasson

The sender is "01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com instead of the defma.org address seen in the From field. I suspect these emails are getting caught by an "unintended feature" introduced in the 9.705-7 Up2Date which was a rushed response to the 21 Nails threat. I don't think there's any way to whitelist such sender addresses except *.amazonses.com and that doesn't seem wise to me.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel